CN102263679B - Source role information processing method and forwarding chip - Google Patents
- Publication number: CN102263679B
- Authority: CN (China)
- Prior art keywords: data message, vtag, source role, tag, message
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a source role information processing method and a forwarding chip for processing source role information. The method comprises the following steps: when an Ingress function is enabled, inserting a source role tag into a data message as the inner-layer virtual local area network (VLAN) tag of the data message; when an intermediate equipment function is enabled and the data message is forwarded, keeping the source role tag serving as the inner-layer VLAN tag in the data message unchanged; and when an Egress function is enabled, acquiring the source role tag serving as the inner-layer VLAN tag from the data message, thereby performing role-based access control. The method uses the QinQ function of conventional forwarding chips and requires no major change to the functions of conventional network equipment, so the upgrade cost of the network is reduced. The invention also provides a universal forwarding chip, which lays a more flexible foundation for upper-layer software and makes the forwarding chip easier to manage.
    Description
    Technical field
      The present invention relates to the field of network communication technology, and in particular to a method and a forwarding chip for processing source role information.
    Background art
      To guarantee network security, a user must be authenticated when accessing the network, and after authentication access control is also needed, that is, the user's access rights are restricted by configuring access control lists (ACLs). Traditional access control methods are mainly based on IP addresses, which has the drawbacks of an excessive number of ACL entries and a heavy configuration management workload when IP addresses change. Role-based access control was therefore proposed. Its basic idea is: a source role tag is assigned to the user, a destination role tag is assigned to the server, and the ACL performs access control based on the source role tag and the destination role tag. This role-based approach in effect aggregates IP-address-based ACLs by role information, which greatly reduces the number of ACL entries. Moreover, however the IP address changes, the role tag does not change and the role-based ACL does not change, which clearly reduces the configuration management workload considerably.
      The role-based access control architecture can be as shown in Fig. 1. A user device obtains a source role after passing authentication, and this source role information is stored in the entrance (Ingress) device. A resource-side device (a server in the figure) obtains a destination role after passing authentication; this destination role information is stored in the exit (Egress) device, and a role-based access control list (RBACL) is formed. The user device sends a message to the Ingress device, the Ingress device places the source role information of the user device in the message, and the message carries this source role information throughout subsequent forwarding until it reaches the Egress device. After receiving the message, the Egress device determines the destination role information of the message, matches the RBACL according to the source role information and the destination role information, and performs access control on the message according to the match result, including permitting forwarding, denying forwarding, or limiting the forwarding rate. Note that in the architecture of Fig. 1 the Ingress and Egress devices may be in a Layer 2 network or in a Layer 3 network; ordinary network devices may exist between the Ingress device and the user device and between the Egress device and the server; and intermediate network devices may exist between the Ingress device and the Egress device.
      In existing implementations, source role information is carried in the message mainly in the following ways:
      The first: carrying at the physical layer, that is, in the 8-byte Ethernet preamble of the message. This requires modifying the standard Ethernet preamble, which the physical-layer functions of current devices do not support, so the whole network must be upgraded; the upgrade cost is high, and transition and adoption are difficult.
      The second: carrying at the link layer, that is, in a newly constructed role control information field in the message. Because this constructs a new field that current devices do not support, the whole network must be upgraded, and the upgrade cost is high.
      The third: carrying in an IPv4 option (Option) field, that is, defining a new Option type in the IPv4 field to carry source role information. The whole network likewise has to be upgraded so that all devices can process the newly added Option type; the upgrade cost is high, and message types other than IPv4 are not supported.
      The fourth: carrying in an IPv6 Option field, that is, defining a new IPv6 extension header, the SGT option header, in the IPv6 field to carry source role information. However, hardware insertion of the SGT option header requires the chip to support a new function, so chip functions must likewise be upgraded; the upgrade cost is high, and message types other than IPv6 are not supported.
      As can be seen, all of these prior-art approaches require substantial changes to the functions of existing devices, and the upgrade cost is high.
    Summary of the invention
      The invention provides a method and a forwarding chip for processing source role information, so as to be better compatible with the functions of existing devices and to reduce upgrade cost.
      A method for processing source role information, the method comprising:
      when it is determined that the Ingress function is enabled, inserting a source role tag into a data message as the inner virtual local area network (VLAN) tag of the data message;
      when it is determined that the intermediate device function is enabled, keeping the source role tag serving as the inner VLAN tag unchanged while forwarding the data message;
      when it is determined that the Egress function is enabled, obtaining the source role tag serving as the inner VLAN tag from the data message, for performing role-based access control on said data message.
      A forwarding chip for processing source role information, the forwarding chip comprising: an Ingress functional module, an intermediate device functional module and an Egress functional module;
      said Ingress functional module is used, when enabled, to insert a source role tag into a data message as the inner VLAN tag of the data message;
      said intermediate device functional module is used, when enabled, to keep the source role tag serving as the inner VLAN tag unchanged while forwarding the data message;
      said Egress functional module is used, when enabled, to obtain the source role tag serving as the inner VLAN tag from the data message, for performing role-based access control on said data message.
      As can be seen from the above technical solutions, when the Ingress function is enabled, the present invention inserts the source role tag into the message as the inner VLAN tag of the message; when the intermediate device function is enabled, the inner VLAN tag carrying the source role tag is kept unchanged; and when the Egress function is enabled, the source role tag serving as the inner VLAN tag is obtained from the message so that role-based access control can be performed. The present invention makes use of the QinQ function that existing forwarding chips already have and fully reuses the existing message structure, so no major change to the functions of conventional network devices is needed and the upgrade cost of the network is reduced.
      In addition, the forwarding chip provided by the invention integrates the Ingress function, the intermediate device function and the Egress function, and can enable the corresponding function according to the position of the network device in the network, thereby providing the corresponding processing of the source role tag. That is, a general-purpose forwarding chip is provided that can be used in an Ingress device, an intermediate device or an Egress device. This gives upper-layer software design a more flexible basis, and standardizing the forwarding chip makes each forwarding chip easier to manage, which reduces the management cost of hardware and software. Furthermore, the three functions are closely related; after all of them are integrated, the chip cost increases only slightly while the range of application is expanded. A chip integrating the Ingress function, the intermediate device function and the Egress function is therefore an inevitable trend of future technical development.
    Description of drawings
      Fig. 1 is a schematic diagram of the role-based access control architecture;
      Fig. 2 is a schematic diagram of the first application scenario;
      Fig. 3 is a schematic diagram of the second application scenario;
      Fig. 4 is a schematic diagram of the third application scenario;
      Fig. 5 is a schematic diagram of the fourth application scenario;
      Fig. 6 is a schematic diagram of a first example in which the Ingress device provided by the invention configures the correspondence by authentication;
      Fig. 7 is a schematic diagram of a second example in which the Ingress device provided by the invention configures the correspondence by authentication;
      Fig. 8 is a schematic diagram of the method by which the Egress device provided by the invention configures the RBACL by authentication;
      Fig. 9 is a structural diagram of one form of the Ingress device provided by the invention;
      Fig. 10 is a structural diagram of another form of the Ingress device provided by the invention;
      Fig. 11 is a structural diagram of the Egress device provided by the invention;
      Fig. 12 is a structural diagram of the intermediate device provided by the invention;
      Fig. 13 is a structural diagram of the general-purpose forwarding chip provided by the invention.
    Detailed description of the embodiments
      To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
      The core idea of the present invention is: after the Ingress device determines the source role tag according to the source information of a received message, it inserts this source role tag into the message as the inner VLAN tag of the message and forwards it, where the source role tag corresponds to the role of the user device; if intermediate devices exist between the Ingress device and the Egress device, each intermediate device keeps the source role tag serving as the inner VLAN tag unchanged during forwarding until the message is forwarded to the Egress device; the Egress device obtains the source role tag serving as the inner VLAN tag from the message, for performing role-based access control on the data message.
      That is, the present invention uses the QinQ function that network devices already have and inserts the source role tag into the message in the form of the inner VLAN tag of the message. It is only necessary to set the intermediate devices to keep the inner VLAN tag carrying the source role tag unchanged, and for the Egress device to obtain the source role tag from the inner VLAN tag of the message.
      The message source information involved in the above method can be: the inbound port on which the message is received, the source address information of the message, the Layer 4 port number of the message, the Layer 3 protocol number, the application-layer protocol number, and so on. Role-based access control of the data message by the Egress device can comprise: obtaining the source role tag from the inner VLAN tag of the received data message, determining the destination role information of the message, matching the RBACL according to the source role tag and the destination role information, and performing the corresponding access control processing on the message according to the match result.
      The above method is described in detail below with reference to specific embodiments. Based on the role-based access control architecture shown in Fig. 1, there are mainly the following four application scenarios:
      The first application scenario: as shown in Fig. 2, the user device accesses the Ingress device directly, then connects to an intermediate device through a Layer 2 network, and accesses the Layer 3 network through the intermediate device. The server accesses the Egress device directly, then connects to an intermediate device through a Layer 2 network, and accesses the Layer 3 network through the intermediate device. All devices on the path between the Ingress device and the Egress device can act as intermediate devices. The Ingress device and the Egress device interact directly with the access authentication server.
      The second application scenario: as shown in Fig. 3, the user device accesses the Ingress device through a conventional device, then connects to an intermediate device through a Layer 2 network, and accesses the Layer 3 network through the intermediate device. The server accesses the Egress device through a conventional device, then connects to an intermediate device through a Layer 2 network, and accesses the Layer 3 network through the intermediate device. All devices on the path between the Ingress device and the Egress device can act as intermediate devices. The conventional device interacts with the access authentication server and sends the authenticated role information to the Ingress device.
      The third application scenario: as shown in Fig. 4, the difference from the first application scenario is that the user device and the server directly access the Ingress device and the Egress device respectively, and the Ingress device and the Egress device perform Layer 3 forwarding.
      The fourth application scenario: as shown in Fig. 5, the difference from the third application scenario is that the user device and the server access the Ingress device and the Egress device, respectively, through conventional devices; the conventional device interacts with the access authentication server and sends the authenticated role information to the Ingress device.
      The conventional devices in the above scenarios are network devices that do not have the tag insertion and processing functions.
      In the present invention, the correspondence between message source information and source role tags stored in the Ingress device, and the RBACL in the Egress device, can be statically configured or obtained through dynamic authentication. The dynamic authentication approach is described in detail below.
      For the Ingress device, the method of configuring the correspondence between message source information and source role tag by authentication comprises: determining the role information of the authenticated device and the source information of the authentication message, and delivering the correspondence between this source information and the source role tag to the hardware layer. The source information can comprise: the inbound port on which the message is received, the source address information of the message, the Layer 4 port number of the message, the Layer 3 protocol number, the application-layer protocol number, and so on.
      Depending on the application scenario, the Ingress device determines the role information of the authenticated device and the source information of the authentication message in different ways. Two examples follow.
      Example one: if the user device accesses the Ingress device directly and the Ingress device interacts directly with the access authentication server, which corresponds to the first and third application scenarios above, the process by which the Ingress device configures the correspondence between message source information and source role tag by authentication is as shown in Fig. 6 and can comprise the following steps:
      Step 601: The user device initiates an authentication request to the Ingress device.
      Step 602: The Ingress device forwards the authentication request to the access authentication server.
      Step 603: After the user device passes authentication, the access authentication server delivers the role information of the user device to the Ingress device.
      Step 604: The Ingress device delivers to the hardware layer the correspondence between the inbound port on which the authentication request was received and the source role tag corresponding to this role information.
      That is, the inbound port serves as the source information of the message in this case. When this correspondence is delivered, the source role tag can be stored in the inner VLAN field of the inbound port. Because the Ingress device already has the QinQ function, its inbound port has an inner VLAN field; after a message is received through the inbound port, the content of this inner VLAN field is inserted into the message as the inner VLAN tag.
      Example two: if the user device accesses the Ingress device through a conventional device and the conventional device interacts with the access authentication server, which corresponds to the second and fourth application scenarios above, the process by which the Ingress device configures the correspondence between message source information and source role tag by authentication is as shown in Fig. 7 and can comprise the following steps:
      Step 701: The user device initiates an authentication request to the conventional device.
      Step 702: The conventional device forwards the authentication request to the access authentication server.
      Step 703: After the user device passes authentication, the access authentication server delivers the role information of the user device to the conventional device.
      Step 704: The conventional device sends to the Ingress device the correspondence between the role information of the user device and the source address information of the authentication request.
      Step 705: The Ingress device delivers to the hardware layer the correspondence between the source role tag corresponding to the role information of the user device and the source address information.
      That is, the source address information of the message serves as the source information of the message in this case; the source IP address or the source MAC address can be used. When this correspondence is delivered, the correspondence between the source role tag and the source address information can be stored as a hardware table entry; the Ingress device can subsequently determine the corresponding source role tag by looking up this hardware table entry with the source address information of a received message.
      For the Egress device, the method of configuring the RBACL by authentication can be as shown in Fig. 8 and comprises the following steps:
      Step 801: The Egress device receives the authentication request of the resource-side device.
      This authentication request can be sent by the resource-side device directly, or sent by the resource-side device through a conventional device.
      Step 802: The Egress device forwards the authentication request to the access authentication server.
      Step 803: After the server that sent the authentication request passes authentication, the access authentication server sends the role information of the authenticated resource-side device to the Egress device.
      Step 804: The Egress device delivers to the hardware layer the correspondence between the source address information of the authentication request and this role information.
      The correspondence between this source address information and the role information is delivered to the hardware layer so that, when the Egress device later performs access control on a message, it can look up this correspondence using the destination address information of the received message and thereby determine the corresponding destination role; this is covered in the subsequent description.
      In addition, the correspondence between this source address information and this role information can be stored in a hardware table entry, such as the Layer 2 forwarding table or the Layer 3 forwarding table. The region that holds the role information in the entry does not affect other forwarding functions, has a unique meaning, and occupies dedicated space, which avoids functional interference.
      Step 805: The Egress device requests from the access authentication server the role-based control policies that have this role information as the destination role.
      Step 806: The access authentication server delivers to the Egress device the role-based control policies that have this role information as the destination role.
      Usually, all role-based control policies can be set in the access authentication server in advance. After receiving the request of step 805, the server can deliver all role-based control policies that have this role information as the destination role to the Egress device. Each entry of a role-based control policy should contain the source role information, the destination role information and the access control processing mode (permit forwarding, deny forwarding, forwarding rate limit, mirroring, redirection, priority re-marking, statistics collection, further matching of other message fields, and similar access control processing modes).
      Step 807: The Egress device replaces the source role information in the role-based control policy with the corresponding source role tag and then delivers the RBACL to the hardware layer.
      The RBACL delivered to the hardware layer at this point contains source role tags. Even if the address of a user device changes, the role information of the user device, and therefore the source role tag, does not change. The RBACL therefore remains unchanged, so a change in the address of the user device has no effect on the forwarding plane. In addition, the RBACL can be delivered per outbound port or globally.
      The access control that the below realizes in the message repeating process hardware view specifically describes.
      For Ingress equipment, be divided into Ingress function and forward process function.Wherein, the Ingress function is: with the inner VLAN label data inserting message of source case tag as data message; Specifically comprise: after receiving the data message from subscriber equipment, determine source case tag according to the source-information of this data message, this source case tag is forwarded after in the inner VLAN label data inserting message of this data message.
      The forward process function is: network residing according to Ingress equipment, if be in double layer network, carry out two layers of forward process, if be in three-layer network carry out three layers of forward process.Concrete two layers and three layers of repeating process are described in subsequent process.
      The source case tag that in Ingress equipment, the data message is inserted is corresponding with the role of subscriber equipment, wherein subscriber equipment can be actual network entity, it can be also logic entity, the application protocol in network equipment for example, for different application protocols, different roles can be set, corresponding different source case tag.
      Ingress equipment inserts when source case tag can receive this data message at the inbound port place and carries out, carry out in the time of also can forwarding this data message at the outbound port place, the any time that also can be after receiving data message and forward before this data message carries out, in the following description all to insert source case tag as example when the inbound port place receives data message.
      The below for four kinds of above-mentioned application scenarioss, is described the processing procedure of Ingress equipment to the data message respectively.
      For the first application scenarios shown in Figure 2, what Ingress equipment received is the data message that does not comprise label, is designated as the data message of untag.after Ingress equipment receives this data message, determine source case tag according to inbound port or acl, and definite corresponding outside VLAN label (Vtag), with source case tag as the inner VLAN label, Vtag is inserted this data message (certainly as the outside VLAN label, if do not need to insert the message of passing by on one's way of source case tag in the flow in the same VLAN of this outbound port, for example the message that sends of CPU or definite inbound port do not arrange corresponding source case tag, do not carry out the operation of inserting source case tag, only carry out the insertion of Vtag, also like this in subsequent instance, repeat no more).
      Need to prove, Ingress equipment is determined source case tag and Vtag, can determine according to inbound port, also can determine according to the acl that the inbound port place arranges.Such as can in advance the source case tag corresponding to feature such as message source address information or protocol number being arranged in acl, after receiving data message, just can determine corresponding source case tag by searching acl.Like this too for intermediate equipment, Egress equipment, give unnecessary details no longer one by one in the following description, all be described to be defined as example by inbound port.
      In addition, Vtag determines be used to E-Packeting, this is the content of prior art, the present invention does not change this partial content, can be with this Vtag data inserting message after determining Vtag, also data inserting message not, the present invention also is not particularly limited, and unified in an embodiment of the present invention is that example is described according to inserting Vtag.
      Ingress equipment is searched two-layer retransmitting table according to the target MAC (Media Access Control) address of Vtag and message and is determined port, and the data message that inserts Vtag and source case tag is forwarded by the outbound port of determining.Peel off if be provided with Vtag on outbound port, before forwarding this data message, forward by the outbound port of determining after peeling off the Vtag of this data message, the message that forward this moment only carries source case tag.
      For the second application scenarios shown in Figure 3, what Ingress equipment received is the data message that comprises Vtag, search corresponding relation between source address information and source case tag according to the source address information of this data message, determine the source case tag that this source address information is corresponding, this source case tag is inserted this data message as the inner VLAN label.
      The Ingress equipment looks up the Layer 2 forwarding table according to the Vtag and the destination MAC (Media Access Control) address of the message to determine the outbound port, and forwards the data message, which carries the Vtag and the source case tag, through the determined outbound port. If Vtag stripping is configured on the outbound port, the Vtag is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      For the third application scenario, shown in Figure 4, the Ingress equipment receives an untagged data message. After receiving this data message, the Ingress equipment looks up the correspondence between inbound ports and source case tags according to the inbound port, determines the source case tag corresponding to this inbound port, determines the Vtag corresponding to the inbound port, and inserts the source case tag into the data message as the inner VLAN tag and the Vtag as the outer VLAN tag.
      The Ingress equipment looks up the Layer 3 forwarding table according to the Vtag and the destination IP address to determine the outbound port, replaces the Vtag, source MAC and destination MAC, and forwards the message through the determined outbound port; the forwarded message carries the Vtag and the source case tag. If Vtag stripping is configured on the outbound port, the Vtag (the Vtag after replacement) is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      For the fourth application scenario, shown in Figure 5, the Ingress equipment receives a data message that comprises a Vtag. It looks up the correspondence between source address information and source case tags according to the source address information of this data message, determines the source case tag corresponding to this source address information, and inserts this source case tag into the data message as the inner VLAN tag.
      The Ingress equipment looks up the Layer 3 forwarding table according to the Vtag and the destination IP address to determine the outbound port, replaces the Vtag, source MAC and destination MAC, and forwards the message through the determined outbound port; the forwarded message carries the Vtag and the source case tag. If Vtag stripping is configured on the outbound port, the Vtag (the Vtag after replacement) is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      In the processing described above for the Ingress equipment, when the source case tag is inserted into the message as the inner VLAN tag, the tag protocol identifier (TPID, Tag Protocol Identifier) of this inner VLAN tag uses a set value other than 0x8100 to identify the inner VLAN tag as a source case tag. The TPID of the source case tag is configurable and is uniform globally.
      It should be noted that in some situations (for example, data messages sent by the CPU, or an inbound port configured not to insert a source case tag) no source case tag needs to be inserted into the received data message. If such data messages are forwarded from the same outbound port as messages into which a source case tag has been inserted, each data message keeps its own format and they do not interfere with each other.
      The intermediate equipment likewise has an intermediate equipment function and a forwarding function. The intermediate equipment function is: after a data message is received, the source case tag carried as the inner VLAN tag is kept unchanged while the message undergoes Layer 2 or Layer 3 forwarding. That is, if the TPID of the inner VLAN tag identifies this inner VLAN tag as a source case tag, the inner VLAN tag is kept unchanged.
      The forwarding function is the same as the forwarding function of the Ingress equipment, and may likewise be Layer 2 forwarding or Layer 3 forwarding.
      For the first application scenario, shown in Figure 2, the intermediate equipment receives a data message that carries only a source case tag. It determines the Vtag corresponding to the inbound port and inserts the Vtag into the data message as the outer VLAN tag; it then looks up the Layer 2 forwarding table according to the Vtag and the destination MAC (Media Access Control) address of the message to determine the outbound port, and forwards the data message through the determined outbound port. If Vtag stripping is configured on the outbound port, the Vtag is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      For the second application scenario, shown in Figure 3, the intermediate equipment receives a data message that comprises a Vtag and a source case tag. It looks up the Layer 2 forwarding table according to the Vtag and the destination MAC (Media Access Control) address of the message to determine the outbound port, and forwards the data message, which carries the Vtag and the source case tag, through the determined outbound port. If Vtag stripping is configured on the outbound port, the Vtag is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      For the third application scenario, shown in Figure 4, the intermediate equipment receives a data message that carries only a source case tag. It determines the Vtag corresponding to the inbound port and inserts the Vtag into the data message as the outer VLAN tag; it then looks up the Layer 3 forwarding table according to the Vtag and the destination IP address to determine the outbound port, replaces the Vtag, source MAC and destination MAC, and forwards the message through the determined outbound port; the forwarded message carries the Vtag and the source case tag. If Vtag stripping is configured on the outbound port, the Vtag (the Vtag after replacement) is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      For the fourth application scenario, shown in Figure 5, the intermediate equipment receives a data message that comprises a Vtag and a source case tag. It looks up the Layer 3 forwarding table according to the Vtag and the destination IP address to determine the outbound port, replaces the Vtag, source MAC and destination MAC, and forwards the message through the determined outbound port; the forwarded message carries the Vtag and the source case tag. If Vtag stripping is configured on the outbound port, the Vtag (the Vtag after replacement) is stripped from the data message before it is forwarded through the determined outbound port, so the forwarded message carries only the source case tag.
      The Egress equipment has an Egress function and a forwarding function. The Egress function is: obtain the source case tag from the inner VLAN tag of the data message, for use in role-based access control of the data message. Specifically: when a data message sent by the intermediate equipment is received, the correspondence issued in step 804 of Fig. 8 is looked up to determine the destination role information corresponding to the destination address (such as the destination IP address) of this data message; the source case tag is obtained from the inner VLAN tag of the data message, the RBACL is matched using the source case tag and the destination role information, and access control processing is performed on the data message according to the matching result.
      In step 807 of Fig. 8, the Egress equipment has issued the RBACL to the hardware layer; each entry of this RBACL comprises a source case tag, destination role information and an access control processing mode. After the RBACL is matched using the obtained source case tag and the destination role information, if a matching entry exists, the corresponding access control processing mode can be determined, for example permit forwarding, deny forwarding, forwarding rate limiting, mirroring, redirection, priority re-marking or statistics.
      In addition to the access control processing above, the Egress equipment can also implement the forwarding function, that is, perform Layer 2 or Layer 3 forwarding inside the equipment; the forwarding function of the Egress equipment differs slightly from that of the Ingress equipment and the intermediate equipment. The processing inside the Egress equipment for the four application scenarios above is described in detail below.
      For the first application scenario, shown in Figure 2, the Egress equipment receives a data message that comprises both a source case tag and a Vtag, or that carries only a source case tag.
      If the data message carries only a source case tag, the Egress equipment obtains this source case tag when it determines, from the TPID of the inner VLAN tag of the data message, that the inner VLAN tag is a source case tag. It also determines the Vtag based on the inbound port and inserts the Vtag into the data message as the outer VLAN tag. It looks up the Layer 2 forwarding table using the Vtag and the destination MAC (Media Access Control) address to determine the outbound port. It determines the destination role information corresponding to the destination address of the data message, matches the RBACL using the source case tag and the destination role information, and performs access control processing on the data message according to the matching result. For example, if the matching result is permit forwarding, the data message is forwarded through the determined outbound port after all of its tags are stripped. If the matching result is deny forwarding, the data message is discarded. When forwarding through the outbound port, the source case tag and the Vtag are stripped, so the forwarded message is an untagged data message.
      The operation of matching the RBACL may be performed either before or after the operation of looking up the Layer 2 or Layer 3 forwarding table to determine the outbound port.
      If the message received by the Egress equipment carries both a source case tag and a Vtag, the only difference from the processing of a data message carrying only a source case tag is that the Vtag need not be determined based on the inbound port; the rest of the processing is the same as for a data message carrying only a source case tag.
      For the second application scenario, shown in Figure 3, the processing is essentially the same as in the first application scenario, except that only the source case tag is stripped at the outbound port, so the data message forwarded through the outbound port carries the Vtag.
      For the third application scenario, shown in Figure 4, if the data message received by the Egress equipment carries only a source case tag, the Egress equipment obtains this source case tag when it determines, from the TPID of the inner VLAN tag of the data message, that the inner VLAN tag is a source case tag. It also determines the Vtag based on the inbound port and inserts the Vtag into the data message as the outer VLAN tag. It looks up the Layer 3 forwarding table using the Vtag and the destination IP address to determine the outbound port, and replaces the Vtag, source MAC and destination MAC. It determines the destination role information corresponding to the destination address of the data message, matches the RBACL using the source case tag and the destination role information, and performs access control processing on the data message according to the matching result. For example, if the matching result is permit forwarding, the data message is forwarded through the determined outbound port after all of its tags are stripped. If the matching result is deny forwarding, the data message is discarded. When forwarding through the outbound port, the source case tag and the replaced Vtag are stripped, so the forwarded message is an untagged data message.
      If the message received by the Egress equipment carries both a source case tag and a Vtag, the only difference from the processing of a data message carrying only a source case tag is that the Vtag need not be determined based on the inbound port; the rest of the processing is the same as for a data message carrying only a source case tag.
      For the fourth application scenario, shown in Figure 5, the processing is essentially the same as in the third application scenario, except that only the source case tag is stripped at the outbound port, so the data message forwarded through the outbound port carries the Vtag (the Vtag after replacement).
      In the method provided by the invention, the processing of the inner VLAN tag and the processing of the outer VLAN tag inside each equipment do not affect each other, and inserting the source case tag as the inner VLAN tag does not affect the equipment's matching and processing of the outer VLAN tag and of other message fields.
      In addition, the method above is described using unicast data messages as an example. It should be noted that the invention's handling of the source case tag supports multicast as well: after the Ingress equipment, intermediate equipment or Egress equipment performs Layer 3 or Layer 2 replication of a message, the replicated messages carry the same source case tag as the multicast source message.
      Besides the ordinary ports of a network equipment, the method above can also be applied to the CPU port; the logic for the CPU port is the same as for an ordinary port.
      In the method provided by the invention, the Ingress function, the intermediate equipment function and the Egress function can be integrated in one forwarding chip; that is, the Ingress equipment, intermediate equipment and Egress equipment can all use this general forwarding chip, with different functions enabled by software configuration. When this general forwarding chip determines that the Ingress function is enabled, it inserts the source case tag into the data message as the inner virtual local area network (VLAN) tag of the data message; when it determines that the intermediate equipment function is enabled, it does not process the source case tag carried as the inner VLAN tag while forwarding the data message; when it determines that the Egress function is enabled, it obtains the source case tag from the inner VLAN tag of the data message.
      When the Ingress function or the intermediate equipment function is enabled in this general chip, the forwarding function implemented by the Ingress equipment and intermediate equipment above can be enabled at the same time; when the Egress function is enabled, the forwarding function implemented by the Egress equipment above can be enabled at the same time. This is not repeated here.
      The above is the detailed description of the method provided by the invention; the Ingress equipment, intermediate equipment and Egress equipment provided by the invention are described in detail below.
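The three chip functions described above, as an added Python sketch that is not code from the patent: the Ingress function inserts the source case tag as an inner tag, the intermediate function leaves it unchanged, and the Egress function matches it against the RBACL and strips it. The TPID value 0x9100, the 12-bit tag value, the function and table names, the rejection of pre-tagged frames, the deny fallback and the sample frame are assumptions of this example; forwarding-table lookups and Layer 3 rewrites are omitted.

```python
import ipaddress
import struct

VLAN_TPID = 0x8100  # standard 802.1Q TPID, used for the outer Vtag
ROLE_TPID = 0x9100  # assumed "set value other than 0x8100" marking the source case tag


def make_tag(tpid, value):
    """Build a 4-byte tag: 16-bit TPID, then a 16-bit field holding a 12-bit ID."""
    if not 0 <= value <= 0x0FFF:
        raise ValueError("tag value must fit in 12 bits")
    return struct.pack("!HH", tpid, value)


def parse_tags(frame):
    """Return (vtag, role, offset of the EtherType); an absent tag is None."""
    vtag = role = None
    off = 12  # skip destination and source MAC
    try:
        tpid, value = struct.unpack_from("!HH", frame, off)
        if tpid == VLAN_TPID:
            vtag, off = value & 0x0FFF, off + 4
            tpid, value = struct.unpack_from("!HH", frame, off)
        if tpid == ROLE_TPID:  # the TPID alone identifies the source case tag
            role, off = value & 0x0FFF, off + 4
    except struct.error:
        raise ValueError("truncated frame") from None
    return vtag, role, off


def ingress(frame, in_port, role_by_port, vtag_by_port):
    """Ingress function: insert the source case tag as inner tag, adding a Vtag if absent."""
    vtag, role, off = parse_tags(frame)
    if role is not None:
        # Choice made by this sketch, not stated on the page: a user-side frame that
        # already carries the role TPID is rejected instead of being trusted.
        raise ValueError("frame already carries a source case tag")
    if vtag is None:
        vtag = vtag_by_port[in_port]
    role_tag = make_tag(ROLE_TPID, role_by_port[in_port])
    return frame[:12] + make_tag(VLAN_TPID, vtag) + role_tag + frame[off:]


def intermediate(frame, strip_vtag):
    """Intermediate function: keep the inner source case tag; optionally strip the Vtag."""
    vtag, _role, _off = parse_tags(frame)
    return frame[:12] + frame[16:] if strip_vtag and vtag is not None else frame


def egress(frame, role_by_dst_ip, rbacl, strip_vtag=True):
    """Egress function: match (source case tag, destination role) against the RBACL."""
    vtag, role, off = parse_tags(frame)
    if role is None:
        raise ValueError("no source case tag to match on")
    if len(frame) < off + 22 or struct.unpack_from("!H", frame, off)[0] != 0x0800:
        raise ValueError("this sketch handles IPv4 payloads only")
    dst_ip = str(ipaddress.IPv4Address(frame[off + 18:off + 22]))
    # Falling back to "deny" for unknown destinations or unmatched pairs is a choice
    # of this sketch; the page only describes the case where an entry matches.
    action = rbacl.get((role, role_by_dst_ip.get(dst_ip)), "deny")
    if action == "deny":
        return action, None
    outer = b"" if strip_vtag or vtag is None else make_tag(VLAN_TPID, vtag)
    return action, frame[:12] + outer + frame[off:]  # source case tag always removed


def sample_frame():
    """Constructed untagged IPv4 frame from 10.0.1.7 to 10.0.0.5 (checksum left at 0)."""
    eth = bytes.fromhex("02000000000b" "02000000000a") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("10.0.1.7").packed,
                     ipaddress.IPv4Address("10.0.0.5").packed)
    return eth + ip + b"\x00" * 8


if __name__ == "__main__":
    rbacl = {(20, 7): "permit", (30, 7): "deny"}  # (source case tag, destination role)
    tagged = ingress(sample_frame(), 1, {1: 20}, {1: 100})
    in_transit = intermediate(tagged, strip_vtag=True)
    print(parse_tags(tagged), parse_tags(in_transit))
    print(egress(in_transit, {"10.0.0.5": 7}, rbacl)[0])
```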
      Fig. 9 is a structural diagram of the Ingress equipment provided by the invention. As shown in Fig. 9, this Ingress equipment can comprise: a message receiving unit 901, a role tag determining unit 902, a role tag insertion unit 903 and a forwarding processing unit 904.
      The role tag determining unit 902 is used for determining the source case tag according to the source information of the data message, where the source case tag corresponds to the role of the user equipment.
      The role tag insertion unit 903 is used for inserting the source case tag into the data message as the inner VLAN tag of the data message.
      The forwarding processing unit 904 is used for forwarding the data message after it has been processed by the role tag insertion unit 903.
      The message receiving unit 901, role tag determining unit 902, role tag insertion unit 903 and forwarding processing unit 904 above are units of the hardware layer and can be implemented by a forwarding chip.
      In addition, this Ingress equipment can also comprise an authentication processing unit 911 and a first tag configuration unit 912, which configure the relevant information of the hardware layer.
      The first tag configuration unit 912 is used for obtaining the role information of the user equipment issued by the access authentication server, and issuing to the hardware layer the correspondence between the inbound port on which the authentication request was received and the source case tag corresponding to the role information of the user equipment.
      In this case, the role tag determining unit 902 determines the source case tag from the source information of the data message according to the correspondence issued to the hardware layer, where the source information is the inbound port on which the data message was received.
      Depending on the network architecture, if a conventional equipment exists between the Ingress equipment and the user equipment, and it is the conventional equipment that interacts with the access authentication server, the Ingress equipment can adopt another approach, shown in Figure 10, in which a role acquiring unit 913 and a second tag configuration unit 914 configure the relevant information of the hardware layer.
      The role acquiring unit 913 is used for obtaining, from the conventional equipment, the correspondence between the role information of the user equipment and the source address information or protocol number of the authentication request; the role information of the user equipment is issued to the conventional equipment by the access authentication server after the conventional equipment forwards the authentication request of the user equipment to the access authentication server.
      The second tag configuration unit 914 is used for issuing to the hardware layer the correspondence between the source case tag corresponding to the role information of the user equipment and the source address information or protocol number.
      In this case, the role tag determining unit 902 determines the source case tag from the source information of the data message according to the correspondence issued to the hardware layer, where the source information is the source address information or protocol number of the data message.
      The authentication processing unit 911, first tag configuration unit 912, role acquiring unit 913 and second tag configuration unit 914 above are units of the software control plane.
      Specifically, when the role tag insertion unit 903 inserts the source case tag into the data message as the inner VLAN tag of the data message, the tag protocol identifier (TPID) of the inner VLAN tag is set to a set value other than 0x8100.
      The forwarding processing unit 904 in the Ingress equipment can specifically comprise: an outer tag insertion subunit 941, a forwarding table lookup subunit 942 and an egress processing subunit 943.
      The outer tag insertion subunit 941 is used for, when the data message received by the message receiving unit 901 does not comprise a virtual local area network tag (Vtag), determining the Vtag of the data message and inserting this Vtag into the data message as the outer VLAN tag.
      The forwarding table lookup subunit 942 is used for looking up the Layer 2 or Layer 3 forwarding table to determine the outbound port, using the Vtag and destination address information comprised in the data message received by the message receiving unit 901, or the Vtag and destination address information comprised in the data message after processing by the outer tag insertion subunit 941.
      In addition, when the forwarding processing unit 904 performs Layer 3 forwarding, it can also comprise a unit that replaces the Vtag, source MAC and destination MAC of the data message; because this is existing content of existing protocols, it is not shown in the figures and is not described further.
      Figure 11 is a structural diagram of the Egress equipment provided by the invention. As shown in Figure 11, this Egress equipment can comprise: a message receiving unit 1101, a role tag acquiring unit 1102 and an access control unit 1103.
      The message receiving unit 1101 is used for receiving the data message from the user side.
      The role tag acquiring unit 1102 is used for obtaining from the data message the source case tag carried as the inner VLAN tag, where the source case tag corresponds to the role of the user equipment that sends the data message.
      The access control unit 1103 is used for performing role-based access control on the data message using the source case tag.
      The message receiving unit 1101, role tag acquiring unit 1102 and access control unit 1103 above are units of the hardware layer and can be implemented by a forwarding chip.
      The access control unit 1103 can specifically comprise: a destination role determining subunit 1131, an access control matching subunit 1132 and an access control processing subunit 1133.
      The destination role determining subunit 1131 is used for determining the destination role information of the data message.
      The access control matching subunit 1132 is used for matching the role-based access control list (RBACL) according to the source case tag and the destination role information.
      The access control processing subunit 1133 is used for performing access control processing on the data message according to the matching result of the access control matching subunit 1132.
      In addition, this Egress equipment also comprises an authentication processing unit 1111, a destination role configuration unit 1112, a control list acquiring unit 1113 and a control list configuration unit 1114, which implement the configuration of the relevant information of the hardware layer.
      The authentication processing unit 1111 is used for forwarding the authentication request from the resource-side equipment to the access authentication server, and obtaining the role information of the resource-side equipment issued by the access authentication server.
      The destination role configuration unit 1112 is used for issuing to the hardware layer the correspondence between the source address information of the authentication request and the role information of the resource-side equipment.
      The control list acquiring unit 1113 is used for obtaining the role-based control policy from the access authentication server; this role-based control policy uses the role information issued by the access authentication server as the destination role information.
      The control list configuration unit 1114 is used for obtaining the RBACL by replacing the source case information in the role-based control policy with the corresponding source case tag, and issuing the RBACL to the hardware layer.
      In this case, the destination role determining subunit 1131 determines the destination role information corresponding to the destination address of the data message according to the correspondence issued to the hardware layer. The access control matching subunit 1132 performs the matching against the RBACL issued to the hardware forwarding layer.
      The authentication processing unit 1111, destination role configuration unit 1112, control list acquiring unit 1113 and control list configuration unit 1114 above are units of the software control plane.
      Further, this Egress equipment can also comprise an existing forwarding processing unit 1104, which can specifically comprise: an outer tag insertion subunit 1141, a forwarding table lookup subunit 1142 and an egress processing subunit 1143.
      The outer tag insertion subunit 1141 is used for, when the data message received by the message receiving unit 1101 does not comprise a virtual local area network tag (Vtag), determining the Vtag of the data message and inserting this Vtag into the data message as the outer VLAN tag.
      The forwarding table lookup subunit 1142 is used for looking up the Layer 2 or Layer 3 forwarding table to determine the outbound port, using the Vtag and destination address information comprised in the data message received by the message receiving unit 1101, or the Vtag and destination address information comprised in the data message after processing by the outer tag insertion subunit 1141.
      The egress processing subunit 1143 is used for, when the access control unit 1103 determines that the data message needs to be forwarded, stripping the source case tag from the data message, stripping or not stripping the Vtag carried in the data message, and forwarding the data message through the determined outbound port.
      In addition, when the forwarding processing unit 1104 performs Layer 3 forwarding, it can also comprise a unit that replaces the Vtag, source MAC and destination MAC of the data message; because this is existing content of existing protocols, it is not shown in the figures and is not described further.
      Figure 12 is a structural diagram of the intermediate equipment provided by the invention. As shown in Figure 12, this intermediate equipment specifically comprises: a message receiving unit 1201, a tag recognition unit 1202 and a forwarding processing unit 1203.
      The message receiving unit 1201 is used for receiving the data message from the Ingress equipment or from another intermediate equipment.
      The tag recognition unit 1202 is used for identifying the inner VLAN tag of the data message.
      The forwarding processing unit 1203 is used for, in the process of forwarding the data message, keeping the inner VLAN tag unchanged if the tag recognition unit 1202 identifies the inner VLAN tag as a source case tag, where the source case tag corresponds to the role of the user equipment that sends the data message.
      If the tag recognition unit 1202 parses the tag protocol identifier (TPID) of the inner VLAN tag as the set value other than 0x8100, it identifies the inner VLAN tag as a source case tag.
      The forwarding processing unit 1203 can specifically comprise: an outer tag insertion subunit 1231, a forwarding table lookup subunit 1232 and an egress processing subunit 1233.
      The outer tag insertion subunit 1231 is used for, when the data message received by the message receiving unit 1201 does not comprise a virtual local area network tag (Vtag), determining the Vtag of the data message and inserting this Vtag into the data message as the outer VLAN tag.
      The forwarding table lookup subunit 1232 is used for looking up the Layer 2 or Layer 3 forwarding table to determine the outbound port, using the Vtag and destination address information comprised in the data message received by the message receiving unit 1201, or the Vtag and destination address information comprised in the data message after processing by the outer tag insertion subunit 1231.
      The egress processing subunit 1233 is used for forwarding the data message carrying the source case tag through the determined outbound port, after stripping or not stripping the Vtag carried in the data message.
      In addition, when the forwarding processing unit 1203 performs Layer 3 forwarding, it can also comprise a unit that replaces the Vtag, source MAC and destination MAC of the data message; because this is existing content of existing protocols, it is not shown in the figures and is not described further.
      The message receiving unit 1201, tag recognition unit 1202 and forwarding processing unit 1203 above are all units of the hardware layer in the intermediate equipment and can be implemented by a forwarding chip.
      In addition, it should be noted that the hardware-layer units of the Ingress equipment, intermediate equipment and Egress equipment above can be integrated on one forwarding chip. When this forwarding chip determines that it needs to perform the function of the Ingress equipment, it executes the functions of the hardware-layer units of the Ingress equipment; when it determines that it needs to perform the function of the intermediate equipment, it executes the functions of the hardware-layer units of the intermediate equipment; when it determines that it needs to perform the function of the Egress equipment, it executes the functions of the hardware-layer units of the Egress equipment.
      Figure 13 is a structural diagram of the general forwarding chip provided by the invention. As shown in Figure 13, this forwarding chip can comprise: an Ingress function module 1301, an intermediate equipment function module 1302 and an Egress function module 1303.
      The Ingress function module 1301 is used for, when enabled, inserting the source case tag into the data message as the inner VLAN tag of the data message.
      The intermediate equipment function module 1302 is used for, when enabled, keeping the source case tag carried as the inner VLAN tag unchanged in the process of forwarding the data message.
      The Egress function module 1303 is used for, when enabled, obtaining from the data message the source case tag carried as the inner VLAN tag, for use in role-based access control of the data message.
      The Egress function module 1303 can specifically comprise: a source case obtaining submodule 1331 and an access control submodule 1332.
      The source case obtaining submodule 1331 is used for obtaining the source case tag from the inner VLAN tag of the data message and providing it to the access control submodule 1332.
      The tag protocol identifier (TPID) of the inner VLAN tag above is a set value other than 0x8100.
      Further, this forwarding chip can also comprise a first forwarding function module 1304; when the Ingress function module 1301 is enabled or the intermediate equipment function module 1302 is enabled, the first forwarding function module 1304 is enabled.
      The structure of the first forwarding function module 1304 is the same as that of the forwarding processing unit 904 in Fig. 9 and the forwarding processing unit 1203 in Figure 12, and is not repeated here.
      In addition, this chip can also comprise a second forwarding function module 1305; when the Egress function module 1303 is enabled, the second forwarding function module 1305 is enabled.
      The structure of this second forwarding function module is the same as that of the forwarding processing unit in Figure 11, and is not repeated here.
      The above are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
    Claims (8)
1. a method of processing source case information, is characterized in that, the method comprises:
      When determining to enable the Ingress function, with the internal layer virtual LAN VLAN data inserting message of source case label tag as data message;
      When determining to enable the intermediate equipment function, in the process of forwarding data packets, the source case tag as the inner VLAN label is remained unchanged;
      When determining to enable the Egress function, obtain the source case tag as the inner VLAN label from data message, for the access control of described data message being carried out based on the role;
      Wherein, performing role-based access control on the data message comprises: determining the destination role information of the data message, matching a role-based access control list (RBACL) according to the obtained source role tag and the destination role information, and performing access control processing on the data message according to the matching result.
    2. The method according to claim 1, characterized in that, when the source role tag serves as the inner VLAN tag, the tag protocol identifier (TPID) of the inner VLAN tag is a set value other than 0x8100;
      When it is determined that the intermediate device function is enabled, if the TPID of the inner VLAN tag of the received data message is identified as the set value, the inner VLAN tag of the data message is kept unchanged;
      When it is determined that the Egress function is enabled, if the TPID of the inner VLAN tag of the received data message is identified as the set value, the source role tag serving as the inner VLAN tag is obtained from the data message.
    3. The method according to claim 1 or 2, characterized in that, when it is determined that the Ingress function is enabled or that the intermediate device function is enabled, the method further comprises:
      A1. If the received data message does not contain a virtual local area network tag (Vtag), determining the Vtag of the data message, inserting this Vtag into the data message as the outer VLAN tag, and performing A2; if the received data message already contains a Vtag, performing A2 directly;
      A2. Using the Vtag contained in the data message and the destination address information of the data message to look up the layer-2 or layer-3 forwarding table and determine the egress port;
      A3. With the Vtag either stripped or not stripped, forwarding the data message carrying the source role tag through the determined egress port.
    4. The method according to claim 1 or 2, characterized in that, when it is determined that the Egress function is enabled, the method further comprises:
      B1. If the received data message does not contain a Vtag, determining the Vtag of the data message, inserting this Vtag into the data message as the outer VLAN tag, and performing B2; if the received data message already contains a Vtag, performing B2 directly;
      B2. Using the Vtag contained in the data message and the destination address information of the data message to look up the layer-2 or layer-3 forwarding table and determine the egress port;
      B3. Stripping the source role tag from the data message, stripping or not stripping the Vtag, and, when the access control processing requires the data message to be forwarded, forwarding the data message through the determined egress port.
    5. A forwarding chip for processing source role information, characterized in that the forwarding chip comprises: an Ingress function module, an intermediate device function module and an Egress function module;
      The Ingress function module is configured, when enabled, to insert the source role tag into the data message as the inner virtual local area network (VLAN) tag of the data message;
      The intermediate device function module is configured, when enabled, to keep the source role tag serving as the inner VLAN tag unchanged while forwarding the data message;
      The Egress function module is configured, when enabled, to obtain the source role tag serving as the inner VLAN tag from the data message, for use in performing role-based access control on the data message;
      The Egress function module specifically comprises: a source role obtaining submodule and an access control submodule;
      The source role obtaining submodule is configured to obtain the source role tag from the inner VLAN tag of the data message and provide it to the access control submodule;
      The access control submodule is configured to determine the destination role information of the data message, match a role-based access control list (RBACL) according to the source role tag and the destination role information, and perform access control processing on the data message according to the matching result.
    6. The forwarding chip according to claim 5, characterized in that the tag protocol identifier (TPID) of the inner VLAN tag is a set value other than 0x8100.
    7. The forwarding chip according to claim 5 or 6, characterized in that the forwarding chip further comprises: a first forwarding function module, wherein the first forwarding function module is enabled when the Ingress function module is enabled or the intermediate device function module is enabled;
      The first forwarding function module specifically comprises:
      A first outer tag insertion subunit, configured to determine the Vtag of the data message when the data message received by the forwarding chip does not contain a virtual local area network tag (Vtag), and to insert this Vtag into the data message as the outer VLAN tag;
      A first forwarding table lookup subunit, configured to use the Vtag and destination address information contained in the data message received by the forwarding chip, or the Vtag and destination address information contained in the data message after processing by the first outer tag insertion subunit, to look up the layer-2 or layer-3 forwarding table and determine the egress port;
      A first egress processing subunit, configured to forward the data message carrying the source role tag through the determined egress port, after stripping or not stripping the Vtag carried in the data message.
    8. The forwarding chip according to claim 5 or 6, characterized in that the forwarding chip further comprises: a second forwarding function module, wherein the second forwarding function module is enabled when the Egress function module is enabled;
      The second forwarding function module specifically comprises:
      A second outer tag insertion subunit, configured to determine the Vtag of the data message when the data message received by the forwarding chip does not contain a Vtag, and to insert this Vtag into the data message as the outer VLAN tag;
      A second forwarding table lookup subunit, configured to use the Vtag and destination address information contained in the data message received by the forwarding chip, or the Vtag and destination address information contained in the data message after processing by the second outer tag insertion subunit, to look up the layer-2 or layer-3 forwarding table and determine the egress port;
      A second egress processing subunit, configured to strip the source role tag from the data message and, after stripping or not stripping the Vtag carried in the data message, forward the data message through the determined egress port when the Egress function module determines that the data message needs to be forwarded.
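
The egress handling described in claims 1, 2 and 4, sketched as an added example that is not part of the patent text or any vendor's implementation: it recognises the inner tag by its TPID, reads the source role, matches an RBACL against the destination role, and strips the role tag before forwarding. Assumptions not taken from the claims: the set TPID value 0x88B5, the role ID occupying the low 12 bits of the tag, the destination role being looked up by destination MAC, a default of deny, and all function and constant names.

```python
import struct

VLAN_TPID = 0x8100       # standard 802.1Q TPID carried by the outer Vtag
ROLE_TPID = 0x88B5       # assumed "set value other than 0x8100" (IEEE local experimental EtherType)
DEFAULT_ACTION = "deny"  # assumption: no role tag or no RBACL entry means drop

def get_source_role(frame):
    """Return (source role, byte offset of the role tag), or (None, None) if absent."""
    off = 12                                    # skip destination and source MAC
    for _ in range(2):                          # at most an outer Vtag, then the role tag
        if len(frame) < off + 4:                # truncated frame: no complete tag here
            return None, None
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid == ROLE_TPID:
            return tci & 0x0FFF, off            # assumption: role ID in the low 12 bits
        if tpid != VLAN_TPID:
            return None, None
        off += 4
    return None, None                           # two 0x8100 tags: ordinary QinQ, no role

def egress_process(frame, rbacl, dst_roles):
    """Egress steps: read the role tag, match the RBACL, strip the tag if forwarding."""
    src_role, off = get_source_role(frame)
    if src_role is None:
        return DEFAULT_ACTION, None
    dst_role = dst_roles.get(frame[0:6])        # assumption: destination role keyed by MAC
    action = rbacl.get((src_role, dst_role), DEFAULT_ACTION)
    if action != "permit":
        return action, None
    return action, frame[:off] + frame[off + 4:]   # role tag removed, Vtag kept

# Constructed sample data (not from the patent).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x08\x00" + bytes(46)
RBACL = {(10, 20): "permit", (30, 20): "deny"}
DST_ROLES = {DST: 20}

def build_frame(role, vid=100):
    """Build a frame with outer Vtag (0x8100) and inner role tag (ROLE_TPID)."""
    return (DST + SRC + struct.pack("!HH", VLAN_TPID, vid)
            + struct.pack("!HH", ROLE_TPID, role) + PAYLOAD)

if __name__ == "__main__":
    for role in (10, 30, 40):
        action, out = egress_process(build_frame(role), RBACL, DST_ROLES)
        print(role, action, len(out) if out else None)
```

Because the role tag is told apart from an ordinary inner VLAN tag only by its TPID, a frame with two 0x8100 tags yields no source role here and falls through to the default action.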
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN2010101873581A CN102263679B (en) | 2010-05-24 | 2010-05-24 | Source role information processing method and forwarding chip | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN102263679A (en) | 2011-11-30 | 
| CN102263679B (en) | 2013-11-06 | 
Family
ID=45010148
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN2010101873581A Active CN102263679B (en) | 2010-05-24 | 2010-05-24 | Source role information processing method and forwarding chip | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN102263679B (en) | 
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN104780147B (en) * | 2014-01-14 | 2019-05-07 | 新华三技术有限公司 | A kind of method and device of BYOD access control | 
| CN106302143B (en) * | 2015-05-26 | 2019-06-11 | 中兴通讯股份有限公司 | Message processing method and device | 
| CN107547332B (en) * | 2016-06-28 | 2021-06-04 | 中兴通讯股份有限公司 | Data transmission method and device | 
| CN113728600B (en) * | 2019-09-11 | 2023-10-24 | Oppo广东移动通信有限公司 | Access control method, equipment and storage medium | 
| CN110958334B (en) * | 2019-11-25 | 2022-08-09 | 新华三半导体技术有限公司 | Message processing method and device | 
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN101155113A (en) * | 2006-09-29 | 2008-04-02 | 华为技术有限公司 | Multiplexing method and VLAN switching domain of a VLAN switching tunnel | 
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US20040223497A1 (en) * | 2003-05-08 | 2004-11-11 | Onvoy Inc. | Communications network with converged services | 
| US8223669B2 (en) * | 2008-04-07 | 2012-07-17 | Futurewei Technologies, Inc. | Multi-protocol label switching multi-topology support | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN102263679A (en) | 2011-11-30 | 
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| CN102263774B (en) | | Method and device for processing source role information |
| EP3461072B1 (en) | | Access control in a vxlan |
| KR101015130B1 (en) | | Data distribution device, data distribution method and distribution control program |
| CN1153416C (en) | | Packet switch communication method |
| US8321908B2 (en) | | Apparatus and method for applying network policy at a network device |
| JP6982104B2 (en) | | BRAS system-based packet encapsulation methods and equipment |
| EP2725749B1 (en) | | Method, apparatus and system for processing service flow |
| CN109660443A (en) | | Physical equipment and virtual network communication method and system based on SDN |
| CN101877671B (en) | | Sending method of mirror image message, switch chip and Ethernet router |
| CN101141304B (en) | | Management method and equipment of ACL regulation |
| CN107733670A (en) | | A kind of forwarding strategy collocation method and device |
| CN104486589B (en) | | Access method and device in video monitoring system based on GVRP |
| US20070081535A1 (en) | | Method and system for implementing virtual router redundacy protocol on a resilient packet ring |
| CN103685006A (en) | | Packet forwarding method for edge device and edge device |
| CN103581274B (en) | | Message forwarding method and device in stacking system |
| CN102263679B (en) | | Source role information processing method and forwarding chip |
| JP2005073230A (en) | | NETWORK SWITCH DEVICE AND ROUTE MANAGEMENT SERVER, NETWORK INTERFACE DEVICE, ITS CONTROL METHOD, ROUTE MANAGEMENT SERVER COMPUTER PROGRAM, AND COMPUTER-READABLE STORAGE MEDIUM |
| CN101106532A (en) | | Method for Realizing Mixed Forwarding of Switch Chip and Network Processor |
| CN102158421A (en) | | Method and unit for creating layer three interface |
| CN101635702B (en) | | Method for forwarding data packet using security strategy |
| CN105553853A (en) | | Method, device and system for management of IPC through NVR |
| CN108833979A (en) | | The provisioning file introduction method and dual system convergent terminal of dual system convergent terminal |
| CN102916874B (en) | | A kind of file transmitting method and equipment |
| CN105991391A (en) | | Method and device for uploading protocol message to CPU |
| US20040095941A1 (en) | | Layer 2 switch and method of processing expansion VLAN tag of layer 2 frame |
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |
| | CP03 | Change of name, title or address | |