CN201294544Y - Message content detection and flow control device - Google Patents
- Publication number
- CN201294544Y
- Authority
- CN
- China
- Prior art keywords
- programmable logic
- content
- message
- flow control
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The utility model discloses a message content detection and flow control device used for network security monitoring, network traffic splitting and network content filtering. In the device, the third input/output port of the master controller is connected with a high-speed buffer through a high-speed buffer bus, and the fourth input/output port is connected with a programmable logic controller. The first communication port of the programmable logic controller is connected with an optical fiber output interface through a framer, the second communication port is connected with an optical fiber input interface, and the third communication port is connected with a parallel content addressable memory. The device analyzes data packets arriving from a 10G-rate network, classifies and filters the packets according to certain fields in the packet protocol header, and can filter and intercept message data content according to specific rules set by the user. It can perform packet-by-packet content-level identification and flow control of 10G-rate messages at the hardware level, and its 64K rule table provides four times the analysis capability of the original detection rule table.
Description
Technical field
The utility model relates to a device for network security monitoring, network traffic splitting and network content filtering.
Background technology
At present, network traffic splitting and content filtering devices comprise a master controller, a PCI interface, a framer and a search accelerator. Such a device mainly analyzes and processes packets arriving from a 2.5G-rate network, and classifies and filters packets only on certain fields in the protocol header. The system filters according to classification rules configured by the user (destination IP address + source IP address + protocol number + destination port number + source port number). Its rule table does not exceed 16K, and the 2.5G processing speed affects and limits the use of content detection equipment on high-speed network backbones. At the same time, search and screening conditions keep increasing, and the 16K rule table is less and less able to meet the high-speed requirements of existing networks and the market's need for more complex analysis and detection rules.
Summary of the invention
The purpose of the utility model is to provide a message content detection and flow control device whose processing speed is greater than 2.5G and which can meet the high-speed requirements of the network and more complex analysis and detection rules.
The purpose of the utility model is achieved as follows: the device comprises a master controller. The communication connector of the master controller is connected with a PCI interface; the first input/output port and the second input/output port of the master controller are each connected with a high-speed hardware multi-queue manager; the third input/output port of the master controller is connected with a high-speed buffer through a high-speed buffer local bus; the fourth input/output port of the master controller is connected with a programmable logic controller (PLC). The first communication port of the programmable logic controller is connected with an optical fiber output interface through a framer, the second communication port is connected with an optical fiber input interface, and the third communication port is connected with a parallel content addressable memory.
The utility model is designed for the continuing demands of high-speed network development at the present stage. It adopts advanced parallel content-addressed and address-addressed table lookup algorithms and high-speed multi-queue management. It can not only perform table lookups on any combination of the source IP address, destination IP address, source port number, destination port number, protocol type and the first 20 bytes of the message payload head, but can also recognize feature keywords at any position in the message payload, so that packet-by-packet content-level identification and flow control of 10G-rate messages can be performed at the hardware level.
The utility model has the following advantages:
1. Packets arriving from a 10G-rate network are analyzed;
2. Packets are classified and filtered according to certain fields in the packet protocol header;
3. Table lookups are performed on any combination of the source IP address, destination IP address, source port number, destination port number, protocol type and the first 20 bytes of the message payload head, and feature keywords can also be recognized at any position in the message payload;
4. Message data content can be filtered and intercepted according to specific rules set by the user, so that packet-by-packet content-level identification and flow control of 10G-rate messages can be performed at the hardware level;
5. The 64K rule table provides 4 times the analysis capability of the former detection rule table.
Description of drawings
Fig. 1 is a circuit schematic diagram of an embodiment of the utility model.
Fig. 2 is the circuit diagram of the PCI interface in Fig. 1.
Fig. 3 is the circuit diagram of the master controller in Fig. 1.
Fig. 4 is the circuit diagram of the high-speed hardware multi-queue manager in Fig. 1.
Fig. 5 is the circuit diagram of the parallel content addressable memory in Fig. 1.
Embodiment
In Fig. 1, the communication connector A1-A31 of the master controller MPU is connected with the PCI interface. The first input/output port D0-D30 of the master controller MPU is connected with the high-speed hardware multi-queue manager IDT1, and the second input/output port D31-D63 is connected with the high-speed hardware multi-queue manager IDT2. The third input/output port BA0-BA63 of the master controller MPU is connected with the high-speed buffer RAM through the high-speed buffer local bus RAM BUS, and the fourth input/output port FPD0-FPD63 is connected with the programmable logic controller (PLC) FPGA. The first communication port FPDQM0-FPDQM63 of the programmable logic controller FPGA is connected with the optical fiber output interface RJ1 through the framer PMC, the second communication port R0-R7 is connected with the optical fiber input interface RJ2, and the third communication port FBAA0-FBAA63 of the programmable logic controller FPGA is connected with the parallel content addressable memory CAM.
Each part is powered by 3.3V DC.
The PCI interface part uses the NS8392.
The data processing flow is as follows:
A 10G network message enters the high-speed hardware multi-queue manager IDT over optical fiber, and the manager works together with the parallel content addressable memory CAM. The MPU controls the search accelerator PMC TEMU X336 which, in cooperation with the rule table in the high-speed buffer RAM, compares and matches the message header and message content of each data message against the rules stored in the CAM. The result is sent through the PCI interface to the control server and handled as configured.
For the 10Gbit/s port, the device combines RAMBUS technology with parallel content addressable memory technology, which finally brought the test results to the expected target.
The master controller MPU is responsible for managing and controlling the whole device. It receives instructions directly from the network management center and issues them to each interface board for execution; each interface board in turn sends its running status and statistics to the master controller MPU, which performs the necessary processing and reports to the network management center when needed. The master controller MPU uses IBM's NP4GS3C 2.5G network processor, which is a strong guarantee that each item of upper-level information can be processed accurately and efficiently.
The parallel content addressable memory CAM (Content Addressable Memory) is a special kind of storage array. It compares the input data with all data items stored in the CAM simultaneously, quickly determines whether the input data matches a stored data item, and outputs the address of the matching data item together with the match information. This device uses the CAM chip MCM69C233 from MOTOROLA to implement data retrieval and matching; it is a high-performance 10Gbps content addressable memory.
The MCM69C233 can store 4096 data items, each 64 bits wide. It has two data ports: the control port (Control Port) and the match port (Match Port). The control port is used for operations on the CAM table (CAM Table): besides adding/deleting data items, verification and statistics, it can also read the chip's internal status registers. Data retrieval is done through the match port. The MCM69C233 has no address bus for determining the storage address of the content; the address lines A0~A2 are used to address the on-chip control registers. In write-CAM mode, the MCM69C233 reads the data item to be written from the control port data lines DQ0~DQ15, and the storage address of the data item is controlled by the chip's internal logic. The user can program the matching rule of the MCM69C233. In read-CAM mode (lookup and match), the MCM69C233 reads data directly from the match port data lines MQ0~MQ31 and compares the input data item in parallel with all data items in the array according to the preset matching rule. If the data item exists, the match port outputs the index value of that data item and MS is 0; if the data item does not exist, MS is 1. Because the comparison takes only one clock cycle, it is extremely fast.
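The rule lookup described in the summary (any combination of the five header fields and the first 20 bytes of the payload head, plus a feature keyword at any position in the payload) and the index/MS result of the CAM match port can be modelled in software. The following Python sketch is an added illustration, not part of the patent and not a description of the MCM69C233's internals; the rule format, the per-byte mask, first-match priority and the sample packets are assumptions constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

HEAD_LEN = 20  # the text matches on the first 20 bytes of the payload head

@dataclass
class Rule:
    """One rule-table entry (assumed format); a field left as None is a wildcard."""
    src: str = None          # source network, CIDR
    dst: str = None          # destination network, CIDR
    sport: int = None
    dport: int = None
    proto: int = None
    head: bytes = None       # pattern for the start of the payload
    head_mask: bytes = None  # per byte: 0xFF compare, 0x00 ignore
    keyword: bytes = None    # feature keyword, any position in the payload

def parse_ipv4(pkt):
    """Return (src, dst, sport, dport, proto, payload) for an IPv4 TCP/UDP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    if ihl < 20 or proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        raise ValueError("unsupported or truncated packet")
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = max((l4[12] >> 4) * 4, 20) if proto == 6 else 8  # TCP data offset / UDP
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    return src, dst, sport, dport, proto, l4[hdr:]

def rule_matches(r, src, dst, sport, dport, proto, payload):
    for net, addr in ((r.src, src), (r.dst, dst)):
        if net and addr not in ipaddress.ip_network(net):
            return False
    for want, got in ((r.sport, sport), (r.dport, dport), (r.proto, proto)):
        if want is not None and want != got:
            return False
    if r.head is not None:
        pat, mask = r.head[:HEAD_LEN], r.head_mask or b"\xff" * HEAD_LEN
        short = len(payload) < len(pat)
        if short or any((g ^ w) & m for g, w, m in zip(payload, pat, mask)):
            return False
    return r.keyword is None or r.keyword in payload

def lookup(rules, pkt):
    """Model of the match port: (index, MS); MS is 0 on a hit and 1 on a miss."""
    fields = parse_ipv4(pkt)
    hit = next((i for i, r in enumerate(rules) if rule_matches(r, *fields)), None)
    return hit, (0 if hit is not None else 1)

def build_tcp(dport, payload, src="198.51.100.7", dst="192.0.2.10", sport=40000):
    """Build a constructed sample packet; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

RULES = [  # constructed rule table, highest priority first
    Rule(dst="192.0.2.0/24", dport=80, proto=6, head=b"POST "),
    Rule(dport=80, proto=6, head=b"GET ", keyword=b"Host: example.test"),
    Rule(dport=443, head=b"\x16\x03\x00", head_mask=b"\xff\xff\x00"),
]
HTTP = build_tcp(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
TLS = build_tcp(443, b"\x16\x03\x01\x00\x05hello")
```

Because the match is made packet by packet, a keyword split across two TCP segments is not seen by this model; the text does not describe stream reassembly.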
High-speed hardware multi-queue managers IDT1, IDT2:
This device uses the 10Gbps multi-queue flow control chip IDT 72P51777L6. The chip's new multi-queue FIFO memory technology can effectively support high-speed implementation of QoS. It is designed to improve network quality of service and for other applications that need queued data to be reordered; it supports flexible data-separation applications while avoiding complex off-chip control logic. It is connected to the main control board mainly through 18 read/write control signals (WADEN/FSTR/WRADD/WEN/WCLK, RADEN/ESTR/RDADD/REN/RCLK), read/write status signals (OV/PAE/PR/PAEN/PRN, FF/PAF/PAFN), the 64-bit demux input data lines and the 64-bit mux output data lines, and completes hardware-level detection and queuing of the data.
1. Introduction to the multi-queue FIFO
This device has an embedded FIFO memory core and high-speed queue logic, with very high data transfer bandwidth and flexible configurability. A single chip supports a sustained transfer rate of up to 10.2Gbps and at most 32 subqueues; cascaded devices support at most 256 subqueues. Only one FIFO is needed to buffer several data streams, and the user can select different queues for independent read and write operations.
The multi-queue FIFO not only provides traditional FIFO functions such as data buffering, queue full/empty status indication, independent write/read clocks and write/read bus matching, but also supports packet mode (Packet Mode) and data-separated queuing, which eliminates the expensive and complex operating logic formerly needed to achieve similar functions. A multi-queue FIFO is a memory that provides multiple distinguishable logical subqueues in one physical device. Distinguishable means that each subqueue can be written/read independently and that each subqueue has its own status indication.
2. FPGA control of the multi-queue FIFO
FPGA control of the multi-queue FIFO covers three aspects: configuration, write operation and read operation.
2.1 Configuration of the multi-queue FIFO
IDT's new multi-queue flow control devices give system designers an up-to-date solution: a single highly integrated device can perform multiple selectable, distinguishable sequential data access operations. This flexibility is realized through a series of device setting options. Unlike earlier single-queue FIFO devices (such as the IDT 3690), the multi-queue FIFO has relatively complex configurability. Besides the write/read port bus widths, which can be set directly by chip pins, there are two configuration modes: default configuration and serial configuration. Serial configuration, also called user-defined configuration, is a new device feature.
The configurable items of the multi-queue FIFO are: (a) the number of logical subqueues in the device; (b) the storage depth of each subqueue; (c) the PAF (almost full) offset of each subqueue; (d) the PAE (almost empty) offset of each subqueue (valid in normal mode; in packet mode it becomes the packet-ready indication PR).
The user has great flexibility in configuring the multi-queue FIFO. For example, the IDT72V51336~IDT72V51356 can be configured with 1~8 queues, and the depth of each queue is set independently. The flag bits are user-programmable and independent for each subqueue. Configuration can be done through a dedicated serial programming port; if the device does not need to be programmed, the default mode can be used.
Serial configuration means that the data configuring the multi-queue FIFO is sent into the device bit-serially. Inside the multi-queue FIFO device there are registers that hold the configuration data, with 18 bits as the base unit. If Q is the number of subqueues configured in the device and Qmax is the maximum number of subqueues the device supports, then the device has (Qmax × 4 + 1) registers. The amount of bit data Sum required to configure a single device is 18 + Q × 72 + 1, where the last bit is the configuration-end indication. In this design Q = 8, so Sum = 19 + 8 × 72 = 595 bits.
2.2 Write operation
The multi-queue FIFO uses the queue addresses Wradd/Rdadd to distinguish the write/read subqueues. A new write/read subqueue is specified by a high level on the address-latch valid signal Waden/Raden, and the write/read enables are Wen/Ren. In a write operation there is a delay effect relative to the switching of the write queue address: data on the write bus goes into the new subqueue in the second write clock cycle after the new subqueue address is latched. If this timing characteristic is exploited and the new subqueue address is latched two cycles in advance, 100% of the write bus cycles can be used. When a subqueue's full indication FF is active, new data cannot be written into that queue and data loss occurs. To avoid this, the PAF offset is generally configured, and the write operation is stopped once PAFn is seen pulled low (active).
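The role of the PAF offset in the write path can be shown with a small behavioural model. The following Python sketch is an added illustration, not part of the patent and not a model of a specific IDT device; the assumption that a fixed number of words is already in flight when the writer notices a flag, and all depths and offsets, are constructed for the example.

```python
from collections import deque

class SubQueue:
    """Behavioural model of one logical subqueue with its own status flags."""

    def __init__(self, depth, paf_offset, pae_offset):
        self.depth = depth
        self.paf_offset = paf_offset   # PAF asserts when free words <= this
        self.pae_offset = pae_offset   # PAE asserts when stored words <= this
        self.words = deque()
        self.lost = 0                  # words offered while FF was asserted

    @property
    def ff(self):                      # full
        return len(self.words) >= self.depth

    @property
    def paf(self):                     # almost full
        return self.depth - len(self.words) <= self.paf_offset

    @property
    def pae(self):                     # almost empty
        return len(self.words) <= self.pae_offset

    def write(self, word):
        if self.ff:                    # full: the word cannot be stored
            self.lost += 1
            return False
        self.words.append(word)
        return True

    def read(self):
        return self.words.popleft() if self.words else None


def burst(queue, n_words, stop_flag, in_flight):
    """Offer n_words, stopping once `stop_flag` ("ff" or "paf") is seen.

    Assumption of this model: `in_flight` words are already committed when
    the writer notices the flag, so they still reach the queue afterwards.
    Returns the number of words lost.
    """
    pending = None                     # words still to arrive after the flag
    for word in range(n_words):
        if pending is None and getattr(queue, stop_flag):
            pending = in_flight
        if pending is not None:
            if pending == 0:
                break
            pending -= 1
        queue.write(word)
    return queue.lost


def compare(depth=16, in_flight=3):
    """Loss for a 64-word burst under three stop policies (constructed values)."""
    return {
        "stop on FF": burst(SubQueue(depth, 0, 2), 64, "ff", in_flight),
        "stop on PAF, offset 2": burst(SubQueue(depth, 2, 2), 64, "paf", in_flight),
        "stop on PAF, offset 3": burst(SubQueue(depth, 3, 2), 64, "paf", in_flight),
    }
```

In this model nothing is lost only when the PAF offset is at least the number of words still in flight, which is the sizing question the PAF offset configuration has to answer.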
2.3 Read operation
As with the write operation, a read operation has a delay effect relative to the read queue address: in the third read clock cycle after the new queue address is latched, the data presented on the read bus changes to data from the new subqueue. So if the new queue is latched three cycles in advance, 100% read bus utilization can be achieved. When the selected queue is empty, the read port presents all-high levels. Once the PAE offset is configured, checking PAEn shows whether the queue is empty or non-empty, so that the read can be performed or a new queue switched to in advance.
Claims (1)
1. A message content detection and flow control device, the device comprising a master controller, wherein the communication connector of the master controller is connected with a PCI interface, and the first input/output port and the second input/output port of the master controller are each connected with a high-speed hardware multi-queue manager, characterized in that the third input/output port of the master controller is connected with a high-speed buffer through a high-speed buffer local bus, the fourth input/output port of the master controller is connected with a programmable logic controller (PLC), the first communication port of the programmable logic controller is connected with an optical fiber output interface through a framer, the second communication port of the programmable logic controller is connected with an optical fiber input interface, and the third communication port of the programmable logic controller is connected with a parallel content addressable memory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNU2008201597132U CN201294544Y (en) | 2008-10-27 | 2008-10-27 | Message content detection and flow control device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNU2008201597132U CN201294544Y (en) | 2008-10-27 | 2008-10-27 | Message content detection and flow control device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN201294544Y (en) | 2009-08-19 |
Family
ID=41008026
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNU2008201597132U Expired - Fee Related CN201294544Y (en) | 2008-10-27 | 2008-10-27 | Message content detection and flow control device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN201294544Y (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090819 Termination date: 20101027 |