CN104022973A - Message forwarding method, switching module, firewall card and switch - Google Patents
- Publication number: CN104022973A (application CN201410273242.8A)
- Authority: CN (China)
- Prior art keywords: interface, data message, processed, MAC address, switching module
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a packet forwarding method, a switching module, a firewall card and a switch. In the method, the switching module receives, on a first interface connected to an internal virtual local area network (VLAN), a data packet to be processed that carries a destination IP address; it determines from the destination IP address whether the second interface on which the packet would leave is an interface connected to the external Internet, the first and second interfaces both being Layer 3 interfaces; if so, it redirects the packet to the embedded firewall card for firewall and routing processing according to a preset hardware routing table entry, and then receives the processed packet and forwards it. Because the switching module checks whether the egress interface of a packet received on a Layer 3 intranet interface is an extranet interface and, if so, redirects the packet to the firewall card according to the preset hardware routing table entry, the switching module can manage the firewall card uniformly, so that configuration is quick and management is convenient.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular to a packet forwarding method, a switching module, a firewall card and a switch.
Background
Because the Internet is built on the open Transmission Control Protocol/Internet Protocol (TCP/IP) suite, the security of enterprise and campus networks is becoming ever more important. Combining a switch with a firewall security solution, in particular by embedding a firewall card in the core switch, not only solves a number of network security problems but also brings the user considerable convenience in some deployments: the firewall card has extremely high processing performance, reaching the 10-gigabit class, and because it sits inside the switch it simplifies cabling and saves space. Embedding a firewall card in a switch is therefore becoming an increasingly popular deployment mode. A firewall card has several working modes, such as transparent mode, routing mode and mixed mode; in routing mode the firewall card acts as a router when forwarding data.
Although the firewall card is embedded in the switch, that is, plugged into one of its slots, the switch cannot manage the firewall card, because in existing products the switch and the firewall card work independently and are in effect two separate devices. To use the firewall's routing-mode function, a user must configure both the switch and the firewall card: for example, set the working mode of the firewall card and configure the correspondence between each port of the switch and each port of the firewall card.
In the existing packet forwarding process, therefore, the switch and the firewall card have to be configured separately. The configuration is complicated, demands a great deal of the user, and makes unified management of the firewall card and the switch inconvenient.
Disclosure of Invention
To address these problems of the prior art, the invention provides a packet forwarding method, a switching module, a firewall card and a switch, which overcome the complicated configuration caused by having to configure the switch and the firewall card separately.
The invention provides a packet forwarding method comprising the following steps:
when a switching module in a switch receives a first data packet to be processed on a first interface, the first data packet is forwarded as follows, where the first data packet carries a destination IP address and the first interface is an interface connected to an internal virtual local area network (VLAN):
the switching module determines, from the destination IP address, whether the second interface on which the first data packet would leave is an interface connected to the external Internet, where the first interface and the second interface are both Layer 3 interfaces;
if the second interface is an interface connected to the external Internet, the switching module redirects the first data packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry;
the switching module receives the first data packet after firewall and routing processing and forwards the processed first data packet;
or,
when the switching module in the switch receives a second data packet to be processed on a fourth interface, the second data packet is forwarded as follows, where the destination MAC address of the second data packet is the MAC address of the switch and the fourth interface is an interface connected to the external Internet:
the switching module sends the second data packet to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on it;
and the switching module receives the second data packet after firewall processing and performs routing processing on it.
The invention also provides a packet forwarding method comprising the following steps:
when an embedded firewall card in a switch receives a first data packet to be processed that a switching module in the switch has redirected to the firewall card, the first data packet is forwarded as follows:
the firewall card performs firewall and routing processing on the first data packet;
the firewall card returns the processed first data packet to the switching module so that the switching module forwards it;
where the first data packet is redirected to the firewall card according to a preset hardware routing table entry when the switching module, having received it on a first interface connected to an internal VLAN of the switch, determines from its destination IP address that the second interface on which it would leave is an interface connected to the external Internet, the first interface and the second interface both being Layer 3 interfaces;
or,
when the embedded firewall card in the switch receives a second data packet to be processed sent by the switching module in the switch, the second data packet is forwarded as follows:
the firewall card performs firewall processing on the second data packet;
the firewall card sends the second data packet after firewall processing to the switching module, so that the switching module performs routing processing on it;
where the switching module in the switch, after receiving on the fourth interface the second data packet whose destination MAC address is the MAC address of the switch, looks up a preset address table entry keyed on the MAC address of the switch and the fourth interface, determines that the next-hop interface of the second data packet is a fifth interface in-line with the firewall card, and forwards the second data packet to the firewall card through the fifth interface, the fourth interface being an interface connected to the external Internet.
The invention provides a switching module comprising:
a receiving module, configured to receive a first data packet to be processed on a first interface, where the first data packet carries a destination IP address and the first interface is an interface connected to an internal VLAN;
a determining module, configured to determine from the destination IP address whether the second interface on which the first data packet would leave is an interface connected to the external Internet, where the first interface and the second interface are both Layer 3 interfaces;
a redirection module, configured to redirect the first data packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry if the second interface is an interface connected to the external Internet;
and a forwarding module, configured to receive the first data packet after firewall and routing processing and forward the processed first data packet.
The receiving module is further configured to receive a second data packet to be processed on a fourth interface, where the destination MAC address of the second data packet is the MAC address of the switch and the fourth interface is an interface connected to the external Internet;
and the switching module further comprises:
a sending module, configured to send the second data packet to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on it;
and a processing module, configured to receive the second data packet after firewall processing and perform routing processing on it.
The invention provides a firewall card comprising:
a receiving module, configured to receive a first data packet to be processed that a switching module in the switch has redirected to the firewall card;
a processing module, configured to perform firewall and routing processing on the first data packet;
and a sending module, configured to return the processed first data packet to the switching module so that the switching module forwards it;
where the first data packet is redirected to the firewall card according to a preset hardware routing table entry when the switching module, having received it on a first interface connected to an internal VLAN of the switch, determines from its destination IP address that the second interface on which it would leave is an interface connected to the external Internet, the first interface and the second interface both being Layer 3 interfaces.
The receiving module is further configured to receive a second data packet to be processed sent by the switching module in the switch, which the switching module forwards to the firewall card through a fifth interface after receiving it on a fourth interface; the destination MAC address of the second data packet is the MAC address of the switch, the switching module looks up a preset address table entry keyed on the MAC address of the switch and the fourth interface to determine that the next-hop interface of the second data packet is the fifth interface in-line with the firewall card, and the fourth interface is an interface connected to the external Internet;
the processing module is further configured to perform firewall processing on the second data packet;
and the sending module is further configured to send the second data packet after firewall processing to the switching module, so that the switching module performs routing processing on it.
The present invention provides a switch comprising the switching module described above and the firewall card described above.
The invention thus provides a packet forwarding method, a switching module, a firewall card and a switch. A switching module in the switch receives a data packet to be processed on a first interface connected to an internal VLAN; when it determines from the destination IP address in the packet that the second interface on which the packet would leave is an interface connected to the external Internet, the first and second interfaces both being Layer 3 interfaces, it redirects the packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry, and after receiving the processed packet forwards it. By checking whether the egress interface of a packet received on a Layer 3 intranet interface is an extranet interface, and redirecting the packet to the firewall card according to the preset hardware routing table entry when it is, the switching module can manage the firewall card uniformly, so that configuration is quick and management is convenient.
Drawings
Fig. 1 is a schematic diagram of the network architecture used in an embodiment of the invention;
Fig. 2 is a flowchart of a first embodiment of the packet forwarding method of the invention;
Fig. 3 is a flowchart of a second embodiment of the packet forwarding method of the invention;
Fig. 4 is a flowchart of a third embodiment of the packet forwarding method of the invention;
Fig. 5 is a flowchart of a fourth embodiment of the packet forwarding method of the invention;
Fig. 6 is a schematic structural diagram of a first embodiment of the switching module of the invention;
Fig. 7 is a diagram of a first embodiment of the firewall card of the invention;
Fig. 8 is a schematic structural diagram of a first embodiment of the switch of the invention.
Detailed Description
Fig. 1 is a schematic diagram of the network architecture used in an embodiment of the invention. As shown in Fig. 1, an internal VLAN 100 corresponding to a server area and a VLAN 111 corresponding to an office area communicate with the external Internet, for example a VLAN 11 corresponding to a telecommunications network and a VLAN 12 corresponding to a communications network, through a switch. The switch consists mainly of two parts, a switching module and a firewall card. The switching module is connected to the external Internet through, for example, external network interface 1 and external network interface 2, and to the internal VLANs through, for example, internal network interface 1 and internal network interface 2; both the internal and the external network interfaces are Layer 3 interfaces, that is, interfaces with IP-layer routing functions. In addition, the switching module is connected to the firewall card through an internal connection port. The forwarding of data packets is described below for both directions: an internal VLAN user accessing an external Internet user, and an external Internet user accessing an internal VLAN user.
The packet forwarding method provided by the embodiment of the invention covers both the case in which an internal VLAN user accesses an external Internet user and the case in which an external Internet user accesses an internal VLAN user. Specifically, on the one hand, when a switching module in a switch receives a first data packet to be processed on a first interface, it forwards the first data packet as follows, where the first data packet carries a destination IP address and the first interface is an interface connected to an internal VLAN:
the switching module determines, from the destination IP address, whether the second interface on which the first data packet would leave is an interface connected to the external Internet, where the first interface and the second interface are both Layer 3 interfaces;
if the second interface is an interface connected to the external Internet, the switching module redirects the first data packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry;
the switching module receives the first data packet after firewall and routing processing and forwards the processed first data packet;
on the other hand, when the switching module in the switch receives a second data packet to be processed on a fourth interface, it forwards the second data packet as follows, where the destination MAC address of the second data packet is the MAC address of the switch and the fourth interface is an interface connected to the external Internet:
the switching module sends the second data packet to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on it;
and the switching module receives the second data packet after firewall processing and performs routing processing on it.
The two forwarding directions are described in detail below by way of several embodiments.
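As an added illustration (not code from the patent), the following Python simulation models the second direction just summarised: a frame that arrives on an external (fourth) interface with the switch's own MAC address as destination is matched by a preset address table entry keyed on (destination MAC, ingress interface), handed to the firewall card through the fifth interface for firewall processing only, and then routed by the switching module itself. Interface names, MAC and IP addresses, VLAN IDs, the deny list and the host table standing in for the route and ARP lookup are all constructed for the example.

```python
"""Internet -> intranet direction: address-table steering to the firewall card.
Added example, not the patent's code; every address, interface name and VLAN
ID below is a constructed sample value."""
from dataclasses import dataclass, replace

SWITCH_MAC = "00:aa:aa:aa:aa:aa"   # constructed
FW_CARD_IF = "fwcard"              # the fifth interface, in-line with the card


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: int      # 802.1Q VLAN identifier
    ttl: int
    src_ip: str
    dst_ip: str
    in_if: str    # interface the frame arrived on


# Preset address table: (destination MAC, ingress interface) -> next-hop interface.
# Only frames addressed to the switch itself that enter on an external interface
# are pinned to the card; everything else falls through to ordinary forwarding.
ADDRESS_TABLE = {
    (SWITCH_MAC, "extranet1"): FW_CARD_IF,
    (SWITCH_MAC, "extranet2"): FW_CARD_IF,
}

# Constructed host table standing in for the route and ARP lookups the switching
# module performs once the card has returned the frame.
HOSTS = {
    "10.111.0.9": ("intranet2", 111, "00:01:02:03:04:05"),   # office area, VLAN 111
    "10.100.0.3": ("intranet1", 100, "00:01:02:03:04:06"),   # server area, VLAN 100
}


def address_table_lookup(frame):
    """Return the next-hop interface pinned for this (MAC, ingress) pair, or None."""
    return ADDRESS_TABLE.get((frame.dst_mac, frame.in_if))


def firewall_card_filter(frame, deny_ips):
    """In this direction the card performs firewall processing only, no routing."""
    if frame.src_ip in deny_ips or frame.dst_ip in deny_ips:
        return None   # dropped by the filtering rule
    return frame


def route_on_switch(frame):
    """Routing is done by the switching module: TTL decrement and header rewrite."""
    if frame.dst_ip not in HOSTS or frame.ttl <= 1:
        return None
    out_if, out_vid, host_mac = HOSTS[frame.dst_ip]
    return out_if, replace(frame, ttl=frame.ttl - 1, vid=out_vid,
                           src_mac=SWITCH_MAC, dst_mac=host_mac)


def handle_external_frame(frame, deny_ips=frozenset()):
    """Return (action, egress interface, transmitted frame or None)."""
    next_hop = address_table_lookup(frame)
    if next_hop != FW_CARD_IF:
        # Not addressed to the switch on an external interface: this method
        # does not apply and the frame takes the ordinary forwarding path.
        return ("ordinary-forwarding", None, frame)
    filtered = firewall_card_filter(replace(frame, in_if=next_hop), deny_ips)
    if filtered is None:
        return ("dropped-by-firewall", None, None)
    routed = route_on_switch(filtered)
    if routed is None:
        return ("unroutable", None, None)
    out_if, tx = routed
    return ("routed-after-fw", out_if, tx)


if __name__ == "__main__":
    inbound = Frame("00:12:12:12:12:12", SWITCH_MAC, 12, 60,
                    "198.51.100.7", "10.111.0.9", "extranet2")
    print(handle_external_frame(inbound))
    print(handle_external_frame(inbound, deny_ips={"198.51.100.7"}))
```

The point to notice is the key of the address table: a frame with the same destination MAC that enters on an intranet interface is not matched, because the patent routes that direction through the hardware routing table entry described for the first data packet instead.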
Fig. 2 is a flowchart of a first embodiment of the packet forwarding method of the invention, applicable to the scenario in which an internal VLAN user accesses an external Internet user; the data packet to be processed in this embodiment corresponds to the first data packet above. As shown in Fig. 2, the method comprises:
step 101, a switching module in a switch receives a data packet to be processed on a first interface, where the packet carries a destination IP address and the first interface is an interface connected to an internal VLAN;
step 102, the switching module determines from the destination IP address whether the second interface on which the packet would leave is an interface connected to the external Internet, where the first interface and the second interface are both Layer 3 interfaces; if so, step 103 is executed, otherwise the packet is simply forwarded at Layer 2;
step 103, the switching module redirects the packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry;
and step 104, the switching module receives the packet after firewall and routing processing and forwards the processed packet.
In this embodiment, when a user in an internal VLAN, for example a user in VLAN 111 of Fig. 1 (an intranet user for short), wants to communicate with a user in VLAN 12, which corresponds to an external Internet such as the communications network (an extranet user for short), the data packet sent by the intranet user enters the switching module on a first interface corresponding to the intranet; that is, the first interface in this embodiment is an interface connected to an internal VLAN, and in this example it is internal network interface 2 of Fig. 1.
Because each VLAN corresponds to an IP address segment, after the switching module receives the intranet user's packet it determines the packet's egress on the switching module from the destination IP address. If the egress is determined to be a second interface connected to the external Internet, in this example external network interface 2 connected to VLAN 12 of the external communications network, the switching module performs the routing process described below. Otherwise, if the second interface is not an interface connected to the external Internet, the switching module does not need to perform Layer 3 routing and only needs to forward the packet at Layer 2.
If the second interface is an interface connected to the external Internet, for example external network interface 2 in Fig. 1, the switching module redirects the packet to the embedded firewall card for firewall and routing processing according to the preset hardware routing table entry, receives the packet back from the firewall card after firewall and routing processing, and forwards the processed packet.
Specifically, in this embodiment a hardware routing table entry is configured in the switching module in advance. Its function is to redirect a packet received on an internal network interface to the internal interface connected to the embedded firewall card whenever the packet's egress port is an external network interface. In other words, if the egress corresponding to the destination IP address of the packet is the second interface connected to the external Internet, the packet is redirected to the firewall card according to the hardware routing table entry for firewall and routing processing. Firewall processing generally filters packets according to preset rules, as in the prior art, and is not described further. In routing the packet, the firewall card determines the transmission path to the extranet user corresponding to the destination IP address; after firewall and routing processing it returns the processed packet to the switching module, which forwards it to the target extranet user at Layer 2.
In this embodiment, a switching module in a switch receives a data packet to be processed on a first interface connected to an internal VLAN; when it determines from the destination IP address in the packet that the second interface on which the packet would leave is an interface connected to the external Internet, the first and second interfaces both being Layer 3 interfaces, it redirects the packet to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry, and after receiving the processed packet forwards it. By checking whether the egress interface of a packet received on a Layer 3 intranet interface is an extranet interface, and redirecting the packet to the firewall card according to the preset hardware routing table entry when it is, the user is spared separate, complicated configuration of the firewall card and the switching module, so that the switching module can manage the firewall card uniformly and both configuration and management are convenient.
Further, in step 103 of the above embodiment, redirecting the packet to the embedded firewall card for firewall and routing processing according to the preset hardware routing table entry comprises the following steps:
the switching module determines from the hardware routing table entry that the next-hop interface of the packet is a third interface, the third interface being an internal connection interface between the switching module and the firewall card;
the switching module modifies the source Media Access Control (MAC) address in the header of the packet to a preset MAC address and leaves the Virtual Local Area Network identifier (VID) field and the Time To Live (TTL) field of the header unchanged, where the value of the VID field is the identifier of the internal VLAN connected to the first interface;
and the switching module redirects the modified packet to the firewall card through the third interface.
Specifically, the switching module looks up the preset routing table entry using as key the first interface on which the packet was received and the egress second interface determined from the destination IP address, and if a matching entry is found sends the packet to the next-hop interface in that entry. Because the next-hop interface in the preset hardware routing table entry is the internal connection interface to the firewall card, that is, the third interface in this embodiment, the switching module sends the packet to the firewall card through the third interface. Before doing so, the switching module must process the packet as follows: the source MAC address in the header is changed to the preset MAC address, while the VID field and the TTL field of the header are left unchanged, the value of the VID field being the identifier of the VLAN corresponding to the first interface, for example VLAN 111 in Fig. 1. The VID and TTL fields are left unchanged because forwarding the packet to the firewall card through the hardware routing table entry takes place inside the switch and is not routing in the real sense. The firewall card then performs the following routing processing on the packet:
it decrements the TTL field by one, changes the source MAC address to the MAC address of the switch, changes the destination MAC address to the MAC address of the next-hop device connected to the second interface, and changes the value of the VID field to the identifier of the external Internet connected to the second interface, that is, the identifier of the external network to which the destination IP address belongs. The TTL field acts as a counter of the number of times the packet has been forwarded.
Further, in step 104 of the above embodiment, the switching module's receiving the packet after firewall and routing processing and forwarding the processed packet comprises:
the switching module receives, through the third interface, the packet that the firewall card has sent after routing processing, and forwards the processed packet to the next-hop device according to the modified destination MAC address.
Specifically, after the firewall card has performed firewall and routing processing on the packet, it returns the processed packet to the switching module through the third interface, the internal connection interface between the two. The switching module then forwards the processed packet, according to the modified destination MAC address, to the next-hop device through the second interface, that is, the interface connected to the external Internet, and the next-hop device delivers it to the extranet user device corresponding to the destination IP address. In other words, the processed packet is forwarded at Layer 2.
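To make the first direction concrete, here is an added Python simulation of steps 101 to 104 together with the step 103 and step 104 refinements above; it is illustrative code written for this page, not the patent's own implementation. It shows the egress lookup by destination IP, the hardware routing table entry that matches only when a packet received on an internal interface would leave on an external one, the source-MAC rewrite to a preset MAC with VID and TTL left untouched, the firewall card's filter-then-route step (TTL decrement, switch MAC as source, next-hop MAC as destination, external VLAN ID) and the Layer 2 forwarding of the returned frame; a packet whose egress is not external takes the plain Layer 2 path. All interface names, addresses, VLAN IDs, the deny list and the preset MAC value are constructed.

```python
"""Intranet -> internet direction: redirect via a preset hardware routing entry.
Added example, not the patent's code; every address, interface name, VLAN ID
and the 'preset MAC' below is a constructed sample value."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: int          # 802.1Q VLAN identifier
    ttl: int
    src_ip: str
    dst_ip: str
    in_if: str = ""   # interface the frame arrived on


# Constructed topology following Fig. 1: two Layer 3 intranet interfaces, two
# Layer 3 extranet interfaces and the internal connection to the firewall card.
IF_ROLE = {"intranet1": "internal", "intranet2": "internal",
           "extranet1": "external", "extranet2": "external",
           "fwcard": "internal-connection"}

# Each VLAN corresponds to an IP segment; the egress interface is chosen by
# longest-prefix match on the destination IP.
ROUTES = [
    (ip_network("10.100.0.0/16"), "intranet1", 100),    # server area, VLAN 100
    (ip_network("10.111.0.0/16"), "intranet2", 111),    # office area, VLAN 111
    (ip_network("203.0.113.0/24"), "extranet1", 11),    # telecom network, VLAN 11
    (ip_network("198.51.100.0/24"), "extranet2", 12),   # communications network, VLAN 12
]
NEXT_HOP_MAC = {"extranet1": "00:11:11:11:11:11", "extranet2": "00:12:12:12:12:12"}
SWITCH_MAC = "00:aa:aa:aa:aa:aa"
PRESET_MAC = "00:ee:ee:ee:ee:ee"   # source MAC written before the redirect (constructed)


def lookup_egress(dst_ip):
    """Longest-prefix match: return (egress interface, VLAN id of that segment)."""
    addr = ip_address(dst_ip)
    best = None
    for net, iface, vid in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, vid)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return best[1], best[2]


def hw_redirect_entry(in_if, out_if):
    """Preset hardware routing entry keyed on (ingress, egress): it yields the
    third interface only when an internal interface would egress to an external one."""
    if IF_ROLE[in_if] == "internal" and IF_ROLE[out_if] == "external":
        return "fwcard"
    return None


def firewall_card(frame, out_if, out_vid, deny_ips):
    """Firewall card in routing mode: filter first, then route."""
    if frame.dst_ip in deny_ips or frame.src_ip in deny_ips:
        return None       # dropped by the filtering rule
    if frame.ttl <= 1:
        return None       # TTL would expire; a real router would signal this
    return replace(frame, ttl=frame.ttl - 1, src_mac=SWITCH_MAC,
                   dst_mac=NEXT_HOP_MAC[out_if], vid=out_vid)


def switching_module(frame, deny_ips=frozenset()):
    """Return (action, egress interface, frame as transmitted or None)."""
    out_if, out_vid = lookup_egress(frame.dst_ip)            # step 102
    redirect_if = hw_redirect_entry(frame.in_if, out_if)
    if redirect_if is None:
        # Egress is not an external interface: plain Layer 2 forwarding, header untouched.
        return ("l2-forward", out_if, frame)
    # Step 103: source MAC becomes the preset MAC; VID and TTL stay unchanged
    # because this hop is inside the switch and is not a real route.
    to_card = replace(frame, src_mac=PRESET_MAC, in_if=redirect_if)
    processed = firewall_card(to_card, out_if, out_vid, deny_ips)
    if processed is None:
        return ("dropped-by-firewall", None, None)
    # Step 104: the card returns the frame on the third interface and the
    # switching module forwards it at Layer 2 towards the rewritten destination MAC.
    return ("l2-forward-after-fw", out_if, processed)


if __name__ == "__main__":
    outbound = Frame("00:01:02:03:04:05", SWITCH_MAC, 111, 64,
                     "10.111.0.9", "198.51.100.7", in_if="intranet2")
    print(switching_module(outbound))
```

Running the block with a destination in the 198.51.100.0/24 segment shows the frame leaving on `extranet2` with TTL 63, VLAN 12 and the next-hop MAC as destination, while a destination inside another intranet segment is returned unchanged on the Layer 2 path, which is the "otherwise" branch of step 102.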
Fig. 3 is a flowchart of a second embodiment of the message forwarding method of the present invention, as shown in fig. 3, in this embodiment, the following first interface, second interface, and third interface have the same definition as that in the embodiment shown in fig. 2, and the data packet described in this embodiment corresponds to the first data packet, where the method includes:
step 201, an embedded firewall card in a switch receives a data message redirected to the firewall card by a switching module in the switch;
step 202, the firewall card performs fire prevention and routing processing on the data message;
step 203, the firewall card returns the processed data message to the switching module, so that the switching module forwards the processed data message.
The data packet redirected to the firewall card is one that the switching module, after receiving the data packet to be processed from a first interface connected to an internal virtual local area network on the switch, has redirected according to a preset hardware routing table entry upon determining, from the destination IP address in the packet, that the second interface through which the packet will leave is an interface connected to the external Internet, where the first interface and the second interface are both three-layer interfaces.
This embodiment is again described using the scenario of the embodiment shown in fig. 2 as an example: a certain user in an internal VLAN, such as a user in VLAN 111 in fig. 1 (an intranet user for short), wants to communicate with a certain user in VLAN 12, which corresponds to a certain external Internet such as a connected network (an extranet user for short). The data packet to be processed sent by the intranet user enters the switching module through the first interface, which corresponds to the intranet; that is, the first interface in this embodiment is an interface connected to an internal virtual local area network, and in the above example it is intranet interface 2 in fig. 1. When the switching module determines, according to the destination IP address contained in the packet, that the second interface through which the packet will leave is an interface connected to the external Internet, it redirects the packet to the embedded firewall card according to the preset hardware routing table entry, so that the firewall card performs firewall and routing processing on the packet and then returns the processed packet to the switching module, which forwards it.
Specifically, step 201, in which the embedded firewall card in the switch receives the data packet redirected to it by the switching module in the switch, includes:
the firewall card receives, through a third interface, the data packet redirected to it by the switching module, where the third interface is the next-hop interface of the data packet to be processed as determined by the switching module according to the hardware routing table entry, and is an internal connection interface between the switching module and the firewall card;
the redirected data packet is obtained by the switching module keeping the VID field and the TTL field of the header of the data packet to be processed unchanged and modifying the source MAC address of the header to a preset MAC address, where the value of the VID field is the identifier of the internal virtual local area network connected to the first interface.
Specifically, the switching module queries the preset routing table entry using, as the key, the first interface on which the data packet to be processed was received and the outbound second interface determined from the packet's destination IP address; if a matching entry is found, it sends the packet to the next-hop interface given in that entry. Because the next-hop interface in the preset hardware routing table entry is the internal connection interface to the firewall card, that is, the third interface of this embodiment, the switching module redirects the packet to the firewall card through the third interface. Before sending the packet to the firewall card through the third interface, the switching module processes it as follows: the source MAC address of the packet header is modified to a preset MAC address, while the VID field and the TTL field of the header are kept unchanged; the value of the VID field is the identifier of the virtual local area network corresponding to the first interface, such as virtual local area network 111 in fig. 1. The VID and TTL fields are kept unchanged because forwarding the packet to the firewall card through the hardware routing table entry happens inside the switch and is not routing in the real sense.
Further, step 203, in which the firewall card performs firewall and routing processing on the data packet, includes:
the firewall card determines whether the source MAC address in the header of the redirected data packet is the preset MAC address;
if it is the preset MAC address, the firewall card decrements the value of the TTL field by one, modifies the source MAC address to the MAC address of the switch, modifies the destination MAC address to the MAC address of the next-hop device connected to the second interface, and modifies the value of the VID field to the identifier of the external Internet connected to the second interface;
the firewall card then sends the routed data packet to the switching module through the third interface.
In this embodiment, the switching module triggers routing processing on the firewall card by modifying the source MAC address of the data packet.
In this embodiment, a switching module in a switch receives a data packet to be processed from a first interface connected to an internal VLAN and determines, according to the destination IP address in the packet, whether the second interface through which the packet will leave is an interface connected to the external Internet; the first and second interfaces are both three-layer interfaces. If so, the switching module redirects the packet to an embedded firewall card according to a preset hardware routing table entry for firewall and routing processing, and forwards the processed packet once it receives it back. By determining whether the outbound interface of a packet entering through the three-layer intranet interface is the extranet interface and, if it is, redirecting the packet to the firewall card according to the preset hardware routing table entry, the switching module can manage the firewall card in a unified way, so that configuration is simple and fast and management is convenient.
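The intranet-to-extranet path of the embodiments shown in fig. 2 and fig. 3, as an added simulation that is not part of the patent: a preset hardware routing entry keyed on (ingress interface, egress interface) redirects the packet to the firewall card with only its source MAC rewritten, and the card, on seeing the preset MAC, filters the packet, performs the routing rewrite (TTL, MACs, VID) and hands it back for Layer 2 forwarding. All MAC and IP addresses, interface names, VLAN IDs and the blocked-destination rule are constructed sample values.

```python
"""Added simulation of the fig. 2 / fig. 3 intranet-to-extranet path.
Not the patent's code; all addresses, names and rules are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vid: int      # 802.1Q VLAN ID field
    ttl: int
    src_ip: str
    dst_ip: str


# --- constructed sample topology (the description names interfaces abstractly)
SWITCH_MAC = "00:11:22:33:44:55"
PRESET_MAC = "02:00:00:00:00:01"   # source MAC meaning "firewall + route this"
INTRANET_IF, EXTRANET_IF, FW_IF = "intranet2", "extranet1", "fw-internal"
VLAN_OF_IF = {INTRANET_IF: 111, EXTRANET_IF: 12}
# Forwarding table: destination prefix -> egress (three-layer) interface.
ROUTES = {"10.1.0.0/16": INTRANET_IF, "0.0.0.0/0": EXTRANET_IF}
# Preset hardware routing entry: (ingress, egress) -> next-hop interface.
HW_ROUTE = {(INTRANET_IF, EXTRANET_IF): FW_IF}
# Layer 2 neighbour on each egress interface (stands in for the ARP table).
NEXT_HOP_MAC = {EXTRANET_IF: "aa:bb:cc:dd:ee:01", INTRANET_IF: "de:ad:be:ef:00:02"}
# The firewall card's "preset rule": a constructed deny list of destinations.
BLOCKED_DST = {"203.0.113.99"}


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix match of dst_ip against ROUTES."""
    addr = ipaddress.ip_address(dst_ip)
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def switching_module_ingress(pkt: Packet, ingress: str) -> Tuple[str, Packet]:
    """Switching module on receipt from the first interface.

    Returns (next interface, packet). Only an intranet-ingress / extranet-egress
    pair matches the hardware routing entry and is redirected to the card.
    """
    egress = egress_interface(pkt.dst_ip)
    next_hop = HW_ROUTE.get((ingress, egress))
    if next_hop is None:
        return egress, pkt            # no redirect entry: outside this embodiment
    # Redirect: only the source MAC changes. VID and TTL stay as they are
    # because the hop to the card is internal to the switch, not real routing.
    return next_hop, replace(pkt, src_mac=PRESET_MAC)


def firewall_card(pkt: Packet) -> Optional[Packet]:
    """Firewall and routing processing; None means the packet is dropped."""
    if pkt.src_mac != PRESET_MAC:
        return None                   # not marked by the switching module
    if pkt.dst_ip in BLOCKED_DST:
        return None                   # filtered by the preset rule
    if pkt.ttl <= 1:
        return None                   # added guard: TTL would expire on decrement
    egress = egress_interface(pkt.dst_ip)
    return replace(pkt, ttl=pkt.ttl - 1, src_mac=SWITCH_MAC,
                   dst_mac=NEXT_HOP_MAC[egress], vid=VLAN_OF_IF[egress])


def switching_module_l2_forward(pkt: Packet) -> str:
    """Two-layer forwarding of the routed packet by destination MAC and VID."""
    for iface, mac in NEXT_HOP_MAC.items():
        if mac == pkt.dst_mac and VLAN_OF_IF[iface] == pkt.vid:
            return iface
    raise LookupError(f"no L2 entry for {pkt.dst_mac} in VLAN {pkt.vid}")


def forward(pkt: Packet, ingress: str) -> Tuple[Optional[str], Optional[Packet]]:
    """Full path: switching module -> firewall card -> switching module."""
    next_hop, marked = switching_module_ingress(pkt, ingress)
    if next_hop != FW_IF:
        return next_hop, marked       # not redirected; forwarded on egress as-is
    routed = firewall_card(marked)
    if routed is None:
        return None, None             # dropped by the card
    return switching_module_l2_forward(routed), routed


if __name__ == "__main__":
    # Constructed packet from an intranet host in VLAN 111 to an external host.
    sample = Packet(src_mac="de:ad:be:ef:00:01", dst_mac=SWITCH_MAC, vid=111,
                    ttl=64, src_ip="10.1.0.5", dst_ip="203.0.113.9")
    print(forward(sample, INTRANET_IF))
```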
Fig. 4 is a flowchart of a third embodiment of the packet forwarding method of the present invention. The applicable scenario of this embodiment is one in which an external Internet user accesses an internal virtual local area network user, and the data packet to be processed in this embodiment corresponds to the second data packet. As shown in fig. 4, the method includes:
step 301, a switching module in a switch receives a data packet to be processed from a fourth interface, where the destination MAC address in the packet is the MAC address of the switch, and the fourth interface is an interface connected to the external Internet;
step 302, the switching module sends the data packet to be processed to an embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on the packet;
step 303, the switching module receives the data packet after firewall processing and performs routing processing on it.
When a certain external network user wants to communicate with a certain internal network user, the external network user's data packet enters the switching module through a fourth interface of the switching module in the switch. The fourth interface is an interface connected to the external Internet, that is, to the network to which the external network user belongs, such as external network interface 1 in fig. 1. The destination MAC address in the data packet is the MAC address of the switch.
The switching module is locally pre-configured with an address table entry that forwards a data packet to be processed entering from the fourth interface connected to the external Internet to the embedded firewall card of the switch. After receiving the packet, the firewall card performs firewall processing on it, that is, filters it according to a preset rule, and then returns it to the switching module so that the switching module performs routing processing.
Specifically, the switching module sending the data packet to be processed to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on it, includes:
the switching module queries the preset address table entry according to the fourth interface and the MAC address of the switch, and determines that the next-hop interface of the data packet to be processed is a fifth interface, where the fifth interface is an internal connection interface between the switching module and the firewall card;
the switching module sends the data packet to be processed to the firewall card through the fifth interface, so that the firewall card performs firewall processing on the packet and modifies the destination MAC address of the packet header according to the packet type.
Correspondingly, the switching module receiving the data packet after firewall processing and performing routing processing on it includes:
the switching module receives the modified data packet sent by the firewall card through the fifth interface and performs routing processing on it.
In this embodiment, after receiving a data packet to be processed from the fourth interface, the switching module queries the preset address table entry using the fourth interface and the destination MAC address in the packet as the key. If a matching entry is found, its egress indicates the internal connection port to the firewall card, that is, the fifth interface, so the switching module forwards the packet to the firewall card through the fifth interface. The firewall card performs firewall processing on the packet and modifies the destination MAC address of the packet header according to the packet type. For example, if the data packet to be processed is of a general application type, such as a packet sent by e-mail or an FTP file transfer packet, the destination MAC address of its header is modified to a first preset MAC address; if it is a control-type data packet, the destination MAC address of its header is modified to a second preset MAC address. The first preset MAC address instructs the switching module to perform routing processing on the modified data packet, and the second preset MAC address instructs the switching module to perform local processing on it. After the modification, the firewall card returns the modified data packet to the switching module through the fifth interface, namely the internal connection interface, so that the switching module performs routing processing on it. It should be noted that the fifth interface in this embodiment is preferably the same interface as the third interface in the embodiments shown in fig. 2 and fig. 3.
Optionally, the switching module receiving the modified data packet sent by the firewall card through the fifth interface and performing routing processing on it includes:
if the modified destination MAC address is the first preset MAC address, which instructs the switching module to perform routing processing on the modified data packet, the switching module decrements the value of the TTL field of the modified packet header by one, modifies the source MAC address of the header to the MAC address of the switch, modifies the destination MAC address to the MAC address of the next-hop device connected to a sixth interface, and modifies the value of the VID field to the identifier of the virtual local area network corresponding to the sixth interface, where the sixth interface is an interface connected to the internal virtual local area network corresponding to the destination IP address in the data packet to be processed, such as intranet interface 1 in fig. 1, and is a three-layer interface.
In this embodiment, after the switching module receives a data packet whose destination MAC address is the first preset MAC address, it performs routing processing on the packet. It should be noted that when the data packet to be processed is sent to the firewall card, the firewall card, after performing firewall processing on it, modifies only the destination MAC address of the packet and keeps the values of its TTL field and VID field unchanged.
When the firewall card has modified the destination MAC address to the first preset MAC address, the switching module recognises the first preset MAC address and performs routing processing on the data packet, that is, determines the packet's egress: it determines that the egress interface of the packet is the sixth interface according to the correspondence between the internal virtual local area network corresponding to the destination IP address in the packet and the interfaces of the switching module. The sixth interface is configured as a three-layer interface, so it can receive the routed data packet and forward it.
Further optionally, if the modified destination MAC address is the second preset MAC address, which instructs the switching module to perform local processing on the modified data packet, the switching module queries a preset fast filtering entry (Filter Policy, hereinafter abbreviated as FP) according to the second preset MAC address and decides to send the modified data packet to the processor (CPU) of the switch for local processing.
On the other hand, if the firewall card determines that the data packet is of the control type, it modifies the destination MAC address of the packet to a second preset MAC address different from the first preset MAC address. After receiving the packet returned by the firewall card from the fifth interface, the switching module queries the locally preset FP table entry according to the second preset MAC address and, according to that entry, sends the control-type data packet to the CPU of the switch for local processing, for example to perform the corresponding control operation according to the control content of the packet.
In this embodiment, when an extranet user needs to communicate with an intranet user, the switching module in the switch receives a data packet to be processed from a fourth interface connected to the extranet, queries a locally preset address table entry according to the destination MAC address in the packet and the fourth interface to determine that the packet's egress is the fifth interface internally connected to the firewall card, sends the packet to the firewall card for processing, receives the packet processed by the firewall card, and performs the corresponding routing processing according to the firewall card's processing result. Through the preset address table entry, the configuration of the fourth and sixth interfaces as three-layer interfaces with a routing function, and the internal connection port between the switching module and the firewall card, the user no longer needs to configure the firewall card and the switching module separately in a complicated way; the switching module can manage the firewall card in a unified way, so that configuration is simple and management is convenient.
Fig. 5 is a flowchart of a fourth embodiment of the packet forwarding method of the present invention. The fourth interface, fifth interface and sixth interface in this embodiment have the same definitions as in the embodiment shown in fig. 4; this embodiment applies to a scenario in which an external Internet user accesses an internal virtual local area network to communicate, and the data packet to be processed in this embodiment corresponds to the second data packet. As shown in fig. 5, the method includes:
step 401, an embedded firewall card in a switch receives a data packet to be processed sent by a switching module in the switch, where the packet is forwarded to the firewall card through a fifth interface after the switching module has received, from a fourth interface, the data packet to be processed whose destination MAC address is the MAC address of the switch and has queried a preset address table entry according to the MAC address of the switch and the fourth interface to determine that the next-hop interface of the packet is the fifth interface internally connected to the firewall card, and where the fourth interface is an interface connected to the external Internet;
step 402, the firewall card performs firewall processing on the data packet to be processed;
step 403, the firewall card sends the data packet after firewall processing to the switching module, so that the switching module performs routing processing on it.
When a certain external network user wants to communicate with a certain internal network user, the external network user's data packet enters the switching module through a fourth interface of the switching module in the switch, where the fourth interface is an interface connected to the external Internet, that is, to the network to which the external network user belongs. The destination MAC address in the data packet is the MAC address of the switch.
The switching module is locally pre-configured with an address table entry that forwards a data packet to be processed entering from the fourth interface connected to the external Internet to the embedded firewall card of the switch. Specifically, the switching module queries the preset address table entry according to the fourth interface and the MAC address of the switch, determines that the next-hop interface of the packet is the fifth interface, which is the internal connection interface between the switching module and the firewall card, and then sends the packet to the firewall card through the fifth interface.
After receiving the data packet to be processed, the firewall card performs firewall processing on it, that is, filters it according to a preset rule, modifies the destination MAC address of the packet header according to the packet type, and then returns the modified packet to the switching module through the fifth interface so that the switching module performs routing processing.
The firewall card modifying the destination MAC address of the header of the data packet to be processed according to the packet type includes:
if the data packet to be processed is an application-type data packet, the firewall card modifies the destination MAC address of the packet header to a first preset MAC address;
or,
if the data packet to be processed is a control-type data packet, the firewall card modifies the destination MAC address of the packet header to a second preset MAC address.
Specifically, the header of a data packet to be processed contains a packet type field, and different values of this field represent different packet types, such as application types (e-mail sending, FTP file transfer and the like) and the control type. The firewall card writes a different destination MAC address depending on the packet type: if the packet is of an application type, it modifies the destination MAC address to the first preset MAC address, which instructs the switching module to perform routing processing on the modified packet; if the packet is of the control type, it modifies the destination MAC address to the second preset MAC address, which instructs the switching module to perform local processing on the modified packet. After the modification, the firewall card returns the modified data packet to the switching module through the fifth interface, namely the internal connection interface, so that the switching module performs routing processing on it.
It should be noted that when the data packet to be processed is sent to the firewall card, the firewall card, after performing firewall processing on it, modifies only the destination MAC address of the packet and keeps the values of its TTL field and VID field unchanged.
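The extranet-to-intranet path of the embodiments shown in fig. 4 and fig. 5, as an added simulation that is not part of the patent: the address table keyed on (fourth interface, switch MAC) hands the packet to the firewall card, the card filters it and marks it by writing the first or second preset MAC as destination MAC (TTL and VID untouched), and the switching module then either routes it towards the sixth interface or, via the FP entry, sends it to the CPU. All addresses, interface names, VLAN IDs, the encoding of the packet type field and the deny rule are constructed sample values.

```python
"""Added simulation of the fig. 4 / fig. 5 extranet-to-intranet path.
Not the patent's code; all addresses, names, rules and the packet type
encoding are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vid: int
    ttl: int
    src_ip: str
    dst_ip: str
    ptype: str      # constructed header type field: "application" or "control"


# --- constructed sample topology
SWITCH_MAC = "00:11:22:33:44:55"
PRESET_MAC_ROUTE = "02:00:00:00:00:11"   # first preset MAC: "route this"
PRESET_MAC_LOCAL = "02:00:00:00:00:22"   # second preset MAC: "handle locally"
EXTRANET_IF, INTRANET_IF, FW_IF, CPU = "extranet1", "intranet1", "fw-internal", "cpu"
VLAN_OF_IF = {EXTRANET_IF: 12, INTRANET_IF: 111}
# Address table entry: (ingress interface, destination MAC) -> next-hop interface.
ADDR_TABLE = {(EXTRANET_IF, SWITCH_MAC): FW_IF}
# Fast filtering (FP) entry: destination MAC -> where the packet goes.
FP_TABLE = {PRESET_MAC_LOCAL: CPU}
# Internal VLAN prefix -> sixth interface; neighbour MAC per directly attached host.
INTRANET_ROUTES = {"10.1.0.0/16": INTRANET_IF}
NEIGHBOUR_MAC = {"10.1.0.5": "de:ad:be:ef:00:01"}   # stands in for the ARP table
BLOCKED_SRC = {"198.51.100.66"}                      # the card's "preset rule"


def switching_module_ingress(pkt: Packet, ingress: str) -> Optional[str]:
    """Steps 301/302: look up (fourth interface, switch MAC) in the address table."""
    return ADDR_TABLE.get((ingress, pkt.dst_mac))


def firewall_card(pkt: Packet) -> Optional[Packet]:
    """Firewall processing plus marking; None means dropped by the filter.

    Only the destination MAC changes; TTL and VID are returned as received.
    """
    if pkt.src_ip in BLOCKED_SRC:
        return None
    marker = PRESET_MAC_LOCAL if pkt.ptype == "control" else PRESET_MAC_ROUTE
    return replace(pkt, dst_mac=marker)


def sixth_interface(dst_ip: str) -> str:
    """Interface of the internal VLAN that holds dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for prefix, iface in INTRANET_ROUTES.items():
        if addr in ipaddress.ip_network(prefix):
            return iface
    raise LookupError(f"no internal VLAN for {dst_ip}")


def switching_module_return(pkt: Packet) -> Tuple[str, Packet]:
    """Step 303: act on the preset MAC written by the card."""
    if pkt.dst_mac == PRESET_MAC_ROUTE:
        egress = sixth_interface(pkt.dst_ip)
        # Routing rewrite. The next-hop device on the sixth interface is the
        # destination host itself here, because the VLAN is directly attached.
        routed = replace(pkt, ttl=pkt.ttl - 1, src_mac=SWITCH_MAC,
                         dst_mac=NEIGHBOUR_MAC[pkt.dst_ip], vid=VLAN_OF_IF[egress])
        return egress, routed
    if pkt.dst_mac in FP_TABLE:
        return FP_TABLE[pkt.dst_mac], pkt    # control packet: to the CPU unchanged
    raise ValueError(f"unexpected marker MAC {pkt.dst_mac}")


def forward(pkt: Packet, ingress: str) -> Tuple[Optional[str], Optional[Packet]]:
    """Full path: switching module -> firewall card -> switching module."""
    next_hop = switching_module_ingress(pkt, ingress)
    if next_hop != FW_IF:
        return next_hop, pkt             # no address table hit: outside this path
    marked = firewall_card(pkt)
    if marked is None:
        return None, None                # dropped by the card
    return switching_module_return(marked)


if __name__ == "__main__":
    # Constructed application packet from an external host to an intranet host.
    sample = Packet(src_mac="aa:bb:cc:dd:ee:01", dst_mac=SWITCH_MAC, vid=12, ttl=64,
                    src_ip="203.0.113.9", dst_ip="10.1.0.5", ptype="application")
    print(forward(sample, EXTRANET_IF))
```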
Fig. 6 is a schematic structural diagram of a first embodiment of a switching module of the present invention. As shown in fig. 6, the switching module includes:
a receiving module 11, configured to receive a first data packet to be processed from a first interface, where the first data packet includes a destination IP address, and the first interface is an interface connected to an internal virtual local area network;
a determining module 12, configured to determine, according to the destination IP address, whether a second interface through which the first data packet will leave is an interface connected to the external Internet, where the first interface and the second interface are both three-layer interfaces;
a redirection module 13, configured to redirect, according to a preset hardware routing table entry, the first data packet to an embedded firewall card for firewall and routing processing if the second interface is an interface connected to the external Internet;
and a forwarding module 14, configured to receive the first data packet after firewall and routing processing and forward the processed first data packet.
The receiving module 11 is further configured to receive a second data packet to be processed from a fourth interface, where the destination MAC address in the second data packet is the MAC address of the switch, and the fourth interface is an interface connected to the external Internet;
the switching module further includes:
a sending module 21, configured to send the second data packet to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on it;
and a processing module 22, configured to receive the second data packet after firewall processing and perform routing processing on it.
Further, the redirection module 13 includes:
a determining unit 131, configured to determine, according to the hardware routing table entry, that the next-hop interface of the first data packet is a third interface, where the third interface is an internal connection interface between the switching module and the firewall card;
a modifying unit 132, configured to modify the source media access control (MAC) address of the header of the first data packet to a preset MAC address while keeping the virtual local area network identifier (VID) field and the time to live (TTL) field of the header unchanged, where the value of the VID field is the identifier of the internal virtual local area network connected to the first interface;
and a first sending unit 133, configured to redirect the modified first data packet to the firewall card through the third interface.
The preset MAC address instructs the firewall card to perform firewall and routing processing on the modified first data packet.
Further, the forwarding module 14 is specifically configured to:
receive the routed first data packet sent by the firewall card through the third interface, and forward it to the next-hop device according to the modified destination MAC address.
Further, the sending module 21 includes:
a query unit 211, configured to query the preset address table entry according to the fourth interface and the MAC address of the switch, and determine that the next-hop interface of the second data packet is a fifth interface, where the fifth interface is an internal connection interface between the switching module and the firewall card;
and a second sending unit 212, configured to send the second data packet to the firewall card through the fifth interface, so that the firewall card performs firewall processing on it and modifies the destination MAC address of its header according to the packet type.
Accordingly, the processing module 22 is configured to:
receive the modified second data packet sent by the firewall card through the fifth interface and perform routing processing on it.
Specifically, the processing module 22 is configured to:
if the modified destination MAC address is a first preset MAC address, which instructs the switching module to perform routing processing on the modified second data packet, decrement the value of the TTL field of the modified packet header by one, modify the source MAC address of the header to the MAC address of the switch, modify the destination MAC address to the MAC address of the next-hop device connected to a sixth interface, and modify the value of the VID field to the identifier of the virtual local area network corresponding to the sixth interface, where the sixth interface is an interface connected to the internal virtual local area network corresponding to the destination IP address in the second data packet and is a three-layer interface;
and if the modified destination MAC address is a second preset MAC address, which instructs the switching module to perform local processing on the modified packet, query a preset fast filtering (FP) table entry according to the second preset MAC address and decide to send the modified second data packet to the processor (CPU) of the switch for local processing.
The switching module of this embodiment may be used to execute the technical solutions of the method embodiments shown in fig. 2 and fig. 4; the implementation principles and technical effects are similar and are not described again here.
Fig. 7 is a schematic structural diagram of a first embodiment of a firewall card of the present invention. As shown in fig. 7, the firewall card provided in this embodiment includes:
a receiving module 31, configured to receive a first data packet to be processed that has been redirected to the firewall card by a switching module in the switch;
a processing module 32, configured to perform firewall and routing processing on the first data packet;
and a sending module 33, configured to return the processed first data packet to the switching module, so that the switching module forwards it;
where the first data packet redirected to the firewall card is one that the switching module, after receiving it from a first interface connected to an internal virtual local area network on the switch, has redirected according to a preset hardware routing table entry upon determining, from the destination IP address in the packet, that the second interface through which the packet will leave is an interface connected to the external Internet, and where the first interface and the second interface are both three-layer interfaces.
The receiving module 31 is further configured to receive a second data packet to be processed sent by the switching module in the switch, where the switching module, after receiving from a fourth interface the second data packet whose destination MAC address is the MAC address of the switch, queries a preset address table entry according to the MAC address of the switch and the fourth interface, determines that the next-hop interface of the second data packet is a fifth interface internally connected to the firewall card, and forwards the packet to the firewall card through the fifth interface, and where the fourth interface is an interface connected to the external Internet;
the processing module 32 is further configured to perform firewall processing on the second data packet;
and the sending module 33 is further configured to send the second data packet after firewall processing to the switching module, so that the switching module performs routing processing on it.
Further, the receiving module 31 is specifically configured to:
receive, through a third interface, the first data packet redirected to the firewall card by the switching module, where the third interface is the next-hop interface of the first data packet as determined by the switching module according to the hardware routing table entry, and is an internal connection interface between the switching module and the firewall card;
where the redirected first data packet is obtained by the switching module keeping the VID field and the TTL field of the header of the first data packet unchanged and modifying the source MAC address of the header to a preset MAC address, the value of the VID field being the identifier of the internal virtual local area network connected to the first interface.
Further, the processing module 32 includes:
a determining unit 321, configured to determine whether the source MAC address in the header of the redirected first data packet is the preset MAC address;
a processing unit 322, configured, if it is the preset MAC address, to decrement the value of the TTL field by one, modify the source MAC address to the MAC address of the switch, modify the destination MAC address to the MAC address of the next-hop device connected to the second interface, and modify the value of the VID field to the identifier of the external Internet connected to the second interface;
and a sending unit 323, configured to send the routed first data packet to the switching module through the third interface.
Further, the processing module 32 is further configured to:
performing fire prevention processing on the second data message to be processed, and modifying a destination MAC address of the head of the second data message to be processed according to the message type of the second data message to be processed;
correspondingly, the sending module 33 is further configured to:
and sending the modified second data message to the switching module so that the switching module performs routing processing on the modified second data message.
Further, the processing module 32 is further configured to:
if the second data message to be processed is the data message of the application type, modifying the destination MAC address of the head of the second data message to be processed into a first preset MAC address;
or,
and if the second data message to be processed is a control type data message, modifying the destination MAC address of the head of the second data message to be processed into a second preset MAC address.
The firewall card of this embodiment may be used to implement the technical solutions of the method embodiments shown in fig. 3 and fig. 5, and the implementation principles and technical effects are similar, which are not described herein again.
Fig. 8 is a schematic structural diagram of a first embodiment of a switch according to the present invention, as shown in fig. 8, the switch includes:
a switching module as described in fig. 6 and a firewall card as described in fig. 7.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be implemented by program instructions executed on hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, or magnetic or optical disks.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it; although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in them may still be modified, or some or all of their technical features equivalently replaced, without such modifications or substitutions departing from the scope of the technical solutions of the embodiments of the present invention.
Claims (21)
1. A message forwarding method, comprising:
when a switching module in a switch receives a first data message to be processed from a first interface, performing the following forwarding processing on the first data message, wherein the first data message to be processed includes a destination IP address, and the first interface is an interface connected to an internal virtual local area network:
the switching module determines, according to the destination IP address, whether a second interface from which the first data message to be processed is to be sent out is an interface connected to the external internet, wherein the first interface and the second interface are both layer 3 interfaces;
if the second interface is an interface connected to the external internet, the switching module redirects the first data message to be processed to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry;
the switching module receives the first data message after firewall and routing processing, and forwards the processed first data message;
or,
when the switching module in the switch receives a second data message to be processed from a fourth interface, performing the following forwarding processing on the second data message, wherein the destination MAC address in the second data message to be processed is the MAC address of the switch, and the fourth interface is an interface connected to the external internet:
the switching module sends the second data message to be processed to the embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on the second data message to be processed;
and the switching module receives the second data message after firewall processing and performs routing processing on it.
2. The method according to claim 1, wherein the switching module redirecting the first data message to be processed to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry comprises:
the switching module determines, according to the hardware routing table entry, that the next hop interface of the first data message to be processed is a third interface, the third interface being an internal connection interface between the switching module and the firewall card;
the switching module modifies the source media access control (MAC) address of the header of the first data message to be processed to a preset MAC address, and keeps the virtual local area network identifier (VID) field and the time to live (TTL) field of the header unchanged, wherein the value of the VID field is the identifier of the internal virtual local area network connected to the first interface;
the switching module redirects the modified first data message to the firewall card through the third interface;
and the preset MAC address is used to instruct the firewall card to perform firewall and routing processing on the modified first data message.
3. The method according to claim 2, wherein the switching module receiving the first data message after firewall and routing processing and forwarding the processed first data message comprises:
the switching module receives the first data message after routing processing, sent by the firewall card through the third interface, and forwards the processed first data message to the next hop device according to the modified destination MAC address.
4. The method according to claim 1, wherein the switching module sending the second data message to be processed to an embedded firewall card according to a preset address table entry, so that the firewall card performs firewall processing on the second data message to be processed, comprises:
the switching module queries the preset address table entry according to the fourth interface and the MAC address of the switch, and determines that the next hop interface of the second data message to be processed is a fifth interface, the fifth interface being an internal connection interface between the switching module and the firewall card;
the switching module sends the second data message to be processed to the firewall card through the fifth interface, so that the firewall card performs firewall processing on it and modifies the destination MAC address of its header according to the message type of the second data message to be processed;
and the switching module receiving the second data message after firewall processing and performing routing processing on it comprises:
the switching module receives the modified second data message sent by the firewall card through the fifth interface and performs routing processing on the modified second data message.
5. The method according to claim 4, wherein the switching module receiving the modified second data message sent by the firewall card through the fifth interface and performing routing processing on it comprises:
if the modified destination MAC address is a first preset MAC address, used to instruct the switching module to perform routing processing on the modified second data message, the switching module subtracts one from the value of the TTL field of the header of the modified second data message, modifies the source MAC address of the header to the MAC address of the switch, modifies the destination MAC address to the MAC address of the next hop device connected to a sixth interface, and modifies the value of the VID field to the identifier of the virtual local area network corresponding to the sixth interface, wherein the sixth interface is an interface connected to the internal virtual local area network corresponding to the destination IP address in the second data message to be processed, and the sixth interface is a layer 3 interface;
and if the modified destination MAC address is a second preset MAC address, used to instruct the switching module to perform local processing on the modified second data message, the switching module queries a preset fast filtering (FP) table entry according to the second preset MAC address, and determines to send the modified second data message to the processor (CPU) of the switch for local processing.
6. A message forwarding method, comprising:
when an embedded firewall card in a switch receives a first data message to be processed, redirected to the firewall card by a switching module in the switch, performing the following forwarding processing on the first data message:
the firewall card performs firewall and routing processing on the first data message;
the firewall card returns the processed first data message to the switching module so that the switching module forwards it;
wherein the first data message is redirected to the firewall card according to a preset hardware routing table entry when the switching module, after receiving the first data message from a first interface on the switch connected to an internal virtual local area network, determines according to the destination IP address in the first data message that a second interface from which the first data message is to be sent out is an interface connected to the external internet, the first interface and the second interface both being layer 3 interfaces;
or,
when the embedded firewall card in the switch receives a second data message to be processed sent by the switching module in the switch, performing the following forwarding processing on the second data message:
the firewall card performs firewall processing on the second data message to be processed;
the firewall card sends the second data message after firewall processing to the switching module, so that the switching module performs routing processing on it;
wherein, after receiving the second data message to be processed, whose destination MAC address is the MAC address of the switch, from a fourth interface, the switching module in the switch queries a preset address table entry according to the MAC address of the switch and the fourth interface, determines that the next hop interface of the second data message to be processed is a fifth interface connected internally to the firewall card, and forwards the second data message to the firewall card through the fifth interface, the fourth interface being an interface connected to the external internet.
7. The method according to claim 6, wherein the embedded firewall card in the switch receiving the first data message to be processed, redirected to the firewall card by the switching module in the switch, comprises:
the firewall card receives, through a third interface, the first data message redirected to it by the switching module, wherein the third interface is the next hop interface of the first data message determined by the switching module according to the hardware routing table entry, and the third interface is an internal connection interface between the switching module and the firewall card;
the first data message redirected to the firewall card is obtained by the switching module keeping the VID field and the TTL field of the header of the first data message unchanged and modifying the source MAC address of the header to a preset MAC address, wherein the value of the VID field is the identifier of the internal virtual local area network connected to the first interface.
8. The method according to claim 7, wherein the firewall card performing firewall and routing processing on the first data message comprises:
the firewall card determines whether the source MAC address in the header of the first data message received by redirection is the preset MAC address;
if the source MAC address is the preset MAC address, the firewall card subtracts one from the value of the TTL field, modifies the source MAC address to the MAC address of the switch, modifies the destination MAC address to the MAC address of the next hop device connected to the second interface, and modifies the value of the VID field to the identifier of the external network connected to the second interface;
and the firewall card sends the first data message after routing processing to the switching module through the third interface.
9. The method according to claim 6, wherein the firewall card performing firewall processing on the second data message to be processed comprises:
the firewall card performs firewall processing on the second data message to be processed and modifies the destination MAC address of its header according to the message type of the second data message to be processed;
and correspondingly, the firewall card sending the second data message after firewall processing to the switching module, so that the switching module performs routing processing on it, comprises:
the firewall card sends the modified second data message to the switching module so that the switching module performs routing processing on the modified second data message.
10. The method according to claim 9, wherein the firewall card modifying the destination MAC address of the header of the second data message to be processed according to the message type of the second data message to be processed comprises:
if the second data message to be processed is an application-type data message, the firewall card modifies the destination MAC address of the header of the second data message to be processed to a first preset MAC address;
or,
if the second data message to be processed is a control-type data message, the firewall card modifies the destination MAC address of the header of the second data message to be processed to a second preset MAC address.
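The following is an added example and not code from the patent or from any vendor's implementation: a Python model of the two forwarding paths of claims 1 to 10 (the switching module and firewall card of Figs. 6 and 7), with each side as an object and a packet reduced to the header fields the claims rewrite (source MAC, destination MAC, VID, TTL, destination IP, message type). Every interface name, MAC address, VLAN id, route prefix and the blocklist that stands in for "firewall processing" is a constructed assumption, as is dropping a packet that has no route or a TTL of 1, which the page does not address. The model makes the trust relationship in the claims visible: the only thing that tells the card to route an outbound packet is the preset source MAC the switching module stamps on it, and the only thing that tells the switching module what to do with an inbound packet is which of the two preset destination MACs the card wrote back, so the third and fifth interfaces must be internal links that no front-panel port can inject frames into.

```python
"""Model of the switch / firewall-card forwarding paths in claims 1-10 (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed values: the patent defines the role of each address, not its value.
SWITCH_MAC = "00:11:22:00:00:01"         # MAC address of the switch (its layer 3 interfaces)
PRESET_MAC = "02:00:00:00:00:ff"         # source MAC marking a packet redirected to the card (claim 2)
FIRST_PRESET_MAC = "02:00:00:00:00:01"   # card -> switch: "route this packet" (claims 5, 10)
SECOND_PRESET_MAC = "02:00:00:00:00:02"  # card -> switch: "hand this packet to the CPU" (claims 5, 10)
VID_OF = {"if1": 10, "if6": 10, "if2": 20, "if4": 20}   # VLAN id behind each layer 3 interface
EXTERNAL_IFS = {"if2", "if4"}                            # interfaces facing the external internet
ROUTES = {                                               # destination prefix -> (egress, next-hop MAC)
    ip_network("198.51.100.0/24"): ("if2", "00:aa:00:00:00:02"),   # external next hop
    ip_network("10.1.0.0/16"): ("if6", "00:bb:00:00:00:06"),       # internal next hop
}
BLOCKED_DST = {"198.51.100.66"}          # constructed stand-in for the card's firewall policy


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vid: int
    ttl: int
    dst_ip: str
    kind: str = "application"   # "application" or "control", the message type of claim 10


def lookup_route(dst_ip):
    """Longest-prefix match over ROUTES; returns (egress interface, next-hop MAC) or None."""
    addr = ip_address(dst_ip)
    hits = [(net, entry) for net, entry in ROUTES.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route_rewrite(frame):
    """Layer 3 rewrite done by the card in claim 8 and by the switch in claim 5:
    TTL - 1, source MAC := switch MAC, destination MAC := next hop, VID := egress VLAN."""
    hit = lookup_route(frame.dst_ip)
    if hit is None or frame.ttl <= 1:   # no route or TTL expired: drop (assumed; the page is silent)
        return None
    egress, next_hop_mac = hit
    return egress, replace(frame, ttl=frame.ttl - 1, src_mac=SWITCH_MAC,
                           dst_mac=next_hop_mac, vid=VID_OF[egress])


class FirewallCard:
    def __init__(self, allow):
        self.allow = allow   # callable(Frame) -> bool, standing in for "firewall processing"

    def receive(self, port, frame):
        """Frame to hand back to the switching module, or None if the card drops it."""
        if not self.allow(frame):
            return None
        if port == "if3":                      # outbound packet redirected by the hardware route entry
            if frame.src_mac != PRESET_MAC:    # claim 8: only the preset source MAC asks for routing
                return None
            hit = route_rewrite(frame)
            return None if hit is None else hit[1]
        if port == "if5":                      # inbound packet handed over by the address table entry
            marker = FIRST_PRESET_MAC if frame.kind == "application" else SECOND_PRESET_MAC
            return replace(frame, dst_mac=marker)   # claim 10
        raise ValueError(f"unexpected card port {port}")


class SwitchingModule:
    def __init__(self, card):
        self.card = card
        self.hw_route = {"if2": "if3"}                      # hardware routing entry: external egress -> card
        self.address_table = {("if4", SWITCH_MAC): "if5"}   # (ingress, switch MAC) -> card port
        self.fp_table = {SECOND_PRESET_MAC: "cpu"}          # fast filtering (FP) entry of claim 5

    def forward(self, in_port, frame):
        """Returns (egress, frame) after the switch + card path, or None if dropped."""
        if in_port not in EXTERNAL_IFS:                     # claim 1, first branch: from the internal VLAN
            hit = lookup_route(frame.dst_ip)
            if hit is None:
                return None
            egress = hit[0]
            if egress not in EXTERNAL_IFS:                  # stays internal: plain routing without the card
                return route_rewrite(frame)                 # (assumed; the page covers only the external case)
            redirected = replace(frame, src_mac=PRESET_MAC) # claim 2: VID and TTL left untouched
            done = self.card.receive(self.hw_route[egress], redirected)
            return None if done is None else (egress, done) # claim 3: forward on the rewritten dst MAC
        if frame.dst_mac != SWITCH_MAC:                     # claim 1, second branch: switch MAC only
            return None
        done = self.card.receive(self.address_table[(in_port, SWITCH_MAC)], frame)
        if done is None:
            return None
        if done.dst_mac == FIRST_PRESET_MAC:                # claim 5: route towards the sixth interface
            return route_rewrite(done)
        if done.dst_mac == SECOND_PRESET_MAC:               # claim 5: FP entry punts it to the CPU
            return self.fp_table[done.dst_mac], done
        return None


def demo():
    """Runs the four cases a practitioner would check first; results keyed by name."""
    switch = SwitchingModule(FirewallCard(allow=lambda f: f.dst_ip not in BLOCKED_DST))
    outbound = Frame("00:11:22:33:44:55", SWITCH_MAC, vid=10, ttl=64, dst_ip="198.51.100.7")
    inbound = Frame("00:aa:00:00:00:02", SWITCH_MAC, vid=20, ttl=57, dst_ip="10.1.0.9")
    return {
        "outbound": switch.forward("if1", outbound),                               # internal -> card -> external
        "inbound_app": switch.forward("if4", inbound),                             # external -> card -> routed
        "inbound_ctl": switch.forward("if4", replace(inbound, kind="control")),    # external -> card -> CPU
        "blocked": switch.forward("if1", replace(outbound, dst_ip="198.51.100.66")),  # dropped by the card
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints the four outcomes: the outbound packet leaves `if2` with TTL 63, the switch's source MAC, the external next-hop MAC and VID 20; the inbound application packet leaves `if6` with TTL 56 and VID 10; the inbound control packet is handed to the CPU with the second preset destination MAC still in place; the blocked packet returns `None`.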
11. A switching module, comprising:
a receiving module, configured to receive a first data message to be processed from a first interface, wherein the first data message to be processed includes a destination IP address, and the first interface is an interface connected to an internal virtual local area network;
a determining module, configured to determine, according to the destination IP address, whether a second interface from which the first data message to be processed is to be sent out is an interface connected to the external internet, wherein the first interface and the second interface are both layer 3 interfaces;
a redirection module, configured to redirect the first data message to be processed to an embedded firewall card for firewall and routing processing according to a preset hardware routing table entry if the second interface is an interface connected to the external internet;
a forwarding module, configured to receive the first data message after firewall and routing processing and forward the processed first data message;
the receiving module is further configured to receive a second data message to be processed from a fourth interface, wherein the destination MAC address in the second data message to be processed is the MAC address of the switch, and the fourth interface is an interface connected to the external internet;
the switching module further comprises:
a sending module, configured to send the second data message to be processed to the embedded firewall card according to a preset address table entry so that the firewall card performs firewall processing on it;
and a processing module, configured to receive the second data message after firewall processing and perform routing processing on it.
12. The switching module according to claim 11, wherein the redirection module comprises:
a determining unit, configured to determine, according to the hardware routing table entry, that the next hop interface of the first data message to be processed is a third interface, the third interface being an internal connection interface between the switching module and the firewall card;
a modifying unit, configured to modify the source media access control (MAC) address of the header of the first data message to be processed to a preset MAC address, and keep the virtual local area network identifier (VID) field and the time to live (TTL) field of the header unchanged, wherein the value of the VID field is the identifier of the internal virtual local area network connected to the first interface;
a first sending unit, configured to redirect the modified first data message to the firewall card through the third interface;
and the preset MAC address is used to instruct the firewall card to perform firewall and routing processing on the modified first data message.
13. The switching module according to claim 12, wherein the forwarding module is specifically configured to:
receive the first data message after routing processing, sent by the firewall card through the third interface, and forward the processed first data message to the next hop device according to the modified destination MAC address.
14. The switching module according to claim 11, wherein the sending module comprises:
a query unit, configured to query the preset address table entry according to the fourth interface and the MAC address of the switch, and determine that the next hop interface of the second data message to be processed is a fifth interface, the fifth interface being an internal connection interface between the switching module and the firewall card;
a second sending unit, configured to send the second data message to be processed to the firewall card through the fifth interface, so that the firewall card performs firewall processing on it and modifies the destination MAC address of its header according to the message type of the second data message to be processed;
and correspondingly, the processing module is configured to:
receive the modified second data message sent by the firewall card through the fifth interface, and perform routing processing on the modified second data message.
15. The switching module according to claim 14, wherein the processing module is specifically configured to:
if the modified destination MAC address is a first preset MAC address, used to instruct the switching module to perform routing processing on the modified second data message, subtract one from the value of the TTL field of the header of the modified second data message, modify the source MAC address of the header to the MAC address of the switch, modify the destination MAC address to the MAC address of the next hop device connected to a sixth interface, and modify the value of the VID field to the identifier of the virtual local area network corresponding to the sixth interface, wherein the sixth interface is an interface connected to the internal virtual local area network corresponding to the destination IP address in the second data message to be processed, and the sixth interface is a layer 3 interface;
and if the modified destination MAC address is a second preset MAC address, used to instruct the switching module to perform local processing on the modified second data message, query a preset fast filtering (FP) table entry according to the second preset MAC address, and determine to send the modified second data message to the processor (CPU) of the switch for local processing.
16. A firewall card, comprising:
a receiving module, configured to receive a first data message to be processed, redirected to the firewall card by a switching module in the switch;
a processing module, configured to perform firewall and routing processing on the first data message;
a sending module, configured to return the processed first data message to the switching module so that the switching module forwards it;
wherein the first data message is redirected to the firewall card according to a preset hardware routing table entry when the switching module, after receiving the first data message from a first interface on the switch connected to an internal virtual local area network, determines according to the destination IP address in the first data message that a second interface from which the first data message is to be sent out is an interface connected to the external internet, the first interface and the second interface both being layer 3 interfaces;
the receiving module is further configured to receive a second data message to be processed sent by the switching module in the switch, which the switching module forwards to the firewall card through a fifth interface after receiving it from a fourth interface, wherein the destination MAC address of the second data message to be processed is the MAC address of the switch, the switching module queries a preset address table entry according to the MAC address of the switch and the fourth interface to determine that the next hop interface of the second data message to be processed is the fifth interface connected internally to the firewall card, and the fourth interface is an interface connected to the external internet;
the processing module is further configured to perform firewall processing on the second data message to be processed;
and the sending module is further configured to send the second data message after firewall processing to the switching module so that the switching module performs routing processing on it.
17. The firewall card according to claim 16, wherein the receiving module is specifically configured to:
receive, through a third interface, the first data message redirected to the firewall card by the switching module, wherein the third interface is the next hop interface of the first data message to be processed, determined by the switching module according to the hardware routing table entry, and the third interface is an internal connection interface between the switching module and the firewall card;
the first data message redirected to the firewall card is obtained by the switching module keeping the VID field and the TTL field of the header of the first data message unchanged and modifying the source MAC address of the header to a preset MAC address, wherein the value of the VID field is the identifier of the internal virtual local area network connected to the first interface.
18. The firewall card according to claim 17, wherein the processing module comprises:
a determining unit, configured to determine whether the source MAC address in the header of the first data message received by redirection is the preset MAC address;
a processing unit, configured to, if the source MAC address is the preset MAC address, subtract one from the value of the TTL field, modify the source MAC address to the MAC address of the switch, modify the destination MAC address to the MAC address of the next hop device connected to the second interface, and modify the value of the VID field to the identifier of the external network connected to the second interface;
and a sending unit, configured to send the first data message after routing processing to the switching module through the third interface.
19. The firewall card according to claim 16, wherein the processing module is further configured to:
perform firewall processing on the second data message to be processed, and modify the destination MAC address of the header of the second data message to be processed according to the message type of the second data message to be processed;
and correspondingly, the sending module is further configured to:
send the modified second data message to the switching module so that the switching module performs routing processing on the modified second data message.
20. The firewall card according to claim 19, wherein the processing module is specifically configured to:
if the second data message to be processed is an application-type data message, modify the destination MAC address of the header of the second data message to be processed to a first preset MAC address;
or,
if the second data message to be processed is a control-type data message, modify the destination MAC address of the header of the second data message to be processed to a second preset MAC address.
21. A switch, comprising:
the switching module according to any one of claims 11 to 15 and the firewall card according to any one of claims 16 to 20.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410273242.8A CN104022973A (en) | 2014-06-18 | 2014-06-18 | Message forwarding method, switching module, firewall card and switch |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104022973A true CN104022973A (en) | 2014-09-03 |
Family
ID=51439546
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410273242.8A Pending CN104022973A (en) | 2014-06-18 | 2014-06-18 | Message forwarding method, switching module, firewall card and switch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104022973A (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104836738A (en) * | 2015-04-02 | 2015-08-12 | 福建星网锐捷网络有限公司 | Router hardware item resource management method and device, and network equipment |
CN104836738B (en) * | 2015-04-02 | 2018-05-22 | 福建星网锐捷网络有限公司 | Routing hardware list item method for managing resource, device and the network equipment |
CN106506297A (en) * | 2016-11-18 | 2017-03-15 | 杭州华三通信技术有限公司 | A kind of control method of flowing of access and device |
CN107707478A (en) * | 2017-09-30 | 2018-02-16 | 迈普通信技术股份有限公司 | Data forwarding method and equipment |
CN109787877A (en) * | 2017-11-10 | 2019-05-21 | 智邦科技股份有限公司 | The management method that box interchanger, network interface card and package transfer |
CN109787877B (en) * | 2017-11-10 | 2020-12-25 | 智邦科技股份有限公司 | Box type switch, network interface card and management method for packet transfer |
CN112565045A (en) * | 2019-09-26 | 2021-03-26 | 中兴通讯股份有限公司 | Method, device, equipment and storage medium for forwarding EVPN message |
CN112565045B (en) * | 2019-09-26 | 2024-05-07 | 中兴通讯股份有限公司 | Method, device, equipment and storage medium for forwarding message in EVPN |
CN110708331A (en) * | 2019-10-17 | 2020-01-17 | 辽宁机电职业技术学院 | Document network threat early warning monitoring and management system and method based on artificial intelligence |
CN110708331B (en) * | 2019-10-17 | 2021-10-26 | 辽宁机电职业技术学院 | Document management system based on artificial intelligence |
CN112995113A (en) * | 2019-12-17 | 2021-06-18 | 海信视像科技股份有限公司 | Display device, port control method and storage medium |
CN112995113B (en) * | 2019-12-17 | 2022-06-14 | 海信视像科技股份有限公司 | Display device, port control method and storage medium |
CN111147382A (en) * | 2019-12-31 | 2020-05-12 | 杭州迪普科技股份有限公司 | Message forwarding method and device |
CN111147382B (en) * | 2019-12-31 | 2021-09-21 | 杭州迪普科技股份有限公司 | Message forwarding method and device |
CN111385631A (en) * | 2020-03-04 | 2020-07-07 | 海信视像科技股份有限公司 | Display device, communication method and storage medium |
CN111385631B (en) * | 2020-03-04 | 2022-05-24 | 海信视像科技股份有限公司 | Display device, communication method and storage medium |
CN112737948A (en) * | 2020-12-30 | 2021-04-30 | 北京威努特技术有限公司 | Data transmission method and device between VLANs and industrial control firewall equipment |
CN113765798A (en) * | 2021-11-09 | 2021-12-07 | 广东睿江云计算股份有限公司 | QoS method, device, computer equipment and medium using external filter |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101616094A (en) * | 2009-08-10 | 2009-12-30 | 杭州华三通信技术有限公司 | Method and device for obtaining message forwarding path |
CN202111738U (en) * | 2011-07-12 | 2012-01-11 | 四川创意信息技术股份有限公司 | Network output system based on core exchanger |
EP2439901A1 (en) * | 2010-10-06 | 2012-04-11 | Société Française du Radiotéléphone-SFR | Processing method in a module of an access device suitable for connecting a remote network to a plurality of local area networks, associated module and computer program |
CN102420762A (en) * | 2011-12-05 | 2012-04-18 | 北京星网锐捷网络技术有限公司 | Message forwarding method, message forwarding system, network equipment and firewall wire card |
CN102427429A (en) * | 2012-01-12 | 2012-04-25 | 神州数码网络(北京)有限公司 | Method and system for realizing safety protection of message inside switch and switch |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104022973A (en) | | Message forwarding method, switching module, firewall card and switch |
JP7004405B2 (en) | | Systems and methods for distributed flow state P2P configuration in virtual networks |
EP3499799B1 (en) | | Forwarding policy configuration |
EP3072264B1 (en) | | Method for performing network service insertion |
US9185056B2 (en) | | System and methods for controlling network traffic through virtual switches |
EP3014851B1 (en) | | Apparatus and method for distribution of policy enforcement point |
US8416796B2 (en) | | Systems and methods for managing virtual switches |
US8559429B2 (en) | | Sequential frame forwarding |
EP3017569B1 (en) | | Virtual network |
CN102904975B (en) | | Method and associated device for message processing |
US10911354B2 (en) | | Packet processing method and system, and device |
EP3292661B1 (en) | | Packet forwarding |
IL144100A (en) | | MAC address-based communication restricting method |
EP3292666B1 (en) | | Multicast data packet forwarding |
CN112272145A (en) | | Message processing method, device, equipment and machine readable storage medium |
US10965596B2 (en) | | Hybrid services insertion |
CN111245858A (en) | | Network flow interception method, system, device, computer equipment and storage medium |
CN108737217A (en) | | A kind of packet snapping method and device |
US10666558B2 (en) | | Automatic alignment of roles of routers in networks |
US20180097746A1 (en) | | Packet forwarding |
US20190007279A1 (en) | | Control apparatus, communication system, virtual network management method, and program |
US20120170581A1 (en) | | Policy homomorphic network extension |
WO2016112656A1 (en) | | Service processing method and device |
CN104852923A (en) | | User-based route isolating method and system |
CN108989206B (en) | | Message forwarding method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20140903 |