CN112422437A - Message forwarding control method and device and electronic equipment - Google Patents

Publication number: CN112422437A
Authority: CN (China)
Application number: CN202011272968.1A
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventor: 阳进
Current Assignee: New H3C Technologies Co Ltd Hefei Branch
Original Assignee: New H3C Technologies Co Ltd Hefei Branch
Prior art keywords: epg, source, address, target, message

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L45/74591 Address table lookup; Address filtering using content-addressable memories [CAM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/58 Association of routers
    • H04L45/586 Association of routers of virtual routers

Abstract

The application provides a message forwarding control method, a message forwarding control device and electronic equipment. In the application, when a hardware chip, such as an MRVL chip, does not support dividing SEPG and DEPG in its LPM table, which is originally used for Layer 3 forwarding of messages, to implement micro-segmentation, the network device instead uses a TCAM table, which is not originally used for Layer 3 forwarding of messages, to implement micro-segmentation and GBP and thereby control message forwarding. Micro-segmentation can therefore be implemented even though the hardware chip, such as the MRVL chip, does not support dividing SEPG and DEPG in the LPM table originally used for Layer 3 forwarding of messages.

Description

Message forwarding control method and device and electronic equipment
Technical Field
The present application relates to network communication technologies, and in particular, to a method and an apparatus for controlling packet forwarding, and an electronic device.
Background
Micro-segmentation, also called fine grouping-based security isolation, refers to grouping servers in a data center network according to a certain principle, and then deploying a flow control policy based on the grouping, thereby achieving the purposes of simplifying operation and maintenance and managing security.
In network applications, micro-segmentation is implemented on the basis of the Longest Prefix Match (LPM) table used for hardware Layer 3 switching. Specifically, a Source End Point Group (SEPG) and a Destination End Point Group (DEPG) may be divided in the LPM table. Here, SEPG refers to the EPG to which the source IP address is assigned, and DEPG refers to the EPG to which the destination IP address is assigned. A group-based flow control policy (GBP) is then added to the LPM table to control traffic between the SEPG and the DEPG.
However, many hardware chips, such as MRVL chips, currently do not support dividing SEPG and DEPG in their LPM table (in other words, they do not support using the LPM table to subdivide the EPG to which an IP address belongs), so micro-segmentation cannot be implemented.
Disclosure of Invention
The application provides a message forwarding control method, a message forwarding control device and electronic equipment, so as to implement micro-segmentation even though many hardware chips, such as MRVL chips, do not support dividing SEPG and DEPG in their LPM table.
The technical solution provided by the application is as follows:
A message forwarding control method, applied to network equipment, comprises the following steps:
when a message sent by a local source host to a destination host is received, searching a TCAM (ternary content addressable memory) table, through a first specified engine for managing the TCAM table, for a source endpoint group (EPG) matching the source IP address in the message;
searching the TCAM table, through a second specified engine for managing the TCAM table, for a target EPG matching the target IP address in the message;
searching the TCAM table, through a third specified engine for managing the TCAM table, for a group-based flow control policy (GBP) between the source EPG and the target EPG, and performing forwarding control on the message sent by the source host to the destination host according to the GBP found, wherein the first specified engine, the second specified engine and the third specified engine are applied to the same hardware chip, and the hardware chip does not support using the LPM table to subdivide the EPG to which an IP address belongs.
Optionally, the source IP address and the destination IP address are IPv4 addresses; the TCAM table comprises a correspondence between IP addresses and EPGs;
the searching of the TCAM table for the source EPG matching the source IP address in the message includes: using the source IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the source EPG;
the searching of the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG.
Optionally, the source IP address and the destination IP address are IPv6 addresses; the TCAM table comprises a correspondence between MAC addresses and EPGs;
the searching of the TCAM table for the source EPG matching the source IP address in the message includes: determining the source MAC address of the source host whose IP address is the source IP address in the message, using the source MAC address as the key, searching the TCAM table for the EPG corresponding to the key, and determining the EPG found as the source EPG;
the searching of the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG.
Optionally, the searching of the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG and the target EPG; or,
the source IP address and the destination IP address belong to the same virtual private network (VPN); the VPN has a corresponding Virtual Routing and Forwarding (VRF) instance identifier (ID);
the searching of the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG, the target EPG and the VRF ID.
Optionally, the performing of forwarding control on the message sent by the source host to the destination host according to the GBP found includes:
if the GBP found includes a first identification value indicating that forwarding is permitted, forwarding the message sent by the source host to the destination host;
if the GBP found includes a second identification value indicating that forwarding is refused, prohibiting forwarding of the message sent by the source host to the destination host.
A message forwarding control device, applied to network equipment, comprises:
a first specified engine, configured to manage a Ternary Content Addressable Memory (TCAM) table and, when a message sent by a local source host of the network equipment to a destination host is received, to search the TCAM table for a source endpoint group (EPG) matching the source IP address in the message;
a second specified engine, configured to manage the TCAM table together with the first specified engine and to search the TCAM table for a target EPG matching the target IP address in the message;
a third specified engine, configured to manage the TCAM table together with the first specified engine and the second specified engine, to search the TCAM table for a group-based flow control policy (GBP) between the source EPG and the destination EPG, and to perform forwarding control on the message sent by the source host to the destination host according to the GBP found;
the first specified engine, the second specified engine and the third specified engine are applied to the same hardware chip, and the hardware chip does not support using the LPM table to subdivide the EPG to which an IP address belongs.
Optionally, the source IP address and the destination IP address are IPv4 addresses; the TCAM table comprises a correspondence between IP addresses and EPGs;
the first specified engine searching the TCAM table for the source EPG matching the source IP address in the message includes: using the source IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the source EPG;
the second specified engine searching the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG;
or,
the source IP address and the destination IP address are IPv6 addresses; the TCAM table comprises a correspondence between MAC addresses and EPGs;
the first specified engine searching the TCAM table for the source EPG matching the source IP address in the message includes: determining the source MAC address of the source host whose IP address is the source IP address in the message, using the source MAC address as the key, searching the TCAM table for the EPG corresponding to the key, and determining the EPG found as the source EPG;
the second specified engine searching the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG.
Optionally, the third specified engine searching the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG and the target EPG; or,
the source IP address and the destination IP address belong to the same virtual private network (VPN); the VPN has a corresponding Virtual Routing and Forwarding (VRF) instance identifier (ID);
the searching of the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG, the target EPG and the VRF ID.
Optionally, the third specified engine performing forwarding control on the message sent by the source host to the destination host according to the GBP found includes:
if the GBP found includes a first identification value indicating that forwarding is permitted, forwarding the message sent by the source host to the destination host;
if the GBP found includes a second identification value indicating that forwarding is refused, prohibiting forwarding of the message sent by the source host to the destination host.
An embodiment of the present application further provides an electronic device, which includes: a processor and a memory;
the memory for storing machine executable instructions;
the processor is used for reading and executing the machine executable instructions stored in the memory so as to realize the method.
According to the above technical solution, when a hardware chip such as an MRVL chip does not support dividing SEPG and DEPG in its LPM table, which is originally used for Layer 3 forwarding of messages, to implement micro-segmentation, the network device instead uses a TCAM table, which is not originally used for Layer 3 forwarding of messages, to implement micro-segmentation and GBP and thereby control message forwarding. Micro-segmentation can therefore be implemented even though the hardware chip, such as the MRVL chip, does not support dividing SEPG and DEPG in its LPM table.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart of a method provided herein;
FIG. 2 is a flowchart of an implementation in an IPv4 scenario according to an embodiment of the present application;
FIG. 3 is a flowchart of an implementation in an IPv6 scenario according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the apparatus provided herein;
FIG. 5 is a schematic hardware structure diagram of the apparatus shown in FIG. 4 provided in the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
As described in the background, in network applications, micro-segmentation is implemented based on LPM tables specified by the routing protocol. Specifically, when the network device receives a message, a routing (Route) engine for managing the LPM table searches a source EPG and a destination EPG in the LPM table, and performs message forwarding control based on a GBP between the source EPG and the destination EPG in the LPM table.
However, in many cases, hardware chips on the network device, such as MRVL chips, do not support dividing SEPG and DEPG in their LPM table, so micro-segmentation cannot be implemented and message forwarding control therefore cannot be implemented either.
To address this technical problem, and based on creative analysis of the hardware chips on the network device, in the embodiment of the present application, if a hardware chip on the network device, such as an MRVL chip, does not support dividing SEPG and DEPG in its LPM table, which is originally used for Layer 3 forwarding of messages, then micro-segmentation is not implemented with that LPM table. Instead, a Ternary Content Addressable Memory (TCAM) table, which is not originally used for Layer 3 forwarding of messages, is used to implement micro-segmentation. For details, see the flow shown in FIG. 1 below:
Referring to FIG. 1, FIG. 1 is a flowchart of a method provided in an embodiment of the present application. The flow is applied to a network device. Optionally, the network device may be a VXLAN Tunnel Endpoint (VTEP) or the like.
As shown in fig. 1, the process may include the following steps:
Step 101: when a message sent by a local source host to a destination host is received, search the TCAM table, through a first specified engine for managing the TCAM table, for the SEPG matching the source IP address in the message.
As described above, a hardware chip in the network device, such as an MRVL chip, does not support dividing SEPG and DEPG in its LPM table, so micro-segmentation cannot be implemented with that table. To avoid this, in the embodiment of the present application micro-segmentation is no longer implemented with the LPM table originally used for Layer 3 forwarding of messages, but with a TCAM table that is not originally used for Layer 3 forwarding of messages. Accordingly, as described in step 101, when a message sent by the local source host to the destination host is received, the SEPG matching the source IP address in the message is found in the TCAM table through the first specified engine for managing the TCAM table. The first specified engine can be applied to the hardware chip in the network device, such as an MRVL chip, that does not support dividing SEPG and DEPG in its LPM table (referred to below as the specified hardware chip). Optionally, the first specified engine may be the tunnel termination (TTI) engine on the specified hardware chip.
Step 102: search the TCAM table, through a second specified engine for managing the TCAM table, for the DEPG matching the destination IP address in the message.
Optionally, the second specified engine may be the ingress policy control list (IPCL) engine on the specified hardware chip.
Step 103: search the TCAM table, through a third specified engine for managing the TCAM table, for the group-based GBP between the source EPG and the destination EPG, and perform forwarding control on the message sent by the source host to the destination host according to the GBP found.
Optionally, the third specified engine may be the same as the second specified engine, for example the ingress policy control list (IPCL) engine on the specified hardware chip. The third specified engine may also be different from the second specified engine; this embodiment does not specifically limit this.
This completes the flow shown in FIG. 1.
As can be seen from the flow shown in FIG. 1, in this embodiment, when a hardware chip, such as an MRVL chip, does not support dividing SEPG and DEPG in its LPM table, which is originally used for Layer 3 forwarding of messages, to implement micro-segmentation, the network device instead uses a TCAM table, which is not originally used for Layer 3 forwarding of messages, to implement micro-segmentation and GBP and thereby control message forwarding. Micro-segmentation can therefore be implemented even though the hardware chip, such as the MRVL chip, does not support dividing SEPG and DEPG in the LPM table originally used for Layer 3 forwarding of messages.
To make the method provided by the embodiment of the present application clearer, it is described below using an example in which the first specified engine is a TTI engine and the second specified engine and the third specified engine are both an IPCL engine:
Embodiment 1:
Embodiment 1 is applied to an IPv4 scenario, where the source IP address and the destination IP address of a message are two different IPv4 addresses.
When a network device such as a VTEP receives a message sent by a local host (denoted as the source host), as shown in FIG. 2, the TTI engine uses the source IP address of the message as the key, searches the TCAM table for the EPG corresponding to the key according to the longest match principle, and determines the EPG found as the SEPG.
The IPCL engine then uses the destination IP address of the message as the key, searches the TCAM table for the EPG corresponding to the key according to the longest match principle, and determines the EPG found as the DEPG.
Then, as one embodiment, the IPCL engine uses the SEPG and the DEPG as the key and searches for the GBP whose matching condition is that key. Or, as another embodiment, the source IP address and the destination IP address of the message belong to the same Virtual Private Network (VPN). Here, the VPN to which the source IP address and the destination IP address of the message belong has a corresponding Virtual Routing and Forwarding (VRF) instance identifier (ID); on this basis, the IPCL engine uses the SEPG, the DEPG and the VRF ID as the key and searches for the GBP whose matching condition is that key.
If the GBP found includes a first identification value, such as permit, indicating that forwarding is permitted, the message is forwarded; if the GBP found includes a second identification value, such as deny, indicating that forwarding is refused, forwarding of the message is prohibited. Forwarding control of the message is thereby implemented.
This completes the description of Embodiment 1.
Embodiment 2:
Embodiment 2 is applied to an IPv6 scenario, where the source IP address and the destination IP address of a message are two different IPv6 addresses. An IPv6 address is 128 bits long, 4 times the length of a 32-bit IPv4 address. However, the TTI engine only supports 30 bytes, with the result that when the TTI engine is used to find the SEPG matching the source IP address, it cannot completely match the 128-bit IPv6 address. For this reason, in this embodiment, the 128-bit source IP address (a 128-bit IPv6 address) can first be converted into the 48-bit MAC address, so as to save TTI resources.
Specifically, when a network device such as a VTEP receives a message sent by a local host (denoted as the source host), as shown in FIG. 3, the TTI engine first determines the source MAC address of the source host whose IP address is the source IP address in the message. Optionally, in this embodiment, the TTI engine may find the MAC address corresponding to the source IP address in the message (denoted as the source MAC address) in an existing ARP entry.
The TTI engine then uses the source MAC address as the key, searches the TCAM table for the EPG corresponding to the key, and determines the EPG found as the SEPG.
The IPCL engine then uses the destination IP address of the message as the key, searches the TCAM table for the EPG corresponding to the key according to the longest match principle, and determines the EPG found as the DEPG.
Then, as one embodiment, the IPCL engine uses the SEPG and the DEPG as the key and searches for the GBP whose matching condition is that key. Or, as another embodiment, the source IP address and the destination IP address of the message belong to the same Virtual Private Network (VPN). Here, the VPN to which the source IP address and the destination IP address of the message belong has a corresponding Virtual Routing and Forwarding (VRF) instance identifier (ID); on this basis, the IPCL engine uses the SEPG, the DEPG and the VRF ID as the key and searches for the GBP whose matching condition is that key.
If the GBP found includes a first identification value, such as permit, indicating that forwarding is permitted, the message is forwarded; if the GBP found includes a second identification value, such as deny, indicating that forwarding is refused, forwarding of the message is prohibited. Forwarding control of the message is thereby implemented.
This completes the description of Embodiment 2.
It can be seen from the two embodiments that micro-segmentation in an IPv4 scenario or an IPv6 scenario is implemented by using a TCAM table that is not originally used for Layer 3 forwarding of messages, so as to implement forwarding control of the message.
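The lookup sequence of Embodiments 1 and 2, as an added example that is not part of the patent text: a software model of a first-match ternary table in which longest match is obtained by installing longer prefixes first, and in which the GBP key is SEPG, DEPG and VRF ID, with the VRF ID bits left as don't-care for rules that match on SEPG and DEPG only. The field widths, table contents, class and function names, and the `no-epg` / `no-gbp` results returned on a lookup miss are assumptions; the text does not say what happens when no EPG or GBP is found.

```python
import ipaddress
from dataclasses import dataclass

EPG_BITS = VRF_BITS = 16                          # assumed field widths
GBP_FULL = (1 << (2 * EPG_BITS + VRF_BITS)) - 1
GBP_NO_VRF = GBP_FULL & ~((1 << VRF_BITS) - 1)    # VRF ID bits are don't-care


@dataclass(frozen=True)
class Entry:
    value: int     # bits to compare
    mask: int      # 1 = compare this bit, 0 = don't care
    result: object


class Tcam:
    """First-match ternary table: the position of an entry is its priority."""

    def __init__(self):
        self.entries = []

    def add(self, value, mask, result):
        self.entries.append(Entry(value & mask, mask, result))

    def lookup(self, key):
        for e in self.entries:
            if (key & e.mask) == e.value:
                return e.result
        return None


def prefix_tcam(prefix_to_epg):
    """Longest match in a first-match table: install longer prefixes first."""
    nets = [(ipaddress.ip_network(p), epg) for p, epg in prefix_to_epg.items()]
    tcam = Tcam()
    for net, epg in sorted(nets, key=lambda n: n[0].prefixlen, reverse=True):
        tcam.add(int(net.network_address), int(net.netmask), epg)
    return tcam


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def gbp_key(sepg, depg, vrf=0):
    return (sepg << (EPG_BITS + VRF_BITS)) | (depg << VRF_BITS) | vrf


class Pipeline:
    def __init__(self, v4_prefixes, v6_prefixes, mac_to_epg, neighbors):
        self.v4 = prefix_tcam(v4_prefixes)
        self.v6 = prefix_tcam(v6_prefixes)
        self.mac = Tcam()
        for mac, epg in mac_to_epg.items():
            self.mac.add(mac_to_int(mac), (1 << 48) - 1, epg)
        # IP -> MAC bindings the device has already learned
        self.neighbors = {ipaddress.ip_address(ip): mac
                          for ip, mac in neighbors.items()}
        self.gbp = Tcam()

    def add_gbp(self, sepg, depg, action, vrf=None):
        """vrf=None installs a rule matching on SEPG and DEPG only."""
        mask = GBP_NO_VRF if vrf is None else GBP_FULL
        self.gbp.add(gbp_key(sepg, depg, vrf or 0), mask, action)

    def source_epg(self, src):
        ip = ipaddress.ip_address(src)
        if ip.version == 4:                   # Embodiment 1: key is the source IP
            return self.v4.lookup(int(ip))
        mac = self.neighbors.get(ip)          # Embodiment 2: IPv6 -> MAC -> EPG
        return None if mac is None else self.mac.lookup(mac_to_int(mac))

    def dest_epg(self, dst):
        ip = ipaddress.ip_address(dst)
        return (self.v4 if ip.version == 4 else self.v6).lookup(int(ip))

    def decide(self, src, dst, vrf):
        sepg, depg = self.source_epg(src), self.dest_epg(dst)
        if sepg is None or depg is None:
            return "no-epg"                   # assumed miss result
        return self.gbp.lookup(gbp_key(sepg, depg, vrf)) or "no-gbp"


def demo_pipeline():
    """Constructed sample tables (made-up addresses and EPG IDs)."""
    p = Pipeline(
        v4_prefixes={"10.1.0.0/16": 100, "10.1.5.0/24": 200, "10.2.0.0/16": 300},
        v6_prefixes={"2001:db8:2::/48": 300},
        mac_to_epg={"02:00:00:00:00:0a": 100},
        neighbors={"2001:db8:1::a": "02:00:00:00:00:0a"},
    )
    p.add_gbp(100, 200, "deny", vrf=7)    # more specific rule first
    p.add_gbp(100, 200, "permit")         # any VRF
    p.add_gbp(100, 300, "permit")
    return p


if __name__ == "__main__":
    p = demo_pipeline()
    for src, dst, vrf in [("10.1.9.9", "10.1.5.20", 7),
                          ("10.1.9.9", "10.1.5.20", 8),
                          ("2001:db8:1::a", "2001:db8:2::5", 1)]:
        print(src, "->", dst, "vrf", vrf, ":", p.decide(src, dst, vrf))
```

Because the model is first-match, installing the any-VRF permit rule ahead of the VRF 7 deny rule would make the deny rule unreachable; the same ordering dependency applies to the prefix entries.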
The method provided by the embodiment of the present application is described above, and the apparatus provided by the embodiment of the present application is described below:
Referring to FIG. 4, FIG. 4 is a diagram illustrating the structure of the apparatus according to the present invention. The apparatus is applied to network equipment and comprises:
a first specified engine, configured to manage a TCAM (ternary content addressable memory) table and, when a message sent by a local source host of the network equipment to a target host is received, to search the TCAM table for a source endpoint group (EPG) matching the source IP address in the message;
a second specified engine, configured to manage the TCAM table together with the first specified engine and to search the TCAM table for a target EPG matching the target IP address in the message;
a third specified engine, configured to manage the TCAM table together with the first specified engine and the second specified engine, to search the TCAM table for a group-based flow control policy (GBP) between the source EPG and the destination EPG, and to perform forwarding control on the message sent by the source host to the destination host according to the GBP found;
the first specified engine, the second specified engine and the third specified engine are applied to the same hardware chip, and the hardware chip does not support using the LPM table to subdivide the EPG to which an IP address belongs.
Optionally, the source IP address and the destination IP address are IPv4 addresses; the TCAM table comprises a correspondence between IP addresses and EPGs;
the first specified engine searching the TCAM table for the source EPG matching the source IP address in the message includes: using the source IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the source EPG;
the second specified engine searching the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG;
or,
the source IP address and the destination IP address are IPv6 addresses; the TCAM table comprises a correspondence between MAC addresses and EPGs;
the first specified engine searching the TCAM table for the source EPG matching the source IP address in the message includes: determining the source MAC address of the source host whose IP address is the source IP address in the message, using the source MAC address as the key, searching the TCAM table for the EPG corresponding to the key, and determining the EPG found as the source EPG;
the second specified engine searching the TCAM table for the target EPG matching the target IP address in the message includes: using the target IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest match principle, and determining the EPG found as the target EPG.
Optionally, the third specified engine searching the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG and the target EPG; or,
the source IP address and the destination IP address belong to the same virtual private network (VPN); the VPN has a corresponding Virtual Routing and Forwarding (VRF) instance identifier (ID);
the searching of the TCAM table for the group-based flow control policy (GBP) between the source EPG and the destination EPG includes: searching the TCAM table for the GBP whose matching conditions are the source EPG, the target EPG and the VRF ID.
Optionally, the third specified engine performing forwarding control on the message sent by the source host to the destination host according to the GBP found includes:
if the GBP found includes a first identification value indicating that forwarding is permitted, forwarding the message sent by the source host to the destination host;
if the GBP found includes a second identification value indicating that forwarding is refused, prohibiting forwarding of the message sent by the source host to the destination host.
Thus, the apparatus structure diagram provided in the present application is completed.
Correspondingly, the application also provides a hardware structure diagram of the device shown in fig. 4. As shown in fig. 5, the hardware structure may include: a machine-readable storage medium and a processor, wherein:
A machine-readable storage medium: stores the instruction code.
A processor: communicates with the machine-readable storage medium, and reads and executes the instruction code in the machine-readable storage medium to implement the network connection detection method.
Thus, the hardware configuration diagram of the apparatus shown in fig. 5 is completed.
In the present application, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or implemented by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A message forwarding control method, applied to a network device, characterized by comprising:
when a message sent by a local source host to a destination host is received, searching a ternary content addressable memory (TCAM) table, through a first specified engine for managing the TCAM table, for a source endpoint group (EPG) that matches the source IP address in the message;
searching the TCAM table, through a second specified engine for managing the TCAM table, for a destination EPG that matches the destination IP address in the message;
searching the TCAM table, through a third specified engine for managing the TCAM table, for a group-based flow control policy (GBP) between the source EPG and the destination EPG, and performing forwarding control, according to the GBP found, on the message sent by the source host to the destination host, wherein the first specified engine, the second specified engine and the third specified engine are applied to the same hardware chip, and the hardware chip does not support using an LPM table to subdivide the EBP to which an IP address belongs.
2. The method of claim 1, wherein the source IP address and the destination IP address are IPv4 addresses; the TCAM table comprises a correspondence between IP addresses and EPGs;
finding, in the TCAM table, the source EPG that matches the source IP address in the message comprises: with the source IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the source EPG;
finding, in the TCAM table, the destination EPG that matches the destination IP address in the message comprises: with the destination IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the destination EPG.
3. The method of claim 1, wherein the source IP address and the destination IP address are IPv6 addresses; the TCAM table comprises a correspondence between MAC addresses and EPGs;
finding, in the TCAM table, the source EPG that matches the source IP address in the message comprises: determining the source MAC address of the source host corresponding to the source IP address in the message, searching the TCAM table for the EPG corresponding to the key with the source MAC address as the key, and determining the EPG found as the source EPG;
finding, in the TCAM table, the destination EPG that matches the destination IP address in the message comprises: with the destination IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the destination EPG.
4. The method according to any one of claims 1 to 3, wherein
looking up the group-based flow control policy (GBP) between the source EPG and the destination EPG in the TCAM table comprises: searching the TCAM table for a GBP whose matching conditions are the source EPG and the destination EPG; or,
the source IP address and the destination IP address belong to the same virtual private network (VPN), and the VPN has a corresponding virtual routing and forwarding (VRF) instance identifier (ID);
looking up the GBP between the source EPG and the destination EPG in the TCAM table comprises: searching the TCAM table for a GBP whose matching conditions are the source EPG, the destination EPG and the VRF ID.
5. The method according to claim 1, wherein performing forwarding control, according to the GBP found, on the message sent by the source host to the destination host comprises:
if the GBP found includes a first identification value indicating that forwarding is permitted, forwarding the message sent by the source host to the destination host;
if the GBP found includes a second identification value indicating that forwarding is refused, prohibiting forwarding of the message sent by the source host to the destination host.
6. A message forwarding control apparatus, applied to a network device, comprising:
a first specified engine, configured to manage a ternary content addressable memory (TCAM) table and, when a message sent by a local source host of the network device to a destination host is received, to search the TCAM table for a source endpoint group (EPG) that matches the source IP address in the message;
a second specified engine, configured to manage the TCAM table together with the first specified engine and to search the TCAM table for a destination EPG that matches the destination IP address in the message;
a third specified engine, configured to manage the TCAM table together with the first specified engine and the second specified engine, to search the TCAM table for a group-based flow control policy (GBP) between the source EPG and the destination EPG, and to perform forwarding control, according to the GBP found, on the message sent by the source host to the destination host;
wherein the first specified engine, the second specified engine and the third specified engine are applied to the same hardware chip, and the hardware chip does not support using an LPM table to subdivide the EBP to which an IP address belongs.
7. The apparatus of claim 6, wherein the source IP address and the destination IP address are IPv4 addresses; the TCAM table comprises a correspondence between IP addresses and EPGs;
the first specified engine finding, in the TCAM table, the source EPG that matches the source IP address in the message comprises: with the source IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the source EPG;
the second specified engine finding, in the TCAM table, the destination EPG that matches the destination IP address in the message comprises: with the destination IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the destination EPG;
or,
the source IP address and the destination IP address are IPv6 addresses; the TCAM table comprises a correspondence between MAC addresses and EPGs;
the first specified engine finding, in the TCAM table, the source EPG that matches the source IP address in the message comprises: determining the source MAC address of the source host corresponding to the source IP address in the message, searching the TCAM table for the EPG corresponding to the key with the source MAC address as the key, and determining the EPG found as the source EPG;
the second specified engine finding, in the TCAM table, the destination EPG that matches the destination IP address in the message comprises: with the destination IP address as the key, searching the TCAM table for the EPG corresponding to the key according to the longest-match principle, and determining the EPG found as the destination EPG.
8. The apparatus of claim 6 or 7, wherein the third specified engine looking up the group-based flow control policy (GBP) between the source EPG and the destination EPG in the TCAM table comprises: searching the TCAM table for a GBP whose matching conditions are the source EPG and the destination EPG; or,
the source IP address and the destination IP address belong to the same virtual private network (VPN), and the VPN has a corresponding virtual routing and forwarding (VRF) instance identifier (ID);
looking up the GBP between the source EPG and the destination EPG in the TCAM table comprises: searching the TCAM table for a GBP whose matching conditions are the source EPG, the destination EPG and the VRF ID.
9. The apparatus of claim 6, wherein the third specified engine performing forwarding control, according to the GBP found, on the message sent by the source host to the destination host comprises:
if the GBP found includes a first identification value indicating that forwarding is permitted, forwarding the message sent by the source host to the destination host;
if the GBP found includes a second identification value indicating that forwarding is refused, prohibiting forwarding of the message sent by the source host to the destination host.
10. An electronic device, comprising: a processor and a memory;
the memory is configured to store machine-executable instructions;
the processor is configured to read and execute the machine-executable instructions stored in the memory so as to implement the method of any one of claims 1 to 5.
CN202011272968.1A 2020-11-13 2020-11-13 Message forwarding control method and device and electronic equipment Withdrawn CN112422437A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011272968.1A CN112422437A (en) 2020-11-13 2020-11-13 Message forwarding control method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011272968.1A CN112422437A (en) 2020-11-13 2020-11-13 Message forwarding control method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN112422437A true CN112422437A (en) 2021-02-26

Family

ID=74831129

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011272968.1A Withdrawn CN112422437A (en) 2020-11-13 2020-11-13 Message forwarding control method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN112422437A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113438208A (en) * 2021-06-03 2021-09-24 新华三技术有限公司 Message processing method, device and equipment

Similar Documents

Publication Publication Date Title
JP4742167B2 (en) Method for performing a table lookup operation using a table index that exceeds the CAM key size
US7509674B2 (en) Access control listing mechanism for routers
EP1649389B1 (en) Internet protocol security matching values in an associative memory
US9680747B2 (en) Internet protocol and Ethernet lookup via a unified hashed trie
US7724728B2 (en) Policy-based processing of packets
US7336660B2 (en) Method and apparatus for processing packets based on information extracted from the packets and context indications such as but not limited to input interface characteristics
US9569561B2 (en) Label masked addressable memory
CN112422435B (en) Message forwarding control method and device and electronic equipment
US20080205403A1 (en) Network packet processing using multi-stage classification
US10148571B2 (en) Jump on a match optimization for longest prefix match using a binary search tree
CN107580079B (en) Message transmission method and device
US11012258B2 (en) Packet transmission
US9960995B2 (en) Packet forwarding using a physical unit and a virtual forwarding unit
US9183322B2 (en) Increasing internet protocol version 6 host table scalability in top of rack switches for data center deployments
CN102291472A (en) Network address lookup method and device
CN108199947B (en) Designated forwarder DF election method and device
CN106789859B (en) Message matching method and device
CN103825824A (en) Message processing method and message processing device
US10313274B2 (en) Packet forwarding
CN112422437A (en) Message forwarding control method and device and electronic equipment
WO2021135492A1 (en) Routing table entry processing method and device
US9596215B1 (en) Partitioning a filter to facilitate filtration of packets
CN107547687B (en) Message transmission method and device
US20180212877A1 (en) Combining prefix lengths into a hash table
US10216535B2 (en) Efficient MAC address storage for virtual machine applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210226