CN100542144C - Message forwarding system and method based on security devices, and security device

Publication number: CN100542144C (granted patent; published application CN101106528A)
Application number: CNB2007101197943A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: security device, same-source packets, address identifier, interface
Inventors: 孙加君, 金峰
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Technologies Co Ltd
Legal status: Expired - Fee Related (as listed by Google Patents; not a legal conclusion)
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CNB2007101197943A; publication of CN101106528A; application granted; publication of CN100542144C; expired (fee related); anticipated expiration
Abstract

The invention discloses a message forwarding system based on security devices and a message forwarding method based on security devices. In the invention every security device is cascaded with all receiving devices through network devices, so each security device can send a packet through the network devices to any one of the receiving devices; all security devices set the address identifier of the same receiving device in same-source packets, which guarantees that all same-source packets are sent to the same receiving device, i.e. same source, same sink. Because every security device is cascaded with all receiving devices through the network devices, all security devices share all receiving devices, which raises the utilisation of the receiving devices and lowers the system cost. Each outgoing interface of a security device corresponds to one receiving device, and the outgoing interface can be a logical sub-interface such as an Ethernet sub-interface, so the number of outgoing interfaces is not limited by the number of physical interfaces and the security device can be expanded effectively.

Description

Message forwarding system and method based on security devices, and security device
Technical field
The present invention relates to traffic control technology, and in particular to a message forwarding system based on security devices, a message forwarding method based on security devices, and a security device.
Background art
To detect, monitor and analyse all or part of the packet flows on a backbone (trunk) link, the packet flows on the link are usually forwarded by a security device to at least one receiving device, for example an analysis server, which then processes the packet flows it receives.
In each security device one outgoing interface is directly connected to one receiving device, and the outgoing interfaces connected to receiving devices (at least one) may be called a load-balancing group. The security device performs a hash computation on a packet characteristic parameter, for example the source IP address or the destination IP address, and thereby load-balances the packet flow across the outgoing interfaces of the balancing group.
However, as the services carried on the backbone link diversify, the packet flow grows in proportion, and a single security device can no longer carry all the traffic on the link.
To raise the packet flow a security device can carry and the number of receiving devices it serves, the capacity of the security device may be increased by adding outgoing interfaces to the balancing group. But the outgoing interfaces of an existing balancing group can only be physical interfaces such as Ethernet main interfaces, and a security device has a limited number of physical interfaces, so the number of outgoing interfaces in the balancing group cannot grow without limit and the security device cannot be expanded effectively.
To address this, one existing scheme connects several optical splitters in series on the backbone link, with one security device attached to each splitter. The inbound interface of each security device receives a different packet flow through its splitter, for example the packets matching a different quality of service (QoS) policy and/or access control list (ACL) rule, and it must be ensured that the total of the flows received by all security devices equals the total flow on the backbone link that needs processing; in this way all traffic on the link that needs processing is divided among several security devices.
Fig. 1 is a structural diagram of an existing message forwarding system based on security devices. As shown in Fig. 1, taking two security devices as an example, where each security device is a secure router, the outgoing interfaces in the balancing group are Ethernet main interfaces and the receiving devices are analysis servers, the system comprises secure router A, secure router B, four analysis servers corresponding to secure router A and another four analysis servers corresponding to secure router B.
The inbound interface of secure router A is connected to optical splitter A on the backbone link. Secure router A contains four Ethernet main interfaces, which form balancing group a; each Ethernet main interface is directly connected to one of the analysis servers corresponding to secure router A, i.e. balancing group a is connected to its analysis servers in direct-connection mode.
The inbound interface of secure router B is connected to optical splitter B on the backbone link. Secure router B contains four Ethernet main interfaces, which form balancing group b; each Ethernet main interface is directly connected to one of the analysis servers corresponding to secure router B, i.e. balancing group b is connected to its analysis servers in direct-connection mode.
The default QoS policy in secure router A admits through its inbound interface the packets whose protocol port number is greater than 32768, and the default QoS policy in secure router B admits those whose protocol port number is less than or equal to 32768, so that the total of the packet flows received by secure router A and secure router B equals the total packet flow on the backbone link.
Secure router A and secure router B thus each perform traffic control and load balancing across their outgoing interfaces on the packet flow entering their inbound interface, and send it through the corresponding outgoing interface to the corresponding analysis server, so that the packet flow on the backbone link is analysed and processed by eight analysis servers.
Hence, by adding security devices, the packet flow on the backbone link is divided among the security devices, the load on each is relieved, the message forwarding system based on security devices is guaranteed to carry all the traffic on the backbone link, and the number of receiving devices can be increased.
However, this system still has the following problems:
If secure router A and secure router B both hash on the source IP address of the packet, then all packets with the same source IP address are called same-source packets. For packets on the backbone link with the same source IP address, those whose protocol port number is greater than 32768 enter secure router A and are processed by an analysis server corresponding to secure router A, while those whose protocol port number is less than or equal to 32768 enter secure router B and are processed by an analysis server corresponding to secure router B. Packets with the same source IP address are therefore sent to different analysis servers.
Likewise, if secure router A and secure router B both hash on the destination IP address of the packet, all packets with the same destination IP address are called same-source packets. For packets on the backbone link with the same destination IP address, those whose protocol port number is greater than 32768 enter secure router A and are processed by an analysis server corresponding to secure router A, while those whose protocol port number is less than or equal to 32768 enter secure router B and are processed by an analysis server corresponding to secure router B. Packets with the same destination IP address are therefore sent to different analysis servers.
Delivering same-source packets to the same sink (same source, same sink) is the most important principle required of traffic control: only when the packets of one source are delivered to the same receiving device can the flow be analysed and processed continuously. In an existing message forwarding system with several security devices, however, each security device can only send the packets it receives to the receiving devices corresponding to that device, so it cannot be guaranteed that same-source packets reach the same receiving device; that is, same-source-same-sink cannot be guaranteed.
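The divergence described above, as an added simulation in Python (not code from the patent or from H3C): the Fig. 1 topology with the port-number split on the splitters and a per-router hash over four directly connected analysis servers. The hash function (source IP as a 32-bit integer, modulo the size of the balancing group), the server names and the sample packets are assumptions constructed for this example.

```python
import ipaddress

PORT_SPLIT = 32768  # default QoS policy of Fig. 1: > 32768 enters router A, else router B

# Prior-art balancing groups: each router's four Ethernet main interfaces are
# directly cabled to its own four analysis servers (direct-connection mode).
ROUTER_SERVERS = {
    "A": ["server1", "server2", "server3", "server4"],
    "B": ["server5", "server6", "server7", "server8"],
}


def splitter_select(port):
    """Which secure router a packet enters, per the QoS policies on the two splitters."""
    return "A" if port > PORT_SPLIT else "B"


def hash_on_source_ip(src_ip, n_interfaces):
    """Assumed hash: source IP as a 32-bit integer, modulo the balancing-group size."""
    return int(ipaddress.IPv4Address(src_ip)) % n_interfaces


def prior_art_forward(packet):
    """Return (router, analysis server) for one packet in the Fig. 1 system."""
    router = splitter_select(packet["port"])
    group = ROUTER_SERVERS[router]
    return router, group[hash_on_source_ip(packet["src_ip"], len(group))]


def sinks_for_source(packets, src_ip):
    """Set of analysis servers that see packets of one source IP.

    Same-source-same-sink holds for that source only if the set has one member."""
    return {prior_art_forward(p)[1] for p in packets if p["src_ip"] == src_ip}


# Constructed sample: one host talking on a high port and on a low port.
SAMPLE_PACKETS = [
    {"src_ip": "10.0.0.7", "port": 40000},
    {"src_ip": "10.0.0.7", "port": 443},
    {"src_ip": "10.0.0.8", "port": 50000},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", prior_art_forward(p))
    print("sinks for 10.0.0.7:", sinks_for_source(SAMPLE_PACKETS, "10.0.0.7"))
```

Each router's hash is consistent within its own group; the violation comes from the splitters classifying on port number while the hash classifies on source IP, so one source is spread over two disjoint server sets (10.0.0.7 lands on server4 via router A and on server8 via router B).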
Moreover, whether the message forwarding system has a single security device or several, it suffers from the limited number of physical interfaces of the security device, which limits the number of outgoing interfaces in the balancing group, so the expansion capability of the security device is low and the system cannot be expanded effectively.
Summary of the invention
In view of this, the invention provides a message forwarding system based on security devices, a security device, and a message forwarding method based on security devices, which guarantee same-source-same-sink for packets even when forwarding is done by several security devices.
A message forwarding system based on security devices provided by the invention comprises security devices and receiving devices, each security device receiving packet flow from the same backbone link, and further comprises interconnected network devices;
each security device connected to a network device is connected, through that network device, to the receiving devices connected to every network device;
each security device sets the same address identifier in the same-source packets it receives and sends them to the network device connected to it;
the network device that receives the same-source packets sends them, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
Each security device contains outgoing interfaces, which are physical interfaces or logical sub-interfaces.
The address identifier is the media access control (MAC) address of the receiving device, the MAC address of the same receiving device being set in the destination address field of the same-source packets;
or the address identifier is a VLAN ID, the VLAN ID of the same receiving device being set in the VLAN ID field of the same-source packets.
A preset correspondence between outgoing interfaces and address identifiers is stored in the security device;
each security device hashes all received packets on a packet characteristic so that same-source packets are assigned to the same outgoing interface, and sets the address identifier corresponding to that outgoing interface in the same-source packets assigned to it, which sets the same address identifier in all same-source packets.
A security device provided by the invention includes an inbound interface and outgoing interfaces; it is connected, through interconnected network devices, to all receiving devices on every network device; it sets the same address identifier in the same-source packets received on its inbound interface and sends them, through the outgoing interface corresponding to that address identifier, to the external network device connected to it;
the network device sends the same-source packets, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
A message forwarding method based on security devices provided by the invention applies where each security device receives packet flow from the same backbone link and is connected, through interconnected network devices, to all receiving devices on every network device; the method comprises:
each security device sets the same address identifier in the same-source packets it receives and sends them to the network device connected to it; the network device that receives the same-source packets sends them, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
Each security device contains outgoing interfaces, which are physical interfaces or logical sub-interfaces;
sending to the network device connected to the security device means sending through the corresponding outgoing interface to the network device connected to the security device.
The address identifier is the MAC address of the receiving device, and setting the same address identifier in the received same-source packets means setting the MAC address of the same receiving device in the destination address field of the received same-source packets;
or the address identifier is a VLAN ID, and setting the same address identifier in the received same-source packets means setting the VLAN ID of the same receiving device in the VLAN ID field of the received same-source packets.
Setting the same address identifier in the received same-source packets comprises:
hashing all received packets on a packet characteristic so that same-source packets are assigned to the same outgoing interface;
and, according to the preset correspondence between outgoing interfaces and address identifiers, setting the address identifier corresponding to that outgoing interface in the same-source packets assigned to it.
The invention also provides another message forwarding system based on security devices and another security device, which allow the system to be expanded.
This other message forwarding system based on security devices comprises receiving devices and a network device, and further comprises interconnected network devices; the security device is connected, through the interconnected network devices, to all receiving devices on every network device;
the security device contains outgoing interfaces which are logical sub-interfaces, each logical sub-interface corresponding, through the network device, to one receiving device;
the security device sets the same address identifier in the same-source packets it receives and sends them to the network device connected to it;
the network device sends the same-source packets, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
The address identifier is the MAC address of the receiving device, the MAC address of the same receiving device being set in the destination address field of the same-source packets;
or the address identifier is a VLAN ID, the VLAN ID of the same receiving device being set in the VLAN ID field of the same-source packets.
This other security device includes an inbound interface and outgoing interfaces; it is connected, through interconnected external network devices, to all external receiving devices on every external network device; its outgoing interfaces are logical sub-interfaces, each corresponding, through an external network device, to one external receiving device;
the security device sets the same address identifier in the same-source packets received on its inbound interface and sends them, through the outgoing interface corresponding to that address identifier, to the external network device connected to it;
the network device sends the same-source packets, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
As the above technical solution shows, every security device in the invention is cascaded with all receiving devices through the network devices, so each security device can send a packet through the network devices to any receiving device; all security devices set the address identifier of the same receiving device in same-source packets, that is, all same-source packets carry the same address identifier, so all same-source packets are sent to the same receiving device and same-source-same-sink is achieved.
Because every security device is cascaded with all receiving devices through the network devices, all security devices share all receiving devices, which raises the utilisation of the receiving devices and lowers the system cost.
Each outgoing interface of a security device corresponds to one receiving device, and the outgoing interface is a logical sub-interface such as an Ethernet sub-interface, so the number of outgoing interfaces is not limited by the number of physical interfaces and the security device can be expanded effectively.
Brief description of the drawings
Fig. 1 is a structural diagram of an existing message forwarding system based on security devices.
Fig. 2 is an exemplary block diagram of the message forwarding system based on security devices in the invention.
Fig. 3 is a structural diagram of message forwarding system 1 based on security devices in an embodiment of the invention.
Fig. 4 is a structural diagram of message forwarding system 2 based on security devices in an embodiment of the invention.
Fig. 5 is a schematic diagram of the packet flow in the message forwarding system based on security devices in an embodiment of the invention.
Fig. 6 is a flow chart of the message forwarding method based on security devices in an embodiment of the invention.
Detailed description
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the drawings and embodiments.
In the invention every security device is cascaded with all receiving devices through several interconnected switches, so each security device can send a packet through the switches to any receiving device; all security devices set the address identifier of the same receiving device in same-source packets, i.e. all same-source packets carry the same address identifier, so the switches deliver all same-source packets to the same receiving device and same-source-same-sink is achieved.
Fig. 2 is an exemplary block diagram of the message forwarding system based on security devices in the invention. As shown in Fig. 2, the system comprises N security devices and M receiving devices, N and M being positive integers not less than 2.
The N security devices connected to the same backbone link still receive the packet flow of that link; for example, the inbound interface of each security device receives the packets matching a different QoS policy and/or ACL rule, and the total of the flows received by all security devices must equal the total flow on the link that needs processing.
The system also contains N interconnected switches, connected in series; in practice the N switches may also be connected to each other pairwise. Each security device has M outgoing interfaces, all connected to the same switch, and each outgoing interface corresponds, through the interconnected switches, to a different receiving device; of the M receiving devices, at least one (a different one in each case) is connected to each switch.
Since every security device is cascaded with all receiving devices through the switches, each security device can therefore send a packet, through the N connected switches, to any one of the M receiving devices.
All security devices send same-source packets through the outgoing interface corresponding to the same receiving device to the switch connected to that outgoing interface, after setting the address identifier of that same receiving device in the same-source packets.
Same-source packets may be all packets sharing one or more packet characteristic parameters, such as the same source IP address, the same destination IP address or the same source port; the characteristic parameter that defines same-source packets is the one on which the security device hashes.
Each switch sends a received packet, according to the address identifier set in it, directly or via other switches to the corresponding receiving device.
In this way all security devices set the address identifier of the same receiving device in same-source packets, i.e. all same-source packets carry the same address identifier, so the switches send all same-source packets to the same receiving device and same-source-same-sink is achieved.
In this system all outgoing interfaces of a security device may still be called a balancing group, but the balancing group is connected to all receiving devices in cascade mode rather than in direct-connection mode.
A balancing-group table entry is set in each security device, comprising: the list of outgoing interfaces in the balancing group of this security device, the list of address identifiers of the receiving devices cascaded to the balancing groups of all security devices, and the correspondence between outgoing interfaces and receiving-device address identifiers.
According to its balancing-group table entry and the chosen classification, every security device assigns all packets with the same source IP address to the outgoing interface corresponding to the same receiving-device address identifier, replaces the content of the destination address of those packets with the address identifier of the receiving device corresponding to that outgoing interface, and sends them to the switch connected to that outgoing interface; the switch then uses its forwarding capability to deliver them, directly or via other switches, to the receiving device matching the packet's destination address. Each balancing group can thereby send packets to any of the receiving devices of all balancing groups, and all packets with the same source IP address reach the same receiving device: same source, same sink.
In the invention the outgoing interfaces of the balancing group may still be physical interfaces such as Ethernet main interfaces; but because physical interfaces cannot effectively expand the capacity of a security device, the outgoing interfaces of the balancing group in the invention may be logical sub-interfaces such as Ethernet sub-interfaces.
When logical sub-interfaces such as Ethernet sub-interfaces are used as outgoing interfaces, the outgoing-interface list in the balancing-group table entry of each security device comprises the list of physical interfaces and the list of logical sub-interfaces of each physical interface, and the correspondence between outgoing interfaces and receiving-device address identifiers is that between logical sub-interfaces and receiving-device address identifiers.
Each logical sub-interface in the balancing group can then be cascaded to one receiving device through the switches, so the number of outgoing interfaces in the balancing group is not limited by the number of physical interfaces of the security device, the number of receiving devices a security device can connect is multiplied, and the capacity of the security device is effectively expanded.
For example, suppose a security device can have at most 10 physical interfaces; its balancing group then has at most 10 outgoing interfaces and cascades 10 receiving devices. If each physical interface of that security device is divided into 10 logical sub-interfaces, the balancing group of each security device can contain up to 100 outgoing interfaces and cascade 100 receiving devices.
And if the system contains 10 security devices, since the balancing group of each is cascaded with 100 receiving devices and all balancing groups are connected through the switches, the balancing groups of the 10 security devices can share all receiving devices of all security devices, i.e. each balancing group is cascaded, directly or indirectly, with all 1000 receiving devices.
Likewise, in a message forwarding system with a single security device, using logical sub-interfaces as outgoing interfaces also improves the expansion capability of the security device and of the system.
A message forwarding system based on a single security device comprises one security device and several receiving devices.
The security device contains several logical sub-interfaces, each corresponding, through a switch, to one receiving device. Suppose the security device can have at most 10 physical interfaces; dividing each physical interface into several logical sub-interfaces expands the security device, and with one receiving device per logical sub-interface the number of receiving devices multiplies as well, i.e. the system is expanded.
Same-source-same-sink must also be guaranteed in the single-device system, so the security device sets the same address identifier in the same-source packets it receives and sends them to the switch connected to it; the switch sends the same-source packets, according to the address identifier set in them, to the receiving device corresponding to that address identifier.
Thus, for a message forwarding system based on a single security device, the invention also achieves effective expansion while guaranteeing same-source-same-sink.
In the invention, when the outgoing interface is a physical interface, the address identifier corresponding to a receiving device may be the medium access control (MAC) address of the receiving device, set in the destination address field of the packet; when the outgoing interface is a logical sub-interface, the address identifier may be the MAC address of the receiving device or the VLAN ID of the corresponding logical sub-interface, the VLAN ID being set in the VLAN ID field of the packet.
Below, taking secure routers as the security devices and Ethernet sub-interfaces as the outgoing interfaces as an example, the message forwarding system based on security devices of the invention is described in detail.
Fig. 3 is based on the structural representation of the message forwarding system 1 of safety means in the embodiment of the invention.As shown in Figure 3, with 2 secure routers, 8 Analysis servers, with source messages is that all messages of identical source IP address are example, and the message forwarding system 1 based on safety means in the present embodiment comprises: secure router A and secure router B, Analysis server 1~8.
Secure router A and secure router B receive the different message flows in the same trunk link respectively.
Comprise Ethernet main interface GigabitEthernet2/1/1, Ethernet main interface GigabitEthernet2/1/2 among the secure router A, 2 Ethernet main interfaces link to each other with switch A.
Comprise Ethernet main interface GigabitEthernet2/1/1, Ethernet main interface GigabitEthernet2/1/2 among the secure router B, 2 Ethernet main interfaces link to each other with switch b.
Switch A links to each other with Analysis server 1~Analysis server 4, and switch b links to each other with Analysis server 5~Analysis server 8, and switch A links to each other with switch b.
In the present embodiment, Ethernet main interface GigabitEthernet2/1/1 is divided into 4 ethernet sub-interface GigabitEthernet2/1/1.1~GigabitEthernet2/1/1.4 again; Ethernet main interface GigabitEthernet2/1/2 also is divided into 4 ethernet sub-interface GigabitEthernet2/1/2.5~GigabitEthernet2/1/2.8.
Like this, secure router A comprises above-mentioned 8 ethernet sub-interfaces, be equilibrium group a, 4 ethernet sub-interfaces wherein are by one in switch A difference correspondence analysis server 1~Analysis server 4, and 4 ethernet sub-interfaces in addition are by one in switch A and the switch b difference correspondence analysis server 5~Analysis server 8; Secure router B also comprises above-mentioned 8 ethernet sub-interfaces, be equilibrium group b, 4 ethernet sub-interfaces wherein are by one in switch b difference correspondence analysis server 5~Analysis server 8, and 4 ethernet sub-interfaces in addition are by one in switch b and the switch A difference correspondence analysis server 1~Analysis server 4.
Secure router A stores a preset load-balancing group entry for group a. The entry contains: the list of physical interfaces, the list of logical sub-interfaces under each physical interface, the list of analysis server address designations, and the correspondence between logical sub-interfaces and analysis server address designations.
In this embodiment the entry for group a is as shown in Table 1: each Ethernet sub-interface in the logical sub-interface list corresponds to one MAC address in the analysis server address designation list, where MAC1 to MAC8 are the MAC addresses of analysis servers 1 to 8 respectively.
Table 1: load-balancing group entry for group a (physical interfaces, Ethernet sub-interfaces and analysis server MAC addresses; reproduced as an image in the original, not shown here)
Secure router B stores a preset load-balancing group entry for group b. The entry contains the same items: the list of physical interfaces, the list of logical sub-interfaces under each physical interface, the list of analysis server address designations, and the correspondence between logical sub-interfaces and analysis server address designations.
In this embodiment, the entry for group b can also be as shown in Table 1.
Secure router A also stores a preset hash algorithm. It hashes the source IP address of each message received on its incoming interface over the number of Ethernet sub-interfaces in group a, so that messages with the same source IP address are assigned to the same Ethernet sub-interface; it then looks up the entry for group a, replaces the content of each message's destination address with the MAC address of the analysis server corresponding to the assigned sub-interface, and sends each message out of that sub-interface to switch A.
Secure router B also stores a preset hash algorithm. Because the entry for group b is identical to that of group a, the hash algorithm stored in secure router B can be the same as that in secure router A; this guarantees that secure router B and secure router A send messages with the same source IP address to the same analysis server. Secure router B hashes the source IP address of each message received on its incoming interface over the number of Ethernet sub-interfaces in group b, so that messages with the same source IP address and protocol port number are assigned to the same Ethernet sub-interface; it then looks up the entry for group b, replaces the content of each message's destination address with the MAC address of the analysis server corresponding to the assigned sub-interface, and sends each message out of that sub-interface to switch B.
In a concrete implementation, the MAC address of the corresponding analysis server can be configured on each Ethernet sub-interface according to the entry in Table 1; when a message is sent to that sub-interface, the content of its destination address is replaced with the MAC address of the analysis server configured on the sub-interface.
If the destination address of a message received by switch A is the MAC address of any of analysis servers 1 to 4, switch A sends the message directly to the analysis server with that MAC address; if it is the MAC address of any of analysis servers 5 to 8, switch A forwards the message to switch B, and switch B sends it to the analysis server with that MAC address.
If the destination address of a message received by switch B is the MAC address of any of analysis servers 5 to 8, switch B sends the message directly to the analysis server with that MAC address; if it is the MAC address of any of analysis servers 1 to 4, switch B forwards the message to switch A, and switch A sends it to the analysis server with that MAC address.
Fig. 4 is a schematic structural diagram of message forwarding system 2 based on security devices in an embodiment of the invention. As shown in Fig. 4, again taking 2 secure routers and 8 analysis servers as an example, and treating all messages with the same destination IP address as same-source messages, message forwarding system 2 in this embodiment comprises secure router A, secure router B, and analysis servers 1 to 8.
Compared with message forwarding system 1, the difference in message forwarding system 2 is that the address designation of an analysis server is the VLAN ID of the Ethernet sub-interface corresponding to it.
Switch A also connects to analysis servers 1 to 4 through access interfaces, and the VLAN IDs of the access interfaces connecting analysis servers 1 to 4 are respectively the VLAN IDs of Ethernet sub-interfaces GigabitEthernet2/1/1.1 to GigabitEthernet2/1/1.4.
Switch B also connects to analysis servers 5 to 8 through access interfaces, and the VLAN IDs of the access interfaces connecting analysis servers 5 to 8 are respectively the VLAN IDs of Ethernet sub-interfaces GigabitEthernet2/1/2.5 to GigabitEthernet2/1/2.8.
The type of interface connecting switch A and switch B is not restricted; for example, it may be a trunk interface.
Accordingly, the load-balancing group entries of group a and group b can be as shown in Table 2.
Table 2: load-balancing group entry for groups a and b with VLAN IDs V1 to V8 as address designations (reproduced as an image in the original, not shown here)
Secure router A hashes the destination IP address of each message received on its incoming interface over the number of Ethernet sub-interfaces in group a, so that messages with the same destination IP address are assigned to the same Ethernet sub-interface; it then looks up the entry for group a, replaces the content of each message's destination address with the VLAN ID corresponding to the assigned sub-interface, and sends each message out of that sub-interface to switch A.
Secure router B performs the same hash computation as secure router A on the destination IP address of each message received on its incoming interface over the number of Ethernet sub-interfaces in group b, so that messages with the same destination IP address and protocol port number are assigned to the same Ethernet sub-interface; it then looks up the entry for group b, replaces the content of each message's destination address with the VLAN ID corresponding to the assigned sub-interface, and sends each message out of that sub-interface to switch B.
In a concrete implementation, the corresponding VLAN ID can be configured on each Ethernet sub-interface according to the entry in Table 2; when a message is sent to that sub-interface, the content of its destination address is replaced with the VLAN ID configured on the sub-interface.
If the destination address of a message received by switch A is any VLAN ID among V1 to V4, the message is broadcast within that VLAN and is thereby sent to the analysis server attached to the corresponding access interface; if the VLAN ID in a message received by switch A is any of V5 to V8, the message is broadcast within that VLAN through switch A and forwarded to switch B.
If the destination address of a message received by switch B is any VLAN ID among V5 to V8, the message is broadcast within that VLAN and is thereby sent to the analysis server attached to the corresponding access interface; if the VLAN ID in a message received by switch B is any of V1 to V4, the message is broadcast within that VLAN through switch B and forwarded to switch A.
In both systems above, secure router A and secure router B each perform flow control on the message flow entering from their incoming interfaces and load-balance it across their outgoing interfaces, then send it through the corresponding outgoing interface to the corresponding analysis server, so that the message flow in the trunk link is analyzed and processed by the 8 analysis servers.
In practical applications, an Ethernet main interface may also serve as an outgoing interface in the load-balancing group. Although this limits the capacity expansion of the secure router to the number of physical interfaces, same-source same-destination forwarding of messages is still guaranteed.
Fig. 5 is a schematic diagram of message flow in the message forwarding system based on security devices in an embodiment of the invention. As shown in Fig. 5, message P1 is a message whose protocol port number is greater than 32768, message P2 is a message whose protocol port number is less than or equal to 32768, and P1 and P2 are same-source messages, for example messages with the same source IP address or the same destination IP address.
For the two systems above, assume that the default QoS policy in secure router A allows messages with a protocol port number greater than 32768 to enter its incoming interface, and the default QoS policy in secure router B allows messages with a protocol port number less than or equal to 32768 to enter its incoming interface.
Message P1 enters secure router A. After secure router A hashes the source IP address of the message, P1 is assigned to Ethernet sub-interface GigabitEthernet2/1/1.1 of group a, and the content of its destination address field (DAF) is replaced with the MAC address of analysis server 1 configured on GigabitEthernet2/1/1.1, or P1 is given the VLAN ID configured on GigabitEthernet2/1/1.1, which is the same as the VLAN ID of the access interface on switch A that connects analysis server 1. P1 is then sent to switch A and, through the switch's message forwarding function, finally delivered to analysis server 1.
Message P2 enters secure router B. After secure router B hashes the source IP address of the message, P2 is assigned to sub-interface GigabitEthernet2/1/1.1 of group b, and the content of its destination address field (DAF) is replaced with the MAC address of analysis server 1 configured on GigabitEthernet2/1/1.1, or P2 is given the VLAN ID configured on GigabitEthernet2/1/1.1, which is the same as the VLAN ID of the access interface on switch A that connects analysis server 1. P2 is then sent to switch B, forwarded by the switch's message forwarding function to switch A, and finally delivered to analysis server 1 by switch A.
It can be seen that although message P1 and message P2 are split between secure router A and secure router B because of their different protocol port numbers, secure router A and secure router B are cascaded with their analysis servers through switch A and switch B respectively, and switch A and switch B are interconnected. Secure routers A and B therefore send P1 and P2 out of the Ethernet sub-interfaces corresponding to the same analysis server, and the message forwarding function of the switches delivers the same-source messages P1 and P2 to the same analysis server, achieving same-source same-destination forwarding.
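As an added example (not code from the patent, its inventors or H3C), the following Python simulation models message forwarding system 1 (Fig. 3, MAC addresses as address designations, hash on source IP) and system 2 (Fig. 4, VLAN IDs as address designations, hash on destination IP), and drives the P1/P2 flow of Fig. 5 through both. The interface names are the ones the patent uses; the MAC addresses, VLAN IDs, IP addresses and the hash function (the IP address modulo the number of sub-interfaces) are constructed assumptions, because the patent fixes no particular hash algorithm, only that both routers use the same one and the same load-balancing group entry.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology mirroring Fig. 3 (MAC mode) and Fig. 4 (VLAN mode).
# Interface names are the patent's; MAC addresses and VLAN IDs are constructed stand-ins
# for MAC1..MAC8 and V1..V8 of Table 1 / Table 2.
SUBINTERFACES = [
    "GigabitEthernet2/1/1.1", "GigabitEthernet2/1/1.2",
    "GigabitEthernet2/1/1.3", "GigabitEthernet2/1/1.4",
    "GigabitEthernet2/1/2.5", "GigabitEthernet2/1/2.6",
    "GigabitEthernet2/1/2.7", "GigabitEthernet2/1/2.8",
]
SERVER_MAC = {i: f"02:00:00:00:00:{i:02x}" for i in range(1, 9)}   # analysis server i -> MACi
SERVER_VLAN = {i: 100 + i for i in range(1, 9)}                    # analysis server i -> Vi


@dataclass
class Message:
    src_ip: str
    dst_ip: str
    port: int                              # protocol port number used by the QoS policy of Fig. 5
    dst_mac: str = "ff:ff:ff:ff:ff:ff"     # destination address field, rewritten in MAC mode
    vlan: Optional[int] = None             # VLAN ID field, set in VLAN mode


def balance_group_entry(mode: str) -> dict:
    """Load-balancing group entry (Table 1 / Table 2): sub-interface -> address designation.
    Both routers must hold the same entry for same-source messages to reach the same server."""
    designation = SERVER_MAC if mode == "mac" else SERVER_VLAN
    return {SUBINTERFACES[i - 1]: designation[i] for i in range(1, 9)}


def hash_to_subinterface(key: str, count: int) -> str:
    """Constructed hash: the patent fixes no algorithm, only that all routers use the same one."""
    return SUBINTERFACES[int(ipaddress.ip_address(key)) % count]


class SecureRouter:
    def __init__(self, name: str, mode: str):
        self.name, self.mode = name, mode
        self.entry = balance_group_entry(mode)

    def forward(self, msg: Message):
        """Assign the message to a sub-interface and stamp that server's address designation."""
        key = msg.src_ip if self.mode == "mac" else msg.dst_ip   # Fig. 3: source IP; Fig. 4: destination IP
        subif = hash_to_subinterface(key, len(self.entry))
        if self.mode == "mac":
            msg.dst_mac = self.entry[subif]
        else:
            msg.vlan = self.entry[subif]
        return subif, msg


class Switch:
    def __init__(self, name: str, local_servers: set, mode: str):
        self.name, self.local, self.mode = name, local_servers, mode
        self.peer: Optional[Switch] = None

    def deliver(self, msg: Message, hop: int = 0) -> int:
        """Return the server number reached; hand off to the peer switch when the server is remote."""
        if self.mode == "mac":
            server = next(i for i, m in SERVER_MAC.items() if m == msg.dst_mac)
        else:   # VLAN mode: the access port whose VLAN ID matches the tag reaches the server
            server = next(i for i, v in SERVER_VLAN.items() if v == msg.vlan)
        if server in self.local:
            return server
        if self.peer is None or hop >= 1:
            raise RuntimeError(f"switch {self.name}: no path to analysis server {server}")
        return self.peer.deliver(msg, hop + 1)


def run(mode: str, messages: list) -> list:
    """Drive messages through the two-router, two-switch system; return (router, sub-interface, server)."""
    router_a, router_b = SecureRouter("A", mode), SecureRouter("B", mode)
    switch_a, switch_b = Switch("A", {1, 2, 3, 4}, mode), Switch("B", {5, 6, 7, 8}, mode)
    switch_a.peer, switch_b.peer = switch_b, switch_a
    uplink = {"A": switch_a, "B": switch_b}
    results = []
    for msg in messages:
        # Default QoS policy of Fig. 5: port > 32768 enters router A, otherwise router B.
        router = router_a if msg.port > 32768 else router_b
        subif, msg = router.forward(msg)
        results.append((router.name, subif, uplink[router.name].deliver(msg)))
    return results


def same_source_same_server(results: list) -> bool:
    """The property the patent calls same-source same-destination: one server for all messages."""
    return len({server for _, _, server in results}) == 1


if __name__ == "__main__":
    for mode in ("mac", "vlan"):
        outcome = run(mode, [Message("10.0.0.8", "192.0.2.8", 40000),   # constructed P1, port > 32768
                             Message("10.0.0.8", "192.0.2.8", 443)])    # constructed P2, port <= 32768
        print(mode, outcome, "same server:", same_source_same_server(outcome))
```

With the constructed addresses, both P1 and P2 hash to GigabitEthernet2/1/1.1 and reach analysis server 1 in either mode, P2 crossing from switch B to switch A exactly as in Fig. 5, while a message from a different source hashes to another sub-interface and server. The check that matters operationally is the one in `balance_group_entry`'s docstring: if the two routers' entries or hash functions drift apart (for example after a one-sided reconfiguration), `same_source_same_server` returns False and the analysis servers no longer see complete flows.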
The above embodiments merely illustrate the technical solution of the invention. The function of the secure routers can also be realized with other types of routers, and the number of security devices and switches in the system can be set arbitrarily according to the total amount of message flow in the trunk link that needs to be processed.
The above is a detailed description of the message forwarding system based on security devices in the embodiment of the invention; the message forwarding method based on security devices in the embodiment is described in detail below.
Fig. 6 is a schematic flow chart of the message forwarding method based on security devices in an embodiment of the invention. As shown in Fig. 6, and based on the system shown in Fig. 2, the message forwarding method based on security devices in this embodiment comprises:
Step 601: each security device receives a different message flow from the same trunk link.
In this step, different security devices can receive, from the same trunk link, different message flows matching different QoS policies and/or ACL rules.
Step 602: each security device sets the same address designation in the same-source messages it receives and sends them to the switch connected to it.
Here, same-source messages means all messages that share a message characteristic parameter such as the same source IP address or the same destination IP address.
In this step, the address designation can be the MAC address of the receiving device, set in the destination address field of the same-source messages; or it can be the VLAN ID of the access interface on the switch that connects the receiving device, set in the VLAN ID field of the same-source messages.
If the address designation is a VLAN ID, then before this step the VLAN ID of each access interface connecting the switch to a receiving device must also be set to the VLAN ID of the outgoing interface corresponding to that receiving device.
Step 603: the switch that receives the same-source messages sends them, according to the address designation set in them, to the receiving device corresponding to that address designation.
This completes the flow.
As the above embodiments show, each security device is cascaded with all receiving devices through the switches, so each security device can send a message to any of the receiving devices through a switch; all security devices set the address designation of the same receiving device in same-source messages, which guarantees that the switches send all same-source messages to the same receiving device, achieving same-source same-destination forwarding.
Moreover, because each security device is cascaded with all receiving devices through the switches, all security devices share all receiving devices, which improves the utilization of the receiving devices and reduces system cost.
If logical sub-interfaces are used as the outgoing interfaces in the load-balancing group, the number of outgoing interfaces in the group is not limited by the number of physical interfaces, so the capacity of the security devices can be expanded effectively.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (12)

1. A message forwarding system based on security devices, comprising security devices and receiving devices, each security device receiving a message flow from a trunk link, characterized in that:
the system further comprises interconnected network devices;
each security device connected to a network device is connected, through that network device, to the receiving devices connected to each network device;
each security device sets the same address designation in the same-source messages it receives and sends them to the network device connected to it;
the network device that receives the same-source messages sends them, according to the address designation set in them, to the receiving device corresponding to that address designation.
2. The system of claim 1, characterized in that each security device contains outgoing interfaces, and the outgoing interface is a physical interface or a logical sub-interface.
3. The system of claim 2, characterized in that the address designation is the media access control (MAC) address of the receiving device, and the MAC address of the same receiving device is set in the destination address field of the same-source messages;
or the address designation is a virtual local area network identifier (VLAN ID), and the VLAN ID of the same receiving device is set in the VLAN ID field of the same-source messages.
4. The system of claim 2 or 3, characterized in that the security device stores a preset correspondence between outgoing interfaces and the address designations;
each security device performs a hash computation on all received messages according to a message characteristic so as to assign same-source messages to the same outgoing interface, and sets the address designation corresponding to that outgoing interface in the same-source messages assigned to it, thereby setting the same address designation in the same-source messages.
5. A security device, having an incoming interface and outgoing interfaces, characterized in that: the security device is connected, through interconnected network devices, to all receiving devices on each network device; the security device sets the same address designation in the same-source messages received on its incoming interface, and sends them through the outgoing interface corresponding to that address designation to the external network device connected to it;
the network device sends the same-source messages, according to the address designation set in them, to the receiving device corresponding to that address designation.
6. A message forwarding method based on security devices, each security device receiving a message flow from a trunk link, characterized in that each security device is connected, through interconnected network devices, to all receiving devices on each network device;
the method comprises:
each security device sets the same address designation in the same-source messages it receives and sends them to the network device connected to it;
the network device that receives the same-source messages sends them, according to the address designation set in them, to the receiving device corresponding to that address designation.
7. The method of claim 6, characterized in that each security device contains outgoing interfaces, and the outgoing interface is a physical interface or a logical sub-interface;
sending to the network device connected to the security device means: sending, through the corresponding outgoing interface, to the network device connected to the security device.
8. The method of claim 7, characterized in that the address designation is the media access control (MAC) address of the receiving device, and setting the same address designation in the received same-source messages means: setting the MAC address of the same receiving device in the destination address field of the received same-source messages;
or the address designation is a virtual local area network identifier (VLAN ID), and setting the same address designation in the received same-source messages means: setting the VLAN ID of the same receiving device in the VLAN ID field of the received same-source messages.
9. The method of claim 7 or 8, characterized in that setting the same address designation in the received same-source messages means:
performing a hash computation on all received messages according to a message characteristic so as to assign same-source messages to the same outgoing interface;
according to a preset correspondence between outgoing interfaces and address designations, setting the address designation corresponding to that outgoing interface in the same-source messages assigned to it.
10. A message forwarding system based on security devices, comprising security devices and receiving devices, characterized in that the system further comprises interconnected network devices, and the security devices are connected, through the interconnected network devices, to all receiving devices on each network device;
each security device contains outgoing interfaces, the outgoing interface is a logical sub-interface, and each logical sub-interface is connected through the network device to a corresponding receiving device;
each security device sets the same address designation in the same-source messages it receives and sends them to the network device connected to it;
the network device sends the same-source messages, according to the address designation set in them, to the receiving device corresponding to that address designation.
11. The system of claim 10, characterized in that the address designation is the media access control (MAC) address of the receiving device, and the MAC address of the same receiving device is set in the destination address field of the same-source messages;
or the address designation is a virtual local area network identifier (VLAN ID), and the VLAN ID of the same receiving device is set in the VLAN ID field of the same-source messages.
12. A security device, having an incoming interface and outgoing interfaces, characterized in that the security device is connected, through interconnected external network devices, to all external receiving devices on each external network device; the outgoing interface of the security device is a logical sub-interface, and each logical sub-interface is connected through an external network device to a corresponding external receiving device;
the security device sets the same address designation in the same-source messages received on its incoming interface, and sends them through the outgoing interface corresponding to that address designation to the external network device connected to it;
the network device sends the same-source messages, according to the address designation set in them, to the receiving device corresponding to that address designation.
CNB2007101197943A 2007-07-31 2007-07-31 Message forwarding system and method and safety means based on safety means Expired - Fee Related CN100542144C (en)

Publications (2)

Publication Number Publication Date
CN101106528A CN101106528A (en) 2008-01-16
CN100542144C true CN100542144C (en) 2009-09-16

Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Patentee after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20090916
Termination date: 20200731