CN109088824B - Message processing method and device - Google Patents


Info

Publication number
CN109088824B
Authority
CN
China
Prior art keywords
mac address
message
equipment
layer network
forwarding
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811256449.9A
Other languages
Chinese (zh)
Other versions
CN109088824A (en)
Inventor
仇宏迪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201811256449.9A
Publication of CN109088824A
Application granted
Publication of CN109088824B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing

Abstract

The embodiments of the present application provide a packet processing method and device. The method comprises: receiving a packet from an intranet device forwarded by a Layer 3 network device; determining a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its Media Access Control (MAC) address; determining, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet; and processing the packet according to the target forwarding policy. With the scheme provided by the embodiments of the present application, forwarding control of packets from a device can be achieved even when the IP address of the device changes dynamically.

Description

Message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a packet.
Background
In the existing networking, forwarding control equipment (such as a firewall, a controller, etc.) may perform forwarding control on a packet according to attribute information of the packet, so as to implement a prevention and control policy. When forwarding control is performed on a packet, a forwarding policy for the packet may be determined according to five-tuple information of the packet and a correspondence between an application carried on a protocol and the forwarding policy. The method can meet the requirement of message forwarding control under most conditions.
When forwarding control must be applied precisely to the packets of a single intranet device, the source Internet Protocol (IP) address is usually used as the filtering condition. However, when the IP address of the intranet device changes dynamically, the source IP address of the packets sent by that device changes as well. In this case, forwarding control cannot be applied to the packets sent by a single device according to the source IP address of the packets.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for processing a packet, so as to implement forwarding control on a packet from a device when an IP address of the device changes dynamically.
In a first aspect, an embodiment of the present application provides a packet processing method, applied to a forwarding control device, the method including:
receiving a packet from an intranet device forwarded by a Layer 3 network device;
determining a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its Media Access Control (MAC) address;
determining, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet;
and processing the packet according to the target forwarding policy.
In a second aspect, an embodiment of the present application provides a packet processing apparatus, applied to a forwarding control device, the apparatus including:
a receiving module, configured to receive a packet from an intranet device forwarded by a Layer 3 network device;
a first determining module, configured to determine a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its MAC address;
a second determining module, configured to determine, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet;
and a processing module, configured to process the packet according to the target forwarding policy.
In a third aspect, an embodiment of the present application provides a forwarding control device, which includes a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the packet processing method provided by the first aspect.
In a fourth aspect, an embodiment of the present application provides a machine-readable storage medium storing a computer program which, when executed by a processor, implements the packet processing method provided by the first aspect.
According to the packet processing method and device provided by the embodiments of the present application, when a packet from an intranet device forwarded by a Layer 3 network device is received, a first MAC address of the intranet device can be determined from a first correspondence between each intranet device and its MAC address, the forwarding policy corresponding to the first MAC address in a second correspondence between MAC addresses and forwarding policies is determined as the target forwarding policy, and the packet is processed according to the target forwarding policy. When the IP address of a device changes dynamically, the IP address cannot be used to locate the device; because the MAC address is the fixed, unchanging address of the device, forwarding packets according to the correspondence between MAC addresses and forwarding policies allows forwarding control to be applied to packets from the device that needs to be controlled. Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of a message processing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a scenario in which an embodiment of the present application is applied;
Fig. 3 is a schematic diagram of another scenario in which embodiments of the present application are applied;
Fig. 4 is a schematic diagram of an interaction of a device according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a forwarding control device according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the described embodiments are merely a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To implement forwarding control on packets from a device when the IP address of the device changes dynamically, embodiments of the present application provide a packet processing method and apparatus. The present application is described in detail below with reference to specific examples.
Fig. 1 is a schematic flowchart of a packet processing method according to an embodiment of the present application. The method is applied to a forwarding control device. A forwarding control device may be understood as a device that has a forwarding control function for packets; for example, it may be a firewall, a Software Defined Network (SDN) controller, a router, and the like. The method includes the following steps.
Step S101: receive a packet from an intranet device forwarded by a Layer 3 network device.
The packet may carry a source address. The source address includes a source Internet Protocol (IP) address and a source Media Access Control (MAC) address. The source IP address of the packet is the address of the intranet device, and the source MAC address is the MAC address of the Layer 3 network device.
The intranet device may be understood as a terminal device in an intranet. The terminal device may be an ordinary computer, a tablet computer, or another device. Referring to Fig. 2, which is a schematic diagram of a scenario to which the embodiment of the present application is applied, terminal devices in the intranet access the extranet through the Layer 3 network device and then the firewall. Here the firewall may be understood as the forwarding control device of this embodiment, but the forwarding control device of this embodiment is not limited to a firewall.
A Layer 3 network device is a device that works at the network layer; a router is a common Layer 3 network device. A Layer 3 network device can use the IDentification (ID) numbers (i.e., IP addresses) of different networks to forward packets, that is, it can forward a packet according to the packet's IP address. The IP address of a device is implemented in software and may describe the network in which the device is located.
This embodiment can be understood with reference to the scenario shown in Fig. 2. When the intranet device needs to send a first packet to the outside, it may send the first packet to the Layer 3 network device. The source IP address of the first packet is the IP address of the intranet device, and the source MAC address is the MAC address of the intranet device. When the Layer 3 network device receives the first packet sent by the intranet device, it replaces the source MAC address in the first packet with its own MAC address to obtain the packet, and sends the packet to the forwarding control device. The forwarding control device is the firewall in Fig. 2.
The packet from the intranet device received by the forwarding control device may also carry a destination IP address, a destination MAC address, and the like.
Step S102: determine a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its MAC address.
The following example shows how the first MAC address of the intranet device is determined. Suppose the first correspondence includes: intranet device 1 corresponds to MAC4, intranet device 2 corresponds to MAC3, and intranet device 3 corresponds to MAC2. When the intranet device is intranet device 1, the first MAC address is MAC4.
The Layer 3 network device can store the MAC address of each intranet device when it receives a packet from that intranet device. Specifically, the Layer 3 network device may store a first correspondence between the IP address and the MAC address of each intranet device.
To obtain the first correspondence from the Layer 3 network device, the forwarding control device may send a request packet for the first correspondence to the Layer 3 network device and receive the first correspondence that the Layer 3 network device sends in response to the request packet. The forwarding control device may obtain the first correspondence from the Layer 3 network device periodically.
The request packet may be a Simple Network Management Protocol (SNMP) request message.
The first correspondence may be stored in the forwarding control device in the form of a table. For example, it may be stored in an Address Resolution Protocol (ARP) table, in which the correspondence between each intranet device and its MAC address is one ARP entry.
The first correspondence may be stored in the memory of the forwarding control device using a hash table data structure, which improves query efficiency.
In an embodiment, for ease of implementation, the first correspondence may be a correspondence between the IP address and the MAC address of each intranet device. In that case, the first MAC address of the intranet device is determined as the MAC address that corresponds to the source IP address of the packet in the first correspondence obtained from the Layer 3 network device. The IP address of the intranet device may change dynamically.
For example, in one application scenario of this embodiment there are 10 terminal devices in an intranet, and the 10 terminal devices share 5 IP addresses. Suppose the MAC address of a terminal device is MAC1; when it needs to connect to the network, it can obtain an IP address through dynamic IP address updating. The terminal device may therefore be assigned different IP addresses at different times. After the terminal device is assigned the IP address IP1, it can send the correspondence between its IP address and its MAC address (the correspondence between IP1 and MAC1) to the Layer 3 network device via ARP. The Layer 3 network device may generate an ARP entry after receiving the correspondence. The terminal device sends a first packet with source IP address IP1 and source MAC address MAC1 to the external network. After receiving the first packet, the Layer 3 network device determines the egress port for the first packet according to the packet's destination IP address, replaces the source MAC address MAC1 of the first packet with the MAC address of the egress port (assumed to be MACT), and sends the resulting packet (source IP address IP1, source MAC address MACT) to the forwarding control device. The forwarding control device receives the packet sent by the Layer 3 network device. The source MAC address of this packet is the MAC address of the Layer 3 network device, not the MAC address of the intranet device. To determine the MAC address of the intranet device, the first MAC address corresponding to the source IP address of the packet may be determined according to the ARP entry obtained from the Layer 3 network device; this first MAC address is the MAC address of the intranet device.
A MAC address may also be referred to as a physical address and identifies the terminal device. Generally, the physical address is a preset number of the terminal device that does not change, so using the MAC address to represent the terminal device allows the specific terminal device to be located more accurately.
Step S103: determine, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet.
The forwarding policy may be pass (release) or intercept. The forwarding policy corresponding to a MAC address may be understood as the forwarding policy for the intranet device that has that MAC address. It indicates whether packets of the intranet device are passed (i.e., the device is allowed to access the internet) or intercepted (i.e., the device is not allowed to access the internet).
After receiving the first correspondence sent by the Layer 3 network device, the forwarding control device may determine the second correspondence between MAC addresses and forwarding policies according to the MAC addresses in the first correspondence and the forwarding policy set for each intranet device. For example, when the forwarding policy for intranet device A is pass, the forwarding policy corresponding to the MAC address of intranet device A is determined to be pass.
Step S104: process the packet according to the target forwarding policy.
Specifically, the packet may be passed or intercepted according to the target forwarding policy.
When it is determined that the packet is to be passed, the forwarding control device may replace the source MAC address of the packet with the MAC address of its own output port and forward the packet, with the MAC address replaced, through that output port.
As can be seen from the above, in this embodiment, when a packet from an intranet device forwarded by a Layer 3 network device is received, a first MAC address of the intranet device is determined from a first correspondence between each intranet device and its MAC address, the forwarding policy corresponding to the first MAC address in a second correspondence between MAC addresses and forwarding policies is determined as the target forwarding policy, and the packet is processed according to the target forwarding policy. When the IP address of a device changes dynamically, the IP address cannot be used to locate the device; because the MAC address is the fixed, unchanging address of the device, forwarding packets according to the correspondence between MAC addresses and forwarding policies allows forwarding control to be applied to packets from the device that needs to be controlled.
To achieve more precise point-to-point communication control between terminal devices, the second correspondence may be a correspondence among a source MAC address, a destination MAC address, and a forwarding policy.
Before the target forwarding policy is determined, that is, before step S103, a second MAC address of the destination device of the packet may also be determined according to a third correspondence, obtained from other Layer 3 network devices, between each destination device and its MAC address.
Correspondingly, step S103 is specifically: in the predetermined second correspondence among source MAC address, destination MAC address, and forwarding policy, determine the forwarding policy by taking the first MAC address as the source MAC address and the second MAC address as the destination MAC address, and use that forwarding policy as the target forwarding policy for the packet.
The other Layer 3 network devices are different from the Layer 3 network device. They may be Layer 3 network devices located in an external network or in other local area networks. The other local area networks are different from the local area network where the Layer 3 network device is located. The destination device of the packet may be an extranet device, or a device in another local area network connected to the local area network where the source device of the packet is located.
Fig. 3 is a schematic diagram of a scenario to which this embodiment is applied. Fig. 3 includes intranet 1, intranet 2, intranet 3, and intranet 4. Each intranet is a different department of a company. The terminal devices in each intranet are connected to a common firewall through the Layer 3 network device of that intranet. The firewall can obtain the correspondence between the IP address and the MAC address of the terminal devices of each intranet from Layer 3 network devices 1, 2, 3, and 4, and configure the correspondence among source MAC address, destination MAC address, and forwarding policy according to the sending and receiving devices that need to be controlled. For example, if terminal device 1 (MAC1) is allowed to communicate with terminal device 3 (MAC3) and is not allowed to communicate with terminal device 4 (MAC4), the forwarding policy for source MAC1 and destination MAC3 may be configured as pass, and the forwarding policy for source MAC1 and destination MAC4 may be configured as intercept.
In this embodiment, configuring the correspondence among source MAC address, destination MAC address, and forwarding policy enables access control between different terminal devices, that is, more precise peer-to-peer communication control between devices in different local area networks.
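The lookup in steps S101 to S104, together with the source/destination MAC pair variant just described, as an added example that is not part of the patent text. The class and function names, the fail-closed default for unknown or stale ARP entries, the `max_age` value, the device labels and every address are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PASS, INTERCEPT = "pass", "intercept"


def normalize_mac(mac: str) -> str:
    """Canonicalise AA-BB-.., aabb.ccdd.eeff or aa:bb:.. to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str  # after the Layer 3 hop: the router's egress MAC, not the host's
    dst_ip: str


@dataclass
class ArpEntry:
    mac: str
    device: str        # Layer 3 device that reported the entry
    learned_at: float  # time of the poll that returned it


class ForwardingControl:
    def __init__(self, default_policy: str = INTERCEPT, max_age: float = 300.0):
        self.arp: Dict[str, ArpEntry] = {}             # first/third correspondence
        self.by_mac: Dict[str, str] = {}               # second correspondence
        self.by_pair: Dict[Tuple[str, str], str] = {}  # (src MAC, dst MAC) variant
        self.default_policy = default_policy  # assumption: fail closed
        self.max_age = max_age                # assumption: seconds until stale

    def refresh_arp(self, device: str, snapshot: Dict[str, str], now: float) -> None:
        """Store one poll result, replacing everything learned from that device."""
        self.arp = {ip: e for ip, e in self.arp.items() if e.device != device}
        for ip, mac in snapshot.items():
            self.arp[ip] = ArpEntry(normalize_mac(mac), device, now)

    def set_policy(self, src_mac: str, policy: str, dst_mac: Optional[str] = None) -> None:
        if policy not in (PASS, INTERCEPT):
            raise ValueError(f"unknown policy: {policy!r}")
        if dst_mac is None:
            self.by_mac[normalize_mac(src_mac)] = policy
        else:
            self.by_pair[(normalize_mac(src_mac), normalize_mac(dst_mac))] = policy

    def resolve(self, ip: str, now: float) -> Optional[str]:
        """IP -> MAC, or None when the entry is missing or older than max_age."""
        entry = self.arp.get(ip)
        if entry is None or now - entry.learned_at > self.max_age:
            return None
        return entry.mac

    def decide(self, pkt: Packet, now: float) -> str:
        """Steps S102-S103: pkt.src_mac is ignored; policy follows the ARP-learned MAC."""
        src_mac = self.resolve(pkt.src_ip, now)
        if src_mac is None:
            return self.default_policy
        dst_mac = self.resolve(pkt.dst_ip, now)
        if dst_mac is not None and (src_mac, dst_mac) in self.by_pair:
            return self.by_pair[(src_mac, dst_mac)]
        return self.by_mac.get(src_mac, self.default_policy)


def demo() -> Dict[str, str]:
    # Constructed sample data: locally administered MACs, private and documentation IPs.
    mac1, mac2, mac3, mac4 = (f"02:00:00:00:00:0{i}" for i in range(1, 5))
    router_mac, external = "02:00:00:00:00:ff", "203.0.113.9"
    fw = ForwardingControl()
    fw.set_policy(mac1, INTERCEPT)
    fw.set_policy(mac2, PASS)
    fw.set_policy(mac1, PASS, dst_mac=mac3)
    fw.set_policy(mac1, INTERCEPT, dst_mac=mac4)
    fw.refresh_arp("l3-1", {"10.0.1.10": mac1}, now=0)
    fw.refresh_arp("l3-2", {"10.0.2.3": "02-00-00-00-00-03", "10.0.2.4": mac4}, now=0)

    out = {}
    out["mac1_on_ip1"] = fw.decide(Packet("10.0.1.10", router_mac, external), now=10)
    out["mac1_to_mac3"] = fw.decide(Packet("10.0.1.10", router_mac, "10.0.2.3"), now=10)
    out["mac1_to_mac4"] = fw.decide(Packet("10.0.1.10", router_mac, "10.0.2.4"), now=10)
    # Address reassignment: MAC1 moves to .11 and .10 is handed to MAC2.
    fw.refresh_arp("l3-1", {"10.0.1.11": mac1, "10.0.1.10": mac2}, now=60)
    out["mac2_on_ip1"] = fw.decide(Packet("10.0.1.10", router_mac, external), now=70)
    out["mac1_on_ip2"] = fw.decide(Packet("10.0.1.11", router_mac, external), now=70)
    out["mac1_ip2_to_mac3"] = fw.decide(Packet("10.0.1.11", router_mac, "10.0.2.3"), now=70)
    out["unknown_ip"] = fw.decide(Packet("10.0.1.99", router_mac, external), now=70)
    out["stale_entry"] = fw.decide(Packet("10.0.1.10", router_mac, external), now=1000)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

The verdict for a given IP changes as soon as the polled ARP snapshot changes, so the decision is only as current and as trustworthy as the ARP data reported by the Layer 3 device; the stale-entry case shows why an age limit on entries matters.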
When the networking system includes multiple forwarding control devices, the forwarding control device may obtain the third correspondence of other Layer 3 network devices as forwarded by other forwarding control devices, and may do so periodically. The other forwarding control devices are different from the forwarding control device.
The forwarding control device may determine the correspondence among source MAC address, destination MAC address, and forwarding policy according to the MAC addresses in the first correspondence and the third correspondence and the forwarding policies set for each terminal device.
The forwarding control device may further send the first correspondence to the other forwarding control devices in the network, so that they can determine the MAC address of the destination device of a packet according to the first correspondence and determine the forwarding policy according to the MAC address of the source device and the MAC address of the destination device.
There may be multiple firewalls (i.e., forwarding control devices) in the application scenario shown in Fig. 3; that is, there is at least one firewall at the edge of each intranet, and the firewalls of the intranets are connected to each other. The firewall devices can therefore update their data by exchanging ARP entries and ensure point-to-point forwarding control as far as possible.
In this embodiment, the forwarding control devices in the network may synchronize ARP entry data by exchanging data at regular intervals, so that the ARP entry data is updated in time and real-time control of packets is achieved.
The present application is described in detail below with reference to the device interaction diagram shown in Fig. 4.
After an intranet device obtains its allocated IP address, it can send its IP address and the corresponding MAC address to the Layer 3 network device via ARP. When the Layer 3 network device receives the MAC address corresponding to the IP address sent by the intranet device, it can generate or update the ARP entry. The forwarding control device may periodically send SNMP request messages to the Layer 3 network device. When the Layer 3 network device receives an SNMP request message from the forwarding control device, it returns the ARP entries it has stored to the forwarding control device. On receiving the ARP entries sent by the Layer 3 network device, the forwarding control device stores them in memory and can formulate the forwarding policy corresponding to each MAC address according to the obtained ARP entries.
The intranet device can send a packet to an extranet device. When the packet passes through the Layer 3 network device, its source MAC address is replaced with the MAC address of the output port of the Layer 3 network device, and the Layer 3 network device sends it to the forwarding control device. The forwarding control device determines the MAC address corresponding to the source IP address of the packet according to the ARP entries stored in memory, matches the determined MAC address against the forwarding policies formulated for MAC addresses, and processes the packet according to the forwarding policy that matches.
Fig. 5 is a schematic structural diagram of a packet processing apparatus according to an embodiment of the present application. The apparatus is applied to a forwarding control device. The forwarding control device may be a firewall, an SDN controller, a router, and the like. This embodiment corresponds to the method embodiment shown in Fig. 1, and the apparatus includes:
a receiving module 501, configured to receive a packet from an intranet device forwarded by a Layer 3 network device;
a first determining module 502, configured to determine a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its MAC address;
a second determining module 503, configured to determine, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet;
a processing module 504, configured to process the packet according to the target forwarding policy.
In another embodiment of the present application, based on the embodiment shown in Fig. 5, the apparatus further includes a third determining module (not shown in the figure) before the second determining module 503; the third determining module may be before or after the first determining module 501.
The third determining module is configured to determine, before the target forwarding policy is determined, a second MAC address of the destination device of the packet according to a third correspondence, obtained from other Layer 3 network devices, between each destination device and its MAC address;
the second determining module 503 is specifically configured to, in a predetermined second correspondence among source MAC address, destination MAC address, and forwarding policy, take the forwarding policy determined with the first MAC address as the source MAC address and the second MAC address as the destination MAC address as the target forwarding policy for the packet.
In another embodiment of the present application, based on the embodiment shown in Fig. 5, the apparatus further includes an obtaining module (not shown in the figure), configured to obtain the third correspondence from other Layer 3 network devices by the following operation: obtaining the third correspondence of other Layer 3 network devices as forwarded by other forwarding control devices;
the apparatus further includes a sending module (not shown in the figure), configured to send the first correspondence to the other forwarding control devices.
In another embodiment of the present application, based on the embodiment shown in Fig. 5, the first determining module 502 is specifically configured to:
determine the MAC address corresponding to the source IP address of the packet as the first MAC address of the intranet device according to the first correspondence, obtained from the Layer 3 network device, between the IP address and the MAC address of each intranet device.
Since the apparatus embodiment is derived from the method embodiment and has the same technical effect as the method, its technical effect is not described again here. Because the apparatus embodiment is substantially similar to the method embodiment, it is described relatively briefly; for relevant points, refer to the description of the method embodiment.
Fig. 6 is a schematic structural diagram of a forwarding control device according to an embodiment of the present application. The forwarding control device includes a processor 601 and a machine-readable storage medium 602. The machine-readable storage medium 602 stores machine-executable instructions executable by the processor 601, and the machine-executable instructions cause the processor 601 to implement the packet processing method provided by the embodiments of the present application. The packet processing method includes:
receiving a packet from an intranet device forwarded by a Layer 3 network device;
determining a first MAC address of the intranet device according to a first correspondence, obtained from the Layer 3 network device, between each intranet device and its Media Access Control (MAC) address;
determining, in a predetermined second correspondence between MAC addresses and forwarding policies, the forwarding policy corresponding to the first MAC address as the target forwarding policy for the packet;
and processing the packet according to the target forwarding policy.
The machine-readable storage medium 602 may include a Random Access Memory (RAM) and a Non-Volatile Memory (NVM), such as at least one disk Memory. Alternatively, the machine-readable storage medium 602 may also be at least one storage device located remotely from the aforementioned processor 601.
The processor 601 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, when a message from an intranet device forwarded by a three-layer network device is received, the first MAC address of the intranet device is determined from the first corresponding relationship between each intranet device and its MAC address; the forwarding policy corresponding to the first MAC address in the second corresponding relationship between MAC addresses and forwarding policies is determined as the target forwarding policy; and the message is processed according to the target forwarding policy. When the IP address of a device changes dynamically, the IP address can no longer identify the corresponding device. Because the MAC address is the fixed and unchangeable address of the device, forwarding messages according to the corresponding relationship between MAC addresses and forwarding policies allows messages from a device that needs to be controlled to be forwarded and controlled.
The embodiment of the application provides a machine-readable storage medium, wherein a computer program is stored in the machine-readable storage medium, and when being executed by a processor, the computer program realizes the message processing method provided by the embodiment of the application. The message processing method comprises the following steps:
receiving a message from an intranet device forwarded by a three-layer network device;
determining a first MAC address of the intranet equipment according to a first corresponding relation between each intranet equipment and a Media Access Control (MAC) address acquired from the three-layer network equipment;
determining a forwarding strategy corresponding to the first MAC address in a second corresponding relation between a predetermined MAC address and the forwarding strategy as a target forwarding strategy corresponding to the message;
and processing the message according to the target forwarding strategy.
In this embodiment, when a message from an intranet device forwarded by a three-layer network device is received, the first MAC address of the intranet device is determined from the first corresponding relationship between each intranet device and its MAC address; the forwarding policy corresponding to the first MAC address in the second corresponding relationship between MAC addresses and forwarding policies is determined as the target forwarding policy; and the message is processed according to the target forwarding policy. When the IP address of a device changes dynamically, the IP address can no longer identify the corresponding device. Because the MAC address is the fixed and unchangeable address of the device, forwarding messages according to the corresponding relationship between MAC addresses and forwarding policies allows messages from a device that needs to be controlled to be forwarded and controlled.
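The lookup chain described above, sketched as an added example that is not part of the patent text: the frame's source MAC is the three-layer device's own address, so the original MAC is recovered from the source IP through the first corresponding relationship and the policy is then selected by MAC (with the optional destination MAC from the third corresponding relationship). All names, addresses, the `"default"` result on a lookup miss, and the one-IP-per-MAC rule are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_POLICY = "default"            # assumption: the page does not define a lookup miss
L3_DEVICE_MAC = "02:00:00:00:00:fe"   # constructed: MAC of the three-layer device


def norm(mac: str) -> str:
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' hit the same table key."""
    return mac.lower().replace("-", ":")


@dataclass
class ForwardingControl:
    first: Dict[str, str] = field(default_factory=dict)   # intranet IP -> MAC
    third: Dict[str, str] = field(default_factory=dict)   # destination IP -> MAC
    second: Dict[Tuple[str, Optional[str]], str] = field(default_factory=dict)

    def sync_first(self, ip: str, mac: str) -> None:
        """Record an IP/MAC pair reported by the three-layer device."""
        mac = norm(mac)
        # Assumption: one current IP per MAC, so an older lease is dropped.
        for old_ip in [k for k, v in self.first.items() if v == mac]:
            del self.first[old_ip]
        self.first[ip] = mac

    def sync_third(self, ip: str, mac: str) -> None:
        """Record a destination IP/MAC pair relayed from another device."""
        self.third[ip] = norm(mac)

    def add_policy(self, src_mac: str, policy: str, dst_mac: Optional[str] = None) -> None:
        self.second[(norm(src_mac), norm(dst_mac) if dst_mac else None)] = policy

    def decide(self, pkt: dict) -> str:
        # pkt["src_mac"] is ignored on purpose: it was rewritten in transit.
        src = self.first.get(pkt["src_ip"])
        if src is None:
            return DEFAULT_POLICY
        dst = self.third.get(pkt["dst_ip"])
        if dst is not None and (src, dst) in self.second:
            return self.second[(src, dst)]          # source+destination match
        return self.second.get((src, None), DEFAULT_POLICY)


def demo() -> tuple:
    fc = ForwardingControl()
    host = "AA-BB-CC-00-00-01"                      # constructed intranet device
    fc.add_policy(host, "deny")
    fc.add_policy(host, "permit", dst_mac="aa:bb:cc:00:00:99")
    fc.sync_first("10.0.0.5", host)
    fc.sync_third("192.168.1.9", "aa:bb:cc:00:00:99")
    pkt = {"src_mac": L3_DEVICE_MAC, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"}
    before = fc.decide(pkt)
    fc.sync_first("10.0.0.77", host)                # address changes, MAC does not
    after = fc.decide({**pkt, "src_ip": "10.0.0.77"})
    stale = fc.decide(pkt)                          # old IP no longer maps to the host
    pair = fc.decide({**pkt, "src_ip": "10.0.0.77", "dst_ip": "192.168.1.9"})
    return before, after, stale, pair
```

The decision is only as reliable as the IP/MAC pairs the three-layer device recorded, since `decide` never sees the original frame.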
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. A message processing method, applied to a forwarding control device, characterized in that the method comprises the following steps:
receiving a message from an intranet device forwarded by a three-layer network device;
determining a first MAC address of the intranet equipment according to a first corresponding relation between each intranet equipment and a Media Access Control (MAC) address acquired from the three-layer network equipment; the message from the intranet equipment forwarded by the three-layer network equipment is obtained by replacing a source MAC address in a first message with an MAC address of the three-layer network equipment when the three-layer network equipment receives the first message from the intranet equipment, and the first corresponding relationship is stored when the three-layer network equipment receives the first message from each intranet equipment;
determining a forwarding strategy corresponding to the first MAC address in a second corresponding relation between a predetermined MAC address and the forwarding strategy as a target forwarding strategy corresponding to the message;
and processing the message according to the target forwarding strategy.
2. The method of claim 1, wherein prior to determining the target forwarding policy, the method further comprises:
determining a second MAC address of the destination device of the message according to a third corresponding relation between each destination device and the MAC address acquired from other three-layer network devices;
the step of determining, in a second correspondence between a predetermined MAC address and a forwarding policy, the forwarding policy corresponding to the first MAC address as a target forwarding policy corresponding to the packet includes:
and in a second corresponding relation among a predetermined source MAC address, a predetermined destination MAC address and a predetermined forwarding strategy, taking the first MAC address as the source MAC address, taking the second MAC address as the destination MAC address to determine the forwarding strategy, and taking the forwarding strategy as a target forwarding strategy corresponding to the message.
3. The method according to claim 2, wherein the third correspondence is obtained from other three-layer network devices in the following manner:
acquiring a third corresponding relation from other three-layer network equipment forwarded by other forwarding control equipment;
the method further comprises the following steps:
and sending the first corresponding relation to the other forwarding control equipment.
4. The method according to claim 1, wherein the step of determining the first MAC address of the intranet device according to the first corresponding relationship between each intranet device and the MAC address acquired from the three-layer network device comprises:
and determining the MAC address corresponding to the source IP address of the message as the first MAC address of the intranet equipment according to the first corresponding relation between the Internet protocol IP address and the MAC address of each intranet equipment acquired from the three-layer network equipment.
5. A message processing apparatus, applied to a forwarding control device, the apparatus comprising:
the receiving module is used for receiving the message from the intranet equipment forwarded by the three-layer network equipment;
the first determining module is used for determining a first MAC address of the intranet equipment according to a first corresponding relation between each intranet equipment and the MAC address acquired from the three-layer network equipment; the message from the intranet equipment forwarded by the three-layer network equipment is obtained by replacing a source MAC address in a first message with an MAC address of the three-layer network equipment when the three-layer network equipment receives the first message from the intranet equipment, and the first corresponding relationship is stored when the three-layer network equipment receives the first message from each intranet equipment;
a second determining module, configured to determine, in a second correspondence between a predetermined MAC address and a forwarding policy, the forwarding policy corresponding to the first MAC address as a target forwarding policy corresponding to the packet;
and the processing module is used for processing the message according to the target forwarding strategy.
6. The apparatus of claim 5, wherein prior to the second determining module, the apparatus further comprises: a third determination module;
the third determining module is configured to determine, before determining the target forwarding policy, a second MAC address of the destination device of the packet according to a third correspondence between each destination device and an MAC address acquired from other three-layer network devices;
the second determining module is specifically configured to use, in a second correspondence between a predetermined source MAC address, a predetermined destination MAC address, and a forwarding policy, the forwarding policy determined by using the first MAC address as the source MAC address and using the second MAC address as the destination MAC address as a target forwarding policy corresponding to the packet.
7. The apparatus of claim 6, further comprising: an acquisition module;
the obtaining module is configured to obtain the third corresponding relationship from other three-layer network devices by using the following operations: acquiring a third corresponding relation from other three-layer network equipment forwarded by other forwarding control equipment;
the device further comprises: a sending module;
the sending module is configured to send the first corresponding relationship to the other forwarding control devices.
8. The apparatus of claim 5, wherein the first determining module is specifically configured to:
and determining the MAC address corresponding to the source IP address of the message as the first MAC address of the intranet equipment according to the first corresponding relation between the IP address and the MAC address of each intranet equipment acquired from the three-layer network equipment.
9. A forwarding control apparatus, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to carry out the method steps of any one of claims 1 to 4.
10. A machine readable storage medium, characterized in that a computer program is stored in the machine readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 4.
CN201811256449.9A 2018-10-26 2018-10-26 Message processing method and device Active CN109088824B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811256449.9A CN109088824B (en) 2018-10-26 2018-10-26 Message processing method and device

Publications (2)

Publication Number Publication Date
CN109088824A CN109088824A (en) 2018-12-25
CN109088824B true CN109088824B (en) 2021-02-23

Family

ID=64844193

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811256449.9A Active CN109088824B (en) 2018-10-26 2018-10-26 Message processing method and device

Country Status (1)

Country Link
CN (1) CN109088824B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110620729A (en) * 2019-10-25 2019-12-27 新华三信息安全技术有限公司 Message forwarding method and device and message forwarding equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789942A (en) * 2010-01-29 2010-07-28 蓝盾信息安全技术股份有限公司 Method for preventing sensitive data from betraying confidential matters and device thereof
CN101835145A (en) * 2010-03-30 2010-09-15 北京傲天动联技术有限公司 User information management method based on thin AP
CN103580930A (en) * 2013-11-22 2014-02-12 汉柏科技有限公司 Method and system for controlling network management
CN108600415A (en) * 2018-05-28 2018-09-28 郑州云海信息技术有限公司 A kind of virtual network accesses method, system and the SDN controllers of outer net

Also Published As

Publication number Publication date
CN109088824A (en) 2018-12-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant