
CN104734986A - Message forwarding method and device - Google Patents


Info

Publication number
CN104734986A
Authority
CN
China
Prior art keywords
message
territory
outbound port
encapsulated
acl
Prior art date
Legal status
Granted
Application number
CN201310704097.XA
Other languages
Chinese (zh)
Other versions
CN104734986B (en
Inventor
于来凯
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose a packet forwarding method and device. An input switch obtains packets introduced by an ACL policy; according to a pre-configured correspondence between ACL policies and VN domains, it obtains the VN domain corresponding to that ACL policy; it performs VxLAN encapsulation on the obtained packet to produce an encapsulated packet; and it forwards the encapsulated packet to the corresponding output switch according to the VxLAN standard. When network traffic is inspected, the invention pre-configures the correspondence between ACL policies and VN domains and the correspondence between VN domains and egress ports, and forwards the packets introduced by an ACL policy to the egress ports by means of the VxLAN protocol. When an egress port must be added or removed for the packets introduced by an ACL policy, only the egress port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic monitoring network.

Description

A message forwarding method and device

Technical field

The invention relates to the field of the Internet, and in particular to a packet forwarding method and device.

Background

The network is a bridge for transmitting information: through it, users can conveniently send or obtain information. Besides useful information, however, some users or groups also use the network to spread illegal information, so network information security must be brought under legal management, with effective monitoring of information during normal packet forwarding in order to find undesirable information and clean up the network.

Traffic is the volume of data made up of packets, so service monitoring of traffic is in fact service monitoring of the packets that make up that traffic. Existing service monitoring of packets forwarded on the network is generally done by redirection using an access control list (ACL) policy. For example, if a department needs to monitor whether the content of the packets forwarded by a website is legal, policy routing is first configured through an ACL so that the output packets of that website are redirected to the egress port designated by the department; that is, a copy of each output packet is made and the copy is sent to the designated egress port, and a single device connected to that egress port then performs service monitoring on the traffic it receives.

However, as monitoring tasks grow richer, a single device can no longer satisfy the needs of service monitoring. When other devices must be added, or other departments must monitor cooperatively, an ACL policy can only be handled by reconfiguring policy routing for each newly added device, so the network is hard to scale and the cost of building it is very high.

Summary of the invention

To solve the above technical problem, the invention provides a packet forwarding method and device that use the VxLAN protocol to effectively expand the scale of a monitoring network and improve its scalability.

The invention discloses the following technical solutions:

In a first aspect, the invention provides a packet forwarding method, the method comprising:

an input switch obtaining packets introduced by an access control list (ACL) policy;

the input switch obtaining, according to a pre-configured correspondence between ACL policies and Virtual eXtensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;

the input switch performing Virtual eXtensible LAN (VxLAN) encapsulation on the obtained packet to produce an encapsulated packet, the outer header of the encapsulated packet containing the address information of the VN domain; and

the input switch forwarding the encapsulated packet to the corresponding output switch according to the VxLAN standard.

In a first possible implementation of the first aspect, in the correspondence between ACL policies and VN domains:

one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.

With reference to the first aspect or its first possible implementation, in a second possible implementation the address information of the VN domain includes the identifier (VNI) of the VN domain and the IP address of the VN domain.

With reference to the first aspect or its first or second possible implementation, in a third possible implementation the method further includes, before the input switch obtains the packets introduced by the ACL policy:

the input switch performing ACL matching on a received packet according to the packet's five-tuple and determining that the packet is one that can be introduced by the ACL policy, the five-tuple including the packet's source IP address, destination IP address, source port number, destination port number and protocol number.

In a second aspect, the invention provides an input switch, comprising:

a packet obtaining unit, configured to obtain packets introduced by an ACL policy;

a determining unit, configured to obtain, according to a pre-configured correspondence between ACL policies and Virtual eXtensible LAN network (VN) domains, the VN domain corresponding to the ACL policy;

an encapsulation unit, configured to perform Virtual eXtensible LAN (VxLAN) encapsulation on the obtained packet to produce an encapsulated packet, the outer header of the encapsulated packet containing the address information of the VN domain; and

a sending unit, configured to forward the encapsulated packet to the corresponding output switch according to the VxLAN standard.

In a first possible implementation of the second aspect, in the correspondence between ACL policies and VN domains:

one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.

With reference to the second aspect or its first possible implementation, in a second possible implementation the address information of the VN domain includes the identifier (VNI) of the VN domain and the IP address of the VN domain.

With reference to the second aspect or its first or second possible implementation, a third possible implementation further includes:

an ACL matching unit, configured to perform ACL matching on a received packet according to the packet's five-tuple and to determine that the packet is one that can be introduced by the ACL policy, the five-tuple including the packet's source IP address, destination IP address, source port number, destination port number and protocol number.

In a third aspect, the invention provides a packet forwarding method, the method comprising:

an output switch receiving an encapsulated packet sent by an input switch, the outer header of the encapsulated packet containing the address information of a Virtual eXtensible LAN network (VN) domain;

the output switch looking up, according to the address information of the VN domain in the outer header of the encapsulated packet, a pre-configured correspondence between VN domains and egress ports, and obtaining the egress port corresponding to the VN domain; and

the output switch decapsulating the encapsulated packet to obtain a decapsulated packet, the decapsulated packet being the packet introduced by the input switch through the ACL policy, and sending the decapsulated packet to the egress port.

In a first possible implementation of the third aspect, in the correspondence between VN domains and egress ports:

one VN domain corresponds to at least one egress port.

With reference to the third aspect or its first possible implementation, in a second possible implementation,

the address information of the VN domain includes the identifier (VNI) of the VN domain and the IP address of the VN domain.

With reference to the first possible implementation of the third aspect, in a third possible implementation, the output switch sending the encapsulated packet to the egress port and decapsulating the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy, includes:

when the output switch obtains N egress ports, copying the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2; and

the output switch sending one copy of the encapsulated traffic to each of the egress ports and decapsulating the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.

In a fourth aspect, the invention provides an output switch, comprising:

a receiving unit, configured to receive an encapsulated packet sent by an input switch, the outer header of the encapsulated packet containing the address information of a Virtual eXtensible LAN network (VN) domain;

an egress port obtaining unit, configured to look up, according to the address information of the VN domain in the outer header of the encapsulated packet, a pre-configured correspondence between VN domains and egress ports, and to obtain the egress port corresponding to the VN domain; and

a sending unit, configured to send the encapsulated packet to the egress port and to decapsulate the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.

In a first possible implementation of the fourth aspect, the correspondence between VN domains and egress ports is specifically:

one VN domain corresponds to at least one egress port.

With reference to the fourth aspect or its first possible implementation, in a second possible implementation,

the address information of the VN domain includes the identifier (VNI) of the VN domain and the IP address of the VN domain.

With reference to the first possible implementation of the fourth aspect, in a third possible implementation the sending unit is specifically configured to:

when the egress port obtaining unit obtains N egress ports, copy the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2, send one copy of the encapsulated packet to each of the egress ports, and decapsulate the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.

As can be seen from the above technical solutions, when network traffic is inspected, the technical solution of the invention pre-configures the correspondence between ACL policies and VN domains and the correspondence between VN domains and egress ports, and forwards the packets introduced by an ACL policy to the egress ports by means of the VxLAN protocol. When an egress port must be added or removed for the packets introduced by an ACL policy, only the egress port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic monitoring network.

Description of drawings

To explain the technical solutions in the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.

Fig. 1 is a schematic diagram of the combination of an ACL policy with the VxLAN protocol according to the invention;

Fig. 2 is the first method flowchart of a packet forwarding method according to the invention;

Fig. 3 is the second method flowchart of a packet forwarding method according to the invention;

Fig. 4 is a schematic diagram of packet forwarding according to the invention;

Fig. 5 is the first device structure diagram of an input switch according to the invention;

Fig. 6 is the second device structure diagram of an input switch according to the invention;

Fig. 7 is a schematic diagram of the hardware configuration of a switch according to the invention;

Fig. 8 is a device structure diagram of an output switch according to the invention;

Fig. 9 is a schematic diagram of the hardware configuration of a switch according to the invention.

Detailed description

Embodiments of the invention provide a packet forwarding method and device. Combining an ACL policy with the Virtual eXtensible LAN (VxLAN) protocol requires at least a corresponding extension of the port on the network at which packets are introduced and of the packet output port that points at the detection server inspecting that traffic. Fig. 1 is a schematic diagram of the combination of an ACL policy with the VxLAN protocol according to the invention. The correspondence between the ACL policy used to introduce packets and a VxLAN Network (VN) domain, and the correspondence between the VN domain and egress ports, must be configured in advance; here the egress port corresponding to a VN domain is the port connected to the detection server that inspects the packets introduced by the ACL policy corresponding to that VN domain. In this way the egress ports of the VN domain, which can be set flexibly in advance, are tied to the egress ports of the packets: when, for a given packet to be monitored, other packet monitoring devices must be added or other departments must monitor cooperatively because of service monitoring needs or other circumstances, only the egress port information of the VN domain corresponding to the ACL policy used to introduce that packet needs to be adjusted.

To make the above objects, features and advantages of the invention clearer and easier to understand, the embodiments of the invention are described in detail below with reference to the accompanying drawings.

Embodiment one

This embodiment describes the technical solution with the input switch at the packet introduction port as the executing entity. Fig. 2 is the first method flowchart of a packet forwarding method according to the invention; the method includes the following steps:

S201: the input switch obtains packets introduced by an ACL policy;

It should be noted that the traffic received by the input switch includes not only packets introduced by the ACL policy but also other network packets, so the input switch must match the received packets effectively to determine which of them were introduced by the ACL policy. The technical solution of the invention provides a preferred matching method: the received packets are screened by matching their five-tuple, and a packet that satisfies the matching rule is determined to be one introduced by the ACL policy. The five-tuple here includes the packet's source IP, destination IP, source port number, destination port number and protocol number. This matching method is only a preferred example; the five-tuple is information at layers L2 to L3 of the packet, and other information at layers L2 to L7 that can be used to match an ACL policy may also be matched. The invention does not limit how the packets introduced by the ACL policy are matched.

S202: the input switch obtains, according to the pre-configured correspondence between ACL policies and VxLAN network (VN) domains, the VN domain corresponding to the ACL policy;

It should be noted that the correspondence between different ACL policies and different VN domains is defined in advance, and one or more ACL policies may be set to correspond to the same VN domain according to actual conditions, so that the traffic forwarded through those ACL policies is all mapped to the same VN domain according to that correspondence; that is, one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy. In an actual network, the step of presetting this correspondence need not be executed every time a packet is forwarded.

S203: the input switch performs VxLAN encapsulation on the obtained packet to produce an encapsulated packet, the outer header of the encapsulated packet containing the address information of the VN domain;

It should be noted that this encapsulation differs from encapsulation under the existing VxLAN standard: what is encapsulated is the packet introduced by the ACL policy, and the outer header of the encapsulated packet carries the address information of the VN domain so that the output switch receiving the encapsulated packet can determine the egress port from it. The address information of the VN domain must include at least the identifier (VNI) of the VN domain and the IP address of the VN domain. The VNI is a value within a certain numeric range, such as 20, 30 or 40; from this identifier the output switch determines the egress ports corresponding to the VN domain through the pre-configured correspondence between VN domains and egress ports. In the prior art the IP address of the VN domain is generally a multicast IP address, such as 239.0.0.2, and it is the destination IP of the encapsulated packet; the input switch thereby maps the encapsulated packet into that VN domain.

S204: the input switch forwards the encapsulated packet to the corresponding output switch according to the VxLAN standard.

Forwarding in this step is performed according to the VxLAN standard and is not described further here. The specific processing after forwarding to the output switch is described in embodiment two.

This embodiment shows that, when network traffic is inspected, the technical solution of the invention pre-configures the correspondence between ACL policies and VN domains and forwards the packets introduced by an ACL policy by means of the VxLAN protocol. When an egress port must be added or removed for the packets introduced by an ACL policy, only the egress port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic monitoring network.

Embodiment two

This embodiment describes the technical solution with the output switch, whose traffic output port points at the detection server inspecting the traffic, as the executing entity. Fig. 3 is the second method flowchart of a packet forwarding method according to the invention; the method includes the following steps:

S301: the output switch receives the encapsulated packet sent by the input switch, the outer header of the encapsulated packet containing the address information of the VN domain;

The encapsulated packet received here is the one forwarded according to the VxLAN standard in step S204 of embodiment one; both forwarding and reception follow the VxLAN standard and are not described further here.

S302: the output switch looks up, according to the address information of the VN domain in the outer header of the encapsulated packet, the pre-configured correspondence between VN domains and egress ports, and obtains the egress port corresponding to the VN domain;

As mentioned in step S203 of embodiment one, the address information of the VN domain must include at least the VNI of the VN domain and the IP address of the VN domain. The VNI is a value within a certain numeric range, such as 20, 30 or 40; from this identifier the output switch determines the egress ports corresponding to the VN domain through the pre-configured correspondence between VN domains and egress ports. It should be noted that the pre-defined correspondence means that one or more egress ports may be set for a VN domain according to actual conditions, where the actual conditions mainly refer to which detection services the packets introduced by the one or more ACL policies corresponding to that VN domain must pass through, that is, which detection servers must inspect them; the specific location and information of the egress ports of the VN domain are set according to those detection servers. In other words, if the packets introduced by the ACL policy corresponding to the VN domain need only be inspected by one detection server, only one egress port connected to that detection server is set; if several detection servers are needed, egress ports connected to each of those detection servers are set. The correspondence between VN domains and egress ports may take the form of an egress port list, as shown in the following table:

VNI   Egress port list
20    Port1, Port2
40    Port3, Port4

A VNI may correspond to one or more egress ports.

S303: the output switch sends the encapsulated packet to the egress port and decapsulates the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.

It should be noted that, when several egress ports are determined in step S302, one copy of the encapsulated packet is sent to each egress port from the copies made, and the encapsulated packet is decapsulated before delivery to the egress port, restoring the original packet, so that every detection server obtains the complete packet introduced by the ACL policy for its detection service. Another implementation that can send the packet to several egress ports is to first decapsulate the encapsulated packet, restoring the original packet introduced by the ACL policy, then make several copies of that packet and send the copies to the corresponding egress ports, so that every detection server obtains a complete packet for its detection. That is, in the technical solution of the invention, the encapsulated packet may be copied first, sent to each of the determined egress ports, and decapsulated before the egress port; or it may be decapsulated first, restored to the original packet introduced by the ACL policy, then copied and sent to the several egress ports. Whether to decapsulate first and then copy, or copy first and then decapsulate, can be set in advance or decided according to the actual application scenario.

This embodiment shows that, when network traffic is inspected, the technical solution of the invention pre-configures the correspondence between VN domains and egress ports and forwards the packets introduced by an ACL policy by means of the VxLAN protocol. When an egress port must be added or removed for the packets introduced by an ACL policy, only the egress port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic monitoring network.

Embodiment 3

Combining the input-switch part of Embodiment 1 with the output-switch part of Embodiment 2, the complete flow from receiving a packet introduced by an ACL policy to delivering that packet to a detection server is described with an example. Refer to Fig. 4, a schematic diagram of packet forwarding according to the present invention:

Assume that the configured input switch 401 matches, among the packets it receives, two packets A and B introduced by ACL policies, where packet A has source IP address 2.2.2.2 and packet B has source IP address 3.3.3.3.

The device IP address of input switch 401 is 1.1.1.3. Using the pre-configured correspondence between ACL policies and VN domains, the input switch determines that the VN domain corresponding to packet A (source IP address 2.2.2.2) has identifier 20 and multicast IP address 239.0.0.1, and that the VN domain corresponding to packet B (source IP address 3.3.3.3) has identifier 40 and multicast IP address 239.0.0.2.

Having determined the VN domains of the two packets introduced by ACL policies, input switch 401 performs VxLAN encapsulation of packets A and B. The outer header of encapsulated packet A carries the corresponding VN domain identifier 20, the multicast IP address 239.0.0.1 and the input switch's device IP address 1.1.1.3; the outer header of encapsulated packet B carries the corresponding VN domain identifier 40, the multicast IP address 239.0.0.2 and the input switch's device IP address 1.1.1.3.

Input switch 401 then maps encapsulated packets A and B into their corresponding VN domains and multicast-forwards them according to the standard VxLAN protocol.

When encapsulated packet A reaches the corresponding output switch 402, output switch 402 parses the outer header of encapsulated packet A to obtain the VN domain identifier 20, then looks up the pre-configured correspondence between VN domains and egress ports and determines that this VN domain has two egress ports, Port1 and Port2, each connected to a detection server that needs to inspect packet A.

When encapsulated packet B reaches the corresponding output switch 403, output switch 403 parses the outer header of encapsulated packet B to obtain the VN domain identifier 40, then looks up the pre-configured correspondence between VN domains and egress ports and determines that this VN domain has two egress ports, Port3 and Port4, each connected to a detection server that needs to inspect packet B.

Output switch 402 replicates encapsulated packet A into two copies, sends them to Port1 and Port2 respectively, and decapsulates each copy before it reaches Port1 or Port2, restoring the original packet A. Alternatively, the encapsulated packet may first be decapsulated into the original packet A, which is then replicated and sent directly to the two egress ports Port1 and Port2; the present invention does not limit this.

Output switch 403 replicates encapsulated packet B into two copies, sends them to Port3 and Port4 respectively, and decapsulates each copy before it reaches Port3 or Port4, restoring the original packet B. Alternatively, the encapsulated packet may first be decapsulated into the original packet B, which is then replicated and sent directly to the two egress ports Port3 and Port4; the present invention does not limit this.
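The following is an added example and is not code from the patent or from Huawei: a Python model of the Fig. 4 walkthrough end to end, covering the five-tuple ACL matching of unit 601, the VxLAN encapsulation carrying the VNI, the multicast group and the input switch's address in the outer header, the output switch's VNI-to-egress-port lookup, and both replication orders described above (copy then decapsulate, decapsulate then copy). The wire format follows RFC 7348 (UDP destination port 4789, flags byte with the I bit, 24-bit VNI); the ACL rule representation, the sample frames, the destination addresses and all function names are assumptions made for this example. It also does what the patent text leaves implicit: the output switch validates the outer IPv4 checksum, UDP port and VxLAN I flag, and drops a packet whose VNI has no configured egress ports instead of flooding it to every monitor port.

```python
"""Model of the ACL -> VN domain -> VxLAN -> egress-port mirroring pipeline (added example,
not code from the patent). Table values follow Fig. 4; rule format and frames are assumed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA VxLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # RFC 7348 "I" flag: the VNI field is valid
IPPROTO_UDP = 17


@dataclass(frozen=True)
class FiveTuple:
    """Fields the ACL matching unit keys on (claim 4)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int

# Input switch tables (assumed representation). An ACL rule is a dict of five-tuple
# fields; an absent field is a wildcard. Several policies may share one VN domain.
ACL_POLICIES: Dict[str, dict] = {"acl-A": {"src_ip": "2.2.2.2"}, "acl-B": {"src_ip": "3.3.3.3"}}
ACL_TO_VN: Dict[str, Tuple[int, str]] = {"acl-A": (20, "239.0.0.1"), "acl-B": (40, "239.0.0.2")}
INPUT_SWITCH_IP = "1.1.1.3"
# Output switch table: adding a detection server changes only this map, not the ACLs.
VN_TO_EGRESS: Dict[int, List[str]] = {20: ["Port1", "Port2"], 40: ["Port3", "Port4"]}


def acl_match(rule: dict, pkt: FiveTuple) -> bool:
    return all(getattr(pkt, field) == value for field, value in rule.items())

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def vxlan_header(vni: int) -> bytes:
    """8-byte VxLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)

def encapsulate(inner_frame: bytes, vni: int, src_ip: str, group_ip: str) -> bytes:
    """Input switch: outer IPv4 (src = switch, dst = VN multicast group) + UDP + VxLAN + frame."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # UDP csum 0 allowed over IPv4
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP,
                               0, ipaddress.IPv4Address(src_ip).packed,
                               ipaddress.IPv4Address(group_ip).packed))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))
    return bytes(ip) + udp + vx + inner_frame

def decapsulate(encapsulated: bytes) -> Tuple[int, str, bytes]:
    """Output switch: validate the outer headers, return (VNI, group IP, inner frame).
    Malformed encapsulation is rejected rather than handed to a detection server."""
    if len(encapsulated) < 20:
        raise ValueError("truncated packet")
    ihl = (encapsulated[0] & 0x0F) * 4
    ip = encapsulated[:ihl]
    if ihl < 20 or len(encapsulated) < ihl + 16 or ipv4_checksum(ip) != 0 or ip[9] != IPPROTO_UDP:
        raise ValueError("bad outer IPv4 header")
    _, dport, udp_len, _ = struct.unpack("!HHHH", encapsulated[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT or udp_len < 16 or ihl + udp_len > len(encapsulated):
        raise ValueError("bad outer UDP header")
    flags, _, _, vni_field = struct.unpack("!BBHI", encapsulated[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VxLAN I flag not set")
    return vni_field >> 8, str(ipaddress.IPv4Address(ip[16:20])), encapsulated[ihl + 16:ihl + udp_len]

def input_switch(pkt: FiveTuple, frame: bytes) -> Optional[bytes]:
    """Embodiment 1: the first matching ACL policy selects the VN domain; unmatched traffic is not mirrored."""
    for name, rule in ACL_POLICIES.items():
        if acl_match(rule, pkt):
            vni, group_ip = ACL_TO_VN[name]
            return encapsulate(frame, vni, INPUT_SWITCH_IP, group_ip)
    return None

def output_switch(encapsulated: bytes, decapsulate_first: bool = False) -> Dict[str, bytes]:
    """S302-S303: VNI lookup, replication to N egress ports, decapsulation before delivery.
    Both orderings described in the text deliver the same frame at every port."""
    vni, _, inner = decapsulate(encapsulated)
    ports = VN_TO_EGRESS.get(vni)
    if not ports:
        return {}  # unknown VNI: drop; never flood to every monitor port
    if decapsulate_first:
        return {port: inner for port in ports}  # decapsulate once, then copy
    copies = [bytes(encapsulated) for _ in ports]  # copy, then decapsulate each copy
    return {port: decapsulate(copy)[2] for port, copy in zip(ports, copies)}

def is_rejected(encapsulated: bytes) -> bool:
    """True when the output switch refuses the packet (exercises the validation path)."""
    try:
        decapsulate(encapsulated)
    except ValueError:
        return True
    return False

def run_fig4_example() -> Dict[str, Dict[str, bytes]]:
    """Constructed frames for packets A and B of Fig. 4 plus one packet no ACL policy introduces."""
    frame_a = bytes.fromhex("00112233445566778899aabb0800") + b"payload-A"
    frame_b = frame_a.replace(b"payload-A", b"payload-B")
    cases = (("A", FiveTuple("2.2.2.2", "10.0.0.9", 40000, 443, 6), frame_a),
             ("B", FiveTuple("3.3.3.3", "10.0.0.9", 40001, 53, 17), frame_b),
             ("C", FiveTuple("9.9.9.9", "10.0.0.9", 40002, 22, 6), frame_a))
    results = {}
    for label, pkt, frame in cases:
        enc = input_switch(pkt, frame)
        results[label] = output_switch(enc) if enc is not None else {}
    return results
```

`run_fig4_example()` returns, per packet, the frame each egress port receives: A reaches Port1 and Port2, B reaches Port3 and Port4, and C, matched by no ACL policy, is never encapsulated. Adding a third detection server for VNI 20 is a one-entry change to `VN_TO_EGRESS`, which is the scalability property the description claims.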

Embodiment 3

This embodiment is the apparatus embodiment corresponding to Embodiment 1. Refer to Fig. 5, one of the structural diagrams of an input switch according to the present invention. The input switch comprises:

a packet acquisition unit 501, configured to acquire packets introduced by an ACL policy;

a determining unit 502, configured to obtain the VN domain corresponding to the ACL policy according to the pre-configured correspondence between ACL policies and virtual extensible local area network (VxLAN) network VN domains;

an encapsulation unit 503, configured to perform VxLAN encapsulation on the acquired packet to obtain an encapsulated packet, the outer encapsulation header of which contains the address information of the VN domain;

a sending unit 504, configured to forward the encapsulated packet to the corresponding output switch according to the VxLAN standard.

Preferably, in the correspondence between ACL policies and VN domains:

one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.

Preferably,

the address information of the VN domain includes the VN domain identifier (VNI) and the IP address of the VN domain.

Preferably, the input switch of the foregoing embodiments may further include an ACL matching unit; as shown in Fig. 6, the input switch of Fig. 5 further includes:

an ACL matching unit 601, configured to perform ACL matching on a received packet according to its five-tuple and to determine that the packet is one that can be introduced by an ACL policy, the five-tuple comprising the packet's source IP address, destination IP address, source port number, destination port number and protocol number.

Further, an embodiment of the present invention also provides a switch for implementing the method shown in Fig. 2. Refer to Fig. 7, a schematic diagram of the hardware structure of a switch according to the present invention; the switch comprises a memory 701, a receiver 702, a transmitter 704 and a processor 703 connected to each of the memory 701, the receiver 702 and the transmitter 704:

the memory 701 is configured to store the pre-configured correspondence between ACL policies and VxLAN network VN domains;

the receiver 702 is configured to acquire packets introduced by an access control list (ACL) policy;

the processor 703 is configured to obtain the VN domain corresponding to the ACL policy according to the correspondence between ACL policies and VN domains pre-configured in the memory 701, and to perform VxLAN encapsulation on the acquired packet to obtain an encapsulated packet whose outer encapsulation header contains the address information of the VN domain;

the transmitter 704 is configured to forward the encapsulated packet to the corresponding output switch according to the VxLAN standard.

Embodiment 4

This embodiment is the apparatus embodiment corresponding to Embodiment 2. Refer to Fig. 8, a structural diagram of an output switch according to the present invention. The output switch comprises:

a receiving unit 801, configured to receive an encapsulated packet sent by an input switch, the outer encapsulation header of which contains the address information of a VxLAN network VN domain;

an egress-port acquisition unit 802, configured to look up the pre-configured correspondence between VN domains and egress ports according to the VN domain address information in the outer header of the encapsulated packet, and to obtain the egress port(s) corresponding to the VN domain;

a sending unit 803, configured to send the encapsulated packet to the egress port and to decapsulate it before delivery, so that the egress port obtains the packet introduced by the ACL policy.

Preferably, the correspondence between VN domains and egress ports is specifically:

one VN domain corresponds to at least one egress port.

Preferably, the address information of the VN domain includes the VN domain identifier (VNI) and the IP address of the VN domain.

Preferably, the sending unit 803 is specifically configured to:

when the egress-port acquisition unit obtains N egress ports, N being a natural number greater than or equal to 2, replicate the encapsulated packet into N copies, send one encapsulated copy to each egress port, and decapsulate each copy before delivery, so that each egress port obtains the packet introduced by the ACL policy.

Further, an embodiment of the present invention also provides a switch for implementing the method shown in Fig. 3. Refer to Fig. 9, a schematic diagram of the hardware structure of a switch according to the present invention; the switch comprises a memory 901, a receiver 902, a transmitter 904 and a processor 903 connected to each of the memory 901, the receiver 902 and the transmitter 904:

the memory 901 is configured to store the pre-configured correspondence between VN domains and egress ports;

the receiver 902 is configured to receive an encapsulated packet sent by an input switch, the outer encapsulation header of which contains the address information of a VxLAN network VN domain;

the processor 903 is configured to look up, according to the VN domain address information in the outer header of the encapsulated packet, the correspondence between VN domains and egress ports pre-configured in the memory 901, and to obtain the egress port corresponding to the VN domain;

the transmitter 904 is configured to send the encapsulated packet to the egress port and to decapsulate it before delivery, so that the egress port obtains the packet introduced by the ACL policy.

As the above embodiments show, when the technical solution of the present invention is used to detect network traffic, the correspondence between ACL policies and VN domains and the correspondence between VN domains and egress ports are pre-configured, and the packets introduced by an ACL policy are forwarded to the egress ports using the VxLAN protocol. When an egress port has to be added to or removed from the set receiving the packets introduced by an ACL policy, only the egress-port information of the VN domain corresponding to that ACL policy needs to be modified, which greatly improves the scalability of the traffic monitoring network.

It should be noted that a person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.

The packet forwarding method and apparatus provided by the present invention have been described in detail above, using specific embodiments to explain the principles and implementations of the present invention. The description of the above embodiments is only intended to help understand the method of the present invention and its core idea; at the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (16)

1. A packet forwarding method, characterized in that the method comprises:
an input switch acquires a packet introduced by an access control list (ACL) policy;
the input switch obtains, according to a pre-configured correspondence between ACL policies and virtual extensible local area network (VxLAN) network VN domains, the VN domain corresponding to the ACL policy;
the input switch performs VxLAN encapsulation on the acquired packet to obtain an encapsulated packet, an outer encapsulation header of the encapsulated packet containing address information of the VN domain;
the input switch forwards the encapsulated packet to a corresponding output switch according to the VxLAN standard.
2. The method according to claim 1, characterized in that, in the correspondence between ACL policies and VN domains:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
3. The method according to claim 1 or 2, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
4. The method according to any one of claims 1 to 3, characterized in that, before the input switch acquires the packet introduced by the ACL policy, the method further comprises:
the input switch performs ACL matching on a received packet according to a five-tuple of the packet and determines that the packet is a packet that can be introduced by an ACL policy, the five-tuple comprising the source IP address, destination IP address, source port number, destination port number and protocol number of the packet.
5. An input switch, characterized in that it comprises:
a packet acquisition unit, configured to acquire a packet introduced by an ACL policy;
a determining unit, configured to obtain, according to a pre-configured correspondence between ACL policies and VxLAN network VN domains, the VN domain corresponding to the ACL policy;
an encapsulation unit, configured to perform VxLAN encapsulation on the acquired packet to obtain an encapsulated packet, an outer encapsulation header of the encapsulated packet containing address information of the VN domain;
a sending unit, configured to forward the encapsulated packet to a corresponding output switch according to the VxLAN standard.
6. The input switch according to claim 5, characterized in that, in the correspondence between ACL policies and VN domains:
one ACL policy corresponds to one VN domain, and one VN domain corresponds to at least one ACL policy.
7. The input switch according to claim 5 or 6, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
8. The input switch according to any one of claims 5 to 7, characterized in that it further comprises:
an ACL matching unit, configured to perform ACL matching on a received packet according to a five-tuple of the packet and to determine that the packet is a packet that can be introduced by an ACL policy, the five-tuple comprising the source IP address, destination IP address, source port number, destination port number and protocol number of the packet.
9. A packet forwarding method, characterized in that the method comprises:
an output switch receives an encapsulated packet sent by an input switch, an outer encapsulation header of the encapsulated packet containing address information of a VxLAN network VN domain;
the output switch looks up a pre-configured correspondence between VN domains and egress ports according to the VN domain address information in the outer header of the encapsulated packet, and obtains the egress port corresponding to the VN domain;
the output switch sends the encapsulated packet to the egress port and decapsulates the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.
10. The method according to claim 9, characterized in that, in the correspondence between VN domains and egress ports:
one VN domain corresponds to at least one egress port.
11. The method according to claim 9 or 10, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
12. The method according to claim 10, characterized in that the output switch sending the encapsulated packet to the egress port and decapsulating the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy, comprises:
when the output switch obtains N egress ports, the output switch replicates the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2;
the output switch sends one encapsulated copy to each of the egress ports and decapsulates the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.
13. An output switch, characterized in that it comprises:
a receiving unit, configured to receive an encapsulated packet sent by an input switch, an outer encapsulation header of the encapsulated packet containing address information of a VxLAN network VN domain;
an egress-port acquisition unit, configured to look up a pre-configured correspondence between VN domains and egress ports according to the VN domain address information in the outer header of the encapsulated packet, and to obtain the egress port corresponding to the VN domain;
a sending unit, configured to send the encapsulated packet to the egress port and to decapsulate the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.
14. The output switch according to claim 13, characterized in that the correspondence between VN domains and egress ports is specifically:
one VN domain corresponds to at least one egress port.
15. The output switch according to claim 13 or 14, characterized in that
the address information of the VN domain comprises the identifier (VNI) of the VN domain and the IP address of the VN domain.
16. The output switch according to claim 13, characterized in that the sending unit is specifically configured to:
when the egress-port acquisition unit obtains N egress ports, replicate the encapsulated packet to obtain N copies of the encapsulated packet, N being a natural number greater than or equal to 2, send one encapsulated copy to each of the egress ports, and decapsulate the encapsulated packet before delivery to the egress port, so that the egress port obtains the packet introduced by the ACL policy.
CN201310704097.XA 2013-12-19 2013-12-19 A kind of message forwarding method and device Active CN104734986B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310704097.XA CN104734986B (en) 2013-12-19 2013-12-19 A kind of message forwarding method and device

Publications (2)

Publication Number Publication Date
CN104734986A true CN104734986A (en) 2015-06-24
CN104734986B CN104734986B (en) 2018-12-25

Family

ID=53458433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310704097.XA Active CN104734986B (en) 2013-12-19 2013-12-19 A kind of message forwarding method and device

Country Status (1)

Country Link
CN (1) CN104734986B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466340A * 2002-06-24 2004-01-07 Method for forwarding data by strategic stream mode and data forwarding equipment
CN101217539A (en) * 2007-12-29 2008-07-09 杭州华三通信技术有限公司 A firewall device and method for treatment of secondary forwarding message
US20110058549A1 (en) * 2009-09-09 2011-03-10 Amir Harel Method and system for layer 2 manipulator and forwarder
US20130064247A1 (en) * 2010-05-24 2013-03-14 Hangzhou H3C Technologies Co., Ltd. Method and device for processing source role information
US20120033670A1 (en) * 2010-08-06 2012-02-09 Alcatel-Lucent, Usa Inc. EGRESS PROCESSING OF INGRESS VLAN ACLs
US20120287786A1 (en) * 2011-05-14 2012-11-15 International Business Machines Corporation Priority based flow control in a distributed fabric protocol (dfp) switching network architecture
CN102307136A (en) * 2011-07-06 2012-01-04 杭州华三通信技术有限公司 Method for processing message and device thereof
CN103152257A (en) * 2013-03-14 2013-06-12 杭州华三通信技术有限公司 Data transmission method and device

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591834A (en) * 2015-07-10 2016-05-18 杭州华三通信技术有限公司 Traffic monitoring method and device in VXLAN
CN105591834B (en) * 2015-07-10 2018-12-11 新华三技术有限公司 Flux monitoring method and device in VXLAN
CN105939230A (en) * 2016-04-27 2016-09-14 杭州迪普科技有限公司 Multipoint remote monitoring method and device
CN106230668A (en) * 2016-07-14 2016-12-14 杭州华三通信技术有限公司 Connection control method and device
CN106230668B (en) * 2016-07-14 2020-01-03 新华三技术有限公司 Access control method and device
CN108063718A (en) * 2017-12-18 2018-05-22 迈普通信技术股份有限公司 Message processing method, device and electronic equipment
CN108063718B (en) * 2017-12-18 2021-02-05 迈普通信技术股份有限公司 Message processing method and device and electronic equipment
CN108093051A (en) * 2017-12-20 2018-05-29 迈普通信技术股份有限公司 Packet copy method and device
CN108093051B (en) * 2017-12-20 2021-02-05 迈普通信技术股份有限公司 Message copying method and device
CN108616463A (en) * 2018-04-25 2018-10-02 新华三技术有限公司 A kind of message processing method and interchanger
CN108616463B (en) * 2018-04-25 2021-04-30 新华三技术有限公司 Message processing method and switch

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant