CN110138656B - Service processing method and device - Google Patents
- Publication number: CN110138656B (application CN201910453594.4A)
- Authority: CN (China)
- Prior art keywords: service, session information, standby, firewall, backup
- Legal status: Active (the status is Google's assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L45/22—Alternate routing
- H04L45/28—Routing or path finding of packets in data switching networks using route fault recovery
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H04L67/141—Setup of application sessions
Abstract
An embodiment of the invention provides a service processing method and device. On detecting a failure of the external network outlet of the border router, the firewall device sends its local service session information to a standby firewall device for backup; after determining that the local service session information has been backed up to the standby firewall device, it sends a path switching notification to the gateway, so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the notification. The standby firewall device can thus forward service packets while the external network outlet of the border router is faulty, which avoids service interruption and improves user experience.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a service processing method and apparatus.
Background
A Fabric network is a data center network that uses a spine/leaf architecture. FIG. 1 is an exemplary diagram of a spine/leaf architecture. As shown in FIG. 1, spine nodes are not connected to one another and leaf nodes are not connected to one another, while every spine node is connected to every leaf node in a full mesh. In a data center network, a user's deployment may span Fabric networks, depending on the networking scenario.
The firewall device forwards the service packets of each service through the external network outlet of the border router. The firewall device is configured with a different processing policy for each service. For each service, when the firewall device receives the first service packet belonging to that service, it creates service session (session) information for the service. The service session information may include the source IP address, the destination IP address and similar fields of the service's packets. When the service session information is created, the processing policy corresponding to the service is also recorded in it. Therefore, when a later service packet of the same service is received, the firewall device forwards it directly according to the service's session information, without looking up the processing policy again.
In the related art, if the external network outlet of the Border router Border fails, the firewall device cannot forward the service packet through the failed external network outlet, thereby causing service interruption.
Disclosure of Invention
To overcome the problems in the related art, the invention provides a service processing method and a service processing apparatus, which improve backup efficiency and reduce the impact on the service processing performance of the primary firewall device.
In a first aspect, the present invention provides a method for processing a service, where the method is applied to a firewall device, and includes:
acquiring an external network outlet fault of a Border router Border;
sending the session information of the local service session to the standby firewall equipment for backup;
and, if it is determined that the local service session information has been backed up to the standby firewall device, sending a path switching notification to a gateway, so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the path switching notification.
With reference to the first aspect, in a first possible implementation manner, the sending the local service session information to the standby firewall device for backup includes:
for each local service session, determining the target service to which the service session belongs, selecting, from the standby firewall devices corresponding to the firewall device, the target standby firewall device that processes the target service, and sending the service session to that target standby firewall device for backup.
With reference to the first aspect, in a second possible implementation manner, the sending of the local service session information to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed external network outlet;
the sending the service session to the target backup firewall device for backup comprises:
and if the first service message is matched with the service session, sending the first service message and the service session to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session and forwards the received first service message.
With reference to the first aspect, in a third possible implementation manner, the method further includes:
establishing a point-to-point tunnel for backing up service session information between the main firewall equipment and the standby firewall equipment;
the sending the first service packet and the service session together to the target standby firewall device includes:
and sending the first service message and the service session together to the target standby firewall equipment through a point-to-point tunnel between the main firewall equipment and the target standby firewall equipment.
With reference to the first aspect, in a fourth possible implementation manner, in a process of sending the session information of the local service session to the standby firewall device for backup, if a second service packet is received, the method further includes:
checking whether the session information of the service session matched with the second service message is backed up to a first standby firewall device, wherein the first standby firewall device is a standby firewall device for processing the service of the second service message;
if yes, the second service message is sent to the first standby firewall equipment for forwarding through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment; and if not, sending the second service message and the service session information matched with the second service message to the first standby firewall equipment together through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment, so that the first standby firewall equipment stores the received service session and forwards the received second service message.
In a second aspect, the present invention provides a service processing apparatus, which is applied to a firewall device, and includes:
the acquisition module is used for acquiring the outer network outlet fault of the Border router Border;
the backup module is used for sending the session information of the local service session to the backup firewall equipment for backup;
and the path switching module is used for sending a path switching notification to the gateway when determining that the local service session information is backed up to the standby firewall device, so that the gateway switches the path from the gateway to the firewall device into the path from the gateway to the standby firewall device according to the path switching notification.
With reference to the second aspect, in a first possible implementation manner, when the backup module is configured to send the session information of the local service session to the standby firewall device for backup, the backup module is specifically configured to:
for each local service session, determine the target service to which the service session belongs, select, from the standby firewall devices corresponding to the firewall device, the target standby firewall device that processes the target service, and send the service session to that target standby firewall device for backup.
With reference to the second aspect, in a second possible implementation manner, the sending of the local service session information to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed external network outlet;
when the backup module is used for sending the service session to the target backup firewall device for backup, the backup module is specifically configured to:
and if the first service message is matched with the service session, sending the first service message and the service session to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session and forwards the received first service message.
With reference to the second aspect, in a third possible implementation manner, the apparatus further includes:
the tunnel establishing module is used for establishing a point-to-point tunnel for backing up the service session information between the firewall equipment and the standby firewall equipment;
when the backup module is configured to send the first service packet and the service session to the target backup firewall device, the backup module is specifically configured to:
and sending the first service message and the service session together to the target standby firewall equipment through a point-to-point tunnel between the main firewall equipment and the target standby firewall equipment.
With reference to the second aspect, in a fourth possible implementation manner, in the process of sending the session information of the local service session to the standby firewall device for backup, if a second service packet is received, the apparatus further includes:
the checking module is used for checking whether the service session information matched with the second service message is backed up to a first standby firewall device, and the first standby firewall device is a standby firewall device used for processing the service to which the second service message belongs;
a sending module, configured to: if the service session information matched with the second service packet has been backed up to the first standby firewall device, send the second service packet to the first standby firewall device for forwarding through the point-to-point tunnel between the firewall device and the first standby firewall device; and if not, send the second service packet together with the service session information matched with it to the first standby firewall device through the point-to-point tunnel between the firewall device and the first standby firewall device, so that the first standby firewall device stores the received service session information and forwards the received second service packet.
Therefore, with the service processing method provided by the invention, on detecting a failure of the external network outlet of the border router, the firewall device sends its local service session information to the standby firewall device for backup, and, after determining that the local service session information has been backed up to the standby firewall device, sends a path switching notification to the gateway so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the notification. The standby firewall device can thus forward service packets while the external network outlet of the border router is faulty, which avoids service interruption and improves user experience.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
FIG. 1 is an exemplary diagram of a spine/leaf architecture.
Fig. 2 is an exemplary diagram of a traffic forwarding path in the prior art.
Fig. 3 is a diagram illustrating an example of a primary and backup traffic forwarding path in the prior art.
Fig. 4 is a flowchart illustrating a service processing method according to an embodiment of the present invention.
Fig. 5 is an example diagram of a shortest path of an alternate traffic forwarding path.
Fig. 6 is a functional block diagram of a service processing apparatus according to an embodiment of the present invention.
Fig. 7 is a hardware structure diagram of a firewall device according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of embodiments of the invention, as detailed in the following claims.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of embodiments of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used to describe various information in embodiments of the present invention, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of embodiments of the present invention. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Fig. 2 is an exemplary diagram of a traffic forwarding path in the prior art. Fig. 3 is a diagram illustrating an example of a primary and backup traffic forwarding path in the prior art. As shown in fig. 2, in the first data center network, a traffic packet sent by a Virtual Machine (VM) is transmitted to the external network WAN1 along the path leaf node - spine node - border router - firewall device - border router - Wide Area Network (WAN); this path (the path indicated by the dotted line with an arrow in fig. 2) is the traffic forwarding path.
To guard against a failure of the border router, the firewall device in fig. 2 is provided with a standby firewall device, which is located in another data center network (the second data center network), as shown in fig. 3. For ease of description, the firewall device in fig. 2 is referred to below as the primary firewall device. In the related art, when the border router fails and the service packet cannot be forwarded to the external network WAN1 through it, the service packet is sent to WAN1 through the standby service forwarding path shown in fig. 3 (the path indicated by the dotted line with an arrow in fig. 3). As shown in fig. 3, the standby service forwarding path passes through the border router on the primary firewall device side, the Edge Device (ED) in the first data center network, the Edge Device in the second data center network, the standby firewall device, and the border router on the standby firewall device side (the other devices on the standby service forwarding path are not listed here; they are shown in detail in fig. 3).
The standby firewall devices for different services may be located in different data center networks. For example, the primary firewall devices of service 1 and service 2 are located in the first data center network shown in fig. 2, the standby firewall device corresponding to service 1 is located in the second data center network shown in fig. 3, and the standby firewall device corresponding to service 2 is located in a third data center network.
In the related art, if the external network outlet of the Border router Border fails, the firewall device cannot forward the service packet through the failed external network outlet, thereby causing service interruption.
In some related technologies, after the primary firewall device creates a session entry, it backs the entry up to the standby firewall device in real time. When the border router on the primary firewall device side fails, the service forwarding path is switched from the primary service forwarding path shown in fig. 2 to the standby service forwarding path shown in fig. 3, and the service packets are forwarded to the external network WAN1 by the border router on the standby firewall device side. Although this ensures that the service is not interrupted, transmitting session entries in real time means that every pair of primary and standby firewall devices must back up session entries, even though not every standby firewall device will ever use them: the probability of the primary service forwarding path failing is usually low, so the situations in which a standby firewall device actually needs the synchronized session entries are rare, and backing up regardless of need is inefficient.
Moreover, transmitting session entries in real time needlessly consumes resources of the primary firewall device, leaving fewer resources for the primary service forwarding path and thus reducing the service processing performance of the primary firewall device.
To solve the above problem, an embodiment of the present invention provides a service processing method in which sessions are not forwarded in real time; instead, the local service session information of the primary firewall device is sent to the standby firewall device for backup only when the external network outlet of the border router fails. Therefore, when the external network outlet of the border router on the primary firewall device side fails, the service can be forwarded through the external network outlet of the border router on the standby firewall device side, service interruption is avoided, the impact on the primary firewall device is reduced, and the primary firewall device keeps a high service processing performance.
The service processing method of the embodiment of the invention can be applied to a scene of crossing the Fabric network and can also be applied to a scene of not crossing the Fabric network. The service processing method of the present invention is explained below by way of an embodiment.
Fig. 4 is a flowchart illustrating a service processing method according to an embodiment of the present invention. The service processing method is applied to firewall equipment on a data center network, and as shown in fig. 4, the method may include:
S401, acquiring the external network outlet fault of the border router.
S402, sending the session information of the local service session to the backup firewall equipment for backup.
And S403, if the local service session information is determined to be backed up to the standby firewall device, sending a path switching notification to the gateway, so that the gateway switches the path from the gateway to the firewall device into the path from the gateway to the standby firewall device according to the path switching notification.
In this embodiment, the local service session information is not sent to the standby firewall device for backup in real time, but is backed up when the external network outlet of the Border router Border on the side of the firewall device fails.
Therefore, under most conditions, the external network outlet of the Border router Border has no fault and is in normal work, the firewall equipment does not need to back up the session information of the local service session to the standby firewall equipment, and the service processing performance of the firewall equipment is not influenced.
When the external network outlet of the Border router Border fails, if the firewall equipment does not receive the service message during the failure, the firewall equipment does not need to backup the session information of the local service session to the standby firewall equipment.
Only when the external network outlet of the Border router Border fails and the firewall device receives the service message during the failure, the firewall device needs to backup the local service session information to the standby firewall device.
Therefore, the backup times are reduced as much as possible, and the efficiency is improved. And the influence on the service processing performance of the firewall equipment is reduced to the greatest extent.
In one example, the firewall device can monitor the outer network outlet of the Border router Border to dynamically sense the outer network outlet failure of the Border router Border.
In one example, a failure monitoring program may be installed on the firewall device to monitor the border router for failures, and the firewall device determines whether the border router has failed based on the results of that program. The fault monitoring may work as follows: the firewall device periodically sends a Keepalive heartbeat message to the border router, and if no heartbeat reply from the border router is received within a preset response time, the border router is considered to have failed.
In an exemplary implementation, step S402 may include:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information to the target standby firewall equipment for backup.
For example, assume that three services are handled on the firewall device: service 1, service 2 and service 3, where the standby firewall device that processes service 1 is firewall device 1, the standby firewall device that processes service 2 is firewall device 2, and the standby firewall device that processes service 3 is firewall device 3. When the external network outlet of the border router on the firewall device side fails, the firewall device sends the session information of service 1 to firewall device 1 for backup, the session information of service 2 to firewall device 2 for backup, and the session information of service 3 to firewall device 3 for backup.
In an exemplary implementation, sending the session information of the local service session to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed external network outlet;
sending the service session information to the target backup firewall device for backup comprises the following steps:
and if the first service message is matched with the service session information, sending the first service message and the service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
In this embodiment, the first service packet matches the service session information, which indicates that the first service packet is a packet of a target service to which the service session information belongs, and the standby firewall device needs to forward the first service packet, where the service session information matched with the first service packet is needed in the standby firewall device.
In this example, when the firewall device receives a first service packet that needs to be sent through a failed external network outlet, the backup of the session information of the local service session is triggered. At this time, the firewall device sends the first service message and the service session information to the target standby firewall device, so that the target standby firewall device can forward the first service message according to the service session information, and the first service is kept continuous.
In one exemplary implementation, the method further comprises:
establishing a point-to-point tunnel for backing up the session information of the service between the firewall equipment and the standby firewall equipment;
the step of sending the first service packet and the service session information to the target standby firewall device includes:
and sending the first service message and the service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
In one example, in a Virtual eXtensible Local Area Network (VXLAN) overlay network, a VXLAN Tunnel End Point (VTEP) tunnel may be used as the point-to-point tunnel.
In step S402, the firewall device may package the service packet and the corresponding session entry and send the service packet and the corresponding session entry to the standby firewall device.
In an example, a point-to-point Tunnel may be set between the firewall device and the standby firewall device in advance, and in a case where the point-to-point Tunnel is set between the firewall device and the standby firewall device, the firewall device may send local session information and a service packet to the standby firewall device through the point-to-point Tunnel, or send the service packet to the standby firewall device through the point-to-point Tunnel when the session information is backed up to the standby firewall device. The session information and the corresponding service packet may be encapsulated in the tunnel encapsulation at the same time. And under the condition that the session information is backed up, the service message can be independently packaged in the tunnel package and sent to the standby firewall equipment.
In an exemplary implementation process, in the process of sending the session information of the local service session to the backup firewall device for backup, if a second service packet is received, the method further includes:
checking whether the session information of the service session matched with the second service message is backed up to a first standby firewall device, wherein the first standby firewall device is a standby firewall device for processing the service of the second service message;
if yes, sending the second service packet to the first standby firewall device for forwarding through a point-to-point tunnel between the firewall device and the first standby firewall device; if not, sending the second service packet and the service session information matched with it to the first standby firewall device through that point-to-point tunnel, so that the first standby firewall device stores the received service session information and forwards the received second service packet.
Forwarding a packet of any service requires the service session information matched with that packet. If the firewall device receives a new service packet while the backup of session information is still in progress, it must still check whether the session information matched with the new packet has already been backed up to the corresponding standby firewall device: if so, only the packet is forwarded to the standby firewall device; if not, the packet and its matched session information are forwarded together, so that the standby firewall device can forward the packet according to that session information.
In step S403, the firewall device sends a path switching notification to the gateway, so as to implement switching between the main service forwarding path and the standby service forwarding path.
The main service forwarding path refers to a path from the gateway to the firewall device, and the standby service forwarding path refers to a path from the gateway to the standby firewall device.
In step S403, the switching of the service forwarding paths is performed only after the session information of each service is completely backed up, so that it is ensured that the boundary router on the side of the standby firewall device can forward the corresponding service packet according to the session information after the path switching, thereby enabling smooth transition between the main and standby service forwarding paths.
In an exemplary implementation, the backup service forwarding path forwards the service packet to the backup firewall device through shortest path routing.
The shortest path does not pass through the firewall device or the boundary router on the firewall device side, so the service packet is transmitted over a shorter path and arrives sooner. Fig. 5 is an exemplary diagram of a shortest path of a standby service forwarding path. As shown in fig. 5, the shortest path goes directly from one spine node (which may be the gateway) to another spine node, without passing through the firewall device or the boundary router on the firewall device side.
In the embodiment of the invention, the firewall device learns of an external-network egress failure of the Border router, sends the local service session information to the standby firewall device for backup, and, once it determines that the local service session information has been backed up to the standby firewall device, sends a path switching notification to the gateway, so that the gateway switches the path from the gateway to the local firewall device to the path from the gateway to the standby firewall device according to the notification. Service packets are thereby forwarded by the standby firewall device when the external-network egress of the Border router fails, avoiding service interruption and improving user experience.
In addition, the embodiment of the invention starts session information backup between the main firewall device and the standby firewall device only when the boundary router has failed and a service packet is received during the failure. This reduces the number of backup operations performed and improves processing efficiency: no session information needs to be backed up while the main service forwarding path is in use, which limits the impact on the service processing performance of the firewall device.
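The procedure of steps S402 and S403 (backup started by the first packet that needed the failed egress, the per-packet check of whether the matched session entry has already reached its standby, and the path switching notification sent only after the last local session is backed up) can be walked through in code. The following Python simulation is an added example, not code from the patent or its assignee; the class and method names, the data shapes, the per-service standby map carried in the notification, and the sample sessions are all constructed assumptions.

```python
# Added simulation (not the patent's code) of the backup-then-switch procedure.
# Class names, data shapes and sample sessions are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    five_tuple: tuple   # (src, dst, sport, dport, proto)
    service: str        # service the session belongs to; selects the standby


class StandbyFirewall:
    """Standby firewall in another data center; forwards only with a session entry."""
    def __init__(self, name):
        self.name, self.sessions = name, {}

    def store_session(self, session):
        self.sessions[session.five_tuple] = session

    def receive_tunnel(self, five_tuple, session=None):
        # Tunnel payload is either the packet alone or the packet plus its entry.
        if session is not None:
            self.store_session(session)
        return self.forward(five_tuple)

    def forward(self, five_tuple):
        # A stateful firewall cannot forward a packet without a matching entry.
        return five_tuple in self.sessions


class Gateway:
    """Gateway (spine node): changes next hop only on the firewall's notification."""
    def __init__(self):
        self.primary, self.standby_for_service, self.switched = None, {}, False

    def on_path_switch_notification(self, standby_for_service):
        self.standby_for_service, self.switched = dict(standby_for_service), True

    def route(self, five_tuple, service):
        if self.switched and service in self.standby_for_service:
            ok = self.standby_for_service[service].forward(five_tuple)
            return "forwarded_by_standby" if ok else "dropped_by_standby"
        return self.primary.on_packet(five_tuple)


class PrimaryFirewall:
    """Firewall behind the Border router whose external egress may fail."""
    def __init__(self, sessions, standby_for_service, gateway):
        self.sessions = {s.five_tuple: s for s in sessions}
        self.standby_for_service = standby_for_service  # service -> StandbyFirewall
        self.gateway = gateway
        self.egress_failed = self.backup_started = self.notified = False
        self.pending = []        # sessions not yet backed up
        self.backed_up = set()   # five-tuples already stored on their standby

    def on_border_egress_failure(self):
        self.egress_failed = True

    def _back_up(self, session, five_tuple=None):
        # Step S402: the standby handling this session's service receives the entry,
        # together with the triggering packet when there is one.
        standby = self.standby_for_service[session.service]
        if five_tuple is None:
            standby.store_session(session)
        else:
            standby.receive_tunnel(five_tuple, session)
        self.backed_up.add(session.five_tuple)
        self.pending = [s for s in self.pending if s.five_tuple != session.five_tuple]
        # Step S403: notify the gateway only once every local session is backed up.
        if not self.pending and not self.notified:
            self.notified = True
            self.gateway.on_path_switch_notification(self.standby_for_service)

    def on_packet(self, five_tuple):
        session = self.sessions.get(five_tuple)
        if session is None:
            return "no_session"
        if not self.egress_failed:
            return "forwarded_locally"
        if not self.backup_started:
            # First packet needing the failed egress: start backing up all sessions.
            self.backup_started, self.pending = True, list(self.sessions.values())
        if five_tuple in self.backed_up:
            # Entry already on the standby: only the packet rides the tunnel.
            self.standby_for_service[session.service].receive_tunnel(five_tuple)
            return "tunneled_packet"
        self._back_up(session, five_tuple)
        return "tunneled_packet_with_session"

    def backup_step(self, batch=1):
        # Back up `batch` pending sessions that no packet has triggered yet.
        for session in list(self.pending[:batch]):
            self._back_up(session)


def run_scenario():
    # Constructed walk-through; returns the observed outcomes for checking.
    web = Session(("10.0.0.1", "203.0.113.5", 40000, 443, "tcp"), "web")
    dns = Session(("10.0.0.2", "203.0.113.53", 40001, 53, "udp"), "dns")
    mail = Session(("10.0.0.3", "203.0.113.25", 40002, 25, "tcp"), "mail")
    sb1, sb2 = StandbyFirewall("standby-1"), StandbyFirewall("standby-2")
    gw = Gateway()
    gw.primary = PrimaryFirewall([web, dns, mail], {"web": sb1, "mail": sb1, "dns": sb2}, gw)
    out = {"before_failure": gw.route(web.five_tuple, "web")}
    gw.primary.on_border_egress_failure()
    out["first_packet"] = gw.route(web.five_tuple, "web")        # packet + entry
    out["same_session_again"] = gw.route(web.five_tuple, "web")  # packet only
    out["other_session"] = gw.route(dns.five_tuple, "dns")       # packet + entry
    out["switched_early"] = gw.switched                          # mail still pending
    gw.primary.backup_step()                                     # last entry backed up
    out["switched_after_backup"] = gw.switched
    out["after_switch"] = gw.route(mail.five_tuple, "mail")      # straight to standby
    out["standby_counts"] = (len(sb1.sessions), len(sb2.sessions))
    return out
```

The point the simulation makes visible is the ordering guarantee: the gateway keeps sending to the primary firewall until `notified` flips, and `notified` flips only when `pending` is empty, so every packet that reaches a standby after the switch finds its session entry already present. Running `run_scenario()` shows the three packet outcomes during the backup (entry carried with the packet, packet alone, entry carried with a packet of another service) before the switch occurs.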
Corresponding to the embodiments of the method, the present specification also provides embodiments of an apparatus and of the device to which it is applied.
Fig. 6 is a functional block diagram of a service processing apparatus according to an embodiment of the present invention. The service processing apparatus is applied to a firewall device, as shown in fig. 6, and includes:
an obtaining module 610, configured to obtain an egress failure of an external network of a Border router Border;
the backup module 620 is configured to send the session information of the local service session to the backup firewall device for backup;
a path switching module 630, configured to determine that the local service session information is backed up to the standby firewall device, send a path switching notification to the gateway, so that the gateway switches a path from the gateway to the firewall device to a path from the gateway to the standby firewall device according to the path switching notification.
In an exemplary implementation process, when the backup module 620 is configured to send the local service session information to the backup firewall device for backup, the backup module may specifically be configured to:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information to the target standby firewall equipment for backup.
In an exemplary implementation process, sending the session information of the local service session to the standby firewall device for backup is triggered by receiving a first service message sent by the external network outlet which needs to pass through the fault;
the backup module 620, when configured to send the service session information to the target backup firewall device for backup, may specifically be configured to:
and if the first service message is matched with the service session information, sending the first service message and the service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
In an exemplary implementation, the apparatus may further include:
the tunnel establishing module is used for establishing a point-to-point tunnel for backing up the service session information between the firewall equipment and the standby firewall equipment;
when the backup module 620 is configured to send the first service packet and the service session information to the target backup firewall device, the backup module may specifically be configured to:
and sending the first service message and the service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
In an exemplary implementation process, in the process of sending the session information of the local service session to the backup firewall device for backup, if the second service packet is received, the apparatus further includes:
the checking module is used for checking whether the service session information matched with the second service message is backed up to a first standby firewall device, and the first standby firewall device is a standby firewall device used for processing the service to which the second service message belongs;
a sending module, configured to send the second service packet to the first standby firewall device through a point-to-point tunnel between the firewall device and the first standby firewall device for forwarding if the matched service session information has been backed up to the first standby firewall device; and if not, to send the second service packet and the service session information matched with it to the first standby firewall device together through that point-to-point tunnel, so that the first standby firewall device stores the received service session information and forwards the received second service packet.
The embodiment of the present invention further provides a firewall device, which includes a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, where the processor executes the program to implement the following operations:
acquiring an external network outlet fault of a Border router Border;
sending the session information of the local service session to the standby firewall equipment for backup;
and if it is determined that the local service session information has been backed up to the standby firewall device, sending a path switching notification to a gateway, so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the path switching notification.
In an exemplary implementation process, the sending the local service session information to the backup firewall device for backup includes:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information to the target standby firewall equipment for backup.
In an exemplary implementation process, the sending of the session information of the local service session to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed external network outlet;
the sending the service session information to the target backup firewall device for backup comprises:
and if the first service message is matched with the service session information, sending the first service message and the service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
In one exemplary implementation, the method further comprises:
establishing a point-to-point tunnel for backing up the session information of the service between the firewall equipment and the standby firewall equipment;
the sending the first service packet and the service session information to the target standby firewall device includes:
and sending the first service message and the service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
In an exemplary implementation process, in the process of sending the session information of the local service session to the backup firewall device for backup, if a second service packet is received, the method further includes:
checking whether the session information of the service session matched with the second service message is backed up to a first standby firewall device, wherein the first standby firewall device is a standby firewall device for processing the service of the second service message;
if yes, the second service message is sent to the first standby firewall equipment for forwarding through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment; and if not, sending the second service message and the service session information matched with the second service message to the first standby firewall equipment together through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment, so that the first standby firewall equipment stores the received service session information and forwards the received second service message.
The firewall device of the embodiment of the present invention may adopt a hardware structure as shown in fig. 7. Fig. 7 is a hardware structure diagram of a firewall device according to an embodiment of the present invention, in fig. 7, a storage includes a memory and a nonvolatile storage, and a computer program for implementing a service processing method is stored in the memory.
It should be noted that, besides the processor, the network interface, the memory and the non-volatile storage shown in fig. 7, the firewall device may also generally include other hardware in other embodiments, which is not shown in detail in fig. 7.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the following operations:
acquiring an external network outlet fault of a Border router Border;
sending the session information of the local service session to the standby firewall equipment for backup;
and if it is determined that the local service session information has been backed up to the standby firewall device, sending a path switching notification to a gateway, so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the path switching notification.
In an exemplary implementation process, the sending the local service session information to the backup firewall device for backup includes:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information to the target standby firewall equipment for backup.
In an exemplary implementation process, the sending of the session information of the local service session to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed external network outlet;
the sending the service session information to the target backup firewall device for backup comprises:
and if the first service message is matched with the service session information, sending the first service message and the service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
In one exemplary implementation, the method further comprises:
establishing a point-to-point tunnel for backing up the session information of the service between the firewall equipment and the standby firewall equipment;
the sending the first service packet and the service session information to the target standby firewall device includes:
and sending the first service message and the service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
In an exemplary implementation process, in the process of sending the session information of the local service session to the backup firewall device for backup, if a second service packet is received, the method further includes:
checking whether the session information of the service session matched with the second service message is backed up to a first standby firewall device, wherein the first standby firewall device is a standby firewall device for processing the service of the second service message;
if yes, the second service message is sent to the first standby firewall equipment for forwarding through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment; and if not, sending the second service message and the service session information matched with the second service message to the first standby firewall equipment together through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment, so that the first standby firewall equipment stores the received service session information and forwards the received second service message.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.
Claims (10)
1. A service processing method is applied to firewall equipment in a data center network, and the method comprises the following steps:
acquiring an external network outlet fault of a Border router Border;
sending local service session information to a standby firewall device for backup, wherein the standby firewall device and the firewall device belong to different data center networks respectively;
and if it is determined that the local service session information has been backed up to the standby firewall device, sending a path switching notification to a gateway, so that the gateway switches the path from the gateway to the firewall device to the path from the gateway to the standby firewall device according to the path switching notification.
2. The method of claim 1, wherein sending the local service session information to the backup firewall device for backup comprises:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information of the target service to the target standby firewall equipment for backup.
3. The method according to claim 2, wherein the sending of the local service session information to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed extranet outlet;
the sending the local service session information to the target backup firewall device for backup comprises:
and if the first service message matches the service session information, sending the first service message and the matched service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
4. The method of claim 3, further comprising:
establishing a point-to-point tunnel for backing up the session information of the service between the firewall equipment and the standby firewall equipment;
the sending the first service packet and the matched service session information to the target standby firewall device includes:
and sending the first service message and the matched service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
5. The method of claim 2, wherein in the process of sending the local service session information to the standby firewall device for backup, if the second service packet is received, the method further comprises:
checking whether the session information of the service session matched with the second service message is backed up to a first standby firewall device, wherein the first standby firewall device is a standby firewall device for processing the service of the second service message;
if yes, the second service message is sent to the first standby firewall equipment for forwarding through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment; and if not, sending the second service message and the service session information matched with the second service message to the first standby firewall equipment together through a point-to-point tunnel between the firewall equipment and the first standby firewall equipment, so that the first standby firewall equipment stores the received service session information and forwards the received second service message.
6. A service processing apparatus, applied to a firewall device in a data center network, the apparatus comprising:
the acquisition module is used for acquiring the outer network outlet fault of the Border router Border;
the backup module is used for sending the session information of the local service session to the standby firewall equipment for backup, and the standby firewall equipment and the firewall equipment belong to different data center networks respectively;
and the path switching module is used for sending a path switching notification to the gateway when determining that the local service session information is backed up to the standby firewall device, so that the gateway switches the path from the gateway to the firewall device into the path from the gateway to the standby firewall device according to the path switching notification.
7. The apparatus of claim 6, wherein the backup module, when being configured to send the local service session information to the backup firewall device for backup, is specifically configured to:
and aiming at the local service session information, determining a target service to which the service session information belongs, selecting target standby firewall equipment for processing the target service from the standby firewall equipment corresponding to the firewall equipment, and sending the service session information of the target service to the target standby firewall equipment for backup.
8. The apparatus according to claim 7, wherein the sending of the local service session information to the standby firewall device for backup is triggered by receiving a first service packet that needs to be sent through the failed extranet outlet;
when the backup module is used for sending the local service session information to the target backup firewall device for backup, the backup module is specifically used for:
and if the first service message matches the service session information, sending the first service message and the matched service session information to the target standby firewall equipment together, so that the target standby firewall equipment stores the received service session information and forwards the received first service message.
9. The apparatus of claim 8, further comprising:
the tunnel establishing module is used for establishing a point-to-point tunnel for backing up the service session information between the firewall equipment and the standby firewall equipment;
when the backup module is configured to send the first service packet and the matched service session information to the target backup firewall device, the backup module is specifically configured to:
and sending the first service message and the matched service session information to the target standby firewall equipment through a point-to-point tunnel between the firewall equipment and the target standby firewall equipment.
10. The apparatus of claim 7, wherein in the process of sending the local service session information to the standby firewall device for backup, if the second service packet is received, the apparatus further comprises:
the checking module is used for checking whether the service session information matched with the second service message is backed up to a first standby firewall device, and the first standby firewall device is a standby firewall device used for processing the service to which the second service message belongs;
a sending module, configured to send the second service packet to the first standby firewall device through a point-to-point tunnel between the firewall device and the first standby firewall device for forwarding if the matched service session information has been backed up to the first standby firewall device; and if not, to send the second service packet and the service session information matched with it to the first standby firewall device together through that point-to-point tunnel, so that the first standby firewall device stores the received service session information and forwards the received second service packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910453594.4A CN110138656B (en) | 2019-05-28 | 2019-05-28 | Service processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138656A CN110138656A (en) | 2019-08-16 |
CN110138656B true CN110138656B (en) | 2022-03-01 |
Family
ID=67582494
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138656B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111064826B (en) * | 2019-12-31 | 2022-06-21 | 奇安信科技集团股份有限公司 | Information processing method, apparatus, electronic device and medium executed by firewall |
CN112104492A (en) * | 2020-09-07 | 2020-12-18 | 紫光云(南京)数字技术有限公司 | Networking structure of cloud computing data center |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1143664A2 (en) * | 1999-06-10 | 2001-10-10 | Alcatel Internetworking, Inc. | Object model for network policy management |
CN101316271A (en) * | 2008-07-04 | 2008-12-03 | 华为技术有限公司 | Method for realizing information backup, firewall and network system |
CN102420767A (en) * | 2011-12-15 | 2012-04-18 | 北京星网锐捷网络技术有限公司 | Method and device for switching forwarding paths, and network equipment |
CN104618148A (en) * | 2015-01-07 | 2015-05-13 | 杭州华三通信技术有限公司 | Firewall device and backup method thereof |
CN107241208A (en) * | 2016-03-29 | 2017-10-10 | 华为技术有限公司 | A kind of message forwarding method, the first interchanger and related system |
CN108092889A (en) * | 2017-12-27 | 2018-05-29 | 上海地面通信息网络股份有限公司 | A kind of end-to-end multilink multinode Full automatic redundant route stand-by system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100211544A1 (en) * | 2009-02-19 | 2010-08-19 | Jyshyang Chen | System with session synchronization |
CN104506513B (en) * | 2014-12-16 | 2018-05-22 | 北京星网锐捷网络技术有限公司 | Fire wall flow table backup method, fire wall and firewall system |
CN108322379B (en) * | 2018-01-30 | 2021-04-20 | 华为技术有限公司 | Virtual private network VPN system and implementation method |
CN109617920B (en) * | 2019-01-23 | 2021-07-20 | 新华三信息安全技术有限公司 | Message processing method and device, router and firewall equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230625; Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province; Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.; Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466; Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd. |