CN101764741B - Filtering and shunting device and method supporting multi-service function - Google Patents

Publication number
CN101764741B
Authority
CN
China
Prior art keywords
rule
result
label
policy
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200910199468.7A
Other languages
Chinese (zh)
Other versions
CN101764741A (en
Inventor
张诗超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Constant technology (Shanghai) Limited by Share Ltd
Original Assignee
Shanghai EmbedWay Information Technologies Co Ltd
Application filed by Shanghai EmbedWay Information Technologies Co Ltd
Priority to CN200910199468.7A
Publication of CN101764741A
Application granted
Publication of CN101764741B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a filtering and shunting device and a method supporting a multi-service function. The method comprises the following steps: matching input original data packets one by one against the rule policy library subunits established by different users to form match results; processing the match results to form result labels, and establishing a mapping table between the result labels and output ports; and adding the result labels to the headers of the original data packets, obtaining the output ports according to the result labels and the mapping table, and sending the original data packets to users from the output ports. The shunting and filtering functions of a plurality of services share the same input unit and the processing resources of the device; a plurality of sets of filtering and shunting policies are supported in one filtering and shunting device, are completely independent, and do not interfere with one another, so the requirement for a multi-service function is effectively met.

Description

Filtering and shunting device and method supporting multi-service function
Technical field
The present invention relates to the filtering and shunting of data packets, and in particular to a filtering and shunting device and method supporting a multi-service function.
Background art
In recent years, China's backbone and metropolitan area networks have developed very rapidly and have reached a considerable overall scale. The bandwidth of nearly all regional backbone networks has reached 10G (Gigabit), the bandwidth of part of the backbone network has been upgraded to 40G, the total egress bandwidth of large cities and provincial capitals has reached hundreds of G, and some megacities have reached the T (Terabit) level. The broadband services built on this network infrastructure are also flourishing, and these services, together with the security assurance services that have developed alongside them, make filtering and shunting devices that can cope with high-bandwidth, high-volume traffic a key element of service deployment.
Typical broadband services at present include telecom value-added green Internet access services, broadband network service analysis, inter-network traffic settlement systems, and virus cleaning services; security assurance services include intrusion monitoring systems and network security audit. Because services differ in their characteristics and behavior, deploying many of them requires a filtering and shunting device that meets the service's own requirements to pre-process packets at the front end: different filtering and shunting rule policies are configured so that the equipment that actually carries the service can perform the corresponding operations and processing. These services need corresponding filtering and shunting equipment at the same network node, filtering and shunting the same group of backbone traffic.
Chinese invention patent application No. 200710036221.4 discloses a secure content filtering shunt based on the connection integrity of useful data. Packet content first undergoes coarse-grained filtering; the filtered data then undergoes fine-grained filtering by a content rule expression matching module; useful data that has not yet matched temporarily enters a buffer system built from FPGAs. Once a subsequent packet matches, the system tags the buffered packets and the subsequently arriving packets with the corresponding label and then delivers them to the back-end application processing devices in order of arrival, preserving the connection.
However, existing filtering and shunting equipment is limited by its system architecture and processing performance: it can implement only one set of filtering and shunting policies and serve one service function, so multiple services require multiple sets of filtering and shunting devices. For example, the packets output by the filtering shunt that serves network security audit meet only the needs of the security audit service and cannot meet the packet needs of other broadband and security assurance services such as green Internet access services or broadband network service analysis. This undoubtedly causes significant waste of fiber resources, equipment, and energy.
Summary of the invention
The problem solved by the present invention is, given the trend toward increasingly complex broadband and security assurance services, to provide a filtering and shunting device supporting a multi-service function, addressing the prior-art problem that deploying multiple network services requires multiple sets of filtering and shunting devices, with the resulting significant waste of fiber resources, equipment, and energy.
To solve the above technical problem, the present invention provides a filtering and shunting device supporting a multi-service function, comprising:
a management unit, which provides users with an interface for formulating the rule policies corresponding to each type of service, and outputs the rule policies to a rule policy library unit;
a rule policy library unit, which stores the rule policies formulated by different users for each type of service, forming rule policy library subunits belonging to different users;
a classification matching engine, which receives data packets, matches each packet one by one against the rule policy library subunits belonging to different users to form a matching result, sends the matching result to a service label processing engine, receives a result label, adds the result label to the packet header, and sends the packet to an aggregation switching engine;
a service label processing engine, which processes the matching result to form the result label, outputs the result label to the classification matching engine, establishes a mapping table between result labels and output ports, and outputs the mapping table to the aggregation switching engine;
an aggregation switching engine, which receives packets whose headers carry the result label, obtains each packet's output ports from the mapping table between result labels and output ports, and sends the packet from those output ports to the users by multicast or unicast.
The rule policy library subunit contains the rule policies, and each rule policy comprises a rule and a forwarding behavior.
The classification matching engine performs protocol analysis on the original data packet, extracts its protocol field content, and matches that content against the rule policy library subunits one by one.
When the protocol field content satisfies a rule in a rule policy library subunit, the forwarding behavior corresponding to that rule is taken as the matching result.
The matching result is one of: drop, forward to one specified output port, or forward to a specified group of output ports.
The service label processing engine applies a shift operation and an addition operation to the output ports in the matching results to form the result label.
The classification matching engine adds the result label to the original data packet header as part of the destination MAC (Media Access Control) address.
The present invention also provides a filtering and shunting method supporting a multi-service function, characterized by comprising: formulating the rule policies corresponding to each type of service; forming, from the rule policies corresponding to each type of service, rule policy library subunits belonging to different users; receiving data packets, matching each packet one by one against the rule policy library subunits belonging to different users to form a matching result, and sending the matching result; processing the matching result to form the result label, outputting the result label, establishing a mapping table between result labels and output ports, and outputting the mapping table; receiving the result label, adding it to the packet header, and outputting the packet; receiving packets whose headers carry the result label, obtaining each packet's output ports from the mapping table between result labels and output ports, and sending the packet from those output ports to the users by multicast or unicast.
When the matching result is formed, protocol analysis is performed on the original data packet and its protocol field content is extracted; the protocol field content is matched against the rule policy library subunits one by one; when the protocol field content matches a rule in a rule policy library subunit, the forwarding behavior corresponding to that rule is taken as the matching result.
When the result label is formed, a shift operation is applied to the output ports in the matching results, and the shifted results are added together to form the result label.
Compared with the prior art, the present invention provides a filtering and shunting device and method supporting multiple service types. The shunting and filtering functions of multiple services share the same input unit and the processing resources of the filtering and shunting device; one filtering and shunting device supports multiple sets of filtering and shunting policies that are fully independent and do not interfere with one another; packets that match different filtering and shunting policies are output from different output ports to the corresponding back-end processing systems for service processing, which effectively meets the multi-service requirement. The present invention also provides a multi-user management interface, which greatly facilitates the deployment and implementation of multiple services, and combines rules with behaviors to provide underlying support for multiple users.
Description of the drawings
Fig. 1 is a structural diagram of the filtering and shunting device supporting a multi-service function according to the present invention;
Fig. 2 is a flow chart of the filtering and shunting method supporting a multi-service function according to the present invention.
Embodiments
The present invention is further described below with reference to the drawings and embodiments. Well-known functions and structures are not described in detail in the following description, because unnecessary detail would obscure the invention.
As shown in Fig. 1, the present invention provides a filtering and shunting device supporting a multi-service function, comprising: management unit 1, rule policy library unit 2, classification matching engine 3, service label processing engine 4, and aggregation switching engine 5.
Management unit 1: provides users with an interface for formulating the rule policies corresponding to each type of service, and outputs the formulated rule policies to rule policy library unit 2.
Specifically, management unit 1 provides different users with mutually independent read/write and management interfaces, and each user establishes the rule policies for its services according to its own service requirements. Once the rule policies are formulated, management unit 1 imports the rule policies established by the users into rule policy library unit 2 in high-speed memory.
Rule policy library unit 2: stores the rule policies formulated by different users for each type of service, forming rule policy library subunits belonging to different users.
In rule policy library unit 2 in high-speed memory, the rule policies established by different users are allocated to different memory spaces, forming mutually independent rule policy library subunits. Each policy library subunit contains the rule policies formulated by its user. A rule policy comprises a rule and a forwarding behavior: the rule describes the features to be matched using a specific pattern, and the forwarding behavior is the action of sending packets that satisfy the rule from the specified output port.
Classification matching engine 3: receives original data packets, matches each original data packet one by one against the rule policy library subunits belonging to different users in rule policy library unit 2 to form a matching result, and sends the matching result to service label processing engine 4; receives the result label output by service label processing engine 4, adds the result label to the original data packet header, and sends the packet to aggregation switching engine 5.
Specifically, a hardware interface chip handles packet access on the various physical interfaces and outputs the original data packets obtained from the network router to classification matching engine 3. Classification matching engine 3 receives the original data packet, performs protocol analysis, and extracts the packet's protocol field content. This protocol field content is matched one by one against the rule policy library subunits established by different users in rule policy library unit 2. When the protocol field content matches a rule in a rule policy library subunit, the forwarding behavior corresponding to that rule is taken as the matching result. The matching result is one of: drop, forward to one specified output port, or forward to a specified group of output ports.
Classification matching engine 3 also receives the result label output by service label processing engine 4, adds the result label to the original data packet header as part of the destination MAC (Media Access Control) address, and sends the packet to aggregation switching engine 5.
Service label processing engine 4: processes the matching result to form the result label, outputs the result label to classification matching engine 3, establishes a mapping table between result labels and output ports, and outputs the mapping table to aggregation switching engine 5.
Service label processing engine 4 first applies a shift operation to the output ports in the different matching results and then adds the shifted results together to form the result label. It also establishes the mapping table between this result label and the output ports in the matching results, and sends the mapping table to aggregation switching engine 5.
Aggregation switching engine 5: receives packets whose headers carry the result label, obtains each packet's output ports from the mapping table between result labels and output ports, and sends the original data packet from those output ports to the users.
Specifically, aggregation switching engine 5 uses the mapping table between result labels and output ports established by service label processing engine 4 to look up the output ports corresponding to the result label, and sends the packet from those output ports to the users. Packets can be distributed by multicast or unicast: packet flows belonging to multiple users are distributed to the corresponding output ports by multicast, and a packet flow belonging to a single user is distributed to the specified port by unicast.
An example is given below, with reference to Fig. 1, of a filtering and shunting device supporting three service functions. In the preferred embodiment, the system also provides a superuser, who sets up restricted management accounts for three users and configures one Ethernet output port for each user. The three user accounts are restricted so that none of them can interfere with the functions or management actions of any other. The superuser also completes the initialization parameter configuration of the input port, including parameters such as CRC (Cyclic Redundancy Check) and scrambling.
The first, second and third users have different accounts, and each account has a different ID. The three users log in to management unit 1 remotely over the network via SSH (Secure Shell), each with its own account. Management unit 1 provides three mutually independent read/write and management interfaces to the three users. After logging in to management unit 1, each of the three users has the corresponding permissions: viewing the parameters, configuration, status and traffic statistics of the input port; configuring the rule policies of its own account, and adding, deleting and viewing rules; viewing the parameters, configuration, status and traffic statistics of the output port owned by its account, and configuring the desired port working mode.
The three users set their filtering rules and forwarding behaviors according to the requirements of their different services, each forming its own rule policies. The format of a rule policy is as follows:
Protocol: protocol=<tcp|udp|icmp|protocolnum>
Packet length: size=<minsize-maxsize>
Source port: sport=<port_list>
Destination port: dport=<port_list>
Source IP: sip=<ip>[/<mask>]
Destination IP: dip=<ip>[/<mask>]
TCP flag: tcpflag=<flaglist>
Fragment: ipfrag=<true|false>
Input port: interface=<interface_id>
User-defined field: ud<ud_id>=<data>/<mask>
Forwarding behavior: drop: drop; forward to one specified output port: fw rr <port_list>; forward to a specified group of output ports: fw hash <hash_mode> <port_list>
Management unit 1 imports the formulated rule policies into rule policy library unit 2 in high-speed memory, where rule policy library subunits belonging to different users are formed. In high-speed memory, each user's rule policy library subunit is distinguished by the ID of the user that established it, so the rule policy library subunits established by different users are placed in different memory spaces. The size of the memory space occupied by each rule policy subunit is dynamically allocated and released according to the complexity of its rules. This function can be implemented with CAM (Content Addressable Memory) technology or high-speed memory technology. In the present embodiment, the high-speed memory is divided into three different spaces according to the three IDs.
The first user establishes the rule policy for an Email audit service through management unit 1. Management unit 1 imports the rule policy established by the first user into rule policy library unit 2 in high-speed memory, forming the first rule policy library subunit, which belongs to the first user. The rule policy for the first user's Email audit service specifies that UDP packets with protocol port number 25 are forwarded to output port 2 of the filtering and shunting device. The first user's rule policy library is:
Matched rule: protocol=udp dport=25
Forwarding behavior: forward to port 2
The second user establishes the rule policy library for an intrusion detection service through management unit 1. Management unit 1 imports the rule policy established by the second user into rule policy library unit 2 in high-speed memory, forming the second rule policy library subunit, which belongs to the second user. The rule policy for the second user's intrusion detection service specifies that all packets within the IP range to be inspected are forwarded to output port 23 of the filtering and shunting device. The second user's rule policy library is:
Matched rule: ip=121.15.0.0/255.255.0.0
Forwarding behavior: forward to port 23
The third user establishes the rule policy library for a Web detection service through management unit 1. Management unit 1 imports the rule policy established by the third user into rule policy library unit 2 in high-speed memory, forming the third rule policy library subunit, which belongs to the third user. The rule policy for the third user's Web detection service specifies that http packets (TCP packets with protocol port number 80 or 8080) are forwarded to output port 25 of the filtering and shunting device. The third user's rule policy library is:
Matched rule: protocol=tcp dport=80||Protocol=tcp dport=8080
Forwarding behavior: forward to port 25
When no rule matches, the default forwarding behavior is drop, and the forwarding port is 0. At this point, the three users have each established their own independent packet output port and rule policy subunit, while sharing the packet input port and classification matching engine 3.
The router obtains original data packets from the network, and the input unit outputs the original data packets obtained by the router to classification matching engine 3. The input unit includes interfaces such as SDH (Synchronous Digital Hierarchy) OC3/12/48/192/768 and Ethernet 10/100/1000M and 10G.
Each original data packet that enters classification matching engine 3 is looked up one by one in the three rule policy library subunits belonging to the three users, yielding three different forwarding behaviors.
In one embodiment, a user with IP address 121.15.4.31 sends an SMTP packet, and the input unit outputs the packet to classification matching engine 3. Classification matching engine 3 performs a full scan and protocol analysis on the packet and extracts its protocol field content. This protocol field content is matched one by one against the first, second and third rule policy library subunits established by the three users in rule policy library unit 2, with the following results:
First user: matches the rule protocol=udp dport=25 and follows the forwarding behavior forward to port 2, giving forwarding port 2.
Second user: matches the rule ip=121.15.0.0/255.255.0.0 and follows the forwarding behavior forward to port 23, giving forwarding port 23.
Third user: matches no rule and follows the default forwarding behavior drop, giving forwarding port 0 (port 0 means drop).
Therefore, the matching result for the SMTP packet sent by the user with IP address 121.15.4.31 is: forward to output ports 2, 23 and 0 simultaneously. Classification matching engine 3 outputs this matching result to service label processing engine 4.
Service label processing engine 4 obtains the result label from the matching result by shift and addition operations. In the preferred embodiment, service label processing engine 4 converts the forwarding port numbers obtained from the three users' matches to binary, shifts the first user's forwarding port number left by 30 bits, filling the vacated positions with 0; shifts the second user's forwarding port number left by 20 bits, filling the vacated positions with 0; and shifts the third user's forwarding port number left by 10 bits, filling the vacated positions with 0. It then adds the results, padding missing positions with 0, to obtain a 40-bit result label.
The first user's forwarding port number after matching is "2", which is converted to binary "10" and shifted left by 30 bits, with vacated positions filled with 0. The second user's forwarding port number after matching is "23", which is converted to binary "10111" and shifted left by 20 bits, with vacated positions filled with 0. The third user's forwarding port number after matching is "0", which is converted to binary "0" and shifted left by 10 bits, with vacated positions filled with 0. Binary addition is then performed, missing positions are padded with 0, and the results are combined into one 40-bit result label, giving "... 1000 0001 0111 ..." (the 8 leading zeros used as padding and the 20 trailing zeros are omitted). For ease of recording, the binary value can also be converted to hexadecimal "0081700000" (or decimal 2171600896) and used as the result label. The detailed process is as follows:
[Figure: shift-and-add computation of the result label]
The result label "... 1000 0001 0111 ..." (8 leading zeros and 20 trailing zeros omitted) is recorded in the destination MAC address field of the packet header and is passed together with the packet to classification matching engine 3. Service label processing engine 4 establishes the mapping table in which the result label "... 1000 0001 0111 ..." (8 leading zeros and 20 trailing zeros omitted) corresponds to output ports 2, 23 and 0, and sends this mapping table to aggregation switching engine 5.
Classification matching engine 3 transfers the packet whose header carries the result label "... 1000 0001 0111 ..." (8 leading zeros and 20 trailing zeros omitted) to aggregation switching engine 5. Aggregation switching engine 5 receives the mapping table established by service label processing engine 4 and looks up the output ports 2, 23 and 0 that correspond to the result label in the packet header.
Because the same packet must be sent to output ports 2 and 23 simultaneously, aggregation switching engine 5 makes two copies of the packet content. It sends the packet from output port 2 to the first user, who thereby obtains the packets required for the Email audit service, and sends the packet from output port 23 to the second user, who thereby obtains the packets required for intrusion detection processing. Multiple output ports mean multiple copies of the packet traffic, but the copies are not produced immediately after matching; they are produced at the aggregation output stage. This greatly reduces the bandwidth needed to transfer packets from classification matching engine 3 to aggregation switching engine 5 and improves forwarding efficiency.
In another specific embodiment, the user with IP address 121.15.4.31 sends a packet to TCP port 80. Classification matching engine 3 receives the packet and matches its protocol field content one by one against the rule policy library subunits established by the three users in rule policy library unit 2. The matching result is to forward to output ports 0, 23 and 25 simultaneously, as follows:
First user: matches no rule and follows the default forwarding behavior drop, giving forwarding port 0 (port 0 means drop).
Second user: matches the rule ip=121.15.0.0/255.255.0.0 and follows the forwarding behavior forward to port 23, giving forwarding port 23.
Third user: matches the rule protocol=tcp dport=80 and follows the forwarding behavior forward to port 25, giving forwarding port 25.
From the matching result, service label processing engine 4 obtains, by shift and addition operations, the result label "... 00000101110000011001 ..." (10 leading zeros and 10 trailing zeros omitted), and establishes the mapping table in which this result label corresponds to output ports 0, 23 and 25. Classification matching engine 3 transfers the packet whose header carries the result label "... 00000101110000011001 ..." (10 leading zeros and 10 trailing zeros omitted) to aggregation switching engine 5. Aggregation switching engine 5 uses the mapping table established by service label processing engine 4 to look up the output ports 0, 23 and 25 that correspond to the result label in the packet header. Aggregation switching engine 5 then makes two copies of the packet content. It sends the data from output port 23 to the second user, who thereby obtains the packets required for intrusion detection processing, and sends the data from output port 25 to the third user, who thereby obtains the packets required for Web detection processing.
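The two worked cases above can be reproduced in code. The following Python sketch is an added example, not code from the patent; the class and function names, the treatment of `ip=` as a source-address match, and the 10-bit field width (inferred from the shifts of 30, 20 and 10 bits) are assumptions. It also rejects port numbers that do not fit in one field, because the addition would otherwise carry into the neighbouring user's field and break the independence of the three policies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple

FIELD_BITS = 10          # assumed width of one user's field (shifts are 30/20/10)
SHIFTS = (30, 20, 10)    # first, second, third user: shift amounts from the page
DROP_PORT = 0            # port 0 means "drop"


@dataclass(frozen=True)
class Packet:
    """Protocol fields extracted by the classification matching engine."""
    proto: str
    sip: str
    dport: int


@dataclass(frozen=True)
class Rule:
    port: int                      # forwarding behavior: output port
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()
    net: Optional[str] = None      # assumption: the page's ip= matches the source IP

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.net is not None and ip_address(pkt.sip) not in ip_network(self.net):
            return False
        return True


# One independent sub-library per user ID, as in the three-user embodiment.
LIBRARIES: Dict[int, List[Rule]] = {
    1: [Rule(port=2, proto="udp", dports=(25,))],       # Email audit
    2: [Rule(port=23, net="121.15.0.0/255.255.0.0")],   # intrusion detection
    3: [Rule(port=25, proto="tcp", dports=(80, 8080))], # Web detection
}


def match_all(pkt: Packet, libraries: Dict[int, List[Rule]] = LIBRARIES) -> Tuple[int, ...]:
    """Match one packet against every user's sub-library; no match means drop."""
    result = []
    for uid in sorted(libraries):
        hit = next((r.port for r in libraries[uid] if r.matches(pkt)), DROP_PORT)
        result.append(hit)
    return tuple(result)


def make_label(ports: Sequence[int]) -> int:
    """Shift each user's port into its own field, then add the shifted values."""
    if len(ports) != len(SHIFTS):
        raise ValueError("expected one forwarding port per user")
    for port in ports:
        # A wider value would carry into the next user's field during addition.
        if not 0 <= port < (1 << FIELD_BITS):
            raise ValueError(f"port {port} does not fit in {FIELD_BITS} bits")
    return sum(port << shift for port, shift in zip(ports, SHIFTS))


def split_label(label: int) -> Tuple[int, ...]:
    """Recover the per-user ports from a label (inverse of make_label)."""
    mask = (1 << FIELD_BITS) - 1
    return tuple((label >> shift) & mask for shift in SHIFTS)


def classify(pkt: Packet, mapping: Dict[int, Tuple[int, ...]]) -> int:
    """Classification and label engines: return the label, record label -> ports."""
    ports = match_all(pkt)
    label = make_label(ports)
    mapping[label] = ports
    return label


def egress_ports(label: int, mapping: Dict[int, Tuple[int, ...]]) -> List[int]:
    """Aggregation engine: look up the label; copies are made only here, 0 is dropped."""
    return [port for port in mapping[label] if port != DROP_PORT]


if __name__ == "__main__":
    table: Dict[int, Tuple[int, ...]] = {}
    # Constructed packets mirroring the two embodiments on the page.
    for pkt in (Packet("udp", "121.15.4.31", 25), Packet("tcp", "121.15.4.31", 80)):
        label = classify(pkt, table)
        print(f"{pkt} -> label 0x{label:010x} -> send on {egress_ports(label, table)}")
```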
The present invention also provides a filtering and shunting method supporting a multi-service function, comprising:
S1: formulating the rule policies corresponding to the various services;
S2: forming rule policy library subunits according to the rule policies;
S3: receiving a data packet, matching the data packet one by one against the rule policy library subunits to form matching results, and sending the matching results;
S4: processing the matching results to form the result label, outputting the result label, building a mapping table between result labels and output ports, and outputting the mapping table;
S5: receiving the result label, adding the result label to the packet header, and outputting the packet;
S6: receiving the data packet carrying the result label, obtaining the output ports of the data packet from the mapping table between result labels and output ports, and sending the data packet to the users from those output ports.
In step S1, different users have different IDs, and each user formulates the rule policies for its own services through a separate read-write and management interface.
In step S2, the rule policies belonging to different user IDs are placed in different memory spaces to form the rule policy library subunits. The memory space occupied by the rule policy library subunit of each ID is allocated and released dynamically according to the complexity of its rules. This function can be implemented with CAM (Content Addressable Memory) technology or high-speed memory technology.
In step S3, protocol analysis is performed on the original data packet and the content of its protocol fields is extracted. This protocol field content is matched one by one against the rule policy library subunits. When the protocol field content matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is taken as the matching result.
In step S4, the output ports in the different matching results are shifted, and the shifted results are then added together to form the result label. A mapping table between this result label and the output ports in the matching results is built and output.
In step S5, the result label is received and added to the header of the original data packet as part of the destination MAC (Media Access Control) address, and the original data packet carrying the result label is output.
In step S6, packets may be sent by multicast or unicast. Packet streams belonging to multiple users are distributed to the corresponding output ports by multicast; a packet stream belonging to a single user is distributed to the designated port by unicast.
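Steps S3 to S6 applied to one frame, as an added Python example that is not code from the patent. The 10-bit slot per user, slot value 0 meaning "not forwarded", the label overwriting the whole 6-byte destination MAC field, one port per rule, and the rules and sample frame are all assumptions constructed for the illustration.

```python
from typing import Callable, Dict, List, Tuple

FIELD_BITS = 10  # assumption: width of each user's slot in the result label
LABEL_BITS = 48  # assumption: the label fills the 6-byte destination MAC field
DROP = 0         # assumption: slot value 0 means "not forwarded for this user"

Rule = Tuple[Callable[[dict], bool], int]  # (rule predicate, forwarding port)


def parse_fields(frame: bytes) -> dict:
    """S3 protocol analysis, reduced to Ethernet / IPv4 / TCP-or-UDP."""
    fields = {"ethertype": int.from_bytes(frame[12:14], "big")}
    if fields["ethertype"] == 0x0800 and len(frame) >= 34:
        fields["ip_proto"] = frame[23]
        l4 = 14 + (frame[14] & 0x0F) * 4  # skip the IPv4 header (IHL words)
        if fields["ip_proto"] in (6, 17) and len(frame) >= l4 + 4:
            fields["dst_port"] = int.from_bytes(frame[l4 + 2:l4 + 4], "big")
    return fields


class Shunt:
    def __init__(self, libraries: Dict[int, List[Rule]]):
        if len(libraries) * FIELD_BITS > LABEL_BITS:
            raise ValueError("too many users for one label")
        self.libraries = libraries      # S2: one rule library per user ID
        self.users = sorted(libraries)  # slot i belongs to self.users[i]
        self.mapping: Dict[int, Tuple[int, ...]] = {}

    def match(self, fields: dict) -> List[int]:
        """S3: in each user's library the first matching rule gives the port."""
        return [next((port for pred, port in self.libraries[user] if pred(fields)), DROP)
                for user in self.users]

    def make_label(self, ports: List[int]) -> int:
        """S4: shift each port into its slot, add, and record label -> ports."""
        label = 0
        for slot, port in enumerate(ports):
            if not 0 <= port < (1 << FIELD_BITS):
                # an oversized value would carry into the next user's slot
                raise ValueError("port does not fit its slot")
            label += port << (slot * FIELD_BITS)
        self.mapping[label] = tuple(sorted({p for p in ports if p != DROP}))
        return label

    def forward(self, tagged: bytes) -> Dict[int, bytes]:
        """S6: one copy per mapped port; an unknown label is sent nowhere."""
        ports = self.mapping.get(int.from_bytes(tagged[:6], "big"), ())
        return {port: tagged for port in ports}

    def process(self, frame: bytes) -> Dict[int, bytes]:
        label = self.make_label(self.match(parse_fields(frame)))
        tagged = label.to_bytes(6, "big") + frame[6:]  # S5: label into dst MAC
        return self.forward(tagged)


def demo_shunt() -> Shunt:
    """Constructed rule libraries for three users (IDs 1-3)."""
    return Shunt({
        1: [(lambda f: f.get("dst_port") == 53, 7)],   # no match for the sample
        2: [(lambda f: f.get("ip_proto") == 6, 23)],   # intrusion detection
        3: [(lambda f: f.get("dst_port") == 80, 25)],  # Web detection
    })


# Constructed sample: Ethernet + IPv4 + TCP segment to destination port 80.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff0200000000010800")
    + bytes.fromhex("4500002800000000400600000a0000010a000002")
    + (12345).to_bytes(2, "big") + (80).to_bytes(2, "big") + bytes(16)
)

if __name__ == "__main__":
    for port, copy in demo_shunt().process(SAMPLE_FRAME).items():
        print(port, copy[:6].hex())
```

Because the label is formed by addition, the range check in `make_label` is what keeps one user's result from altering a neighbouring user's slot.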
Although the present invention has been disclosed above by way of preferred embodiments, it is not limited to them. Any person skilled in the art may make various changes and modifications without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be that defined by the claims.

Claims (10)

1. A filtering and shunting device supporting a multi-service function, characterized by comprising:
a management unit, which provides users with an interface for formulating the rule policies corresponding to their various services, and outputs the rule policies to a rule policy library unit;
the rule policy library unit, which stores the rule policies corresponding to the various services formulated by different users and forms rule policy library subunits belonging to the different users;
a classification and matching engine, which receives data packets, matches each data packet one by one against the rule policy library subunits belonging to the different users to form matching results, sends the matching results to a service label processing engine, receives a result label, adds the result label to the packet header, and sends the packet to a convergence switching engine;
the service label processing engine, which processes the matching results to form the result label, outputs the result label to the classification and matching engine, builds a mapping table between result labels and output ports, and outputs the mapping table to the convergence switching engine;
the convergence switching engine, which receives data packets whose headers carry the result label, obtains the output ports of each data packet from the mapping table between result labels and output ports, and sends the data packet to the users from those output ports by multicast or unicast.
2. The filtering and shunting device according to claim 1, characterized in that the rule policy library subunit comprises the rule policies, and each rule policy comprises a rule and a forwarding action.
3. The filtering and shunting device according to claim 2, characterized in that the classification and matching engine performs protocol analysis on the original data packet, extracts the protocol field content of the original data packet, and matches the protocol field content one by one against the rule policy library subunits.
4. The filtering and shunting device according to claim 3, characterized in that, when the protocol field content matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is taken as the matching result.
5. The filtering and shunting device according to claim 4, characterized in that the matching result comprises: discarding, forwarding to one designated output port, or forwarding to a designated group of output ports.
6. The filtering and shunting device according to claim 5, characterized in that the service label processing engine performs shifting and addition on the output ports in the matching results to form the result label.
7. The filtering and shunting device according to claim 1, characterized in that the classification and matching engine adds the result label to the header of the original data packet as part of the destination MAC (Media Access Control) address.
8. A filtering and shunting method supporting a multi-service function, characterized by comprising:
formulating the rule policies corresponding to the various services;
forming, according to the rule policies corresponding to the various services, rule policy library subunits belonging to different users;
receiving a data packet, matching the data packet one by one against the rule policy library subunits belonging to the different users to form matching results, and sending the matching results;
processing the matching results to form a result label, outputting the result label, building a mapping table between result labels and output ports, and outputting the mapping table;
receiving the result label, adding the result label to the packet header, and outputting the packet;
receiving the data packet whose header carries the result label, obtaining the output ports of the data packet from the mapping table between result labels and output ports, and sending the data packet to the users from those output ports by multicast or unicast.
9. The filtering and shunting method according to claim 8, characterized in that, when the matching results are formed, protocol analysis is performed on the original data packet, the protocol field content of the data packet is extracted, and this protocol field content is matched one by one against the rule policy library subunits; when the protocol field content matches a rule in a rule policy library subunit, the forwarding action corresponding to that rule is taken as the matching result.
10. The filtering and shunting method according to claim 8, characterized in that, when the result label is formed, the output ports in the matching results are shifted, and the shifted results are added together to form the result label.
CN200910199468.7A 2009-11-27 2009-11-27 Filtering and shunting device and method supporting multi-service function Active CN101764741B (en)

Publications (2)

Publication Number Publication Date
CN101764741A CN101764741A (en) 2010-06-30
CN101764741B CN101764741B (en) 2012-06-06

Family

ID=42495734

Country Status (1)

Country Link
CN (1) CN101764741B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9450870B2 (en) * 2011-11-10 2016-09-20 Brocade Communications Systems, Inc. System and method for flow management in software-defined networks
CN103179109B (en) * 2013-02-04 2016-12-28 恒为科技(上海)股份有限公司 Filter bypass devices and methods therefors based on two grades of session query functions
CN106713260B (en) * 2013-12-27 2020-07-10 恒为科技(上海)股份有限公司 Method for dynamic data injection in virtual private dial-up network
CN105550232A (en) * 2015-12-04 2016-05-04 珠海多玩信息技术有限公司 Multi-strategy information filtering system and method
CN107342926A (en) * 2017-06-13 2017-11-10 国家计算机网络与信息安全管理中心 A kind of method of multi-service Rapid matching distribution
CN109194759B (en) * 2018-09-14 2020-12-15 广州牧云网络科技有限公司 Network access method and system for degrading at front end
CN109379292A (en) * 2018-10-09 2019-02-22 郑州云海信息技术有限公司 A kind of method of multicasting, virtual switch, SDN controller and storage medium
CN113360740B (en) * 2021-06-04 2022-10-11 上海天旦网络科技发展有限公司 Data packet labeling method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564547A (en) * 2004-03-25 2005-01-12 上海复旦光华信息科技股份有限公司 High speed filtering and stream dividing method for keeping connection features
CN1610335A (en) * 2004-11-25 2005-04-27 上海复旦光华信息科技股份有限公司 Safety filtering current shunt of exchange structure based on network processor and CPU array
CN101217455A (en) * 2007-01-05 2008-07-09 上海复旦光华信息科技股份有限公司 A secure content filtering shunt based on the integration of useful connecting data
CN101478478A (en) * 2008-12-31 2009-07-08 华为技术有限公司 Packet processing method, apparatus and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
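Liu Peng et al. Distributed high-speed network monitoring based on a shunting and filtering algorithm. Computer Engineering (《计算机工程》). 2003, (No. 13). *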

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20130105

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2013990000008

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20140109

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000024

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20131216

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2013990000008

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20100630

Assignee: Yangzhou Wanfang Electronic Technology Co., Ltd.

Assignor: Shanghai Embedway Information Technologies Co., Ltd.

Contract record no.: 2014320000650

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Granted publication date: 20120606

License type: Exclusive License

Record date: 20140812

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20141125

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000024

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20141126

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Shanghai Embedway Information Technologies Co., Ltd.

Registration number: 2014990000988

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
C56 Change in the name or address of the patentee

Owner name: HENGWEI TECHNOLOGY TECHNOLOGY (SHANGHAI) CO., LTD.

Free format text: FORMER NAME: SHANGHAI EMBEDWAY INFORMATION TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 200030 Leshan Road, Shanghai, room 33, No. 103, room

Patentee after: Constant technology (Shanghai) Limited by Share Ltd

Address before: Pudong Shanghai 200127 Lane 91, Eshan Road No. 20 (Lujiazui Software Park Building 9 Unit 2 floor tower)

Patentee before: Shanghai Embedway Information Technologies Co., Ltd.

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20151218

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2014990000988

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PM01 Change of the registration of the contract for pledge of patent right

Change date: 20151218

Registration number: 2014990000988

Pledgor after: Constant technology (Shanghai) Limited by Share Ltd

Pledgor before: Shanghai Embedway Information Technologies Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20151231

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2015990001204

PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20161214

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2015990001204

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Filtering and shunting device and method supporting multi-service function

Effective date of registration: 20161214

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2016990001097

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20180112

Granted publication date: 20120606

Pledgee: Xuhui Shanghai financing Company limited by guarantee

Pledgor: Constant technology (Shanghai) Limited by Share Ltd

Registration number: 2016990001097

EC01 Cancellation of recordation of patent licensing contract

Assignee: YANGZHOU WANFANG ELECTRONIC TECHNOLOGY LLC

Assignor: SHANGHAI EMBEDWAY INFORMATION TECHNOLOGIES Co.,Ltd.

Contract record no.: 2014320000650

Date of cancellation: 20200628