WO2024109009A1 - Method and system for device to interface with firewall, and computer-readable storage medium - Google Patents


Info

Publication number: WO2024109009A1
Authority: WO (WIPO, PCT)
Prior art keywords: firewall, transmitted, group, flow data, equivalent
Application number: PCT/CN2023/101875
Other languages: French (fr), Chinese (zh)
Inventor: 林宁
Original Assignee: 中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2024109009A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00  Routing or path finding of packets in data switching networks
    • H04L45/24  Multipath
    • H04L45/243  Multipath using M+N parallel active paths
    • H04L9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40  Network security protocols
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00  Reducing energy consumption in communication networks
    • Y02D30/50  Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Definitions

  • the present application relates to the field of information security technology, and in particular to a method, system and computer-readable storage medium for connecting a device to a firewall.
  • a firewall is usually set up between the public network and the private network to clean the traffic data passing through it. When the firewall is overloaded, it discards part of the traffic data to relieve the pressure, which causes irreparable losses in scenarios where the integrity of the traffic data must be guaranteed.
  • the main purpose of the present application is to provide a method, system and computer-readable storage medium for connecting a device to a firewall, aiming to solve the technical problem of how to avoid the phenomenon that the flow data of the network device is discarded when the firewall is overloaded.
  • the present application provides a method for connecting a digital device to a firewall, comprising:
  • the flow data is transmitted in a split manner based on the escape path and the firewall.
  • the present application also provides a device docking firewall system, which includes a memory, a processor, and a device docking firewall program stored in the memory and executable on the processor; when the program is executed by the processor, the steps of the device docking firewall method described above are implemented.
  • the present application also provides a computer-readable storage medium on which a device docking firewall program is stored; when the program is executed by a processor, the steps of the device docking firewall method described above are implemented.
  • the present application selects one or more target equivalent exits from the equivalent exits corresponding to the equivalent multi-path routing group determined in the device after detecting that the traffic data to be transmitted in the device needs to be diverted for transmission, and changes the above-mentioned target equivalent exits from pointing to the firewall to pointing to the escape path, and then controls the diversion and transmission of the traffic data to the escape path and the firewall.
  • the traffic data leading to the firewall can be automatically adjusted by controlling the target equivalent exits in the equivalent multi-path routing group, thereby reducing the load on the firewall and avoiding the phenomenon of discarding the traffic data of the network device when the firewall is overloaded.
  • FIG. 1 is a schematic diagram of the terminal/device structure of the hardware operating environment involved in an embodiment of the present application;
  • FIG. 2 is a flow chart of a first embodiment of the method for connecting a device to a firewall according to the present application;
  • FIG. 3 is a schematic diagram of ECMP egress orientation in the first embodiment of the method for connecting a device to a firewall according to the present application;
  • FIG. 4 is another schematic diagram of ECMP egress orientation in the first embodiment of the method for connecting a device to a firewall according to the present application;
  • FIG. 5 is a schematic diagram of ECMP egress orientation in a second embodiment of the method for connecting a device to a firewall according to the present application;
  • FIG. 6 is a schematic diagram of the LACP protocol docking in the method for connecting a device to a firewall according to the present application.
  • FIG. 1 is a schematic diagram of the structure of the device docking firewall device in the hardware operating environment involved in the embodiment of the present application.
  • the device connected to the firewall device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005.
  • the communication bus 1002 is used to realize the connection and communication between these components.
  • the user interface 1003 may include a display screen (Display), an input unit such as a keyboard (Keyboard), and the user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may include a standard wired interface and a wireless interface (such as a wireless fidelity (WI-FI) interface).
  • the memory 1005 may be a high-speed random access memory (Random Access Memory, RAM), or a stable non-volatile memory (Non-Volatile Memory, NVM), such as a disk memory.
  • the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
  • the structure shown in FIG. 1 does not constitute a limitation on the device docking firewall device, which may include more or fewer components than shown in the figure, a combination of certain components, or a different arrangement of components.
  • the memory 1005 as a storage medium may include an operating system, a data storage module, a network communication module, a user interface module, and a device docking firewall program.
  • the network interface 1004 is mainly used for data communication with other devices;
  • the user interface 1003 is mainly used for data interaction with the user;
  • the processor 1001 and the memory 1005 in the device docking firewall device of the present application can be set in the device docking firewall device, and the device docking firewall device calls the device docking firewall program stored in the memory 1005 through the processor 1001, and executes the device docking firewall method provided in the embodiment of the present application.
  • the present application provides a method for connecting a device to a firewall.
  • the method for connecting a device to a firewall includes:
  • Step S10 after detecting that the traffic data to be transmitted in the device needs to be split and transmitted, determining a plurality of equal-cost exits corresponding to the equal-cost multipath routing group in the device;
  • the network device uses a physical port or a link aggregation group to connect to the firewall, and cleans the network traffic data through the firewall, wherein the use of the link aggregation group to connect is to increase the bandwidth of the connection between the network device and the firewall.
  • in order to ensure the isolation of the public network and the private network, the firewall device is generally set at the junction of the public network and the private network, and the traffic data of the network device entering the firewall and the cleaned traffic data leaving the firewall belong to different VRFs (Virtual Routing Forwarding instances).
  • in scenarios where the traffic data must be strictly cleaned by the firewall, it is normal for traffic data to be discarded; however, in scenarios where strict cleaning by the firewall is not required but the traffic data must not be discarded, discarding causes irreparable losses.
  • when the firewall is overloaded, if the network device is to forward the public network route traffic that was originally destined for the firewall to the private network through other paths, this must be configured through the VRF mutual guidance function (route leaking between VRFs). Such configuration is relatively complex and cannot be triggered automatically, and configuring VRF mutual guidance causes the routing table in the network device to be deleted and added again, resulting in a long interruption of the network device.
  • when the firewall is overloaded with traffic, the network device can automatically escape part of the traffic to other links to keep the entire traffic data uninterrupted; the escaped traffic data automatically completes the VRF public/private network isolation without any manual configuration, and the proportion of escaped traffic data can be adjusted automatically according to the firewall overload situation.
  • the routing exit of the network device can be set not to point directly to the firewall but to an ECMP (Equal-Cost Multi-Path) routing group, with all equivalent exits of the ECMP group pointing to the firewall; after receiving the overload message sent by the firewall to the network device, the escape path is added to the ECMP group so that the escape path and the firewall path form a load balance, reducing the load on the firewall, and the proportion of the firewall load can be adjusted by the number of ECMP exits.
  • the loopback port can be used as an escape path.
  • different VRFs are configured at the export and import of the loopback port to complete the automatic processing of VRF public and private network isolation.
  • the routing exit of the router in the network device can be set to point to an ECMP group in the device.
  • the ECMP group contains several equal-cost exits.
  • when the network device detects that the firewall is overloaded, detects that the firewall is not overloaded but traffic data is forced not to pass through the firewall, or detects that the firewall has failed, the traffic data flowing to the firewall needs to be processed, for example by diverting the traffic data to be transmitted in the device.
  • the multiple equivalent exits corresponding to the equal-cost multipath routing group in the device can be determined first; after the ECMP group receives the traffic data sent by the routing exit, the traffic data is transmitted to the escape path or the firewall.
  • the traffic data transmitted to the escape path is looped back to the network device by the escape path; after the firewall recovers from being overloaded, the traffic data is again transmitted to the firewall.
  • when the firewall is overloaded, the firewall device sends overload information to the network device (it can be sent directly to the network device through a message, or through flow control frame processing, or it can be learned by the network management station and then notified by the network management station). After receiving the overload information, the network device determines that the firewall is overloaded and performs the subsequent traffic diversion processing.
  • all the exits of the ECMP group are equivalent exits, where an equivalent exit means that the path cost values of the transmission paths corresponding to the exits are equal. Since the ECMP group gives priority to the exit with the smallest path cost value when transmitting data, and the path cost values of the equivalent exits are equal, the ECMP group selects one equivalent exit to transmit each data stream based on a hash rule, where the hash rule transforms an input of any length into an output of fixed length through a hash algorithm, and that output is the hash value.
  • the traffic data in the network is composed of several data streams, and each data stream has identification information that can uniquely identify the data stream, namely, a data identifier.
  • the data identifier is processed based on the hash rule to calculate a hash value, so that the data identifier of each data stream has a unique corresponding hash value, and each hash value corresponds to an equivalent exit in the ECMP group. After obtaining the hash value, the equivalent exit through which the data stream is transmitted is determined.
  • the device can be a network device, specifically a switch, a router, a bridge, a computer, etc.
  • an ECMP group is set in the routing table of the switch, which is denoted as ECMP1.
  • the switch routes 10.1.1.0, 20.1.1.0, and 30.1.1.0 all point to ECMP1.
  • nexthop1, nexthop2, nexthop3, and nexthop4 of ECMP1 all point to the physical port port3 connected to the firewall on the public network side. All traffic data is transmitted through the equivalent exit of ECMP1 to the physical port port3 pointed to by the equivalent exit.
  • the physical port port3 sends the traffic data to the firewall to clean the traffic data, and the firewall sends a firewall overload notification to the network device through the physical port port4 on the private network side.
  • port3 is a physical port on the private network side.
  • port4 is a physical port on the public network side.
  • in addition to diverting the traffic data to be transmitted after detecting that the firewall is overloaded, the traffic data to be transmitted can also be diverted based on a diversion instruction received from the user or another device, or when it is detected that the firewall is faulty, for example when it can only transmit traffic data up to a certain size. In this embodiment, firewall overload is used only as an example; the method is not limited to this scenario, and any scenario in which the traffic data to be transmitted in the device needs to be diverted can be applied to this embodiment.
  • Step S20 selecting one or more target equivalent exits from the plurality of equivalent exits to change the exits from pointing to the firewall to pointing to a preset escape path;
  • one or more equivalent exits (i.e., target equivalent exits) of the ECMP group can be changed from pointing to the firewall to pointing to a preset escape path according to certain rules, so that the escape path is added to the ECMP group.
  • the preset escape path is used to share the flow data sent to the firewall and loop this flow data back to the network device.
  • the escape path can be a loopback bridge group, and the loopback bridge group can be composed of two physical ports or two link aggregation groups interconnected, wherein the interconnection method can be through an external direct line connection or can be directly interconnected internally through chip support.
  • one end of the loopback bridge group is configured with a public network VRF, and the other end is configured with a private network VRF. Users can configure the public network VRF and private network VRF of the loopback bridge group according to their specific needs.
  • after the loopback bridge group is configured, when a firewall overload message is received, the network device changes the target equivalent exit in the ECMP group from pointing to the firewall to pointing to the loopback bridge group. For example, referring to FIG. 4, the routes 10.1.1.0, 20.1.1.0 and 30.1.1.0 in the routing table of the switch all point to ECMP1, and the escape path of ECMP1 is a loopback bridge group composed of two interconnected physical ports port1 and port2.
  • after the network device receives the firewall overload message, it points one exit of ECMP1, nexthop1, to the physical port port1 on the public network side of the loopback bridge group.
  • the traffic data from the physical port port1 is looped back to the physical port port2 on the private network side of the loopback bridge group through the loopback bridge group.
  • the traffic data is transmitted to the physical port port1 and the physical port port3 through the equivalent export of ECMP1.
  • the traffic data passing through the physical port port1 is looped back to the network device by the escape path, thereby reducing the traffic data pressure of the firewall.
  • the exits nexthop2, nexthop3 and nexthop4 of ECMP1 still point to the physical port port3 connected to the firewall.
  • the traffic data transmitted through the physical port port3 is transmitted to the firewall, and the firewall sends a firewall overload notification to the network device through the physical port port4.
  • port1 is the physical port on the private network side
  • port2 is the physical port on the public network side.
  • Step S30 Divert and transmit the traffic data based on the escape path and the firewall.
  • after changing the target equal-cost exit in the ECMP group to point to the escape path, the network device does not transmit the traffic data directly to the firewall. Instead, the ECMP group determines, based on the hash rule, the equivalent exit through which each data stream of the traffic data to be transmitted is sent to the physical port of the network device pointed to by that exit, and the data stream is transmitted through that physical port to the escape path or the firewall. In this embodiment, if the ECMP group's hash determines that a data stream is transmitted through the target equivalent exit, it is transmitted to the escape path, which loops the data stream back to the network device; otherwise, it is transmitted to the firewall.
  • the data stream transmitted through the export nexthop1 will be transmitted to the loopback bridge group, and the data stream will be looped back to the network device through the loopback bridge group without being discarded.
  • the data stream transmitted through the exports nexthop2, nexthop3 and nexthop4 will be transmitted to the firewall, which will complete the cleaning work.
  • the switch is connected to the firewall device through physical port port3 and physical port port4.
  • the switch routes the public network traffic of 10.1.1.0/20.1.1.0/30.1.1.0, which needs to be cleaned by the firewall before reaching the private network.
  • the network device routes 10.1.1.0/20.1.1.0/30.1.1.0 to ECMP1, where all the exits nexthop1, nexthop2, nexthop3 and nexthop4 of ECMP1 point to the physical port port3 connected to the firewall on the public network side.
  • the traffic data of the network device is resolved to the exit ECMP1 through the routing table, and ECMP1 sends all traffic data to the firewall based on the hash rule.
  • when the firewall is overloaded with traffic data, the network device receives the firewall overload message, either by the firewall sending a notification directly to the device or by the network management console notifying the device.
  • the network device sets a loopback bridge group consisting of two physical ports port1 and port2 interconnected as an escape route, where port1 is located on the public network side and port2 is located on the private network side.
  • the two physical ports port1 and port2 of the loopback bridge group are directly looped back through a connection.
  • the network device points the exit of nexthop1, an exit of ECMP1, to port1 on the public network side of the loopback bridge group.
  • the traffic data of the network device is resolved to the exit ECMP1 through the routing table.
  • ECMP1 shares part of the traffic data to nexthop1 based on the hash rule, sends it from port1, and loops it back to the private network side of Port2, and finally returns to the network device, thereby reducing the traffic pressure of the firewall. If the network device continues to receive the firewall overload message, the network device continues to increase the proportion of the equivalent exit pointing to port1 on the public network side of the loopback bridge group in the ECMP group, and continues to reduce the proportion of traffic data sent to the firewall until the firewall overload disappears.
  • after the network device receives the message that the firewall is no longer overloaded, it restores the equivalent exits of ECMP1 that point to the public network side of the loopback bridge group to point directly to the firewall again, gradually increasing the proportion of traffic data sent to the firewall until that proportion is balanced and stable.
  • the above completes the automatic adjustment of traffic data between the network device and the firewall, without any cross-VRF configuration.
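The ECMP escape-path mechanism of steps S10 to S30, as an added Python simulation that is not part of the patent: an ECMP group whose nexthops initially all point at the firewall port, a controller that re-points one nexthop per overload message to the loopback bridge port (and back on recovery), and the per-flow hash rule that decides which streams become the first sub-flow data. Port names, flow identifiers and the use of SHA-256 as the ECMP hash are assumptions.

```python
"""Simulation of ECMP-based escape-path diversion for an overloaded firewall.

Added example, not the patent's own code. Port names, flow identifiers and
the choice of SHA-256 as the ECMP hash are assumptions made for illustration.
"""
import hashlib

FIREWALL_PORT = "port3"   # public-side physical port connected to the firewall
ESCAPE_PORT = "port1"     # public-side port of the loopback bridge group (port1 <-> port2)


class EcmpGroup:
    """ECMP1: equivalent exits (nexthops) that each point at a physical port."""

    def __init__(self, nexthops):
        # nexthop name -> physical port; all start out pointing at the firewall
        self.nexthops = dict(nexthops)
        self.order = sorted(self.nexthops)   # fixed order so each hash bucket is stable

    def select_nexthop(self, flow_id):
        """Hash rule: the stream's data identifier is hashed to a fixed-length
        digest, and the digest selects exactly one equivalent exit."""
        digest = hashlib.sha256(flow_id.encode()).digest()
        bucket = int.from_bytes(digest[:8], "big") % len(self.order)
        return self.order[bucket]

    def port_for(self, flow_id):
        return self.nexthops[self.select_nexthop(flow_id)]

    def escape_ratio(self):
        """Fraction of equivalent exits currently pointing at the escape path."""
        return sum(1 for p in self.nexthops.values() if p == ESCAPE_PORT) / len(self.nexthops)


class EscapeController:
    """Reacts to firewall overload / recovery messages by re-pointing exits."""

    def __init__(self, ecmp):
        self.ecmp = ecmp

    def on_overload(self):
        """Step S20: re-point one more exit from the firewall to the escape path.
        Returns False when every exit already points at the escape path."""
        for name in self.ecmp.order:
            if self.ecmp.nexthops[name] == FIREWALL_PORT:
                self.ecmp.nexthops[name] = ESCAPE_PORT
                return True
        return False

    def on_recovered(self):
        """Firewall no longer overloaded: restore one exit to the firewall.
        Returns False when no exit points at the escape path."""
        for name in reversed(self.ecmp.order):
            if self.ecmp.nexthops[name] == ESCAPE_PORT:
                self.ecmp.nexthops[name] = FIREWALL_PORT
                return True
        return False


def split_traffic(ecmp, flow_ids):
    """Step S30 / steps a and b: partition streams into the first sub-flow data
    (looped back via the escape path) and the rest (cleaned by the firewall)."""
    escaped = [f for f in flow_ids if ecmp.port_for(f) == ESCAPE_PORT]
    cleaned = [f for f in flow_ids if ecmp.port_for(f) == FIREWALL_PORT]
    return escaped, cleaned


def demo():
    """Walk through the scenario of FIG. 3 / FIG. 4 with constructed flow ids."""
    ecmp = EcmpGroup({n: FIREWALL_PORT for n in ("nexthop1", "nexthop2", "nexthop3", "nexthop4")})
    ctl = EscapeController(ecmp)
    # constructed 5-tuples standing in for the data identifiers of the streams
    flows = [f"10.1.1.{i}:{40000 + i}->30.1.1.{i % 3}:443/tcp" for i in range(1, 41)]
    trace = [ecmp.escape_ratio()]              # 0.0: everything goes to the firewall
    for _ in range(2):                         # two overload messages in a row
        ctl.on_overload()
        trace.append(ecmp.escape_ratio())      # 0.25, then 0.5
    escaped, cleaned = split_traffic(ecmp, flows)
    ctl.on_recovered()
    trace.append(ecmp.escape_ratio())          # 0.25 after the firewall recovers
    return trace, escaped, cleaned
```

Note that a stream's nexthop never changes while exits are re-pointed; only the port behind the chosen nexthop does, so streams on the untouched nexthops are not reshuffled.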
  • one or more target equivalent exits are selected from the equal-cost exits corresponding to the equal-cost multipath routing group determined in the device.
  • the target equivalent exit is changed from pointing to the firewall to pointing to the escape path, and the flow data is then controlled to be diverted and transmitted to the escape path and the firewall.
  • the flow data leading to the firewall can be automatically adjusted by controlling the target equivalent exit in the equal-cost multipath routing group, thereby reducing the load on the firewall and avoiding the phenomenon of discarding the flow data of the network device when the firewall is overloaded.
  • in step S30 of the above embodiment, performing split transmission of the flow data based on the escape path and the firewall includes:
  • Step a when the number of target equivalent exits is less than the number of equivalent exits, determining the first sub-flow data in the flow data that flows through the target equivalent exits, and controlling the first sub-flow data to be transmitted through the escape path;
  • Step b controlling the other sub-flow data in the flow data except the first sub-flow data to be transmitted through the firewall.
  • if the firewall has a fault and the traffic data cannot flow through the firewall, a corresponding prompt message can be output to inform the user.
  • the traffic data can be diverted at the next hop, that is, part of the traffic data flows through the firewall and the other part flows through the escape path.
  • when performing diversion transmission, the ECMP group determines, based on the hash rule, all data flows that flow through the target equivalent exit (i.e., the first sub-traffic data); the first sub-traffic data is transmitted through the escape path, and the remaining traffic data that is not first sub-traffic data is still transmitted through the firewall.
  • the traffic data includes the first sub-traffic data and other sub-traffic data.
  • the first sub-flow data is controlled to be transmitted through the escape path, and other sub-flow data except the first sub-flow data is controlled to be transmitted through the firewall, thereby realizing the diversion transmission of flow data and avoiding the phenomenon of flow data being discarded when the firewall is overloaded.
  • the escape path includes a loopback bridge group.
  • controlling the first sub-flow data to be transmitted through the escape path includes:
  • Step a1 controlling the first sub-flow data to be transmitted through the target equivalent exit to the input end of the loopback bridge group and looped back through the output end of the loopback bridge group.
  • the traffic data sent by the routing exit can be received in ECMP, and after determining that the first sub-traffic data is sent to the loopback bridge group, the first sub-traffic data is controlled to flow through the target equivalent exit, the input end of the loopback bridge group and the output end of the loopback bridge group in sequence, so as to achieve the effect of traffic data escape.
  • the loopback bridge group is formed by interconnecting two ports or two link aggregation groups (connected by an external direct line, or by internal direct interconnection supported by the chip).
  • the two ports or link aggregation groups are each configured as a VRF of the public network or private network.
  • the route that needs to be converted from the public network to the private network VRF can point the exit to a port or a link aggregation group in this loopback bridge group, and the VRF crossing is completed through the effect of loopback bridging, and there is no need to configure any VRF routing mutual guidance.
  • in one configuration, the public network VRF side of the loopback bridge group is the input end and the private network VRF side is the output end.
  • in the reverse configuration, the private network VRF side of the loopback bridge group is the input end and the public network VRF side is the output end.
  • the first sub-flow data transmitted through the target equivalent export of the ECMP group is transmitted to the input end of the loopback bridge group, and then looped back to the network device at the output end of the loopback bridge group.
  • the loopback bridge group is used as an escape path, and VRF automatic isolation can be supported without VRF mutual guidance configuration, and VRF traversal can be completed.
  • no manual intervention is required during the entire loopback process, and all actions can be automatically executed.
  • the network device route points to the ECMP group from beginning to end, and the export change of the ECMP group is used to adjust the traffic pressure of the firewall to avoid the phenomenon of discarding traffic data.
  • controlling the first sub-flow data to be transmitted to the input end of the loopback bridge group through the target equivalent exit pointing to the loopback bridge group, and looping back through the output end of the loopback bridge group includes:
  • Step a11 when the loopback bridge group is composed of link aggregation groups, determining the transmission protocol corresponding to the link aggregation group;
  • the link aggregation group needs to be dynamically connected through a transmission protocol such as LACP (Link Aggregation Control Protocol); during loopback bridging, the device must complete the LACP protocol negotiation with itself so that the two link aggregation groups are interconnected to form a loopback bridge group.
  • Step a12 constructing a transmission message according to the first sub-flow data and the target physical address (such as a special MAC address) corresponding to the transmission protocol;
  • Step a13 transmitting the transmission message to the input end of the link aggregation group through the target equivalent export pointing to the link aggregation group, and looping back through the output end of the link aggregation group;
  • Step a14 when the target physical address in the looped-back transmission message matches the preset special source physical address, continuing to complete the transmission of the looped-back transmission message.
  • when the network device connects the loopback bridge through link aggregation groups, it needs to select a special source MAC address (i.e., the preset special source physical address) for transmission, recorded as SMAC, so that the network device can complete the LACP protocol negotiation of the link aggregation group with itself.
  • the loopback bridge link aggregation group uses the SMAC address to send messages, while the LACP messages of other non-loopback bridge link aggregation groups continue to use the source MAC address of the device itself to send. Therefore, the message transmitted through the loopback bridge group needs to match the target physical address in the transmission message with the SMAC address.
  • if the two addresses match, this message is a transmission message on the loopback bridge link aggregation group, and the transmission of the message continues to be looped back. If they do not match, this message is not a transmission message on the loopback bridge link aggregation group; it is not looped back through the loopback bridge group, and is instead either transmitted in the usual transmission mode of the network device or considered to have been sent to the loopback bridge group by mistake and discarded directly.
  • the transmission message is sent with the target physical address to complete the LACP protocol docking of the loopback bridge link aggregation group, so that the loopback bridge group can accurately loop back the message and the traffic data transmitted to the loopback bridge group can be looped back to the network device.
  • after determining the transmission protocol corresponding to the link aggregation group, the method further includes:
  • Step a15 determining the device physical address corresponding to the transmission protocol, and obtaining a preset offset address, and constructing a target physical address according to the offset address and the device physical address.
  • the LACP sending process of the network device uses the device's own MAC (Media Access Control) address as the source MAC address, the LACP message sent in this way becomes an LACP message with the network device receiving its own MAC address after looping back. This message will be discarded, and the two link aggregation groups cannot be successfully connected.
  • the loopback bridge group is composed of the link aggregation group Trunk1 and the link aggregation group Trunk2 interconnected.
  • The network device can thus connect the LACP protocol of a link aggregation group with itself, and adding this special source MAC address to the MAC table of the network device means the special source MAC address is learned into the MAC address table.
  • The network device's own MAC address plus an offset can be used as the special source MAC address. The offset address is also a MAC address assigned to this network device, so it can be used legitimately and will not conflict with the MAC address of any other network device.
  • Other special MAC addresses that do not conflict with the MAC addresses of other network devices can also be selected as the special source MAC address for sending LACP protocol messages, so that the LACP loopback bridge connection of the link aggregation group of the network device can be completed.
  • the device physical address includes the MAC address.
  • the target physical address is constructed according to the offset address and the device physical address to ensure that the subsequent escape path can operate normally when using the target physical address to loop back the first sub-flow data.
  • Controlling the first sub-flow data to be transmitted to the input end of the loopback bridge group through the target equal-cost exit pointing to the loopback bridge group, before it is looped back through the output end of the loopback bridge group, includes:
  • Step a01: obtaining the public network virtual routing forwarding (VRF) and the private network VRF corresponding to the device, and configuring the loopback bridge group according to the public network VRF and the private network VRF.
  • The loopback bridge group can be set up according to the public network VRF and the private network VRF corresponding to the device. For example, as shown in FIG. 5, the routes 10.1.1.0, 20.1.1.0 and 30.1.1.0 in the routing table of the switch all point to ECMP1, and the escape path pointed to by the target equal-cost exit of ECMP1 is a loopback bridge group composed of the two link aggregation groups Trunk1 and Trunk2 interconnected. After the public network VRF and the private network VRF corresponding to the network device are obtained, Trunk1 is configured with the public network VRF and Trunk2 with the private network VRF.
  • The target equal-cost exit points to Trunk1, and the traffic data is transmitted to Trunk1 and to the physical port port3 through the equal-cost exits of ECMP1.
  • the traffic data passing through Trunk1 is looped back to the network device through the escape path.
  • the exits nexthop2, nexthop3, and nexthop4 of ECMP1 still point to the physical port port3 connected to the firewall.
  • the traffic data transmitted through the physical port port3 is transmitted to the firewall, and the firewall sends a firewall overload notification to the network device through the physical port port4.
  • Alternatively, Trunk1 is configured with the private network VRF and Trunk2 with the public network VRF.
  • the escape path can also be a loopback bridge group composed of two interconnected physical ports.
  • the configuration method of its public network VRF and private network VRF is the same as the configuration method of the loopback bridge group composed of two interconnected link aggregation groups, which will not be described in detail here.
  • the loopback bridge group is configured according to the public network VRF and the private network VRF corresponding to the device to ensure the normal operation of the subsequent loopback bridge group as an escape link.
  • Step c: after completing the one-hop transmission of the flow data, if flow data remains untransmitted in the device, detecting whether the remaining target flow data flowing to the firewall within the remaining flow data needs to continue to be diverted;
  • After one-hop transmission of the flow data is complete and flow data is found to remain untransmitted in the device, the firewall can be checked again to decide whether to keep diverting the remaining flow data on the next hop. If the firewall is again found to be overloaded, the remaining target flow data flowing to the firewall continues to be diverted.
  • Step d: when the remaining target traffic data needs to be diverted further, continuing to execute the step of selecting one or more target equal-cost exits from the plurality of equal-cost exits and changing them from pointing to the firewall to pointing to the preset escape path;
  • The equal-cost exits in the ECMP group can continue to be redirected.
  • One or more further equal-cost exits are selected as newly added target equal-cost exits, that is, the proportion of target equal-cost exits is increased, and the newly added target equal-cost exits are changed from pointing to the firewall to pointing to the escape path; the adjustment of the ECMP group is repeated until the firewall is no longer detected as overloaded.
  • The number of target equal-cost exits added in each adjustment can be set by the user.
  • The exit orientation of the ECMP group can be adjusted continuously, gradually increasing the number of exits pointing to the escape path and reducing the number of exits pointing to the firewall.
  • Step e: once the remaining traffic data can be transmitted in a combined manner, the target equal-cost exits pointing to the escape path are restored to point to the firewall, and the remaining traffic data is transmitted in a combined manner through the firewall.
  • The diversion of the remaining traffic data can then be stopped, and the remaining traffic data is recombined and transmitted to the firewall.
  • The orientation of the target equal-cost exit is restored, that is, changed from the escape path back to the firewall, so that the remaining traffic data is subsequently transmitted through the firewall.
  • The target equal-cost exits can be selected according to certain rules, such as equal proportion or equal quantity.
  • The method further includes:
  • Step f: setting the routing exit in the device to point to a preset equal-cost multipath routing group, and setting the equal-cost exits in the equal-cost multipath routing group to point to the firewall.
  • The routing exit of the network device is set not to point directly at the firewall but at the ECMP group, and the equal-cost exits of the ECMP group are pointed at the firewall.
  • The ECMP group contains multiple equal-cost exits. When the firewall is not overloaded, all equal-cost exits point to the firewall, ensuring that all traffic data is sent to the firewall for cleaning. After firewall overload is detected, the orientation of the route in the network device is not changed: the route points to the ECMP group throughout, and only the exits of the ECMP group are changed to adjust the traffic pressure on the firewall. The network device therefore never suffers a noticeable interruption, the switching is simple, and no traffic data is discarded because of firewall overload, which preserves the integrity of the traffic data.
  • Responding automatically to firewall overload improves the network flexibility of switch and router products, improves the maintainability of network equipment, and improves users' perceived network quality.
  • An embodiment of the present application also proposes a device-to-firewall system, which includes a memory, a processor, and a device-to-firewall program stored in the memory and executable on the processor.
  • The present application also provides a computer-readable storage medium on which a device-to-firewall program is stored; when the device-to-firewall program is executed by a processor, the steps of the device-to-firewall method described above are implemented.
  • The technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) as described above, including a number of instructions for a terminal device (which can be a mobile phone, a computer, a server, a network device, etc.) to execute the methods described in the embodiments of the present application.
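The special source address of Step a15 and the receive-side match described above, as an added example (not the patent's own code). It assumes the compared field is the frame's source MAC, that a result with the I/G bit set is rejected, and that the three receive outcomes are named as in the comments; the MAC values are constructed.

```python
"""Loopback-bridge LACP address handling modelled on Step a15 and the
matching rule above. Added example; field names and outcomes are assumptions."""
import re
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
MAC_BITS = 48
MAC_MASK = (1 << MAC_BITS) - 1
IG_BIT = 1 << (MAC_BITS - 8)   # I/G bit of the first octet: set means a group address


def mac_to_int(mac: str) -> int:
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}"
                    for shift in range(MAC_BITS - 8, -1, -8))


def build_target_mac(device_mac: str, offset: int) -> str:
    """Step a15: target physical address = device MAC + preset offset address.
    The page states the offset is also assigned to this device, so the result
    is a legitimate address that cannot collide with another device's MAC.
    Rejecting a group address (I/G bit set) is this example's own check: a
    group address cannot be used as a frame's source address."""
    if offset <= 0:
        raise ValueError("offset must be positive")
    target = (mac_to_int(device_mac) + offset) & MAC_MASK
    if target & IG_BIT:
        raise ValueError("device MAC + offset yields a group address")
    return int_to_mac(target)


def classify_received_lacp(frame_src_mac: str, device_mac: str,
                           target_mac: Optional[str],
                           discard_on_mismatch: bool = False) -> str:
    """Receive-side decision for an LACP frame arriving from the loopback bridge.

    Assumption: the "target physical address in the transmission message" that
    the page matches against the SMAC is the frame's source MAC field.
      'loopback' - source equals the SMAC: loopback-bridge LACP, keep looping
      'self'     - source equals the device's own MAC: the failure case on the
                   page, where the device sees its own MAC and drops the frame
      'normal'   - any other source: ordinary non-loopback LACP handling
      'discard'  - mismatch, when the strict "sent to the loopback bridge group
                   by mistake" handling is selected
    """
    src = mac_to_int(frame_src_mac)
    if target_mac is not None and src == mac_to_int(target_mac):
        return "loopback"
    if src == mac_to_int(device_mac):
        return "self"
    return "discard" if discard_on_mismatch else "normal"


def lacp_roundtrip(device_mac: str, offset: Optional[int]) -> str:
    """One LACP frame sent from Trunk1, looped back and received on Trunk2.
    With offset=None the frame carries the device's own MAC (the failing case);
    otherwise it carries the constructed SMAC and is accepted as loopback."""
    target = build_target_mac(device_mac, offset) if offset is not None else None
    src = target if target is not None else device_mac
    return classify_received_lacp(src, device_mac, target)
```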

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in the present application are a method and system for a device to interface with a firewall, and a computer-readable storage medium. The method for a device to interface with a firewall comprises: after it is detected that flow data to be transmitted in a device needs to be subjected to shunting transmission, determining a plurality of equal-cost egresses corresponding to an equal-cost multipath routing group in the device; selecting one or more target equal-cost egresses from among the plurality of equal-cost egresses to switch from pointing to a firewall to pointing to a preset best-effort path; and performing shunting transmission of the flow data on the basis of the best-effort path and the firewall.

Description

Method, system and computer-readable storage medium for connecting a device to a firewall
Related Applications
This application claims priority to Chinese patent application No. 202211464353.8, filed on November 21, 2022, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of information security technology, and in particular to a method, a system and a computer-readable storage medium for connecting a device to a firewall.
Background
At present, to protect information security, a firewall is generally placed between the public network and the private network to clean the traffic data passing through it. When the firewall becomes overloaded, it discards part of the traffic data to relieve the pressure, which causes irreparable loss in scenarios where the integrity of the traffic data must be guaranteed.
Summary of the Invention
The main purpose of the present application is to provide a method, a system and a computer-readable storage medium for connecting a device to a firewall, aiming to solve the technical problem of how to prevent the traffic data of a network device from being discarded when the firewall is overloaded.
To achieve the above object, the present application provides a method for connecting a device to a firewall, comprising:
after detecting that traffic data to be transmitted in a device needs to be split for transmission, determining a plurality of equal-cost exits corresponding to an equal-cost multipath routing group in the device;
selecting one or more target equal-cost exits from the plurality of equal-cost exits and changing them from pointing to the firewall to pointing to a preset escape path;
performing the split transmission of the traffic data based on the escape path and the firewall.
In addition, to achieve the above object, the present application also provides a device-to-firewall system, which includes a memory, a processor, and a device-to-firewall program stored in the memory and executable on the processor. When the device-to-firewall program is executed by the processor, the steps of the method for connecting a device to a firewall described above are implemented.
In addition, to achieve the above object, the present application also provides a computer-readable storage medium on which a program for connecting a device to a firewall is stored. When the program is executed by a processor, the steps of the method for connecting a device to a firewall described above are implemented.
In the present application, after detecting that traffic data to be transmitted in the device needs to be split for transmission, one or more target equal-cost exits are selected from the equal-cost exits corresponding to the equal-cost multipath routing group determined in the device, these target equal-cost exits are changed from pointing to the firewall to pointing to the escape path, and the traffic data is then split between the escape path and the firewall. Because the traffic data sent towards the firewall can be adjusted automatically by controlling the target equal-cost exits in the equal-cost multipath routing group, the load on the firewall is reduced and the traffic data of the network device is not discarded when the firewall is overloaded.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the terminal/device structure of the hardware operating environment involved in an embodiment of the present application;
FIG. 2 is a flow chart of a first embodiment of the method for connecting a device to a firewall according to the present application;
FIG. 3 is a schematic diagram of the ECMP exit orientation in the first embodiment of the method for connecting a device to a firewall according to the present application;
FIG. 4 is another schematic diagram of the ECMP exit orientation in the first embodiment of the method for connecting a device to a firewall according to the present application;
FIG. 5 is a schematic diagram of the ECMP exit orientation in a second embodiment of the method for connecting a device to a firewall according to the present application;
FIG. 6 is a schematic diagram of the device docking with the LACP protocol in the method for connecting a device to a firewall according to the present application.
The realization of the object, the functional features and the advantages of the present application will be further explained with reference to the embodiments and the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are only intended to explain the present application and are not intended to limit it.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the device-to-firewall apparatus of the hardware operating environment involved in an embodiment of the present application.
As shown in FIG. 1, the device-to-firewall apparatus may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to realize the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may also include a standard wired interface and a wireless interface. The network interface 1004 may include a standard wired interface and a wireless interface (such as a Wireless-Fidelity (WI-FI) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will appreciate that the structure shown in FIG. 1 does not limit the device-to-firewall apparatus, which may include more or fewer components than shown, a combination of certain components, or a different arrangement of components.
As shown in FIG. 1, the memory 1005, as a storage medium, may include an operating system, a data storage module, a network communication module, a user interface module and a device-to-firewall program.
In the device-to-firewall apparatus shown in FIG. 1, the network interface 1004 is mainly used for data communication with other devices, and the user interface 1003 is mainly used for data interaction with the user. The processor 1001 and the memory 1005 may be arranged in the device-to-firewall apparatus, which calls the device-to-firewall program stored in the memory 1005 through the processor 1001 and executes the method for connecting a device to a firewall provided in the embodiments of the present application.
Referring to FIG. 2, the present application provides a method for connecting a device to a firewall. In a first embodiment, the method includes:
Step S10: after detecting that the traffic data to be transmitted in the device needs to be split for transmission, determining a plurality of equal-cost exits corresponding to the equal-cost multipath routing group in the device;
The network device connects to the firewall through a physical port or a link aggregation group, and the firewall cleans the network traffic data; a link aggregation group is used to increase the bandwidth of the connection between the network device and the firewall. In this embodiment, to keep the public network and the private network isolated, the firewall is generally placed at the boundary between them, and the traffic data entering the firewall from the network device and the traffic data returned after cleaning belong to different VRFs (Virtual Routing Forwarding instances). However, in this networking mode, when the firewall's traffic data is overloaded the network device has no additional path to escape to, so traffic data is discarded. In scenarios where traffic data must be strictly cleaned by the firewall, discarding it is normal; but in scenarios that do not require strict cleaning by the firewall, that is, scenarios in which the traffic data must not be discarded, this causes irreparable loss.
In addition, when the firewall is overloaded, if the network device is to forward public-network route traffic originally destined for firewall cleaning to the private network through other paths, this must be configured through the VRF inter-import function (route leaking between VRFs). Such configuration is relatively complex, cannot be triggered automatically, and causes the routing table in the network device to be deleted and re-added, resulting in a long traffic interruption on the network device.
Therefore, to avoid the above defects, in this embodiment the network device can automatically escape part of the traffic to other links when the firewall is overloaded, keeping the traffic data as a whole uninterrupted; the escaped traffic data automatically completes the VRF public/private network isolation without any manual configuration, and the proportion of escaped traffic data is adjusted automatically according to the firewall's overload state.
In this embodiment, the routing exit of the network device can be set not to point directly at the firewall but at an ECMP (Equal Cost Multi Path) routing group, with all equal-cost exits of the ECMP group pointing at the firewall. After the overload message sent by the firewall to the network device is received, the escape path is added to the ECMP group so that the escape path and the firewall path form a load balance, which reduces the firewall's load; the proportion of the firewall's load can be adjusted through the number of ECMP exits. At the same time, to support automatic VRF isolation without any VRF inter-import configuration, a loopback port can be used as the escape path, and different VRFs are configured on the egress and ingress of the loopback port so that the VRF public/private network isolation is handled automatically.
In this embodiment, when the physical exit in the network device points to the firewall, the routing exit of the router in the network device can be set to point to an ECMP group in the device. The ECMP group contains several equal-cost exits; when the firewall is not overloaded, all ECMP exits are written as next-hop exits pointing to the firewall, ensuring that 100% of the traffic can be sent to the firewall.
In this embodiment, when the network device detects that the firewall is overloaded, or detects that the firewall is not overloaded but traffic data is forced not to pass through the firewall, or the firewall fails, the traffic data flowing to the firewall needs to be processed, for example by splitting the traffic data to be transmitted in the device. After determining that the traffic data to be transmitted needs to be split, the plurality of equal-cost exits corresponding to the equal-cost multipath routing group in the device can first be determined; after the ECMP group receives the traffic data sent by the routing exit, the traffic data is transmitted to the escape path or to the firewall. Traffic data transmitted to the escape path is looped back to the network device by the escape path, and after the firewall is no longer overloaded this traffic data is transmitted to the firewall. When the firewall is overloaded, the firewall sends overload information to the network device (it can be sent directly to the network device in a message, through flow-control frame processing, or learned by the network management station and then notified by it to the network device). After receiving the overload information, the network device determines that the firewall is overloaded and performs the subsequent splitting.
All exits of the ECMP group are equal-cost exits, meaning that the path cost values of the transmission paths corresponding to the exits are equal. Because the ECMP group prefers the exit with the smallest path cost value to transmit data, and the path cost values of the equal-cost exits are all equal, the ECMP group determines one equal-cost exit to transmit data based on a hash rule, where the hash rule means transforming an input of arbitrary length into an output of fixed length through a hash algorithm, the output being the hash value. In one embodiment, the traffic data in the network is composed of several data flows, each of which has identification information that uniquely identifies it, namely a data identifier. The data identifier is processed according to the hash rule to compute a hash value, so that the data identifier of each data flow has a uniquely corresponding hash value, and each hash value has a corresponding equal-cost exit in the ECMP group; once the hash value is obtained, the equal-cost exit through which the data flow is transmitted is determined.
In this embodiment, the device can be a network device, specifically a switch, a router, a bridge, a computer, etc. For example, referring to FIG. 3, an ECMP group denoted ECMP1 is set in the routing table of the switch, and the switch routes 10.1.1.0, 20.1.1.0 and 30.1.1.0 all point to ECMP1. Assuming that ECMP1 contains four exits, nexthop1, nexthop2, nexthop3 and nexthop4, these four exits are all equal-cost exits of ECMP1, and in the initial routing table they all point to the physical port port3 connected to the firewall on the public network side. All traffic data is transmitted through the equal-cost exits of ECMP1 to the physical port port3 they point to; port3 sends the traffic data to the firewall, which cleans it, and the firewall sends a firewall overload notification to the network device through the physical port port4 on the private network side. Similarly, if port3 is the private-side physical port, then port4 is the public-side physical port.
In addition, in this embodiment, the traffic data to be transmitted does not only need to be split after firewall overload is detected. It can also be split on the basis of a splitting instruction received from a user or another device, or when a firewall fault is detected, such as the firewall being able to transmit only a certain amount of traffic data. This embodiment uses firewall overload only as an example; it is not limited to that scenario, and any scenario in which the traffic data to be transmitted in the device needs to be split applies to this embodiment.
Step S20: selecting one or more target equal-cost exits from the plurality of equal-cost exits and changing them from pointing to the firewall to pointing to a preset escape path;
In this embodiment, after determining that the traffic data needs to be split, one or more equal-cost exits of the ECMP group (the target equal-cost exits) can be changed, according to certain rules, from pointing to the firewall to pointing to the preset escape path, so that the escape path is added to the ECMP group. The preset escape path shares the traffic data sent to the firewall and loops this traffic data back to the network device. In one embodiment, the escape path can be a loopback bridge group composed of two physical ports or two link aggregation groups interconnected, where the interconnection can be an external direct cable connection or a direct internal interconnection supported by the chip.
In addition, one end of the loopback bridge group is configured with the public network VRF and the other end with the private network VRF; users can configure both according to their needs. After the loopback bridge group is configured, when a firewall overload message is received, the network device changes the target equal-cost exit in the ECMP group from pointing to the firewall to pointing to the loopback bridge group. For example, referring to FIG. 4, the routes 10.1.1.0, 20.1.1.0 and 30.1.1.0 in the switch's routing table all point to ECMP1, and the escape path of ECMP1 is a loopback bridge group composed of the two physical ports port1 and port2 interconnected. After receiving the firewall overload message, the network device points one exit of ECMP1, nexthop1, to the physical port port1 on the public-network side of the loopback bridge group; traffic data from port1 is looped back through the loopback bridge group to the physical port port2 on the private-network side. Traffic data is transmitted through the equal-cost exits of ECMP1 to port1 and port3.
The traffic data passing through port1 is looped back to the network device by the escape path, which relieves the firewall's traffic pressure. The exits nexthop2, nexthop3 and nexthop4 of ECMP1 still point to the physical port port3 connected to the firewall; the traffic data transmitted through port3 reaches the firewall, and the firewall sends a firewall overload notification to the network device through the physical port port4. Similarly, if port1 is the private-side physical port, port2 is the public-side physical port.
Step S30: split the traffic data between the escape path and the firewall.
After the target next hops of the ECMP group have been changed to point to the escape path, the network device no longer sends all traffic straight to the firewall. Instead, for each data flow waiting to be transmitted, the ECMP group uses its hash rule to pick one equal-cost next hop, the flow is sent to the physical port that next hop points to, and from that port it reaches either the escape path or the firewall. In this embodiment, if the ECMP hash assigns a data flow to a target next hop, the flow is sent to the escape path, which loops it back into the network device; otherwise the flow is sent to the firewall. For example, in ECMP1 the flows hashed to nexthop1 go to the loopback bridge group, which loops them back to the network device instead of discarding them, while the flows hashed to nexthop2, nexthop3 and nexthop4 go to the firewall, which scrubs them.
To aid understanding of the flow of the method by which a device interfaces with a firewall in this embodiment, an example is given below.
As shown in Figure 3, the switch is connected to the firewall through physical ports port3 and port4. The public-network traffic matching the switch routes 10.1.1.0/20.1.1.0/30.1.1.0 must be scrubbed by the firewall before it reaches the private network. While the firewall is not overloaded, the network device points the routes 10.1.1.0/20.1.1.0/30.1.1.0 to ECMP1, and all next hops of ECMP1 (nexthop1, nexthop2, nexthop3 and nexthop4) point to port3, the public-network-side port connected to the firewall. Traffic on the network device is resolved by the routing-table lookup to the exit ECMP1, and ECMP1 sends all of it to the firewall according to its hash rule. When the firewall's traffic becomes overloaded, it notifies the device either directly or through the network management station. After the network device receives the firewall's overload message, as shown in Figure 4 it sets up a loopback bridge group made of the two interconnected physical ports port1 and port2 as the escape path, with port1 on the public-network side and port2 on the private-network side and the two ports looped back to each other by a direct cable. The network device points one next hop of ECMP1, nexthop1, to port1 on the public-network side of the loopback bridge group. Traffic is still resolved by the routing-table lookup to ECMP1; ECMP1's hash rule now assigns part of the traffic to nexthop1, which leaves through port1, is looped back to port2 on the private-network side and so re-enters the network device, relieving the traffic load on the firewall. If the network device keeps receiving firewall overload messages, it keeps increasing the proportion of ECMP group members that point to port1 on the public-network side of the loopback bridge group, steadily reducing the share of traffic sent to the firewall, until the firewall overload clears. Once the network device receives the message that the firewall is no longer overloaded, it restores the ECMP1 members that point to the public-network side of the loopback bridge group so that they point directly to the firewall again, gradually increasing the firewall's share of traffic until that share is balanced and stable. This completes the automatic traffic adjustment between the network device and the firewall, together with the VRF crossing, all without additional configuration.
In this embodiment, after it is detected that the traffic data to be transmitted by the device needs to be split, one or more target next hops are selected from the equal-cost next hops of the equal-cost multipath routing group determined in the device and changed from pointing to the firewall to pointing to the escape path, and the traffic is then split between the escape path and the firewall. Because the traffic sent to the firewall can be adjusted automatically by controlling the target next hops in the equal-cost multipath routing group, the firewall's load is reduced and the network device's traffic is not discarded when the firewall is overloaded.
Based on the first embodiment of the present application above, a second embodiment of the method for a device to interface with a firewall is proposed. In this embodiment, step S30 of the above embodiment, splitting the traffic data between the escape path and the firewall, includes:
Step a: when the number of target next hops is smaller than the number of equal-cost next hops, determine the first sub-flow data, namely the part of the traffic that passes through the target next hops, and transmit the first sub-flow data over the escape path;
Step b: transmit the other sub-flow data, namely the traffic other than the first sub-flow data, through the firewall.
In this embodiment, when the number of target next hops equals the number of equal-cost next hops, it is determined that the firewall has failed and traffic can no longer pass through it, and a corresponding prompt can be output to inform the user. When the number of target next hops is smaller than the number of equal-cost next hops, it is determined that the traffic can be split at the next hop, that is, part of the traffic passes through the firewall and the other part through the escape path. Accordingly, during split transmission the ECMP group uses its hash rule to determine all data flows that pass through the target next hops (the first sub-flow data); the first sub-flow data is transmitted over the escape path, and all other traffic that is not first sub-flow data is still transmitted through the firewall. The traffic data thus consists of the first sub-flow data and the other sub-flow data.
In this embodiment, when the number of target next hops is smaller than the number of equal-cost next hops, the first sub-flow data is transmitted over the escape path and the other sub-flow data is transmitted through the firewall, so that the traffic is split and is not discarded when the firewall is overloaded.
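The following is an added example and not code from the patent: a Python model of the ECMP group described above, covering the step S30 behaviour (per-flow hashing, target next hops re-pointed to the escape path) and steps a and b (first sub-flow data versus other sub-flow data, and the all-members-diverted condition that the text treats as a firewall fault). The CRC32 hash over the 5-tuple standing in for the switch hash, the lowest-index-first re-pointing rule and the sample flows are assumptions, not taken from the page.

```python
"""Added example (not from the patent): ECMP group model with firewall / escape-path members."""
import zlib
from dataclasses import dataclass
from typing import List, Tuple

FIREWALL = "firewall"  # member points at the firewall-facing port (port3 in Figure 4)
ESCAPE = "escape"      # member points at the loopback bridge group (port1 or Trunk1)


@dataclass(frozen=True)
class Flow:
    """5-tuple identifying one data flow; it is the hash key the ECMP group uses."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


class EcmpGroup:
    """ECMP group whose members all start out pointing at the firewall (step f)."""

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("an ECMP group needs at least one next hop")
        self.nexthops: List[str] = [FIREWALL] * size

    @property
    def size(self) -> int:
        return len(self.nexthops)

    @property
    def diverted(self) -> int:
        """How many target next hops currently point at the escape path."""
        return self.nexthops.count(ESCAPE)

    def select(self, flow: Flow) -> int:
        """Hash the 5-tuple to a member index. CRC32 is an assumption standing in
        for the ASIC hash; what matters is that a flow always maps to one member."""
        key = f"{flow.src}|{flow.dst}|{flow.proto}|{flow.sport}|{flow.dport}".encode()
        return zlib.crc32(key) % self.size

    def set_diverted(self, count: int) -> None:
        """Point exactly `count` members at the escape path (lowest index first,
        an assumed rule) and the remaining members at the firewall."""
        if not 0 <= count <= self.size:
            raise ValueError("diverted count must be between 0 and the group size")
        self.nexthops = [ESCAPE] * count + [FIREWALL] * (self.size - count)

    def firewall_faulted(self) -> bool:
        """Target next hops == all next hops: nothing reaches the firewall any more,
        which the text treats as a firewall fault to be reported to the user."""
        return self.diverted == self.size

    def partition(self, flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
        """Split flows into (first sub-flow data -> escape path, other sub-flow data -> firewall)."""
        escape: List[Flow] = []
        firewall: List[Flow] = []
        for flow in flows:
            bucket = escape if self.nexthops[self.select(flow)] == ESCAPE else firewall
            bucket.append(flow)
        return escape, firewall


def sample_flows(count: int) -> List[Flow]:
    """Constructed sample: TCP flows from the public 10.1.1.0 route towards the private network."""
    return [Flow(f"10.1.1.{i % 250 + 1}", f"192.168.{i // 250}.{i % 250 + 1}", 6, 40000 + i, 443)
            for i in range(count)]


def unscrubbed_share(group: EcmpGroup, flows: List[Flow]) -> float:
    """Fraction of flows that bypass the firewall, i.e. enter the private network unscrubbed."""
    escape, _ = group.partition(flows)
    return len(escape) / len(flows) if flows else 0.0


if __name__ == "__main__":
    group = EcmpGroup(4)  # ECMP1 with nexthop1..nexthop4
    flows = sample_flows(1000)
    for diverted in range(0, 5):
        group.set_diverted(diverted)
        escape, fw = group.partition(flows)
        print(f"diverted={diverted} escape={len(escape)} firewall={len(fw)} "
              f"fault={group.firewall_faulted()}")
```

Because members are re-pointed lowest index first, the set of flows on the escape path only grows as more members are diverted; a flow never bounces between the firewall and the escape path while the overload persists, which is the property the per-flow hash is relied on for.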
In one implementation, the escape path includes a loopback bridge group, and transmitting the first sub-flow data over the escape path includes:
Step a1: transmit the first sub-flow data through the target next hop that points to the loopback bridge group to the input end of the loopback bridge group, and loop it back through the output end of the loopback bridge group.
In this embodiment, when the escape path includes a loopback bridge group, that is, when a loopback bridge group connected to the target next hop has been set up in the network device, then once the ECMP group has received the traffic arriving from the routing exit and the first sub-flow data has been determined to go to the loopback bridge group, the first sub-flow data is made to pass in turn through the target next hop, the input end of the loopback bridge group and the output end of the loopback bridge group, achieving the traffic escape. The loopback bridge group is the interconnection of two ports or two link aggregation groups (by an external cable or by an internal interconnection supported by the chip), each of which is placed in the public-network or the private-network VRF. A route that needs to cross from the public-network VRF to the private-network VRF can then simply point its exit at one port or link aggregation group of the loopback bridge group, and the VRF crossing is completed by the loopback bridging without configuring any VRF route leaking between the two VRFs. In one implementation, if the first sub-flow data flows from the public network to the private network, the public-network VRF side of the loopback bridge group is the input end and the private-network VRF side is the output end; likewise, if the first sub-flow data flows from the private network to the public network, the private-network VRF side is the input end and the public-network VRF side is the output end.
In this embodiment, the first sub-flow data carried by the target next hop of the ECMP group is sent to the input end of the loopback bridge group and looped back from its output end into the network device. Using the loopback bridge group as the escape path keeps the VRFs isolated and completes the VRF crossing without any VRF route-leaking configuration, and the whole loopback process needs no manual intervention: every action can be performed automatically. Moreover, because the routes of the network device never need to be re-pointed (they point to the ECMP group throughout) and only the next hops of the ECMP group change to regulate the load on the firewall, traffic is not discarded.
In one implementation, transmitting the first sub-flow data through the target next hop pointing to the loopback bridge group to the input end of the loopback bridge group and looping it back through the output end of the loopback bridge group includes:
Step a11: when the loopback bridge group is a link aggregation group, determine the transmission protocol corresponding to the link aggregation group;
In this embodiment, if the escape path pointed to by the target next hop of the ECMP group is a loopback bridge group formed by interconnecting two link aggregation groups, then, because a link aggregation group must dynamically negotiate a transmission protocol such as LACP (Link Aggregation Control Protocol), the device has to negotiate LACP with itself across the loopback bridge before the two link aggregation groups can come up as an interconnected loopback bridge group.
Step a12: construct a transmission packet from the destination MAC address associated with the transmission protocol and the first sub-flow data;
After the LACP negotiation of the network device's link aggregation groups across the loopback bridge has succeeded, the first sub-flow data must still be delivered correctly into the loopback bridge group to complete the loopback. The destination MAC address chosen when the link aggregation groups negotiated LACP across the loopback bridge (for example a special MAC address) is therefore encapsulated together with the first sub-flow data into a transmission packet that is sent into the loopback bridge, so that the loopback bridge group loops the first sub-flow data back correctly.
Step a13: transmit the transmission packet through the target next hop pointing to the link aggregation group to the input end of the link aggregation group, and loop it back through the output end of the link aggregation group;
Step a14: when the destination MAC address in the looped-back transmission packet matches the preset special source MAC address, continue forwarding the looped-back transmission packet.
When the network device negotiates the loopback bridge over link aggregation groups, it must choose a special source MAC address (the preset special source MAC address, denoted SMAC) for sending, so that the network device can peer with itself using the LACP of the link aggregation groups. The link aggregation groups of the loopback bridge send their LACP packets with the SMAC address, whereas the LACP packets of all other, non-loopback link aggregation groups continue to use the device's own source MAC address. A packet passing through the loopback bridge group therefore has its destination MAC address compared with the SMAC address: only if the two match is the packet identified as a transmission packet of the loopback bridge link aggregation group and its looped-back forwarding continued. If they do not match, the packet is not a transmission packet of the loopback bridge link aggregation group; it is not looped back through the loopback bridge group but is either forwarded in the network device's ordinary way or, if it is judged to have reached the loopback bridge group in error, simply discarded.
In this embodiment, once it is determined that the escape path pointed to by the target next hop of the ECMP group is a loopback bridge group formed by two interconnected link aggregation groups, the transmission packet is sent with the destination MAC address, completing the LACP loopback-bridge negotiation of the link aggregation groups, so that the loopback bridge group loops packets back correctly and the traffic sent to it returns to the network device.
In one implementation, after determining the transmission protocol corresponding to the link aggregation group, the method includes:
Step a15: determine the device MAC address used by the transmission protocol, obtain a preset offset, and construct the destination MAC address from the offset and the device MAC address.
Because the network device's LACP transmit path uses the device's own MAC (Media Access Control) address as the source MAC address, an LACP packet sent that way and looped back arrives as an LACP packet whose source MAC address is the device's own address; such a packet is discarded, and the two link aggregation groups cannot be brought up successfully.
Therefore, in this embodiment, referring to Figure 6, the loopback bridge group is formed by interconnecting the link aggregation groups Trunk1 and Trunk2. When the link aggregation groups negotiate LACP across the loopback bridge, the network device's CPU (central processing unit) selects a special source MAC address and sends the LACP protocol packets with that address as source. The network device can then peer with itself over the LACP of the link aggregation groups, and adding this special source MAC address to the device's MAC table means the address is learned into the MAC address table. Specifically, the device's MAC address plus an offset (MAC+offset) can be used as the special source MAC address: the offset address still lies within the MAC address range allocated to this network device, so it may legitimately be used and will not collide with the MAC address of any other network device. Alternatively, any other special MAC address that does not collide with other MAC addresses on the network may be chosen as the special source MAC address for sending LACP protocol packets. Either way, the LACP loopback-bridge negotiation of the network device's link aggregation groups completes. Here the device physical address is the MAC address and the offset address is the offset.
In this embodiment, the destination MAC address is constructed from the offset and the device MAC address to ensure that the escape path operates normally when it later uses the destination MAC address to loop back the first sub-flow data.
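The following is an added example and not code from the patent: a Python sketch of steps a12 to a15 above. It derives the special source MAC as device MAC + offset, shows why an LACPDU sent from the device's own MAC is dropped after loopback while one sent from the SMAC is accepted, and applies the step a14 destination-MAC check to a frame returning from the loopback bridge. The 48-bit wrap-around arithmetic, the offset value of 1, the constructed MAC addresses and the minimal Ethernet header used as the "transmission packet" are assumptions; the page does not fix them.

```python
"""Added example (not from the patent): special source MAC for LACP loopback bridging."""
import struct
from typing import Tuple

MAC_MOD = 1 << 48
LACP_ETHERTYPE = 0x8809                   # IEEE 802.3 Slow Protocols EtherType (carries LACPDUs)
SLOW_PROTOCOLS_DST = "01:80:c2:00:00:02"  # destination MAC of every LACPDU


def mac_to_int(mac: str) -> int:
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    if not 0 <= value < MAC_MOD:
        raise ValueError("value does not fit in 48 bits")
    return ":".join(f"{b:02x}" for b in value.to_bytes(6, "big"))


def special_source_mac(device_mac: str, offset: int) -> str:
    """Step a15: SMAC = device MAC + offset with 48-bit wrap-around (an assumption).
    The caller must keep the offset inside the address block allocated to the
    device; only the two outcomes that can never work are rejected here."""
    if offset <= 0:
        raise ValueError("offset must be positive so that SMAC differs from the device MAC")
    smac = (mac_to_int(device_mac) + offset) % MAC_MOD
    if (smac >> 40) & 1:
        raise ValueError("resulting address has the I/G bit set (multicast)")
    return int_to_mac(smac)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst, src, EtherType, payload (the 'transmission packet')."""
    return (mac_to_int(dst_mac).to_bytes(6, "big")
            + mac_to_int(src_mac).to_bytes(6, "big")
            + struct.pack("!H", ethertype)
            + payload)


def parse_header(frame: bytes) -> Tuple[str, str, int]:
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = int_to_mac(int.from_bytes(frame[0:6], "big"))
    src = int_to_mac(int.from_bytes(frame[6:12], "big"))
    return dst, src, struct.unpack("!H", frame[12:14])[0]


def lacp_accepts_looped_pdu(frame: bytes, device_mac: str) -> bool:
    """The failure the text describes: an LACPDU looped back with the device's own
    MAC as source looks like the device's own frame and is dropped, so the two
    LAGs never come up. Sent from the SMAC instead, it is accepted."""
    _, src, ethertype = parse_header(frame)
    return ethertype == LACP_ETHERTYPE and src != device_mac


def classify_looped_frame(frame: bytes, smac: str) -> str:
    """Step a14: a frame returning from the loopback bridge continues its loopback
    forwarding only if its destination MAC equals the SMAC; anything else goes to
    ordinary forwarding (or is dropped as misdelivered)."""
    dst, _, _ = parse_header(frame)
    return "loopback-continue" if dst == smac else "normal-forward"


if __name__ == "__main__":
    device_mac = "00:11:22:33:44:55"           # constructed device MAC
    smac = special_source_mac(device_mac, 1)   # offset 1 is an assumption
    # Placeholder LACPDU payload (subtype byte only); a real LACPDU is 110 bytes.
    bad_pdu = build_frame(SLOW_PROTOCOLS_DST, device_mac, LACP_ETHERTYPE, b"\x01")
    good_pdu = build_frame(SLOW_PROTOCOLS_DST, smac, LACP_ETHERTYPE, b"\x01")
    print("SMAC", smac)
    print("own-MAC LACPDU accepted:", lacp_accepts_looped_pdu(bad_pdu, device_mac))
    print("SMAC LACPDU accepted:   ", lacp_accepts_looped_pdu(good_pdu, device_mac))
    data = build_frame(smac, device_mac, 0x0800, b"first sub-flow data")
    stray = build_frame("00:11:22:33:44:77", device_mac, 0x0800, b"not for the loopback")
    print(classify_looped_frame(data, smac), classify_looped_frame(stray, smac))
```

The multicast check matters in practice: an offset that carries into the first octet's I/G bit would produce an address no switch will learn as a unicast source, so the LACP peering would silently never form.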
In one implementation, before transmitting the first sub-flow data through the target next hop pointing to the loopback bridge group to the input end of the loopback bridge group and looping it back through the output end of the loopback bridge group, the method includes:
Step a01: obtain the public-network virtual routing and forwarding (VRF) instance and the private-network VRF corresponding to the device, and configure the loopback bridge group according to the public-network VRF and the private-network VRF.
In this embodiment, before the split transmission, if the escape path is a loopback bridge group, the loopback bridge group can be configured according to the public-network VRF and private-network VRF of the device. For example, as shown in Figure 5, the routes 10.1.1.0, 20.1.1.0 and 30.1.1.0 in the switch's routing table all point to ECMP1, and the escape path pointed to by the target next hop of ECMP1 is a loopback bridge group formed by interconnecting the two link aggregation groups Trunk1 and Trunk2. After the public-network VRF and private-network VRF of the network device have been obtained, Trunk1 is configured in the public-network VRF and Trunk2 in the private-network VRF. One next hop of ECMP1, nexthop1, points to Trunk1, so traffic is distributed over the equal-cost next hops of ECMP1 to Trunk1 and to physical port port3; the traffic sent to Trunk1 is looped back into the network device by the escape path, while the next hops nexthop2, nexthop3 and nexthop4 of ECMP1 still point to port3, which connects to the firewall, so the traffic sent out of port3 reaches the firewall, and the firewall sends its overload notification to the network device through port4. Equally, if Trunk1 is configured in the private-network VRF, Trunk2 is configured in the public-network VRF.
The escape path may also be a loopback bridge group formed by two interconnected physical ports; its public-network and private-network VRFs are configured in the same way as for a loopback bridge group formed by two interconnected link aggregation groups, which is not repeated here.
In this embodiment, the loopback bridge group is configured according to the public-network VRF and private-network VRF of the device so that it subsequently operates normally as the escape link.
In one implementation, after the traffic data has been split between the escape path and the firewall, the method includes:
Step c: after one hop of transmission of the traffic data has been completed, if remaining traffic data that has not finished transmitting exists in the device, detect whether the remaining target traffic data, namely the part of the remaining traffic that is heading for the firewall, needs to continue to be split;
In this embodiment, after one hop of transmission of the traffic data has been completed and remaining traffic that has not finished transmitting is detected in the device, the firewall can be checked again to decide whether the remaining traffic should continue to be split at the next hop. If the firewall is again found to be overloaded, the remaining target traffic heading for the firewall continues to be split.
Step d: when the remaining target traffic data needs to continue to be split, repeat the step of selecting one or more target next hops from the plurality of equal-cost next hops and changing them from pointing to the firewall to pointing to the preset escape path;
Once it has been determined that the remaining target traffic needs to be split again, the pointing of the equal-cost next hops in the ECMP group continues to be adjusted. In one implementation, one or more further equal-cost next hops are selected as newly added target next hops, that is, the proportion of target next hops is increased, and the newly added target next hops are changed from pointing to the firewall to pointing to the escape path; the adjustment of the ECMP group ends only when a message that the firewall is no longer overloaded is received. The number of target next hops added in each adjustment can be set by the user.
Moreover, because the number of next hops in an ECMP group is fixed (typical chips support groups of 8, 16 or 32 next hops), the pointing of the ECMP group's next hops can be adjusted repeatedly, gradually increasing the number of next hops pointing to the escape path and reducing the number pointing to the firewall.
Step e: when the remaining traffic data needs to be merged again, restore the target next hops that point to the escape path so that they point to the firewall, and transmit the remaining traffic data through the firewall.
In this embodiment, when the firewall is detected to be no longer overloaded and to have sufficient resources, the splitting of the remaining traffic can stop and the remaining traffic can be merged back onto the firewall. At that point the pointing of the target next hops is restored, that is, changed from the escape path back to the firewall, so that the remaining traffic is subsequently transmitted through the firewall. The restoration can follow a rule such as equal proportion or equal count, for example restoring the pointing of one target next hop at a time.
In this embodiment, after one hop of transmission of the traffic data has been completed and remaining traffic exists, the pointing of the equal-cost next hops continues to be changed when the remaining target traffic heading for the firewall needs to be split again, and the pointing of the target next hops is restored when the remaining traffic needs to be merged again. This provides dynamic adjustment that keeps the traffic flowing normally while preventing traffic from being discarded because the firewall is overloaded.
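The following is an added example and not code from the patent: the adjustment loop of steps c, d and e as a small Python controller. Because the share of traffic still scrubbed by the firewall is fixed by how many of the N ECMP members point at the escape path, the controller tracks only that count, raises the firewall-fault condition from the second embodiment when every member has been diverted, and records the firewall share per hop so that an operator can see how much traffic is currently bypassing scrubbing on its way into the private network. The one-member-per-hop step in each direction and the boolean overload signal are assumptions; the page leaves the step size to the user and does not fix the message format.

```python
"""Added example (not from the patent): per-hop ramp-up / restore of diverted ECMP members."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Snapshot:
    hop: int
    diverted: int          # members pointing at the escape path after this hop
    firewall_share: float  # (size - diverted) / size: fraction still scrubbed
    state: str             # "normal" | "diverting" | "firewall_fault"


@dataclass
class EscapeController:
    size: int              # ECMP members; typical ASIC groups hold 8, 16 or 32
    step_up: int = 1       # members re-pointed to the escape path per overloaded hop (assumed)
    step_down: int = 1     # members restored to the firewall per non-overloaded hop (assumed)
    diverted: int = 0
    hop: int = 0
    history: List[Snapshot] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.size < 1 or self.step_up < 1 or self.step_down < 1:
            raise ValueError("size and both step sizes must be positive")

    def _state(self) -> str:
        if self.diverted == self.size:
            # Target next hops == all next hops: no member reaches the firewall.
            # The text treats this as a firewall fault and prompts the user.
            return "firewall_fault"
        return "diverting" if self.diverted else "normal"

    def on_hop(self, overloaded: bool) -> Snapshot:
        """Apply one hop's adjustment after the firewall has reported its load."""
        self.hop += 1
        if overloaded:
            # Step d: keep adding target next hops while the overload persists,
            # bounded by the fixed group size.
            self.diverted = min(self.size, self.diverted + self.step_up)
        else:
            # Step e: restore target next hops gradually, one rule-sized step per hop,
            # rather than merging everything back onto the firewall at once.
            self.diverted = max(0, self.diverted - self.step_down)
        snap = Snapshot(self.hop, self.diverted,
                        (self.size - self.diverted) / self.size, self._state())
        self.history.append(snap)
        return snap

    def run(self, signals: List[bool]) -> List[int]:
        """Feed a sequence of overload signals (one per hop); return the diverted count after each."""
        return [self.on_hop(s).diverted for s in signals]


if __name__ == "__main__":
    # Constructed scenario for ECMP1 (4 members): five overloaded hops, then recovery.
    ctrl = EscapeController(size=4)
    ctrl.run([True, True, True, True, True, False, False, False, False, False])
    for snap in ctrl.history:
        print(f"hop {snap.hop}: diverted={snap.diverted} "
              f"firewall_share={snap.firewall_share:.2f} state={snap.state}")
```

The fifth overloaded hop shows the boundary the text warns about: the count cannot rise past the group size, so a persistent overload ends in the firewall-fault state with every flow unscrubbed, which is why that state is surfaced to the user rather than silently tolerated.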
In one implementation, after it is detected that the traffic data to be transmitted by the device needs to be split, and before the plurality of equal-cost next hops corresponding to the equal-cost multipath routing group in the device are determined, the method includes:
Step f: set the routing exit in the device to point to a preset equal-cost multipath routing group, and set the equal-cost next hops of the equal-cost multipath routing group to point to the firewall.
In this embodiment, the routing exit of the network device is set to point not directly at the firewall but at the ECMP group, while the equal-cost next hops of the ECMP group point to the firewall. An ECMP group generally contains multiple equal-cost next hops; while the firewall is not overloaded, all of them point to the firewall, so that all traffic is sent to the firewall for scrubbing. When the firewall is found to be overloaded, the routes in the network device are not re-pointed: they point to the ECMP group throughout, and the ECMP group's next hops are changed to regulate the load on the firewall. The network device therefore never experiences a visible interruption of traffic, the switchover is simple and convenient, and no traffic is discarded because of firewall overload, so the integrity of the traffic is preserved.
在本实施例中,只需要使用ECMP组来调节设备与防火墙的连接,并且使用一组环回桥接口接入不同的VRF,即可对设备发往防火墙的流量进行自动控制,且过程中无需人工干预,亦不会出现断流或者长时间的丢包现象。在设备对接防火墙的场景中,自动应对防火墙过载情况,可以提升交换机路由器产品的网络灵活性,提升网络设备的可维能力,并提升用户的网络使用感知。In this embodiment, you only need to use the ECMP group to adjust the connection between the device and the firewall, and use a group of loopback bridge interfaces to access different VRFs to automatically control the traffic sent from the device to the firewall, and no manual intervention is required during the process, and there will be no interruption or long-term packet loss. In the scenario where the device is connected to the firewall, automatically responding to the firewall overload can improve the network flexibility of switch and router products, improve the maintainability of network equipment, and improve users' network usage perception.
此外,本申请实施例还提出一种设备对接防火墙系统,设备对接防火器系统包括存储器、处理器及存储在所述存储器上并可在所述处理器上执行的设备对接防火墙程序,所述设备对接防火墙程序被所述处理器执行时实现如上述的设备对接防火墙方法的步骤。In addition, an embodiment of the present application also proposes a device docking firewall system, which includes a memory, a processor, and a device docking firewall program stored in the memory and executable on the processor. When the device docking firewall program is executed by the processor, the steps of the device docking firewall method as described above are implemented.
此外,为实现上述目的,本申请还提供一种计算机可读存储介质,计算机可读存储介质上存储有设备对接防火墙程序,设备对接防火墙程序被处理器执行时实现如上述的设备对接防火墙方法的步骤。In addition, to achieve the above-mentioned purpose, the present application also provides a computer-readable storage medium, on which a device docking firewall program is stored. When the device docking firewall program is executed by a processor, the steps of the device docking firewall method as described above are implemented.
本申请计算机可读存储介质具体实施方式与上述设备对接防火墙方法各实施例基本相同,在此不再赘述。The specific implementation of the computer-readable storage medium of the present application is basically the same as the embodiments of the above-mentioned device docking firewall method, and will not be repeated here.
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者系统不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者系统所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、方法、物品或者系统中还存在另外的相同要素。It should be noted that, in this article, the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, article or system including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or system. In the absence of further restrictions, an element defined by the sentence "comprises a ..." does not exclude the existence of other identical elements in the process, method, article or system including the element.
上述本申请实施例序号仅仅为了描述,不代表实施例的优劣。The serial numbers of the embodiments of the present application are for description only and do not represent the advantages or disadvantages of the embodiments.
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到上述实施例方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在如上所述的一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本申请各个实施例所述的方法。Through the description of the above implementation methods, those skilled in the art can clearly understand that the above-mentioned embodiment methods can be implemented by means of software plus a necessary general hardware platform, and of course by hardware, but in many cases the former is a better implementation method. Based on such an understanding, the technical solution of the present application is essentially or the part that contributes to the prior art can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) as described above, including a number of instructions for a terminal device (which can be a mobile phone, computer, server, or network device, etc.) to execute the methods described in each embodiment of the present application.
以上仅为本申请的可选实施例,并非因此限制本申请的专利范围,凡是 利用本申请说明书及附图内容所作的等效结构或等效流程变换,或直接或间接运用在其他相关的技术领域,均同理包括在本申请的专利保护范围内。 The above are only optional embodiments of the present application, and do not limit the patent scope of the present application. Equivalent structures or equivalent process changes made using the contents of the description and drawings of this application, or directly or indirectly applied in other related technical fields, are also included in the scope of patent protection of this application.

Claims (10)

  1. A method for connecting a device to a firewall, comprising:
    after detecting that traffic data to be transmitted in a device needs to be split for transmission, determining a plurality of equal-cost exits corresponding to an equal-cost multipath routing group in the device;
    selecting one or more target equal-cost exits from the plurality of equal-cost exits and changing them from pointing to the firewall to pointing to a preset escape path;
    performing split transmission of the traffic data based on the escape path and the firewall.
  2. The method for connecting a device to a firewall according to claim 1, wherein performing split transmission of the traffic data based on the escape path and the firewall comprises:
    when the number of target equal-cost exits is less than the number of equal-cost exits, determining first sub-traffic data in the traffic data that flows through the target equal-cost exits, and controlling the first sub-traffic data to be transmitted through the escape path;
    controlling the other sub-traffic data in the traffic data, other than the first sub-traffic data, to be transmitted through the firewall.
  3. The method for connecting a device to a firewall according to claim 2, wherein the escape path comprises a loopback bridge group, and controlling the first sub-traffic data to be transmitted through the escape path comprises:
    controlling the first sub-traffic data to be transmitted to the input end of the loopback bridge group through a target equal-cost exit pointing to the loopback bridge group, and looped back through the output end of the loopback bridge group.
  4. The method for connecting a device to a firewall according to claim 3, wherein controlling the first sub-traffic data to be transmitted to the input end of the loopback bridge group through the target equal-cost exit pointing to the loopback bridge group, and looped back through the output end of the loopback bridge group, comprises:
    when the loopback bridge group is a link aggregation group, determining a transmission protocol corresponding to the link aggregation group;
    constructing a transmission packet according to the target physical address corresponding to the transmission protocol and the first sub-traffic data;
    transmitting the transmission packet to the input end of the link aggregation group through a target equal-cost exit pointing to the link aggregation group, and looping it back through the output end of the link aggregation group;
    when the target physical address in the looped-back transmission packet matches a preset special source physical address, continuing to complete the transmission of the looped-back transmission packet.
  5. The method for connecting a device to a firewall according to claim 4, wherein after determining the transmission protocol corresponding to the link aggregation group, the method further comprises:
    determining a device physical address corresponding to the transmission protocol, obtaining a preset offset address, and constructing the target physical address according to the offset address and the device physical address.
  6. The method for connecting a device to a firewall according to claim 3, wherein before controlling the first sub-traffic data to be transmitted to the input end of the loopback bridge group through the target equal-cost exit pointing to the loopback bridge group and looped back through the output end of the loopback bridge group, the method comprises:
    obtaining a public-network virtual routing and forwarding (VRF) instance and a private-network VRF corresponding to the device, and configuring the loopback bridge group according to the public-network VRF and the private-network VRF.
  7. The method for connecting a device to a firewall according to claim 1, wherein after performing split transmission of the traffic data based on the escape path and the firewall, the method further comprises:
    after completing one-hop transmission of the traffic data, if remaining traffic data that has not finished transmitting exists in the device, detecting whether split transmission needs to continue for the remaining target traffic data, in the remaining traffic data, that flows to the firewall;
    when split transmission needs to continue for the remaining target traffic data, continuing to perform the step of selecting one or more target equal-cost exits from the plurality of equal-cost exits and changing them from pointing to the firewall to pointing to the preset escape path;
    when the remaining traffic data needs to be transmitted in merged form, restoring the target equal-cost exits pointing to the escape path to point to the firewall, and performing merged transmission of the remaining traffic data through the firewall.
  8. The method for connecting a device to a firewall according to claim 1, wherein after detecting that the traffic data to be transmitted in the device needs to be split for transmission, and before determining the plurality of equal-cost exits corresponding to the equal-cost multipath routing group in the device, the method comprises:
    setting a route exit in the device to point to a preset equal-cost multipath routing group, and setting the equal-cost exits in the equal-cost multipath routing group to point to the firewall.
  9. A system for connecting a device to a firewall, wherein the system comprises a memory, a processor, and a device-to-firewall program stored in the memory and executable on the processor, and when the device-to-firewall program is executed by the processor, the steps of the method for connecting a device to a firewall according to any one of claims 1 to 8 are implemented.
  10. A computer-readable storage medium, wherein a device-to-firewall program is stored on the computer-readable storage medium, and when the program is executed by a processor, the steps of the method for connecting a device to a firewall according to any one of claims 1 to 8 are implemented.
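The following Python model is an added example, not code from the patent or from ZTE: it walks through the ECMP-group escape-path control of step f and claims 1, 2, 4, 5 and 7 above. The hop-by-hop divert/restore policy, the integer flow ids standing in for the device's flow hash, and the MAC values are assumptions.

```python
FIREWALL = "firewall"
ESCAPE = "escape"


class EcmpGroup:
    """ECMP group in front of the firewall (step f): the route points at the
    group, never at the firewall directly, so only the exits are rewritten."""

    def __init__(self, width: int):
        self.exits = [FIREWALL] * width  # all exits start on the firewall

    def divert(self, count: int) -> None:
        """Point `count` exits at the escape path (claim 1); at least one
        exit must keep pointing at the firewall (the claim 2 condition)."""
        if not 0 <= count < len(self.exits):
            raise ValueError("target exits must be fewer than the group's exits")
        self.exits = [ESCAPE] * count + [FIREWALL] * (len(self.exits) - count)

    def restore(self) -> None:
        """Merged transmission: every exit back to the firewall (claim 7)."""
        self.exits = [FIREWALL] * len(self.exits)

    def pick(self, flow_id: int) -> str:
        """A real device hashes the 5-tuple; an integer id stands in for that
        hash so a flow stays on one exit while the group is unchanged."""
        return self.exits[flow_id % len(self.exits)]


def loopback_dst_mac(device_mac: bytes, offset: int) -> bytes:
    """Claim 5: target MAC of the loopback frame = device MAC + preset offset."""
    value = (int.from_bytes(device_mac, "big") + offset) % (1 << 48)
    return value.to_bytes(6, "big")


def accept_looped_frame(frame: bytes, special_src_mac: bytes) -> bool:
    """Claim 4: a frame coming back through the LAG continues only when its
    destination MAC equals the preset special source MAC."""
    return len(frame) >= 12 and frame[:6] == special_src_mac


def one_hop(group: EcmpGroup, flows: list) -> tuple:
    """One hop of transmission: (flows sent via firewall, flows sent via escape)."""
    via_fw = sum(1 for f in flows if group.pick(f) == FIREWALL)
    return via_fw, len(flows) - via_fw


def run(batches: list, capacity: int, width: int = 4) -> tuple:
    """Claim 7 control loop (assumed policy): after each hop, divert one more
    exit while the firewall carried more than `capacity` flows, and restore
    every exit once the remaining batch fits the firewall on its own."""
    group, diverted, history = EcmpGroup(width), 0, []
    for flows in batches:  # each batch is the traffic remaining at that hop
        history.append(one_hop(group, flows))
        if len(flows) <= capacity:
            diverted = 0
            group.restore()
        elif history[-1][0] > capacity and diverted < width - 1:
            diverted += 1
            group.divert(diverted)
    return history, group.exits
```

With a firewall that comfortably carries 4 flows and three hops of 8 remaining flows, the model diverts one exit, then two, and restores all four exits once only 3 flows remain.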
PCT/CN2023/101875 2022-11-21 2023-06-21 Method and system for device to interface with firewall, and computer-readable storage medium WO2024109009A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211464353.8A CN118057786A (en) 2022-11-21 2022-11-21 Method, system and computer readable storage medium for interfacing a device to a firewall
CN202211464353.8 2022-11-21

Publications (1)

Publication Number Publication Date
WO2024109009A1 true WO2024109009A1 (en) 2024-05-30

Family

ID=91069225

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/101875 WO2024109009A1 (en) 2022-11-21 2023-06-21 Method and system for device to interface with firewall, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN118057786A (en)
WO (1) WO2024109009A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101420383A (en) * 2008-12-12 2009-04-29 北京邮电大学 ECMP path soft resuming method in MPLS-TP packet transmission network
US10237157B1 (en) * 2015-06-10 2019-03-19 Amazon Technologies, Inc. Managing host failures in a traffic forwarding system
US20200186460A1 (en) * 2018-12-10 2020-06-11 Microsoft Technology Licensing, Llc Server redundant network paths
US20220321476A1 (en) * 2021-03-31 2022-10-06 Cisco Technology, Inc. Local congestion mitigation

Also Published As

Publication number Publication date
CN118057786A (en) 2024-05-21
