CN108769045B - ACL rule configuration method, device and network equipment - Google Patents


Info

Publication number
CN108769045B
Authority
CN
China
Prior art keywords
acl rule
backup area
area
acl
issued
Prior art date
Legal status
Active
Application number
CN201810581820.2A
Other languages
Chinese (zh)
Other versions
CN108769045A (en)
Inventor
夏超
Current Assignee
Shenzhen Forward Industrial Co Ltd
Original Assignee
Shenzhen Forward Industrial Co Ltd
Application filed by Shenzhen Forward Industrial Co Ltd
Priority to CN201810581820.2A
Publication of CN108769045A
Application granted
Publication of CN108769045B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering


Abstract

The embodiment of the invention provides an ACL rule configuration method in the technical field of ACL rule configuration, applied to the switching chip of a network device. The method comprises the following steps: detecting the current operating environment to obtain the existing ACL rules stored in the TCAM; acquiring a new ACL rule added by upper-layer software and recombining it with the existing ACL rules to generate the ACL rules to be issued; and classifying the ACL rules to be issued, issuing low-frequency ACL rules to a low-frequency storage area and issuing high-frequency ACL rules to whichever backup area of the high-frequency storage area is in the static state, while the switching chip continues to filter packets according to the ACL rules stored in the backup area that is in the active state. The method prevents the switching device from being left unprotected (with no ACL rules in force) while the ACL rules are being updated, and so improves the security of the switching device.

Description

ACL rule configuration method, device and network equipment
Technical Field
The present invention relates to the technical field of ACL rule configuration, and in particular, to an ACL rule configuration method, apparatus and network device.
Background
An ACL (access control list) is used to control the data packets entering and leaving the ports of a switch. In the prior art, when ACL rules are updated, the existing ACL rules stored in the TCAM (ternary content addressable memory) are cleared first, the new ACL rules are then issued to the TCAM, and only then does the switch filter packets through the new ACL rules.
Because the ACL rules stored in the TCAM are cleared during this update process, the switching device has no ACL rules in force for as long as the TCAM is empty, which creates a serious security risk.
Disclosure of Invention
In order to overcome the above deficiencies in the prior art, an object of the present invention is to provide an ACL rule configuration method, an ACL rule configuration apparatus and a network device, where the ACL rule configuration method prevents the switching device from being left unprotected by an empty TCAM while ACL rules are updated, thereby improving the security of the switching device.
To achieve this object, an embodiment of the present invention provides an ACL rule configuration method applied to a switching chip of a network device, where the ternary content addressable memory (TCAM) of the switching chip comprises a high-frequency storage area and a low-frequency storage area,
the high-frequency storage area comprises a first backup area and a second backup area, each of which has a static working state and an active working state, the first backup area and the second backup area can switch states, and at least one of them is in the active state at any moment;
the method comprises the following steps:
detecting the current operating environment of the network equipment to obtain the existing ACL rule stored in the TCAM;
acquiring a new ACL rule added by upper software, and recombining the new ACL rule with the existing ACL rule to generate an ACL rule to be issued;
and detecting whether the ACL rule to be issued is a high-frequency ACL rule or a low-frequency ACL rule; if it is a low-frequency ACL rule, issuing it to the low-frequency storage area, and if it is a high-frequency ACL rule, issuing it to the backup area that is in the static state in the high-frequency storage area.
The method further comprises the following steps:
after the ACL rule to be issued has been issued to the first backup area or the second backup area, switching the working states of the first backup area and the second backup area;
and the switching chip filters the message according to the ACL rule stored in the backup area in the current active state.
Optionally, the method further comprises:
when the first backup area and the second backup area switch states, the backup area in the static state is switched to the active state first, and only then is the backup area that was previously active switched to the static state.
Optionally, the ACL rules to be issued are issued to the high-frequency storage area or the low-frequency storage area according to a priority order for sequential storage.
Optionally, the high-frequency storage area further comprises a redundant area located between the first backup area and the second backup area,
and when ACL rules are issued to the first backup area or the second backup area, they are written starting from the end of that backup area farthest from the redundant area and extending toward the redundant area.
Optionally, the method further comprises:
detecting the total number of the ACL rules to be issued and the number of low-frequency ACL rules in the ACL rules to be issued;
acquiring the number of high-frequency ACL rules which need to be configured to a first backup area or a second backup area;
calculating the storage space occupied in the first backup area or the second backup area by the issued high-frequency ACL rules;
and readjusting the boundary position of the redundant area according to the storage space occupied in the first backup area or the second backup area by the issued high-frequency ACL rules.
Optionally, the adjusting manner of the boundary position of the redundant area includes:
after the ACL rules to be issued have been issued to the first backup area or the second backup area, the position of the last ACL rule written is used as the boundary between the redundant area and that backup area.
The embodiment of the invention also provides an ACL rule configuration apparatus applied to a switching chip of a network device, where the ternary content addressable memory (TCAM) of the switching chip comprises a high-frequency storage area and a low-frequency storage area,
the high-frequency storage area comprises a first backup area and a second backup area, each of which has a static working state and an active working state, the first backup area and the second backup area can switch states, and at least one of them is in the active state at any moment;
the device comprises:
the detection module is used for detecting the current operating environment of the network equipment and acquiring the existing ACL rules stored in the TCAM;
the acquisition module is used for acquiring a new ACL rule added by upper software and recombining the new ACL rule with an existing ACL rule to generate an ACL rule to be issued;
and an issuing module for issuing the ACL rules to be issued: low-frequency ACL rules are issued to the low-frequency storage area, and high-frequency ACL rules are issued to the backup area that is in the static state in the high-frequency storage area.
Optionally, the apparatus further comprises:
the switching module is used for switching the working states of the first backup area and the second backup area after the ACL rule to be issued is issued to the first backup area or the second backup area;
and the filtering module is used for filtering the message according to the ACL rule stored in the backup area which is currently in the active state.
In addition, an embodiment of the present invention further provides a network device, where the network device includes a processor and a nonvolatile memory storing a plurality of computer instructions, and when the computer instructions are executed by the processor, the network device executes the ACL rule configuration method.
Compared with the prior art, the invention has the following beneficial effects:
the ACL rule configuration method provided in the embodiment of the present invention is applied to a switching chip of a network device whose TCAM comprises a high-frequency storage area and a low-frequency storage area, where the high-frequency storage area comprises a first backup area and a second backup area, each of which has a static working state and an active working state, the two backup areas can switch states, and at least one of them is in the active state at any time. The method issues the new ACL rules added by the upper-layer software to whichever of the first and second backup areas is static, so that while the ACL rules are being updated the switching device can still filter packets according to the existing ACL rules stored in the active backup area of the TCAM; once the new ACL rules have been issued, the switching device switches the working states of the first and second backup areas and then filters packets according to the new ACL rules stored in the now-active backup area. The switching device is therefore never left without ACL rules in force because the TCAM was cleared during an update, which greatly improves the security of the switching device.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a flowchart of an ACL rule configuration method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a TCAM memory partition according to an embodiment of the invention;
FIG. 3 is a schematic diagram of ACL rule sequential storage according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a method for adjusting the boundary of a redundant area according to an embodiment of the present invention;
fig. 5 is a schematic diagram of functional modules of an ACL rule configuration apparatus according to an embodiment of the present invention.
Reference numerals: 10 - high-frequency storage area; 101 - first backup area; 102 - redundant area; 103 - second backup area; 11 - low-frequency storage area; 20 - ACL rule configuration apparatus; 201 - detection module; 202 - obtaining module; 203 - issuing module; 204 - switching module; 205 - filtering module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the embodiments of the present invention, it should be noted that the terms "first", "second", and the like are named only for distinguishing different features, so as to facilitate description of the present invention and simplify description, but do not indicate or imply relative importance, and thus, should not be construed as limiting the present invention.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Example 1
Fig. 1 and fig. 2 are basic diagrams of the present embodiment, where fig. 1 is a flowchart of an ACL rule configuration method provided in the present embodiment, and fig. 2 is a schematic diagram of a TCAM storage area partition provided in the present embodiment.
The embodiment provides an ACL rule configuration method, which is applied to a switching chip of a network device, where a ternary content addressable memory TCAM of the switching chip includes a high frequency storage area 10 and a low frequency storage area 11,
the high-frequency storage area 10 includes a first backup area 101 and a second backup area 103, both the first backup area 101 and the second backup area 103 include a static working state and an active working state, the first backup area 101 and the second backup area 103 can be switched between states, and at least one of the first backup area 101 and the second backup area 103 is in an active state at any time;
the method comprises the following steps:
detecting the current operating environment of the network equipment to obtain the existing ACL rule stored in the TCAM;
acquiring a new ACL rule added by upper software, and recombining the new ACL rule with the existing ACL rule to generate an ACL rule to be issued;
and detecting whether the ACL rule to be issued is a high-frequency ACL rule or a low-frequency ACL rule, issuing it to the low-frequency storage area 11 if it is a low-frequency ACL rule, and issuing it to the backup area that is in the static state in the high-frequency storage area 10 if it is a high-frequency ACL rule.
The working principle is as follows. In the prior-art update process the ACL rules stored in the TCAM are cleared first and the new ACL rules are issued afterwards, so while the TCAM is empty the switching device has no ACL rules in force and a serious security risk exists. In the ACL rule configuration method provided by this embodiment, the TCAM is divided into a high-frequency storage area 10 and a low-frequency storage area 11, and the high-frequency storage area 10 is further divided into a first backup area 101 and a second backup area 103; each of the two backup areas has a static working state and an active working state, the two can switch states, and at least one of them is in the active state at any moment.
When the ACL rules are updated, the new ACL rule added by the upper-layer software is first obtained in step S110, and at the same time the existing ACL rules stored in the TCAM are detected; next, in step S120 the new ACL rule is recombined with the existing ACL rules to generate the ACL rules to be issued; then step S130 detects whether each ACL rule to be issued is a high-frequency or a low-frequency ACL rule. If it is a low-frequency ACL rule, step S140 issues it to the low-frequency storage area 11; if it is a high-frequency ACL rule, step S141 selects a backup area, and the rule is stored in the first backup area 101 or the second backup area 103.
If the first backup area 101 is currently static and the second backup area 103 is active, the ACL rules to be issued are written to the first backup area 101 in step S1411, while the switching chip continues to filter packets according to the existing ACL rules stored in the second backup area 103. If instead, when the backup area is selected, the second backup area 103 is static and the first backup area 101 is active, the ACL rules to be issued are written to the second backup area 103 in step S1411, while the switching chip continues to filter packets according to the existing ACL rules stored in the first backup area 101.
The ACL rule configuration method provided by the embodiment of the invention can ensure that the switching equipment can still filter messages according to the existing ACL rules stored in the backup area in the active state when the ACL rules are updated, thereby avoiding the switching equipment from being in the irregular protection state and improving the safety of the switching equipment.
In step S110, acquiring the new ACL rule and detecting the existing ACL rules stored in the TCAM may be performed at the same time or in either order: the new ACL rule added by the upper-layer software may be acquired first and the existing ACL rules in the TCAM detected afterwards, or the existing ACL rules may be detected first and the new ACL rule acquired afterwards.
In this embodiment of the present invention, the ACL rule configuration method further includes step S1412:
after the ACL rules to be issued have been issued to the first backup area 101 or the second backup area 103, the working states of the first backup area 101 and the second backup area 103 are switched. If the ACL rules were issued to the first backup area 101, then once issuing is complete the first backup area 101 is switched to the active state and the second backup area 103 to the static state, after which the switching chip filters packets according to the new ACL rules stored in the first backup area 101; at the next ACL rule update, the new ACL rules to be issued are written to the second backup area 103, and ACL rule updating and configuration proceed cyclically in this way. The same applies when the ACL rules to be issued are issued to the second backup area 103, which is not repeated here.
Optionally, to further ensure that at least one backup area is in an active state when the first backup area 101 and the second backup area 103 perform state switching, in an embodiment of the present invention, the method further includes:
when the first backup area 101 and the second backup area 103 switch states, the backup area in the static state is switched to the active state first, and only then is the backup area that was previously active switched to the static state. As soon as the static backup area has become active, the previously active backup area is switched to the static state immediately, so that it is ready to receive the new ACL rules issued at the next ACL rule update.
As shown in fig. 3, optionally, in order to ensure that the storage sequence of the ACL rules in the TCAM corresponds to the priority sequence of the ACL rules, the ACL rules to be issued are issued to the high-frequency storage area 10 or the low-frequency storage area 11 according to the priority sequence for sequential storage.
With continued reference to fig. 2, optionally, the high frequency storage region 10 further includes a redundant region 102 disposed between the first backup region 101 and the second backup region 103,
when ACL rules are issued to the first backup area 101 or the second backup area 103, they are written starting from the end of that backup area farthest from the redundant area 102 and extending toward the redundant area 102, so that when TCAM storage space is insufficient the ACL rules with the highest priority are the ones stored.
As shown in fig. 4, a schematic diagram of a method for adjusting a boundary of a redundant area 102 according to an embodiment of the present invention is provided, where in order to ensure that a storage space for storing a new ACL rule is maximized when an ACL rule is updated next time, in the embodiment of the present invention, the method further includes:
step S210, detecting the total number of the ACL rules to be issued and the number of low-frequency ACL rules in the ACL rules to be issued;
step S220, obtaining the number of high frequency ACL rules that need to be configured to the first backup area 101 or the second backup area 103;
step S230, calculating the storage space occupied in the first backup area 101 or the second backup area 103 by the issued high-frequency ACL rules;
step S240, readjusting the boundary position of the redundant area 102 according to the storage space occupied in the first backup area 101 or the second backup area 103 by the issued high-frequency ACL rules.
Optionally, in this embodiment of the present invention, the adjusting manner of the boundary position of the redundant area 102 includes:
after the ACL rules to be issued have been issued to the first backup area 101 or the second backup area 103, the position of the last ACL rule written is used as the boundary between the redundant area 102 and that backup area.
In this way the boundary position of the redundant area 102 is readjusted at every ACL rule update, so that the issued ACL rules occupy the smallest possible storage space and the largest possible storage space remains available for the ACL rules issued at the next update.
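The following Python simulation is an added example, not code from the patent or from Shenzhen Forward Industrial. It models the high-frequency storage area 10 as a slot array in which area 101 grows upward from slot 0 and area 103 grows downward from the top slot, writes the rules to be issued into the static area while the active area keeps filtering (steps S110 to S1411), performs the make-before-break switch of step S1412, and readjusts the redundant-area boundary as in steps S210 to S240. Assumed here and not specified by the patent: the slot counts, a `high_freq` flag set by the upper-layer software to classify rules, prefix matching on the source address, the ordering of high-frequency rules ahead of low-frequency ones, and a default-deny verdict.

```python
"""Simulation of the double-buffered TCAM layout described above (added example,
not the patent's or the assignee's code). Assumptions: a rule is classified by a
high_freq flag set by the upper-layer software, matching is a prefix match on the
source address, and a packet that matches no rule is denied."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    priority: int     # lower value = higher priority; stored and matched first
    src: str          # constructed source-address prefix to match
    action: str       # "permit" or "deny"
    high_freq: bool   # assumption: upper-layer software marks frequently hit rules


@dataclass
class BackupArea:
    name: str
    active: bool
    rules: List[AclRule] = field(default_factory=list)  # kept in priority order


class Tcam:
    """High-frequency area 10 = slots [0, hf_slots). Area 101 grows upward from
    slot 0, area 103 grows downward from the top slot, and the slots between the
    two boundaries form redundant area 102. Low-frequency area 11 is separate and,
    as in the patent, is written directly rather than double-buffered."""

    def __init__(self, hf_slots: int, lf_slots: int):
        self.hf_slots, self.lf_slots = hf_slots, lf_slots
        self.low: List[AclRule] = []
        self.first = BackupArea("101", active=True)
        self.second = BackupArea("103", active=False)
        self.boundary_first = 0          # first slot above area 101 (start of 102)
        self.boundary_second = hf_slots  # first slot of area 103 (end of 102)

    def active_area(self) -> BackupArea:
        return self.first if self.first.active else self.second

    def static_area(self) -> BackupArea:
        return self.second if self.first.active else self.first

    def at_least_one_active(self) -> bool:
        return self.first.active or self.second.active

    def existing_rules(self) -> List[AclRule]:
        """Step S110: the rules currently in force (active backup area + area 11)."""
        return list(self.active_area().rules) + list(self.low)

    def issue(self, new_rules: List[AclRule]) -> int:
        """Steps S120 to S1411: merge, classify, write to the static area. No state
        switch happens here, so the active area keeps filtering throughout. Returns
        how many high-frequency rules did not fit (the lowest priorities are dropped)."""
        merged = sorted(set(self.existing_rules()) | set(new_rules),
                        key=lambda r: r.priority)
        self.low = [r for r in merged if not r.high_freq][: self.lf_slots]
        high = [r for r in merged if r.high_freq]
        target = self.static_area()
        # The static area may use its own slots plus the whole redundant area,
        # but never a slot that belongs to the currently active area.
        if target is self.first:
            capacity = self.boundary_second
        else:
            capacity = self.hf_slots - self.boundary_first
        target.rules = high[:capacity]  # highest priority nearest the far end
        return len(high) - len(target.rules)

    def switch(self) -> None:
        """Step S1412: static -> active first, then old active -> static, so there
        is no instant at which both areas are static. Step S240: the position of
        the last rule written becomes the boundary with redundant area 102."""
        old_active, old_static = self.active_area(), self.static_area()
        old_static.active = True
        old_active.active = False
        if old_static is self.first:
            self.boundary_first = len(self.first.rules)
        else:
            self.boundary_second = self.hf_slots - len(self.second.rules)

    def update(self, new_rules: List[AclRule]) -> int:
        """One complete ACL rule update: issue, then switch."""
        dropped = self.issue(new_rules)
        self.switch()
        return dropped

    def redundant_slots(self) -> int:
        return self.boundary_second - self.boundary_first

    def layout(self) -> List[Optional[AclRule]]:
        """Slot -> rule for area 10; None is a free slot. Stale rules left in the
        static area stay visible until the next issue overwrites them."""
        slots: List[Optional[AclRule]] = [None] * self.hf_slots
        for i, rule in enumerate(self.first.rules):
            slots[i] = rule
        for i, rule in enumerate(self.second.rules):
            slots[self.hf_slots - 1 - i] = rule
        return slots

    def filter_packet(self, src: str) -> str:
        """Look up the active backup area, then area 11; first match wins
        (assumption: high-frequency rules rank above low-frequency ones)."""
        for rule in self.active_area().rules + self.low:
            if src.startswith(rule.src):
                return rule.action
        return "deny"  # assumption: no match means the packet is dropped
```

Calling `issue` and `switch` separately, as the test does, lets you check that the old rule set still answers lookups between the two steps, which is the property the patent is after.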
Example 2
As shown in fig. 5, an ACL rule configuration apparatus 20 is further provided in an embodiment of the present invention, and is applied to a switching chip of a network device, where a ternary content addressable memory TCAM of the switching chip includes a high frequency storage area 10 and a low frequency storage area 11,
the high-frequency storage area 10 includes a first backup area 101 and a second backup area 103, both the first backup area 101 and the second backup area 103 include a static working state and an active working state, the first backup area 101 and the second backup area 103 can be switched between states, and at least one of the first backup area 101 and the second backup area 103 is in an active state at any time;
the device comprises:
a detecting module 201, configured to detect a current operating environment of the network device, and obtain an existing ACL rule stored in the TCAM;
the obtaining module 202 is configured to obtain a new ACL rule added by upper layer software, and recombine the new ACL rule with an existing ACL rule to generate an ACL rule to be issued;
the issuing module 203 is configured to issue the ACL rules to be issued: low-frequency ACL rules are issued to the low-frequency storage area 11, and high-frequency ACL rules are issued to the backup area that is in the static state in the high-frequency storage area 10.
Optionally, in an embodiment of the present invention, the apparatus further includes:
the switching module 204 is configured to switch the working states of the first backup area 101 and the second backup area 103 after the ACL rule to be issued is issued to the first backup area 101 or the second backup area 103;
and the filtering module 205 is configured to perform message filtering according to the ACL rule stored in the backup area currently in the active state.
When the ACL rules are updated, the ACL rule configuration apparatus 20 selects the static backup area in the TCAM to store the new ACL rules, while the switching chip continues to filter packets according to the existing ACL rules stored in the active backup area of the TCAM. Once the new ACL rules have been completely issued, the working states of the first backup area 101 and the second backup area 103 are switched, and the switching chip filters packets according to the new ACL rules stored in the now-active backup area. The network device is therefore never left without ACL rules in force during an update, which removes the security risk described above.
In addition, an embodiment of the present invention further provides a network device, where the network device includes a processor and a nonvolatile memory storing a plurality of computer instructions, and when the computer instructions are executed by the processor, the network device executes the ACL rule configuration method.
In summary, the embodiments of the present invention provide an ACL rule configuration method, an apparatus, and a network device. The ACL rule configuration method issues the new ACL rules added by upper-layer software to whichever of the first and second backup areas is static, so that while the ACL rules are being updated the switching device can still filter packets according to the existing ACL rules stored in the active backup area of the TCAM; once the new ACL rules have been completely issued, the switching device switches the working states of the first and second backup areas and then filters packets according to the new ACL rules stored in the now-active backup area. The switching device is therefore never left without ACL rules in force because the TCAM was cleared during an update, which greatly improves the security of the switching device.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein, and any reference signs in the claims are not intended to be construed as limiting the claim concerned.

Claims (10)

1. An ACL rule configuration method, characterized in that the ACL rule configuration method is applied to a switching chip of a network device, a ternary content addressable memory (TCAM) of the switching chip comprises a high-frequency storage area and a low-frequency storage area,
the high-frequency storage area comprises a first backup area and a second backup area, each of which has a static working state and an active working state, the first backup area and the second backup area can switch states, and at least one of them is in the active state at any moment;
the method comprises the following steps:
detecting the current operating environment of the network equipment to obtain the existing ACL rule stored in the TCAM;
acquiring a new ACL rule added by upper software, and recombining the new ACL rule with the existing ACL rule to generate an ACL rule to be issued;
and detecting whether the ACL rule to be issued is a high-frequency ACL rule or a low-frequency ACL rule; if it is a low-frequency ACL rule, issuing it to the low-frequency storage area, and if it is a high-frequency ACL rule, issuing it to the backup area that is in the static state in the high-frequency storage area.
2. The ACL rule configuration method as claimed in claim 1, wherein said method further comprises:
when the ACL rule to be issued is issued to a first backup area or a second backup area, switching the working state of the first backup area and the second backup area;
and the switching chip filters the message according to the ACL rule stored in the backup area in the current active state.
3. The ACL rule configuration method as claimed in claim 2, wherein said method further comprises:
when the first backup area and the second backup area switch states, the backup area in the static state is first switched to the active state, and then the backup area that was in the active state at the previous moment is switched to the static state.
4. The ACL rule configuration method of claim 1, wherein the ACL rules to be issued are issued to the high-frequency storage area or the low-frequency storage area in priority order and stored sequentially.
5. The ACL rule configuration method of claim 4, wherein the high-frequency storage area further comprises a redundant area disposed between the first backup area and the second backup area,
and when ACL rules are issued to the first backup area or the second backup area, the ACL rules are arranged extending from the end of the first backup area or the second backup area far from the redundant area toward the redundant area.
6. The ACL rule configuration method as claimed in claim 5, wherein said method further comprises:
detecting the total number of ACL rules to be issued and the number of low-frequency ACL rules among the ACL rules to be issued;
acquiring the number of high-frequency ACL rules that need to be configured into the first backup area or the second backup area;
calculating the storage space used in the first backup area or the second backup area for storing the issued high-frequency ACL rules;
and readjusting the boundary position of the redundant area according to the storage space used in the first backup area or the second backup area for storing the issued high-frequency ACL rules.
7. The ACL rule configuration method according to claim 6, wherein the manner of adjusting the boundary position of the redundant area includes:
after the ACL rule to be issued has been issued to the first backup area or the second backup area, using the position of the last arranged ACL rule as the boundary between the redundant area and the first backup area or the second backup area.
8. An ACL rule configuration device, characterized in that the ACL rule configuration device is applied to a switching chip of a network device, a ternary content addressable memory (TCAM) of the switching chip comprising a high-frequency storage area and a low-frequency storage area,
the high-frequency storage area comprises a first backup area and a second backup area, each of the first backup area and the second backup area has a static working state and an active working state, the first backup area and the second backup area can switch states, and at least one of the first backup area and the second backup area is in the active state at any moment;
the device comprises:
a detection module, configured to detect the current operating environment of the network device and acquire the existing ACL rules stored in the TCAM;
an acquisition module, configured to acquire a new ACL rule added by upper-layer software and recombine the new ACL rule with the existing ACL rules to generate an ACL rule to be issued;
and an issuing module, configured to issue the ACL rule to be issued: if the ACL rule to be issued is a low-frequency ACL rule, issuing it to the low-frequency storage area, and if the ACL rule to be issued is a high-frequency ACL rule, issuing it to the backup area that is in the static state in the high-frequency storage area.
9. The ACL rule configuration device according to claim 8, further comprising:
a switching module, configured to switch the working states of the first backup area and the second backup area after the ACL rule to be issued has been issued to the first backup area or the second backup area;
and a filtering module, configured to filter packets according to the ACL rules stored in the backup area currently in the active state.
10. A network device comprising a processor and a non-volatile memory storing computer instructions,
the computer instructions, when executed by the processor, cause the network device to perform the ACL rule configuration method of any one of claims 1-7.
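As an added example (not the patent's code), the following Python model of claims 1 to 7 shows the A/B double-buffered high-frequency area, priority-ordered placement that grows toward the redundant area, the boundary update after each issue, and the switch order that keeps one backup area active at all times; the area sizes, rule names and the `high_freq` flag are constructed assumptions.

```python
# Constructed model of the A/B double-buffered TCAM from claims 1-7 (not the patent's code).
from dataclasses import dataclass

STATIC, ACTIVE = "static", "active"

@dataclass
class Rule:
    name: str
    priority: int      # lower value is matched first (claim 4 ordering)
    high_freq: bool    # frequently hit rules belong in the high-frequency area

class Tcam:
    def __init__(self, hf_size, lf_size):
        self.hf = [None] * hf_size                   # high-frequency area: A | redundant | B
        self.lf_size, self.low_freq = lf_size, []    # low-frequency area, priority ordered
        self.state, self.boundary = {"A": ACTIVE, "B": STATIC}, {}   # boundary: claim 7

    def area(self, state):
        return next(a for a, s in self.state.items() if s == state)

    def rules_in(self, area):
        return sorted((s[1] for s in self.hf if s and s[0] == area), key=lambda r: r.priority)

    def issue(self, new_rules):
        """Claim 1: merge new rules with the live set, then program each by frequency."""
        existing = self.low_freq + self.rules_in(self.area(ACTIVE))
        merged = {r.name: r for r in existing + new_rules}          # a redefined rule wins
        ordered = sorted(merged.values(), key=lambda r: r.priority)
        low = [r for r in ordered if not r.high_freq]
        high = [r for r in ordered if r.high_freq]
        target, live = self.area(STATIC), self.area(ACTIVE)
        # Claim 6: the new set must fit beside the live one without crossing the redundant area.
        if len(low) > self.lf_size or len(high) + len(self.rules_in(live)) > len(self.hf):
            raise ValueError("TCAM full: redundant area exhausted")
        self.low_freq = low
        # Claim 5: A grows up from slot 0, B down from the top slot, both toward the middle.
        step, pos = (1, 0) if target == "A" else (-1, len(self.hf) - 1)
        self.hf = [None if s and s[0] == target else s for s in self.hf]  # drop the stale copy
        for r in high:
            self.hf[pos] = (target, r)
            pos += step
        self.boundary[target] = pos - step if high else None          # claim 7: last slot used
        self.switch()

    def switch(self):
        old, new = self.area(ACTIVE), self.area(STATIC)
        self.state[new] = ACTIVE   # claim 3: activate first, so one area is always live
        self.state[old] = STATIC

    def active_rules(self):        # claim 2: the chip filters with the active area + low-freq area
        return self.rules_in(self.area(ACTIVE)) + self.low_freq
```

A failed issue raises before any slot is written, so the live backup area keeps serving the previous rule set.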
CN201810581820.2A 2018-06-07 2018-06-07 ACL rule configuration method, device and network equipment Active CN108769045B (en)

Publications (2)

Publication Number Publication Date
CN108769045A CN108769045A (en) 2018-11-06
CN108769045B true CN108769045B (en) 2020-09-29

Family

ID=64000403

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant