CN1625149A - Method for access control list - Google Patents
- Publication number: CN1625149A (application number CNA2003101110706A)
- Authority
- CN
- China
- Prior art keywords
- address
- access control
- acl
- control list
- source
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This invention discloses a method that uses an application-specific integrated circuit (ASIC) chip to implement an access control list (ACL), addressing the weaknesses in how current network communication devices (routers and switches) implement ACL functions. The method comprises: parsing the source IP address and destination IP address from the header of a packet entering the network communication device; looking up the routing information and the ACL address corresponding to the source and destination IP addresses and, if no matching entry is found for the source or destination IP address, using a default ACL address; and looking up the ACL content by the ACL address and processing the packet accordingly. The advantage is that CPU resources are saved.
Description
Technical field
The present invention relates to a method for an access control list (ACL), and in particular to a method that uses an application-specific integrated circuit (ASIC) chip to implement an access control list.
Background technology
With network technology advancing rapidly and network operators continually emerging, the requirements placed on network communication equipment keep rising. At present, network communication equipment (routers and L3 switches) implements the "access control list" (ACL) function in mainly the following two ways:
One: most routers and switches do not support an access control list at all; they support only basic switching and routing, that is, they parse the IP address and MAC address in the header of a packet entering the router or switch, look them up in a table, and obtain the destination routing port and some other related information for that packet. Routing of this kind cannot perform network filtering based on source IP address and destination IP address, so it cannot restrict packets that come from, or are destined for, particular IP addresses. Such network filtering is very important today for improving network security and guaranteeing communication quality.
Two: some routers and switches support the "access control list" (ACL) function in addition to basic switching and routing. However, these routers and switches all implement the ACL function in software. A software implementation has drawbacks in terms of system resource consumption and sustained network speed. When back-end software performs the ACL function it occupies a large share of CPU resources, so the processing capacity of a router or switch CPU that already carries a heavy load (the CPU has many other functions to perform) drops sharply, which affects the performance of the whole router or switch. Moreover, a software ACL implementation has a low processing speed; when the network is congested or busy, the router or switch may no longer be able to deliver the basic line-rate switching expected of network communication equipment.
Summary of the invention
The present invention aims to solve the defects of existing network communication equipment (routers and switches) in implementing the access list feature, to overcome the high resource consumption and low processing speed of the software implementation they adopt, and to provide a method that implements an access control list in an ASIC chip.
To solve the above technical problems, the technical solution adopted by the present invention is as follows:
A method for an access control list based on source IP address and destination IP address, comprising the following steps:
a. Parse the source IP address and destination IP address from the header of a packet entering the network communication equipment and look them up in a table;
b. From the lookup in step a, obtain the routing information and the access control list address corresponding to the source IP address and the destination IP address; if no matching entry is found for the source IP address or the destination IP address, use a default access control address;
c. Look up the content of the access control list by the access control list address and select the corresponding processing for the packet.
The specific processing in step c is preset by the network manager and includes "forward the packet normally", "send to the CPU with priority" and "discard".
The table looked up by the parsing of the present invention is a routing table; the route-related information is obtained from that routing table according to the source IP address and destination IP address in use, and this information includes the IP address, the destination output port and the access control group.
The access control group of the present invention is an index signal into the access control list and is configured when the routing table entries are written into the switch.
The beneficial effects of the present invention are:
One: because an ASIC structure embedded in the L2/L3 Ethernet switch performs routing and access control (ACL), the present invention is not bound by the CPU; it can save substantial CPU resources, leave the CPU free to perform its other functions, and improve the performance of the whole system;
Two: the present invention overcomes the slow processing speed of the software approach and improves the high-speed processing capability of the whole system in the network environment. Even when a 100/1000/10000 Mbit/s high-speed network is congested or busy, line-rate switching can still be guaranteed;
Three: the present invention makes the routing function simple to implement, stable and reliable.
Description of drawings
Fig. 1 is a flow block diagram of the present invention
Fig. 2 is a structural diagram of the ASIC of the present invention
Embodiment
The specific steps adopted by the present invention are as follows:
One: write the routing table entries into the switch (see the CPU configuration table information in the accompanying drawing);
Two: parse the source IP address and destination IP address from the header of a packet entering the network communication equipment; a finite state machine controls and analyses the timing information and searches the layer 3 table (a built-in 2048 x 112-bit RAM). From the resulting routing table, a set of related information is obtained according to the source IP address and destination IP address in use; this information includes the IP address, the destination output port and the access control group. As shown in Fig. 1, the layer 3 source address table and the layer 3 destination address table are searched, and selection information and layer 3 information are obtained from the packet header;
Three: the finite state machine judges whether the source IP address and destination IP address hit; when the lookup is valid, the access control table address is the one found, otherwise default information is used to address the access control list. The access control group signal is an index signal into the access control list; as shown in Fig. 1, the access control list entry is obtained via the selector;
Four: according to the content of the access control list, the corresponding processing (preset by the network manager) is selected for the packet. The processing modes and functions include "forward the packet normally", "send to the CPU with priority", "discard", and so on.
In the access control list entries, the various functions are configured by the network administrator according to the actual network situation.
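The four steps above (write the table, parse the header, look up source and destination with a default on a miss, apply the ACL action) are shown below as a software model. This is an added example, not the patent's or any vendor's code: the hardware keeps the tables in a fixed RAM and the patent does not say how the ACL address is formed, so longest-prefix matching, the use of the (source group, destination group) pair as the ACL address, the default group index 0 and the sample routes and rules are all assumptions made for illustration. Note that the ACL described here keys only on address pairs; protocol and port are not part of the lookup.

```python
"""Software model of the ASIC ACL pipeline: parse the IPv4 header, look up
source and destination IP in the L3 (routing) table to get an output port and
an access control group, substitute a default group on a miss, then index the
ACL table by the (source group, destination group) pair to pick an action.
Added example; longest-prefix match, the pair-as-ACL-address scheme and the
default group index are assumptions, not taken from the patent."""
import ipaddress
import struct
from enum import Enum


class Action(Enum):
    FORWARD = "forward"   # "forward the packet normally"
    TO_CPU = "to_cpu"     # "send to the CPU with priority" (slow path)
    DROP = "drop"         # "discard"


DEFAULT_GROUP = 0  # assumed "default access control address" used on a lookup miss
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, proto=6):
    """Constructed test input: minimal IPv4 header (checksum left at 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(frame):
    """Step two: pull the source and destination IP out of the packet header."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    fields = struct.unpack(IPV4_HDR, frame[:20])
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])))


class L3Table:
    """Routing table: prefix -> (output port, access control group).
    Longest-prefix match is assumed; the patent only describes a RAM lookup."""
    def __init__(self, entries):
        self.entries = sorted(
            ((ipaddress.ip_network(p), port, group) for p, port, group in entries),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, port, group in self.entries:
            if addr in net:
                return port, group
        return None  # miss: the caller substitutes the default group


class AclTable:
    """ACL content indexed by (src_group, dst_group); the network manager
    configures the action for each pair. Unlisted pairs punt to the CPU
    (assumption: the patent does not define this case)."""
    def __init__(self, rules, default_action=Action.TO_CPU):
        self.rules = dict(rules)
        self.default_action = default_action

    def lookup(self, src_group, dst_group):
        return self.rules.get((src_group, dst_group), self.default_action)


def classify(l3, acl, src_ip, dst_ip):
    """Steps two to four: returns (Action, output port or None on a miss)."""
    src = l3.lookup(src_ip)
    dst = l3.lookup(dst_ip)
    src_group = src[1] if src else DEFAULT_GROUP
    dst_group = dst[1] if dst else DEFAULT_GROUP
    out_port = dst[0] if dst else None
    return acl.lookup(src_group, dst_group), out_port


def classify_frame(l3, acl, frame):
    src_ip, dst_ip = parse_ipv4_header(frame)
    return classify(l3, acl, src_ip, dst_ip)


# Constructed sample configuration (step one: entries the CPU writes into the switch).
ROUTES = [
    ("10.0.0.0/8", 1, 1),      # internal hosts  -> port 1, group 1
    ("10.0.99.0/24", 2, 3),    # quarantined net -> port 2, group 3 (more specific)
    ("192.0.2.0/24", 3, 2),    # server segment  -> port 3, group 2
]
ACL_RULES = {
    (1, 2): Action.FORWARD,    # internal -> servers: forward
    (3, 2): Action.DROP,       # quarantine -> servers: discard
    (0, 2): Action.TO_CPU,     # unknown source -> servers: punt for inspection
    (0, 0): Action.DROP,       # unknown -> unknown: discard
}
L3 = L3Table(ROUTES)
ACL = AclTable(ACL_RULES)

if __name__ == "__main__":
    for s, d in [("10.0.1.5", "192.0.2.10"), ("10.0.99.7", "192.0.2.10"),
                 ("203.0.113.9", "192.0.2.10"), ("203.0.113.9", "198.51.100.1")]:
        print(s, "->", d, classify_frame(L3, ACL, build_ipv4_header(s, d)))
```

The quarantine case shows why the group must come from the most specific route: 10.0.99.7 matches both 10.0.0.0/8 (group 1) and 10.0.99.0/24 (group 3), and only the latter yields the DROP rule. The two unknown-address cases show the default-group path of step b: a miss does not bypass the ACL, it selects the administrator's policy for unknown addresses.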
Claims (4)
1. A method for an access control list based on source IP address and destination IP address, characterized in that the method comprises the following steps:
a. Parse the source IP address and destination IP address from the header of a packet entering the network communication equipment and look them up in a table;
b. From the lookup in step a, obtain the routing information and the access control list address corresponding to the source IP address and the destination IP address; if no matching entry is found for the source IP address or the destination IP address, use a default access control address;
c. Look up the content of the access control list by the access control list address and select the corresponding processing for the packet.
2. The access control list method according to claim 1, characterized in that the specific processing in step c is preset by the network manager and includes "forward the packet normally", "send to the CPU with priority" and "discard".
3. The access control list method according to claim 1, characterized in that the table looked up by the parsing is a routing table; route-related information is obtained from the routing table according to the source IP address and destination IP address in use, and this information includes the IP address, the destination output port and the access control group.
4. The access control list method according to claim 3, characterized in that the access control group is an index signal into the access control list and is configured when the routing table entries are written into the switch.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2003101110706A CN1625149A (en) | 2003-12-02 | 2003-12-02 | Method for access control list |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1625149A true CN1625149A (en) | 2005-06-08 |
Family
ID=34759313
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2003101110706A Pending CN1625149A (en) | 2003-12-02 | 2003-12-02 | Method for access control list |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1625149A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100448227C (en) * | 2005-08-30 | 2008-12-31 | 杭州华三通信技术有限公司 | Business flow identifying method |
CN100433009C (en) * | 2005-11-24 | 2008-11-12 | 华为技术有限公司 | Method for managing and maintaining static range matching table |
CN101572635B (en) * | 2008-04-30 | 2012-06-06 | 新奥特(北京)视频技术有限公司 | Data transmission scheduling method based on channel configuration |
CN105262766A (en) * | 2015-11-03 | 2016-01-20 | 盛科网络(苏州)有限公司 | Chip realization method of multilevel safety strategy group |
CN105262766B (en) * | 2015-11-03 | 2018-09-11 | 盛科网络(苏州)有限公司 | Chip implementation method of multilevel security strategy group |
CN105635167A (en) * | 2016-01-25 | 2016-06-01 | 盛科网络(苏州)有限公司 | Method and device for realizing message edition function by using hardware |
Timeline
- 2003-12-02: CN application CNA2003101110706A filed (publication CN1625149A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230370428A1 (en) | Use of stateless marking to speed up stateful firewall rule processing | |
US9148374B2 (en) | ARP packet processing method, communication system and device | |
US8307153B2 (en) | Power efficient and rule movement optimized TCAM management | |
US9544232B2 (en) | System and method for supporting virtualized switch classification tables | |
US7602787B2 (en) | Using ternary and binary content addressable memory stages to classify information such as packets | |
US20040085958A1 (en) | Packet flow forwarding | |
US20150358290A1 (en) | Use of stateless marking to speed up stateful firewall rule processing | |
CN111597142B (en) | FPGA-based network security acceleration card and acceleration method | |
KR20050035722A (en) | A server load balancing device and method using mpls session label | |
US20170208037A1 (en) | Method and system for providing deep packet inspection as a service | |
CN1787489A (en) | Method for average distributing interface flow at multi network processor engines | |
CN1606294A (en) | Access control listing mechanism for routers | |
CN1758625A (en) | Method for classification processing message | |
CN109600313A (en) | Message forwarding method and device | |
CN101035012A (en) | Ethernet multi-layer switcher secure protection method based on DHCP and IP | |
CN1625149A (en) | Method for access control list | |
CN112671941A (en) | Message processing method, device, equipment and medium | |
CN113518130A (en) | Packet burst load balancing method and system based on multi-core processor | |
CN1577305A (en) | Parallel processing method and system | |
CN1365216A (en) | High speed fubber managing system of exchanging data base | |
CN102289453B (en) | TCAM (ternary content addressable memory) rule storing method, device and network equipment | |
KR20000054938A (en) | Method and Apparatus for Packet Processing in Ethernet Switching System | |
CN101075920A (en) | Method for monitoring switching system far-end port | |
CN1581842A (en) | Method for realizing source IP address and source MAC address bound route | |
US20130246652A1 (en) | Discover IPv4 Directly Connected Host Conversations Using ARP in Distributed Routing Platforms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |