CN111131039B - Message forwarding control method and device - Google Patents


Info

Publication number: CN111131039B
Authority: CN (China)
Prior art keywords: sgt, address, source, terminal device, message
Legal status: Active (status as assumed by Google Patents, not a legal conclusion)
Application number: CN201911293120.4A
Other languages: Chinese (zh)
Other versions: CN111131039A (en)
Inventors: 刘洪玉, 赵海峰
Current assignee: New H3C Big Data Technologies Co Ltd
Original assignee: New H3C Big Data Technologies Co Ltd
Events: application filed by New H3C Big Data Technologies Co Ltd; priority to CN201911293120.4A; publication of CN111131039A; application granted; publication of CN111131039B; current legal status Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The invention provides a packet forwarding control method and device. The method comprises: obtaining the security group tags (SGTs) of a first terminal device attached to the local aggregation switch and of a second terminal device attached to a remote aggregation switch, and maintaining the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT; when a first packet is received from the terminal side, querying those two correspondences with the source IP address and the destination IP address of the first packet respectively, to determine a first source SGT and a first destination SGT; and performing forwarding control on the first packet based on the first source SGT and the first destination SGT. By applying the embodiments of the invention, waste of network bandwidth between the source gateway and the destination gateway is reduced, and the network's exposure to potential security hazards is reduced.

Description

Message forwarding control method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for controlling packet forwarding.
Background
Policy-follows-user ("service accompanying") is a service that restricts the range of information or assets that different classes of users may access, while allowing a user to move to any position in the campus network and keep the same access rights. The policy follows the user, which improves the flexibility and elasticity of the network.
In current implementations, in a cross-aggregation-switch scenario (the sender and the destination of a packet are attached to different aggregation switches), the security group tag (SGT) of the source terminal has to be sent through a Virtual Extensible LAN (VXLAN) tunnel to the aggregation switch attached to the destination (which may be called the destination gateway), and the destination gateway controls forwarding of the packet according to the SGT of the source terminal, the SGT of the destination terminal and a pre-configured policy.
Practice shows, however, that when the destination gateway performs the forwarding control, packets that the pre-configured policy will discard still consume network bandwidth between the aggregation switch attached to the source terminal (which may be called the source gateway) and the destination gateway. This increases the network load, and it lets hostile traffic such as worm propagation be forwarded into the fabric before it is dropped, which is a hidden danger to network security.
Disclosure of Invention
In view of this, the present invention provides a packet forwarding control method and device, to solve the bandwidth waste and the network security hazard caused in the prior art by performing forwarding control at the destination gateway.
In a first aspect, the present invention provides a packet forwarding control method applied to an aggregation switch, the method comprising:
obtaining the security group tags (SGTs) of a first terminal device attached to the local switch and of a second terminal device attached to a remote aggregation switch, and maintaining the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT;
when a first packet is received from the terminal side, querying the two correspondences with the source IP address and the destination IP address of the first packet respectively, to determine a first source SGT and a first destination SGT;
performing forwarding control on the first packet based on the first source SGT and the first destination SGT.
In a second aspect, the present invention provides a packet forwarding control device applied to an aggregation switch, the device comprising:
an obtaining unit, configured to obtain the SGTs of a first terminal device attached to the local switch and of a second terminal device attached to a remote aggregation switch;
a maintaining unit, configured to maintain the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT;
a receiving unit, configured to receive packets;
a determining unit, configured to, when the receiving unit receives a first packet from the terminal side, query the two correspondences with the source IP address and the destination IP address of the first packet respectively, to determine a first source SGT and a first destination SGT;
and a control unit, configured to perform forwarding control on the first packet based on the first source SGT and the first destination SGT.
Thus, by applying the technical solution disclosed by the invention, the aggregation switch obtains the SGT of the first terminal device attached to itself and the SGT of the second terminal device attached to the remote aggregation switch, and maintains the IP-address-to-SGT correspondence for both; when a first packet is received from the terminal side it determines the first source SGT and the first destination SGT from the packet's source and destination IP addresses, and performs forwarding control on the packet at the source gateway. Packets the policy discards never cross the fabric, so the waste of network bandwidth between the source gateway and the destination gateway is reduced, and the network's exposure to security hazards is reduced.
Drawings
Fig. 1 is a schematic flowchart of a packet forwarding control method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a specific application scenario according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a packet forwarding control device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another packet forwarding control device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another packet forwarding control device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the hardware structure of a packet forwarding control device according to an embodiment of the present invention.
Detailed Description
To make the technical solutions in the embodiments of the present invention better understood, and the above objects, features and advantages more comprehensible, the technical solutions are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a schematic flowchart of a packet forwarding control method according to an embodiment of the present invention, the method may be applied to an aggregation switch and may include the following steps.
It should be noted that, in the embodiments of the present invention, unless otherwise specified, all packets mentioned are packets that need to be forwarded across aggregation switches.
In addition, unless otherwise specified, the aggregation switch and the remote aggregation switch both refer to aggregation switches in the same campus, that is, every aggregation switch (the local one and the remote one) is connected to the same core switch. This is not repeated in the description below.
Step 101: obtain the SGT of a first terminal device attached to the local switch and the SGT of a second terminal device attached to the remote aggregation switch, and maintain the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT.
In the embodiments of the invention, in order to reduce the waste of network bandwidth between the source gateway and the destination gateway and to reduce the potential network security hazard, packet forwarding control is performed at the source gateway.
Accordingly, the aggregation switch obtains the SGT of the terminal device attached to itself (referred to here as the first terminal device) and the SGT of the terminal device attached to the remote aggregation switch (referred to here as the second terminal device), so that it can later, acting as the source gateway, perform forwarding control on packets from the terminal side.
When the aggregation switch acquires the SGT of the first terminal device and the SGT of the second terminal device, it maintains the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT.
Step 102: when a first packet is received from the terminal side, query the correspondence between the IP address of the first terminal device and its SGT and the correspondence between the IP address of the second terminal device and its SGT with the source IP address and the destination IP address of the first packet respectively, to determine the first source SGT and the first destination SGT.
In the embodiments of the invention, the first packet is not one fixed packet; it may be any packet the aggregation switch receives from the terminal side.
When the aggregation switch receives the first packet from the terminal side (that is, the aggregation switch is acting as the source gateway), it queries the maintained correspondences with the source IP address and the destination IP address of the first packet, to determine the SGT corresponding to the source IP address (referred to here as the first source SGT) and the SGT corresponding to the destination IP address (referred to here as the first destination SGT).
Step 103: perform forwarding control on the first packet based on the first source SGT and the first destination SGT.
Having determined the first source SGT and the first destination SGT, the aggregation switch performs forwarding control on the first packet based on the first source SGT, the first destination SGT and a pre-configured policy.
It should be noted that the specific way the source gateway controls forwarding based on the source SGT and the destination SGT may follow the way the destination gateway does so in the prior art, and is not described in detail here.
For a packet the policy says must be discarded, the aggregation switch does not forward it but drops it directly, so a packet that would be discarded anyway never occupies network bandwidth between the source gateway and the destination gateway.
For a packet the policy allows, the aggregation switch forwards it by the conventional procedure, for example by VXLAN-encapsulating it and sending it through a VXLAN tunnel.
In summary, in the flow of Fig. 1, the aggregation switch obtains the SGT of the terminal device attached to itself and the SGT of the terminal device attached to the remote aggregation switch, and maintains the correspondence between each terminal device's IP address and its SGT. When the aggregation switch, acting as the source gateway, receives a packet from the terminal side, it queries that correspondence with the packet's source and destination IP addresses to determine the source SGT and the destination SGT, and performs forwarding control on that basis. Compared with performing forwarding control at the destination gateway, this prevents packets that must be discarded from being sent from the source gateway to the destination gateway at all, which reduces the waste of network bandwidth between the two gateways, keeps dangerous traffic out of the fabric, and reduces the network's security exposure.
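The source-gateway enforcement described in steps 101 to 103, modelled as an added Python example (this code is not part of the patent; the IP addresses, SGT values, policy matrix and the 50-byte VXLAN overhead figure are constructed for illustration). It pushes the same traffic mix through two fabrics, one enforcing at the destination gateway as in the prior art and one enforcing at the source gateway, and reports the tunnel bytes consumed and where the drops happen. Denying SGT pairs that have no policy entry is an added default, not something the page states.

```python
"""Source-gateway vs destination-gateway SGT enforcement, as a runnable model."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PERMIT, DENY = "permit", "deny"
VXLAN_OVERHEAD = 50   # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 bytes per tunnelled packet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    length: int       # inner frame length in bytes


@dataclass
class AggregationSwitch:
    """Leaf/aggregation switch acting as gateway for its attached terminals."""
    name: str
    ip_to_sgt: Dict[str, int]               # step 101: IP -> SGT for local and remote terminals
    policy: Dict[Tuple[int, int], str]      # (source SGT, destination SGT) -> PERMIT / DENY
    default_action: str = DENY              # assumption: SGT pairs without a policy entry are denied
    tunnel_bytes: int = 0                   # bytes this switch put on the VXLAN tunnel
    dropped: int = 0                        # packets this switch discarded

    def resolve_sgt(self, ip: str) -> Optional[int]:
        """Step 102: query the maintained IP -> SGT correspondence."""
        return self.ip_to_sgt.get(ip)

    def decide(self, src_sgt: Optional[int], dst_sgt: Optional[int]) -> str:
        """Step 103: pre-configured policy keyed on (source SGT, destination SGT)."""
        if src_sgt is None or dst_sgt is None:
            return self.default_action
        return self.policy.get((src_sgt, dst_sgt), self.default_action)

    def send_from_terminal(self, pkt: Packet, remote: "AggregationSwitch",
                           enforce_at_source: bool) -> str:
        """Packet received from the terminal side; this switch is the source gateway."""
        if enforce_at_source:
            verdict = self.decide(self.resolve_sgt(pkt.src_ip), self.resolve_sgt(pkt.dst_ip))
            if verdict == DENY:
                self.dropped += 1
                return DENY            # discarded before it ever touches the fabric
        self.tunnel_bytes += pkt.length + VXLAN_OVERHEAD   # VXLAN-encapsulate and tunnel it
        return remote.receive_from_tunnel(pkt)

    def receive_from_tunnel(self, pkt: Packet) -> str:
        """Packet arriving from the network side; this switch is the destination gateway."""
        verdict = self.decide(self.resolve_sgt(pkt.src_ip), self.resolve_sgt(pkt.dst_ip))
        if verdict == DENY:
            self.dropped += 1
        return verdict


def build_fabric() -> Tuple[AggregationSwitch, AggregationSwitch]:
    """Constructed data: one terminal behind Leaf1, two behind Leaf2, one policy matrix."""
    ip_to_sgt = {"10.1.1.10": 100, "10.2.2.20": 200, "10.2.2.21": 300}
    policy = {(100, 200): PERMIT, (100, 300): DENY}
    return (AggregationSwitch("Leaf1", dict(ip_to_sgt), dict(policy)),
            AggregationSwitch("Leaf2", dict(ip_to_sgt), dict(policy)))


def run(enforce_at_source: bool) -> Tuple[int, int, int]:
    """Send a constructed mix (3 permitted, 5 denied) from Leaf1's terminal to Leaf2's.
    Returns (tunnel bytes used, drops at the source gateway, drops at the destination gateway)."""
    leaf1, leaf2 = build_fabric()
    traffic = [Packet("10.1.1.10", "10.2.2.20", 1000)] * 3 + \
              [Packet("10.1.1.10", "10.2.2.21", 1000)] * 5
    for pkt in traffic:
        leaf1.send_from_terminal(pkt, leaf2, enforce_at_source)
    return leaf1.tunnel_bytes, leaf1.dropped, leaf2.dropped


if __name__ == "__main__":
    print("destination-gateway enforcement (prior art):", run(False))   # (8400, 0, 5)
    print("source-gateway enforcement (this scheme):   ", run(True))    # (3150, 5, 0)
```

With destination-gateway enforcement all eight packets are encapsulated and carried across the fabric and five are then discarded at the far end; with source-gateway enforcement only the three permitted packets reach the tunnel, which is the bandwidth saving the description claims.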
Optionally, in a possible embodiment, obtaining the SGT of the second terminal device in step 101 comprises:
receiving the security group tag (SGT) of the second terminal device advertised by the remote aggregation switch; the remote aggregation switch advertises the SGT of the second terminal device when it detects that the second terminal device has come online and has obtained its SGT.
In this embodiment, each aggregation switch in the network actively advertises the SGTs of the terminal devices attached to it, so every aggregation switch learns both the SGTs of its own terminal devices and the SGTs of the terminal devices attached to remote aggregation switches.
Correspondingly, the aggregation switch receives the SGT of the second terminal device advertised by the remote aggregation switch and maintains the correspondence between the SGT of the second terminal device and its IP address.
In an example, after obtaining the SGT of the first terminal device attached to the local switch in step 101, the method may further comprise:
advertising the SGT of the first terminal device to the remote aggregation switch.
In this example, after acquiring the SGT of the first terminal device attached to it, the aggregation switch advertises that SGT to the remote aggregation switch.
Illustratively, the aggregation switch may advertise the SGT of the first terminal device to the remote aggregation switch via a host route.
For example, the SGT of the first terminal device may be carried in the community attribute of the host route that is advertised to the remote aggregation switch.
Optionally, in a possible embodiment, maintaining in step 101 the correspondence between the IP address of the first terminal device and its SGT and between the IP address of the second terminal device and its SGT comprises:
maintaining an ARP entry that includes the SGT of the first terminal device and an ARP entry that includes the SGT of the second terminal device.
Correspondingly, querying in step 102 the correspondence between the IP address of the first terminal device and its SGT with the source IP address of the first packet to determine the first source SGT comprises:
performing forced ARP resolution on the source IP address of the first packet to determine the first source SGT.
In this embodiment, the correspondence between a terminal device's IP address and its SGT is maintained by adding an SGT field to the ARP (Address Resolution Protocol) entry.
When the aggregation switch acquires the SGT of the first terminal device (or of the second terminal device), it records that SGT in the ARP entry of the first terminal device (or of the second terminal device).
When the aggregation switch receives the first packet from the terminal side, it performs forced ARP resolution on the source IP address of the first packet: it looks up the ARP entry matching the source IP address and takes the SGT recorded in that entry as the first source SGT. (A normal forwarding lookup is keyed on the destination address only; the forced resolution is what makes the switch consult an ARP entry for the source address as well.)
Similarly, the aggregation switch looks up the ARP entry matching the destination IP address of the first packet (that is, performs ARP resolution on the destination IP address) and takes the SGT recorded in that entry as the first destination SGT.
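How the SGT distribution of the previous optional embodiment (host route with a community attribute) and the ARP entry with an added SGT field fit together, as an added Python example that is not from the patent. The community string form "SGT:<value>", the MAC address travelling with the host route, and the explicit peering between the two switches are assumptions made so the model runs; the page only says that the SGT is carried in the host route's community attribute and recorded in the ARP entry.

```python
"""SGT advertised in a host-route community and stored in an ARP entry with an SGT field."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT_COMMUNITY_PREFIX = "SGT:"   # assumed marker for the community that carries the SGT


@dataclass
class ArpEntry:
    ip: str
    mac: str
    sgt: Optional[int] = None    # SGT field added to the ARP entry; None = not learned
    remote: bool = False         # learned from a remote switch's host route


@dataclass(frozen=True)
class HostRoute:
    prefix: str                   # "<ip>/32"
    mac: str                      # assumption: the advertisement carries the host MAC too
    next_hop: str                 # VTEP address of the advertising switch
    communities: Tuple[str, ...]  # e.g. ("SGT:100",)
    withdraw: bool = False


def encode_sgt_community(sgt: int) -> str:
    return f"{SGT_COMMUNITY_PREFIX}{sgt}"


def decode_sgt_community(communities: Tuple[str, ...]) -> Optional[int]:
    """Return the SGT carried in the communities, or None if no SGT community is present."""
    for community in communities:
        if community.startswith(SGT_COMMUNITY_PREFIX):
            return int(community[len(SGT_COMMUNITY_PREFIX):])
    return None


class GatewaySwitch:
    """Aggregation switch acting as gateway for its directly attached terminals."""

    def __init__(self, name: str, vtep_ip: str) -> None:
        self.name = name
        self.vtep_ip = vtep_ip
        self.arp: Dict[str, ArpEntry] = {}     # entries for local and remote terminals
        self.peers: List["GatewaySwitch"] = []

    def peer_with(self, other: "GatewaySwitch") -> None:
        self.peers.append(other)
        other.peers.append(self)

    def terminal_online(self, ip: str, mac: str, sgt: int) -> None:
        """Local terminal authenticated: record its SGT in the ARP entry, advertise a host route."""
        self.arp[ip] = ArpEntry(ip, mac, sgt)
        route = HostRoute(f"{ip}/32", mac, self.vtep_ip, (encode_sgt_community(sgt),))
        for peer in self.peers:
            peer.receive_route(route)

    def terminal_offline(self, ip: str) -> None:
        """Local terminal left: remove the entry and withdraw the host route."""
        entry = self.arp.pop(ip, None)
        if entry is None:
            return
        route = HostRoute(f"{ip}/32", entry.mac, self.vtep_ip, (), withdraw=True)
        for peer in self.peers:
            peer.receive_route(route)

    def receive_route(self, route: HostRoute) -> None:
        """Remote host route: install or remove the ARP entry with the SGT it carries."""
        ip = route.prefix.split("/")[0]
        if route.withdraw:
            self.arp.pop(ip, None)
            return
        self.arp[ip] = ArpEntry(ip, route.mac, decode_sgt_community(route.communities), remote=True)

    def forced_arp_resolve(self, ip: str) -> Optional[int]:
        """Forced ARP resolution: match the ARP entry by IP and read its SGT field."""
        entry = self.arp.get(ip)
        return entry.sgt if entry is not None else None

    def classify(self, src_ip: str, dst_ip: str) -> Tuple[Optional[int], Optional[int]]:
        """Source and destination SGT for a packet, as the source gateway derives them."""
        return self.forced_arp_resolve(src_ip), self.forced_arp_resolve(dst_ip)


def demo():
    """Constructed two-leaf fabric: terminal 1 behind Leaf1 (SGT 100), terminal 2 behind Leaf2 (SGT 200)."""
    leaf1, leaf2 = GatewaySwitch("Leaf1", "192.0.2.1"), GatewaySwitch("Leaf2", "192.0.2.2")
    leaf1.peer_with(leaf2)
    leaf1.terminal_online("10.1.1.10", "00:11:22:33:44:01", 100)
    leaf2.terminal_online("10.2.2.20", "00:11:22:33:44:02", 200)
    on_leaf1 = leaf1.classify("10.1.1.10", "10.2.2.20")     # both switches now agree
    on_leaf2 = leaf2.classify("10.1.1.10", "10.2.2.20")
    leaf1.terminal_offline("10.1.1.10")                     # withdrawal removes the remote entry
    after_withdraw = leaf2.forced_arp_resolve("10.1.1.10")
    return on_leaf1, on_leaf2, after_withdraw


if __name__ == "__main__":
    print(demo())
```

Both switches end up with the same IP-to-SGT view even though each only ever authenticated its own terminal, and a withdrawn host route takes the remote ARP entry (and its SGT) away with it, so a stale tag is not left behind for a moved or departed terminal.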
Optionally, in a possible embodiment, the packet forwarding control method may further comprise:
when a VXLAN packet is received from the network side, removing the VXLAN encapsulation of the VXLAN packet to obtain a second packet;
querying the correspondence between the IP address of the first terminal device and its SGT and the correspondence between the IP address of the second terminal device and its SGT with the source IP address and the destination IP address of the second packet respectively, to determine a second source SGT and a second destination SGT;
performing forwarding control on the second packet based on the second source SGT and the second destination SGT.
In this embodiment, when the aggregation switch receives a VXLAN packet from the network side (that is, the aggregation switch is acting as the destination gateway), it decapsulates the VXLAN packet to obtain a second packet and queries the maintained IP-address-to-SGT correspondence with the source IP address and the destination IP address of the second packet, to determine the SGT corresponding to the source IP address (referred to here as the second source SGT) and the SGT corresponding to the destination IP address (referred to here as the second destination SGT).
Once the aggregation switch has determined the second source SGT and the second destination SGT corresponding to the source and destination IP addresses of the second packet, it performs forwarding control on the second packet based on them.
The way the aggregation switch determines the second source SGT and the second destination SGT from the source and destination IP addresses of the second packet may follow the way it determines the first source SGT and the first destination SGT from the first packet, described in the foregoing embodiments, and is not repeated here.
Likewise, the way the aggregation switch performs forwarding control on the second packet based on the second source SGT and the second destination SGT may follow the way the destination gateway performs forwarding control based on source and destination SGT in the prior art, and is not described here.
It should be noted that, to stay compatible with the existing scheme, the VXLAN packet sent by the source gateway to the destination gateway may also carry the source SGT of the packet. When the destination gateway receives such a VXLAN packet it may still perform forwarding control according to the source SGT carried in the VXLAN packet and the SGT it determines for the destination terminal (that is, it does not need to determine the source SGT from the source IP address of the decapsulated packet).
In addition, some forwarding chips may not support forced ARP resolution on the source IP address of the inner packet at the VXLAN tunnel port (that is, after decapsulation, the chip cannot perform forced ARP resolution on the source IP address of the inner packet). In that case, if the VXLAN encapsulation does not carry a source SGT, the source SGT of the packet is set to a default value, such as 0.
A packet whose source SGT is the default value is not discarded by forwarding control: when the aggregation switch finds that the source SGT of a received packet is the default value, it does not apply the source-SGT/destination-SGT policy but treats the packet as allowed to pass. Note that this makes the destination gateway fail open for untagged traffic on such chips; in this scheme the protection against that traffic is the forwarding control already applied at the source gateway.
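The destination-gateway side of this embodiment, including the carried-SGT shortcut and the default-SGT case, as an added Python example that is not the patent's own code. It builds a VXLAN frame with and without a source tag, decapsulates it, and shows the three ways the source SGT is obtained and the decision each leads to. The tag encoding (the VXLAN-GPO layout: G flag in the first header byte and a 16-bit Group Policy ID in header bytes 2-3) and the default-deny for SGT pairs without a policy entry are assumptions; the page specifies neither.

```python
"""Destination-gateway handling of VXLAN packets: carried SGT, forced ARP, or default SGT."""
import socket
import struct
from typing import Dict, Optional, Tuple

PERMIT, DENY = "permit", "deny"
DEFAULT_SGT = 0          # value the page assigns when no source SGT can be determined
VXLAN_FLAG_I = 0x08      # VNI present
VXLAN_FLAG_G = 0x80      # Group Policy ID present (VXLAN-GPO layout, assumed here)


def build_vxlan_frame(vni: int, src_ip: str, dst_ip: str, sgt: Optional[int] = None) -> bytes:
    """Constructed test input: 8-byte VXLAN header, inner Ethernet (IPv4 type), 20-byte IPv4 header."""
    flags = VXLAN_FLAG_I | (VXLAN_FLAG_G if sgt is not None else 0)
    vxlan = struct.pack("!BBHI", flags, 0, sgt or 0, vni << 8)   # flags, rsvd, group id, VNI<<8
    ethernet = bytes.fromhex("02000000aa02") + bytes.fromhex("02000000bb01") + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return vxlan + ethernet + ipv4


def decapsulate(frame: bytes) -> Tuple[Optional[int], str, str]:
    """Strip VXLAN; return (SGT carried in the header or None, inner source IP, inner destination IP)."""
    flags, _reserved, gpid, _vni_reserved = struct.unpack("!BBHI", frame[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    carried_sgt = gpid if flags & VXLAN_FLAG_G else None
    inner = frame[8:]
    if len(inner) < 34 or inner[12:14] != b"\x08\x00" or inner[14] >> 4 != 4:
        raise ValueError("inner frame is not IPv4")
    return carried_sgt, socket.inet_ntoa(inner[26:30]), socket.inet_ntoa(inner[30:34])


class DestinationGateway:
    def __init__(self, ip_to_sgt: Dict[str, int], policy: Dict[Tuple[int, int], str],
                 chip_resolves_inner_source: bool) -> None:
        self.ip_to_sgt = ip_to_sgt                            # the ARP entries' SGT fields
        self.policy = policy                                  # (src SGT, dst SGT) -> PERMIT / DENY
        self.chip_resolves_inner_source = chip_resolves_inner_source

    def handle(self, frame: bytes) -> Tuple[str, str]:
        """Forwarding decision for one VXLAN packet, plus which path produced the source SGT."""
        carried, src_ip, dst_ip = decapsulate(frame)
        dst_sgt = self.ip_to_sgt.get(dst_ip)
        if carried is not None:
            src_sgt, how = carried, "carried-in-vxlan"        # compatibility path
        elif self.chip_resolves_inner_source:
            src_sgt, how = self.ip_to_sgt.get(src_ip), "forced-arp"
        else:
            src_sgt, how = DEFAULT_SGT, "default"             # chip cannot resolve inner source
        if src_sgt == DEFAULT_SGT:
            # Page's rule: a default-tagged packet passes without a policy check. This is
            # fail-open; it relies on the source gateway having enforced the policy already.
            return PERMIT, how
        return self.policy.get((src_sgt, dst_sgt), DENY), how   # assumption: default deny


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed: SGT 100 may not talk to SGT 300; the same flow through three variants."""
    ip_to_sgt = {"10.1.1.10": 100, "10.2.2.21": 300}
    policy = {(100, 300): DENY}
    tagged = build_vxlan_frame(10010, "10.1.1.10", "10.2.2.21", sgt=100)
    untagged = build_vxlan_frame(10010, "10.1.1.10", "10.2.2.21")
    capable = DestinationGateway(ip_to_sgt, policy, chip_resolves_inner_source=True)
    limited = DestinationGateway(ip_to_sgt, policy, chip_resolves_inner_source=False)
    return {
        "tagged, any chip": capable.handle(tagged),
        "untagged, chip resolves inner source": capable.handle(untagged),
        "untagged, chip cannot resolve": limited.handle(untagged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first two variants reach the same deny verdict by different routes; the third shows the compatibility rule in action, where a chip that cannot resolve the inner source address lets the same flow through, which is why the scheme enforces at the source gateway rather than relying on the destination alone.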
To help those skilled in the art understand the technical solution of the embodiments, it is described below with reference to a specific application scenario.
Referring to Fig. 2, a schematic architecture of a specific application scenario: aggregation switch 1 (shown as Leaf node 1) is the local gateway of terminal device 1, and aggregation switch 2 (shown as Leaf node 2) is the local gateway of terminal device 2. Aggregation switches 1 and 2 are interconnected through a core switch (shown as a Spine node). The IP address of terminal device 1 is IP1, and the IP address of terminal device 2 is IP2.
It should be noted that an access-layer switch (not shown in Fig. 2) may also sit between a terminal device and its aggregation switch; this is not described in detail here.
Based on the scenario of Fig. 2, the implementation flow of the packet forwarding control scheme is as follows (taking terminal device 1 sending a packet to terminal device 2 as the example):
1. When terminal device 1 comes online and passes identity authentication, aggregation switch 1 obtains the SGT of terminal device 1 (assumed to be SGT1). It maintains the correspondence between the IP address of terminal device 1 and SGT1, and advertises the host route of terminal device 1 with a community extension attribute that carries SGT1.
Aggregation switch 2 obtains the SGT of terminal device 1 from the host route advertised by aggregation switch 1 and maintains the correspondence between the IP address of terminal device 1 and SGT1.
Similarly, when terminal device 2 comes online and passes identity authentication, aggregation switch 2 obtains the SGT of terminal device 2 (assumed to be SGT2). It maintains the correspondence between the IP address of terminal device 2 and SGT2, and advertises the host route of terminal device 2 with a community extension attribute that carries SGT2.
Aggregation switch 1 obtains the SGT of terminal device 2 from the host route advertised by aggregation switch 2 and maintains the correspondence between the IP address of terminal device 2 and SGT2.
The correspondence between terminal IP address and SGT maintained on aggregation switch 1 (and likewise on aggregation switch 2) may then be as shown in Table 1:
TABLE 1
IP address    SGT
IP1           SGT1
IP2           SGT2
In this embodiment the correspondence is held in ARP entries, so each row of Table 1 may also include the other fields of an ARP entry (such as the Media Access Control (MAC) address), which are not described in detail here.
2. When aggregation switch 1 receives a packet from terminal device 1, it performs forced ARP resolution on the packet's source IP address (IP1) to determine the source SGT (SGT1), and ARP resolution on the packet's destination IP address (IP2) to determine the destination SGT (SGT2).
3. Aggregation switch 1 performs forwarding control on the packet from terminal device 1 based on the source SGT (SGT1) and the destination SGT (SGT2).
If the packet is allowed to pass, aggregation switch 1 VXLAN-encapsulates it (the VXLAN encapsulation does not include the source SGT) and sends it to aggregation switch 2 through the VXLAN tunnel.
The specific way aggregation switch 1 sends the packet to aggregation switch 2 may follow the prior art and is not described here.
4. When aggregation switch 2 receives the VXLAN packet from the network side, it decapsulates it, performs forced ARP resolution on the source IP address of the decapsulated packet to determine the source SGT (SGT1), and ARP resolution on its destination IP address to determine the destination SGT (SGT2).
5. Aggregation switch 2 performs forwarding control on the decapsulated packet based on the source SGT (SGT1) and the destination SGT (SGT2).
As can be seen from the above, in the technical solution of the embodiments, the aggregation switch obtains the SGT of the first terminal device attached to itself and the SGT of the second terminal device attached to the remote aggregation switch, and maintains the IP-address-to-SGT correspondence for both; when a first packet is received from the terminal side it determines the first source SGT and the first destination SGT from the packet's source and destination IP addresses and performs forwarding control on the first packet on that basis, so that waste of network bandwidth between the source gateway and the destination gateway is reduced and the network's exposure to security hazards is reduced.
Referring to fig. 3, a schematic structural diagram of a message forwarding control device is provided for an embodiment of the present invention, where the message forwarding control device may be applied to the aggregation switch in the foregoing method embodiment, and as shown in fig. 3, the message forwarding control device may include:
an obtaining unit 310, configured to obtain a security group tag SGT of a first terminal device accessed by a local switch and a security group tag of a second terminal device accessed by a remote aggregation switch;
a maintaining unit 320, configured to maintain a corresponding relationship between an IP address of a first terminal device and an SGT, and a corresponding relationship between an IP address of a second terminal device and the SGT;
a receiving unit 330, configured to receive a message;
a determining unit 340, configured to, when the receiving unit 330 receives a first packet from a terminal side, query, based on a source IP address and a destination IP address of the first packet, a corresponding relationship between an IP address of the first terminal device and an SGT and a corresponding relationship between an IP address of a second terminal device and the SGT, to determine a first source SGT and a first destination SGT;
a control unit 350, configured to perform forwarding control on the first packet based on the first source SGT and the first destination SGT.
In an optional embodiment, the obtaining unit 310 is specifically configured to receive the SGT of the second terminal device issued by the remote aggregation switch, where the SGT of the second terminal device is issued when the remote aggregation switch detects that the second terminal device is online and acquires the SGT of the second terminal device.
Referring also to fig. 4, a schematic structural diagram of another message forwarding control apparatus according to an embodiment of the present invention is shown, where, on the basis of the message forwarding control apparatus shown in fig. 3, the apparatus shown in fig. 4 further includes:
a sending unit 360, configured to issue the SGT of the first terminal device to the remote aggregation switch.
In an optional embodiment, the maintaining unit 320 is specifically configured to maintain an Address Resolution Protocol (ARP) entry including the SGT of the first terminal device and an ARP entry including the SGT of the second terminal device;
the determining unit 340 is specifically configured to perform forced ARP resolution based on the source IP address of the first packet, so as to determine the first source SGT.
Referring to fig. 5, which is a schematic structural diagram of another message forwarding control apparatus according to an embodiment of the present invention, as shown in fig. 5, on the basis of the message forwarding control apparatus shown in fig. 3, the apparatus shown in fig. 5 further includes:
a decapsulating unit 370, configured to, when the receiving unit 330 receives a VXLAN packet from the network side, remove the VXLAN encapsulation of the VXLAN packet to obtain a second packet;
the determining unit 340 is further configured to query, based on the source IP address and the destination IP address of the second packet, a corresponding relationship between the IP address of the first terminal device and the SGT and a corresponding relationship between the IP address of the second terminal device and the SGT, respectively, so as to determine a second source SGT and a second destination SGT;
the control unit 350 is further configured to perform forwarding control on the second packet based on the second source SGT and the second destination SGT.
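The procedure above (steps 1 through 5 of the method, and the obtaining, sending, maintaining, determining, decapsulating and control units of the apparatus in fig. 3 to 5) can be illustrated with a small control-plane model. The following Python is an added example written for this page; it is not code from the patent or from the applicant, and the topology, IP addresses, MAC addresses, SGT values, VNI and policy matrix in it are constructed. It assumes a policy matrix keyed on the pair (source SGT, destination SGT) and a fail-closed default (drop when a binding or rule is missing), neither of which the patent specifies. The model keeps the SGT in the ARP entry, performs the "forced" lookup on the source IP as well as the destination IP, never embeds the SGT in the forwarded message, and shows that a message the remote gateway would have dropped is discarded at the source gateway before it ever crosses the VXLAN overlay.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

# Constructed placeholder: the SGT value used when an IP has no known binding.
UNKNOWN_SGT = 0


class Action(Enum):
    PERMIT = "permit"
    DROP = "drop"


@dataclass
class ArpEntry:
    """ARP entry extended with the terminal's SGT (the state the maintaining unit keeps)."""
    mac: str
    sgt: int
    local: bool  # True when learned from a terminal attached to this switch


@dataclass
class Packet:
    src_ip: str
    dst_ip: str


@dataclass
class VxlanPacket:
    """Overlay packet between aggregation switches; it deliberately carries no SGT."""
    vni: int
    inner: Packet


@dataclass
class AggregationSwitch:
    name: str
    policy: Dict[Tuple[int, int], Action]        # (source SGT, destination SGT) -> action
    default_action: Action = Action.DROP          # assumption: fail closed without a rule/binding
    arp: Dict[str, ArpEntry] = field(default_factory=dict)
    peers: List["AggregationSwitch"] = field(default_factory=list)
    tx_log: List[VxlanPacket] = field(default_factory=list)

    # Obtaining/sending units: learn a local terminal's SGT and issue it to remote peers.
    def terminal_online(self, ip: str, mac: str, sgt: int) -> None:
        self.arp[ip] = ArpEntry(mac, sgt, local=True)
        for peer in self.peers:
            peer.receive_sgt_advertisement(ip, mac, sgt)

    def receive_sgt_advertisement(self, ip: str, mac: str, sgt: int) -> None:
        self.arp[ip] = ArpEntry(mac, sgt, local=False)

    # Determining unit: forced ARP resolution of the source IP, normal resolution of the destination.
    def resolve_sgt(self, ip: str) -> int:
        entry = self.arp.get(ip)
        return entry.sgt if entry is not None else UNKNOWN_SGT

    def decide(self, pkt: Packet) -> Tuple[int, int, Action]:
        src_sgt, dst_sgt = self.resolve_sgt(pkt.src_ip), self.resolve_sgt(pkt.dst_ip)
        if UNKNOWN_SGT in (src_sgt, dst_sgt):
            return src_sgt, dst_sgt, self.default_action
        return src_sgt, dst_sgt, self.policy.get((src_sgt, dst_sgt), self.default_action)

    # Control unit, terminal-side path (steps 1 to 3 / claim 1).
    def handle_terminal_packet(self, pkt: Packet) -> str:
        _, _, action = self.decide(pkt)
        if action is Action.DROP:
            return "drop"                        # nothing crosses the overlay
        if self.arp[pkt.dst_ip].local:
            return "forward-local"
        self.tx_log.append(VxlanPacket(vni=100, inner=pkt))  # VNI 100 is a constructed value
        return "forward-vxlan"

    # Decapsulating and control units, network-side path (steps 4 and 5 / claim 4).
    def handle_vxlan_packet(self, vx: VxlanPacket) -> str:
        inner = vx.inner                         # remove the VXLAN encapsulation
        _, _, action = self.decide(inner)        # re-derive both SGTs from the IP bindings
        return "drop" if action is Action.DROP else "forward-local"


def run_scenario() -> Dict[str, object]:
    """Constructed topology: two aggregation switches, three terminals, a small policy matrix."""
    policy = {(10, 20): Action.PERMIT, (20, 10): Action.PERMIT}   # no rule for SGT 30 -> 20
    sw1 = AggregationSwitch("agg1", policy)
    sw2 = AggregationSwitch("agg2", policy)
    sw1.peers.append(sw2)
    sw2.peers.append(sw1)
    sw1.terminal_online("10.0.1.10", "aa:aa:aa:aa:aa:01", sgt=10)   # terminal A on agg1
    sw1.terminal_online("10.0.1.20", "aa:aa:aa:aa:aa:02", sgt=30)   # terminal C on agg1
    sw2.terminal_online("10.0.2.10", "bb:bb:bb:bb:bb:01", sgt=20)   # terminal B on agg2

    results: Dict[str, object] = {}
    results["a_to_b"] = sw1.handle_terminal_packet(Packet("10.0.1.10", "10.0.2.10"))
    results["b_side"] = sw2.handle_vxlan_packet(sw1.tx_log[-1])
    results["c_to_b"] = sw1.handle_terminal_packet(Packet("10.0.1.20", "10.0.2.10"))
    results["unknown_src"] = sw1.handle_terminal_packet(Packet("10.0.9.9", "10.0.2.10"))
    results["overlay_packets"] = len(sw1.tx_log)           # only the permitted flow was sent
    results["remote_binding_on_sw2"] = sw2.resolve_sgt("10.0.1.10")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The fail-closed branch in `decide` is the check a practitioner would add: a message whose source IP has no binding (for instance a spoofed or not yet learned address) cannot be classified and is dropped rather than being given a permissive default, and the same lookup on the receiving switch means a permitted decision at the source gateway is verified again at the destination gateway without trusting any tag carried in the message.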
Fig. 6 is a schematic diagram of a hardware structure of a message forwarding control apparatus according to an embodiment of the present invention. The message forwarding control apparatus may include a processor 601, a machine-readable storage medium 602 having machine-executable instructions stored thereon. The processor 601 and the machine-readable storage medium 602 may communicate via a system bus 603. Also, the processor 601 may perform the message forwarding control method described above by reading and executing machine executable instructions corresponding to the message forwarding control logic in the machine readable storage medium 602.
The machine-readable storage medium 602 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be volatile memory, non-volatile memory, or a similar storage medium. In particular, the machine-readable storage medium 602 may be a RAM (Random Access Memory), a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., a compact disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
Embodiments of the present invention also provide a machine-readable storage medium, such as the machine-readable storage medium 602 in fig. 6, including machine-executable instructions, which are executable by the processor 601 in the message forwarding control apparatus to implement the message forwarding control method described above.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant description of the method embodiments. The above-described embodiments of the apparatus are merely illustrative; the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
As can be seen from the foregoing embodiment, the aggregation switch acquires the security group tag SGT of the first terminal device accessed by the aggregation switch and the security group tag SGT of the second terminal device accessed by the remote aggregation switch, and maintains the correspondence between the IP address of the first terminal device and its SGT and the correspondence between the IP address of the second terminal device and its SGT. When a first message is received from the terminal side, these two correspondences are queried based on the source IP address and the destination IP address of the first message, respectively, to determine a first source SGT and a first destination SGT, and forwarding control is then performed on the first message based on the first source SGT and the first destination SGT, so that the waste of network bandwidth between the source gateway and the destination gateway is reduced, and the potential security hazard to the network is reduced.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (8)

1. A message forwarding control method, applied to an aggregation switch, characterized in that the method comprises the following steps:
acquiring security group tags SGT of a first terminal device accessed by the switch and of a second terminal device accessed by a remote aggregation switch, and maintaining the corresponding relation between the IP address of the first terminal device and the SGT and the corresponding relation between the IP address of the second terminal device and the SGT;
when a first message is received from a terminal side, respectively inquiring the corresponding relation between the IP address of the first terminal device and the SGT and the corresponding relation between the IP address of the second terminal device and the SGT based on the source IP address and the destination IP address of the first message, so as to determine a first source SGT and a first destination SGT;
performing forwarding control on the first message based on the first source SGT and the first destination SGT; during the forwarding control of the first message, the first source SGT is not added to the first message;
wherein acquiring the SGT of the second terminal device comprises:
receiving the SGT of the second terminal device issued by the remote aggregation switch, wherein the SGT of the second terminal device is issued when the remote aggregation switch detects that the second terminal device is online and acquires the SGT of the second terminal device.
2. The method according to claim 1, wherein after acquiring the SGT of the first terminal device accessed by the local switch, the method further comprises:
issuing the SGT of the first terminal device to the remote aggregation switch.
3. The method of claim 1, wherein the maintaining the correspondence between the IP address of the first terminal device and the SGT and the correspondence between the IP address of the second terminal device and the SGT comprises:
maintaining an Address Resolution Protocol (ARP) entry comprising the SGT of the first terminal device and an ARP entry comprising the SGT of the second terminal device;
and inquiring the corresponding relation between the IP address of the first terminal device and the SGT based on the source IP address of the first message to determine the first source SGT comprises:
performing forced ARP resolution based on the source IP address of the first message to determine the first source SGT.
4. The method of claim 1, further comprising:
when receiving a VXLAN message from a network side, removing VXLAN encapsulation of the VXLAN message to obtain a second message;
inquiring the corresponding relation between the IP address of the first terminal equipment and the SGT and the corresponding relation between the IP address of the second terminal equipment and the SGT respectively based on the source IP address and the destination IP address of the second message so as to determine a second source SGT and a second destination SGT;
and performing forwarding control on the second message based on the second source SGT and the second destination SGT.
5. A message forwarding control device, applied to an aggregation switch, characterized in that the device comprises:
an acquiring unit, configured to acquire security group tags SGT of a first terminal device accessed by the switch and of a second terminal device accessed by a remote aggregation switch;
a maintaining unit, configured to maintain the corresponding relation between the IP address of the first terminal device and the SGT and the corresponding relation between the IP address of the second terminal device and the SGT;
a receiving unit, configured to receive a packet;
a determining unit, configured to, when the receiving unit receives a first packet from a terminal side, query, based on the source IP address and the destination IP address of the first packet, the corresponding relation between the IP address of the first terminal device and the SGT and the corresponding relation between the IP address of the second terminal device and the SGT, respectively, to determine a first source SGT and a first destination SGT;
a control unit, configured to perform forwarding control on the first packet based on the first source SGT and the first destination SGT; during the forwarding control of the first packet, the first source SGT is not added to the first packet;
wherein the acquiring unit is specifically configured to receive the SGT of the second terminal device issued by the remote aggregation switch, and the SGT of the second terminal device is issued when the remote aggregation switch detects that the second terminal device is online and acquires the SGT of the second terminal device.
6. The apparatus of claim 5, further comprising:
a sending unit, configured to issue the SGT of the first terminal device to the remote aggregation switch.
7. The apparatus of claim 5,
the maintenance unit is specifically configured to maintain an Address Resolution Protocol (ARP) entry including the SGT of the first terminal device and an ARP entry including the SGT of the second terminal device;
the determining unit is specifically configured to perform forced ARP resolution based on the source IP address of the first packet to determine the first source SGT.
8. The apparatus of claim 5, further comprising:
the decapsulation unit is used for removing VXLAN encapsulation of the VXLAN message to obtain a second message when the receiving unit receives the VXLAN message from the network side;
the determining unit is further configured to query, based on the source IP address and the destination IP address of the second packet, a corresponding relationship between the IP address of the first terminal device and the SGT and a corresponding relationship between the IP address of the second terminal device and the SGT, respectively, so as to determine a second source SGT and a second destination SGT;
the control unit is further configured to perform forwarding control on the second packet based on the second source SGT and the second destination SGT.
CN201911293120.4A 2019-12-16 2019-12-16 Message forwarding control method and device Active CN111131039B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911293120.4A CN111131039B (en) 2019-12-16 2019-12-16 Message forwarding control method and device

Publications (2)

Publication Number Publication Date
CN111131039A CN111131039A (en) 2020-05-08
CN111131039B true CN111131039B (en) 2022-03-25

Family

ID=70499018

Country Status (1)

Country Link
CN (1) CN111131039B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112468384B (en) * 2020-11-24 2022-04-22 新华三技术有限公司 Communication method, device, switch, AP and AC
CN113285949B (en) * 2021-05-21 2022-03-25 新华三大数据技术有限公司 External network access control method, device, equipment and storage medium
CN113965343A (en) * 2021-09-06 2022-01-21 锐捷网络股份有限公司 Terminal equipment isolation method and device based on local area network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1748401A (en) * 2003-02-13 2006-03-15 思科技术公司 Method and apparatus for enforcing security groups for vlans
CN101277234A (en) * 2007-03-28 2008-10-01 华为技术有限公司 Household network and entry method
CN104639512A (en) * 2013-11-14 2015-05-20 华为技术有限公司 Network security method and device
CN110417741A (en) * 2019-06-28 2019-11-05 苏州浪潮智能科技有限公司 A kind of method and apparatus of filtering safe group

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9755939B2 (en) * 2015-06-26 2017-09-05 Cisco Technology, Inc. Network wide source group tag binding propagation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant