CN101146027A - Method based on access control list category - Google Patents

Publication number: CN101146027A
Authority: CN (China)
Prior art keywords: acl, behavior, gbm, access control, method based
Legal status: Granted; current status Expired - Fee Related
Application number: CNA2006101275810A
Other languages: Chinese (zh)
Other versions: CN101146027B (en)
Inventors: 纪翀, 李华光, 薛红兵, 曹超
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by: ZTE Corp
Priority to: CN2006101275810A
Publications: CN101146027A; CN101146027B (application granted)

Abstract

The invention discloses a classification method based on access control lists, comprising the following steps: arranging the ACEs of the ACLs in order, with all ACEs of each ACL contiguous and in the same order as in the ACL; constructing the Phase 0 index table according to the RFC algorithm to obtain the CBM and eqID; constructing the eqID index tables and CBMs of Phase 1 and later phases according to the RFC algorithm; calculating, from each CBM, the number of the first rule hit in each ACL group, and constructing the GBM from the behaviors of those rules; and, following the classification order of the ACLs in each function, finding in turn the first bit in the GBM with the selected behavior, obtaining the behavior corresponding to that ACL class, and storing it in the behavior set corresponding to the GBM. With the invention, the GBM and the behavior set of a packet are found in a single lookup, which greatly reduces the number of lookups and saves lookup time.

Description

Method based on access control list category
Technical field
The present invention relates to packet classification in IP network equipment in the communications field, and specifically to a classification method based on access control lists.
Background technology
The spread of network applications and the Internet has greatly improved the production and operating efficiency of enterprises, but it has also brought problems such as data security. How to manage a network effectively and reduce its negative effects as far as possible has become an important issue facing network administrators. The ACL is one of the commonly used security techniques. An ACL uses packet filtering: on a router or intelligent switch it reads the information in the layer 3 and layer 4 headers, such as source address, destination address, source port and destination port, and filters packets according to predefined rules, thereby achieving access control.
The term ACL here covers both the ACL and the ACE. An ACL (Access Control List) is a list made up of ACEs. An ACE (Access Control Entry) represents one rule, which is in effect a mapping from a condition to a behavior (condition → action). The condition is generally expressed as ranges over the five-tuple of the packet, and there are two behaviors, permit and deny. If a packet satisfies the condition, that is, it matches, the packet takes the behavior corresponding to that condition.
The ACEs in an ACL are ordered. A packet is checked against the ACEs in turn; the first matching ACE is found and its result is returned, otherwise there is no hit. For example:
Example 1: ACL configuration example:
access-list 101 permit tcp host 10.1.6.66 any eq telnet /*ACE1*/
access-list 101 deny tcp any any eq telnet /*ACE2*/
As shown in Example 1, ACL 101 is configured with two ACEs. The first means that all telnet packets whose source address is 10.1.6.66 are permitted; the second means that all telnet packets are denied. Because ACE1 precedes ACE2, a packet checked against the ACL is looked up in ACE1 first. If the packet is not a telnet packet from 10.1.6.66 (no match), it is then looked up in ACE2; otherwise the behavior of ACE1, permit, is returned. The lookup in ACE2 follows the same flow as in ACE1. If the packet does not match ACE2, the default behavior is taken (vendors generally append a default ACE at the end of the ACL whose condition is all packets; its behavior differs between vendors, and for Cisco it is deny).
The most basic application of an ACL is packet filtering. After an ACL is configured on the inbound (outbound) side of an interface, every inbound (outbound) packet is checked against the ACEs of that ACL in turn, the first matching ACE is obtained, and the behavior of that ACE is finally taken. In this way the network element can filter out packets it does not want to receive or does not want to send.
Another important role of the ACL is packet classification. In essence an ACL can be regarded as a set of packets. If the universal set of packets is I, Example 1 can be expressed as the sets shown in Fig. 1, where the region with vertical lines represents permit and the region with horizontal lines represents deny. If each set of packets is regarded as a class, an ACL can be used to represent a classification of packets.
ACL classification is widely used in functions such as policy routing, QoS and NAT.
Take the rate-limit function of a router as an example, with rate-limit configured as follows:
rate-limit input access-group 103 96000 10000 20000 conform-action transmit exceed-action continue
rate-limit input access-group 101 48000 5000 10000 conform-action transmit exceed-action set-prec-transmit 5
rate-limit input access-group 102 48000 5000 10000 conform-action set-prec-transmit 7 exceed-action drop
With reference to Fig. 2, analysis of this flow shows that the number of ACL lookups is not fixed, and the time complexity of polling through the ACL classes is O(n).
With reference to Fig. 3, the existing RFC (Recursive Flow Classification) algorithm can quickly index the rule a packet matches through several stages of recursive operations within a limited physical memory space. The RFC algorithm first subdivides index fields with a large number of bits into smaller index fields and groups them, so as to generate an eqID index table for each index field; each entry of an eqID index table identifies a class bitmap value (CBM, Class Bit Map). A CBM consists of a number of bits; the n-th bit represents the n-th rule, and the number of bits in the CBM is determined by the total number of rule entries. Generating the eqID index table of each index field necessarily merges index-field values that have the same CBM into the same eqID entry, which greatly reduces the memory occupied by the eqID index table. Next, several phases of operations are performed on the eqID index tables of all index fields. In each phase the eqID sets are grouped and merged according to an optimal merging algorithm, so that after merging, eqID entries that belong to the same CBM are combined, which significantly reduces the memory of the overall index table. Through repeated recursive phases, all rules are finally merged into one overall index table, and from this final rule index table the business rule of the first matching ACL rule can be located directly.
The RFC algorithm flow is described below using the ACL rules in Table 1.
Given the following configuration:
access-list 101 permit 192.168.1.0 0.0.0.255
access-list 101 permit 192.168.2.0 0.0.0.255
access-list 101 deny 192.168.3.0 0.0.0.255
access-list 101 permit 192.178.1.0 0.0.0.255
access-list 101 deny 192.178.2.0 0.0.0.255
access-list 101 permit 192.188.3.0 0.0.0.255
access-list 101 deny 0.0.0.0 255.255.255.255
the IP address range can be split into two 16-bit parts to build the first-level index tables.
Table 1: ACL sample rules table
Rule #   Chunk#0 SRC IP[31..16]   Chunk#1 SRC IP[15..0]   Rule Action
R0       192.168/0.0              1.0/0.255               Y
R1       192.168/0.0              2.0/0.255               Y
R2       192.168/0.0              3.0/0.255               N
R3       192.178/0.0              1.0/0.255               Y
R4       192.178/0.0              2.0/0.255               N
R5       192.188/0.0              3.0/0.255               Y
R6       0.0/255.255              0.0/255.255             N
With reference to Fig. 4 and Fig. 5, in the first phase the d index fields of the IP header of the packet are first subdivided into several index-field groups, and then the eqID index table of each group is computed. Each eqID index entry is a CBM value, each bit of which indicates that the corresponding rule is matched: the n-th bit indicates that the n-th rule is matched.
In the subsequent recursive phases, the eqID index tables generated previously are combined and merged again for best performance, finally merging several eqID index tables into one larger eqID index table, which once again compresses several index fields into one intermediate eqID index table in memory.
For the ACL rule table in Table 1, because indexing uses only the source IP, a single combine-and-merge step is enough to generate the overall eqID index table.
Once the intermediate index tables have been combined recursively, one overall eqID index table is finally generated, and an entry of this table uniquely determines the business rule of the first match.
Taking source IP 192.168.3.10/0.0.0.255 as an example: first look up Chunk#0 and Chunk#1 in Fig. 5 with the high 16 bits 192.168/0.0 and the low 16 bits 3.10/0.255, obtaining index value 1 for C00 and index value 3 for C01. Then, according to Fig. 5, the index into the final Result Rule index table is C00*4+C01=7; the corresponding rule is R2, and the business rule is N.
The advantage of the RFC algorithm is that lookup time is very short, with complexity O(1). But the shortcomings of RFC are also obvious:
(1) It takes up a lot of space. Each phase needs its own index table, and from Phase 1 onward the index tables become very large. According to implementation experience, an ACL of 1000 ACEs requires about 10M of memory.
(2) Update time is long. As soon as an ACE changes slightly, the entire RFC table has to be rebuilt, which is very costly, because not only must the index tables be filled in, but the eqIDs, the CBMs and so on must also be recomputed.
Because of these shortcomings of the RFC table, using the existing RFC algorithm for ACL packet classification has the following defects:
(1) Memory usage is huge. There are often many ACL classes. In the NAT function, for example, one ACL can correspond to one NAT translation, and a user may configure classification policies mapping N ACLs to NAT translations. This requires space for N RFC tables, so the memory occupied is also very large.
(2) Within a given function, ACL lookup complexity is O(n). Taking NAT again as the example, to find which ACL class a packet belongs to, the ACLs must be searched one by one in configured order to find the first ACL whose match result is Permit, and the NAT policy corresponding to that ACL is applied. When n is large, efficiency suffers.
(3) When a packet is classified several times, lookup efficiency is low. A packet may be classified not just once during processing but differently in different functional modules; for example, a packet is rate-limited first and then NAT-translated. This requires two sequential searches, each with complexity O(n). The more classifications there are, the further lookup efficiency falls.
(4) When several ACLs are modified, update time is long. If N ACLs are modified at once, all of them need updating, and the update time is N times that of updating a single ACL.
Summary of the invention
The technical problem solved by the invention is to provide a classification method based on access control lists that is suitable for situations where a large number of ACLs are used for classification.
The classification method based on access control lists comprises the following steps:
(1) arranging the ACEs of the ACLs in order, with all ACEs of each ACL contiguous and in the same order as in the ACL;
(2) constructing the Phase 0 index table according to the RFC algorithm to obtain the CBM and eqID;
(3) constructing the eqID index tables and CBMs of Phase 1 and later phases according to the RFC algorithm;
(4) calculating, from each CBM, the number of the first rule hit in each ACL group, and forming the GBM from the behaviors of those rules;
(5) following the classification order of the ACLs in each function, finding in turn the first bit in the GBM with the selected behavior, finding the behavior corresponding to that ACL class, and putting it into the behavior set corresponding to the GBM.
Further, in step (1), the ACEs of all ACLs are organized in order into one table, and the IP address is divided into two 16-bit chunks.
Further, in step (4), the GBM represents the behavior this eqID hits in each ACL.
Further, step (4) is specifically: dividing the bits of the CBM by group, finding in each group the first bit marked as allowed, mapping that bit to the corresponding rule of the group, and reading out the behavior of that rule as one bit of the GBM, thereby forming the GBM.
Further, in step (4), the GBM takes the group as its unit and gives the behavior, in each ACL group, of the range to which the eqID belongs.
Further, in step (4), a lookup does not need to index the specific rule; it only determines whether the range to which the eqID belongs is permitted or denied in that ACL group.
Further, in step (5), the selected behavior is permit or deny.
Further, in step (5), all ACLs form one RFC table, and the final query result of the table is a behavior set.
Further, in step (5), the behavior set includes whether the packet is permitted to pass, and the rate-limit policy or NAT translation applied.
The present invention overcomes the shortcomings of existing methods, namely large memory usage, long lookup time and long update time, and is especially suitable for situations where a large number of ACLs are used for classification. First, the RFC table is no longer created for one ACL but for all ACLs of the network element: the ACEs of all ACLs are lined up and used to construct the RFC table, which saves the storage that the original scheme spent on each ACL. Second, the concept of a group bitmap (Group BitMap, GBM) based on ACL groups is introduced; one bit represents the lookup result of one ACL group, which saves lookup time. Third, the lookup result is transformed: the final result is not a simple permit or deny but the behavior set of the class the packet belongs to, representing all the behaviors or processing policies the packet may need in subsequent processing.
Description of drawings
Fig. 1 shows the sets represented by an ACL in the prior art;
Fig. 2 is a flow chart of ACL classification lookup for the rate-limit function in the prior art;
Fig. 3 is a schematic diagram of the RFC algorithm in the prior art;
Fig. 4 is a schematic diagram of Phase 0 of the RFC algorithm in the prior art;
Fig. 5 is a schematic diagram of Phase 1 of the RFC algorithm in the prior art;
Fig. 6 is a schematic diagram of the improved algorithm of the preferred embodiment of the present invention;
Fig. 7 is a schematic diagram of Phase 0 of the preferred embodiment of the present invention;
Fig. 8 is a schematic diagram of Phase 1 of the preferred embodiment of the present invention;
Fig. 9 is a schematic diagram of GBM generation in the preferred embodiment of the present invention;
Fig. 10 is a flow chart of the preferred embodiment of the present invention.
Embodiment
According to analysis, after a particular packet enters the network element, the result of each classification is always unique; that is, if two identical packets enter the network element, they should be processed identically. A packet can therefore be considered to correspond to one class of behavior set. If there is a method that obtains, through a single classification lookup, all the behaviors to be performed afterwards, that is, the behavior set, then the efficiency of this method must be the highest, and the time complexity is O(n).
The present invention differs from the existing RFC algorithm in that all ACLs form a single RFC table whose final query result is a behavior set. The behavior set can include whether the packet is permitted to pass, which rate-limit policy is applied, which NAT translation is performed, and so on. When a packet enters the network element, a single lookup is therefore enough to obtain the behavior set the packet should take.
The preferred embodiments of the present invention are described in detail below with reference to Fig. 6 to Fig. 10.
The construction of this RFC table is again described with an example:
Given the following ACL configuration:
access-list 101 permit 192.168.1.0 0.0.0.255
access-list 101 permit 192.168.2.0 0.0.0.255
access-list 101 deny 0.0.0.0 255.255.255.255
access-list 102 permit 10.10.10.0 0.0.0.255
access-list 102 deny 0.0.0.0 255.255.255.255
access-list 103 permit 10.10.0.0 0.0.255.255
access-list 103 deny 0.0.0.0 255.255.255.255
access-list 104 deny 20.0.0.0 0.255.255.255
access-list 104 permit 0.0.0.0 255.255.255.255
ACL 104 is used for access control at the ingress.
NAT policies are then configured:
access-list 103->NAT pool1
access-list 101->NAT pool2
And flow rate-limit policies:
access-list 102->Rate 1
access-list 101->Rate 2
Step S101: arrange the ACEs of the ACLs in order, with all ACEs of each ACL contiguous and in the same order as in the ACL.
The ACEs of all ACLs are organized in order into one table, and the IP address is divided into two 16-bit chunks, as shown in the following table:
Table 2: ACL rule sample table
ACL#   ACE#   Rule#   Chunk#0 SRC IP[31..16]   Chunk#1 SRC IP[15..0]   Rule Action
101    0      R0      192.168/0.0              1.0/0.255               Y
101    1      R1      192.168/0.0              2.0/0.255               Y
101    2      R2      0.0/255.255              0.0/255.255             N
102    0      R3      10.10/0.0                10.0/0.255              Y
102    1      R4      0.0/255.255              0.0/255.255             N
103    0      R5      10.10/0.0                0.0/255.255             Y
103    1      R6      0.0/255.255              0.0/255.255             N
104    0      R7      20.0/0.255               0.0/255.255             N
104    1      R8      0.0/255.255              0.0/255.255             Y
Step S102: construct the Phase 0 index table according to the RFC algorithm to obtain the CBM and eqID.
The Phase 0 schematic diagram is shown in Fig. 7.
Step S106: construct the eqID index tables and CBMs of Phase 1 and later phases according to the RFC algorithm.
The Phase 1 schematic diagram is shown in Fig. 8.
Step S104: calculate, from each CBM, the number of the first rule hit in each ACL group, and form the GBM from the behaviors of those rules. The GBM represents the behavior this eqID hits in each ACL, that is, whether it belongs to that ACL class.
Specifically, the GBM is calculated from the CBM corresponding to the eqID as follows: divide the bits of the CBM by group, find in each group the first bit that is 1, map that bit to the corresponding rule of the group, and read out the behavior of that rule (permit is 1, deny is 0) as one bit of the GBM, thereby forming the GBM. Fig. 9 is a schematic diagram of the generated GBM.
The meaning of the GBM is that, taking the group as the unit, it gives the behavior in each ACL group of the range to which a given eqID' belongs. A lookup does not need to index the specific rule; it is enough to know whether this range is Permit or Deny in that ACL group.
Step S105: following the classification order of the ACLs in each function, find in turn the first bit in the GBM with the selected behavior, find the behavior corresponding to that ACL class, and put it into the behavior set corresponding to the GBM. The selected behavior can be permit or deny; permit is 1 and deny is 0.
In this preferred embodiment, following the classification order of the ACLs in each function, the first bit in the GBM that is 1 is found in turn, which indicates that the packet belongs to the ACL class corresponding to that bit; the behavior corresponding to that ACL class is then found and put into the behavior set corresponding to the GBM.
The classification behavior sets corresponding to the GBMs are as follows:
eqID′   GBM    NAT Class   NAT     Rate Class   Rate
0       0001   N/A         N/A     N/A          N/A
1       0011   103         Pool1   N/A          N/A
2       0111   103         Pool1   102          Rate 1
3       0000   N/A         N/A     N/A          N/A
4       1001   103         Pool1   101          Rate 2
In summary, the method of the invention finds the GBM and the behavior set corresponding to a packet in a single lookup, which greatly reduces the number of lookups and saves lookup time.
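The following Python sketch is an added example, not code from the patent. It runs steps S101 to S105 on the ACL 101-104 configuration above: one shared rule table, Phase 0 tables for the two 16-bit chunks, a Phase 1 table built by ANDing chunk CBMs, then the GBM and behavior set. The function names, the GBM bit order (leftmost bit = ACL 101), the "permit" field taken from ingress ACL 104, and storing the GBM and behavior set directly in the Phase 1 table instead of an eqID' are assumptions.

```python
import ipaddress

# ACL configuration from the description: (ACL, action, address, wildcard).
ACES = [
    (101, "permit", "192.168.1.0", "0.0.0.255"),
    (101, "permit", "192.168.2.0", "0.0.0.255"),
    (101, "deny",   "0.0.0.0",     "255.255.255.255"),
    (102, "permit", "10.10.10.0",  "0.0.0.255"),
    (102, "deny",   "0.0.0.0",     "255.255.255.255"),
    (103, "permit", "10.10.0.0",   "0.0.255.255"),
    (103, "deny",   "0.0.0.0",     "255.255.255.255"),
    (104, "deny",   "20.0.0.0",    "0.255.255.255"),
    (104, "permit", "0.0.0.0",     "255.255.255.255"),
]
ACL_ORDER = [101, 102, 103, 104]                 # assumed GBM bit order, leftmost first
NAT_ORDER = [(103, "pool1"), (101, "pool2")]     # NAT policy order from the description
RATE_ORDER = [(102, "Rate 1"), (101, "Rate 2")]  # rate-limit policy order
ENTRY_ACL = 104                                  # ingress access control

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def flatten(aces):
    """Step 1: one rule table R0..Rn; ACEs of each ACL stay contiguous and ordered."""
    rules = []
    for acl, action, addr, wild in aces:
        a, w = _u32(addr), _u32(wild)
        rules.append((acl, action == "permit",
                      (a >> 16, a & 0xFFFF), (w >> 16, w & 0xFFFF)))
    return rules

RULES = flatten(ACES)

def build_phase0(chunk):
    """Step 2: 16-bit chunk value -> eqID, and eqID -> CBM (bit i set = Ri matches)."""
    table, eq_of_cbm, cbms = [0] * 65536, {}, []
    spec = [(r[2][chunk], ~r[3][chunk] & 0xFFFF) for r in RULES]
    for value in range(65536):
        cbm = 0
        for i, (addr, care) in enumerate(spec):
            if ((value ^ addr) & care) == 0:
                cbm |= 1 << i
        if cbm not in eq_of_cbm:          # equal CBMs share one eqID
            eq_of_cbm[cbm] = len(cbms)
            cbms.append(cbm)
        table[value] = eq_of_cbm[cbm]
    return table, cbms

def cbm_to_gbm(cbm):
    """Step 4: per ACL group, the first hit rule's behavior becomes one GBM bit."""
    bits = []
    for acl in ACL_ORDER:
        bit = "0"
        for i, (rule_acl, permit, _, _) in enumerate(RULES):
            if rule_acl == acl and (cbm >> i) & 1:
                bit = "1" if permit else "0"
                break
        bits.append(bit)
    return "".join(bits)

def behavior_set(gbm):
    """Step 5: per function, the first ACL in that function's order whose bit is 1."""
    def first_permit(order):
        for acl, result in order:
            if gbm[ACL_ORDER.index(acl)] == "1":
                return (acl, result)
        return None
    return {"permit": gbm[ACL_ORDER.index(ENTRY_ACL)] == "1",
            "nat": first_permit(NAT_ORDER),
            "rate": first_permit(RATE_ORDER)}

def build_tables():
    """Step 3 plus 4-5: Phase 1 ANDs the two chunk CBMs for every eqID pair."""
    hi_table, hi_cbms = build_phase0(0)
    lo_table, lo_cbms = build_phase0(1)
    phase1 = []
    for hi_cbm in hi_cbms:
        row = []
        for lo_cbm in lo_cbms:
            gbm = cbm_to_gbm(hi_cbm & lo_cbm)
            row.append((gbm, behavior_set(gbm)))
        phase1.append(row)
    return hi_table, lo_table, phase1

HI_TABLE, LO_TABLE, PHASE1 = build_tables()

def classify(src_ip):
    """One lookup: two Phase 0 reads and one Phase 1 read, no per-ACL scanning."""
    ip = _u32(src_ip)
    return PHASE1[HI_TABLE[ip >> 16]][LO_TABLE[ip & 0xFFFF]]

if __name__ == "__main__":
    for ip in ("192.168.1.7", "10.10.10.5", "10.10.3.1", "20.1.2.3", "8.8.8.8"):
        print(ip, *classify(ip))
```

The five GBM values reachable in this table are the same five listed in the behavior-set table above. For GBM 1001, applying the stated first-permit rule over the NAT order 103, 101 yields ACL 101 / pool2, whereas that table lists 103 / Pool 1 for the row.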

Claims (9)

1. A classification method based on access control lists, comprising the following steps:
(1) arranging the ACEs of the ACLs in order, with all ACEs of each ACL contiguous and in the same order as in the ACL;
(2) constructing the Phase 0 index table according to the RFC algorithm to obtain the CBM and eqID;
(3) constructing the eqID index tables and CBMs of Phase 1 and later phases according to the RFC algorithm;
(4) calculating, from each CBM, the number of the first rule hit in each ACL group, and forming the GBM from the behaviors of those rules;
(5) following the classification order of the ACLs in each function, finding in turn the first bit in the GBM with the selected behavior, finding the behavior corresponding to that ACL class, and putting it into the behavior set corresponding to the GBM.
2. The classification method based on access control lists according to claim 1, characterized in that, in step (1), the ACEs of all ACLs are organized in order into one table, and the IP address is divided into two 16-bit chunks.
3. The classification method based on access control lists according to claim 1, characterized in that, in step (4), the GBM represents the behavior this eqID hits in each ACL.
4. The classification method based on access control lists according to claim 1, characterized in that step (4) is specifically: dividing the bits of the CBM by group, finding in each group the first bit marked as allowed, mapping that bit to the corresponding rule of the group, and reading out the behavior of that rule as one bit of the GBM, thereby forming the GBM.
5. The classification method based on access control lists according to claim 4, characterized in that, in step (4), the GBM takes the group as its unit and gives the behavior, in each ACL group, of the range to which the eqID belongs.
6. The classification method based on access control lists according to claim 5, characterized in that, in step (4), a lookup does not need to index the specific rule and only determines whether the range to which the eqID belongs is permitted or denied in that ACL group.
7. The classification method based on access control lists according to claim 1, characterized in that, in step (5), the selected behavior is permit or deny.
8. The classification method based on access control lists according to claim 1, characterized in that, in step (5), all ACLs form one RFC table, and the final query result of the table is a behavior set.
9. The classification method based on access control lists according to claim 8, characterized in that, in step (5), the behavior set includes whether the packet is permitted to pass, and the rate-limit policy or NAT translation applied.
CN2006101275810A 2006-09-14 2006-09-14 Method based on access control list category Expired - Fee Related CN101146027B (en)

Publications (2)

Publication Number     Publication Date
CN101146027A (en)      2008-03-19
CN101146027B (en)      2010-08-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100818

Termination date: 20150914

EXPY Termination of patent right or utility model