WO2017063578A1 - Data packet processing method and apparatus - Google Patents

Publication number
WO2017063578A1
Authority
WO
WIPO (PCT)
Prior art keywords
mac
entry
learned
data packet
mac address
Application number
PCT/CN2016/102045
Inventor
龙裕
Original Assignee
中兴通讯股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]

Definitions

  • Step S704: if the MAC entry is a static MAC entry, the entry is left unchanged and the packet is forwarded. If the MAC entry is a dynamic MAC entry, the aging time of the entry is updated and the packet is forwarded.
  • Step S802: determine whether the MAC entry is a dynamic entry. If the result is yes, step S804 is performed; if the result is no, step S808 is performed.

Abstract

Disclosed are a data packet processing method and apparatus. The method comprises: configuring an aging-skipping function for a dynamic media access control (MAC) entry of a predetermined port, the aging-skipping function being to skip aging processing for the MAC entry; and processing a data packet according to the configuration of the port. In this way, the problem in the related art that a MAC learning function cannot restrict user access after a MAC entry of a specified port ages is resolved, and user access after the MAC entry ages is effectively restricted.

Description

Data packet processing method and apparatus

Technical field

The present invention relates to the field of communications, and in particular to a data packet processing method and apparatus.

Background

With the spread of broadband networks, operators, while providing services to users, must also prevent malicious users from attacking the system and unauthorized users from accessing the network, which would cause system security problems or loss of operating revenue.

Access devices and switching devices have developed many port-security and user-security techniques, for example MAC address binding (MAC whitelist/blacklist), IP binding (IP whitelist/blacklist), MAC learning limits, and TCP connection limits. A MAC (Media Access Control, or Medium Access Control) address is also called a physical address or hardware address.

These techniques have different characteristics, as follows:

MAC binding/IP binding requires a dedicated binding table. After the service receives a data stream on a specific port and obtains the MAC/IP address used on that port, it writes the MAC/IP address to the relevant binding table, and blocks forwarding of subsequent data streams whose MAC/IP address is in (whitelist) or not in (blacklist) the binding table.

The MAC learning limit function can be based on a port or a VLAN. Once the number of MAC entries learned from the specified port or VLAN reaches the limit, no new MAC addresses are learned, and data streams containing a new source MAC address are discarded.

The TCP connection limit technique analyzes the number of TCP connections established by the user. Once the connection limit is reached, packets for new connections are discarded.

Of the techniques mentioned above, some require more resources to implement and may reduce system performance, such as MAC/IP binding; some require more involvement from upper-layer protocols, such as MAC/IP binding and TCP connection limits; and with the MAC learning limit function, once the MAC entries of a specific port have aged out, a malicious user, an unauthorized user, or a new device of the user can gain access.

No effective solution has yet been proposed for the problem in the related art that the MAC learning function cannot restrict user access after the MAC entries of a specific port have aged out.
Summary of the invention

Embodiments of the present invention provide a data forwarding method and apparatus, to at least solve the problem in the related art that the MAC learning function cannot restrict user access after the MAC entries of a specific port have aged out.

According to one aspect of the embodiments of the present invention, a data packet processing method is provided, including: configuring a non-aging function for the dynamic media access control (MAC) entries of a predetermined port, where the non-aging function means that no aging processing is performed on the MAC entries; and processing data packets according to the configuration of the port.

Further, processing data packets according to the configuration of the port includes: learning the source MAC address of the data packet according to the configuration of the port;

if the MAC entry corresponding to the source MAC address is learned, forwarding the data packet; or, if the MAC entry corresponding to the source MAC address is not learned, discarding the data packet.

Further, before the MAC address of the data packet is learned according to the configuration of the port, the method further includes: configuring, for the dynamic MAC addresses of the predetermined port, the number of MAC entries allowed to be learned.

Further, learning the MAC address of the data packet according to the configuration of the port includes: when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the learned MAC entry already exists; if the result is no, determining that the MAC entry corresponding to the source MAC address has been learned; if the result is yes, forwarding the data packet directly; and when the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, determining that the MAC entry corresponding to the source MAC address has not been learned.

Further, the non-aging function is configured for the dynamic MAC entries of the predetermined port by: reserving the value in which all bits of the MAC entry aging time field are set to 1; and/or setting the dynamic non-aging field to 1.

According to another aspect of the embodiments of the present invention, a data packet processing apparatus is also provided, including: a configuration module, configured to configure a non-aging function for the dynamic media access control (MAC) entries of a predetermined port, where the non-aging function means that no aging processing is performed on the MAC entries; and a processing module, configured to process data packets according to the configuration of the port.

Further, the processing module includes: a learning unit, configured to learn the source MAC address of the data packet according to the configuration of the port; a forwarding unit, configured to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or a discarding unit, configured to discard the data packet if the MAC entry corresponding to the source MAC address is not learned.

Further, the apparatus also includes: a first configuration unit, configured to configure, for the dynamic MAC addresses of the predetermined port, the number of MAC entries allowed to be learned.

Further, the learning unit includes: a judging subunit, configured to determine, when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, whether the learned MAC entry already exists; if the result is no, to determine that the MAC entry corresponding to the source MAC address has been learned; if the result is yes, to forward the data packet directly; and a determining subunit, configured to determine, when the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, that the MAC entry corresponding to the source MAC address has not been learned.

Further, the apparatus also includes: a second configuration unit, configured to configure the non-aging function for the dynamic MAC entries of the predetermined port by: reserving the value in which all bits of the MAC entry aging time field are set to 1; and/or setting the dynamic non-aging field to 1.

According to yet another embodiment of the present invention, a storage medium is also provided. The storage medium is configured to store program code for performing the following steps:

configuring a non-aging function for the dynamic media access control (MAC) entries of a predetermined port, where the non-aging function means that no aging processing is performed on the MAC entries; and processing data packets according to the configuration of the port.

With the embodiments of the present invention, a non-aging function is configured for the dynamic media access control (MAC) entries of a predetermined port, where the non-aging function means that no aging processing is performed on the MAC entries, and data packets are processed according to the configuration of the port. This solves the problem in the related art that the MAC learning function cannot restrict user access after the MAC entries of a specific port have aged out, and effectively restricts user access after the MAC entries age.
Brief description of the drawings

The drawings described here are provided for a further understanding of the embodiments of the present invention and form part of this application. The illustrative embodiments of the present invention and their descriptions are used to explain the present invention and do not unduly limit it. In the drawings:

FIG. 1 is a flowchart of a data packet processing method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a data packet processing apparatus according to an embodiment of the present invention;
FIG. 3 is block diagram 1 of a data packet processing apparatus according to a preferred embodiment of the present invention;
FIG. 4 is block diagram 2 of a data packet processing apparatus according to a preferred embodiment of the present invention;
FIG. 5 is block diagram 3 of a data packet processing apparatus according to a preferred embodiment of the present invention;
FIG. 6 is block diagram 4 of a data packet processing apparatus according to a preferred embodiment of the present invention;
FIG. 7 is a flowchart of the processing of a data packet message by the MAC entry processing module according to an embodiment of the present invention;
FIG. 8 is a flowchart of MAC entry aging according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the result of a data packet processing apparatus according to an embodiment of the present invention.
具体实施方式detailed description
下文中将参考附图并结合实施例来详细说明本发明实施例。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict.
本发明实施例提供了一种数据报文处理方法,图1是根据本发明实施例的数据报文处理方法的流程图,如图1所示,包括: The embodiment of the present invention provides a data packet processing method. FIG. 1 is a flowchart of a data packet processing method according to an embodiment of the present invention.
步骤S102,为预定端口的动态媒体访问控制MAC表项配置不老化功能,其中,该不老化功能为对MAC表项不做老化处理;Step S102: Configure a non-aging function for the dynamic media access control MAC address entry of the predetermined port, where the non-aging function does not perform aging processing on the MAC entry.
步骤S104,根据端口的配置对数据报文进行处理。Step S104, processing the data packet according to the configuration of the port.
通过上述步骤,为预定端口的动态媒体访问控制MAC表项配置不老化功能;根据端口的配置对数据报文进行处理,解决了相关技术中MAC学习功能在特定端口MAC表项老化后不能限制用户接入的问题,有效限制了MAC表项老化后用户的接入。Through the above steps, the dynamic media access control MAC address entry of the predetermined port is not aged; the data packet is processed according to the configuration of the port, and the MAC learning function in the related art cannot limit the user after the MAC address entry of the specific port is aged. The access problem effectively limits the access of users after the MAC entry is aged.
进一步地,根据端口的配置对数据报文进行处理可以包括:根据端口的配置对数据报文的源MAC地址进行学习;在学习到源MAC地址对应的MAC表项的情况下,转发该数据报文;或者,在没有学习到源MAC地址对应的MAC表项的情况下,丢弃该数据报文。Further, the processing of the data packet according to the configuration of the port may include: learning the source MAC address of the data packet according to the configuration of the port; and forwarding the datagram if the MAC entry corresponding to the source MAC address is learned. Or, if the MAC entry corresponding to the source MAC address is not learned, the data packet is discarded.
进一步地,在根据端口的配置对数据报文的MAC地址进行学习之前,为预定端口的动态MAC地址配置允许学习的MAC表项条目数,为学习MAC地址做好准备。Further, before learning the MAC address of the data packet according to the configuration of the port, the number of MAC entry entries allowed for learning is configured for the dynamic MAC address of the predetermined port, and is prepared for learning the MAC address.
进一步地,根据端口的配置对数据报文的MAC地址进行学习可以包括:在学习到的MAC表项条目数小于该允许学习的MAC表项条目数的情况下,判断学习到的MAC表项是否已经存在,在判断结果为否的情况下,确定为学习到源MAC地址对应的MAC条目;在判断结果为是的情况下,直接转发该数据报文;在学习到的MAC表项条目数大于该允许学习的MAC表项条目数的情况下,确定为没有学习到源MAC地址对应的MAC表项。Further, the learning of the MAC address of the data packet according to the configuration of the port may include: determining, if the number of learned MAC entry entries is less than the number of MAC entry entries allowed to learn, determining whether the learned MAC entry is If the result of the determination is negative, it is determined that the MAC entry corresponding to the source MAC address is learned; if the judgment result is yes, the data packet is directly forwarded; the number of learned MAC entry entries is greater than In the case where the number of MAC entry entries allowed to be learned is determined, it is determined that the MAC entry corresponding to the source MAC address is not learned.
进一步地,通过以下方式为预定端口的动态MAC表项配置不老化功能包括:保留MAC表项老化时间字段的所有比特位置1;和/或,将动态不老化字段设置为1。Further, configuring the non-aging function for the dynamic MAC entry of the predetermined port by: retaining all bit positions 1 of the MAC entry aging time field; and/or setting the dynamic non-aging field to 1.
本发明实施例还提供了一种数据报文处理装置,图2是根据本发明实施例的数据报文处理装置的框图,如图2所示,包括:The embodiment of the present invention further provides a data packet processing apparatus. FIG. 2 is a block diagram of a data packet processing apparatus according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
配置模块22,设置为为预定端口的动态媒体访问控制MAC表项配置 不老化功能,其中,该不老化功能为对MAC表项不做老化处理;The configuration module 22 is configured to configure a dynamic media access control MAC entry for the predetermined port. The aging function does not perform aging processing on MAC entries.
处理模块24,设置为根据端口的配置对数据报文进行处理。The processing module 24 is configured to process the data packet according to the configuration of the port.
图3是根据本发明优选实施例的数据报文处理装置的框图一,如图3所示,处理模块24包括:FIG. 3 is a block diagram of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 3, the processing module 24 includes:
学习单元32,设置为根据端口的配置对数据报文的源MAC地址进行学习;The learning unit 32 is configured to learn the source MAC address of the data packet according to the configuration of the port;
转发单元34,设置为在学习到源MAC地址对应的MAC表项的情况下,转发该数据报文;或者,The forwarding unit 34 is configured to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or
丢弃单元36,设置为在没有学习到源MAC地址对应的MAC表项的情况下,丢弃该数据报文。The discarding unit 36 is configured to discard the data packet if the MAC entry corresponding to the source MAC address is not learned.
图4是根据本发明优选实施例的数据报文处理装置的框图二,如图4所示,该装置还包括:4 is a block diagram 2 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 4, the apparatus further includes:
第一配置单元42,设置为为预定端口的动态MAC地址配置允许学习的MAC表项条目数。The first configuration unit 42 is configured to configure the number of MAC entry entries allowed to learn for the dynamic MAC address of the predetermined port.
图5是根据本发明优选实施例的数据报文处理装置的框图三,如图5所示,学习单元32包括:FIG. 5 is a block diagram 3 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 5, the learning unit 32 includes:
判断子单元52,设置为在学习到的MAC表项条目数小于该允许学习的MAC表项条目数的情况下,判断学习到的MAC表项是否已经存在,在判断结果为否的情况下,确定为学习到源MAC地址对应的MAC表项;在判断结果为是的情况下,直接转发该数据报文;The determining sub-unit 52 is configured to determine whether the learned MAC entry already exists if the number of learned MAC entry entries is less than the number of learned MAC entry entries, and if the determination result is negative, Determining to learn the MAC entry corresponding to the source MAC address; if the judgment result is yes, directly forwarding the data packet;
确定子单元54,设置为在学习到的MAC表项条目数大于该允许学习的MAC表项条目数的情况下,确定为没有学习到源MAC地址对应的MAC表项。The determining sub-unit 54 is configured to determine that the MAC entry corresponding to the source MAC address is not learned if the number of learned MAC entry entries is greater than the number of learned MAC entry entries.
图6是根据本发明优选实施例的数据报文处理装置的框图四,如图6所示,该装置还包括:FIG. 6 is a block diagram 4 of a data message processing apparatus according to a preferred embodiment of the present invention. As shown in FIG. 6, the apparatus further includes:
第二配置单元62,设置为通过以下方式为预定端口的动态MAC表项 配置不老化功能包括:保留MAC表项老化时间字段的所有比特位置1;和/或,将动态不老化字段设置为1。The second configuration unit 62 is configured to be a dynamic MAC entry of the predetermined port by the following manner The configuration of the non-aging function includes: retaining all bit positions 1 of the MAC entry aging time field; and/or setting the dynamic non-aging field to 1.
The embodiments of the present invention are further described below with reference to specific embodiments.
Building on existing MAC learning-limit technology, the embodiments of the present invention do not age the MAC entries learned on a specific port. Once a user has settled on the devices to be connected to the access network, the user can no longer add or swap devices at will, which is how the scheme achieves system security. Only Layer 2 processing of the data stream is involved and no upper-layer protocol processing is needed, so the implementation adds almost no system resource consumption and does not reduce system processing performance.
First, the user port attribute table is set up. This table describes the various attributes of a user port, and a dynamic MAC address non-aging switch field is added to it. The MAC address table is the basis on which data packets are switched; in this table, either a dynamic non-aging flag field is added or the maximum value of the aging-time field is reserved (that is, the maximum aging-time value marks the entry as dynamic non-aging, and this value is not used for ordinary purposes). A MAC entry processing module, a MAC entry limit module and a MAC entry aging module cooperate to carry out MAC entry processing, MAC entry limiting and aging. Restricting user access according to the present invention specifically includes: configuring the dynamic MAC address non-aging switch of a specific user port, and the number of MAC entries that the port is allowed to learn. After a data packet arrives at the MAC entry processing module, the module decides, according to the port configuration, whether to learn the packet's MAC address and whether to mark the MAC entry as dynamic non-aging, and forwards or discards the packet according to the result. When the MAC entry aging module polls a MAC entry, it decides whether to age the entry according to the entry's aging-time field and/or dynamic non-aging field.
Compared with the prior art, the embodiments of the present invention need no upper-layer protocol processing and only two simple configuration items. With almost no additional system resources and no reduction in system processing performance, once a user has settled on the devices to be connected to the access network, the user can no longer add or swap devices at will, which achieves system security.
Figure 7 is a flowchart of how the MAC entry processing module handles a data packet according to an embodiment of the present invention. As shown in Figure 7, the MAC entry here uses an added 1-bit dynamic non-aging switch field; another implementation reserves the maximum value of the aging-time field, with that value indicating that the entry is a dynamic non-aging MAC entry. The dynamic MAC address non-aging switch of the specific user port, and the number of MAC entries that the port is allowed to learn, are configured in advance. Processing of a data packet includes the following steps:
Step S702: after the data packet enters the MAC entry processing module, determine whether a MAC entry exists for the packet's source MAC address; if it exists, perform step S704; otherwise perform step S706;
Step S704: if the MAC entry is a static MAC entry, leave the entry untouched and forward the packet; if the MAC entry is a dynamic MAC entry, refresh the entry's aging time and forward the packet.
Step S706: determine whether the number of MAC entries learned on the packet's ingress port has reached the limit; if it has, perform step S708; otherwise perform step S710;
Step S708: discard the packet.
Step S710: determine whether the dynamic non-aging switch of the packet's ingress port is on; if it is on, perform step S712; otherwise perform step S714;
Step S712: learn the MAC entry, set the dynamic non-aging field in the MAC entry to 1, and go to step S716;
Step S714: learn the MAC entry, set the dynamic non-aging field in the MAC entry to 0, and go to step S716;
Step S716: increment the number of MAC entries learned on the port by 1, and forward the packet.
Figure 8 is a flowchart of MAC entry aging according to an embodiment of the present invention. As shown in Figure 8, if the polled MAC entry is a dynamic entry and its dynamic non-aging field is 1, no processing is performed on it. The rest of the flow is the same as the existing MAC entry aging flow. It includes the following steps:
Step S802: determine whether the MAC entry is a dynamic entry; if so, perform step S804; if not, perform step S808;
Step S804: determine whether the dynamic non-aging field of the MAC entry is 1; if so, perform step S808; if not, perform step S806;
Step S808: access the next MAC entry.
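The learning flow of steps S702 to S716 and the aging poll of steps S802 to S808 can be exercised together in a small model. The following C code is an added example, not code from the patent: the table size, the `AGE_MAX` countdown, the MAC addresses, and the behaviour of step S806 (which the text above does not spell out; here it decrements a timer, deletes the expired entry and frees the port's learned count) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TABLE_SIZE 8
#define AGE_MAX 3   /* constructed: polls before an idle dynamic entry expires */

enum verdict { FORWARD, DROP };

struct mac_entry {
    bool used, is_static, no_aging;   /* no_aging: 1-bit dynamic non-aging field */
    uint8_t mac[6];
    int port, age;
};

struct port_cfg {
    int limit;       /* number of MAC entries the port may learn */
    int learned;     /* number of MAC entries learned so far */
    bool no_aging;   /* per-port dynamic non-aging switch */
};

static struct mac_entry table[TABLE_SIZE];

static struct mac_entry *lookup(const uint8_t mac[6]) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i].used && memcmp(table[i].mac, mac, 6) == 0)
            return &table[i];
    return NULL;
}

/* Steps S702-S716: process the source MAC of a packet arriving on port p. */
enum verdict on_packet(struct port_cfg *ports, int p, const uint8_t mac[6]) {
    struct mac_entry *e = lookup(mac);
    if (e) {                                    /* S702 -> S704 */
        if (!e->is_static) e->age = AGE_MAX;    /* refresh dynamic entry */
        return FORWARD;
    }
    if (ports[p].learned >= ports[p].limit)     /* S706 -> S708 */
        return DROP;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table[i].used) continue;
        table[i] = (struct mac_entry){ .used = true, .port = p, .age = AGE_MAX,
                                       .no_aging = ports[p].no_aging }; /* S710-S714 */
        memcpy(table[i].mac, mac, 6);
        ports[p].learned++;                     /* S716 */
        return FORWARD;
    }
    return DROP;   /* table full: not covered by the text, so fail closed */
}

/* Steps S802-S808: one pass of the aging poll over the whole table. */
void aging_sweep(struct port_cfg *ports) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct mac_entry *e = &table[i];
        if (!e->used || e->is_static) continue; /* S802: only dynamic entries age */
        if (e->no_aging) continue;              /* S804: pinned entry, go to next */
        if (--e->age <= 0) {                    /* assumed behaviour of S806 */
            e->used = false;
            ports[e->port].learned--;
        }
    }
}

/* Scenario: device A is learned on a port with limit 1, stays idle for
 * `sweeps` aging polls, then a different device B sends a packet. */
enum verdict second_device_after_idle(bool no_aging, int sweeps) {
    static const uint8_t A[6] = {0x02, 0, 0, 0, 0, 0x0a};  /* constructed MACs */
    static const uint8_t B[6] = {0x02, 0, 0, 0, 0, 0x0b};
    struct port_cfg ports[1] = {{ .limit = 1, .learned = 0, .no_aging = no_aging }};
    memset(table, 0, sizeof table);
    on_packet(ports, 0, A);
    for (int i = 0; i < sweeps; i++) aging_sweep(ports);
    return on_packet(ports, 0, B);
}
```

With the switch off, the learning limit only holds until the first device's entry ages out; with it on, the second device is still dropped after any number of polls.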
The aging-time field described in the embodiments of the present invention is several bits wide and can express fairly fine-grained aging times. Some access devices or switching devices may use only 1 bit to indicate aging; to apply the technique of the present invention to such a two-pass aging mechanism, a 1-bit dynamic non-aging switch field must be added.
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
Step S1: configure a non-aging function for dynamic Media Access Control (MAC) entries of a predetermined port, where the non-aging function means that the MAC entries are not aged;
Step S2: process data packets according to the configuration of the port.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Figure 9 is a schematic diagram of a data packet processing apparatus according to an embodiment of the present invention. As shown in Figure 9, the data packet processing apparatus may be an access device or a switching device, and includes a memory 92 and a processor 94. The memory 92 stores instructions; the processor 94 executes the instructions so that the non-aging function is configured for dynamic Media Access Control (MAC) entries of a predetermined port of the data packet processing apparatus, where the non-aging function means that the MAC entries are not aged. The processor 94 is further configured to process data packets according to the configuration of the port.
In this embodiment of the present invention, optionally, the processor 94 is further configured to learn the source MAC address of a data packet according to the configuration of the port; to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or to discard the data packet if the MAC entry corresponding to the source MAC address is not learned.
In this embodiment of the present invention, optionally, the processor 94 is further configured to set, for the dynamic MAC addresses of the predetermined port, the number of MAC entries that the port is allowed to learn.
In this embodiment of the present invention, optionally, the processor 94 learning the MAC address of a data packet according to the configuration of the port includes: when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry to be learned already exists; if it does not exist, determining that the MAC entry corresponding to the source MAC address has been learned; if it does exist, forwarding the data packet directly; and when the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, determining that the MAC entry corresponding to the source MAC address has not been learned.
In this embodiment of the present invention, optionally, the processor 94 is further configured to configure the non-aging function for dynamic MAC entries of the predetermined port in the following manner: reserving the value of the MAC entry aging-time field in which all bits are set to 1; and/or setting the dynamic non-aging field to 1.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed across a network of multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; in some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and changes to the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial applicability
The embodiments of the present invention are applied in the communications field. They solve the problem in the related art that the MAC learning function cannot restrict user access once the MAC entries of a specific port have aged out, and effectively restrict user access after MAC entry aging.

Claims (10)

  1. A data packet processing method, comprising:
    configuring a non-aging function for dynamic Media Access Control (MAC) entries of a predetermined port, wherein the non-aging function means that the MAC entries are not aged;
    processing data packets according to the configuration of the port.
  2. The method according to claim 1, wherein processing data packets according to the configuration of the port comprises:
    learning the source MAC address of a data packet according to the configuration of the port;
    forwarding the data packet if the MAC entry corresponding to the source MAC address is learned; or
    discarding the data packet if the MAC entry corresponding to the source MAC address is not learned.
  3. The method according to claim 2, wherein, before the MAC address of the data packet is learned according to the configuration of the port, the method further comprises:
    setting, for the dynamic MAC addresses of the predetermined port, the number of MAC entries allowed to be learned.
  4. The method according to claim 3, wherein learning the MAC address of the data packet according to the configuration of the port comprises:
    when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determining whether the MAC entry to be learned already exists; if it does not exist, determining that the MAC entry corresponding to the source MAC address has been learned; if it does exist, forwarding the data packet directly;
    when the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, determining that the MAC entry corresponding to the source MAC address has not been learned.
  5. The method according to any one of claims 1 to 4, wherein configuring the non-aging function for dynamic MAC entries of the predetermined port comprises:
    reserving the value of the MAC entry aging-time field in which all bits are set to 1; and/or
    setting the dynamic non-aging field to 1.
  6. A data packet processing apparatus, comprising:
    a configuration module, configured to configure a non-aging function for dynamic Media Access Control (MAC) entries of a predetermined port, wherein the non-aging function means that the MAC entries are not aged;
    a processing module, configured to process data packets according to the configuration of the port.
  7. The apparatus according to claim 6, wherein the processing module comprises:
    a learning unit, configured to learn the source MAC address of a data packet according to the configuration of the port;
    a forwarding unit, configured to forward the data packet if the MAC entry corresponding to the source MAC address is learned; or
    a discarding unit, configured to discard the data packet if the MAC entry corresponding to the source MAC address is not learned.
  8. The apparatus according to claim 7, wherein the apparatus further comprises:
    a first configuration unit, configured to set, for the dynamic MAC addresses of the predetermined port, the number of MAC entries allowed to be learned.
  9. The apparatus according to claim 8, wherein the learning unit comprises:
    a judging subunit, configured to, when the number of learned MAC entries is less than the number of MAC entries allowed to be learned, determine whether the MAC entry to be learned already exists; if it does not exist, determine that the MAC entry corresponding to the source MAC address has been learned; if it does exist, forward the data packet directly;
    a determining subunit, configured to, when the number of learned MAC entries is greater than the number of MAC entries allowed to be learned, determine that the MAC entry corresponding to the source MAC address has not been learned.
  10. The apparatus according to any one of claims 6 to 9, wherein the apparatus further comprises:
    a second configuration unit, configured to configure the non-aging function for dynamic MAC entries of the predetermined port in the following manner: reserving the value of the MAC entry aging-time field in which all bits are set to 1; and/or setting the dynamic non-aging field to 1.
PCT/CN2016/102045 2015-10-15 2016-10-13 Data packet processing method and apparatus WO2017063578A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510669960.1 2015-10-15
CN201510669960.1A CN106603468A (en) 2015-10-15 2015-10-15 Data message processing method and device

Publications (1)

Publication Number Publication Date
WO2017063578A1 true WO2017063578A1 (en) 2017-04-20

Family

ID=58517084

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/102045 WO2017063578A1 (en) 2015-10-15 2016-10-13 Data packet processing method and apparatus

Country Status (2)

Country Link
CN (1) CN106603468A (en)
WO (1) WO2017063578A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108418759B (en) * 2018-05-31 2020-09-08 新华三技术有限公司 MAC address table item processing method and device
CN114390023A (en) * 2021-12-27 2022-04-22 锐捷网络股份有限公司 Dynamic address non-aging method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571349A (en) * 2003-07-25 2005-01-26 华为技术有限公司 Network access control method based on MAC address
CN102594704A (en) * 2012-03-20 2012-07-18 神州数码网络(北京)有限公司 Control method for address accessing network based on security port
CN103019858A (en) * 2012-12-03 2013-04-03 中兴通讯股份有限公司 Media access control ageing method and network processor

Also Published As

Publication number Publication date
CN106603468A (en) 2017-04-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16854954

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16854954

Country of ref document: EP

Kind code of ref document: A1