CN113452619A - ACL-based traffic flow shunting method and device - Google Patents
Publication number: CN113452619A
Application number: CN202110729558.3A
Authority: CN (China)
Prior art keywords: flow, board card, shunting, acl, matching
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L61/25: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L61/00 (Network arrangements, protocols or services for addressing or naming) > H04L61/09 (Mapping addresses) > H04L61/25 (Mapping addresses of the same type)
- H04L47/10: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L47/00 (Traffic control in data switching networks) > H04L47/10 (Flow control; congestion control)
Abstract
The application provides an ACL-based traffic shunting method and device applied to NAT equipment. The method comprises: receiving traffic entering the NAT equipment through an interface board card and acquiring the shunting characteristic corresponding to the traffic; matching that shunting characteristic against the matching items of the ACL rule maintained by the interface board card, and determining the service board card to which the traffic is to be shunted; and shunting the traffic to the designated service board card by redirection. With this scheme, the traffic characteristic is obtained and matched against the ACL matching items, the service board card to which the traffic is distributed is determined, the processing action in the ACL rule is executed, and the traffic is redirected to the designated service board card, so that the NAT address translation service can still be provided when the switching chip of the interface board card in the NAT equipment supports only one distribution algorithm.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular to an ACL-based traffic shunting method and apparatus.
Background
The basic principle of NAT (Network Address Translation) is that an intranet host is assigned a legal extranet address only when it needs to access the external network, and uses its intranet address for internal communication. When a packet bound for the external network passes through the NAT device, the device replaces the source IP address of the original packet with a legal external address and records the translation; when the reply returns from the external network side, the NAT device looks up that record, replaces the destination IP address with the original intranet address, and delivers the packet to the host that sent the request.
The NAT device may be a frame network device with a plurality of slots built therein, and the slots may support insertion of a main control board, an interface board, a service board, a switch board, and the like. The service board card can process various network services including network address conversion.
However, a single service board card has limited address translation capacity and poor reliability. Multiple service board cards can therefore be configured and virtualized as one cloud board card, so that traffic is load-shared among the member service board cards of the cloud board card, the member service board cards act as redundant backups of one another, and the performance bandwidth of the service board cards is expanded.
Disclosure of Invention
In view of this, the present application provides an ACL-based traffic shunting method and apparatus, so that a switching chip supporting only one shunting algorithm can still serve an NAT device deployed with a cloud board card, based on the matching items of ACL rules and their corresponding processing actions.
Specifically, the method is realized through the following technical scheme:
In a first aspect, the present application provides an ACL-based traffic shunting method applied to NAT equipment, where the NAT equipment includes an interface board card and a plurality of service board cards for performing NAT address translation. The switching chip of the interface board card maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises the shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board card; the shunting characteristic comprises a packet characteristic that does not change when the traffic passes through the NAT equipment. The method comprises the following steps:
receiving the flow entering the NAT equipment through an interface board card, and acquiring a shunting characteristic corresponding to the flow;
matching the shunting characteristics corresponding to the flow with matching items in an ACL rule maintained by the interface board card, and determining a service board card to which the flow is to be shunted;
and shunting the flow to the appointed service board card through redirection.
In a second aspect, the present application provides another ACL-based traffic shunting method applied to NAT equipment, where the NAT equipment includes an interface board card and a plurality of service board cards for performing NAT address translation. The switching chip of the interface board card maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises a packet characteristic that does not change when the traffic passes through the NAT equipment, and the processing action comprises redirecting the traffic to a target service board card. The method comprises the following steps:
receiving the flow entering the NAT equipment through an interface board card, and acquiring message characteristics corresponding to the flow;
matching the message characteristics corresponding to the flow with matching items in an ACL rule maintained by the interface board card;
if the match succeeds, computing on the packet characteristic with a preset algorithm, and determining the target service board card corresponding to the traffic according to the calculated result;
and shunting the flow to the target service board card through redirection.
In a third aspect, the present application further provides an ACL-based traffic shunting device applied to NAT equipment, where the NAT equipment includes an interface board card and a plurality of service board cards for performing NAT address translation. The switching chip of the interface board card maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises the shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board card; the shunting characteristic comprises a packet characteristic that does not change when the traffic passes through the NAT equipment. The device includes:
the receiving unit is used for receiving the flow entering the NAT equipment through an interface board card and acquiring the shunting characteristics corresponding to the flow;
the matching unit is used for matching the flow distribution characteristics corresponding to the flow with matching items in an ACL rule maintained by the interface board card and determining a service board card to which the flow is distributed;
and the shunting unit is used for shunting the flow to the specified service board card through redirection.
In a fourth aspect, the present application further provides another ACL-based traffic shunting device applied to NAT equipment, where the NAT equipment includes an interface board card and a plurality of service board cards for performing NAT address translation. The switching chip of the interface board card maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises a packet characteristic that does not change when the traffic passes through the NAT equipment, and the processing action comprises redirecting the traffic to a target service board card. The device includes:
the receiving unit is used for receiving the flow entering the NAT equipment through an interface board card and acquiring the message characteristics corresponding to the flow;
the matching unit is used for matching the message characteristics corresponding to the flow with matching items in an ACL rule maintained by the interface board card;
the calculating unit is used for computing on the packet characteristic with a preset algorithm when the match succeeds, and determining the target service board card corresponding to the traffic according to the calculated result;
and the shunting unit is used for shunting the flow to the target service board card through redirection.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
by acquiring the traffic characteristic and matching it against the matching items of the ACL rule, the service board card to which the traffic is shunted is determined, the processing action in the ACL rule is executed, and the traffic is shunted to the designated service board card by redirection, so that the NAT address translation service can still be realized when the switching chip of the interface board card in the NAT equipment supports only one shunting algorithm.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Fig. 1 is a schematic diagram illustrating NAT address translation according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart illustrating an ACL-based traffic offload method according to an exemplary embodiment of the present application;
Fig. 3 is a flow chart illustrating another ACL-based traffic offload method according to an exemplary embodiment of the present application;
Fig. 4 is a hardware structure diagram of the electronic device in which an ACL-based traffic offload device according to an exemplary embodiment of the present application is located;
Fig. 5 is a block diagram of an ACL-based traffic offload device according to an exemplary embodiment of the present application;
Fig. 6 is a block diagram of another ACL-based traffic offload device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
A cloud board card is formed by virtualizing a plurality of service board cards into one. Logically, the cloud board card works as a single service board card, while the physical service board cards communicate with one another over high-speed bound interfaces inside the device. Cloud board card resources are allocated through a chosen shunting algorithm, so that traffic can be load-shared among all member service board cards, the member service board cards act as redundant backups of one another, and the performance bandwidth of the service board cards is expanded.
Generally, considering the slot resources of the chassis device and the mechanism of mixed insertion of multiple board card types, a cloud board card has at most 8 members.
In addition, when the member service board is abnormal or needs to be restarted, the cloud board can remove the service board from the member list, so that the service board does not process network services any more.
For example, please refer to fig. 1, fig. 1 is a schematic diagram illustrating NAT address translation according to an exemplary embodiment of the present application.
As shown in fig. 1, the NAT device includes 2 interface boards for receiving and forwarding traffic and 1 cloud board for processing NAT conversion services, where the cloud board is virtualized by 4 service boards. The interface board card is respectively connected with the internal network and the external network through external interfaces Eth1 and Eth2 of the NAT equipment.
Assuming the source IP address of the intranet host is a.b.c.d and the destination IP address of the external network to be accessed is w.x.y.z, when interface board card 1 receives traffic from the intranet through interface Eth1 (commonly called forward traffic), the switching chip of the interface board card needs to determine the service board card that will process the traffic and send the traffic to it; that service board card performs the NAT translation, replaces the source IP with m.n.o.p, records the translation, and forwards the traffic to the external network through interface board card 2.
Correspondingly, when interface board card 2 receives traffic from the external network through interface Eth2 (commonly called reverse traffic), the packet characteristics carried by the traffic are source IP w.x.y.z and destination IP m.n.o.p, so the NAT device needs to perform NAT restore processing: it looks up the original translation record and replaces the destination IP address with the original intranet address a.b.c.d, so that the traffic can be sent to the correct intranet host.
In the above process, if the forward flow and the reverse flow corresponding to a certain service are sent to different service boards for NAT service processing, when NAT is restored, because the corresponding translation record cannot be found, NAT restoration cannot be implemented, resulting in abnormal service. Therefore, for the received reverse traffic, it needs to be shunted to the same service board that processes the forward traffic for processing.
Specifically, various shunting algorithms can be preset on a switching chip of the interface board card, the interface board card 1 shunts forward flow based on a destination IP, and the interface board card 2 shunts reverse flow based on a source IP.
For example, a hash value may be computed with a hash algorithm over the destination IP of received forward traffic or the source IP of received reverse traffic, the hash taken modulo the number of cloud board card members, and the remainder used as the label of the member service board card to which the traffic is sent. Because the destination IP of the forward traffic equals the source IP of the reverse traffic, the hash and remainder results are the same, and both flows are distributed to the same service board card for processing.
However, when the switch chip only supports one offload algorithm, the above scheme depending on multiple offload algorithms cannot be used, and the forward traffic and the corresponding reverse traffic cannot be offloaded to the same service board for processing.
In view of this, the present application provides a technical solution for configuring an ACL rule on a switch chip of an interface board card, so as to match a flow distribution characteristic corresponding to a flow and control the flow to be distributed to a determined service board card by redirection.
In implementation, the interface board card receives traffic entering the NAT equipment and acquires the shunting characteristic corresponding to the traffic; the shunting characteristic is matched against the matching items of the ACL rule maintained by the interface board card to determine the service board card to which the traffic is to be shunted; and the traffic is shunted to the designated service board card by redirection.
The switching chip of the interface board card maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises the shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board card; the shunting characteristic comprises a packet characteristic that does not change when the traffic passes through the NAT equipment.
For example, after forward traffic entering the NAT device is received through the interface board card, the destination IP of the forward traffic may be obtained and the shunting characteristic corresponding to the forward traffic computed from it with a Boolean operation; the shunting characteristic is matched against the matching items of the ACL rule maintained by the switching chip of the interface board card, and when the match succeeds the processing action corresponding to that matching item is determined; the processing action is executed, shunting the forward traffic to the designated service board card by redirection.
In the above technical solution, by obtaining the traffic characteristics, matching with the matching items of the ACL rules, determining the service board to which the traffic is shunted, executing the processing action in the ACL rules, and shunting the traffic to the specified service board by redirection, the switching chip of the interface board in the NAT device can still realize the NAT network address translation service when only one shunting algorithm is supported by the switching chip.
Next, examples of the present application will be described in detail.
Referring to fig. 2, fig. 2 is a flowchart illustrating an ACL-based traffic offload method according to an exemplary embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
step 201: receiving the flow entering the NAT equipment through an interface board card, and acquiring a shunting characteristic corresponding to the flow;
step 202: matching the shunting characteristics corresponding to the flow with matching items in an ACL rule maintained by the interface board card, and determining a service board card to which the flow is to be shunted;
step 203: and shunting the flow to the appointed service board card through redirection.
The ACL (Access Control List) technique is a packet-filtering-based access control technique that filters packets on an interface according to configured rules, allowing them to pass or dropping them. ACLs are widely used in routers and layer-3 switches; with ACLs, user access to a network can be effectively controlled, thereby improving network security.
Generally, the switching chips of network devices support ACL technology; an ACL rule set on an interface of the network device controls the packets flowing in and out through that interface.
Specifically, the ACL rules include the correspondence between matching items and processing actions, and the ACL rules perform specific processing actions, such as speed limiting, redirection, statistics, and the like, on the messages satisfying the characteristics by matching the specified characteristics of the messages.
For example, assuming that the matching entry in the ACL rule is destination IP 192.168.10.11 and the corresponding processing action is blocking, when a message with destination IP 192.168.10.11 is received, the corresponding processing action is performed as blocking on the message because the specified feature of the message matches the matching entry in the ACL rule.
In this embodiment, an interface board card is used to receive traffic entering the NAT device, and obtain a flow distribution characteristic corresponding to the traffic;
the NAT device may include an interface board card and a plurality of service board cards for performing NAT address translation; the switching chip of the interface board card maintains an ACL rule which is issued in advance and used for flow shunting; the ACL rule comprises a corresponding relation between a matching item and a processing action; the matching item comprises a flow distribution characteristic corresponding to the flow, and the processing action comprises redirecting the flow to a specified service board card; the flow distribution characteristics comprise message characteristics that the flow does not change when passing through the NAT equipment.
In one embodiment shown, the message characteristics may include a destination IP of forward traffic or a source IP of reverse traffic entering the NAT device.
In order to send the forward traffic and the reverse traffic to the same service board card, the invariant message features in the forward traffic and the reverse traffic corresponding to the NAT service may be selected as the shunting features for shunting, that is, the destination IP of the forward traffic and the source IP of the reverse traffic.
For example, the interface board card receiving the intranet traffic may use the destination IP as a matching item of the ACL rule, and the interface board card receiving the extranet traffic may use the source IP as a matching item of the ACL rule.
In an embodiment shown, to obtain a flow distribution characteristic corresponding to a flow, a packet characteristic of the flow may be obtained, and the flow distribution characteristic is calculated based on a preset algorithm.
Because the width of the matching-item field in an ACL rule is limited, using the packet characteristic directly as the shunting characteristic would make the field too long; the packet characteristic can instead be processed with a preset algorithm to derive the shunting characteristic.
For example, the 4th byte of the destination IP of forward traffic or of the source IP of reverse traffic may be selected as the matching item of the ACL rule.
In one embodiment shown, the predetermined algorithm may comprise a boolean operation.
To shorten the matching-item field further, a Boolean operation may be applied to the packet characteristic to derive the shunting characteristic.
For example, a bitwise AND with 00000111 may be applied to the 4th byte of the destination IP of forward traffic or of the source IP of reverse traffic, extracting the last 3 bits of that byte as the shunting characteristic. This gives 8 possible cases: 000, 001, 010, 011, 100, 101, 110, and 111.
In an embodiment shown, before the ACL rules are issued, a shunting rule may be determined according to the number of service board cards, and the ACL rules are determined from that shunting rule; the shunting rule comprises the correspondence between each service board card and its shunting characteristics.
In order to ensure that each member service board card of the cloud board card shares flow uniformly, and prevent the use efficiency difference between different member service board cards from being overlarge, the shunting rule can be determined according to the number of the members.
Continuing with the above example, assuming that the offloading characteristic is the last 3 bits of the 4 th byte and the number of members of the cloud board card is 4, the offloading rule shown in table 1 below may be determined according to the number of the service board cards:
| Service board number | Shunting feature |
|---|---|
| FW1 | 000, 100 |
| FW2 | 001, 101 |
| FW3 | 010, 110 |
| FW4 | 011, 111 |
TABLE 1
The ACL rules determined based on the breakout rules shown in table 1 are shown in table 2 below:
| Matching item | Processing action |
|---|---|
| 000, 100 | Incoming-direction packet is redirected to FW1 |
| 001, 101 | Incoming-direction packet is redirected to FW2 |
| 010, 110 | Incoming-direction packet is redirected to FW3 |
| 011, 111 | Incoming-direction packet is redirected to FW4 |
TABLE 2
When the cloud board card has 8 members, each member service board card corresponds one-to-one to one of the 8 shunting characteristics, and the shunting rule is as shown in Table 3 below:
| Service board number | Shunting feature |
|---|---|
| FW1 | 000 |
| FW2 | 001 |
| FW3 | 010 |
| FW4 | 011 |
| FW5 | 100 |
| FW6 | 101 |
| FW7 | 110 |
| FW8 | 111 |
TABLE 3
The ACL rules determined based on the breakout rules shown in table 3 are shown in table 4 below:
| Matching item | Processing action |
|---|---|
| 000 | Incoming-direction packet is redirected to FW1 |
| 001 | Incoming-direction packet is redirected to FW2 |
| 010 | Incoming-direction packet is redirected to FW3 |
| 011 | Incoming-direction packet is redirected to FW4 |
| 100 | Incoming-direction packet is redirected to FW5 |
| 101 | Incoming-direction packet is redirected to FW6 |
| 110 | Incoming-direction packet is redirected to FW7 |
| 111 | Incoming-direction packet is redirected to FW8 |
TABLE 4
After the ACL rule is created, the ACL rule may be applied to a designated direction of a designated interface of the NAT device, the NAT device may issue the ACL rule to a corresponding interface board based on an identifier of the interface board, the ACL rule is maintained by a switch chip of the interface board, and the ACL rule is configured for a specific interface of the interface board.
In an embodiment shown in the present disclosure, it may be determined that the interface board receives an identifier corresponding to an interface of the traffic, and the ACL rule is configured for the interface based on the identifier corresponding to the interface.
The interface can be an interface for receiving the flow to be shunted on an interface board card appointed by a user.
For example, continuing with the ACL rules in Table 4, after the ACL rules are created they can be configured to the designated interfaces by issuing the entries created from them, as shown in Table 5 below:
| Number | Designated interface | Matching item | Processing action |
|---|---|---|---|
| 1 | ETH1 | 000 | Incoming-direction packet is redirected to FW1 |
| 2 | ETH1 | 001 | Incoming-direction packet is redirected to FW2 |
| 3 | ETH1 | 010 | Incoming-direction packet is redirected to FW3 |
| 4 | ETH1 | 011 | Incoming-direction packet is redirected to FW4 |
| 5 | ETH1 | 100 | Incoming-direction packet is redirected to FW5 |
| 6 | ETH1 | 101 | Incoming-direction packet is redirected to FW6 |
| 7 | ETH1 | 110 | Incoming-direction packet is redirected to FW7 |
| 8 | ETH1 | 111 | Incoming-direction packet is redirected to FW8 |
| 9 | ETH2 | 000 | Incoming-direction packet is redirected to FW1 |
| 10 | ETH2 | 001 | Incoming-direction packet is redirected to FW2 |
| 11 | ETH2 | 010 | Incoming-direction packet is redirected to FW3 |
| 12 | ETH2 | 011 | Incoming-direction packet is redirected to FW4 |
| 13 | ETH2 | 100 | Incoming-direction packet is redirected to FW5 |
| 14 | ETH2 | 101 | Incoming-direction packet is redirected to FW6 |
| 15 | ETH2 | 110 | Incoming-direction packet is redirected to FW7 |
| 16 | ETH2 | 111 | Incoming-direction packet is redirected to FW8 |
TABLE 5
When the ACL rules are issued, the identifier corresponding to the designated interface on which each ACL rule takes effect is determined from the rule itself. To configure the ACL rules on the designated interfaces, the ACL rules are issued to the interface boards on which those interfaces are located;
assuming that the interface board corresponding to ETH1 has the identifier interface board 1 and the interface board corresponding to ETH2 has the identifier interface board 2, the entries numbered 1 to 8 in the table above are issued to interface board 1 and the entries numbered 9 to 16 to interface board 2;
the identifier may be the identifier of the slot that the interface board occupies in the NAT device.
After receiving the corresponding entries, the switch chip of the interface board maintains them and configures the ACL rule in each entry on the designated interface, based on the identifier of the designated interface carried in the entry.
It should be noted that each interface can apply only one ACL rule in each direction; since in the application scenario of the present application the received traffic must be shunted, the ACL rule is applied in the ingress direction.
In an embodiment of the present invention, when the number of service boards changes, the shunting rule may be re-determined according to the new number of service boards, and the ACL rule re-determined according to the re-determined shunting rule.
For example, when the number of members of the cloud board card changes from 8 to 4, the shunting rule needs to be re-determined: the shunting rule in Table 3 may be changed to the shunting rule in Table 1, and a new ACL rule as shown in Table 2 is re-determined based on the shunting rule in Table 1;
to avoid abnormal traffic while the number of service boards is changing, the new ACL rules may be issued to each interface board before the service boards are changed, and the switch chip configures the new ACL rules on the designated interfaces.
Formulating different shunting rules and corresponding ACL rules according to the number of service boards lets the scheme adapt flexibly to the deployment of the cloud board card: when the number of members is adjusted according to service requirements, or a member service board is abnormally removed, traffic can still be shunted to a designated service board to perform the NAT translation service.
In the above technical solution, the switch chip of the interface board in the NAT device obtains the traffic characteristics, matches them against the matching items of the ACL rules, determines the service board to which the traffic is shunted, executes the processing action of the ACL rule and shunts the traffic to the designated service board by redirection; the NAT address translation service can thus be realized even when the switch chip supports only one shunting algorithm.
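The issuing procedure just described (the Table 5 entries grouped per interface board) and the re-determination of the shunting rule when the service-board count changes, as an added worked example in Python; this is not code from the patent or its applicant. It assumes service boards named FW1..FWn with n a power of two, a matching item equal to the fourth address byte ANDed with n-1 (00000111 for 8 boards, 00000011 for 4), a constructed interface-to-slot map, and it adds an uncovered_values check, not in the patent, that verifies the new rule set covers every masked value before it is activated.

```python
"""Control-plane side of the ACL-based shunting scheme (added example).

Derives the shunting rule and the ACL entries from the service-board count,
groups the entries per interface board for issuing, and checks a new rule
set before the board count changes.  Board naming, mask derivation and the
interface-to-slot map are assumptions, not statements from the patent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: int        # row number as in Table 5
    interface: str     # designated interface, e.g. "ETH1"
    match: str         # matching item: masked value as a bit pattern, e.g. "101"
    action: str        # processing action


def shunting_rule(board_count):
    """Shunting rule for n boards: (mask, masked value -> board identifier).

    With 8 boards the mask is 0b111 and values 0..7 map to FW1..FW8; with 4
    boards the mask is 0b11 and values 0..3 map to FW1..FW4.
    """
    if board_count < 2 or board_count & (board_count - 1):
        raise ValueError("board count must be a power of two, at least 2")
    mask = board_count - 1
    return mask, {value: f"FW{value + 1}" for value in range(board_count)}


def build_acl(board_count, interfaces):
    """One ACL entry per (interface, masked value) pair, numbered like Table 5."""
    mask, rule = shunting_rule(board_count)
    width = mask.bit_length()
    entries = []
    for iface in interfaces:
        for value, board in rule.items():
            entries.append(AclEntry(
                number=len(entries) + 1,
                interface=iface,
                match=format(value, f"0{width}b"),
                action=f"ingress packet redirected to {board}",
            ))
    return entries


def issue_to_boards(entries, iface_to_slot):
    """Group entries by the slot identifier of the board hosting their interface.

    iface_to_slot is the assumed interface -> slot map; the patent uses the
    slot identifier as the interface-board identifier.
    """
    per_slot = {}
    for entry in entries:
        per_slot.setdefault(iface_to_slot[entry.interface], []).append(entry)
    return per_slot


def uncovered_values(entries, interface, mask):
    """Masked values that have no ACL entry on `interface`.

    Traffic hashing to such a value would not be redirected to any service
    board, so the set must be empty before a rule set is activated.
    """
    covered = {int(e.match, 2) for e in entries if e.interface == interface}
    return set(range(mask + 1)) - covered


def plan_board_count_change(new_count, interfaces, iface_to_slot):
    """ACL set to issue to every interface board before the boards change.

    Returns (entries grouped per slot, uncovered values per interface) so the
    caller can refuse to activate an incomplete set.
    """
    mask, _ = shunting_rule(new_count)
    entries = build_acl(new_count, interfaces)
    gaps = {iface: uncovered_values(entries, iface, mask) for iface in interfaces}
    return issue_to_boards(entries, iface_to_slot), gaps


if __name__ == "__main__":
    slots = {"ETH1": 1, "ETH2": 2}   # constructed: ETH1 on board 1, ETH2 on board 2
    per_slot, gaps = plan_board_count_change(4, ["ETH1", "ETH2"], slots)
    for slot, rows in per_slot.items():
        print(f"interface board {slot}:")
        for r in rows:
            print(f"  {r.number:2d} {r.interface} {r.match} {r.action}")
    print("uncovered masked values:", gaps)
```

Running the script prints the 4-board rule set (two bits of matching item, entries 1 to 4 for interface board 1 and 5 to 8 for interface board 2) that would be issued ahead of shrinking the cloud board card from 8 to 4 members, with an empty gap set for each interface.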
Corresponding to the above method embodiments, the present application also provides another method embodiment.
Referring to fig. 3, which is a flowchart of another ACL-based traffic offload method according to an exemplary embodiment of the present application, the method includes the following steps:
step 301: receiving traffic entering the NAT device through an interface board, and obtaining the message characteristics corresponding to the traffic;
step 302: matching the message characteristics corresponding to the traffic with the matching items in the ACL rule maintained by the interface board;
step 303: if the match succeeds, calculating on the message characteristics based on a preset algorithm, and determining the target service board corresponding to the traffic according to the calculated result;
step 304: shunting the traffic to the target service board through redirection.
The NAT device comprises an interface board and a plurality of service boards for NAT address translation; a switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises message characteristics that do not change when the traffic passes through the NAT device, and the processing action comprises redirecting the traffic to a target service board.
In the foregoing method embodiment, the processing action corresponding to the matching item in the ACL rule redirects the traffic to a designated service board: when the traffic is shunted, the shunting characteristic corresponding to the traffic is obtained first, and after the match against the matching item in the ACL rule passes, the corresponding processing action is executed, shunting the traffic to the designated service board.
In this embodiment, the traffic can be matched directly against the matching item in the ACL rule using the message characteristics corresponding to the traffic; when the match passes, the message characteristics are calculated on with a preset algorithm, the target service board is determined from the result, the processing action corresponding to the matching item in the ACL rule is executed, and the traffic is redirected and shunted to the target service board.
For example, the matching item in the ACL rule may be the destination IP of forward traffic or the source IP of reverse traffic, or the fourth byte of the destination IP of forward traffic or the fourth byte of the source IP of reverse traffic, and the corresponding processing action may be that the ingress packet is redirected to the target service board.
In an embodiment, the message characteristics may be calculated on with a Boolean operation, and the identifier of the target service board determined from the result.
For example, when there are 8 service boards with identifiers FW1 to FW8, a bitwise AND of the fourth byte of the destination IP (or source IP) of a matched packet with 00000111 yields a result of 0 to 7; the calculation results are mapped one-to-one onto the service board identifiers, so the identifier of the target service board is determined from the result of the Boolean operation.
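The per-packet path of steps 301 to 304, as an added example in Python that is not the patent's own code: it keys on the destination IP of forward traffic and the source IP of reverse traffic, ANDs the fourth byte with 00000111 for 8 boards, and contrasts this with keying on the address that NAT rewrites, which would send a session's reply to a different board than its forward packets. The direction-by-ingress-interface map, the sample addresses, the SNAT simulation and the naive_classify contrast are constructions for the example, not details from the page.

```python
"""Data-plane side of the ACL-based shunting scheme (added example).

Matches an ingress packet against the ACL, computes the target board from the
NAT-invariant address byte, and shows that both directions of one session
land on the same board.  The direction map, sample addresses and the SNAT
simulation are constructed for this example.
"""
import ipaddress

# Constructed: ETH1 faces the inside (forward traffic), ETH2 the outside (reverse).
DIRECTION_OF_INTERFACE = {"ETH1": "forward", "ETH2": "reverse"}


def redirect_table(board_count=8):
    """(mask, masked value -> service board identifier) for the 8-board example."""
    mask = board_count - 1
    return mask, {value: f"FW{value + 1}" for value in range(board_count)}


def nat_invariant_byte(packet, direction):
    """Fourth byte of the address NAT does not rewrite: destination IP of
    forward traffic, source IP of reverse traffic."""
    addr = packet["dst"] if direction == "forward" else packet["src"]
    return ipaddress.IPv4Address(addr).packed[3]


def classify(packet, acl):
    """Service board the packet is redirected to, or None when the ACL does not match."""
    mask, table = acl
    if packet.get("ethertype") != "ipv4":
        return None                                   # no matching item: normal forwarding
    direction = DIRECTION_OF_INTERFACE[packet["ingress"]]
    value = nat_invariant_byte(packet, direction) & mask   # the Boolean operation (AND 00000111)
    return table[value]


def naive_classify(packet, acl):
    """For contrast only: key on the address NAT *does* rewrite (source of
    forward traffic, destination of reverse traffic).  Not the patent's scheme."""
    mask, table = acl
    direction = DIRECTION_OF_INTERFACE[packet["ingress"]]
    addr = packet["src"] if direction == "forward" else packet["dst"]
    return table[ipaddress.IPv4Address(addr).packed[3] & mask]


def session_boards(inside_packet, public_ip, acl, pick=classify):
    """Board chosen for the forward packet and for the reply to its SNAT-translated form."""
    translated = {**inside_packet, "src": public_ip}           # SNAT done on the service board
    reply = {**translated, "src": translated["dst"], "dst": translated["src"], "ingress": "ETH2"}
    return pick(inside_packet, acl), pick(reply, acl)


if __name__ == "__main__":
    acl = redirect_table(8)
    # Constructed sample: inside host 10.0.0.12 talks to 203.0.113.77 and is
    # translated to the public address 198.51.100.9 by the service board.
    pkt = {"ethertype": "ipv4", "ingress": "ETH1", "src": "10.0.0.12", "dst": "203.0.113.77"}
    print("NAT-invariant key (forward, reverse):", session_boards(pkt, "198.51.100.9", acl))
    print("NAT-rewritten key (forward, reverse):", session_boards(pkt, "198.51.100.9", acl, pick=naive_classify))
    print("ARP frame:", classify({"ethertype": "arp", "ingress": "ETH1"}, acl))
```

With the NAT-invariant key both directions of the sample session select FW6 (77 AND 7 = 5), so the service board that created the translation also sees the reply; keyed on the rewritten address the forward packet would go to FW5 and the reply to FW2, and the translation state would not be found.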
The embodiments in the present application are described progressively; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. Since this method embodiment is basically similar to the preceding method embodiment, its description is brief, and the relevant points may be found in the partial description of the preceding method embodiment, which is not repeated here.
Corresponding to the above method embodiment, the present application also provides an embodiment of an ACL-based traffic offload device. The ACL-based traffic offload device embodiment may be applied to an electronic device. The device embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, as a logical device it is formed by the processor of the electronic device in which it resides reading the corresponding computer program instructions from nonvolatile memory into memory and running them. In terms of hardware, fig. 4 is a hardware structure diagram of an electronic device hosting an ACL-based traffic offload apparatus according to an exemplary embodiment of the present application; besides the processor, memory, network interface and nonvolatile memory shown in fig. 4, the electronic device hosting the apparatus may include other hardware according to its actual function, which is not described again.
Referring to fig. 5, which is a block diagram of an ACL-based traffic offload device according to an exemplary embodiment of the present application, the device 500 may be applied in the electronic device shown in fig. 4 and includes:
a receiving unit 501, configured to receive traffic entering the NAT device through an interface board card, and obtain a flow splitting characteristic corresponding to the traffic;
a matching unit 502, configured to match a flow splitting characteristic corresponding to the traffic with a matching item in an ACL rule maintained by the interface board card, and determine a service board card to which the traffic is to be split;
a shunting unit 503, configured to shunt the traffic to the specified service board via redirection.
The NAT device comprises an interface board and a plurality of service boards for NAT address translation; the switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises the shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board; the shunting characteristic comprises message characteristics that do not change when the traffic passes through the NAT device.
In an embodiment, the message characteristics include a destination IP of forward traffic or a source IP of reverse traffic entering the NAT device.
In one embodiment, the receiving unit 501 includes:
a calculating unit, configured to obtain the message characteristics of the traffic and calculate the shunting characteristic based on a preset algorithm.
In an embodiment, the predetermined algorithm includes a boolean operation.
In one embodiment, the device 500 further comprises:
a generating unit, configured to determine a shunting rule according to the number of service boards and determine the ACL rule based on the shunting rule; the shunting rule comprises the correspondence between each service board and the shunting characteristic.
In one embodiment, the device 500 comprises:
a configuration unit, configured to determine the identifier of the interface on which the interface board receives the traffic, and configure the ACL rule on the interface based on the identifier corresponding to the interface.
In one embodiment, the device 500 further comprises:
an updating unit, configured to re-determine the shunting rule according to the number of service boards when that number changes, and re-determine the ACL rule according to the re-determined shunting rule.
Referring to fig. 6, which is a block diagram of another ACL-based traffic offload device according to an exemplary embodiment of the present application, the device 600 may be applied in the electronic device shown in fig. 4 and includes:
a receiving unit 601, configured to receive traffic entering the NAT device through an interface board, and obtain a message feature corresponding to the traffic;
a matching unit 602, configured to match the packet characteristics corresponding to the traffic with a matching item in an ACL rule maintained by the interface board;
a calculating unit 603, configured to calculate on the message characteristics based on a preset algorithm when the match succeeds, and determine the target service board corresponding to the traffic according to the calculated result;
a shunting unit 604, configured to shunt the traffic to the destination service board by redirection.
The NAT device comprises an interface board and a plurality of service boards for NAT address translation; the switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises message characteristics that do not change when the traffic passes through the NAT device, and the processing action comprises redirecting the traffic to a target service board.
In an embodiment, the calculating unit 603 is further configured to:
calculate on the message characteristics based on a Boolean operation, and determine the identifier of the target service board according to the calculated result.
The embodiments in the present application are described progressively; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, since the device and apparatus embodiments are substantially similar to the method embodiments, their description is brief, and for the relevant points refer to the partial description of the method embodiments.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The device embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by an article with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiment, the present specification also provides an embodiment of an electronic device. The electronic device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
receiving traffic entering the NAT device through an interface board, and obtaining the shunting characteristic corresponding to the traffic;
matching the shunting characteristic corresponding to the traffic with the matching items in the ACL rule maintained by the interface board, and determining the service board to which the traffic is to be shunted;
shunting the traffic to the designated service board through redirection.
The NAT device comprises an interface board and a plurality of service boards for NAT address translation; the switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises the shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board; the shunting characteristic comprises message characteristics that do not change when the traffic passes through the NAT device.
The present specification also provides another embodiment of an electronic device, corresponding to the above-described method embodiment. The electronic device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
receiving traffic entering the NAT device through an interface board, and obtaining the message characteristics corresponding to the traffic;
matching the message characteristics corresponding to the traffic with the matching items in the ACL rule maintained by the interface board;
if the match succeeds, calculating on the message characteristics based on a preset algorithm, and determining the target service board corresponding to the traffic according to the calculated result;
shunting the traffic to the target service board through redirection.
The NAT device comprises an interface board and a plurality of service boards for NAT address translation; the switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises message characteristics that do not change when the traffic passes through the NAT device, and the processing action comprises redirecting the traffic to a target service board.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. An ACL-based traffic shunting method, applied to a NAT device, the NAT device comprising an interface board and a plurality of service boards for NAT address translation; a switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises a shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board; the shunting characteristic comprises message characteristics that do not change when the traffic passes through the NAT device; the method comprises:
receiving traffic entering the NAT device through an interface board, and obtaining the shunting characteristic corresponding to the traffic;
matching the shunting characteristic corresponding to the traffic with the matching items in the ACL rule maintained by the interface board, and determining the service board to which the traffic is to be shunted;
shunting the traffic to the designated service board through redirection.
2. The method of claim 1, wherein the message characteristics comprise a destination IP of forward traffic or a source IP of reverse traffic entering the NAT device.
3. The method of claim 1, wherein obtaining the shunting characteristic corresponding to the traffic comprises:
obtaining the message characteristics of the traffic, and calculating the shunting characteristic based on a preset algorithm.
4. The method of claim 3, wherein the preset algorithm comprises a Boolean operation.
5. The method of claim 1, further comprising, before the ACL rule is issued:
determining a shunting rule according to the number of service boards, and determining the ACL rule based on the shunting rule; the shunting rule comprises the correspondence between each service board and the shunting characteristic.
6. The method of claim 5, wherein the switch chip of the interface board maintaining an ACL rule issued in advance for traffic shunting comprises:
determining the identifier of the interface on which the interface board receives the traffic, and configuring the ACL rule on the interface based on the identifier corresponding to the interface.
7. The method of claim 5, further comprising:
when the number of service boards changes, re-determining the shunting rule according to the number of service boards, and re-determining the ACL rule according to the re-determined shunting rule.
8. An ACL-based traffic shunting method, applied to a NAT device, the NAT device comprising an interface board and a plurality of service boards for NAT address translation; a switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises message characteristics that do not change when the traffic passes through the NAT device, and the processing action comprises redirecting the traffic to a target service board; the method comprises:
receiving traffic entering the NAT device through an interface board, and obtaining the message characteristics corresponding to the traffic;
matching the message characteristics corresponding to the traffic with the matching items in the ACL rule maintained by the interface board;
if the match succeeds, calculating on the message characteristics based on a preset algorithm, and determining the target service board corresponding to the traffic according to the calculated result;
shunting the traffic to the target service board through redirection.
9. An ACL-based traffic shunting device, applied to a NAT device, the NAT device comprising an interface board and a plurality of service boards for NAT address translation; a switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises a shunting characteristic corresponding to the traffic, and the processing action comprises redirecting the traffic to a designated service board; the shunting characteristic comprises message characteristics that do not change when the traffic passes through the NAT device; the device comprises:
a receiving unit, configured to receive traffic entering the NAT device through an interface board and obtain the shunting characteristic corresponding to the traffic;
a matching unit, configured to match the shunting characteristic corresponding to the traffic with the matching items in the ACL rule maintained by the interface board and determine the service board to which the traffic is to be shunted;
a shunting unit, configured to shunt the traffic to the designated service board through redirection.
10. An ACL-based traffic shunting device, applied to a NAT device, the NAT device comprising an interface board and a plurality of service boards for NAT address translation; a switch chip of the interface board maintains an ACL rule issued in advance for traffic shunting; the ACL rule comprises a correspondence between a matching item and a processing action; the matching item comprises message characteristics that do not change when the traffic passes through the NAT device, and the processing action comprises redirecting the traffic to a target service board; the device comprises:
a receiving unit, configured to receive traffic entering the NAT device through an interface board and obtain the message characteristics corresponding to the traffic;
a matching unit, configured to match the message characteristics corresponding to the traffic with the matching items in the ACL rule maintained by the interface board;
a calculating unit, configured to calculate on the message characteristics based on a preset algorithm when the match succeeds, and determine the target service board corresponding to the traffic according to the calculated result;
a shunting unit, configured to shunt the traffic to the target service board through redirection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110729558.3A CN113452619A (en) | 2021-06-29 | 2021-06-29 | ACL-based traffic flow shunting method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113452619A true CN113452619A (en) | 2021-09-28 |
Family
ID=77814249
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110729558.3A Pending CN113452619A (en) | 2021-06-29 | 2021-06-29 | ACL-based traffic flow shunting method and device |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010020151A1 (en) * | 2008-08-18 | 2010-02-25 | 成都市华为赛门铁克科技有限公司 | A method, apparatus and system for packet processing |
CN101707569A (en) * | 2009-12-21 | 2010-05-12 | 杭州华三通信技术有限公司 | Method and device for processing NAT service message |
CN104065759A (en) * | 2013-03-22 | 2014-09-24 | 杭州迪普科技有限公司 | Method for improving utilization efficiency of NAT address pool resource and device thereof |
CN105227463A (en) * | 2014-06-13 | 2016-01-06 | 杭州迪普科技有限公司 | Communication means in a kind of distributed apparatus between business board |
CN105939324A (en) * | 2016-01-11 | 2016-09-14 | 杭州迪普科技有限公司 | Message forwarding method and device |
CN105991444A (en) * | 2015-08-06 | 2016-10-05 | 杭州迪普科技有限公司 | Business processing method and business processing apparatus |
CN106878179A (en) * | 2016-12-14 | 2017-06-20 | 新华三技术有限公司 | A kind of message forwarding method and device |
CN107896196A (en) * | 2017-12-28 | 2018-04-10 | 杭州迪普科技股份有限公司 | A kind of method and apparatus of assignment message |
CN108390954A (en) * | 2018-03-26 | 2018-08-10 | 新华三信息安全技术有限公司 | A kind of message transmitting method and equipment |
CN112738290A (en) * | 2020-12-25 | 2021-04-30 | 杭州迪普科技股份有限公司 | NAT (network Address translation) conversion method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20210928 |