CN107241208B - A message forwarding method, first switch and related system - Google Patents
- Authority
- CN
- China
- Prior art keywords
- firewall
- switch
- network
- session
- interface
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
- H04L41/0663—Performing the actions predefined by failover planning, e.g. switching to standby network elements
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/10—Packet switching elements characterised by the switching fabric construction
Abstract
The embodiments of this application disclose a packet forwarding method, a first switch and a related system. The method includes: a first switch receives a plurality of packets from a first network; the first switch sends the plurality of packets to a first firewall and to a second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical, so that both the first firewall and the second firewall establish, from the session-initial packet among the plurality of packets, a session entry for the session to which that initial packet belongs, the session entry containing a five-tuple that is used to decide whether a packet passing through the firewall belongs to the session; the first switch receives packets of the session coming from a second network and sent by the first firewall; and the first switch forwards the packets of the session coming from the second network to the first network. With this application, when the first firewall fails, the second firewall can take over the first firewall's traffic on the basis of the session entries it established itself, avoiding service interruption.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a packet forwarding method, a first switch and a related system.
Background
The principle of virtualization technology in environments such as VMware (Virtual Machine ware) and KVM (Kernel-based Virtual Machine) is to virtualize the physical resources of one physical machine into multiple virtual machines (VMs), so that each VM can perform the functions of a physical machine. As Network Function Virtualization (NFV) continues to evolve, many traditional gateways, such as firewalls and routers, will be deployed on virtual machines. A disaster-recovery mechanism in which multiple virtual machines back each other up can prevent the services carried by network traffic from being interrupted while a gateway is running.
Refer to FIG. 1, which is a schematic diagram of a prior-art scenario in which a firewall based on virtualization technology, that is, a virtual firewall, forwards packets. Besides the virtual firewalls 101 and 102 shown as examples, other virtual firewalls may exist; FIG. 1 uses two virtual firewalls only as an illustration. Virtual firewall 101 and virtual firewall 102 form a backup group 100 through the Virtual Router Redundancy Protocol (VRRP). The backup group 100 elects one of its virtual firewalls as the master virtual firewall, and the remaining virtual firewalls are backup virtual firewalls. The master firewall performs packet filtering, policy matching and similar processing on packets on the basis of session entries. When the master virtual firewall fails, the backup group 100 elects a new master virtual firewall. When switch 103 and switch 104 send packets to the backup group 100, only the master virtual firewall receives and forwards those packets.
The drawback of the prior art is that, because a firewall normally performs packet filtering or policy matching on the basis of session entries, the current master virtual firewall must periodically back up its session entries to the current backup virtual firewall in order to guarantee that, when the master virtual firewall fails, the backup virtual firewall can take over the master's traffic using the backed-up session entries. If the session entries are not backed up in time, some services are interrupted.
Summary of the invention
Embodiments of the present invention disclose a service forwarding method, a first switch and a related system, which can solve the problem of service interruption caused by session entries not being backed up in time.
In a first aspect, an embodiment of the present invention provides a service forwarding method, which includes:
a first switch receives a plurality of packets from a first network, where the first switch is connected to a first firewall, a second firewall and the first network, the plurality of packets are packets transmitted between the first network and a second network, the first firewall is the active firewall and the second firewall is the standby firewall, the first firewall and the second firewall are each connected to both the first switch and a second switch, and the second switch is also connected to the second network;
the first switch sends the plurality of packets to the first firewall and to the second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical, so that both the first firewall and the second firewall establish, from the session-initial packet among the plurality of packets, a session entry for the session to which that initial packet belongs, where the session entry contains a five-tuple and the five-tuple is used to decide whether a packet passing through the firewall belongs to the session;
the first switch receives packets of the session coming from the second network and sent by the first firewall;
the first switch forwards the packets of the session coming from the second network to the first network.
By performing the above steps, the first switch sends the same packets to the first firewall and the second firewall, so that the two firewalls establish identical session entries from the initial packet among those packets. The second firewall therefore does not need to back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entry it established itself, avoiding service interruption.
With reference to the first aspect, in a first possible implementation of the first aspect, after the first switch sends the plurality of packets to the first firewall and the second firewall respectively, the method further includes:
the first switch detects whether the first firewall has failed, or whether the link between the first switch and the first firewall is down;
if the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first switch receives and forwards the packets of the session coming from the second network and sent by the second firewall.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the first switch detecting whether the first firewall has failed specifically means:
the first switch detects whether the first firewall has failed through the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy promptly when it detects the failure, which improves the performance of the switch.
With reference to the first or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the method further includes:
the first switch does not receive the packets of the session coming from the second network and sent by the second firewall, or receives and discards them.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the first switch includes a first interface connecting the first switch to the first firewall and a second interface connecting the first switch to the second firewall,
before the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first interface is set as the primary interface and the second interface is set as the standby interface; the first switch receives through the first interface, and forwards, the packets of the session coming from the second network and sent by the first firewall, and either does not receive the packets of the session coming from the second network and sent by the second firewall, or receives them through the standby interface and discards the packets of the session coming from the second network that were received through the standby interface;
after the first switch detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the method further includes:
setting the first interface as the standby interface, setting the second interface as the primary interface, and receiving through the second interface, and forwarding, the packets of the session coming from the second network and sent by the second firewall.
In a second aspect, an embodiment of the present invention provides a first switch, where the first switch includes a network interface, a processor and a memory, wherein:
the network interface is configured to receive and send packets;
the memory is configured to store instructions and data;
the processor is configured to read the instructions and data stored in the memory and perform the following operations:
receiving, through the network interface, a plurality of packets from a first network, where the first switch is connected to a first firewall, a second firewall and the first network, the plurality of packets are packets transmitted between the first network and a second network, the first firewall is the active firewall and the second firewall is the standby firewall, the first firewall and the second firewall are each connected to both the first switch and a second switch, and the second switch is also connected to the second network;
sending, through the network interface, the plurality of packets to the first firewall and to the second firewall respectively, the packets sent through the network interface to the first firewall and to the second firewall being identical, so that both the first firewall and the second firewall establish, from the session-initial packet among the plurality of packets, a session entry for the session to which that initial packet belongs, where the session entry contains a five-tuple and the five-tuple is used to decide whether a packet passing through the firewall belongs to the session;
receiving, through the network interface, packets of the session coming from the second network and sent by the first firewall;
forwarding, through the network interface, the packets of the session coming from the second network to the first network.
By performing the above operations, the first switch sends the same packets to the first firewall and the second firewall, so that the two firewalls establish identical session entries from the initial packet among those packets. The second firewall therefore does not need to back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entry it established itself, avoiding service interruption.
With reference to the second aspect, in a first possible implementation of the second aspect, after the processor sends the plurality of packets through the network interface to the first firewall and the second firewall respectively, the processor is further configured to:
detect whether the first firewall has failed, or whether the link between the first switch and the first firewall is down;
if the first firewall has failed or the link between the first switch and the first firewall is down, receive through the network interface, and forward, the packets of the session coming from the second network and sent by the second firewall.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the processor detecting whether the first firewall has failed specifically means:
detecting whether the first firewall has failed through the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy promptly when it detects the failure, which improves the performance of the switch.
With reference to the first or the second possible implementation of the second aspect, in a third possible implementation of the second aspect, before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the processor is further configured to:
not receive the packets of the session coming from the second network and sent by the second firewall, or receive them through the network interface and discard them.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the network interface includes a first interface connecting the first switch to the first firewall and a second interface connecting the first switch to the second firewall,
before the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the first interface is set as the primary interface and the second interface is set as the standby interface; the first switch receives through the first interface, and forwards, the packets of the session coming from the second network and sent by the first firewall, and either does not receive the packets of the session coming from the second network and sent by the second firewall, or receives them through the second interface and discards the packets of the session coming from the second network that were received through the second interface;
after the processor detects that the first firewall has failed or that the link between the first switch and the first firewall is down, it sets the first interface as the standby interface, sets the second interface as the primary interface, and receives through the second interface, and forwards, the packets of the session coming from the second network and sent by the second firewall.
In a third aspect, an embodiment of the present invention provides a first switch, where the first switch includes functional units for performing some or all of the steps of any implementation of the first aspect of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention provides a packet forwarding system, where the system includes a first switch, a second switch, a first firewall and a second firewall, the first switch is connected to the first firewall, the second firewall and a first network, the first firewall is the active firewall and the second firewall is the standby firewall, the first firewall and the second firewall are each connected to both the first switch and the second switch, and the second switch is also connected to a second network, wherein:
the first switch is configured to receive a plurality of packets from the first network, where the plurality of packets are packets transmitted between the first network and the second network, and to send the plurality of packets to the first firewall and to the second firewall respectively, the packets sent by the first switch to the first firewall and to the second firewall being identical;
the first firewall and the second firewall are each configured to establish, from the session-initial packet among the plurality of packets sent by the first switch, a session entry for the session to which that initial packet belongs, where the session entry contains a five-tuple and the five-tuple is used to decide whether a packet passing through the firewall belongs to the session;
the first firewall is further configured to forward packets of the session coming from the second network to the first switch;
the first switch is further configured to receive the packets of the session coming from the second network and sent by the first firewall;
the first switch is further configured to forward the packets of the session coming from the second network to the first network.
By running this system, the first switch sends the same packets to the first firewall and the second firewall, so that the two firewalls establish identical session entries from the initial packet among those packets. The second firewall therefore does not need to back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entry it established itself, avoiding service interruption.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first switch includes a first interface connecting the first switch to the first firewall and a second interface connecting the first switch to the second firewall, and the second firewall is further configured to forward packets of the session coming from the second network to the first switch;
the first switch is configured to detect whether the first firewall has failed or whether the link between the first switch and the first firewall is down, to set the first interface as the primary interface and the second interface as the standby interface before detecting that the first firewall has failed or that the link between the first switch and the first firewall is down, and to set the first interface as the standby interface and the second interface as the primary interface after detecting that the first firewall has failed or that the link between the first switch and the first firewall is down;
before detecting that the first firewall has failed or that the link between the first switch and the first firewall is down, to receive through the first interface and the second interface respectively the packets of the session coming from the second network and sent by the first firewall and by the second firewall, and to discard the packets of the session coming from the second network that were received through the second interface;
after detecting that the first firewall has failed or that the link between the first switch and the first firewall is down, to receive through the second interface the packets of the session coming from the second network and sent by the second firewall, and to forward to the first network the packets of the session coming from the second network that were received through the second interface.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the second firewall is further configured to detect whether it is the standby firewall and, if it is, to refrain from forwarding packets of the session coming from the second network to the first switch and from forwarding packets of the session coming from the first network to the second switch.
By implementing the embodiments of the present invention, the first switch sends the same packets to the first firewall and the second firewall, so that the two firewalls establish identical session entries from the initial packet among those packets. The second firewall therefore does not need to back up the session entry from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entry it established itself, avoiding service interruption.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for the description of the embodiments or the prior art are briefly introduced below.
FIG. 1 is a schematic diagram of a prior-art scenario in which a virtualization-based firewall forwards traffic;
FIG. 2 is a schematic flowchart of a service forwarding method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a service forwarding scenario provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of a logical-link scenario provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a first switch provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another first switch provided by an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a packet forwarding system provided by an embodiment of the present invention.
具体实施方式Detailed ways
下面将结合本发明实施例的附图对本发明实施例的技术方案进行详细描述。The technical solutions of the embodiments of the present invention will be described in detail below with reference to the accompanying drawings of the embodiments of the present invention.
请参见图2,图2是本发明实施例提供的一种业务转发方法的流程示意图,该方法包括但不限于如下步骤。Please refer to FIG. 2. FIG. 2 is a schematic flowchart of a service forwarding method provided by an embodiment of the present invention. The method includes but is not limited to the following steps.
步骤S201:第一交换机接收来自于第一网络的多个报文。Step S201: The first switch receives multiple packets from the first network.
为了更好的理解本发明实施例的方案,首先参照图3对本发明实施例的应用场景进行介绍。图3中,第一交换机311与第一防火墙312、第二防火墙313和第一网络相连,该第二交换机314与第一防火墙312、第二防火墙313和第二网络相连,第一防火墙312为主用防火墙,第二防火墙313为备用防火墙,该第一交换机311和该第二交换机314均获知该第一防火墙311为主用防火墙,获知该第二防火墙314为备用防火墙;该第一网络中存在一个或多个客户端,该第二网络中也存在一个或多个客户端,不管该第一网络中的客户端向该第二网络中的客户端发送什么报文,都要首先将该报文发送给该第一交换机311,上述“多个报文”可以为同一时刻发送的,也可以为一段时间内先后发送的,上述“多个报文”中的“多个”旨在不限定发送的报文的类型。相应地,第一交换机311接收从该第一网络中发来的报文。In order to better understand the solution of the embodiment of the present invention, an application scenario of the embodiment of the present invention is first introduced with reference to FIG. 3 . In FIG. 3, the
需要说明的是,本发明实施例中的第一防火墙312和第二防火墙313对外具有相同的地址信息,例如,具有相同的虚拟的网络协议(Internet Protocol,IP)地址和虚拟的媒体访问控制(Media Access Control,MAC)地址,该第一防火墙312向该第一交换机311发送的报文的源地址与该第二防火墙313向该第一交换机311发送的报文的源地址相同,该第一防火墙312向该第二交换机314发送的报文的源地址与该第二防火墙313向该第二交换机314发送的报文的源地址相同。可选的,该第一防火墙312和该第二防火墙313可以为虚拟的防火墙或物理防火墙,该第一交换机311和该第二交换机314可以为虚拟交换机或物理交换机。It should be noted that the
在一种可选的方案中,该第一交换机311上包括第一接口3111和第二接口3112,该第二交换机314上包括第三接口3141和第四接口3142,该第一交换机311通过该第一接口3111与该第一防火墙312相连,形成连接第一交换机314和第一防火墙312的第一链路315,该第一交换机311通过该第二接口3112与该第二防火墙313相连,形成连接该第一交换机311和第二防火墙的第二链路316,该第二交换机314通过第三接口3141与该第一防火墙312相连,形成连接第二交换机314和第一防火墙312的第三链路317,第二交换机314通过该第四接口3142与该第二防火墙313相连,形成连接第二交换机314和第二防火墙313的第四链路318。如图4所示,可以通过链路聚合的方式将第一链路315和第二链路316捆绑在一起形成一条逻辑链路,图4中的防火墙实际是指第一防火墙312和第二防火墙313,未单独分别画出。类似地,通过链路聚合的方式将第三链路317和第四链路318捆绑在一起形成一条逻辑链路,该链路聚合可以为手工链路聚合,也可以为基于静态链路聚合控制协议(LinkAggregation Control Protocol,LACP)的链路聚合。第一交换机311和第二交换机314均可以基于预先设置的第一防火墙312和第二防火墙313的主备关系,并检测第一防火墙312和第二防火墙313的运行状态,然后基于该主备关系及运行状态等来确定使用哪个链路,第一交换机311和第二交换机314可以通过eth-trunk机制将需要使用的链路上的接口切换为主接口,即优先级较高的接口,使报文可以通过该主接口对应的链路发送和接收。后续为了描述简洁,描述各个设备、接口、链路等时都不再标明编号,例如,第一交换机311描述为第一交换机,不再带编号311。In an optional solution, the
Step S202: The first switch sends the multiple packets to the first firewall and the second firewall respectively.
Specifically, after receiving the multiple packets, the first switch forwards them to both the first firewall and the second firewall; the packets sent to the first firewall are identical to those sent to the second firewall. For example, the first switch sends the multiple packets through the first interface and the second interface. The first switch may send the packets to the two firewalls simultaneously or one after the other; when they are sent in sequence, the order is not limited here. Preferably, the first switch sends the multiple packets to the first firewall and the second firewall simultaneously.
Step S203: The first firewall and the second firewall receive the packets sent by the first switch, determine whether a first packet is present among the received packets, and if so, establish a session according to that first packet.
Specifically, the first firewall and the second firewall each receive the packets sent by the first switch and each parse the received packets to determine whether they include a first packet. The first packet is explained with an example: before client A in the first network can communicate with client B in the second network, a session must be established; once the session is established, data can be transmitted over it. Client A establishes the session with client B by sending a first packet, which is the SYN (synchronous) packet of the three-way handshake used to set up a TCP/IP connection. After the session between client A and client B has been established, data packets can be sent over it to transfer data. On receiving a packet, the first firewall and the second firewall parse it to determine whether it is a first packet or a data packet sent after session establishment.
When the first firewall determines that a received packet is a first packet, it obtains the five-tuple contained in that packet, namely the source IP address, source port, destination IP address, destination port and protocol number, and then creates a session entry from the five-tuple; the session entry contains the five-tuple information. Likewise, when the second firewall determines that a received packet is a first packet, it also obtains the five-tuple from the first packet and creates a session entry from it. Because the packets the first switch sends to the first firewall and to the second firewall are identical, as long as the first packet is not lost in transit, the first firewall and the second firewall create identical session entries from the same first packet.
The "five-tuple" of the embodiment of the present invention is illustrated below with an example. Assume that the IP address of client A is 192.168.1.1, that user abc initiates a TCP connection from port 20000 to client B in order to download a file from client B over the File Transfer Protocol (FTP), and that client B's IP address is 1.1.1.1 with the service provided on port 30000. The five-tuple information contained in the first packet sent by client A to client B is then as shown in Table 1.
Table 1
The five-tuple is used by the first firewall and the second firewall to determine whether subsequently received packets belong to the established session: if parsing a later packet shows that the five-tuple it contains matches the five-tuple of an established session, the packet belongs to that session. Note that although the source and destination IP addresses, and the source and destination ports, are swapped between Table 1 and Table 2, the five-tuple shown in Table 2 is treated as the same five-tuple as the one shown in Table 1.
Table 2
In an optional solution, the first firewall and the second firewall may also establish sessions based on a seven-tuple, which adds two factors, "application" and "user", to the five-tuple; for example, the "application" is the FTP mentioned above and the "user" is the user abc mentioned above. Note that when determining whether a packet belongs to the established session, besides checking whether the packet contains the five-tuple or seven-tuple above, it may also be necessary to check whether the packet contains other factors; which other factors are involved is not limited here.
Step S204: The first firewall forwards the received packets to the second switch.
Specifically, when the packets received by the first firewall include a first packet, then in addition to establishing the session from that first packet, in an optional solution the first firewall also determines whether it is the standby firewall or the active firewall; if it is the active firewall, it forwards the first packet to the second switch. Since the first firewall is initially configured as the active firewall, it forwards the first packet to the second switch. In another optional solution, the first firewall does not determine whether it is active or standby, but directly forwards the received first packet to the second switch. The first packet is ultimately delivered to client B through the second switch so that the session between client A and client B can be established.
Further, when the packets the first firewall receives from the first switch include data packets other than the first packet, the first firewall uses the established session entry to determine whether each data packet belongs to the session corresponding to that entry. If it does, then in an optional solution the first firewall, having learned that it is the active firewall, processes the packet according to the filtering or forwarding policy associated with the session, for example forwarding the data packet to the second switch according to that policy; in another optional solution, the first firewall directly forwards the received data packet to the second switch.
The second firewall handles packets in a similar way to the first firewall. When the packets received by the second firewall include a first packet, then in addition to establishing the session from that first packet, in an optional solution the second firewall also determines whether it is the standby firewall or the active firewall; if it is the standby firewall, the second firewall discards the first packet after receiving it and establishing the session from it. Since the second firewall is initially configured as the standby firewall, it discards the first packet. In another optional solution, the second firewall does not determine whether it is active or standby, but directly forwards the received first packet to the second switch.
Further, when the packets the second firewall receives from the first switch include data packets other than the first packet, the second firewall uses the established session entry to determine whether each data packet belongs to the session corresponding to that entry. If it does, then in an optional solution the second firewall, having learned that it is the standby firewall, discards the data packet; in another optional solution, the second firewall directly forwards the received data packet to the second switch.
The following example illustrates how the first firewall and the second firewall determine whether they are the active or the standby firewall. For example, when the first firewall and the second firewall belong to the same VRRP backup group, each can learn its priority within the backup group through VRRP. If the first firewall's priority is not the highest, the first firewall is the standby firewall in the backup group; if its priority is the highest, it is the active firewall. Likewise, if the second firewall's priority is not the highest, it is the standby firewall in the backup group; if its priority is the highest, it is the active firewall. The first firewall can also learn its priority in other ways; for example, the first switch or the second switch can send a notification message to the first firewall and the second firewall informing them which is the active firewall and which is the standby firewall.
Step S205: The second switch sends packets from the second network to the first firewall.
Specifically, once the session between client A and client B has been established, client B can send packets of the session to client A through the second network. When such a packet reaches the second switch, the second switch forwards it to both the first firewall and the second firewall, for example forwarding the session's packets through the third interface and through the fourth interface. Similarly, client A can send packets of the session to client B through the first network; when such a packet reaches the first switch, the first switch forwards it to both the first firewall and the second firewall, for example through the first interface and through the second interface.
Step S206: The first firewall receives the packets of the session and forwards them to the first switch.
Specifically, the first firewall receives the packet forwarded by the second switch. In an optional solution, the first firewall, having learned that it is the active firewall, determines whether the packet contains the five-tuple of the session entry above and, if so, forwards the packet to the first switch. In another optional solution, the first firewall does not need to confirm whether it is active or standby; it directly determines whether the received packet contains the five-tuple of the session entry and, if so, forwards the packet to the first switch.
When the second switch sends the second firewall the same packets it sends to the first firewall, then in an optional solution the second firewall, having learned that it is the standby firewall, discards the received packets of the session. In another optional solution, the second firewall receives the packets sent by the second switch and, without confirming whether it is active or standby, directly determines whether each packet contains the five-tuple of an established session entry; if so, it forwards the received packet to the first switch.
Step S207: The first switch receives the packets sent by the first firewall.
Step S208: The first switch forwards the packets sent by the first firewall to the first network.
Specifically, after receiving the packets sent by the first firewall, the first switch forwards them into the first network. Note that when the second firewall also forwards packets of the session to the first switch, the first switch either does not receive the packets sent by the second firewall, or receives but discards them. For example, the first switch can set the first interface, which connects to the first firewall, as the primary interface and the second interface, which connects to the second firewall, as the standby interface; the first switch then receives packets through both interfaces but discards those received through the standby interface, or it does not receive packets through the second (standby) interface at all.
By performing steps S201 to S208, the first firewall and the second firewall create a session entry for the same session from the same first packet. While the first firewall is not faulty it forwards the packets of the session; when the first firewall fails, the session entry does not need to be backed up to the second firewall, because the session entry the second firewall created itself can be used to take over forwarding of the session's packets.
Steps S209 to S212 below describe one implementation in which, after an active/standby switchover, the second firewall takes over packet forwarding as the new active firewall.
Step S209: The second switch sends the packets of the session to the second firewall.
Specifically, the second switch can detect in real time or periodically whether the first firewall has failed; alternatively, another device can detect whether the first firewall has failed and notify the second switch of the result. The second switch may detect a failure of the first firewall as follows: using the Bidirectional Forwarding Detection (BFD) mechanism to check whether the link connected to the first firewall, the software of the device hosting the first firewall, or the network card of that device has failed; or determining whether the time during which no packet has been received from the first firewall exceeds a preset threshold, where exceeding the threshold indicates a failure. Of course, other ways of detecting whether the first firewall has failed are also possible; they are not listed one by one here.
When it detects that the first firewall has failed or that the link between the first switch and the first firewall is down, the second switch takes the second firewall as the active firewall. If the second switch then receives a packet from the second network, in an optional solution it sends the packet to the second firewall and no longer to the first firewall; for example, the second switch sets the fourth interface as the new primary interface and the third interface as the standby interface, then sends packets through the fourth interface (the new primary) and not through the third interface (the standby). In another optional solution, after resetting the primary and standby interfaces, the second switch sends the packet to both the first firewall and the second firewall. In yet another optional solution, the second switch sends the packet to the second firewall and also checks whether the first firewall, or the link between the first switch and the first firewall, has recovered; if it has, then the next time the second switch receives a packet from the second network it sends the packet to both the first firewall and the second firewall. Other optional solutions are not listed one by one here.
Step S210: The second firewall receives the packets of the session and forwards them to the first switch.
Specifically, the second firewall receives the packets sent by the second switch and determines whether a first packet is present among them. When the packets received by the second firewall include a first packet, then in addition to establishing the session from that first packet, in an optional solution the second firewall also determines whether it is the standby or the active firewall; if it is the active firewall, it forwards the first packet to the first switch. Since the first firewall has failed, the second firewall has been configured as the active firewall and therefore forwards the first packet to the first switch. In another optional solution, the second firewall does not determine whether it is active or standby, but directly forwards the received first packet to the first switch.
Further, when the packets the second firewall receives from the second switch include data packets other than the first packet, the second firewall uses the established session entry to determine whether each data packet belongs to the session corresponding to that entry. If it does, then in an optional solution the second firewall, having learned that it is the active firewall, forwards the data packet to the first switch; in another optional solution, the second firewall omits confirming whether it is active or standby and directly forwards the received data packet to the first switch.
Note that when the first firewall also receives the packets sent by the second switch and they include a first packet, then in addition to establishing the session from that first packet, in an optional solution the first firewall also determines whether it is the standby or the active firewall; if it is the standby firewall, it discards the first packet after receiving it and establishing the session from it. Because the first firewall was detected as faulty in step S209, it has been configured as the standby firewall rather than the active firewall, and therefore discards the first packet. In another optional solution, the first firewall omits determining whether it is active or standby and directly forwards the received first packet to the first switch.
Further, when the packets the first firewall receives from the second switch include data packets other than the first packet, the first firewall uses the established session entry to determine whether each data packet belongs to the session corresponding to that entry. If it does, then in an optional solution the first firewall, having learned that it is the standby firewall, discards the data packet; in another optional solution, the first firewall omits determining whether it is active or standby and directly forwards the received data packet to the first switch.
Step S211: The first switch receives the packets sent by the second firewall.
Step S212: The first switch forwards the packets sent by the second firewall to the first network.
Specifically, the first switch can detect in real time or periodically whether the first firewall has failed; alternatively, another device can detect whether the first firewall has failed and notify the first switch of the result. The first switch may detect a failure of the first firewall as follows: using the BFD mechanism to check whether the link connected to the first firewall, the software of the device hosting the first firewall, or the network card of that device has failed; or determining whether the time during which no packet has been received from the first firewall exceeds a preset threshold, where exceeding the threshold indicates a failure. Of course, other ways of detecting whether the first firewall has failed are also possible; they are not listed one by one here.
If, while the first firewall is not faulty and the link between the first firewall and the first switch is not down, the first switch does not receive the packets sent by the second firewall, then on detecting that the first firewall has failed or that the link is down, the first switch takes the second firewall as the active firewall, receives the packets sent by the second firewall and forwards them to the first network.
If, while the first firewall is not faulty and the link between the first firewall and the first switch is not down, the first switch receives and discards the packets sent by the second firewall, then on detecting that the first firewall has failed or that the link is down, the first switch takes the second firewall as the active firewall and, instead of discarding the packets sent by the second firewall, forwards them to the first network.
For example, the first switch sets the second interface as the new primary interface and the first interface as the standby interface; the first switch can then receive packets through the second interface, the new primary, and forward the packets received through the second interface to the first network.
In the method described in FIG. 2, the first switch sends the same packets to the first firewall and the second firewall, so that both firewalls create the same session entry from the first packet among those packets. As a result, the second firewall does not need to back up the session entry from the first firewall; when the first firewall fails, the second firewall can directly take over the first firewall's traffic based on the session entry it created itself, avoiding service interruption.
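The session-table mechanism of steps S202 to S208 and the failover of steps S209 to S212 can be walked through end to end in a small simulation. The Python block below is an added example, not code from the patent or from any product; the Packet, Firewall and Switch classes, the direction-independent five-tuple key, the silence timeout value, and the constructed addresses (the Table 1 values plus a stray 10.0.0.9:4444 source that belongs to no session) are all assumptions made for the illustration. It mirrors every packet to both firewalls, has both build the same session entry from the SYN, matches the reply direction (Table 2) against that entry, and then fails the active firewall, using a silence timeout on the switch facing the first network and a BFD-style liveness probe on the switch facing the second network, so that the standby takes over with the entry it built itself.

```python
"""Constructed simulation of the active/standby firewall scheme described above."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP = 6
FiveTuple = Tuple[str, int, str, int, int]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    syn: bool = False  # True marks the session's first packet (the TCP SYN)

def session_key(pkt: Packet) -> FiveTuple:
    """Direction-independent five-tuple: the reply (Table 2) swaps addresses
    and ports but must hit the entry built from the request (Table 1), so the
    two endpoints are ordered canonically before the key is formed."""
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], pkt.proto)

class Firewall:
    def __init__(self, active: bool) -> None:
        self.active = active  # the active unit forwards, the standby drops
        self.alive = True
        self.sessions: Dict[FiveTuple, FiveTuple] = {}

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet to forward, or None when it is dropped."""
        if not self.alive:
            return None
        key = session_key(pkt)
        if pkt.syn:
            self.sessions[key] = key  # step S203: build the entry from the SYN
        elif key not in self.sessions:
            return None  # no established session for this packet
        return pkt if self.active else None  # steps S204/S206

class Switch:
    """Mirrors every packet to both firewalls (step S202); one interface is primary, one standby."""

    def __init__(self, primary: Firewall, standby: Firewall,
                 bfd: bool, timeout: float) -> None:
        self.primary, self.standby = primary, standby
        self.bfd = bfd            # a BFD-style liveness probe is available
        self.timeout = timeout    # silence threshold used as the failure signal
        self.last_seen = 0.0      # last time a packet came back from the primary
        self.failed_over = False

    def check_health(self, now: float) -> bool:
        """Failure detection (steps S209/S212): probe result or silence timeout."""
        if not self.failed_over:
            probe_down = self.bfd and not self.primary.alive
            silent = now - self.last_seen > self.timeout
            if probe_down or silent:
                self.failed_over = True
                self.primary.active = False
                self.standby.active = True  # standby becomes the new active unit
        return self.failed_over

    def forward(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Mirror the packet; before failover only the primary interface's
        result is used and whatever arrives on the standby interface is discarded."""
        failed = self.check_health(now)
        from_primary = self.primary.receive(pkt)
        from_standby = self.standby.receive(pkt)
        if from_primary is not None:
            self.last_seen = now
        return from_standby if failed else from_primary

def run_scenario() -> Dict[str, bool]:
    """Walk the data path of FIG. 2 and then a failover; return named checks."""
    fw1, fw2 = Firewall(active=True), Firewall(active=False)
    sw1 = Switch(fw1, fw2, bfd=False, timeout=3.0)  # faces the first network
    sw2 = Switch(fw1, fw2, bfd=True, timeout=3.0)   # faces the second network

    # Table 1 values: client A 192.168.1.1:20000 -> client B 1.1.1.1:30000 (TCP)
    syn = Packet("192.168.1.1", 20000, "1.1.1.1", 30000, TCP, syn=True)
    data = Packet("192.168.1.1", 20000, "1.1.1.1", 30000, TCP)
    reply = Packet("1.1.1.1", 30000, "192.168.1.1", 20000, TCP)
    stray = Packet("10.0.0.9", 4444, "192.168.1.1", 20000, TCP)  # constructed, no session

    r: Dict[str, bool] = {}
    r["syn_forwarded"] = sw1.forward(syn, now=0.0) is syn
    r["same_entry_on_both"] = fw1.sessions == fw2.sessions and len(fw2.sessions) == 1
    r["reply_matches_session"] = sw2.forward(reply, now=1.0) is reply
    r["stray_dropped"] = sw2.forward(stray, now=1.5) is None

    fw1.alive = False  # the active firewall, or its link, goes down
    r["lost_until_timeout"] = sw1.forward(data, now=2.0) is None
    r["sw1_failover_by_timeout"] = sw1.forward(data, now=4.0) is data
    r["sw2_failover_by_probe"] = sw2.forward(reply, now=4.5) is reply
    r["no_state_sync_needed"] = session_key(reply) in fw2.sessions
    return r
```

Two points the simulation makes visible that the prose only states: the standby accepts the reply after failover only because it saw the same SYN the active unit saw, so the scheme depends on the mirrored first packet not being lost on the standby link, and a packet whose five-tuple matches no entry is dropped by both units regardless of which is active. The timeout-based switch loses the packets that arrive between the failure and the expiry of its silence threshold, which is why the text prefers a BFD check where one is available.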
The method of the embodiment of the present invention has been described in detail above. To facilitate implementation of the above solution, a switch of the embodiment of the present invention is provided below.
Referring to FIG. 5, FIG. 5 shows a first switch 50 provided by an embodiment of the present invention. The first switch 50 includes a processor 501, a memory 502 and a network interface 503, which are connected to one another through a bus.
The memory 502 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), or portable read-only memory (CD-ROM).
The processor 501 may be one or more central processing units (CPUs); where the processor 501 is a single CPU, that CPU may be single-core or multi-core.
The network interface 503 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or a Gigabit Ethernet (GE) interface; the network interface 503 may also be a wireless interface.
The memory 502 is also used to store information such as session entries, related instructions and data.
The processor 501 of the first switch 50 is configured to read the program code stored in the memory 502 and then perform the following operations:
receiving, through the network interface 503, multiple packets from a first network, where the first switch 50 is connected to a first firewall, a second firewall and the first network, the multiple packets are packets transmitted between the first network and a second network, the first firewall is the active firewall, the second firewall is the standby firewall, the first firewall and the second firewall are each connected to the first switch 50 and to a second switch, and the second switch is also connected to the second network;
sending the multiple packets through the network interface 503 to the first firewall and to the second firewall respectively, where the packets sent through the network interface 503 to the first firewall and to the second firewall are identical, so that both the first firewall and the second firewall create, from the session's first packet among the multiple packets, a session entry for the session to which that first packet belongs, the session entry containing a five-tuple used to determine whether a packet passing through the firewall belongs to the session;
receiving, through the network interface 503, packets of the session from the second network sent by the first firewall;
forwarding, through the network interface 503, the packets of the session from the second network to the first network.
By performing the above operations, the first switch 50 sends the same packets to the first firewall and the second firewall, so that both firewalls create the same session entry from the first packet among those packets. As a result, the second firewall does not need to back up the session entry from the first firewall; when the first firewall fails, the second firewall can directly take over the first firewall's traffic based on the session entry it created itself, avoiding service interruption.
In an optional scheme, after sending the multiple packets to the first firewall and to the second firewall respectively through the network interface 503, the processor 501 is further configured to:
detect whether the first firewall has failed, or whether the link between the first switch 50 and the first firewall is down;
if the first firewall has failed, or the link between the first switch 50 and the first firewall is down, receive through the network interface 503 the packets of the session that originate from the second network and are sent by the second firewall, and forward them.
In a further optional scheme, the processor 501 detects whether the first firewall has failed by means of the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy as soon as the failure is detected, which improves the performance of the switch.
In a further optional scheme, before the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is down, the processor 501 is further configured to:
not receive the packets of the session originating from the second network that are sent by the second firewall, or receive those packets through the network interface 503 and discard them.
In a further optional scheme, the network interface 503 comprises a first interface connecting the first switch 50 to the first firewall and a second interface connecting the first switch 50 to the second firewall.
Before the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is down, the first interface is configured as the master interface and the second interface as the standby interface. The first switch 50 receives through the first interface the packets of the session originating from the second network that are sent by the first firewall and forwards them; it either does not receive the corresponding packets sent by the second firewall, or receives them through the second interface and discards every packet of the session originating from the second network that arrived on the second interface.
After the processor 501 detects that the first firewall has failed or that the link between the first switch 50 and the first firewall is down, it configures the first interface as the standby interface and the second interface as the master interface, and receives through the second interface the packets of the session originating from the second network that are sent by the second firewall and forwards them.
It should be noted that the specific implementation of the switch 50 may also refer to the corresponding description of the method embodiment shown in FIG. 2, which is not repeated here.
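The replicate-to-both design described above, as an added example that is not part of the patent (the class names, the sample addresses and ports, and the simplified allow-list policy are assumptions made for this illustration): the first switch hands every network-1 packet to both firewalls, each firewall builds a session entry from the five-tuple of the session's first packet, the switch forwards return traffic only from the master interface and discards the standby's copy, and on failure it swaps the roles without copying any session state. The last function shows the check a practitioner would want before relying on this: because the standby builds its table independently instead of receiving a copy, any difference between the two firewalls' policies produces silently diverging tables, and a session the primary admitted can be dropped on takeover.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self) -> "FiveTuple":
        """Key of the same session as seen in the return direction."""
        return FiveTuple(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Packet:
    key: FiveTuple
    first: bool = False  # True only for a session's first packet (e.g. a TCP SYN)


class Firewall:
    """Stateful firewall model: a session entry (the five-tuple) is created only
    from a session's first packet that the policy allows; every later packet
    must match an existing entry in either direction."""

    def __init__(self, name: str, allow: set):
        self.name = name
        self.allow = allow      # policy: (dst_ip, dst_port) pairs reachable from network 1
        self.sessions = set()   # session table, keyed on the initiator's five-tuple
        self.alive = True

    def process(self, pkt: Packet) -> bool:
        """True if the packet passes this firewall, False if it is dropped."""
        if not self.alive:
            return False
        if pkt.key in self.sessions or pkt.key.reverse() in self.sessions:
            return True
        if pkt.first and (pkt.key.dst_ip, pkt.key.dst_port) in self.allow:
            self.sessions.add(pkt.key)
            return True
        return False


class FirstSwitch:
    """First switch: replicates network-1 packets to both firewalls and forwards
    return traffic from the master interface only (if1 = first firewall, if2 = second)."""

    def __init__(self, fw_a: Firewall, fw_b: Firewall):
        self.interfaces = {"if1": fw_a, "if2": fw_b}
        self.master = "if1"          # if2 starts as the standby interface
        self.delivered_to_net1 = []
        self.discarded = 0

    def from_network1(self, pkt: Packet) -> dict:
        """Identical copy to each firewall, so each builds its own session entry."""
        return {iface: fw.process(pkt) for iface, fw in self.interfaces.items()}

    def from_network2(self, pkt: Packet) -> dict:
        """Return path: each firewall hands its copy to this switch on its own
        interface; only the copy arriving on the master interface reaches network 1."""
        outcome = {}
        for iface, fw in self.interfaces.items():
            if not fw.process(pkt):
                outcome[iface] = "dropped_by_firewall"
            elif iface == self.master:
                self.delivered_to_net1.append(pkt)
                outcome[iface] = "forwarded"
            else:
                self.discarded += 1
                outcome[iface] = "discarded"
        return outcome

    def on_primary_failure(self) -> None:
        """Swap master and standby. No session state is copied: the standby
        already holds the entries it built from the replicated packets."""
        self.master = "if2" if self.master == "if1" else "if1"


def run_scenario() -> dict:
    """Constructed traffic: one HTTPS session from network 1 to network 2, a
    failure of the first firewall mid-session, then a stray packet from network 2."""
    policy = {("10.2.0.5", 443)}
    fw1, fw2 = Firewall("fw1", policy), Firewall("fw2", policy)
    sw = FirstSwitch(fw1, fw2)
    flow = FiveTuple("10.1.0.7", "10.2.0.5", "tcp", 51000, 443)
    sw.from_network1(Packet(flow, first=True))        # first packet replicated to both firewalls
    sw.from_network2(Packet(flow.reverse()))          # reply: master copy forwarded, standby copy discarded
    fw1.alive = False                                 # first firewall fails
    sw.on_primary_failure()                           # switch promotes if2 (as it would once BFD reports Down)
    after = sw.from_network2(Packet(flow.reverse()))  # standby serves the session from its own entry
    stray = FiveTuple("10.2.0.9", "10.1.0.7", "tcp", 4444, 51000)
    blocked = sw.from_network2(Packet(stray))         # no entry in any table: still dropped after takeover
    return {"delivered": len(sw.delivered_to_net1), "discarded": sw.discarded,
            "takeover": after["if2"], "stray": blocked["if2"],
            "tables_equal": fw1.sessions == fw2.sessions}


def policy_drift_breaks_takeover() -> bool:
    """Caveat: the scheme assumes both firewalls apply the same policy. If the
    standby's policy lacks the rule, it never builds the entry and the session
    dies on failover, with no sync error to warn anyone."""
    fw1, fw2 = Firewall("fw1", {("10.2.0.5", 443)}), Firewall("fw2", set())
    sw = FirstSwitch(fw1, fw2)
    flow = FiveTuple("10.1.0.7", "10.2.0.5", "tcp", 51000, 443)
    sw.from_network1(Packet(flow, first=True))
    fw1.alive = False
    sw.on_primary_failure()
    return sw.from_network2(Packet(flow.reverse()))["if2"] == "dropped_by_firewall"
```

Calling run_scenario() shows the session surviving the failover (two return packets delivered, the standby's pre-failover copy discarded, both session tables equal) while a packet matching no session entry is still dropped by the standby after it takes over. The model keeps the switch-side discard of the embodiment above; it does not model the standby firewall suppressing its own forwarding, which the system embodiment later describes as an alternative.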
Refer to FIG. 6. FIG. 6 is a schematic structural diagram of a further first switch 60 provided by an embodiment of the invention. The first switch 60 may comprise a receiving unit 601 and a sending unit 602, which are described in detail below.
The receiving unit 601 is configured to receive multiple packets from a first network. The first switch 60 is connected to a first firewall, a second firewall and the first network; the multiple packets are packets transmitted between the first network and a second network; the first firewall is the active firewall and the second firewall is the standby firewall; the first firewall and the second firewall are each connected to the first switch 60 and to a second switch, and the second switch is also connected to the second network.
The sending unit 602 is configured to send the multiple packets to the first firewall and to the second firewall respectively, where the packets that the first switch 60 sends to the first firewall and to the second firewall are identical, so that both firewalls create, from the first packet of a session among the multiple packets, a session entry for the session to which that first packet belongs; the session entry contains a five-tuple, which is used to decide whether a packet passing through the firewall belongs to the session.
The receiving unit 601 is further configured to receive the packets of the session that originate from the second network and are sent by the first firewall.
The sending unit 602 is further configured to forward the packets of the session originating from the second network to the first network.
By running the above units, the first switch 60 sends the same packets to the first firewall and to the second firewall, so that the two firewalls build identical session entries from the first packet of each session. The second firewall therefore does not need to back up the session entries from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entries it built itself, and service is not interrupted.
In an optional scheme, the first switch 60 further comprises a detection unit, configured to detect, after the sending unit 602 has sent the multiple packets to the first firewall and to the second firewall respectively, whether the first firewall has failed or whether the link between the first switch 60 and the first firewall is down.
If the first switch 60 detects that the first firewall has failed, or that the link between the first switch 60 and the first firewall is down, the receiving unit 601 is further configured to receive the packets of the session originating from the second network that are sent by the second firewall, and the sending unit 602 is further configured to forward them.
In a further optional scheme, the detection unit is specifically configured to detect whether the first firewall has failed by means of the Bidirectional Forwarding Detection (BFD) mechanism.
Specifically, the switch itself detects whether the first firewall has failed, so that it can adjust its packet forwarding policy as soon as the failure is detected, which improves the performance of the switch.
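The BFD-based detection in the paragraphs above decides how long the gap is between the first firewall dying and the switch promoting the second interface; during that gap the switch still discards the standby's copies of return traffic, so those packets are lost even though the standby holds the right session entry. The following is an added example, not taken from the patent, that models this on a constructed timeline. The BfdSession class, the 10 ms simulation step and the interval and multiplier values are assumptions made for the illustration; real BFD (RFC 5880) derives the detection time from the peer's detect multiplier and the interval negotiated between both peers' timers, which this model collapses into a single tx_interval_ms.

```python
class BfdSession:
    """Liveness monitor on the switch for one firewall, in the style of BFD
    (RFC 5880): the peer is expected to send a control packet every
    tx_interval_ms and is declared Down once detect_mult * tx_interval_ms
    elapse without one (the detection time)."""
    UP, DOWN = "Up", "Down"

    def __init__(self, tx_interval_ms: int, detect_mult: int = 3):
        self.detection_time_ms = detect_mult * tx_interval_ms
        self.last_rx_ms = None
        self.state = self.DOWN

    def on_control_packet(self, now_ms: int) -> None:
        self.last_rx_ms = now_ms
        self.state = self.UP

    def poll(self, now_ms: int) -> str:
        """State at now_ms; expires the session when the detection timer runs out."""
        if self.state == self.UP and now_ms - self.last_rx_ms >= self.detection_time_ms:
            self.state = self.DOWN
        return self.state


def simulate_failover(tx_interval_ms: int = 100, detect_mult: int = 3, fail_at_ms: int = 1000,
                      return_every_ms: int = 50, horizon_ms: int = 2000) -> dict:
    """Constructed timeline in 10 ms steps: the first firewall sends BFD control
    packets until it dies at fail_at_ms; return-path packets for an existing
    session arrive every return_every_ms. While the switch still treats the
    first interface as master, those packets are lost: the first firewall is
    gone and the standby's copies are being discarded."""
    bfd = BfdSession(tx_interval_ms, detect_mult)
    master = "if1"
    detected_at_ms = None
    lost = delivered = 0
    for now in range(0, horizon_ms + 1, 10):
        fw1_alive = now < fail_at_ms
        if fw1_alive and now % tx_interval_ms == 0:
            bfd.on_control_packet(now)
        if master == "if1" and bfd.poll(now) == BfdSession.DOWN:
            detected_at_ms, master = now, "if2"      # role swap: if2 becomes the master interface
        if now > 0 and now % return_every_ms == 0:
            if master == "if1" and not fw1_alive:
                lost += 1                            # master copy never arrives, standby copy discarded
            else:
                delivered += 1
    return {"detection_time_ms": bfd.detection_time_ms, "detected_at_ms": detected_at_ms,
            "lost": lost, "delivered": delivered}
```

With the defaults the firewall is declared Down 300 ms after its last control packet and four return-path packets are lost; a 10 ms interval cuts that to one. The trade-off is the usual one for BFD: a shorter interval and a smaller multiplier shrink the outage but make transient congestion or a busy firewall CPU look like a failure and trigger a needless role swap.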
In a further optional scheme, the first switch 60 further comprises a discarding unit. Before the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is down, the receiving unit 601 is further configured not to receive the packets of the session originating from the second network that are sent by the second firewall, or the receiving unit 601 receives those packets and the discarding unit discards them.
In a further optional scheme, the first switch 60 comprises a first interface connecting the first switch 60 to the first firewall and a second interface connecting the first switch 60 to the second firewall.
Before the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is down, the first interface is configured as the master interface and the second interface as the standby interface. The receiving unit 601 of the first switch 60 receives through the first interface the packets of the session originating from the second network that are sent by the first firewall, and the sending unit 602 forwards them; the receiving unit 601 either does not receive the corresponding packets sent by the second firewall, or receives them through the standby interface and the discarding unit discards every packet of the session originating from the second network that the receiving unit 601 received on the standby interface.
The first switch 60 further comprises a configuration unit, configured to set the first interface as the standby interface and the second interface as the master interface after the detection unit detects that the first firewall has failed or that the link between the first switch 60 and the first firewall is down. Once the configuration unit has made the second interface the master interface, the receiving unit 601 is further configured to receive through the second interface the packets of the session originating from the second network that are sent by the second firewall, and the sending unit 602 is further configured to forward the packets that the receiving unit 601 received on the second interface.
It should be noted that the specific implementation of the switch 60 may also refer to the corresponding description of the method embodiment shown in FIG. 2, which is not repeated here.
The method and the switch of the embodiments of the invention have been described in detail above. To facilitate the implementation of the above solutions, a system according to an embodiment of the invention is provided below.
Refer to FIG. 7. FIG. 7 shows a packet forwarding system 70 provided by an embodiment of the invention. The packet forwarding system 70 comprises a first switch 701, a second switch 702, a first firewall 703 and a second firewall 704. The first switch 701 is connected to the first firewall 703, the second firewall 704 and the first network; the first firewall 703 is the active firewall and the second firewall 704 is the standby firewall; the first firewall 703 and the second firewall 704 are each connected to the first switch 701 and to the second switch 702, and the second switch 702 is also connected to the second network. In the system:
the first switch 701 is configured to receive multiple packets from the first network, the multiple packets being packets transmitted between the first network and the second network, and to send the multiple packets to the first firewall 703 and to the second firewall 704 respectively, where the packets that the first switch 701 sends to the first firewall 703 and to the second firewall 704 are identical;
the first firewall 703 and the second firewall 704 are each configured to create, from the first packet of a session among the multiple packets sent by the first switch 701, a session entry for the session to which that first packet belongs; the session entry contains a five-tuple, which is used to decide whether a packet passing through the firewall belongs to the session;
the first firewall 703 is further configured to forward the packets of the session originating from the second network to the first switch 701;
the first switch 701 is further configured to receive the packets of the session originating from the second network that are sent by the first firewall 703;
the first switch 701 is further configured to forward the packets of the session originating from the second network to the first network.
By running the packet forwarding system 70, the first switch 701 sends the same packets to the first firewall 703 and to the second firewall 704, so that the two firewalls build identical session entries from the first packet of each session. The second firewall 704 therefore does not need to back up the session entries from the first firewall 703: when the first firewall 703 fails, the second firewall 704 can take over the first firewall's traffic directly on the basis of the session entries it built itself, and service is not interrupted.
In an optional scheme:
the first switch 701 comprises a first interface connecting the first switch 701 to the first firewall 703 and a second interface connecting the first switch 701 to the second firewall 704, and the second firewall 704 is further configured to forward the packets of the session originating from the second network to the first switch 701;
the first switch 701 is configured to detect whether the first firewall 703 has failed or whether the link between the first switch 701 and the first firewall 703 is down; before it detects such a failure or link break it configures the first interface as the master interface and the second interface as the standby interface, and after it detects one it configures the first interface as the standby interface and the second interface as the master interface;
before detecting that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, the first switch 701 receives through the first interface and through the second interface the packets of the session originating from the second network that are sent by the first firewall 703 and by the second firewall 704 respectively, and discards the packets of the session originating from the second network that were received through the second interface;
after detecting that the first firewall 703 has failed or that the link between the first switch 701 and the first firewall 703 is down, the first switch 701 receives through the second interface the packets of the session originating from the second network that are sent by the second firewall 704, and forwards the packets received through the second interface to the first network.
In a further optional scheme, the second firewall 704 is further configured to check whether it is the standby firewall; if it is, it refrains from forwarding the packets of the session originating from the second network to the first switch 701 and from forwarding the packets of the session originating from the first network to the second switch 702.
Further, the specific implementation of the first switch 701 may refer to that of the first switch 50 in the embodiment of FIG. 5 and of the first switch 60 in the embodiment of FIG. 6; the specific implementation of the second switch 702 may refer to that of the second switch in the embodiments of FIG. 5 and FIG. 6; the specific implementation of the first firewall 703 may refer to that of the first firewall in the embodiments of FIG. 5 and FIG. 6; and the specific implementation of the second firewall 704 may refer to that of the second firewall in the embodiments of FIG. 5 and FIG. 6.
In summary, by implementing the embodiments of the invention, the first switch sends the same packets to the first firewall and to the second firewall, so that both firewalls build identical session entries from the first packet of each session. The second firewall therefore does not need to back up the session entries from the first firewall: when the first firewall fails, the second firewall can take over the first firewall's traffic directly on the basis of the session entries it built itself, and service is not interrupted.
Those of ordinary skill in the art will understand that all or part of the procedures of the methods in the above embodiments can be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the method embodiments described above. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
The above embodiments disclose only preferred embodiments of the invention and do not limit its scope. Those of ordinary skill in the art will understand that equivalent variations of all or part of the procedures of the above embodiments, made in accordance with the claims of the invention, still fall within the scope of the invention.
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610186891.3A CN107241208B (en) | 2016-03-29 | 2016-03-29 | A message forwarding method, first switch and related system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610186891.3A CN107241208B (en) | 2016-03-29 | 2016-03-29 | A message forwarding method, first switch and related system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107241208A CN107241208A (en) | 2017-10-10 |
CN107241208B true CN107241208B (en) | 2020-02-21 |
Family
ID=59983866
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610186891.3A Active CN107241208B (en) | 2016-03-29 | 2016-03-29 | A message forwarding method, first switch and related system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107241208B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108989352B (en) * | 2018-09-03 | 2022-11-11 | 平安科技(深圳)有限公司 | Firewall implementation method and device, computer equipment and storage medium |
CN110138656B (en) * | 2019-05-28 | 2022-03-01 | 新华三技术有限公司 | Service processing method and device |
CN111181985B (en) * | 2019-12-31 | 2022-11-11 | 奇安信科技集团股份有限公司 | Data transmission method, data transmission system, firewall device and storage medium |
CN111314200B (en) * | 2020-02-29 | 2023-10-20 | 新华三技术有限公司 | Message forwarding method and device |
CN114301766B (en) * | 2021-12-30 | 2024-07-19 | 山石网科通信技术股份有限公司 | Communication method, device, storage medium and processor |
CN115225397B (en) * | 2022-07-22 | 2024-05-03 | 山石网科通信技术股份有限公司 | Control method, control device, firewall and computer readable storage medium |
CN116633885A (en) * | 2023-04-20 | 2023-08-22 | 杭州迪普科技股份有限公司 | Firewall dual-machine switching setting method and device |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101257490A (en) * | 2008-02-03 | 2008-09-03 | 杭州华三通信技术有限公司 | Method and device for processing packet under fireproof wall side road mode |
CN101848100A (en) * | 2009-03-23 | 2010-09-29 | 北京鼎信高科信息技术有限公司 | Fire wall dual-computer hot-standby system based on CONNTRACK synchronism |
CN101557317B (en) * | 2009-05-26 | 2011-06-29 | 杭州华三通信技术有限公司 | System, device and method for realizing session active backup in dual-machine hot standby network |
US8001279B2 (en) * | 2001-12-21 | 2011-08-16 | International Business Machines Corporation | Method of synchronizing firewalls in a communication system based upon a server farm |
CN102821099A (en) * | 2012-07-24 | 2012-12-12 | 北京星网锐捷网络技术有限公司 | Message forwarding method, message forwarding equipment and message forwarding system |
CN102904818A (en) * | 2012-09-27 | 2013-01-30 | 北京星网锐捷网络技术有限公司 | Method and device for updating ARP (Address Resolution Protocol) information table |
CN103441987A (en) * | 2013-07-30 | 2013-12-11 | 曙光信息产业(北京)有限公司 | Method and device for managing dual-computer firewall system |
CN103973674A (en) * | 2014-04-09 | 2014-08-06 | 汉柏科技有限公司 | Method and device for synchronizing host and backup information |
CN104506513A (en) * | 2014-12-16 | 2015-04-08 | 北京星网锐捷网络技术有限公司 | Firewall flow graph backup method, firewall and firewall system |
Also Published As
Publication number | Publication date |
---|---|
CN107241208A (en) | 2017-10-10 |
Similar Documents
Publication | Title |
---|---|
CN107241208B (en) | A message forwarding method, first switch and related system |
CN108574614B (en) | Message processing method, device and network system |
CN105164991B (en) | Redundant Network Protocol System |
CN113709057B (en) | Network congestion notification method, proxy node, network node and computer equipment |
US9219640B2 (en) | Performing failover in a redundancy group |
EP3605968B1 (en) | N:1 stateful application gateway redundancy model |
CN107005428B (en) | System and method for state replication of virtual network function instances |
US9755958B2 (en) | Fast convergence in VRRP with multipoint bidirectional forwarding detection |
CN104081731B (en) | Network system and method for managing topology |
CN105379208B (en) | Multi-connection system and method for internet protocol |
EP3232611B1 (en) | Method, device and system for performing bidirectional forwarding detection on an aggregated link |
US10581669B2 (en) | Restoring control-plane connectivity with a network management entity |
CN106656857B (en) | Message speed limiting method and device |
WO2010000146A1 (en) | Method, firewalls and network system for realizing information backup |
CN110324254A (en) | The transmission of message is carried out using the network interface controller on subnet |
WO2021093797A1 (en) | Information reporting method and information processing method, and device |
WO2017129011A1 (en) | Message processing method and network device |
CN103117930B (en) | The detection method of static routing configuration and device |
US10447581B2 (en) | Failure handling at logical routers according to a non-preemptive mode |
CN107332793B (en) | A message forwarding method, related equipment and system |
CN106487696B (en) | Link failure detection method and device |
CN109005116B (en) | Message forwarding method and device |
EP3291486B1 (en) | Selective transmission of bidirectional forwarding detection (bfd) messages for verifying multicast connectivity |
CN109995725A (en) | A kind of implementation method and device of cloud computing status firewall |
CN107241455B (en) | Apparatus and method for performing duplicate address detection for integrated routing and bridging devices |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |