CN109547257A - Method for controlling network flow, device, equipment, system and storage medium (Google Patents)

Publication number: CN109547257A (granted version: CN109547257B)
Application number: CN201811483441.6A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 黄楷
Assignee (original and current): WeBank Co Ltd
Legal status: granted, active
Legal events: application filed by WeBank Co Ltd; priority to CN201811483441.6A; publication of CN109547257A; application granted; publication of CN109547257B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control

Abstract

The invention discloses a network flow control method. The method comprises: when packet-volume alarm information for a target network device is detected, obtaining preset configuration information corresponding to that alarm information; encapsulating the configuration information into a remote procedure call (rpc) message based on the NETCONF protocol; and delivering the rpc message to the target network device, so that the target network device performs the corresponding emergency network flow control operation according to the rpc message. The invention also discloses a network flow control apparatus, device, system and storage medium. The invention achieves efficient, accurate, stable and low-cost flow control of the network devices under a bank's basic network architecture.

Description

Network flow control method, apparatus, device, system and storage medium

Technical field

The present invention relates to the field of communication technology, and in particular to a network flow control method, apparatus, device, system and storage medium.

Background

At present there are two main approaches to taking emergency action based on network traffic monitoring:

First: traffic is monitored with SNMP (Simple Network Management Protocol); then, based on the notifications produced by monitoring, an operator logs in to a traditional switch from a jump server using the traditional CLI (command-line interface) and performs the corresponding emergency operations. This is currently the most widely used approach in the infrastructure of major banks: the network environment is monitored via SNMP, and once an alarm appears, operations staff log in to the device from its management IP via the jump server and enter CLI commands to configure switches, routers, firewalls and the like. The disadvantages of this approach are:

1. Slow emergency response: some emergency operations, such as firewall bypass, require configuration on several devices; manual entry at that point not only costs time and manpower but also affects the stability of production operations.
2. Weak programmability: commands differ between vendors, and there is no unified standard for the configuration method.
3. Poor macro-level view: operators configure network devices one by one rather than configuring the network as a whole.
4. High operation and maintenance cost: in general, the OIDs (object identifiers) for some of the same metrics differ between vendors, which raises the O&M cost at the monitoring level alone and makes monitoring applications harder to develop.

Second: network traffic is monitored with the sFlow protocol; then, based on the notifications produced by monitoring, the OpenFlow protocol (a network communication protocol at the data link layer that can control the forwarding plane of a network switch or router and thereby change the network path taken by packets) is used to configure real switches (which must support OpenFlow) or to push flow tables to OVS (Open vSwitch) virtual switches to complete the corresponding emergency operations. The disadvantages of this approach are:

1. Only moderate suitability for the financial industry: the network architecture of the financial industry (traditional banks, brokerages) treats stability as the first priority, whereas this solution requires a newly designed network architecture (OVS virtual switches and physical switches must coexist), which would have a considerable impact on the bank's stable operation.
2. High cost: in terms of manpower it requires new SDN (software-defined networking) development talent, and in terms of equipment it requires purchasing physical switches that support OpenFlow.

Given the shortcomings of these two solutions, there is currently no efficient, accurate, stable and low-cost flow control solution for the network devices under a bank's basic network architecture.

Summary of the invention

The main purpose of the present invention is to propose a network flow control method, apparatus, device, system and storage medium, with the aim of achieving efficient, accurate, stable and low-cost flow control of the network devices under a bank's basic network architecture.

To achieve the above object, the present invention provides a network flow control method comprising the following steps:

when packet-volume alarm information for a target network device is detected, obtaining preset configuration information corresponding to the packet-volume alarm information;

encapsulating the configuration information into a remote procedure call (rpc) message based on the NETCONF protocol;

delivering the rpc message to the target network device, so that the target network device performs the corresponding emergency network flow control operation according to the rpc message.

Preferably, before the step of obtaining preset configuration information corresponding to the packet-volume alarm information when packet-volume alarm information for a target network device is detected, the method further comprises:

obtaining packet-volume information, collected by a packet-volume collection device, on the data packets flowing through the target network device;

analysing the packet-volume information to determine whether it satisfies a preset packet-volume alarm condition;

if so, generating packet-volume alarm information for the target network device.

Preferably, the step of delivering the rpc message to the target network device so that the target network device performs the corresponding emergency network flow control operation according to the rpc message comprises:

delivering the rpc message to the target network device through a preset NETCONF southbound interface, so that the target network device performs the corresponding emergency network flow control operation according to the rpc message, the emergency network flow control operation comprising one or more of: closing a port of the target network device, setting an access control list, firewall bypass, and virtual private network refresh.

Preferably, the step of delivering the rpc message to the target network device through the preset NETCONF southbound interface comprises:

when there are multiple target network devices, delivering the rpc message to the multiple target network devices in parallel through the preset NETCONF southbound interface.

Preferably, before the step of obtaining preset configuration information corresponding to the packet-volume alarm information when packet-volume alarm information for a target network device is detected, the method further comprises:

receiving network flow control rule information delivered by a front-end application through a NETCONF northbound interface, and storing the network flow control rule information, wherein the network flow control rule information contains the correspondence between packet-volume alarm information and configuration information;

and the step of obtaining preset configuration information corresponding to the packet-volume alarm information when packet-volume alarm information for a target network device is detected comprises:

when packet-volume alarm information for a target network device is detected, reading the configuration information corresponding to the packet-volume alarm information from the stored network flow control rule information.

In addition, to achieve the above object, the present invention also provides a network flow control apparatus comprising:

a configuration information acquisition module, for obtaining, when packet-volume alarm information for a target network device is detected, preset configuration information corresponding to the packet-volume alarm information;

an encapsulation module, for encapsulating the configuration information into a remote procedure call (rpc) message based on the NETCONF protocol;

a delivery module, for delivering the rpc message to the target network device, so that the target network device performs the corresponding emergency network flow control operation according to the rpc message.

In addition, to achieve the above object, the present invention also provides a network flow control device comprising a memory, a processor, and a network flow control program stored in the memory and executable on the processor, wherein the network flow control program, when executed by the processor, implements the steps of the network flow control method described above.

In addition, to achieve the above object, the present invention also provides a network flow control system comprising a network flow control device and a packet-volume collection device, wherein:

the network flow control device is the network flow control device described above;

the packet-volume collection device is for collecting packet-volume information on the data packets flowing through the target network device and sending the collected packet-volume information to the network flow control device.

Preferably, the packet-volume collection device is an sFlow collector using the sFlow protocol, and the sFlow collector is for:

receiving traffic data of the target network device's ports forwarded by an sFlow agent, the sFlow agent being embedded in the target network device and used to collect first traffic data of the target network device's ports;

analysing the first traffic data to obtain packet-volume information on the data packets flowing through the target network device.

Preferably, the packet-volume collection device is an SNMP collector using the Simple Network Management Protocol (SNMP), and the SNMP collector is for:

querying traffic data of the target network device's ports from an SNMP agent according to a preset object identifier (OID), the SNMP agent being embedded in the target network device and used to collect second traffic data of the target network device's ports;

analysing the second traffic data to obtain packet-volume information on the data packets flowing through the target network device.

In addition, to achieve the above object, the present invention also provides a storage medium on which a network flow control program is stored, the network flow control program, when executed by a processor, implementing the steps of the network flow control method described above.

The network flow control method proposed by the present invention uses the NETCONF protocol for the control interaction between the network flow control device and the target network device. This reduces the number of interactions and executes more efficiently and stably than the traditional, highly interactive CLI mode; it requires neither large-scale changes to the bank's existing network architecture nor changes to the routing protocols directly related to production, which saves manpower and material cost. In addition, because the correspondence between packet-volume alarm information and configuration information can be set flexibly, precise flow control can be achieved according to that correspondence. The present invention therefore achieves efficient, accurate, stable and low-cost flow control of the network devices under a bank's basic network architecture.

Description of drawings

FIG. 1 is a schematic diagram of the device structure of the hardware operating environment involved in an embodiment of the present invention;

FIG. 2 is a schematic flowchart of the first embodiment of the network flow control method of the present invention;

FIG. 3 is a schematic diagram of packet-volume collection and reporting by an sFlow collector in an embodiment of the present invention.

The realisation of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.

Detailed description

It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.

FIG. 1 is a schematic diagram of the device structure of the hardware operating environment involved in an embodiment of the present invention.

The network flow control device in the embodiments of the present invention may be a PC or a server.

As shown in FIG. 1, the device may comprise: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connection and communication between these components. The user interface 1003 may comprise a display and an input unit such as a keyboard, and optionally may also comprise a standard wired interface and a wireless interface. The network interface 1004 may optionally comprise a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage; optionally, the memory 1005 may also be a storage device separate from the processor 1001.

Those skilled in the art will understand that the terminal structure shown in FIG. 1 does not limit the terminal; it may comprise more or fewer components than shown, combine some components, or arrange the components differently.

As shown in FIG. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a network flow control program.

In the terminal shown in FIG. 1, the network interface 1004 is mainly used to connect to and exchange data with a back-end server; the user interface 1003 is mainly used to connect to and exchange data with a client; and the processor 1001 may be used to invoke the network flow control program stored in the memory 1005 and to perform the operations in the embodiments of the network flow control method described below.

Based on the above hardware structure, the embodiments of the network flow control method of the present invention are proposed.

Referring to FIG. 2, which is a schematic flowchart of the first embodiment of the network flow control method of the present invention, the network flow control method comprises:

Step S10: when packet-volume alarm information for a target network device is detected, obtain preset configuration information corresponding to the packet-volume alarm information;

In this embodiment, the network flow control device can detect in real time whether there is packet-volume alarm information for a target network device, where a target network device is one of one or more preset network devices on which flow control needs to be performed, such as routers, switches, firewalls and other devices with a network forwarding function. Detection of packet-volume alarm information for a target network device indicates that the data packets currently flowing through it are abnormal; for example, when the target network device is under a DDoS (distributed denial-of-service) attack, the number of packets flowing through it surges, and this triggers the packet-volume alarm.

When packet-volume alarm information is detected, the preset configuration information corresponding to it is obtained first. Specifically, in one implementation, step S10 may be preceded by the step of receiving network flow control rule information delivered by a front-end application through the NETCONF northbound interface and storing that rule information, where the rule information contains the correspondence between packet-volume alarm information and configuration information; step S10 is then replaced by: when packet-volume alarm information for a target network device is detected, reading the configuration information corresponding to that alarm information from the stored network flow control rule information.

NETCONF is a network device communication protocol; the NETCONF northbound interface is the NETCONF-based interface offered upward to front-end applications for access and management. In a concrete implementation, a network engineer configures the network flow control rule information in the front-end application; this rule information contains the correspondence between packet-volume alarm information and configuration information. The front-end application then delivers the rule information to the network flow control device through the NETCONF northbound interface, and the network flow control device stores it on receipt. Later, when the network flow control device detects packet-volume alarm information for a target network device, it can read the configuration information corresponding to the detected alarm information from the stored rule information.

It should be noted that the network engineer can flexibly configure and modify the network flow control rule information in the front-end application. When the rule information changes, the front-end application notifies the network flow control device through the NETCONF northbound interface, so that the network flow control device updates its locally stored copy of the rule information.

Step S20: encapsulate the configuration information into a remote procedure call (rpc) message based on the NETCONF protocol;

After the configuration information corresponding to the current packet-volume alarm information has been obtained, it is encapsulated into an rpc message based on the NETCONF protocol. For ease of understanding, the content and principles of the NETCONF protocol are introduced below:

NETCONF is a network device communication protocol that is now widely supported by network equipment vendors. It uses a layered design similar to the OSI (Open Systems Interconnection) network model: each lower layer provides services to the layer above it, and each layer encapsulates one function. NETCONF is divided internally into four layers, which from bottom to top are the secure communication layer, the message layer, the operations layer and the content layer.

Secure communication layer: this layer provides a secure communication channel between the server and the client. It is the lowest-level definition in the NETCONF protocol and the first layer that network devices supported. When this solution communicates over NETCONF, it connects to the network device using an SSH (Secure Shell) library that handles the underlying communication.

Message layer: NETCONF uses the rpc (Remote Procedure Call) mechanism. Some simple rpc messages are defined here, all implemented with XML (Extensible Markup Language) tags, for example <rpc> and <rpc-reply>.

Operations layer: this layer is also based on XML tags. RFC 6241 defines the following operations: <get>, <get-config>, <edit-config>, <copy-config>, <delete-config>, <lock>, <unlock> and <close-session>; the documentation for traditional Cisco Nexus devices also states support for this layer.

Content layer: the content layer describes the configuration data involved in network management. Because the NETCONF content layer is the only layer that has not been standardised, and there is no standard NETCONF data modelling language or data model, the configuration data may differ between vendors' devices.

In essence, the NETCONF protocol transports rpc messages one by one, and these rpc messages are implemented with XML (Extensible Markup Language) tags. In this embodiment, the process by which the network flow control device encapsulates the preset configuration information corresponding to the packet-volume alarm information into a NETCONF rpc message may be as follows: first, a netconf model is built from the configuration information; the netconf model describes data strongly tied to the network device, such as device configuration and running state, and the netconf model of each device type is described in the YANG language (a data structure language); XML tags are then written according to the model, and the rpc message is generated from those XML tags.

Compared with the CLI, NETCONF has clear advantages: it reduces the number of interactions, operates on the configuration data of the whole system, and defines filtering functions. Moreover, because this configuration method uses XML encoding, system compatibility and programmability are greatly enhanced, giving strong extensibility.

Step S30: deliver the rpc message to the target network device, so that the target network device performs the corresponding emergency network flow control operation according to the rpc message.

In this step, the target network device supports the NETCONF protocol. The network flow control device delivers the rpc message to the target network device; because the rpc message is obtained by encapsulating the configuration information, the network device, on receiving it, can perform the emergency network flow control operation corresponding to the configuration information it contains. The emergency network flow control operation includes, but is not limited to, closing a port of the target network device, setting an access control list, firewall bypass and virtual private network refresh.

In addition, in an embodiment of the present invention, the method further comprises: when the switch configuration needs to be changed, the network flow control device changes the configuration of the target network device via the NETCONF protocol, thereby achieving centralised management and control of packet traffic across the entire network.

In this embodiment, using the NETCONF protocol for the control interaction between the network flow control device and the target network device reduces the number of interactions and executes more efficiently and stably than the traditional, highly interactive CLI mode; it requires neither large-scale changes to the bank's existing network architecture nor changes to the routing protocols directly related to production, which saves manpower and material cost. In addition, because the correspondence between packet-volume alarm information and configuration information can be set flexibly, precise flow control can be achieved according to that correspondence. This embodiment therefore achieves efficient, accurate, stable and low-cost flow control of the network devices under a bank's basic network architecture.
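The following is an added example of steps S10 to S30, including the parallel delivery to several target devices claimed above; it is not code from the patent or from WeBank. It assumes the ietf-interfaces data model (RFC 8343) for the port-closing configuration and the NETCONF 1.0 end-of-message framing of RFC 6242; the rule table, device names, transport and replies are constructed stand-ins. The point worth seeing in code is that the stored rule table is the trust boundary of this design (whoever can write it can make the controller shut ports), and that each <rpc-reply> must be parsed so that a refused or failed edit-config surfaces instead of being assumed to have taken effect.

```python
"""Added example: alarm -> preset configuration -> NETCONF <edit-config> rpc ->
parallel delivery with reply checking. Not the patent's own code; rule table,
devices, transport and replies are constructed stand-ins."""
import itertools
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"   # assumed device data model
EOM = "]]>]]>"   # NETCONF 1.0 end-of-message marker over SSH (RFC 6242)

# Constructed flow-control rule table (alarm type -> preset configuration).
# In the patent this mapping arrives from the front-end application over the
# NETCONF northbound interface and is stored by the flow-control device.
RULES: Dict[str, Dict[str, str]] = {
    "port_pps_high": {
        "operation": "close_port",
        "config": (f'<interfaces xmlns="{IF_NS}"><interface>'
                   '<name>{port}</name><enabled>false</enabled>'
                   '</interface></interfaces>'),
    },
}
_msg_ids = itertools.count(101)


def lookup_config(alarm: Dict[str, str]) -> Optional[str]:
    """Step S10: read the preset configuration matching the alarm (None if no rule)."""
    rule = RULES.get(alarm["type"])
    return None if rule is None else rule["config"].format(port=alarm["port"])


def build_edit_config_rpc(config_fragment: str, datastore: str = "running") -> str:
    """Step S20: wrap the configuration in a NETCONF <rpc><edit-config> message."""
    rpc = (f'<rpc message-id="{next(_msg_ids)}" xmlns="{NC_NS}">'
           f'<edit-config><target><{datastore}/></target>'
           f'<config>{config_fragment}</config></edit-config></rpc>')
    ET.fromstring(rpc)   # refuse to send malformed XML
    return rpc


def frame(rpc: str) -> str:
    """Message-layer framing for a NETCONF 1.0 session."""
    return rpc + "\n" + EOM


def parse_reply(reply: str) -> Tuple[bool, str]:
    """Return (ok, detail) from an <rpc-reply>; an <rpc-error> is a failure."""
    root = ET.fromstring(reply)
    if root.find(f"{{{NC_NS}}}ok") is not None:
        return True, "ok"
    err = root.find(f"{{{NC_NS}}}rpc-error")
    if err is not None:
        tag = err.findtext(f"{{{NC_NS}}}error-tag", default="unknown")
        msg = err.findtext(f"{{{NC_NS}}}error-message", default="")
        return False, f"{tag}: {msg}".strip(": ")
    return False, "unrecognised reply"


class FakeDevice:
    """Constructed stand-in for the SSH/NETCONF session to one target device."""

    def __init__(self, name: str, accept: bool):
        self.name, self.accept, self.received = name, accept, []

    def send(self, framed: str) -> str:
        rpc = framed[: -len(EOM)].strip()
        self.received.append(rpc)
        msg_id = ET.fromstring(rpc).get("message-id")
        if self.accept:
            return f'<rpc-reply message-id="{msg_id}" xmlns="{NC_NS}"><ok/></rpc-reply>'
        return (f'<rpc-reply message-id="{msg_id}" xmlns="{NC_NS}"><rpc-error>'
                '<error-tag>access-denied</error-tag>'
                '<error-message>edit-config not permitted</error-message>'
                '</rpc-error></rpc-reply>')


def handle_alarm(alarm: Dict[str, str], devices: List[FakeDevice]) -> Dict[str, Tuple[bool, str]]:
    """Steps S10-S30 end to end; step S30 delivers to all targets in parallel."""
    cfg = lookup_config(alarm)
    if cfg is None:
        return {}   # no preset action for this alarm type: do nothing
    rpc = build_edit_config_rpc(cfg)
    with ThreadPoolExecutor(max_workers=max(1, len(devices))) as pool:
        return dict(pool.map(lambda d: (d.name, parse_reply(d.send(frame(rpc)))), devices))


if __name__ == "__main__":
    alarm = {"type": "port_pps_high", "device": "core-sw-1", "port": "Ethernet1/7"}
    fleet = [FakeDevice("core-sw-1", accept=True), FakeDevice("core-sw-2", accept=False)]
    for name, (ok, detail) in handle_alarm(alarm, fleet).items():
        print(name, "OK" if ok else "FAILED", detail)
```

In a real deployment the FakeDevice would be an SSH-backed NETCONF session per device; the rest of the flow is unchanged, and the per-device (ok, detail) result is what the controller should log and alert on, since a partially applied emergency action (one switch accepted, one refused) is itself an incident.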

Further, based on the first embodiment of the network flow control method of the present invention, a second embodiment of the network flow control method of the present invention is proposed. In this embodiment, before the above step S10, the method may further include: acquiring packet volume information, collected by a packet volume collection device, of the data packets flowing through the target network device; analyzing the packet volume information and judging whether it satisfies a preset packet volume alarm condition; and if so, generating packet volume alarm information for the target network device.

In this embodiment, the packet volume information of the data packets flowing through the target network device may be collected by the packet volume collection device, which then sends the collected packet volume information to the network flow control device.

The network flow control device obtains the packet volume information collected by the packet volume collection device for the data packets flowing through the target network device, and then judges whether that packet volume information satisfies a preset packet volume alarm condition; if so, it generates packet volume alarm information. The packet volume alarm condition can be set flexibly, for example the packet volume on a single network device port exceeding a preset threshold, or the total packet volume over multiple network device ports exceeding a preset threshold. It should be noted that the packet volume collection device may be embedded in the network flow control device or may be a device external to it. To improve the flexibility of network flow control, the packet volume collection device is preferably external to the network flow control device.

Further, the above step S30 may include: sending the rpc message to the target network device through a preset NETCONF southbound interface, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message, where the network flow control emergency operation includes one or more of shutting down a port of the target network device, setting an access control list, bypassing a firewall, and refreshing a virtual private network.

Here, the NETCONF southbound interface is the downward-facing interface, provided on the basis of the NETCONF protocol, used to manage other vendors' network management systems or devices. The network flow control device analyzes the results of traffic monitoring, determines the corresponding emergency operation, and sends the corresponding rpc message through the NETCONF southbound interface, thereby scheduling traffic across the entire network.

For example, a network engineer configures a rule in the front-end application: when the packet volume on a certain switch port reaches an abnormal value, a port down (shutdown) operation is performed automatically. The front-end application informs the network flow control device of this rule through the NETCONF northbound interface. Later, the network flow control device receives packet counts sent by the sflow monitoring module (the sflow monitoring module monitors the target network device; the packet volume collection device is embedded in the sflow monitoring module, collects the packet volume information of the data packets flowing through the target network device, and transmits it to the network flow control device). When it finds that the port's packet volume has reached the abnormal value, the operation is triggered and carried out by sending an rpc through the southbound interface; the port of the target network device is shut down immediately and the abnormal packets are then dropped.

Further, the step of sending the rpc message to the target network device through the preset NETCONF southbound interface may include: when there are multiple target network devices, sending the rpc message to the multiple target network devices in parallel through the preset NETCONF southbound interface.

For example, in practice, the operations used to mitigate a DDoS attack in a real production network are often large-scale: not merely shutting down one port, but performing multiple operations on multiple devices. For this purpose, the network flow control device can encapsulate these operations into rpcs based on the NETCONF protocol and then, through the preset NETCONF southbound interface, push the configuration concurrently to multiple NETCONF-capable target network devices, the concurrency being implemented with multithreading.

The above delivery method is more robust than the CLI approach. The CLI requires many round trips, and during command delivery the connection between the controller and the device may become unstable after some command has already been executed midway; this can prevent the operation from being carried out completely and is very dangerous. The rpc stream, by contrast, only needs to be sent once, so confirming connectivity between the network flow control device and the target network device at the start is enough to avoid the risk described above.
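The procedure described above (rule lookup, encapsulation of the configuration information into a NETCONF rpc, and parallel delivery over the southbound interface after a single up-front connectivity check), as an added example that is not part of the patent: the rule values, interface names, the use of the ietf-interfaces data model and the FakeDevice transport are assumptions made here.

```python
"""Added example (not the patent's code): look up the configuration information
for a packet-volume alarm, encapsulate it as a NETCONF <edit-config> rpc, and push
it to several target devices in parallel after one up-front connectivity check.
Rule values, interface names and the FakeDevice transport are constructed."""
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"  # RFC 8343 model; assumed supported
ET.register_namespace("nc", NC_NS)
ET.register_namespace("if", IF_NS)
EOM = b"]]>]]>"  # end-of-message framing for NETCONF :base:1.0 sessions (RFC 6242)

# Rule table as delivered by the front-end application over the northbound interface:
# (port, alarm threshold in packets/s) -> configuration information.  Constructed values.
RULES = {
    ("GigabitEthernet1/0/1", 200_000): {"action": "shutdown_port", "interface": "GigabitEthernet1/0/1"},
    ("GigabitEthernet1/0/2", 150_000): {"action": "shutdown_port", "interface": "GigabitEthernet1/0/2"},
}


def lookup_config(port, packets_per_sec, rules=RULES):
    """Return the configuration information whose alarm condition the observed rate meets, else None."""
    for (rule_port, threshold), config in rules.items():
        if rule_port == port and packets_per_sec >= threshold:
            return config
    return None


def build_rpc(message_id, config):
    """Encapsulate the configuration information as one <rpc><edit-config> on the running datastore."""
    if config["action"] != "shutdown_port":
        raise ValueError("only the shutdown_port action is modelled here")
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    # The whole change is applied as one unit and rolled back if any part fails,
    # unlike a CLI sequence that can be cut off after some commands have run.
    ET.SubElement(edit, f"{{{NC_NS}}}error-option").text = "rollback-on-error"
    cfg = ET.SubElement(edit, f"{{{NC_NS}}}config")
    iface = ET.SubElement(ET.SubElement(cfg, f"{{{IF_NS}}}interfaces"), f"{{{IF_NS}}}interface")
    ET.SubElement(iface, f"{{{IF_NS}}}name").text = config["interface"]
    ET.SubElement(iface, f"{{{IF_NS}}}enabled").text = "false"  # administratively down
    return ET.tostring(rpc, encoding="utf-8") + EOM


def reply_ok(frame):
    """True when the <rpc-reply> carries <ok/>; False when it carries <rpc-error>."""
    root = ET.fromstring(frame.split(EOM, 1)[0])
    return root.find(f"{{{NC_NS}}}ok") is not None


class FakeDevice:
    """Stand-in for a NETCONF-capable device behind the southbound interface (constructed)."""

    def __init__(self, name, reachable=True, accept=True):
        self.name, self.reachable, self.accept = name, reachable, accept
        self.received = []

    def is_reachable(self):
        return self.reachable

    def send(self, frame):
        self.received.append(frame)
        mid = ET.fromstring(frame.split(EOM, 1)[0]).get("message-id")
        body = ("<nc:ok/>" if self.accept else
                "<nc:rpc-error><nc:error-tag>operation-failed</nc:error-tag></nc:rpc-error>")
        reply = f'<nc:rpc-reply xmlns:nc="{NC_NS}" message-id="{mid}">{body}</nc:rpc-reply>'
        return reply.encode("utf-8") + EOM


def dispatch(devices, config, message_id=101, max_workers=8):
    """Confirm connectivity to every target first; only then push the same rpc to all in parallel."""
    unreachable = [d.name for d in devices if not d.is_reachable()]
    if unreachable:  # nothing is sent: avoids a half-applied multi-device operation
        return {"sent": False, "unreachable": unreachable, "results": {}}
    frame = build_rpc(message_id, config)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        replies = list(pool.map(lambda d: (d.name, reply_ok(d.send(frame))), devices))
    return {"sent": True, "unreachable": [], "results": dict(replies)}


if __name__ == "__main__":
    cfg = lookup_config("GigabitEthernet1/0/1", 250_000)
    print(dispatch([FakeDevice("sw1"), FakeDevice("sw2", accept=False)], cfg))
```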

The present invention further provides a network flow control apparatus. The network flow control apparatus of the present invention includes:

a configuration information acquisition module, configured to acquire, when packet volume alarm information of the target network device is detected, the preset configuration information corresponding to the packet volume alarm information;

an encapsulation module, configured to encapsulate the configuration information into a remote procedure call (rpc) message based on the NETCONF protocol;

a delivery module, configured to deliver the rpc message to the target network device, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message.

Further, the network flow control apparatus also includes:

a packet volume information acquisition module, configured to acquire the packet volume information, collected by the packet volume collection device, of the data packets flowing through the target network device;

a judgment module, configured to analyze the packet volume information and judge whether it satisfies a preset packet volume alarm condition;

an alarm module, configured to generate packet volume alarm information for the target network device if the packet volume information satisfies the preset packet volume alarm condition.

Further, the delivery module is also configured to deliver the rpc message to the target network device through a preset NETCONF southbound interface, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message, where the network flow control emergency operation includes one or more of shutting down a port of the target network device, setting an access control list, bypassing a firewall, and refreshing a virtual private network.

Further, the delivery module is also configured to, when there are multiple target network devices, deliver the rpc message to the multiple target network devices in parallel through the preset NETCONF southbound interface.

Further, the network flow control apparatus also includes:

a receiving module, configured to receive network flow control rule information delivered by the front-end application through the NETCONF northbound interface and to store the network flow control rule information, where the network flow control rule information contains the correspondence between packet volume alarm information and configuration information;

the configuration information acquisition module is further configured to, when packet volume alarm information of the target network device is detected, read the configuration information corresponding to the packet volume alarm information from the stored network flow control rule information.

For the methods implemented by the above program modules, reference may be made to the embodiments of the network flow control method of the present invention; they are not repeated here.

The present invention further provides a network flow control system.

In the embodiment of the network flow control system of the present invention, the system includes a network flow control device and a packet volume collection device, where:

the network flow control device is the network flow control device described in the above embodiments;

the packet volume collection device is configured to collect the packet volume information of the data packets flowing through the target network device and send the collected packet volume information to the network flow control device.

In one implementation, the packet volume collection device may be an sFlow collector using the sFlow protocol. The sFlow collector is configured to receive the traffic data of the target network device's ports forwarded by an sFlow agent, where the sFlow agent is embedded in the target network device and collects first traffic data of the target network device's ports; and to analyze the first traffic data to obtain the packet volume information of the data packets flowing through the target network device.

For ease of understanding, sFlow technology is introduced as follows:

sFlow, whose name is an abbreviation of "sampled flow", is an industry specification for measuring OSI layer 2 packets. sFlow is based on the latest standard network export protocol (RFC 3176) and can solve many of the problems currently faced by network administrators. By embedding sFlow technology in the ASIC chips of network routers and switches, the specification provides a way to obtain information about network packets by sampling, allowing network administrators to understand how the network is operating.

Unlike solutions that require mirror ports or network taps to monitor the traffic passing through, in the sFlow solution not every packet is sent to the collector. sFlow provides two sampling methods that let users analyze network traffic from different perspectives: Flow sampling and Counter sampling.

Flow sampling is the process in which the device samples and analyzes packets on a specified port according to a specified sampling direction and sampling ratio, and sends the analysis results to the Collector device in sFlow packets. The main content of a Flow sample is basic information from the original packet, such as the destination IP and source IP. Counter sampling is the process in which the sFlow Agent periodically obtains traffic statistics for an interface and sends these statistics to the collector in sFlow packets. Counter samples mainly contain statistical information. Moreover, sFlow can monitor the entire switch or only some of its ports, using different sampling rates, which keeps the design of the management scheme flexible.

sFlow can establish a baseline of normal network usage (with configurable thresholds); when network activity is found to deviate significantly from the baseline, an alarm is raised, so that access policy violations and intrusions can be identified effectively.

Referring to FIG. 3, FIG. 3 is a schematic diagram of packet volume collection and reporting by an sFlow collector in an embodiment of the present invention. The present invention applies the idea of SDN (Software Defined Network) central control to the bank's basic network architecture. In FIG. 3, the control management layer acts as the SDN control plane and the switches act as the SDN forwarding plane; the packet volume collection device is separated from the control management layer, collects the switches' packet volume information, and reports the collected packet volume information to the control management layer. When the control management layer detects packet volume alarm information, it sends an rpc message to the router so that the router performs the corresponding network flow control emergency operation. Specifically, packet volume collection devices based on sFlow technology fall into two categories: sFlow agents and sFlow collectors. In this embodiment, the sFlow collector receives the traffic data of the target network device's ports forwarded by the sFlow agent. The sFlow agent can be embedded in the ASIC chips of network routing and switching devices, so the whole network can be monitored comprehensively without purchasing additional probes or taps. The sFlow agent collects the traffic of every port on the target network device, forms sFlow datagrams, and forwards the traffic data in those datagrams to the sFlow collector; the sFlow collector analyzes the datagrams to obtain the packet volume information of the data packets flowing through the target network device.

In another implementation, the packet volume collection device may be an SNMP collector using the Simple Network Management Protocol (SNMP). The SNMP collector is configured to query the traffic data of the target network device's ports from an SNMP agent according to a preset object identifier (OID), where the SNMP agent is embedded in the target network device and collects second traffic data of the target network device's ports; and to analyze the second traffic data to obtain the packet volume information of the data packets flowing through the target network device. In this embodiment, the second traffic data and the first traffic data are the same kind of data.

For ease of understanding, SNMP technology is introduced as follows:

SNMP is a network management standard based on the TCP/IP protocol suite; it is a standard protocol for managing network nodes (such as firewalls, servers, workstations, routers and switches) in an IP network. The protocol consists of a set of network management standards, including an application layer protocol, a database schema and a set of resource objects. It supports network management systems in monitoring whether any device connected to the network shows a condition that warrants management attention.

The MIB (Management Information Base) is a collection of objects representing the manageable resources and devices in the network. Each object is essentially a data variable representing one aspect of the managed object. An OID (Object Identifier) is a uniquely identifying key provided by the SNMP agent. The MIB also provides the mapping from numeric OIDs to readable text. SNMP-based network management tools can be implemented in many ways; the simplest is to install net-snmp on a server, collect from the SNMP agents, and report the results.

In this embodiment, the SNMP collector receives the traffic data of the target network device's ports forwarded by the SNMP agent. The SNMP agent can be embedded in the ASIC chips of network routing and switching devices; it collects the traffic data of the target network device's ports and forwards it to the SNMP collector, and the SNMP collector analyzes the traffic data to obtain the packet volume information of the data packets flowing through the target network device.
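An added example (not from the patent) of the SNMP collector's analysis step: it parses constructed snmpwalk-style output for the IF-MIB ifInUcastPkts column, converts two successive polls into per-port packet rates with Counter32 wrap correction, and applies the two alarm conditions described earlier (a single port over its threshold, and the total over all ports over a threshold). The poll output, poll times and thresholds are constructed values.

```python
"""Added example (not from the patent): an SNMP-collector step that turns two
successive polls of IF-MIB ifInUcastPkts into per-port packet rates, correcting
for 32-bit counter wrap, and evaluates the two alarm conditions named in the text
(one port over its threshold; the total over all ports over a threshold).
The snmpwalk-style output, poll times and thresholds are constructed."""
import re

IF_IN_UCAST_PKTS_OID = "1.3.6.1.2.1.2.2.1.11"  # IF-MIB::ifInUcastPkts, the column a collector polls
COUNTER32_MODULUS = 1 << 32

# Format net-snmp prints for a walk of this column: "IF-MIB::ifInUcastPkts.<ifIndex> = Counter32: <n>"
WALK_LINE = re.compile(r"^IF-MIB::ifInUcastPkts\.(\d+) = Counter32: (\d+)$")

# Two constructed polls 10 s apart.  Port 1's counter wraps past 2^32 between them.
POLL_T0 = """
IF-MIB::ifInUcastPkts.1 = Counter32: 4294960000
IF-MIB::ifInUcastPkts.2 = Counter32: 1000
IF-MIB::ifInUcastPkts.3 = Counter32: 500
"""
POLL_T1 = """
IF-MIB::ifInUcastPkts.1 = Counter32: 2704
IF-MIB::ifInUcastPkts.2 = Counter32: 3001000
IF-MIB::ifInUcastPkts.3 = Counter32: 5500
"""


def parse_walk(text):
    """Map ifIndex -> raw counter value; lines that are not this column are ignored."""
    ports = {}
    for line in text.strip().splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports


def counter_delta(prev, curr, modulus=COUNTER32_MODULUS):
    """Packets counted between two readings, allowing for a single wrap of the counter."""
    return (curr - prev) % modulus


def packet_rates(prev_poll, curr_poll):
    """prev_poll/curr_poll: {"time": seconds, "ports": {ifIndex: counter}} -> {ifIndex: packets/s}.
    Ports absent from the earlier poll have no baseline and are skipped."""
    dt = curr_poll["time"] - prev_poll["time"]
    if dt <= 0:
        raise ValueError("polls must be strictly increasing in time")
    rates = {}
    for ifindex, curr in curr_poll["ports"].items():
        prev = prev_poll["ports"].get(ifindex)
        if prev is not None:
            rates[ifindex] = counter_delta(prev, curr) / dt
    return rates


def evaluate_alarms(rates, port_threshold, total_threshold):
    """Packet volume alarm information: one entry per port over its threshold, plus one
    for the aggregate over all ports if that exceeds its own threshold."""
    alarms = [{"type": "port", "ifIndex": i, "pps": r}
              for i, r in sorted(rates.items()) if r > port_threshold]
    total = sum(rates.values())
    if total > total_threshold:
        alarms.append({"type": "total", "pps": total})
    return alarms


def run_sample():
    """Run the constructed polls through the pipeline; returns (rates, alarms)."""
    t0 = {"time": 0, "ports": parse_walk(POLL_T0)}
    t1 = {"time": 10, "ports": parse_walk(POLL_T1)}
    rates = packet_rates(t0, t1)
    return rates, evaluate_alarms(rates, port_threshold=200_000, total_threshold=250_000)


if __name__ == "__main__":
    print(run_sample())
```

Without the modulo correction, port 1's wrapped counter would yield a large negative delta and the alarm logic would silently miss it.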

It should be noted that, unlike sFlow, SNMP is relatively limited in function: the traffic information it collects is only simple per-port inbound and outbound traffic statistics, which cannot be used for in-depth traffic analysis and does not help the network flow control device implement more extended functionality. sFlow technology, in addition to per-port inbound and outbound traffic information, can also collect other information, including conventional packet headers, transport protocol information and physical transmission information. This embodiment therefore preferably uses sFlow technology to monitor and collect the traffic of the target network device, so that the network flow control device can implement more extended functionality and the precision of flow control is further improved.

In addition, for the method by which the network flow control device of this embodiment performs network flow control, reference may be made to the embodiments of the network flow control method described above; it is not repeated here.

The network flow control system proposed in this embodiment uses data flow collection technology to monitor the port traffic of the network devices in the bank's basic network architecture, and then performs network flow control emergency operations on those network devices based on the NETCONF protocol, achieving efficient, precise, stable and low-cost flow control of the network devices in the bank's basic network architecture.

The present invention further provides a storage medium.

A network flow control program is stored on the storage medium of the present invention; when the network flow control program is executed by a processor, the steps of the network flow control method described above are implemented.

For the method implemented when the network flow control program running on the processor is executed, reference may be made to the embodiments of the network flow control method of the present invention; it is not repeated here.

It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that comprises that element.

The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.

From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.

The above are only preferred embodiments of the present invention and do not limit the scope of the patent. Any equivalent structural or process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (11)

1. A network flow control method, characterized in that it comprises the following steps:
when packet volume alarm information of a target network device is detected, acquiring preset configuration information corresponding to the packet volume alarm information;
encapsulating the configuration information into a NETCONF protocol-based remote procedure call (rpc) message; and
sending the rpc message to the target network device, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message.
2. The method according to claim 1, wherein, before the step of acquiring preset configuration information corresponding to the packet volume alarm information when the packet volume alarm information of the target network device is detected, the method further comprises:
acquiring packet volume information, collected by a packet volume collection device, of data packets flowing through the target network device;
analyzing the packet volume information and judging whether the packet volume information satisfies a preset packet volume alarm condition; and
if so, generating packet volume alarm information of the target network device.
3. The method according to claim 1 or 2, wherein the step of sending the rpc message to the target network device so that the target network device performs the corresponding network flow control emergency operation according to the rpc message comprises:
sending the rpc message to the target network device through a preset NETCONF southbound interface, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message, wherein the network flow control emergency operation comprises one or more of shutting down a port of the target network device, setting an access control list, bypassing a firewall, and refreshing a virtual private network.
4. The method according to claim 3, wherein the step of sending the rpc message to the target network device through a preset NETCONF southbound interface comprises:
when a plurality of target network devices exist, sending the rpc message to the plurality of target network devices in parallel through the preset NETCONF southbound interface.
5. The method according to claim 1, wherein, before the step of acquiring preset configuration information corresponding to the packet volume alarm information when the packet volume alarm information of the target network device is detected, the method further comprises:
receiving network flow control rule information delivered by a front-end application through a NETCONF northbound interface, and storing the network flow control rule information, wherein the network flow control rule information comprises the correspondence between packet volume alarm information and configuration information;
and the step of acquiring preset configuration information corresponding to the packet volume alarm information when the packet volume alarm information of the target network device is detected comprises:
when the packet volume alarm information of the target network device is detected, reading the configuration information corresponding to the packet volume alarm information from the stored network flow control rule information.
6. A network flow control apparatus, comprising:
a configuration information acquisition module, configured to acquire preset configuration information corresponding to the packet volume alarm information when the packet volume alarm information of a target network device is detected;
an encapsulation module, configured to encapsulate the configuration information into a NETCONF protocol-based remote procedure call (rpc) message; and
a delivery module, configured to deliver the rpc message to the target network device, so that the target network device performs the corresponding network flow control emergency operation according to the rpc message.
7. A network flow control device, characterized in that the network flow control device comprises a memory, a processor, and a network flow control program stored on the memory and executable on the processor, wherein the network flow control program, when executed by the processor, implements the steps of the network flow control method according to any one of claims 1 to 5.
8. A network flow control system, comprising a network flow control device and a packet volume collection device, wherein:
the network flow control device is the network flow control device according to claim 7; and
the packet volume collection device is configured to collect packet volume information of data packets flowing through a target network device and send the collected packet volume information to the network flow control device.
9. The network flow control system according to claim 8, wherein the packet volume collection device is an sFlow collector using the sFlow protocol, and the sFlow collector is configured to:
receive traffic data of a port of the target network device forwarded by an sFlow agent, wherein the sFlow agent is embedded in the target network device and is configured to collect first traffic data of the port of the target network device; and
analyze the first traffic data to obtain the packet volume information of the data packets flowing through the target network device.
10. The network flow control system according to claim 8, wherein the packet volume collection device is an SNMP collector using the Simple Network Management Protocol (SNMP), and the SNMP collector is configured to:
query traffic data of a port of the target network device from an SNMP agent according to a preset object identifier (OID), wherein the SNMP agent is embedded in the target network device and is configured to collect second traffic data of the port of the target network device; and
analyze the second traffic data to obtain the packet volume information of the data packets flowing through the target network device.
11. A storage medium having stored thereon a network flow control program which, when executed by a processor, implements the steps of the network flow control method according to any one of claims 1 to 5.
CN201811483441.6A 2018-12-05 2018-12-05 Network flow control method, device, device, system and storage medium Active CN109547257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811483441.6A CN109547257B (en) 2018-12-05 2018-12-05 Network flow control method, device, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811483441.6A CN109547257B (en) 2018-12-05 2018-12-05 Network flow control method, device, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN109547257A true CN109547257A (en) 2019-03-29
CN109547257B CN109547257B (en) 2022-08-12

Family

ID=65852941

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811483441.6A Active CN109547257B (en) 2018-12-05 2018-12-05 Network flow control method, device, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN109547257B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110430100A (en) * 2019-08-27 2019-11-08 中国工商银行股份有限公司 Network connectivity detection method and device
CN113472674A (en) * 2021-07-12 2021-10-01 多点生活(成都)科技有限公司 Flow control method and device, storage medium and electronic equipment
CN115361191A (en) * 2022-08-15 2022-11-18 杭州安恒信息技术股份有限公司 A firewall traffic detection method, system, device and medium based on sflow
CN115514686A (en) * 2021-06-23 2022-12-23 深信服科技股份有限公司 Flow acquisition method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102387043A (en) * 2011-12-07 2012-03-21 深圳市同洲视讯传媒有限公司 Alarm analysis method, workstation and system based on simple network management protocol
CN103281197A (en) * 2013-04-08 2013-09-04 浙江工商大学 ForCES configuration method based on NETCONF
CN105281981A (en) * 2015-11-04 2016-01-27 北京百度网讯科技有限公司 Data traffic monitoring method and device for network service
US20160380874A1 (en) * 2014-03-27 2016-12-29 Nicira, Inc. Packet tracing in a software-defined networking environment
CN106921666A (en) * 2017-03-06 2017-07-04 中山大学 A DDoS attack defense system and method based on synergy
CN107786350A (en) * 2016-08-24 2018-03-09 华为技术有限公司 A method, apparatus and network device for restoring a network device's factory configuration

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102387043A (en) * 2011-12-07 2012-03-21 深圳市同洲视讯传媒有限公司 Alarm analysis method, workstation and system based on simple network management protocol
CN103281197A (en) * 2013-04-08 2013-09-04 浙江工商大学 ForCES configuration method based on NETCONF
US20160380874A1 (en) * 2014-03-27 2016-12-29 Nicira, Inc. Packet tracing in a software-defined networking environment
CN105281981A (en) * 2015-11-04 2016-01-27 北京百度网讯科技有限公司 Data traffic monitoring method and device for network service
CN107786350A (en) * 2016-08-24 2018-03-09 华为技术有限公司 A method, apparatus and network device for restoring a network device's factory configuration
CN106921666A (en) * 2017-03-06 2017-07-04 中山大学 A DDoS attack defense system and method based on synergy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程东亮: "Applied research on implementing the People's Bank of China intelligent backbone network with SDN technology", Software Research, Development and Application *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110430100A (en) * 2019-08-27 2019-11-08 中国工商银行股份有限公司 Network connectivity detection method and device
CN115514686A (en) * 2021-06-23 2022-12-23 深信服科技股份有限公司 Flow acquisition method and device, electronic equipment and storage medium
CN113472674A (en) * 2021-07-12 2021-10-01 多点生活(成都)科技有限公司 Flow control method and device, storage medium and electronic equipment
CN113472674B (en) * 2021-07-12 2024-05-24 多点生活(成都)科技有限公司 Flow control method and device, storage medium and electronic equipment
CN115361191A (en) * 2022-08-15 2022-11-18 杭州安恒信息技术股份有限公司 A firewall traffic detection method, system, device and medium based on sflow

Also Published As

Publication number Publication date
CN109547257B (en) 2022-08-12

Similar Documents

Publication Publication Date Title
Tan et al. In-band network telemetry: A survey
CN109547257B (en) Network flow control method, device, device, system and storage medium
CN103457791B (en) A self-diagnosis method for intelligent substation network sampling and control links
Isolani et al. Interactive monitoring, visualization, and configuration of OpenFlow-based SDN
Affandi et al. Design and implementation fast response system monitoring server using Simple Network Management Protocol (SNMP)
US11799737B1 (en) Topology-based graphical user interface for network management systems
US12170645B2 (en) Edge device for source identification using source identifier
CN105629103A (en) Online monitoring method based on transformer substation operation and maintenance network shutdown
CN106572190A (en) Autonomous collection method for operational data of information communication
EP4080850A1 (en) Onboarding virtualized network devices to cloud-based network assurance system
CN113039755B (en) Monitoring method, device, system and computer readable medium for industrial control systems
US11729075B1 (en) Time series data collection for a network management system
KR102180038B1 (en) Wan node apparatus in tactical mesh network environment
Ehrlich et al. Passive flow monitoring of hybrid network connections regarding quality of service parameters for the industrial automation
EP4380124A2 (en) Dropped packet detection and classification for networked devices
Mellia et al. Overview of Network and Service Management
US20240275707A1 (en) Anomaly detection for network devices using intent-based analytics
Song et al. Toward a network telemetry framework
US20240243963A1 (en) Replay of analytics for a network management system
EP4113942A1 (en) Network segmentation for network management graphical user interfaces
US20240176878A1 (en) Machine learning assisted root cause analysis for computer networks
CN208386586U (en) A network transmission system
Moceri SNMP and Beyond: A Survey of Network Performance Monitoring Tools
Song et al. RFC 9232: Network Telemetry Framework
Yu et al. MLPing: Real-Time Proactive Fault Detection and Alarm for Large-Scale Distributed IDC Network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant