CN112953809A - System and method for generating multilayer VLAN flow - Google Patents

Publication number: CN112953809A
Application number: CN202110320270.0A
Authority: CN (China)
Other versions: CN112953809B (en)
Original language: Chinese (zh)
Inventor: 张瑀
Original and current assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Granted (active)
Prior art keywords: vlan, switch, flow data, packet, data packet

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L49/00 Packet switching elements
    • H04L49/60 Software-defined switches
    • H04L49/602 Multilayer or multiprotocol switching, e.g. IP switching

Abstract

The present disclosure relates to a system, method, electronic device, and computer-readable medium for generating multilayer VLAN traffic. The system comprises: a first packet transceiver device, which generates a VLAN traffic data packet; a switch, which obtains the VLAN traffic data packet from the first packet transceiver device and, through its snake-shaped networking, forwards the VLAN traffic data inside the switch multiple times so as to generate a multilayer VLAN traffic data packet; and a second packet transceiver device, which obtains the multilayer VLAN traffic data packet from the switch. The system, method, electronic device and computer-readable medium can produce multilayer VLAN traffic messages using only the switch, without modifying the traffic messages; they are not limited by tool software when generating the multilayer VLAN traffic messages, and are fast and efficient.

Description

System and method for generating multilayer VLAN flow
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a system, a method, an electronic device, and a computer-readable medium for generating multilayer VLAN traffic.
Background
With the popularization and wide application of networks, various tunnel and message encapsulation technologies have appeared in order to partition private networks or sub-networks. VLAN is one of the most common, and when a message undergoes several VLAN push and pop operations during transmission, a VLAN traffic message with more than two layers is produced. To ensure that an intrusion prevention system can accurately intercept attacks without affecting the forwarding of normal messages under any extreme encapsulation condition, testing of the intrusion prevention system should include, besides the conventional single-layer VLAN message test, an intrusion prevention test of multilayer VLAN traffic under extreme conditions.
In the prior art, the methods for generating multilayer VLAN traffic are complex; a new system, method, electronic device and computer-readable medium for generating multilayer VLAN traffic are therefore needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a system, a method, an electronic device, and a computer-readable medium for generating multilayer VLAN traffic, which can produce multilayer VLAN traffic using only a switch, without modifying the traffic message; they are not limited by tool software when generating the multilayer VLAN traffic, and are fast and efficient.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a system for generating multilayer VLAN traffic is provided, the system including: a first packet transceiver device for generating a VLAN traffic data packet; a switch that obtains the VLAN traffic data packet from the first packet transceiver device and, through its snake-shaped networking, forwards the VLAN traffic data inside the switch multiple times so as to generate a multilayer VLAN traffic data packet; and a second packet transceiver device for obtaining the multilayer VLAN traffic data packet from the switch.
In an exemplary embodiment of the present disclosure, the first interface of the switch is connected to the packet-sending interface of the first packet transceiver device, and the last interface of the switch is connected to the packet-receiving interface of the second packet transceiver device.
In an exemplary embodiment of the present disclosure, the switch includes a plurality of interfaces, and the interfaces from the second interface through the second-to-last interface of the switch are connected sequentially in pairs.
In an exemplary embodiment of the present disclosure, the plurality of interfaces of the switch are configured in trunk mode.
In an exemplary embodiment of the present disclosure, the trunk allowed VLAN of each odd-numbered interface of the switch is the same as the trunk allowed VLAN of the interface preceding it, and the trunk allowed VLAN of each even-numbered interface of the switch is the same as the trunk allowed VLAN of the interface two before it.
In an exemplary embodiment of the present disclosure, the plurality of interfaces of the switch are configured with QinQ policies.
In an exemplary embodiment of the present disclosure, the system further comprises: an intrusion prevention system connected in series between the switch and the second packet transceiver device, for performing intrusion detection on the multilayer VLAN traffic data packet and generating a detection result; and a management device for obtaining and analyzing the detection result.
According to an aspect of the present disclosure, a method for generating multilayer VLAN traffic is provided, the method including: a first packet transceiver device generates a VLAN traffic data packet; a switch obtains the VLAN traffic data packet from the first packet transceiver device; the switch forwards the VLAN traffic data inside itself multiple times through its snake-shaped networking so as to generate a multilayer VLAN traffic data packet; and a second packet transceiver device obtains the multilayer VLAN traffic data packet from the switch.
In an exemplary embodiment of the present disclosure, the first packet transceiver device generating a VLAN traffic data packet includes: the first packet transceiver device generates VLAN traffic data packets of the attack class; and/or VLAN traffic data packets of the background traffic class; and/or VLAN traffic data packets of the abnormal message class; and/or VLAN traffic data packets of the mixed message class.
In an exemplary embodiment of the present disclosure, the method further comprises: the intrusion prevention system obtains the multilayer VLAN traffic data packet between the switch and the second packet transceiver device, performs intrusion detection on it, and generates a detection result.
In an exemplary embodiment of the present disclosure, the intrusion prevention system obtaining the multilayer VLAN traffic data packet between the switch and the second packet transceiver device for intrusion detection includes: the intrusion prevention system obtains the multilayer VLAN traffic data packet between the switch and the second packet transceiver device; when the multilayer VLAN traffic data packet is of the attack class, abnormal message class or mixed message class, intrusion detection is performed on it; and when the multilayer VLAN traffic data packet is of the background traffic class, it is forwarded.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the system, method, electronic device and computer-readable medium for generating multilayer VLAN traffic, the first packet transceiver device generates a VLAN traffic data packet; the switch obtains the VLAN traffic data packet from the first packet transceiver device and forwards the VLAN traffic data inside the switch multiple times through its snake-shaped networking so as to generate a multilayer VLAN traffic data packet; and the second packet transceiver device obtains the multilayer VLAN traffic data packet from the switch. In this way the multilayer VLAN traffic message is produced using only the switch, without modifying the traffic message, and its generation is not limited by tool software, so the process is fast and efficient.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a system block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 2 is a schematic block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 3 is a block diagram illustrating an intrusion prevention detection system in a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 4 is a flow chart illustrating a method of generating multi-layer VLAN traffic in accordance with another exemplary embodiment.
Fig. 5 is a flow chart illustrating a method of generating multi-layer VLAN traffic in accordance with another exemplary embodiment.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 7 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The technical abbreviations referred to in this application are explained as follows:
VLAN (Virtual Local Area Network) operates at layers 2 and 3 of the OSI reference model; a VLAN is a broadcast domain. The same physical local area network can be divided into several different broadcast domains by means of different VLANs, and different VLANs can communicate with each other only through layer-3 routing, which improves network security.
QinQ (also known as Stacked VLAN or Double VLAN) is a technology that effectively extends the number of available VLANs.
An Intrusion Prevention System (IPS) is a computer network security facility that complements anti-virus software and firewalls (packet filters, application gateways).
To test whether VLANs affect detection by an intrusion prevention device, multilayer VLAN traffic messages must be constructed; however, the messages used for testing are usually messages without VLAN tags, so VLANs are added by modifying the messages with software before testing.
Message-construction tool software is used to create a message with VLAN tags or to modify an existing attack message; the message is then sent to the intrusion prevention device under test to check whether it can process the VLAN-tagged message and accurately detect the attack type.
This method can increase the number of VLAN layers by creating or modifying existing attack messages, thereby constructing multilayer VLAN messages and performing multilayer VLAN intrusion prevention detection, but it is limited to attacks consisting of a small number of messages.
Constructing and reconstructing messages is complex, limited by the tool software, time-consuming and inefficient; many messages cannot be modified in batch at the same time, and whenever the type of traffic sent changes, new messages must be modified again. The system for generating multilayer VLAN traffic described here instead uses ordinary attack messages without VLAN tags together with background traffic, and adds a multilayer VLAN structure to the untagged messages by passing them repeatedly through a switch using the QinQ function of the switch interfaces, so as to generate multilayer VLAN traffic that can also be sent to the intrusion detection device for testing.
The present disclosure is described in detail below with reference to specific examples.
Fig. 1 is a system block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
The first packet transceiver device 102 is configured to generate a VLAN traffic data packet;
the switch 104 obtains the VLAN traffic data packet from the first packet transceiver device 102 and forwards the VLAN traffic data inside the switch multiple times through its own snake-shaped networking to generate a multilayer VLAN traffic data packet;
the second packet transceiver device 106 is configured to obtain the multilayer VLAN traffic data packet from the switch 104.
The first interface of the switch 104 is connected to the packet-sending interface of the first packet transceiver device 102, and the last interface of the switch 104 is connected to the packet-receiving interface of the second packet transceiver device 106.
The switch 104 includes a plurality of interfaces, and the interfaces from the second interface through the second-to-last interface of the switch 104 are connected in pairs. The interfaces of the switch 104 are configured in trunk mode. The trunk allowed VLAN of each odd-numbered interface of the switch 104 is the same as the trunk allowed VLAN of the interface preceding it, and the trunk allowed VLAN of each even-numbered interface is the same as the trunk allowed VLAN of the interface two before it. The interfaces of the switch 104 are configured with QinQ policies.
Fig. 2 is a schematic block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. In fig. 2, the solid lines show traffic leaving the device, the dashed lines show traffic inside the device, and the dashed lines in the circle show irrelevant traffic produced by broadcasting (which is discarded and does not affect the test).
More specifically, the deployment method for constructing the multilayer VLAN traffic is as follows:
1. Send packets from PC1 (or another packet transceiver device; this embodiment uses a PC only as an example), with its packet-sending interface connected to the gige0_0 port of the switch; the gige0_0 port serves as the message input interface;
2. Connect another PC, PC2, to the last interface of the switch, port gige0_n (where n is odd and the switch has n+1 ports);
3. Connect the gige0_1 port of the switch to the gige0_2 port, the gige0_3 port to the gige0_4 port, and so on up to the gige0_n-2 port to the gige0_n-1 port, forming the snake-shaped networking;
4. Configure all interfaces of the switch in trunk mode;
5. Set the trunk native VLANs of the n+1 interfaces gige0_0 to gige0_n to VLAN1 through VLAN n+1 respectively;
6. Configure trunk allowed VLANs on gige0_1 to gige0_n: the trunk allowed VLAN of ports 0_1 and 0_2 is 1, that of ports 0_3 and 0_4 is 3, and so on; that is, if the interface id is odd, its trunk allowed VLAN equals the trunk native VLAN of the interface before it, and if the interface id is even, its trunk allowed VLAN equals the trunk native VLAN of the interface two before it;
7. Using the QinQ function of the switch, configure a QinQ policy on each interface (the gige0_0 port may be left unconfigured); with basic QinQ, a message in the inbound direction keeps its original VLAN and gains one new outermost VLAN layer whose VLAN ID is the native VLAN of the current interface.
Fig. 3 is a block diagram illustrating an intrusion prevention detection system in a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. As shown in fig. 3, the intrusion prevention system is connected in series between the switch and the second packet transceiver device and is configured to perform intrusion detection on the multilayer VLAN traffic data packet and generate a detection result; the management device obtains and analyzes the detection result.
More specifically, the test procedure is as follows:
1. Connect the intrusion detection device in series between the switch and PC2, and configure the intrusion prevention policy.
2. PC1 replays messages; attack messages, background traffic, abnormal messages or mixed messages can be selected as required.
3. After passing through the switch, the attack messages are encapsulated in (n+1)/2 layers of VLAN and are then processed and detected.
4. The attacks encapsulated in multilayer VLANs can be detected normally by the intrusion detection device, and the multilayer VLAN background traffic is forwarded normally.
Fig. 4 is a flow diagram illustrating a system and method for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. The system and method 40 for generating multilayer VLAN traffic includes at least steps S402 to S408.
As shown in fig. 4, in S402, the first packet transceiver device generates a VLAN traffic data packet. For example, the first packet transceiver device may generate VLAN traffic data packets of the attack class, of the background traffic class, of the abnormal message class, or of the mixed message class.
In S404, the switch obtains the VLAN traffic data packet from the first packet transceiver device.
In S406, the switch forwards the VLAN traffic data inside itself multiple times through its own snake-shaped networking to generate a multilayer VLAN traffic data packet.
More specifically, a message without a VLAN tag enters the switch through the ingress interface gige0_0; one layer, VLAN1, is added according to the interface's VLAN rule, and since ports gige0_1 and gige0_2 both belong to VLAN1, the traffic is broadcast out of ports gige0_1 and gige0_2;
because of the interface cabling, the message output from gige0_2 enters at gige0_1, where the basic QinQ configuration of that interface adds VLAN2 as the outermost layer; the traffic becomes a double-layer VLAN message with inner VLAN1 and outer VLAN2. It now belongs to VLAN2, and since no interface other than gige0_1 carries VLAN2, it has no output interface and is discarded;
the other message, output from gige0_1, enters at gige0_2, where the QinQ configuration adds VLAN3 as the outermost layer; the traffic becomes a double-layer VLAN message with inner VLAN1 and outer VLAN3. In the same way, the traffic in outer VLAN3 is output from gige0_3 and gige0_4; the message output from gige0_4 enters at gige0_3, gains a VLAN4 layer, has no output interface and is discarded, while the message output from gige0_3 enters at gige0_4, gains VLAN5 at the outermost layer and is forwarded onward.
Finally, at the egress gige0_n, the VLANs received by PC2 are, from innermost to outermost, VLAN1, VLAN3, VLAN5, ..., VLAN n-2, VLAN n. A message passing through the networking is thus encapsulated in (n+1)/2 layers of VLAN.
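A simulation of the snake-shaped networking and a parser for the tag stack PC2 should capture, added here as an example and not taken from the patent: the port numbering, native/allowed VLAN rules, cabling and QinQ behaviour follow deployment steps 1 to 7 and the walkthrough above, while the 802.1Q TPID, MAC addresses and payload are assumptions. Running it for n = 7 reproduces the VLAN1, VLAN3, VLAN5, VLAN7 stack, the three discarded broadcast copies, and the (n+1)/2 layer count.

```python
"""Model of the snake-shaped QinQ switch from deployment steps 1-7.

Port i (i = 0..n, n odd) has trunk native VLAN i+1.  Port 0 is the ingress
from PC1, port n is the egress to PC2, and ports 1-2, 3-4, ..., (n-2)-(n-1)
are cabled to each other.  Every port except port 0 runs basic QinQ, so a
frame entering it gets one more outer tag carrying that port's native VLAN.
"""
from collections import deque
import struct


def build_snake_switch(n):
    """Return (native, allowed, cable) for an (n+1)-port switch, n odd."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and >= 3")
    native = {p: p + 1 for p in range(n + 1)}          # step 5
    allowed = {}
    for p in range(1, n + 1):                            # step 6
        # odd port: native VLAN of the previous port;
        # even port: native VLAN of the port two before it
        allowed[p] = native[p - 1] if p % 2 else native[p - 2]
    cable = {}
    for p in range(1, n - 1, 2):                         # step 3
        cable[p], cable[p + 1] = p + 1, p
    return native, allowed, cable


def simulate(n):
    """Inject one untagged frame at port 0 and flood it through the switch.

    Returns (stacks delivered to PC2 as inner->outer lists, number of copies
    dropped for lack of an egress port).
    """
    native, allowed, cable = build_snake_switch(n)
    delivered, dropped = [], 0
    queue = deque([(0, [])])            # (ingress port, VLAN stack inner->outer)
    for _ in range(10 * (n + 1)):       # safety bound against a forwarding loop
        if not queue:
            return delivered, dropped
        port, stack = queue.popleft()
        # Port 0 tags the untagged frame with its native VLAN; every other
        # port pushes its native VLAN as a new outermost tag (step 7).
        stack = stack + [native[port]]
        outer = stack[-1]
        # A trunk floods the frame to every other port that allows the outer VLAN.
        egress = [p for p in range(1, n + 1) if p != port and allowed[p] == outer]
        if not egress:
            dropped += 1                # e.g. VLAN2 on gige0_1: no port carries it
            continue
        for p in egress:
            if p == n:
                delivered.append(stack)          # leaves gige0_n towards PC2
            else:
                queue.append((cable[p], stack))  # loops back in via the cable
    raise RuntimeError("forwarding did not converge")


TPID = 0x8100  # assumption: each stacked tag uses the 802.1Q TPID


def build_frame(stack, payload=b"\x00" * 46):
    """Constructed sample frame as PC2 would capture it: tags outer-first."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in reversed(stack))
    return macs + tags + struct.pack("!H", 0x0800) + payload


def parse_vlan_stack(frame):
    """Peel tags until a non-VLAN EtherType; return (inner->outer VIDs, EtherType)."""
    off, outer_to_inner = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (0x8100, 0x88A8, 0x9100):
            return list(reversed(outer_to_inner)), etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        outer_to_inner.append(tci & 0x0FFF)
        off += 4


if __name__ == "__main__":
    n = 7
    stacks, dropped = simulate(n)
    print("delivered:", stacks, "dropped:", dropped, "layers:", (n + 1) // 2)
    print("parsed:", parse_vlan_stack(build_frame(stacks[0])))
```

The parser is the check a tester would run on the PC2 capture (or on the IPS side) to confirm the switch produced exactly the expected stack before attributing any missed detection to the IPS.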
In S408, the second packet transceiver device obtains the multilayer VLAN traffic packet from the switch.
According to the method for generating multilayer VLAN traffic, the first packet transceiver device generates VLAN traffic data packets of the attack class, and/or of the background traffic class, and/or of the abnormal message class, and/or of the mixed message class; the multilayer VLAN traffic message is produced using only the switch, without modifying the traffic message, and its generation is not limited by tool software, so the process is fast and efficient.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 5 is a flow diagram illustrating a system and method for generating multi-layer VLAN traffic according to another exemplary embodiment. The flow 50 shown in fig. 5 is a supplementary description of the flow shown in fig. 4.
As shown in fig. 5, in S502, the intrusion prevention system obtains the multi-layer VLAN traffic data packet between the switch and the second packet transceiver device.
In S504, the type of the multilayer VLAN traffic packet is determined.
In S506, when the multilayer VLAN traffic data packet is an attack type, an abnormal packet type, or a mixed packet type, intrusion detection is performed on the traffic data packet.
In S508, when the multilayer VLAN traffic packet is a background flow type multilayer VLAN traffic packet, the multilayer VLAN traffic packet is forwarded.
According to the method for generating multilayer VLAN traffic, messages do not need to be modified: the multilayer VLAN is added directly, simply by using a switch, and when the traffic model changes the networking does not need to be modified again.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. When executed by the CPU, performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 600 according to this embodiment of the disclosure is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present disclosure.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 that connects the various system components (including the storage unit 620 and the processing unit 610), a display unit 640, and the like.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs the steps described in this specification in accordance with various exemplary embodiments of the present disclosure. For example, the processing unit 610 may perform the steps shown in fig. 4 and 5.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 600' (e.g., a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (e.g., a router, modem, etc.) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 7, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: controlling a first packet receiving and sending device to generate a VLAN flow data packet; controlling the switch to acquire the VLAN flow data packet from the first packet receiving and sending device; controlling the switch to forward the VLAN flow data inside the switch multiple times through the serpentine networking of the switch so as to generate a multilayer VLAN flow data packet; and controlling the second packet receiving and sending device to acquire the multilayer VLAN flow data packet from the switch.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly so as to reside in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (11)

1. A system for generating multilayer VLAN traffic, comprising:
a first packet receiving and sending device, used for generating a VLAN flow data packet;
a switch, which acquires the VLAN flow data packet from the first packet receiving and sending device and forwards the VLAN flow data inside the switch multiple times through the serpentine networking of the switch so as to generate a multilayer VLAN flow data packet;
and a second packet receiving and sending device, used for acquiring the multilayer VLAN flow data packet from the switch.
2. The generation system of claim 1, wherein
the first interface of the switch is connected with the packet sending interface of the first packet receiving and sending device;
and the last interface of the switch is connected with the packet receiving interface of the second packet receiving and sending device.
3. The generation system of claim 1, wherein
the switch comprises a plurality of interfaces, and the interfaces from the second interface to the second-to-last interface of the switch are connected in pairs in sequence.
4. The generation system of claim 1, wherein
the plurality of interfaces of the switch are configured in trunk mode.
5. The generation system of claim 4, wherein
the trunk allowed VLAN of each odd-numbered interface of the switch is the same as the trunk allowed VLAN of the preceding interface;
and the trunk allowed VLAN of each even-numbered interface of the switch is the same as the trunk allowed VLAN of the first two interfaces.
6. The generation system of claim 1, wherein
the plurality of interfaces of the switch are configured with QinQ policies.
7. The generation system of claim 1, further comprising:
an intrusion prevention system, connected in series between the switch and the second packet receiving and sending device, used for carrying out intrusion detection on the multilayer VLAN flow data packet and generating a detection result;
and a management device, used for acquiring and analyzing the detection result.
8. A method for generating multilayer VLAN traffic, characterized by comprising the following steps:
a first packet receiving and sending device generates a VLAN flow data packet;
a switch acquires the VLAN flow data packet from the first packet receiving and sending device;
the switch forwards the VLAN flow data inside the switch multiple times through the serpentine networking of the switch so as to generate a multilayer VLAN flow data packet;
and a second packet receiving and sending device acquires the multilayer VLAN flow data packet from the switch.
9. The generation method of claim 8, wherein the first packet receiving and sending device generating a VLAN flow data packet comprises:
the first packet receiving and sending device generates an attack-type VLAN flow data packet; and/or
the first packet receiving and sending device generates a background-traffic-type VLAN flow data packet; and/or
the first packet receiving and sending device generates an abnormal-message-type VLAN flow data packet; and/or
the first packet receiving and sending device generates a mixed-message-type VLAN flow data packet.
10. The generation method of claim 8, further comprising:
an intrusion prevention system acquires the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device, carries out intrusion detection, and generates a detection result.
11. The generation method of claim 10, wherein the step of the intrusion prevention system acquiring the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device for intrusion detection comprises:
the intrusion prevention system acquires the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device;
when the multilayer VLAN flow data packet is of the attack type, the abnormal-message type or the mixed-message type, carrying out intrusion detection on the flow data packet;
and when the multilayer VLAN flow data packet is a background-traffic-type multilayer VLAN flow data packet, forwarding the multilayer VLAN flow data packet.
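As an added illustration of the process in the claims above and in the program description earlier (example code written for this page, not the patent's or Hangzhou DPTech's own implementation): each pass through a QinQ-policy trunk interface is modelled as pushing one more outer 802.1ad tag onto the frame, and a tag-stack parser shows what an intrusion prevention system must do to reach the inner EtherType. The TPID values are the standard ones; the MAC addresses, VLAN IDs and payload are constructed sample values.

```python
import struct

TPID_DOT1Q = 0x8100   # 802.1Q customer tag, as emitted by the first transceiver
TPID_QINQ = 0x88A8    # 802.1ad service tag, as pushed by a QinQ policy on a trunk port
TAG_TPIDS = {TPID_DOT1Q, TPID_QINQ, 0x9100}   # 0x9100: legacy QinQ TPID still seen in the field


def build_single_tagged_frame(dst, src, vlan_id, ethertype, payload):
    """Frame as the first packet transceiver would send it: MACs, one 802.1Q tag, payload."""
    tci = vlan_id & 0x0FFF                      # PCP=0, DEI=0, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_DOT1Q, tci, ethertype) + payload


def push_outer_tag(frame, vlan_id, tpid=TPID_QINQ):
    """One pass through a QinQ trunk interface: insert a new outermost tag right after the MACs."""
    return frame[:12] + struct.pack("!HH", tpid, vlan_id & 0x0FFF) + frame[12:]


def serpentine_passes(frame, outer_vlans):
    """Each cabled-back interface pair re-ingresses the frame, so each pass adds one more layer.

    outer_vlans lists, in order, the VLAN pushed on each pass (constructed sample values).
    """
    for vid in outer_vlans:
        frame = push_outer_tag(frame, vid)
    return frame


def parse_vlan_stack(frame):
    """Walk the tag stack outermost-first; return (vlan ids, inner EtherType, payload offset).

    An IPS that reads only the first tag sees 0x88A8 instead of the real L3 EtherType;
    that blind spot is what multilayer test traffic is meant to exercise.
    """
    off, vids = 12, []
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in TAG_TPIDS:
            break
        vids.append(tci & 0x0FFF)
        off += 4
    if off + 2 > len(frame):
        raise ValueError("truncated frame: tag stack runs past end of frame")
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    return vids, ethertype, off + 2


if __name__ == "__main__":
    # Constructed sample: inner VLAN 100 carrying IPv4, then three serpentine passes.
    base = build_single_tagged_frame(b"\x02" * 6, b"\x04" * 6, 100, 0x0800, b"\x45" + b"\x00" * 19)
    multi = serpentine_passes(base, [200, 300, 400])
    print(parse_vlan_stack(multi))   # ([400, 300, 200, 100], 2048, 30)
```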

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110320270.0A CN112953809B (en) 2021-03-25 2021-03-25 System and method for generating multilayer VLAN flow

Publications (2)

Publication Number Publication Date
CN112953809A true CN112953809A (en) 2021-06-11
CN112953809B CN112953809B (en) 2022-07-26

Family

ID=76228514

Country Status (1)

Country Link
CN (1) CN112953809B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060077975A1 (en) * 2004-10-08 2006-04-13 Broad Web Corporation Checking method for applying in the field of network packet contents of network security switch
US20070115913A1 (en) * 2004-02-07 2007-05-24 Bin Li Method for implementing the virtual leased line
WO2007065358A1 (en) * 2005-12-06 2007-06-14 Huawei Technologies Co., Ltd. Method and system for service processing based on vlan stack
CN101588305A (en) * 2009-06-30 2009-11-25 杭州华三通信技术有限公司 Method for processing a message carrying multilayer labels, and switch
CN103078770A (en) * 2013-01-22 2013-05-01 浪潮电子信息产业股份有限公司 Method for testing stability of switch
CN104168184A (en) * 2013-05-17 2014-11-26 杭州华三通信技术有限公司 Message forwarding method and device
CN108512721A (en) * 2018-03-05 2018-09-07 山东超越数控电子股份有限公司 Layer-3 stability test method for multiple switches
CN109922090A (en) * 2019-04-29 2019-06-21 杭州迪普科技股份有限公司 Flow forwarding method, device, electronic equipment and machine readable storage medium
CN111526121A (en) * 2020-03-24 2020-08-11 杭州迪普科技股份有限公司 Intrusion prevention method and device, electronic equipment and computer readable medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Li Yin et al.: "A scenario-driven software evaluation framework for industrial Ethernet switches", Computer Engineering and Design *
Guo Liang et al.: "Discussion on the limitations of snake testing in router performance testing", Telecommunications Science *
Chen Lin et al.: "Internet+" Smart Campus Technology and Engineering Implementation, 30 September 2017 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant