CN108540387A - Method for network access control and device - Google Patents


Info

Publication number
CN108540387A
Authority
CN
China
Prior art keywords
flow table
list item
flow
matching
subordinate
Prior art date
Legal status
Pending
Application number
CN201810577347.0A
Other languages
Chinese (zh)
Inventor
兰天
韩欢乐
任维春
Current Assignee
New H3C Cloud Technologies Co Ltd
Original Assignee
New H3C Cloud Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by New H3C Cloud Technologies Co Ltd
Priority to CN201810577347.0A
Publication of CN108540387A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches

Abstract

The present disclosure provides a network access control method and device. The method is applied to a virtual switch in which at least two levels of flow table are provided, each flow table containing entries corresponding to at least one service characteristic. The method includes: in the current flow table, looking up a first matching entry for the current traffic according to the service characteristic contained in the current flow table; checking whether the action in the first matching entry indicates matching in a subordinate flow table; and if so, looking up a second matching entry for the current traffic in the subordinate flow table according to the service characteristic contained in that flow table, and performing access control on the current traffic according to the action in the second matching entry. The disclosure can enhance the scalability of network access control.

Description

Method for network access control and device
Technical field
The present disclosure relates to the field of cloud computing technology, and in particular to a network access control method and device.
Background technology
A virtual switch (vSwitch) is a software component that stands in for a physical switch and implements the layer-2 network functions of a physical switch in software. A commonly used virtual switch is OVS (Open vSwitch, an open-source virtual switch).
A virtual switch performs access control on traffic by querying a data-forwarding flow table. The flow table holds a number of forwarding entries that correspond to the user's network-control requirements. When the virtual switch receives traffic, it matches the traffic against the entries in the flow table one by one and processes the traffic according to the action described in the hit entry. When the user's requirements grow, the flow table is updated; each added control function may require changes to all of the entries in the flow table. As user requirements multiply, the flow table becomes very long and hard to read, the work of updating it keeps growing, and later optimisation and extension of the flow table become difficult.
Invention content
In view of this, the purpose of the present disclosure is to provide a network access control method and device so as to enhance the scalability of network access control.
To achieve the above purpose, the technical solution adopted by the present disclosure is as follows:
In a first aspect, the present disclosure provides a network access control method. The method is applied to a virtual switch in which at least two levels of flow table are provided, each flow table containing entries corresponding to at least one service characteristic. The method includes: in the current flow table, looking up a first matching entry for the current traffic according to the service characteristic contained in the current flow table; checking whether the action in the first matching entry indicates matching in a subordinate flow table; and if so, looking up a second matching entry for the current traffic in the subordinate flow table according to the service characteristic contained in the subordinate flow table, and performing access control on the current traffic according to the action in the second matching entry.
In a second aspect, the present disclosure provides a network access control device. The device is arranged in a virtual switch in which at least two levels of flow table are provided, each flow table containing entries corresponding to at least one service characteristic. The device includes: a lookup module, configured to look up, in the current flow table, a first matching entry for the current traffic according to the service characteristic contained in the current flow table; a checking module, configured to check whether the action in the first matching entry indicates matching in a subordinate flow table; and an access control module, configured to, if the action in the first matching entry indicates matching in a subordinate flow table, look up a second matching entry for the current traffic in the subordinate flow table according to the service characteristic contained in the subordinate flow table, and perform access control on the current traffic according to the action in the second matching entry.
In a third aspect, an embodiment of the present disclosure provides a server including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the processor executes the machine-executable instructions to implement the above network access control method.
In a fourth aspect, an embodiment of the present disclosure provides a machine-readable storage medium storing machine-executable instructions. When called and executed by a processor, the machine-executable instructions cause the processor to implement the above network access control method.
In the above network access control method, device, server and machine-readable storage medium, the virtual switch is provided with at least two levels of flow table, each containing its own service characteristic. During network access control, the first matching entry for the current traffic is looked up according to the service characteristic contained in the current flow table; if the action in the first matching entry indicates matching in a subordinate flow table, the second matching entry for the current traffic is looked up according to the service characteristic contained in the subordinate flow table, and access control is performed on the current traffic according to the action in the second matching entry. With this hierarchical arrangement of flow tables, when a new service characteristic is added, a new flow table can be created and extended on top of the existing flow tables, which enhances the extensibility of network access control.
At the same time, when access control is performed through at least two levels of flow table, the jump to the subordinate flow table and the matching there need only follow the action indicated by the hit entry, so the flow table does not have to be traversed repeatedly, which improves the efficiency of entry lookup.
Other features and advantages of the present disclosure will be set out in the following description; alternatively, some of the features and advantages can be deduced or unambiguously determined from the specification, or learned by implementing the above technology of the present disclosure.
To make the above objects, features and advantages of the present disclosure clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
In order to explain more clearly the specific embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present disclosure, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario for a network access control method provided by an embodiment of the present disclosure;
Fig. 2 is a flow chart of a network access control method provided by an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a single flow table provided by an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of entry jumping in a two-level flow table provided by an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of entry jumping in a three-level flow table provided by an embodiment of the present disclosure;
Fig. 6 is a flow chart of another network access control method provided by an embodiment of the present disclosure;
Fig. 7 is a structural schematic diagram of a network access control device provided by an embodiment of the present disclosure;
Fig. 8 is a structural schematic diagram of a server provided by an embodiment of the present disclosure.
Specific implementation mode
To make the purposes, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions of the present disclosure are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
To better understand the technical solution of the present disclosure, the application scenario of the network access control method is described first. As shown in Fig. 1, a virtual switch is provided with multiple virtual ports, which are used to connect virtual machine ports and physical ports; the virtual machine ports are located on virtual network interface cards (virtual NICs), and the physical ports are located on physical NICs. The virtual port connected to the physical NIC of the host communicates with the external physical network; the virtual ports connected to virtual NICs are connected to the virtual machines on the host and are used to exchange data between virtual machines and the external network, or between virtual machines. One virtual switch can manage the virtual machines on one host (as shown in Fig. 1), or it can be managed in a distributed manner and manage the virtual machines on several physical hosts at the same time. A virtual NIC is generally arranged on a virtual machine and corresponds to that virtual machine one to one; a virtual machine can also be provided with several virtual NICs so that it connects to different virtual networks.
When the virtual switch receives traffic through the above virtual ports, the processing of the traffic generally includes protocol parsing, entry lookup and action execution. Protocol parsing analyses the protocol header and trailer of the traffic programmatically to obtain behavioural information about the traffic during its generation and transmission, for example its time, source address, destination address, protocol version, status code and so on. Entry lookup searches the pre-configured flow table according to the parsed behavioural information to obtain the hit entry. Finally the action described in the hit entry is executed, for example forwarding through a specified virtual port or discarding the traffic, which completes the processing of the traffic.
The above flow table must be maintained and updated frequently according to the user's actual control requirements. When the flow table contains few entries, the entry-lookup step completes without much overhead and the work of updating entries is small. But as user requirements become more diverse and fine-grained, the control policies in the flow table also become finer and more complex. The inventors have found that implementing all control policies in a single flow table limits the room for sustained extension and optimisation of the flow table: each added control function may double the number of flow-table entries, and the flow table becomes bloated and hard to read. At the same time, the added control functions inevitably increase the number of times the flow table is traversed during entry lookup, which, when the flow table has many entries, raises the overhead of the lookup step and lowers lookup efficiency.
On this basis, embodiments of the present disclosure provide a network access control method, device and server. The technology can be applied to the control and management of a variety of virtualised networks, such as cloud computing and big-data platforms, and is described in detail below.
The above network access control method is applied to a virtual switch in which at least two levels of flow table are provided; each flow table contains entries corresponding to at least one service characteristic. The service characteristic can be selected according to the user's control requirements, and generally includes one or more of an IP address, a MAC address and a service parameter in an ACL (Access Control List) table.
At least two levels of flow table are provided in the virtual switch. Taking two levels as an example, these are a first-level flow table and a second-level flow table. After the virtual switch receives traffic, it usually matches the first-level flow table first and, after an entry is hit, jumps to the second-level flow table corresponding to that hit entry. Therefore, the specific service parameters contained in each level of flow table usually need to be selected according to the actual control requirements of the virtual machine user.
If the user needs higher entry-matching efficiency, the stricter service characteristics are usually placed in the first-level flow table, for example matching entries for the IP address or MAC address bound to the traffic, and the service parameters of the ACL table are placed in the second-level flow table to classify the traffic. In this way, illegitimate traffic can be removed directly by filtering on the bound addresses, without entering ACL classification.
If instead the user needs a looser and more flexible matching approach, the looser service characteristics, for example the service parameters of the above ACL table, can be placed in the first-level flow table, and the IP-address or MAC-address matching entries in the second-level flow table. After the ACL service parameters in the first-level flow table have classified the traffic, the corresponding second-level flow table then filters, forwards or otherwise handles the classified traffic.
This form of at least two levels of flow table makes subsequent extension and optimisation of the flow tables comparatively easy: if the user wants to add a control function, it is only necessary to add a new entry in the corresponding flow table and set the next-level flow table to which that entry jumps, without modifying all of the entries in one and the same flow table.
Of course, three or more levels of flow table can also be provided in the virtual switch, as determined by the actual control requirements. The method of performing network access control with at least two levels of flow table, as shown in Fig. 2, specifically includes the following steps:
Step S202: in the current flow table, look up a first matching entry for the current traffic according to the service characteristic contained in the current flow table;
Entries are generally looked up by traversal: starting from the first entry, if the matching condition of the entry is hit, the traffic is processed according to the action in that entry; if the matching condition of the entry is not met, the lookup skips to the second entry and continues matching. Of course, the entries in the flow table can also be searched in some other configured order.
Step S204: check whether the action in the first matching entry indicates matching in a subordinate flow table;
The action in a flow-table entry generally indicates how the traffic is to be handled, such as normal forwarding, discarding, queuing, modifying the traffic data, jumping to a flow table, and so on. When the action indicates matching in a subordinate flow table, the action should usually also include the table identifier of the subordinate flow table; if the current flow table has only one subordinate flow table, the action need not include the table identifier, and when a jump is needed the subordinate flow table is taken by default and the matching in the subordinate flow table is performed.
Step S206: if so, in the subordinate flow table, look up a second matching entry for the current traffic according to the service characteristic contained in the subordinate flow table, and perform access control on the current traffic according to the action in the second matching entry.
The action in the second matching entry generally also includes normal forwarding, discarding, queuing, modifying the traffic data and so on; if the subordinate flow table itself has a corresponding subordinate flow table, the action in the second matching entry also includes jumping to a flow table.
By contrast, in an access control scheme with a single flow table, as in the flow table shown in Fig. 3, all service characteristics exist as independent entries distinguished by priority. If the engineer makes a mistake when configuring the flow table, the traffic may well be forwarded as soon as it hits the entry for one service characteristic and never hit the entries for the other service characteristics, which fails to meet the user's need for access control through multiple control policies.
In addition, if the user needs N control functions and each control function needs M entries, then for one flow, in order for every control function to be matched, at most M*N*(N+1)/2 flow-table traversals are needed; when traffic is heavy and the flow table must be refreshed frequently, entry-lookup efficiency will be very low. Specifically, if the user needs to implement IP-address, MAC-address and ACL-table control in a single flow table, the number of flow-table traversals needed to execute the ACL policy is at most the sum of the n traversals needed to hit the bound IP/MAC and the 2n traversals needed to traverse the bound IP/MAC again and traverse the ACL table, i.e. 3n.
In the above network access control method, the virtual switch is provided with at least two levels of flow table, each containing its own service characteristic. During network access control, the first matching entry for the current traffic is looked up according to the service characteristic contained in the current flow table; if the action in the first matching entry indicates matching in a subordinate flow table, the second matching entry for the current traffic is looked up according to the service characteristic contained in the subordinate flow table, and access control is performed on the current traffic according to the action in the second matching entry. With this hierarchical arrangement of flow tables, when a new service characteristic is added, a new flow table can be created and extended on top of the existing flow tables, which enhances the scalability of network access control.
At the same time, when access control is performed through at least two levels of flow table, it is only necessary to jump between flow tables according to the action indicated by the entry and perform the matching step in the subordinate flow table, without traversing the flow table repeatedly, which improves the efficiency of entry lookup.
The network access control method is further explained in the following embodiments. In this embodiment, the virtual switch is described as containing two levels of flow table, where the service characteristic contained in the current flow table includes a MAC address and/or an IP address, and the service characteristic of the subordinate flow table includes at least one service parameter of an ACL table.
The service characteristic contained in the current flow table can include both a MAC address and an IP address, or only a MAC address or only an IP address. IP addresses and MAC addresses can be used to filter traffic, for example filtering traffic from specific source IP addresses by means of an IP-address blacklist, or filtering attack traffic with a forged MAC address by source MAC address. Placing the IP-address and MAC-address service characteristics in the current flow table first filters out the packets that do not conform to the user's access control requirements, which can also be called invalid packets; such invalid packets usually threaten the security of the network. The filtered packets are generally discarded.
The above ACL table can be used to classify the traffic entering and leaving the virtual ports. The service parameters in the ACL table usually include the protocol, direction and interface of the traffic, and can classify traffic along several dimensions such as Ethernet protocol, time control and standard MAC.
Fig. 4 is a schematic diagram of entry jumping in a two-level flow table. Flow table 1 is used to check whether the IP address and MAC address carried in the traffic match the addresses bound in flow table 1; if either the IP address or the MAC address does not match, the traffic is discarded as indicated by the action in the hit entry. Only when both the IP address and the MAC address match is entry n hit, and the action in entry n indicates matching in the subordinate flow table, i.e. flow table 2. Flow table 2 is used to match the service parameters in the ACL table: if the traffic matches the service parameters, the traffic is processed according to the ACL rule; if the traffic does not match the service parameters, the traffic is forwarded normally.
It is generally considered that matching the bound MAC address and/or IP address is the strictest check. Therefore this arrangement, in which the current flow table contains the MAC address and/or IP address and the subordinate flow table contains the service parameters of the ACL table, can first filter out most illegitimate traffic and then apply ACL selection to the legitimate traffic, so that entry-matching efficiency is higher.
In addition, this arrangement improves the independence of the MAC/IP address matching and ACL matching functions: each flow table is independent of the others, which facilitates later extension and optimisation of the flow tables.
In another embodiment, the above at least two levels of flow table include a first flow table binding MAC addresses, a second flow table binding IP addresses and a third flow table binding ACL service parameters, and the level order between the flow tables is to match the first flow table first, then the second flow table, and the third flow table last. That is, this embodiment takes a three-level flow table as an example and realises the matching of the MAC address and the IP address with different flow tables.
It should be noted that the above first flow table binding MAC addresses can be understood as follows: the first flow table stores specified MAC addresses or MAC address groups, and if the MAC address of the traffic can be found in the first flow table, the traffic can proceed to matching in the subordinate flow table.
The above second flow table binding IP addresses can be understood as follows: the second flow table stores specified IP addresses or IP address groups, and if the IP address of the traffic can be found in the second flow table, the traffic can proceed to matching in the subordinate flow table.
The above third flow table binding ACL service parameters can be understood as follows: the third flow table stores specified ACL service parameters and the corresponding ACL service rules; if the service characteristics of the traffic (such as protocol, direction and interface) meet the requirements of the service parameters, the traffic can be processed according to the corresponding ACL service rules, and if the service characteristics of the traffic do not meet the requirements of the service parameters, the traffic can be processed according to the default normal forwarding.
When the virtual switch receives traffic, it first matches the above first flow table, jumps to the second flow table according to the matching result, and finally jumps to matching in the third flow table. Specifically, Fig. 5 is a schematic diagram of entry jumping in a three-level flow table. When the traffic matches a MAC address bound in flow table 1 (i.e. the above first flow table), the lookup jumps to flow table 2 (i.e. the above second flow table); if it does not match, the traffic is considered forged and is discarded. If the traffic matches an IP address bound in flow table 2, the lookup jumps to flow table 3 (i.e. the above third flow table); if it does not match, the traffic is considered not to be traffic the user needs and is discarded. If the traffic matches the service parameters of the ACL table in flow table 3, the traffic is processed according to the ACL rule; if it does not match, the traffic is forwarded normally by the default forwarding measure.
Of course, the contents bound by the above three flow tables can be exchanged with one another, and their level order can also be exchanged; for example, the level order between the three flow tables can be a first flow table binding IP addresses matched first, then a second flow table binding MAC addresses, and then a third flow table binding ACL service parameters.
With three or more levels of flow table, each level matches only one or a small number of service parameters, the logical relationship between the entries of the flow tables is more concise and clear, which is conducive to subsequent extension and optimisation of the flow tables, and entry-lookup efficiency is higher.
Based on the above arrangement of at least two levels of flow table, an embodiment of the present disclosure further provides another network access control method, which, as shown in Fig. 6, specifically includes the following steps:
Step S602: in the current flow table, look up a first matching entry for the current traffic according to the service characteristic contained in the current flow table;
Step S604: check whether the action in the first matching entry indicates matching in a subordinate flow table; if so, execute step S606; if not, execute step S614;
Step S606: in the subordinate flow table, look up a second matching entry for the current traffic according to the service characteristic contained in the subordinate flow table;
Step S608: determine what the action in the second matching entry indicates; if it indicates processing according to an ACL rule, execute step S610; if it indicates normal forwarding, execute step S612;
Step S610: perform access control on the current traffic according to the ACL rule;
Step S612: forward the traffic normally;
Step S614: process the current traffic according to the action in the first matching entry.
The above approach performs access control through at least two levels of flow table, which improves the scalability of the flow tables and the efficiency of entry lookup.
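The following Python model is an added illustration written for this page (it is not code from the patent, from H3C or from OVS). It implements the lookup of steps S202 to S206 and S602 to S614 over the two-level layout of Fig. 4 and the three-level layout of Fig. 5, and counts how many entries are examined per packet so the "no repeated traversal" claim can be observed. The packet field names, the action names, the bound addresses, the ACL parameter and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A packet is modelled as a flat dict of already-parsed header fields, i.e. the
# output of the page's "protocol parsing" stage. Field names are assumptions.
Packet = Dict[str, object]
Action = Tuple[str, object]   # e.g. ("goto", 2), ("drop", None), ("acl", "deny-telnet")


@dataclass
class Entry:
    """One flow-table entry: every match field must equal the packet's field."""
    match: Dict[str, object]
    action: Action
    priority: int = 0

    def hits(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


@dataclass
class FlowTable:
    table_id: int
    entries: List[Entry] = field(default_factory=list)
    # Table-miss action applied when no entry matches (a modelling assumption).
    on_miss: Action = ("drop", None)

    def lookup(self, pkt: Packet) -> Tuple[Action, int]:
        """Traverse entries by descending priority (the page's traversal form).
        Returns the hit entry's action (or on_miss) and the number of entries examined."""
        examined = 0
        for e in sorted(self.entries, key=lambda x: -x.priority):
            examined += 1
            if e.hits(pkt):
                return e.action, examined
        return self.on_miss, examined


class VirtualSwitch:
    def __init__(self, tables: List[FlowTable], first_table: int = 1, max_hops: int = 8):
        self.tables = {t.table_id: t for t in tables}
        self.first_table = first_table
        self.max_hops = max_hops  # guard against a "goto" cycle in a misconfigured table set

    def process(self, pkt: Packet) -> Tuple[Action, int]:
        """Steps S202-S206: match in the current table; if the hit entry's action is a
        'goto', continue in the named subordinate table; otherwise apply the action.
        Returns the final action and the total number of entries examined."""
        table_id, total = self.first_table, 0
        for _ in range(self.max_hops):
            action, n = self.tables[table_id].lookup(pkt)
            total += n
            if action[0] != "goto":
                return action, total
            table_id = action[1]
        raise RuntimeError("goto chain longer than max_hops: check table configuration")


# Constructed sample bindings (assumptions): one VM whose IP and MAC are bound,
# and one ACL parameter set that hands telnet to an ACL rule.
BOUND_IP, BOUND_MAC = "10.0.0.5", "aa:bb:cc:00:00:05"
ACL_ENTRY = Entry({"proto": "tcp", "dst_port": 23}, ("acl", "deny-telnet"), priority=10)


def build_two_level() -> VirtualSwitch:
    """Fig. 4 layout: table 1 matches the bound IP+MAC, table 2 holds ACL parameters."""
    t1 = FlowTable(1, [Entry({"src_ip": BOUND_IP, "src_mac": BOUND_MAC}, ("goto", 2))])
    t2 = FlowTable(2, [ACL_ENTRY], on_miss=("forward", "port-1"))  # no ACL match: forward
    return VirtualSwitch([t1, t2])


def build_three_level() -> VirtualSwitch:
    """Fig. 5 layout: table 1 binds MAC, table 2 binds IP, table 3 holds ACL parameters."""
    t1 = FlowTable(1, [Entry({"src_mac": BOUND_MAC}, ("goto", 2))])
    t2 = FlowTable(2, [Entry({"src_ip": BOUND_IP}, ("goto", 3))])
    t3 = FlowTable(3, [ACL_ENTRY], on_miss=("forward", "port-1"))
    return VirtualSwitch([t1, t2, t3])


# Constructed traffic: legitimate HTTP, legitimate telnet, and a packet with a forged MAC.
SAMPLE_PACKETS = {
    "http": {"src_ip": BOUND_IP, "src_mac": BOUND_MAC, "proto": "tcp", "dst_port": 80},
    "telnet": {"src_ip": BOUND_IP, "src_mac": BOUND_MAC, "proto": "tcp", "dst_port": 23},
    "spoofed_mac": {"src_ip": BOUND_IP, "src_mac": "de:ad:be:ef:00:01",
                    "proto": "tcp", "dst_port": 80},
}


def run(switch: VirtualSwitch) -> Dict[str, Tuple[Action, int]]:
    """Process every sample packet and return {name: (final action, entries examined)}."""
    return {name: switch.process(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, sw in (("two-level", build_two_level()), ("three-level", build_three_level())):
        for name, (action, n) in run(sw).items():
            print(f"{label:11} {name:12} -> {action}  ({n} entries examined)")
```

The forged-MAC packet is dropped after a single entry is examined in table 1 and never reaches the ACL table, while legitimate traffic examines exactly one entry per level on its way to the ACL decision.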
In another embodiment, at least one flow-table group is provided in the virtual switch, and a flow-table group includes at least two levels of flow table. For example, flow-table group 1 includes flow table 1 and flow table 2, where flow table 1 is used to match the bound IP addresses and flow table 2 is used to match the first service parameters in the bound ACL table; flow-table group 2 includes flow table 3 and flow table 4, where flow table 3 is used to match the bound MAC addresses and flow table 4 is used to match the second service parameters in the bound ACL table. The first service parameters and the second service parameters can be identical, partly identical, or entirely different.
When access control is performed through the above flow-table groups, the flow-table group corresponding to the current traffic can be looked up according to the service type of the current traffic, and network access control is performed on the current traffic on the basis of the flow tables in that group. The service type of the current traffic can be the protocol, the address or a time parameter of the current traffic, and so on.
By configuring flow-table groups, access control measures can be configured more flexibly to meet the user's diverse access control requirements.
It should be noted that the above method embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments can be referred to one another.
Corresponding to above method embodiment, a kind of structural schematic diagram of network access control device shown in Figure 7, The device is set to virtual switch, and at least two-stage flow table is provided in virtual switch;Each flow table includes at least one industry The corresponding list item of characteristic of being engaged in;The device includes:
Searching module 70, in current flow table, present flow rate pair to be searched according to the business feature that current flow table includes The the first matching list item answered;
Module 71 is checked, for checking whether the action in the first matching list item indicates the matching of progress subordinate flow table;
Access control module 72, if carrying out the matching of subordinate's flow table for the action instruction in the first matching list item, In subordinate's flow table, the business feature that includes according to subordinate's flow table searches the corresponding second matching list item of present flow rate, and according to the Action in two matching list items accesses control to present flow rate.
The service feature included in the current flow table includes a MAC address and/or an IP address; the service feature of the subordinate flow table includes at least one service parameter from an ACL table.
The access control module above is further configured to: if the action in the second matching entry indicates processing according to an ACL rule, perform access control on the current traffic according to that ACL rule.
The at least two levels of flow tables include a first flow table binding MAC addresses, a second flow table binding IP addresses, and a third flow table binding ACL service parameters; the level order between the flow tables is: match the first flow table first, then the second flow table, and then the third flow table.
In the network access control device above, the virtual switch is provided with at least two levels of flow tables. First, the first matching entry corresponding to the current traffic is searched according to the service feature included in the current flow table; if the action in the first matching entry indicates that subordinate flow table matching is to be performed, the second matching entry corresponding to the current traffic is searched according to the service feature included in the subordinate flow table, and access control is performed on the current traffic according to the action in the second matching entry. This approach improves the scalability of the flow tables.
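The three-level pipeline described above (a MAC-binding table, then an IP-binding table, then an ACL table, each bound entry carrying a "match the subordinate flow table" action), as an added example that is not code from the patent. The `Packet`, `FlowEntry`, `lookup` names, the sample tables, and the default-deny on a table miss or a goto loop are this example's own assumptions; the `TABLES` dict plays the role of one flow table group.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Header fields of the current traffic (constructed sample input)."""
    src_mac: str
    src_ip: str
    proto: str
    dst_port: int


@dataclass
class FlowEntry:
    """One flow table entry: the service features it matches and its action.

    action is "goto" (match the subordinate flow table), "permit" or "drop";
    an empty match dict is a wildcard entry (for example, an ACL default rule)."""
    match: Dict[str, object]
    action: str
    goto_table: Optional[int] = None


def entry_matches(entry: FlowEntry, pkt: Packet) -> bool:
    return all(getattr(pkt, name) == value for name, value in entry.match.items())


def find_entry(table: List[FlowEntry], pkt: Packet) -> Optional[FlowEntry]:
    """Return the first matching entry (entries are in priority order), None on a table miss."""
    for entry in table:
        if entry_matches(entry, pkt):
            return entry
    return None


def lookup(tables: Dict[int, List[FlowEntry]], pkt: Packet, start: int = 1) -> str:
    """Walk the flow table group from table `start`, following goto actions.

    Returns the final action ("permit" or "drop"). A miss in any level, a goto to
    a missing table, or a goto that revisits a table is treated as deny (assumption)."""
    table_id, visited = start, set()
    while table_id not in visited:
        visited.add(table_id)
        entry = find_entry(tables.get(table_id, []), pkt)
        if entry is None:
            return "drop"
        if entry.action != "goto":
            return entry.action
        table_id = entry.goto_table
    return "drop"


# Constructed flow table group: table 1 binds the MAC, table 2 binds the IP,
# table 3 holds ACL service parameters; each bound entry hands over to the next level.
TABLES = {
    1: [FlowEntry({"src_mac": "00:11:22:33:44:55"}, "goto", 2)],
    2: [FlowEntry({"src_ip": "10.0.0.5"}, "goto", 3)],
    3: [FlowEntry({"proto": "tcp", "dst_port": 22}, "drop"),  # ACL rule: deny SSH
        FlowEntry({}, "permit")],                              # ACL default: permit
}

if __name__ == "__main__":
    for pkt in (Packet("00:11:22:33:44:55", "10.0.0.5", "tcp", 80),
                Packet("00:11:22:33:44:55", "10.0.0.5", "tcp", 22),
                Packet("de:ad:be:ef:00:01", "10.0.0.5", "tcp", 80),    # MAC not bound
                Packet("00:11:22:33:44:55", "10.0.0.99", "tcp", 80)):  # IP not bound to MAC
        print(pkt.src_mac, pkt.src_ip, pkt.dst_port, "->", lookup(TABLES, pkt))
```

Traffic whose MAC or IP is not bound never reaches the ACL level, which is why the binding tables sit in front of the service-parameter table.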
This embodiment further provides a server corresponding to the method embodiments above. Fig. 8 is a structural schematic diagram of the server; as shown in Fig. 8, the device includes a processor 801 and a memory 802, where the memory 802 stores one or more computer instructions that are executed by the processor to implement the network access control method described above.
The device shown in Fig. 8 further includes a bus 803 and a forwarding chip 804; the processor 801, the forwarding chip 804 and the memory 802 are connected by the bus 803. The server may be a network edge device.
The memory 802 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk storage device. The bus 803 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one double-headed arrow is drawn in Fig. 8, which does not mean that there is only one bus or only one type of bus.
The forwarding chip 804 is used to connect, through network interfaces, with at least one user terminal and other network elements, and to send encapsulated IPv4 or IPv6 messages to the user terminal through the network interface.
The processor 801 may be an integrated circuit chip with signal processing capability. During implementation, each step of the method above may be completed by integrated logic circuits of hardware in the processor 801 or by instructions in software form. The processor 801 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being completed by a hardware decoding processor, or completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium well established in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 802; the processor 801 reads the information in the memory 802 and, in combination with its hardware, completes the steps of the method in the foregoing embodiments.
An embodiment of the present invention further provides a machine-readable storage medium storing machine-executable instructions; when called and executed by a processor, the machine-executable instructions cause the processor to implement the network access control method above. For the specific implementation, refer to the method embodiments; the details are not repeated here.
The network access control device and server provided by the embodiments of the present invention have the same implementation principle and technical effects as the method embodiments above; for brevity, where the device embodiments do not mention something, refer to the corresponding content in the method embodiments.
Finally, it should be noted that the embodiments described above are only specific implementations of the present disclosure, intended to illustrate its technical solution rather than to limit it; the scope of protection of the disclosure is not limited thereto. Although the disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that any person familiar with the art may still modify the technical solutions recorded in the foregoing embodiments, or readily conceive of variations or equivalent replacements of some of the technical features, within the technical scope disclosed herein; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the disclosure, and should all be covered within the scope of protection of the disclosure. Therefore, the scope of protection of the disclosure shall be subject to the scope of protection of the claims.

Claims (10)

1. A network access control method, characterized in that the method is applied to a virtual switch in which at least two levels of flow tables are provided, each flow table including at least one entry corresponding to a service feature; the method including:
in the current flow table, searching the first matching entry corresponding to the current traffic according to the service feature that the current flow table includes;
checking whether the action in the first matching entry indicates that subordinate flow table matching is to be performed;
if so, in the subordinate flow table, searching the second matching entry corresponding to the current traffic according to the service feature that the subordinate flow table includes, and performing access control on the current traffic according to the action in the second matching entry.
2. The method according to claim 1, characterized in that the service feature included in the current flow table includes a MAC address and/or an IP address; the service feature of the subordinate flow table includes at least one service parameter from an ACL table.
3. The method according to claim 2, characterized in that the step of performing access control on the current traffic according to the action in the second matching entry includes:
if the action in the second matching entry indicates processing according to an ACL rule, performing access control on the current traffic according to the ACL rule.
4. The method according to claim 1, characterized in that the at least two levels of flow tables include a first flow table binding MAC addresses, a second flow table binding IP addresses, and a third flow table binding ACL service parameters; and the level order between the flow tables is: match the first flow table first, then the second flow table, and then the third flow table.
5. The method according to claim 1, characterized in that the method further includes:
if the action in the first matching entry does not indicate subordinate flow table matching, processing the current traffic according to the action in the first matching entry.
6. The method according to claim 1, characterized in that at least one flow table group is provided in the virtual switch, the flow table group including at least two levels of flow tables;
the method further including: searching the flow table group corresponding to the current traffic according to the service type of the current traffic, and performing network access control on the current traffic based on the flow tables in the flow table group.
7. A network access control device, characterized in that the device is deployed in a virtual switch in which at least two levels of flow tables are provided, each flow table including at least one entry corresponding to a service feature; the device including:
a searching module, for searching, in the current flow table, the first matching entry corresponding to the current traffic according to the service feature that the current flow table includes;
a checking module, for checking whether the action in the first matching entry indicates that subordinate flow table matching is to be performed;
an access control module, for, if the action in the first matching entry indicates that subordinate flow table matching is to be performed, searching in the subordinate flow table the second matching entry corresponding to the current traffic according to the service feature that the subordinate flow table includes, and performing access control on the current traffic according to the action in the second matching entry.
8. The device according to claim 7, characterized in that the service feature included in the current flow table includes a MAC address and/or an IP address; the service feature of the subordinate flow table includes at least one service parameter from an ACL table.
9. The device according to claim 8, characterized in that the access control module is further configured to: if the action in the second matching entry indicates processing according to an ACL rule, perform access control on the current traffic according to the ACL rule.
10. The device according to claim 7, characterized in that the at least two levels of flow tables include a first flow table binding MAC addresses, a second flow table binding IP addresses, and a third flow table binding ACL service parameters; and the level order between the flow tables is: match the first flow table first, then the second flow table, and then the third flow table.
CN201810577347.0A 2018-06-06 2018-06-06 Method for network access control and device Pending CN108540387A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810577347.0A CN108540387A (en) 2018-06-06 2018-06-06 Method for network access control and device

Publications (1)

Publication Number Publication Date
CN108540387A true CN108540387A (en) 2018-09-14

Family

ID=63470194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810577347.0A Pending CN108540387A (en) 2018-06-06 2018-06-06 Method for network access control and device

Country Status (1)

Country Link
CN (1) CN108540387A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109005077A (en) * 2018-10-18 2018-12-14 郑州云海信息技术有限公司 A kind of duplicate method and apparatus of detection MAC Address
CN109450811A (en) * 2018-11-30 2019-03-08 新华三云计算技术有限公司 Flow control methods, device and server
CN112583949A (en) * 2020-11-26 2021-03-30 新华三云计算技术有限公司 VPC (virtual private network) public network access method and VPC equipment
CN113992428A (en) * 2021-11-29 2022-01-28 北京天融信网络安全技术有限公司 Intrusion prevention method and device under container environment, electronic equipment and storage medium
WO2023236858A1 (en) * 2022-06-06 2023-12-14 华为技术有限公司 Flow table rule management method, traffic management method and system, and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486103A (en) * 2014-12-03 2015-04-01 杭州华三通信技术有限公司 Message transmission method and equipment
CN104580027A (en) * 2013-10-25 2015-04-29 杭州华三通信技术有限公司 OpenFlow message forwarding method and equipment
US20170222931A1 (en) * 2014-09-29 2017-08-03 Hewlett Packard Enterprise Development Lp Dynamic allocation of flow table capacity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180914