
CN1863142A - Method for providing different service quality tactics to data stream - Google Patents


Info

Publication number: CN1863142A
Authority: CN (China)
Prior art keywords: acl, data flow, template, rule, layer
Legal status: Granted
Application number: CNA2005100909049A
Other languages: Chinese (zh)
Other versions: CN100433715C (en)
Inventor: 熊怡
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100909049A, granted as CN100433715C
Priority to PCT/CN2006/001080, published as WO2007019755A1
Publication of CN1863142A
Application granted; publication of CN100433715C
Current legal status: Expired - Fee Related


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L 41/5003 Managing SLA; Interaction between SLA and QoS
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0894 Policy-based network configuration management
    • H04L 41/0803 Configuration setting
    • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for providing different quality of service policies to data flows. The method mainly comprises: customizing an ACL (access control list) template that contains part of the field information of each layer; and using the ACL template to classify data flows and provide different QoS (quality of service) policies to them. With this method, the ACL type can be selected flexibly according to user needs, finer-grained data-flow classification can be achieved, and each data flow can be given a corresponding QoS policy.


Description

Method for providing different quality of service policies to data flows

Technical field

The present invention relates to the field of communications, and in particular to a method for providing different QoS (quality of service) policies to data flows.

Background art

In a network, data flows must be classified, that is, identified and sorted into classes. Then, according to the classification result, different QoS (quality of service) policies are applied to different flows. A QoS policy is also called an "action" and includes operations such as discarding, changing priority and limiting bandwidth.

The traditional flow classification method classifies a data flow by the standard five-tuple of its packets, i.e. the five fields of the flow's IP packets: source IP address, destination IP address, protocol number in the IP header, TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) source port number, and TCP or UDP destination port number. The method first extracts the five-tuple of a packet and forms a key from it, then groups into one class the flows whose key values satisfy a given condition.

As network traffic grows and users' QoS requirements keep rising, the traditional five-tuple classification method no longer meets the requirements, and data flows must be divided at a finer granularity. Other fields have therefore been added to the classification, such as source/destination MAC (media access control) address, Ethernet type, VLAN (virtual local area network) priority, TOS (type of service), fragment flags and the TCP SYN flag.

At present, in data communication equipment, classifying data flows and acting on them is usually implemented with an ACL (access control list). An ACL is a combination of rules and actions; a rule describes the characteristics that distinguish a given data flow, for example {source MAC = 2222.2222.2222 AND destination IP = 1.1.1.1} constitutes one rule. The ACL processing flow is shown in Figure 1.

In data communication equipment, the flow classification techniques in practical use are mainly the following:

1. Unstructured sequential matching: like walking a linked list, the key is matched against the rules one by one.

2. Hashing: a first-level hash is computed over the key value, and the rules are then matched.

3. Precompiled fast ACL: various tree-based techniques are used to locate one or more rule nodes quickly.

4. TCAM (ternary content addressable memory): the matching of keys against rules is done in hardware.

The first three are implemented in software, and their biggest problem is that matching takes too long. Network transmission and router forwarding speeds keep increasing, which requires a correspondingly faster lookup of the ACL rule table during packet processing. TCAM is therefore the flow classification technique mainly used in current data communication equipment.

TCAM is usually used to implement ACLs; its characteristic is that the lookup and matching of the rule table is done in hardware. The processing is as follows: first, the various rules configured by the user are stored in the TCAM, each rule being associated with an action. Then, the five-tuple or multi-tuple of the data flow packet to be classified is extracted to form a key; the rule table stored in the TCAM is searched with this key and the key is matched against its entries. Once a rule is matched (hit), the TCAM returns the corresponding action index.

The biggest advantage of TCAM is its fast lookup, whose time is independent of the number of entries, so the advantage is especially pronounced when the table is large. TCAM is, however, expensive, and in practice its capacity is limited. Current TCAM hardware specifications define several entry lengths: 72 bits, 144 bits and 288 bits. One ACL rule can be regarded as one TCAM entry, and the rule length equals the key length, so the following relationship holds:

TCAM capacity = key length (rule length) × number of TCAM entries.

To solve the problem that the standard five-tuple cannot meet the needs of existing networks, one prior-art solution adds to the ACL key the layer-2 header fields of Ethernet packets (such as source/destination MAC address, Ethernet type and VLAN ID), layer-3 header fields and layer-4 header fields (such as the TCP SYN flag). Because of the limit on TCAM entry length, all fields (layer 2, layer 3 and layer 4) cannot be placed in one key at the same time, which gave rise to the so-called layer-2 ACL and layer-3 ACL (IPv4/IPv6 ACL); the layer-3 ACL contains the layer-3 and layer-4 header fields mentioned above. The key structure of the layer-2 ACL is shown in Figure 2, that of the IPv4 layer-3 ACL in Figure 3, and that of the IPv6 layer-3 ACL in Figure 4.

The key length of both the layer-2 ACL and the IPv4 ACL is 144 bits, and that of the IPv6 ACL is 288 bits; the rule tables of the three ACLs occupy different regions of the TCAM.

With the above layer-2 ACL and layer-3 ACL, a user configuring an ACL has two options:

1. Choose one ACL type, layer-2 ACL or layer-3 ACL. The implementing module then processes packets according to the chosen ACL type and the type of data flow packet to be handled. The processing flow is shown in Figure 5 and is briefly described as follows:

If the user chooses the layer-2 ACL, the layer-2 header fields are extracted from the data flow packet to be classified and matched against the layer-2 ACL rule table; if a rule is hit, the action corresponding to that rule is returned and executed to process the packet accordingly;

If the user chooses the layer-3 ACL, the layer-3 and layer-4 header fields are extracted from the packet to be classified and matched against the layer-3 ACL rule table; if a rule is hit, the action corresponding to that rule is returned and executed to process the packet accordingly.

2. If the user needs to match the layer-2 and layer-3 fields of a packet at the same time, this can be done with two ACLs: first configure the first ACL (a layer-2 ACL) and set its action to "execute layer-3 ACL", and set the action of the layer-3 ACL to the actual QoS policy. The processing flow is shown in Figure 6 and is briefly described as follows:

First, the layer-2 header fields are extracted from the packet to be classified and matched against the layer-2 ACL rule table. If a rule is hit, the layer-3 and layer-4 header fields are then extracted from the packet and matched against the layer-3 ACL rule table; if a rule is hit, the action corresponding to that rule is returned and executed to process the packet accordingly.

The drawbacks of the above prior-art solution are as follows. In its first option, the user can choose only one type of ACL, layer-2 or layer-3, and so cannot match the layer-2 and layer-3 fields of a packet at the same time. Fine-grained traffic division is therefore not possible, which limits the usefulness to the user.

In its second option, simultaneous matching of layer-2 and layer-3 fields is possible, but the TCAM must be accessed a second time to match the second rule table, and the SRAM (static memory) may even have to be accessed once more to look up the action. This places very high demands on peripheral bandwidth, which in routing equipment is usually very limited, so executing two ACLs is likely to become the performance bottleneck of the forwarding device.

Moreover, in practice, users configuring ACL rules rarely use all the fields in the rule table. For example, for an Ethernet IPv4 flow a user may only want to identify packets whose source MAC and destination IP satisfy some condition, without caring about the other fields. In practice, therefore, many fields in the rule-entry structure of this solution go unused, which wastes TCAM resources.

Summary of the invention

In view of the problems of the prior art described above, the object of the present invention is to provide a method for providing different quality of service policies to data flows, so that the ACL type can be selected flexibly according to user needs, finer-grained data-flow classification can be achieved, and each data flow can be given a corresponding QoS policy.

The object of the invention is achieved by the following technical solution:

A method for providing different quality of service policies to data flows, comprising:

A. customizing an access control list (ACL) template that contains part of the field information of each layer;

B. using the ACL template to classify data flows and provide different quality of service (QoS) policies to them.

Step A specifically comprises:

customizing, according to user requirements, an ACL template that includes some layer-2 header fields and some layer-3 header fields of the packet,

and/or,

customizing, according to user requirements, an ACL template that includes some layer-2 header fields and some layer-4 header fields of the packet,

and/or,

customizing, according to user requirements, an ACL template that includes some layer-3 header fields and some layer-4 header fields of the packet.

The length of the ACL template does not exceed the entry length defined in the ternary content addressable memory (TCAM) specification.

Step A further comprises:

saving the customized ACL template in a template library, in which the user can add, delete and modify templates.

Step B specifically comprises:

B1. selecting an ACL template according to the data flow to be processed, and configuring the rules of that ACL template;

B2. matching the rules against the data flow to be processed, and providing the data flow with the corresponding QoS policy according to the matching result.

Step B1 specifically comprises:

configuring the rules of the ACL template by specifying the matching condition of each field in the template.

Step B2 specifically comprises:

B21. extracting, according to the definition of the ACL template, the corresponding field contents from the data flow packet to be processed, and forming a key from the extracted field contents;

B22. matching the key against the rules of the configured ACL template, and providing the data flow with the corresponding QoS policy according to the matching result.

Step B22 specifically comprises:

if the key hits a rule of the configured ACL template, executing the action corresponding to that rule to provide the data flow with the corresponding QoS policy; otherwise, forwarding the data flow according to the normal forwarding procedure.

As can be seen from the technical solution above, by customizing ACL rule templates for users the present invention has the following advantages over the prior art:

1. Without additional investment in TCAM hardware, providing ACL rule templates lets users choose the ACL type flexibly when configuring flow classification rules, achieving finer-grained flow classification.

2. When the user needs to match the layer-2 and layer-3 fields of a packet at the same time, only one ACL execution is needed to satisfy the requirement, which saves peripheral bandwidth.

3. Unused fields in the TCAM are reduced, improving the utilization of TCAM resources.

Brief description of the drawings

Figure 1 is the processing flowchart of an ACL;

Figure 2 is a schematic diagram of the key structure of a layer-2 ACL;

Figure 3 is a schematic diagram of the key structure of an IPv4 layer-3 ACL;

Figure 4 is a schematic diagram of the key structure of an IPv6 layer-3 ACL;

Figure 5 is the processing flowchart of the prior-art method with either the layer-2 ACL or the layer-3 ACL enabled;

Figure 6 is the processing flowchart of the prior-art method with both the layer-2 ACL and the layer-3 ACL enabled;

Figure 7 is the processing flowchart of the method of the present invention;

Figure 8 is a schematic diagram of an embodiment of the IPv4 ACL rule template of the present invention;

Figure 9 is a schematic diagram of an embodiment of the IPv6 ACL rule template of the present invention;

Figure 10 is the processing flowchart of the method of the present invention based on the layer-2 ACL, the layer-3 ACL and the ACL template.

Detailed description

The present invention provides a method for providing different quality of service policies to data flows. Its core is: without increasing the TCAM key length, some commonly used ACL rule templates are provided to users, so that when configuring an ACL the user obtains fine-grained flow classification without affecting forwarding performance.

The invention is described in detail below with reference to the drawings. The processing flow of the method, shown in Figure 7, comprises the following steps:

Step 7-1. Customize some ACL templates according to user requirements.

In the present invention, some ACL templates are first customized according to user requirements. An ACL template may simultaneously include part of the layer-2 ACL information, part of the layer-3 ACL information and part of the layer-4 ACL information, and may also include other information. The length of the template must not exceed the entry length defined in the existing TCAM specification. A customized template therefore cannot include all of the layer-2 and layer-3 ACL information, but because the templates are based on the configurations users commonly need in practice, they satisfy most users' requirements.

For example, the following ACL template for identifying IPv4 packets can be customized for a user: <source MAC address, source IP address, destination IP address, TOS, protocol number>; its structure is shown in Figure 8.

For the IPv6 ACL, because of the particular form of IPv6 addresses, ACL templates can likewise be constructed in a similar way. The current IPv6 ACL implements only IPv6 unicast flow classification. An IPv6 unicast address (also called a global address) consists of two parts, the upper 64 bits and the lower 64 bits, where the upper 64 bits denote the network prefix and the lower 64 bits denote the interface index.

Therefore, different IPv6 ACL templates can be customized according to user requirements: part of the upper 64 bits or of the lower 64 bits of the IPv6 address is selected and combined with part of the layer-2 ACL to form an IPv6 ACL template, giving a finer-grained IPv6 ACL. For example, the following IPv6 ACL template can be constructed: <source MAC, source IP (lower 64 bits), destination IP, protocol number>.

Step 7-2. Save the customized ACL templates in the router's template library.

After the ACL templates have been customized to user requirements, the invention maintains a template library in the router and stores the customized templates in it; the user can add, delete and modify templates in the library as actually needed.

Step 7-3. When a flow classification operation is needed, select an ACL template from the library and specify the matching conditions.

When the user needs to classify a specific data flow with one of the customized ACL templates, the required template is selected from the template library. The matching condition of each field of the selected template is then specified, that is, a specific ACL template rule is configured and stored in the TCAM.

For example, with the ACL template of Figure 8 described above, the following rule can be configured:

{source MAC = 00e0.fcfa.0000, source IP = 2.2.2.2/24, destination IP = 4.4.4.4/24, TOS = 0x4c, protocol number = 6}.

With the ACL template of Figure 9 described above, the following rule can be configured:

{source MAC = 00e0.fcfa.0000, VLAN ID = 0x3, source IP (lower 64 bits) = 0:0:C934:12FE, destination IP = 2008::1, Traffic Class = 0xc, protocol number = 17}.

Step 7-4. According to the selected ACL template, extract the corresponding field contents from the packet and form a key.

According to the definition of the selected ACL template, the corresponding field contents are extracted from the data flow packet to be processed; for example, part of the contents of the packet's layer-2, layer-3 and layer-4 header fields may be extracted. The extracted contents are then assembled into a key.

Step 7-5. Check whether the key matches an ACL rule.

The assembled key is matched against the configured ACL rules. If the match succeeds (hit), go to step 7-6; otherwise, go to step 7-7.

Step 7-6. Execute the action corresponding to the ACL rule.

If the key matches a configured ACL template rule, the TCAM returns the corresponding action index; the action is found by that index and executed to provide the data flow with the corresponding QoS policy.

Step 7-7. Forward the packet normally.

If the key does not match any configured ACL template rule, the data flow packet is forwarded according to the normal forwarding procedure.
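As an added illustration that is not code from the patent, the following Python simulates steps 7-1 to 7-7 above: it checks that a template fits one of the TCAM entry widths named in the background, encodes the Figure 8 and Figure 9 rules as value/mask (ternary) entries, builds the key from a packet and returns the hit rule's action or falls through to normal forwarding. The field widths, the action names and the sample packets are assumptions; the page does not reproduce the field layouts of figures 8 and 9.

```python
# Added example, not the patent's code. Field widths, action names and
# sample packets are constructed assumptions.
import ipaddress

TCAM_WIDTHS = (72, 144, 288)   # entry lengths named in the background section

# Header field -> width in bits (assumed layout for this example)
FIELD_BITS = {
    "src_mac": 48, "dst_mac": 48, "vlan_id": 12, "ethertype": 16,
    "src_ip4": 32, "dst_ip4": 32, "tos": 8, "proto": 8,
    "src_ip6_low64": 64, "dst_ip6": 128, "traffic_class": 8,
    "src_port": 16, "dst_port": 16,
}

def field_to_int(field, text):
    """Parse the forms used on the page (00e0.fcfa.0000, 2.2.2.2, 0:0:C934:12FE,
    2008::1) or a plain int into an integer that fits the field's width."""
    width = FIELD_BITS[field]
    if isinstance(text, int):
        value = text
    elif field.endswith("mac"):
        value = int(text.replace(".", "").replace(":", ""), 16)
    elif field == "src_ip6_low64":          # four 16-bit groups of the low half
        value = int("".join(g.zfill(4) for g in text.split(":")), 16)
    else:
        value = int(ipaddress.ip_address(text))
    if value >> width:
        raise ValueError(f"{text!r} does not fit {field} ({width} bits)")
    return value

def encode_condition(field, cond):
    """One field's match condition -> (value, mask) ternary pair.
    None = don't care, 'addr/len' = prefix match, anything else = exact."""
    width = FIELD_BITS[field]
    full = (1 << width) - 1
    if cond is None:
        return 0, 0
    if isinstance(cond, str) and "/" in cond:
        addr, plen = cond.split("/")
        mask = (full << (width - int(plen))) & full
        return field_to_int(field, addr) & mask, mask
    return field_to_int(field, cond), full

class AclTemplate:
    """An ordered selection of layer-2/3/4 fields (step 7-1)."""

    def __init__(self, name, fields):
        self.name, self.fields = name, tuple(fields)

    def key_bits(self):
        return sum(FIELD_BITS[f] for f in self.fields)

    def tcam_width(self):
        """Smallest TCAM entry that holds the template, or None when it
        exceeds the largest defined width (which step 7-1 forbids)."""
        return next((w for w in TCAM_WIDTHS if w >= self.key_bits()), None)

    def build_rule(self, conditions, action):
        """Step 7-3: per-field conditions -> one (value, mask, action) entry."""
        value = mask = 0
        for f in self.fields:
            v, m = encode_condition(f, conditions.get(f))
            value = (value << FIELD_BITS[f]) | v
            mask = (mask << FIELD_BITS[f]) | m
        return value, mask, action

    def build_key(self, packet):
        """Step 7-4: concatenate the template's fields of a parsed packet."""
        key = 0
        for f in self.fields:
            key = (key << FIELD_BITS[f]) | field_to_int(f, packet[f])
        return key

def classify(template, rules, packet, default="normal-forward"):
    """Steps 7-5 to 7-7: the first matching rule wins (TCAM priority order);
    with no hit the packet takes the normal forwarding path."""
    key = template.build_key(packet)
    for value, mask, action in rules:
        if key & mask == value:
            return action
    return default

# Templates and rules from the text (Figure 8 / Figure 9); actions are constructed.
IPV4_TEMPLATE = AclTemplate("ipv4", ["src_mac", "src_ip4", "dst_ip4", "tos", "proto"])
IPV4_RULES = [IPV4_TEMPLATE.build_rule(
    {"src_mac": "00e0.fcfa.0000", "src_ip4": "2.2.2.2/24", "dst_ip4": "4.4.4.4/24",
     "tos": 0x4c, "proto": 6}, "remark-priority")]
IPV6_TEMPLATE = AclTemplate("ipv6", ["src_mac", "vlan_id", "src_ip6_low64",
                                     "dst_ip6", "traffic_class", "proto"])
IPV6_RULES = [IPV6_TEMPLATE.build_rule(
    {"src_mac": "00e0.fcfa.0000", "vlan_id": 0x3, "src_ip6_low64": "0:0:C934:12FE",
     "dst_ip6": "2008::1", "traffic_class": 0xc, "proto": 17}, "rate-limit")]

if __name__ == "__main__":
    pkt = {"src_mac": "00e0.fcfa.0000", "src_ip4": "2.2.2.77",   # constructed packet
           "dst_ip4": "4.4.4.1", "tos": 0x4c, "proto": 6}
    print(IPV4_TEMPLATE.key_bits(), IPV4_TEMPLATE.tcam_width(),  # 128 144
          classify(IPV4_TEMPLATE, IPV4_RULES, pkt))              # remark-priority
```

The IPv4 template needs 128 bits and so fits the 144-bit entry, while a template wider than 288 bits is rejected by `tcam_width()`, which is the constraint step 7-1 imposes.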

The method of the present invention can be combined with the existing layer-2 ACL and layer-3 ACL processing methods: when configuring an ACL rule, the user chooses the ACL type as needed, namely layer-2 ACL, layer-3 ACL or ACL template. The processing flow is shown in Figure 10 and is briefly described as follows:

If the user enables both the layer-2 ACL and the layer-3 ACL, the layer-2 header fields are first extracted from the packet to be classified and matched against the layer-2 ACL rule table. If a rule is hit, the layer-3 and layer-4 header fields are then extracted from the packet and matched against the layer-3 ACL rule table; if a rule is hit, the action corresponding to that rule is returned and executed to process the packet accordingly.

If the user enables the layer-3 ACL, the layer-3 and layer-4 header fields are extracted from the packet to be classified and matched against the layer-3 ACL rule table; if a rule is hit, the action corresponding to that rule is returned and executed to process the packet accordingly.

If the user enables the ACL template, the matching condition of each field of the selected template is specified to configure a specific ACL template rule. According to the template's definition, the layer-2, layer-3 and layer-4 header field contents are extracted from the packet to be classified and matched against the configured ACL template rule; on a hit, the action corresponding to that rule is returned and executed to process the packet accordingly.

The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the invention is not limited to it. Any change or substitution that a person skilled in the art could easily conceive within the technical scope disclosed by the invention shall be covered by the scope of protection of the invention. The scope of protection of the invention should therefore be determined by the scope of the claims.

Claims (8)

1. A method for providing different quality of service (QoS) policies to data flows, characterized in that it comprises:
A. customizing an access control list (ACL) template that contains field information from each layer of the packet;
B. classifying the data flow using the ACL template, and providing the data flow with a corresponding QoS policy.
2. The method for providing different QoS policies to data flows according to claim 1, characterized in that step A specifically comprises:
customizing, according to the user's requirements, an ACL template that contains some of the Layer 2 fields and some of the Layer 3 fields of the packet,
and/or,
customizing, according to the user's requirements, an ACL template that contains some of the Layer 2 fields and some of the Layer 4 fields of the packet,
and/or,
customizing, according to the user's requirements, an ACL template that contains some of the Layer 3 fields and some of the Layer 4 fields of the packet.
3. The method for providing different QoS policies to data flows according to claim 1, characterized in that the length of the ACL template does not exceed the entry length defined in the ternary content-addressable memory (TCAM) specification.
4. The method for providing different QoS policies to data flows according to claim 1, characterized in that step A further comprises:
storing the customized ACL template in a template library, in which the user can add, delete and modify templates.
5. The method for providing different QoS policies to data flows according to claim 1, 2, 3 or 4, characterized in that step B specifically comprises:
B1. selecting an ACL template according to the data flow to be processed, and configuring a rule for this ACL template;
B2. matching the rule against the data flow to be processed, and providing the corresponding QoS policy to the data flow according to the matching result.
6. The method for providing different QoS policies to data flows according to claim 5, characterized in that step B1 specifically comprises:
configuring the rule of the ACL template by specifying the matching condition of each field in the ACL template.
7. The method for providing different QoS policies to data flows according to claim 6, characterized in that step B2 specifically comprises:
B21. extracting, according to the definition of the ACL template, the corresponding field contents from the packets of the data flow to be processed, and assembling the extracted field contents into a keyword (key);
B22. matching the key against the configured rule of the ACL template, and providing the corresponding QoS policy to the data flow according to the matching result.
8. The method for providing different QoS policies to data flows according to claim 7, characterized in that step B22 specifically comprises:
if the key hits the configured rule of the ACL template, executing the action corresponding to that rule and providing the corresponding QoS policy to the data flow; otherwise, forwarding the data flow according to the normal forwarding process.
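The classification procedure described in the last paragraph of the description and in claims 3 and 5 to 8 (a template selecting Layer 2/3/4 fields, a rule with a match condition per field, key extraction from the packet, a ternary match, and the rule's action or the normal forwarding path), carried through as an added Python example. This is not code from the patent or from any Huawei product: the header offsets, the 18-byte TCAM entry width, the template and rule names, the QoS action strings and the sample frames are all constructed assumptions for the demonstration.

```python
"""ACL-template packet classification modelled on the patent's procedure.
Added example: field layout, TCAM width and all sample values are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

# Field name -> (layer, byte offset inside that layer's header, byte length).
# Offsets assume Ethernet II, IPv4 (IHL-aware) and TCP/UDP headers (assumption).
FIELD_DEFS = {
    "dst_mac":   (2, 0, 6),
    "src_mac":   (2, 6, 6),
    "ethertype": (2, 12, 2),
    "tos":       (3, 1, 1),
    "protocol":  (3, 9, 1),
    "src_ip":    (3, 12, 4),
    "dst_ip":    (3, 16, 4),
    "src_port":  (4, 0, 2),
    "dst_port":  (4, 2, 2),
}
TCAM_ENTRY_BYTES = 18  # assumed entry width; the real limit comes from the chip's TCAM spec


@dataclass(frozen=True)
class AclTemplate:
    """Ordered selection of L2/L3/L4 fields (claims 1 and 2)."""
    name: str
    fields: tuple

    def key_length(self) -> int:
        return sum(FIELD_DEFS[f][2] for f in self.fields)


def validate_template(tpl: AclTemplate) -> bool:
    """Claim 3: the template's key must fit into one TCAM entry."""
    return tpl.key_length() <= TCAM_ENTRY_BYTES


@dataclass
class AclRule:
    """One rule of a template: per-field (value, mask) conditions and a QoS action (claim 6)."""
    template: AclTemplate
    conditions: dict   # field name -> (value bytes, mask bytes); absent field = don't care
    action: str

    def value_and_mask(self) -> tuple:
        value, mask = b"", b""
        for f in self.template.fields:
            n = FIELD_DEFS[f][2]
            v, m = self.conditions.get(f, (bytes(n), bytes(n)))  # zero mask = wildcard
            value += v
            mask += m
        return value, mask


def extract_key(tpl: AclTemplate, frame: bytes):
    """Claim 7, step B21: concatenate the template's fields from the frame into the key.
    Returns None when the frame is too short to hold every field (no match, no crash)."""
    l3 = 14                                   # Ethernet II header length
    if len(frame) <= l3:
        return None
    l4 = l3 + (frame[l3] & 0x0F) * 4          # IHL gives the IPv4 header length
    base = {2: 0, 3: l3, 4: l4}
    key = b""
    for f in tpl.fields:
        layer, off, n = FIELD_DEFS[f]
        start = base[layer] + off
        if start + n > len(frame):
            return None
        key += frame[start:start + n]
    return key


def classify(frame: bytes, rules: list) -> str:
    """Claim 8, step B22: the first rule whose ternary match hits returns its action;
    otherwise the frame takes the normal forwarding path."""
    for rule in rules:
        key = extract_key(rule.template, frame)
        if key is None:
            continue
        value, mask = rule.value_and_mask()
        if all((k & m) == (v & m) for k, v, m in zip(key, value, mask)):
            return rule.action
    return "forward"


def build_frame(src_ip, dst_ip, proto, sport, dport, tos=0) -> bytes:
    """Constructed Ethernet/IPv4/L4 frame with zeroed checksums (enough for extraction)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + l4


TPL_L3L4 = AclTemplate("l3l4", ("protocol", "src_ip", "dst_ip", "src_port", "dst_port"))  # 13 bytes
TPL_FULL = AclTemplate("full", tuple(FIELD_DEFS))  # 28 bytes: wider than the assumed TCAM entry


def demo_rules() -> list:
    """Two constructed rules on the L3/L4 template; order matters because the first hit wins."""
    https_to_dmz = AclRule(TPL_L3L4, {
        "protocol": (b"\x06", b"\xff"),
        "dst_ip": (ipaddress.IPv4Address("192.168.1.0").packed, b"\xff\xff\xff\x00"),
        "dst_port": ((443).to_bytes(2, "big"), b"\xff\xff"),
    }, "remark-dscp-46")
    to_internal = AclRule(TPL_L3L4, {
        "dst_ip": (ipaddress.IPv4Address("10.0.0.0").packed, b"\xff\x00\x00\x00"),
    }, "police-1mbps")
    return [https_to_dmz, to_internal]


if __name__ == "__main__":
    for tpl in (TPL_L3L4, TPL_FULL):
        print(tpl.name, tpl.key_length(), "bytes, fits TCAM entry:", validate_template(tpl))
    print(classify(build_frame("10.0.0.5", "192.168.1.10", 6, 40000, 443), demo_rules()))
```

Each (value, mask) pair per field is what a TCAM entry stores, so a field left out of a rule becomes an all-zero mask and matches anything; a template wider than the entry is rejected before any rule is configured, which is the check claim 3 describes. Because the first hit wins, the order of rules on a template decides which QoS action a flow receives, and a frame too short to contain the template's fields simply falls through to normal forwarding.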
CNB2005100909049A 2005-08-19 2005-08-19 Method for providing different service quality tactics to data stream Expired - Fee Related CN100433715C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100909049A CN100433715C (en) 2005-08-19 2005-08-19 Method for providing different service quality tactics to data stream
PCT/CN2006/001080 WO2007019755A1 (en) 2005-08-19 2006-05-24 Method for providing the different quality of service for data stream

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100909049A CN100433715C (en) 2005-08-19 2005-08-19 Method for providing different service quality tactics to data stream

Publications (2)

Publication Number Publication Date
CN1863142A true CN1863142A (en) 2006-11-15
CN100433715C CN100433715C (en) 2008-11-12

Family

ID=37390472

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100909049A Expired - Fee Related CN100433715C (en) 2005-08-19 2005-08-19 Method for providing different service quality tactics to data stream

Country Status (2)

Country Link
CN (1) CN100433715C (en)
WO (1) WO2007019755A1 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1964325B (en) * 2006-11-24 2010-08-18 中兴通讯股份有限公司 A method for quickly carrying out equivalence partition in packet classification
CN101895467A (en) * 2010-07-08 2010-11-24 中兴通讯股份有限公司 Method and device for filtering message
CN101399747B (en) * 2007-09-27 2011-03-16 中兴通讯股份有限公司 ACL configuration implementation method
CN101447917B (en) * 2008-03-04 2011-09-21 中兴通讯股份有限公司 Policy control method and device thereof
CN101651623B (en) * 2009-09-07 2012-05-23 中兴通讯股份有限公司 Generation method and device for access control list application
CN101594556B (en) * 2008-05-28 2012-08-29 工业和信息化部电信传输研究所 Remote management device for data stream classification in GPON system
CN103685058A (en) * 2012-09-11 2014-03-26 北京信息科技大学 Method for controlling QoS (Quality of Service) of stream data, and OpenFlow controller
CN101933290B (en) * 2007-12-18 2014-04-16 太阳风环球有限责任公司 Method for configuring acls on network device based on flow information
US9019951B2 (en) 2010-08-24 2015-04-28 Gemtek Technology Co., Ltd. Routing apparatus and method for processing network packet thereof
CN104579940A (en) * 2013-10-10 2015-04-29 杭州华三通信技术有限公司 Method and apparatus for searching ACL
US9124533B2 (en) 2007-01-31 2015-09-01 Zte Corporation Service bandwidth configuring method and network management system
CN105591914A (en) * 2014-10-21 2016-05-18 中兴通讯股份有限公司 Openflow flow table look-up method and device
CN106301970A (en) * 2016-10-27 2017-01-04 盛科网络(苏州)有限公司 A kind of chip implementing method using forward table convergence to consume with minimizing TCAM list item
CN107124366A (en) * 2016-02-24 2017-09-01 中兴通讯股份有限公司 A kind of method for realizing service quality control, apparatus and system
CN108632098A (en) * 2013-04-28 2018-10-09 华为技术有限公司 Flow classifier, business route flip-flop, Message processing method and system
CN109194665A (en) * 2018-09-17 2019-01-11 盛科网络(苏州)有限公司 A kind of generation method that message finds key value and device
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
WO2020248675A1 (en) * 2019-06-10 2020-12-17 中兴通讯股份有限公司 Access control list issuing method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785534B (en) * 2022-01-06 2023-10-27 新华三技术有限公司 Communication method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1152531C (en) * 2002-04-23 2004-06-02 华为技术有限公司 Network Access Control Method for Fragmented Messages
CN1414757A (en) * 2002-05-08 2003-04-30 华为技术有限公司 Method of automatic sequential arranging access control list rule and its application
CN100437550C (en) * 2002-09-24 2008-11-26 武汉邮电科学研究院 Ethernet confirming access method
US7509674B2 (en) * 2003-10-07 2009-03-24 Alcatel Lucent Access control listing mechanism for routers

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1964325B (en) * 2006-11-24 2010-08-18 中兴通讯股份有限公司 A method for quickly carrying out equivalence partition in packet classification
US9124533B2 (en) 2007-01-31 2015-09-01 Zte Corporation Service bandwidth configuring method and network management system
CN101399747B (en) * 2007-09-27 2011-03-16 中兴通讯股份有限公司 ACL configuration implementation method
CN101933290B (en) * 2007-12-18 2014-04-16 太阳风环球有限责任公司 Method for configuring acls on network device based on flow information
CN101447917B (en) * 2008-03-04 2011-09-21 中兴通讯股份有限公司 Policy control method and device thereof
CN101594556B (en) * 2008-05-28 2012-08-29 工业和信息化部电信传输研究所 Remote management device for data stream classification in GPON system
CN101651623B (en) * 2009-09-07 2012-05-23 中兴通讯股份有限公司 Generation method and device for access control list application
CN101895467A (en) * 2010-07-08 2010-11-24 中兴通讯股份有限公司 Method and device for filtering message
TWI489825B (en) * 2010-08-24 2015-06-21 Gemtek Technolog Co Ltd Routing apparatus and method for processing network packet thereof
US9019951B2 (en) 2010-08-24 2015-04-28 Gemtek Technology Co., Ltd. Routing apparatus and method for processing network packet thereof
CN103685058A (en) * 2012-09-11 2014-03-26 北京信息科技大学 Method for controlling QoS (Quality of Service) of stream data, and OpenFlow controller
CN108632098A (en) * 2013-04-28 2018-10-09 华为技术有限公司 Flow classifier, business route flip-flop, Message processing method and system
CN108632098B (en) * 2013-04-28 2021-08-13 华为技术有限公司 Flow classifier, service routing trigger, packet processing method and system
CN104579940A (en) * 2013-10-10 2015-04-29 杭州华三通信技术有限公司 Method and apparatus for searching ACL
CN104579940B (en) * 2013-10-10 2017-08-11 新华三技术有限公司 Search the method and device of accesses control list
CN105591914A (en) * 2014-10-21 2016-05-18 中兴通讯股份有限公司 Openflow flow table look-up method and device
CN105591914B (en) * 2014-10-21 2020-07-03 中兴通讯股份有限公司 A kind of openflow flow table look-up method and device
CN107124366A (en) * 2016-02-24 2017-09-01 中兴通讯股份有限公司 A kind of method for realizing service quality control, apparatus and system
CN107124366B (en) * 2016-02-24 2020-12-11 中兴通讯股份有限公司 Method, device and system for realizing service quality control
CN106301970A (en) * 2016-10-27 2017-01-04 盛科网络(苏州)有限公司 A kind of chip implementing method using forward table convergence to consume with minimizing TCAM list item
CN109194665A (en) * 2018-09-17 2019-01-11 盛科网络(苏州)有限公司 A kind of generation method that message finds key value and device
CN109194665B (en) * 2018-09-17 2020-10-20 盛科网络(苏州)有限公司 Message lookup key value generation method and device
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
WO2020248675A1 (en) * 2019-06-10 2020-12-17 中兴通讯股份有限公司 Access control list issuing method and device

Also Published As

Publication number Publication date
WO2007019755A1 (en) 2007-02-22
CN100433715C (en) 2008-11-12

Similar Documents

Publication Publication Date Title
CN1863142A (en) Method for providing different service quality tactics to data stream
US7957387B2 (en) Packet classification
CN1148687C (en) Full match search method and device for network processor
CN101035060A (en) Integrated processing method for three-folded content addressable memory message classification
CN104168170B (en) packet switching device and method
US20070171911A1 (en) Routing system and method for managing rule entry thereof
CN105577628B (en) Method and device for realizing virtual firewall
CN1404591A (en) Apparatus and method for performing high-speed IP route lookup and managing routing/forwarding tables
CN108476179A (en) Simplified quadrature network set of strategies selection
CN1852240A (en) Bridge-connection transmitting method
CN100352240C (en) Method for controlling number of Layer2 Ethernet ring equipment MAC address learning
CN1465014A (en) Selective routing of data flows using a tcam
Cheng et al. Packet classification using dynamically generated decision trees
CN102487374A (en) A method and device for implementing an access control list
CN1929447A (en) Method and device for searching address prefixion and message transfer method and system
CN101035062A (en) Rule update method for three-folded content addressable memory message classification
CN1744563A (en) Method for realizing strate gic route in Ethernet switch
CN102427428A (en) Stream identifying method and device based on multi-domain longest match
CN1585379A (en) Rapid analyzing method for data pack
CN101222434B (en) Storage policy control list, policy searching method and tri-state addressing memory
CN104641607B (en) A kind of method and device for being used to make ultralow delay disposal decision-making
CN101047649A (en) Method and equipment for transmitting data flow
CN1477494A (en) A method of data packet recursive flow classification
CN114258103A (en) Method, wireless access point and storage medium for application identification and path selection
CN112929281A (en) Message processing method, device and equipment of network equipment based on FPGA

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081112

Termination date: 20190819