Summary of the invention
To address the defects of the prior art, the invention provides a control policy generation method and device.
The invention provides a control policy generation method applied to the main control board of a network device, the network device further comprising a service board and an interface board having a forwarding chip, wherein the method includes:
Generating at least one forwarding control policy, the forwarding control policy being used so that, after the forwarding chip of the interface board receives a data packet, the forwarding chip looks up the corresponding egress port in the pre-stored routing forwarding entries according to the packet information of the data packet and judges whether the egress port is configured with a security service; if so, the data packet is determined to be a packet to be sent to a service board for service processing, and the forwarding chip sends the data packet to the corresponding service board according to the egress port;
Issuing the forwarding control policy to the forwarding chip, so that after the interface board receives a data packet, the forwarding chip processes the data packet according to the forwarding control policy.
The invention also provides a control policy generation device applied to a network device having a main control board, the network device further comprising a service board and an interface board having a forwarding chip, the device including:
A generating unit, used to generate at least one forwarding control policy, the forwarding control policy being used so that, after the forwarding chip of the interface board receives a data packet, the forwarding chip looks up the corresponding egress port in the pre-stored routing forwarding entries according to the packet information of the data packet and judges whether the egress port is configured with a security service; if so, the data packet is determined to be a packet to be sent to a service board for service processing, and the forwarding chip sends the data packet to the corresponding service board according to the egress port;
An issuing unit, used to issue the forwarding control policy to the forwarding chip, so that after the interface board receives a data packet, the forwarding chip processes the data packet according to the forwarding control policy.
With the control policy generation method and device provided by the invention, the generated forwarding control policy is issued to the forwarding chip, so that after the interface board receives a data packet, if the egress port of the data packet is determined to be configured with a security service, the forwarding chip forwards the data packet to the corresponding service board for processing according to the forwarding control policy. The invention thus avoids sending all received data packets to the service board for processing, which reduces the service processing pressure on the service board, improves the forwarding efficiency of data packets, reduces the number of service boards that must be deployed, and saves cost for the user.
Detailed description of the invention
To make the purpose, technical solution and advantages of the application clearer, the solution of the application is described in further detail below with reference to the accompanying drawings.
To solve the problems in the prior art, the invention provides a control policy generation method and device.
Fig. 1 is a schematic diagram of the network environment in which the method of the invention is applied. It includes multiple hosts located in the same LAN (for example Host1 and Host2), a distributed network device, and a remote server located in an external network. The network device may be a chassis-type distributed network device with multiple ports (for example Port1, Port2, Port3 and Port4).
Refer to Fig. 2, a schematic flow diagram of the control policy generation method provided by the invention. The control policy generation method is applied to the main control board of a network device, and the network device further includes a service board and an interface board having a forwarding chip. The control policy generation method comprises the following steps:
Step 201: generate at least one forwarding control policy, the forwarding control policy being used so that, after the forwarding chip of the interface board receives a data packet, the forwarding chip looks up the corresponding egress port in the pre-stored routing forwarding entries according to the packet information of the data packet and judges whether the egress port is configured with a security service; if so, the data packet is determined to be a packet to be sent to a service board for service processing, and the forwarding chip sends the data packet to the corresponding service board according to the egress port;
In practical applications, the main control board can issue control policies to the service boards and to the forwarding chip of the interface board by issuing configuration, thereby controlling the forwarding chip to steer different data packets to different service boards. The embodiment of the invention can use this ability of the main control board to control, through issued control policies, how the forwarding chip processes data packets: it generates at least one forwarding control policy so that, after the interface board receives data packets, the forwarding chip distinguishes the received data packets according to whether they need service processing, sends the packets that need service processing to the corresponding service board, and forwards directly the packets that do not. This solves the prior-art problem that all packets received from the interface board (including intranet mutual-access data packets and data packets accessing the external network) are sent up to the service board, so that the service board receives too many data packets and its performance is reduced.
In the embodiment of the invention, the control policies generated by the main control board may include at least one forwarding control policy.
Specifically, the forwarding control policy is used so that, after the interface board receives a data packet, the forwarding chip looks up the corresponding egress port in the pre-stored routing forwarding entries according to the packet information of the data packet and judges whether the egress port is configured with a security service; if so, the data packet is determined to be a packet to be sent to a service board for service processing, and the forwarding chip sends the data packet to the corresponding service board according to the egress port.
The forwarding control policy may be an ACL (Access Control List). It may of course also be another policy known in the prior art, for example controlling the forwarding of packets by configuring table entries; the invention does not specifically limit this.
Step 202: issue the forwarding control policy to the forwarding chip, so that after the interface board receives a data packet, the forwarding chip processes the data packet according to the forwarding control policy.
After generating the forwarding control policy, the main control board can issue the generated control policy to the forwarding chip, and the forwarding chip processes received data packets according to the forwarding control policy.
The forwarding chip of the interface board pre-stores routing forwarding entries, which record the egress port corresponding to the packet information of a data packet, as shown in Table 1:
| Source IP address | Destination IP address | Ingress port | Egress port |
| Host1-IP | Host2-IP | Port1 | Port2 |
| Host1-IP | Remote server-IP | Port1 | Port3 |
| Host2-IP | Remote server-IP | Port2 | Port4 |
Table 1
Table 1 illustrates the routing forwarding entries. It is only an example to aid understanding of the invention and does not limit the specific content of the routing forwarding entries in the embodiment of the invention.
To ensure the security of services in the network, in the embodiment of the invention a security service may also be configured in advance for specified egress ports, and the egress ports and the security service information configured for them are saved. For example, see Table 2:
| Egress port | Service board identifier | Security service information |
| Port3 | Service board 1 | Packet filtering |
| Port4 | Service board 2 | Attack defense |
Table 2
Table 2 shows the egress ports and the security service information configured for them. It is only an example to aid understanding of the invention and does not limit the specific content of the egress ports and their configured security service information in the embodiment of the invention.
After the forwarding chip of the interface board receives a data packet, it first obtains the packet information of the data packet. This packet information may be the source IP address and destination IP address of the data packet.
It then matches the source IP address and destination IP address of the data packet against the routing forwarding entries to find out whether there is a corresponding egress port.
If there is, the forwarding chip further judges whether a security service is configured for that egress port, that is, it looks in the information on egress ports and their configured security services (Table 2) for security service information corresponding to that egress port. If such information is found, the egress port is determined to be configured with a security service and the forwarding control policy is hit. This indicates that the received data packet is a packet that needs service processing (usually a data packet accessing the external network), so the data packet can be sent, according to the service board identifier corresponding to that egress port, to the corresponding service board for security service processing; after the service board has performed security service processing on the data packet, the data packet is forwarded through the corresponding egress port. If it is determined that no security service is configured for that egress port, that is, no security service information corresponding to that egress port is found in the information on egress ports and their configured security services (Table 2), the egress port is determined not to be configured with a security service. This indicates that the received data packet is a packet that does not need service processing (typically a data packet exchanged within the internal network), so the forwarding chip can forward the data packet through the corresponding egress port in the routing forwarding entries.
In this way, after the forwarding chip receives data packets, it can distinguish among them, determining which packets are to be sent to a service board for service processing and which are to be forwarded directly by the forwarding chip. Only the packets that need service processing (for example data packets accessing the external network) are sent to the service board for processing, while the packets that do not need service processing (for example internal mutual-access data packets) are forwarded directly through the corresponding egress port. This greatly reduces the pressure on the service board and improves the forwarding efficiency of the service board.
In addition, after the interface board receives a data packet, if the forwarding chip matches the source IP address and destination IP address of the data packet against the pre-stored routing forwarding entries and does not find a corresponding egress port, the data packet can be determined to be an unknown data packet, and the unknown data packet can then be discarded.
It should be noted that the content shown in Table 2 above may also be added to the routing forwarding entries, so that after a data packet is received, both the corresponding egress port and the security service information configured for that egress port can be looked up in the routing forwarding entries.
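The lookup sequence described above (match against Table 1, check Table 2, then send to a service board, forward directly, or discard), as an added Python example that is not part of the patent text. The IP addresses, the names `decide` and `board_load`, and the sample traffic are constructed for illustration; matching uses only source and destination IP, as the description states.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Table 1 (routing forwarding entries): (source IP, destination IP) -> egress port.
# The page gives symbolic names only; these addresses are constructed sample values.
HOST1, HOST2, REMOTE = "10.0.0.1", "10.0.0.2", "203.0.113.10"
ROUTES = {
    (HOST1, HOST2): "Port2",
    (HOST1, REMOTE): "Port3",
    (HOST2, REMOTE): "Port4",
}

# Table 2: egress port -> (service board identifier, security service on that port).
PORT_SERVICES = {
    "Port3": ("Service board 1", "Packet filtering"),
    "Port4": ("Service board 2", "Attack defense"),
}

class Decision(NamedTuple):
    action: str                    # "drop", "forward" or "to_service_board"
    egress_port: Optional[str]
    service_board: Optional[str]

def decide(src_ip: str, dst_ip: str) -> Decision:
    """Decision the forwarding chip makes for one received packet."""
    port = ROUTES.get((src_ip, dst_ip))
    if port is None:
        # No matching entry: unknown packet, discarded.
        return Decision("drop", None, None)
    service = PORT_SERVICES.get(port)
    if service is None:
        # Egress port has no security service: forward directly.
        return Decision("forward", port, None)
    # Policy hit: hand the packet to the board bound to this egress port;
    # the board forwards it through the same port after processing.
    return Decision("to_service_board", port, service[0])

def board_load(packets):
    """Count packets per action, showing how many actually reach a service board."""
    return Counter(decide(src, dst).action for src, dst in packets)

if __name__ == "__main__":
    # Constructed traffic: mostly intranet, two outbound flows, one unknown source.
    sample = [(HOST1, HOST2)] * 3 + [(HOST1, REMOTE), (HOST2, REMOTE),
                                     ("10.0.0.99", REMOTE)]
    for src, dst in sample[2:]:
        print(src, "->", dst, decide(src, dst))
    print(dict(board_load(sample)))
```
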
In summary, with the control policy generation method provided by the invention, the generated forwarding control policy is issued to the forwarding chip, so that after the interface board receives a data packet, if the egress port of the data packet is determined to be configured with a security service, the forwarding chip forwards the data packet to the corresponding service board for processing according to the forwarding control policy. The invention thus avoids sending all received data packets to the service board for processing, which reduces the service processing pressure on the service board, improves the forwarding efficiency of data packets, reduces the number of service boards that must be deployed, and saves cost for the user.
The invention also provides a control policy generation device. Fig. 3 is a schematic structural diagram of the control policy generation device, which can be applied to a network device. The control policy generation device may include a generating unit 301 and an issuing unit 302, wherein:
The generating unit 301 is used to generate at least one forwarding control policy, the forwarding control policy being used so that, after the forwarding chip of the interface board receives a data packet, the forwarding chip looks up the corresponding egress port in the pre-stored routing forwarding entries according to the packet information of the data packet and judges whether the egress port is configured with a security service; if so, the data packet is determined to be a packet to be sent to a service board for service processing, and the forwarding chip sends the data packet to the corresponding service board according to the egress port;
The issuing unit 302 is used to issue the forwarding control policy to the forwarding chip, so that after the interface board receives a data packet, the forwarding chip processes the data packet according to the forwarding control policy.
Further, the generating unit 301 is also used to generate at least one discard control policy, the discard control policy being used so that, after the interface board receives a data packet, the data packet is discarded if the forwarding chip does not find a corresponding egress port in the routing forwarding entries.
Further, the forwarding control policy is also used so that, after the forwarding chip finds the corresponding egress port in the routing forwarding entries according to the packet information of the data packet, if the egress port is determined not to be configured with a security service, the forwarding chip forwards the data packet through the corresponding egress port.
Further, the forwarding control policy is an ACL.
The specific processing flow of the control policy generation device applied to the network device may be consistent with the processing flow of the control policy generation method described above, and is not repeated here.
The above device may be implemented in software or in hardware. For the hardware architecture of the network device in which the control policy generation device of the invention resides, refer to Fig. 4: its basic hardware environment includes a central processing unit (CPU), a forwarding chip, memory and other hardware, wherein the memory contains machine-readable instructions, and the CPU reads and executes the machine-readable instructions to perform the functions of the units in Fig. 3.
As can be seen from any of the method and device embodiments above, with the control policy generation method and device provided by the embodiment of the invention, the generated forwarding control policy is issued to the forwarding chip, so that after the interface board receives a data packet, if the egress port of the data packet is determined to be configured with a security service, the forwarding chip forwards the data packet to the corresponding service board for processing according to the forwarding control policy. The invention thus avoids sending all received data packets to the service board for processing, which reduces the service processing pressure on the service board, improves the forwarding efficiency of data packets, reduces the number of service boards that must be deployed, and saves cost for the user.
The foregoing describes only preferred embodiments of the invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.