CN114039910A - Data forwarding method based on packet label strategy - Google Patents


Info

Publication number: CN114039910A
Authority: CN (China)
Prior art keywords: source, forwarding, label, packet, searching
Legal status: Granted (active)
Application number: CN202111363981.2A
Other languages: Chinese (zh)
Other versions: CN114039910B (en)
Inventor: 陈刚
Current assignee: Yunhe Zhiwang Shanghai Technology Co ltd
Original assignee: Hangzhou Clounix Technology Ltd
Priority date / filing date: 2021-11-17
Publication date: 2022-02-11 (CN114039910A); 2023-06-27 (CN114039910B, grant)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a data forwarding method based on a group tag policy, comprising the following steps: receiving a data packet; parsing the data packet to obtain the source address, destination address, ingress port, VLAN number and the source group tag already inserted by the upstream device; obtaining the Layer 2 forwarding domain and the Layer 3 VRF to which it belongs; looking up the destination address in the forwarding information base to obtain the next-hop operation index and the destination group tag; looking up the source address in the forwarding information base to obtain a first source group tag; looking up the ingress port and VLAN number to obtain a second source group tag; selecting the final source group tag by priority; looking up the pair (final source group tag, destination group tag) in the policy table and discarding or forwarding the packet according to the result. The invention implements micro-segmentation based on group tags, supports security isolation of mutual access within a subnet with finer-grained security control, and implements policy-based routing on the source and destination group tags. The group tag need not be tied to an IP address; it may be derived from the ingress port, VLAN, virtual machine tag, MAC address, geographic location, device type, etc., making security control more flexible.

Description

Data forwarding method based on packet label strategy
Technical Field
The invention relates to the technical field of group tag policy, in particular to a data forwarding method based on a group tag policy. The "packet label" of the title is the security group tag used throughout: SGT for the source of a packet and DGT for its destination; the text below uses "group tag".
Background
As users pay ever more attention to security, micro-segmentation based on security groups has become the trend for fine-grained policy control, and SGT (Scalable Group Tag) for campus networks and GBP (Group Based Policy) for data centers are gradually being accepted by the market. A traditional Ethernet switching chip looks up the destination IP address to obtain an index pointing to the next-hop address, and then, in the ingress ACL (access control list) stage, discards or forwards the packet according to the IP mutual-access policy configured and issued by the user. The main factors restricting large-scale deployment of such security policy are the high heat output, small capacity and high price of the TCAM (ternary content addressable memory) that implements the ACL function.
Deploying traditional security policy requires careful network planning: service isolation is achieved with service subnets divided by VLAN, VXLAN VNI and the like, and an ACL under a Layer 3 interface of a switch cannot isolate different servers within the same subnet. In cloud computing and virtualization environments security boundaries are hard to define, which makes practical ACL deployment difficult. Even in a conventional network, because of the huge number of IP devices, ACL configuration and maintenance is complex and lacks a global view, so an intent-based network policy is hard to implement. Meanwhile, an Ethernet switching chip uses TCAM and lacks the ability of a firewall to hold a large number of ACL entries in RAM.
Disclosure of Invention
According to an embodiment of the invention, a data forwarding method based on a group tag policy is provided, comprising the following steps:
receiving a data packet;
parsing the data packet to obtain a source address, a destination address, an ingress port, a VLAN number and a source group tag already inserted by the upstream device;
looking up the prefix of the destination address in the forwarding information base to obtain a next-hop operation index and a destination group tag;
obtaining the Layer 2 forwarding domain from the VLAN information of the data packet on the ingress port, and obtaining the Layer 3 VRF to which the Layer 2 forwarding domain belongs;
looking up the source address in the forwarding information base to obtain a first source group tag;
looking up the ingress port and the VLAN number to obtain a second source group tag;
selecting a final source group tag, in descending order of priority, from the source group tag inserted by the upstream device, the first source group tag and the second source group tag;
looking up the final source group tag against the destination group tag to obtain a lookup comparison result;
and deciding, according to the lookup comparison result, whether to discard the data packet or to obtain the next-hop egress information.
Further, the priority is: source group tag inserted by the upstream device > second source group tag > first source group tag.
Further, the final source group tag and the destination group tag are compared by lookup in a policy matching lookup table.
Further, whether the lookup comparison result is a discard or a forward is determined by the user's security policy.
Further, the port to which the lookup comparison result forwards the packet is determined by the user's routing forwarding policy.
Further, the lookup comparison result is divided into a security policy result and a routing policy result.
The data forwarding method based on a group tag policy has the following effects.
1. Micro-segmentation based on group tags is realised, security isolation of mutual access within a subnet is supported, the granularity of security control is finer, and policy-based routing on the source and destination group tags becomes possible. The group tag need not be tied to an IP address; it may be derived from the ingress port, VLAN, virtual machine tag, MAC address, geographic location, device type, etc., making security control more flexible.
2. The source IP and the destination IP are looked up at the same time, and the source lookup also serves the reverse-path check of uRPF.
3. The SGT/DGT security policy is merged into the IP lookup and forwarding stage, and the scale grows from hundreds of TCAM-based policies to tens of thousands.
4. A GBP policy based on group tags is easy for users to understand and deploy, and supports a network-wide unified security policy driven by user intent.
5. Use of conventional ACL TCAM resources is reduced, so that network security control in a data center no longer depends on subnet isolation and security isolation within a tenant becomes possible.
6. PBR policy routing is realised on the SGT and DGT, so packet forwarding is more flexible and is no longer decided by the destination IP alone.
7. Fine-grained QoS guarantees are realised on the SGT and DGT, with the GBP lookup result used as the basis for priority marking, bandwidth guarantee and rate limiting, queue assignment and similar features.
In the invention the GBP policy is built into the route lookup stage of the switching chip, so efficient micro-segmentation is achieved, dependence on TCAM resources is reduced, large-scale security policy deployment becomes possible and data center security is improved, without adding data forwarding latency.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and are intended to provide further explanation of the claimed technology.
Drawings
Fig. 1 is a schematic block diagram of data forwarding.
Fig. 2 is a diagram illustrating GBP lookup.
Fig. 3 is a flowchart of a method for forwarding data based on a packet label policy according to an embodiment of the present invention.
Detailed Description
The present invention will be further explained by describing preferred embodiments of the present invention in detail with reference to the accompanying drawings.
First, a data forwarding method based on a group tag policy according to an embodiment of the invention is described with reference to figs. 1 to 3; the method is used for forwarding data and applies to a wide range of scenarios.
As shown in figs. 1 to 3, a data forwarding method based on a group tag policy according to an embodiment of the invention comprises the following steps:
S1: as shown in fig. 1, a data packet is received.
S2: as shown in fig. 1, the packet is parsed by the packet parser (Parser) to obtain the source address (SIP), VRF + destination address (DIP), ingress port (In-intf), VLAN number, and the source group tag (SGT, the third source group tag) already inserted by an upstream device.
S3: as shown in fig. 1, a forwarding information base (FIB) lookup is performed on the prefix of VRF + destination address to obtain the next-hop operation index (Eg-idx) and the destination group tag (DGT). In this embodiment the destination address is looked up in the FIB by LPM hash, together with a conventional L3 host match.
S4: as shown in fig. 1, the Layer 2 forwarding domain is obtained from the ingress port (In-intf) and VLAN information of the packet, and the Layer 3 VRF to which that Layer 2 forwarding domain belongs is obtained.
S5: as shown in fig. 1, the FIB is looked up for the source address, and the first source group tag (SGT) is obtained.
S6: as shown in fig. 1, the ingress port and VLAN number are looked up, and the second source group tag (SGT) is obtained.
S7: as shown in fig. 1, the final source group tag (SGT) is selected by priority from the tag already inserted by the upstream device (third source group tag), the first source group tag and the second source group tag. In this embodiment the priority is: source group tag inserted by the upstream device (third) > second source group tag > first source group tag.
S8: as shown in fig. 1, the final source group tag and the destination group tag are compared by lookup, and a lookup comparison result is obtained. In this embodiment the final source group tag SGT and the destination group tag DGT are looked up in a policy matching lookup table.
The lookup comparison result for a given SGT and DGT follows the deployed network policy. For example: SGT1 accessing DGT1 gives Drop; SGT1 accessing DGT2 gives forwarding out of Port 2; SGT2 accessing DGT1 gives normal forwarding according to the destination address; SGT2 accessing DGT2 gives forwarding according to a predetermined QoS policy.

        SGT1     SGT2
DGT1    Drop     Egress index (normal forwarding)
DGT2    Port2    QoS policy index

S9: as shown in fig. 1, according to the lookup comparison result it is decided whether to discard the packet (security policy result) or to obtain the next-hop egress information (routing policy result). In this embodiment, whether the lookup comparison result is a discard or a forward is determined by the user's security policy, the port to which the packet is forwarded is determined by the user's routing forwarding policy, and the lookup comparison result is divided into a security policy result and a routing policy result.
As shown in fig. 2: if Discard_en = true the packet is discarded, implementing security isolation; if PBR_en = true the next-hop index from the GBP lookup result is used, implementing policy routing; if PBR_en = false the next-hop index from the DIP lookup result is used, i.e. conventional forwarding; if QoS_en = true the index points to the QoS policy table and QoS-related settings such as TC group and color are applied; if QoS_en = false the conventional QoS procedure is used.
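Steps S1 to S9 and the fig. 2 decision logic (the same procedure listed in the Disclosure of the Invention) modelled in Python, as an added example that is not code from the patent, its assignee or any switching-chip SDK. Everything not stated on the page is an assumption of this example: the table contents, tag values, port numbers and next-hop indices; the `trusted_ports` gate, under which an upstream-inserted SGT is honoured only on designated ports; and a strict uRPF check on `urpf_ports` that reuses the source-address FIB lookup, one way of realising the page's statement that the source lookup also serves reverse-path checking.

```python
"""Software model of the SGT/DGT group-based-policy (GBP) forwarding pipeline of steps S1-S9 and fig. 2.
Added illustration, not code from the patent, its assignee or any switching-chip SDK. Every table, tag
value and port number is constructed; the port-trust gate on the upstream SGT and the per-port strict
uRPF check are this example's own assumptions about how those points would be realised."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:                              # fields produced by the parser stage (S2)
    sip: str
    dip: str
    in_port: int
    vlan: int
    upstream_sgt: Optional[int] = None     # SGT already inserted by the upstream device (third source tag)

@dataclass(frozen=True)
class FibEntry:
    nexthop_idx: int                       # Eg-idx: index of the next-hop (egress) operation
    group_tag: int                         # DGT when matched on the DIP, first SGT when matched on the SIP

@dataclass(frozen=True)
class GbpResult:                           # one row of the policy matching lookup table, keyed on (SGT, DGT)
    discard_en: bool = False               # security policy result: drop the packet
    pbr_en: bool = False                   # routing policy result: take the next hop from this row
    pbr_nexthop_idx: int = 0
    qos_en: bool = False                   # apply the QoS policy (TC group, color, ...) at qos_policy_idx
    qos_policy_idx: int = 0

@dataclass(frozen=True)
class Verdict:
    dropped: bool
    reason: str                            # gbp-discard, urpf-fail, no-route, no-vrf, pbr or forward
    sgt: Optional[int] = None
    dgt: Optional[int] = None
    nexthop_idx: Optional[int] = None
    out_port: Optional[int] = None
    qos_policy_idx: Optional[int] = None

class GbpPipeline:
    def __init__(self, vrf_of_vlan: Dict[int, int], fib: Dict[Tuple[int, IPv4Network], FibEntry],
                 port_vlan_sgt: Dict[Tuple[int, int], int], policy: Dict[Tuple[int, int], GbpResult],
                 nexthop_port: Dict[int, int], trusted_ports: Set[int], urpf_ports: Set[int]) -> None:
        self.vrf_of_vlan = vrf_of_vlan      # S4: VLAN -> L2 forwarding domain -> L3 VRF
        self.fib = fib                      # S3/S5: (VRF, prefix) -> FibEntry
        self.port_vlan_sgt = port_vlan_sgt  # S6: (ingress port, VLAN) -> second SGT
        self.policy = policy                # S8: (SGT, DGT) -> GbpResult; a miss means plain forwarding
        self.nexthop_port = nexthop_port    # Eg-idx -> egress port
        self.trusted_ports = trusted_ports  # assumption: only these ports may carry an upstream SGT
        self.urpf_ports = urpf_ports        # assumption: strict uRPF is enforced on these ingress ports

    def lookup_fib(self, vrf: int, addr: str) -> Optional[FibEntry]:
        """Longest-prefix match within one VRF, so a /32 host entry beats its subnet route."""
        ip, best_len, best = ip_address(addr), -1, None
        for (entry_vrf, prefix), entry in self.fib.items():
            if entry_vrf == vrf and ip in prefix and prefix.prefixlen > best_len:
                best_len, best = prefix.prefixlen, entry
        return best

    def select_sgt(self, pkt: Packet, first: Optional[int], second: Optional[int]) -> Optional[int]:
        """S7: upstream-inserted tag > (port, VLAN) tag > SIP-FIB tag; the highest tag present wins."""
        third = pkt.upstream_sgt if pkt.in_port in self.trusted_ports else None
        return next((tag for tag in (third, second, first) if tag is not None), None)

    def forward(self, pkt: Packet) -> Verdict:
        vrf = self.vrf_of_vlan.get(pkt.vlan)                              # S4
        if vrf is None:
            return Verdict(True, "no-vrf")
        dst = self.lookup_fib(vrf, pkt.dip)                               # S3: Eg-idx + DGT
        if dst is None:
            return Verdict(True, "no-route")
        src = self.lookup_fib(vrf, pkt.sip)                               # S5: first SGT, reused for uRPF
        if pkt.in_port in self.urpf_ports and (
                src is None or self.nexthop_port.get(src.nexthop_idx) != pkt.in_port):
            return Verdict(True, "urpf-fail")
        first = src.group_tag if src else None
        second = self.port_vlan_sgt.get((pkt.in_port, pkt.vlan))          # S6
        sgt, dgt = self.select_sgt(pkt, first, second), dst.group_tag     # S7
        res = self.policy.get((sgt, dgt), GbpResult())                    # S8
        if res.discard_en:                                                # S9 and the fig. 2 decisions
            return Verdict(True, "gbp-discard", sgt, dgt)
        nh = res.pbr_nexthop_idx if res.pbr_en else dst.nexthop_idx
        return Verdict(False, "pbr" if res.pbr_en else "forward", sgt, dgt, nh,
                       self.nexthop_port.get(nh), res.qos_policy_idx if res.qos_en else None)

def build_example_pipeline() -> GbpPipeline:
    """Constructed tables reproducing the page's 2x2 matrix; host 10.1.1.9 sits inside 10.1.1.0/24
    (group 1) but carries group tag 2 via a /32 entry, which is what isolation inside one subnet needs."""
    fib = {
        (1, ip_network("10.1.1.0/24")): FibEntry(nexthop_idx=1, group_tag=1),
        (1, ip_network("10.1.1.9/32")): FibEntry(nexthop_idx=1, group_tag=2),
        (1, ip_network("10.1.2.0/24")): FibEntry(nexthop_idx=3, group_tag=2),
    }
    policy = {
        (1, 1): GbpResult(discard_en=True),                     # SGT1 -> DGT1: Drop
        (1, 2): GbpResult(pbr_en=True, pbr_nexthop_idx=9),      # SGT1 -> DGT2: out of Port2 via Eg-idx 9
        (2, 2): GbpResult(qos_en=True, qos_policy_idx=4),       # SGT2 -> DGT2: QoS policy index
    }                                                           # (2, 1) absent: normal forwarding
    return GbpPipeline(vrf_of_vlan={10: 1, 20: 1}, fib=fib, port_vlan_sgt={(5, 10): 2}, policy=policy,
                       nexthop_port={1: 1, 3: 3, 9: 2}, trusted_ports={7}, urpf_ports={1})
```

A miss in the (SGT, DGT) table is treated here as normal forwarding on the destination lookup, which is what the SGT2/DGT1 cell of the matrix describes; a deployment that wants a default-deny posture would instead return a discarding GbpResult on a miss. The port-trust gate is worth keeping in mind when implementing the page's priority order: because the upstream-inserted tag outranks both locally derived tags, which ports are believed when they present a tag is itself part of the security policy.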
The data forwarding method based on a group tag policy according to an embodiment of the invention has thus been described with reference to figs. 1 to 3. It provides the seven effects listed in the Disclosure of the Invention: micro-segmentation based on group tags, with isolation inside a subnet and tags not tied to IP addresses; simultaneous source and destination lookup that also serves uRPF; SGT/DGT security policy merged into the IP lookup stage at a scale of tens of thousands of policies; an intent-driven GBP policy that is easy to deploy; reduced ACL TCAM usage, so that isolation within a tenant no longer depends on subnets; PBR on SGT and DGT; and fine-grained QoS driven by the GBP lookup result.
It should be noted that, in the present specification, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
While the present invention has been described in detail with reference to the preferred embodiments, it should be understood that the above description should not be taken as limiting the invention. Various modifications and alterations to this invention will become apparent to those skilled in the art upon reading the foregoing description. Accordingly, the scope of the invention should be determined from the following claims.

Claims (6)

1. A data forwarding method based on a group tag policy, characterized by comprising the following steps:
receiving a data packet;
parsing the data packet to obtain a source address, a destination address, an ingress port, a VLAN number and a source group tag inserted by an upstream device;
looking up the prefix of the destination address in a forwarding information base to obtain a next-hop operation index and a destination group tag;
obtaining the Layer 2 forwarding domain from the ingress port and the VLAN information of the data packet, and obtaining the Layer 3 VRF to which the Layer 2 forwarding domain belongs;
looking up the source address in the forwarding information base to obtain a first source group tag;
looking up the ingress port and the VLAN number to obtain a second source group tag;
selecting a final source group tag, in descending order of priority, from the source group tag inserted by the upstream device, the first source group tag and the second source group tag;
comparing the final source group tag and the destination group tag by lookup to obtain a lookup comparison result;
and deciding, according to the lookup comparison result, whether to discard the data packet or to obtain the next-hop egress information.
2. The method according to claim 1, wherein the priority is: the source group tag inserted by the upstream device > the second source group tag > the first source group tag.
3. The data forwarding method based on a group tag policy according to claim 1, wherein the lookup comparison of the final source group tag and the destination group tag is performed through a policy matching lookup table.
4. The method according to claim 1, wherein whether the lookup comparison result is a discard or a forward is determined by a user security policy.
5. The method according to claim 1, wherein the port to which the lookup comparison result forwards the packet is determined by a user routing forwarding policy.
6. The data forwarding method based on a group tag policy according to claim 1, wherein the lookup comparison result is divided into a security policy result and a routing policy result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111363981.2A CN114039910B (en) 2021-11-17 2021-11-17 Data forwarding method based on packet label strategy

Publications (2)

Publication Number Publication Date
CN114039910A true CN114039910A (en) 2022-02-11
CN114039910B CN114039910B (en) 2023-06-27

Family

ID=80144705

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065614A (en) * 2022-06-22 2022-09-16 杭州云合智网技术有限公司 VPWS multi-active service connectivity identification method
CN115065614B (en) * 2022-06-22 2023-10-13 杭州云合智网技术有限公司 Method for identifying multi-active service connectivity of VPWS

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763454A (en) * 2016-02-25 2016-07-13 比威网络技术有限公司 Data packet forwarding method and device based on a two-dimensional routing policy
CN106161227A (en) * 2016-06-27 2016-11-23 杭州华三通信技术有限公司 (Hangzhou H3C Technologies Co., Ltd.) Packet forwarding method and device
CN107968749A (en) * 2017-11-21 2018-04-27 锐捷网络股份有限公司 (Ruijie Networks Co., Ltd.) Method for implementing QinQ route termination, switching chip and switch
CN108965131A (en) * 2018-07-27 2018-12-07 新华三技术有限公司 (New H3C Technologies Co., Ltd.) Packet forwarding method and device
US20210176171A1 (en) * 2019-12-10 2021-06-10 Juniper Networks, Inc. Combined input and output queue for packet forwarding in network devices

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 3/F, 665 Zhangjiang Road, China (Shanghai) Pilot Free Trade Zone, Pudong New Area, Shanghai
Patentee after: Yunhe Zhiwang (Shanghai) Technology Co.,Ltd.
Country or region after: China

Address before: 311200 Room 202, Building 1, Information Port Phase V, No. 733, Jianshe Third Road, Economic and Technological Development Zone, Xiaoshan District, Hangzhou City, Zhejiang Province
Patentee before: Hangzhou yunhezhi Network Technology Co.,Ltd.
Country or region before: China