Disclosure of Invention
The embodiment of the application provides a resource pool data forwarding method and a system, which are used for solving the problem that all traffic is processed by a firewall, so that the traffic forwarding efficiency is reduced and becomes a bottleneck of network forwarding efficiency.
In a first aspect, an embodiment of the present application provides a method for forwarding data in a resource pool, where the method is applied to a data transmission system, where the data transmission system includes a private branch exchange, an access switch, a central switch, a firewall, and an access switch, and the private branch exchange and the access switch are connected through a VPN tunnel through the central switch, where the method includes:
The user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not;
the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel;
The central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through a gateway link through the firewall; the firewall is used for verifying the fifth data packet;
The access switch decapsulates the fourth data packet to obtain a second data packet, and decapsulates the fifth data packet passing verification to obtain a third data packet.
In one possible design, detecting validity of the first data packet by a preset traffic detection mechanism, using the detected first data packet as the second data packet, otherwise, using the detected first data packet as the third data packet, including:
Sending an authentication request of the first data packet to an authentication server to acquire an authentication result of the first data packet; the authentication result is used for indicating whether the first data packet comprises abnormal data or not;
decoding and analyzing the first data packet to obtain an analysis result of the first data packet;
the analysis result is used for indicating whether the first data packet comprises abnormal behaviors or not;
and taking the first data packet which does not comprise the abnormal data and the abnormal behavior as the second data packet, and taking the first data packet which comprises the abnormal data and/or the abnormal behavior as the third data packet.
In one possible design, the access switch performs packet encapsulation on the second data packet to obtain a fourth data packet, and performs packet encapsulation on the third data packet to obtain a fifth data packet, including:
Packaging the second data packet, and inserting the first identifier into a reserved field of the message header to obtain a fourth data packet; packaging the third data packet, and inserting a second identifier into a reserved field of the message header to obtain a fifth data packet; the central switch takes the data packet carrying the first identifier as a fourth data packet and takes the data packet carrying the second identifier as a fifth data packet.
In one possible design, an access switch performs VxLAN formatted packet encapsulation on a data packet;
The second data packet is subjected to message encapsulation, and a first identifier is inserted into a reserved field of a message header to obtain a fourth data packet, wherein the method comprises the following steps:
The second data packet is encapsulated by a virtual extensible local area network, and a first identifier is inserted into a Reserved field of the VxLAN Header to obtain a fourth data packet;
the third data packet is subjected to message encapsulation, and a second identifier is inserted into a reserved field of a message header to obtain a fifth data packet, wherein the method comprises the following steps:
the third data packet is packaged in a virtual extensible local area network, and a second identifier is inserted into a Reserved field of the VxLAN Header to obtain a fifth data packet; wherein the Reserved field where the second identifier is located is the same as the Reserved field where the first identifier is located.
In one possible design, before the access switch performs message encapsulation on the second data packet to obtain the fourth data packet and performs message encapsulation on the third data packet to obtain the fifth data packet, the method further includes:
the access switch writes a plurality of first message information in the second data packet into one item of the white list; wherein the plurality of first message information includes: a source address and a destination address.
In one possible design, after the central switch forwards the fourth data packet to the access switch through the virtual private network tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall, the method further comprises:
The central switch writes a plurality of second message information in the fourth data packet into one entry of the maintenance table; wherein the plurality of second message information includes: vxLAN ID and destination MAC address.
In one possible design, after the access switch writes the first plurality of message information in the second data packet to an entry of the whitelist, the method further comprises:
the access switch sets the failure time of a plurality of first message information in the white list;
After the central switch writes the plurality of second message information in the fourth data packet into an entry of the maintenance table, the method further comprises:
The central switch sets the failure time of a plurality of second message information in the maintenance table.
In one possible design, forwarding the fifth data packet to the access switch via the gateway link through the firewall includes:
the central switch transmits the fifth data packet to the firewall through the gateway link;
the firewall verifies a plurality of data information of the fifth data packet according to the predefined rule; wherein the predefined rules include filter verification, status verification, and intrusion verification, the plurality of data information including source address, destination address, protocol type, and data content;
the firewall forwards the verified fifth data packet to the access switch through the gateway link.
In one possible design, before detecting the validity of the first data packet by using a preset traffic detection mechanism, the method further includes:
the user exchanger collects own equipment operation data and obtains the resource utilization rate of the data transmission system according to the equipment operation data, wherein the equipment operation data comprises interface flow and session quantity, and the resource utilization rate comprises CPU utilization rate and memory utilization rate;
when the resource utilization is greater than a preset threshold, the access switch forwards the first data packet to the access switch over a gateway link through the firewall.
In a second aspect, an embodiment of the present application provides a resource pool data forwarding system, where the method includes:
The user exchanger is used for receiving a first data packet from a data source, detecting the validity of the first data packet through a preset flow detection mechanism, taking the detected first data packet as a second data packet, and taking the detected first data packet as a third data packet;
The access switch is used for carrying out message encapsulation on the second data packet to obtain a fourth data packet, carrying out message encapsulation on the third data packet to obtain a fifth data packet, and transmitting the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
A central switch for forwarding the fourth data packet to the access switch via the virtual private network tunnel and forwarding the fifth data packet to the access switch via a gateway link via the firewall; the firewall is used for verifying the fifth data packet;
And the access switch is used for decapsulating the fourth data packet to obtain the second data packet, and decapsulating the verified fifth data packet to obtain the third data packet.
The user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet; the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
The central switch forwards the fourth data packet to the access switch through the virtual private network tunnel and forwards the fifth data packet to the access switch through a gateway link through the firewall; the firewall is used for verifying the fifth data packet; the access switch decapsulates the fourth data packet to obtain a second data packet, and decapsulates the fifth data packet passing verification to obtain a third data packet. The following technical effects are realized: by avoiding all traffic from bypassing the firewall, unnecessary traffic revolution is reduced, so that the forwarding efficiency of the data packet is improved;
the data transmission is encrypted by a virtual private network tunnel technology, so that the safety of data transmission between different devices and networks is ensured, and the data package is prevented from being stolen or tampered; the central exchanger establishes and maintains a dynamic table according to the legitimacy of the flow, assists the forwarding decision of the subsequent flow, and further optimizes the flow path.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
In the embodiments of the present application, the words "first", "second", etc. are used to distinguish between the same item or similar items that have substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ. It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion. In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more.
It should be noted that "at … …" in the embodiment of the present application may be an instant when a certain situation occurs, or may be a period of time after a certain situation occurs, which is not particularly limited in the embodiment of the present application. In addition, the data transmission method of edge calculation provided by the embodiment of the application is only used as an example, and the data transmission method of edge calculation can also comprise more or less contents.
In order to facilitate the clear description of the technical solutions of the embodiments of the present application, the following simply describes some terms and techniques involved in the embodiments of the present application:
Virtual private network (Virtual Private Network, VPN): a secure, encrypted professional channel can be established over the public network. Through this channel, the user can transmit data as in a private network, ensuring the privacy, security and integrity of the data message.
Virtual professional network tunnel: generally referred to as tunneling in VPN. Virtual private network tunnels create a secure, encrypted private channel over the public network to simulate a point-to-point direct connection.
User plane function (User Plane Function, UPF): is a key component in 5G network architecture, mainly responsible for handling traffic of user data plane, deep packet inspection can be performed, analyzing packet content to identify and filter content-based policies.
Fifth generation mobile communication technology (The 5thGenerationMobileCommunication Technology, 5G).
Access switch (Edge of Routing, EOR): usually referred to as the edge portion of the network, the last router or switch between the network core and the user device, is responsible for routing the user's traffic to the core network or internet, and also is the endpoint of the VPN tunnel, and for encrypting and decrypting data transmitted through the VPN.
Data center network (Spine-and-Leaf): the SPINE switch acts as a core switching layer, responsible for connecting multiple LEAF switches, forwarding packets, and in MEC environments, the SPINE switch may take on additional roles, for example, as a bridge connecting MEC nodes to other network components, supporting efficient data forwarding and network services.
LEAF switches are typically located at the edge of the network fabric, directly connected to terminals, servers, or resource pools, and have a high density of ports that support the connection of a large number of terminal devices.
Firewall (FW): the user monitors the data flow entering and exiting the network, controls and filters the flow according to a set of preset safety rules, and ensures the safety of the resource pool.
Virtual extension local network (Virtual eXtensible Local Area Network, vxLAN) messages: refers to a message in VxLAN format. Which is encapsulated on the basis of standard ethernet frames for transmitting two-layer data frames in an internet protocol (Internet Protocol, IP) network.
Network identifier (VxLAN Network Identifier, VNI): is a key field of VxLAN messages. And is 24 bits in size to distinguish and identify different VxLAN networks.
Source physical address (src.mac Addr): an ethernet header (INNER ETHERNET HEADER) located at the inner layer of the VxLAN message. It represents the physical (MEDIA ACCESS Control Address, MAC) Address of the source device that sent the VxLAN encapsulated packet.
Outer source internet protocol address (Outer src.ip): refers to the source IP address encapsulated in the outermost IP header of the VxLAN message. Which is the IP address of the device sending the VxLAN message, specifically the IP address of the source VxLAN Tunnel Endpoint (VTEP).
Destination internet protocol address (Outer dst.ip): refers to the destination IP address encapsulated in the outermost IP header of the VxLAN message. Which is the IP address of the device receiving the VxLAN message, i.e., the IP address of the destination VxLAN Tunnel Endpoint (VTEP).
Original ethernet frame (Original ETHERNET FRAME): refers to the two-layer data frame prior to the VXLAN encapsulation process. Which contains all the basic components of a conventional ethernet frame.
Reserved identifier (Reserved): the Reserved field is Reserved for future protocol expansion or new characteristics, so that new functions can be added on the premise of not changing the existing protocol structure, and the Reserved field is used for marking the data packet corresponding to legal flow.
Edge computing aims to extend data processing and storage functions from a conventional cloud computing center to edge locations near data sources. In edge computing, data processing occurs closer to the data generation site, typically on a device, sensor, or edge server, rather than on a traditional remote cloud server. Edge computing has wide application potential in various industries, and can realize real-time data analysis and processing and reduce data transmission delay.
MEC is a pool of resources that centralizes computing, storage, and network functions. These resources can be dynamically allocated and managed as needed to meet the computing needs in different application scenarios. The resource pool of the MEC is typically made up of a plurality of physical or virtual nodes that may be deployed on edge devices, base stations, routers, or other edge facilities. The resource pool of the MEC allows for dynamic allocation of computing, storage and network resources according to demand. This means that the application can automatically adjust resource usage based on user location, real-time data requirements, or other conditions to provide better performance and response time. The MEC nodes are located at the edge of the network, closer to the user and the data source. This positional advantage reduces the delay of data transmission and improves data access speed and bandwidth utilization. Particularly for applications requiring fast response (e.g. intelligent transportation, industrial automation), the low latency characteristics of MECs are critical. Moving computing and storage functions to the network edge may help protect data privacy and improve security. Sensitive data can be processed on edge devices, so that abnormal problems of data transmission in a network are reduced, and privacy regulations and safety standards are met.
In the prior art, data sent by a terminal finally reaches a spin switch through network equipment (a base station, a UPF, an EOR switch and a carrier network routing device), and then, the traffic is transmitted to a firewall, and the firewall deploys related policies to selectively process the traffic. The traffic then returns to the SPINE switch, after which it passes through the LEAF switch to the resource pool.
In this process, the firewall is a gateway of the whole network, all traffic (uplink or downlink) needs to be processed by the firewall, and the traffic sent by the MEC resource pool reaches the spin switch through the LEAF switch, then enters the firewall again, returns to the spin after passing through the firewall, and then is sent by the spin, passes through the bearer network, the EOR device and the like, and finally reaches the user terminal.
Since MEC resource pools typically have a high level of security, it is a standard configuration that all traffic enters the firewall. In order to enhance the security of the system, all legal traffic and illegal traffic bypass the firewall, and this operation increases the revolution of the traffic and reduces the forwarding efficiency.
However, in practice, the firewall does not need to configure different flows in a targeted manner, so that the flows are not necessary to revolve around in many times, and may become a bottleneck for network forwarding efficiency.
In order to solve the problem that the flow forwarding efficiency is low due to the fact that all uplink and downlink flows are processed through a firewall and the revolution of the flows is increased, the embodiment of the application designs a flow detection mechanism, and by means of participation of EOR (Ethernet over coax) equipment and the like, marking of characteristic flows and establishment and maintenance of a security policy dynamic table, bypass forwarding processing of all uplink and downlink flows can be avoided, and meanwhile the security of an MEC resource pool is guaranteed.
Based on the above, the embodiment of the application provides a method, a device and a system for forwarding data in a resource pool, which can be used in the field of data transmission and aims to solve the problem that the efficiency of forwarding the traffic is low due to the fact that all uplink and downlink traffic is processed through a firewall and the revolution of the traffic is increased.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic view of a scenario of a resource pool data forwarding method according to an embodiment of the present application. It should be noted that fig. 1 is only an example of a scenario in which an embodiment of the present application may be applied to help those skilled in the art understand the technical content of the present application, but it does not mean that an embodiment of the present application may not be applied to other devices, systems, environments, or scenarios.
As shown in fig. 1, a topology of a data transmission method of edge computation is shown, including: a terminal 110; a base station 120; UPF130; EOR140; SPINE150; a firewall 160; LEAF170; MEC180.
In this scenario, the terminal 110 sends an access request through the base station 120 to request to access the resource pool 180, the back of the base station is connected with the UPF130, the data packet sent by the terminal 110 is received, the flow of the data packet is detected, the UPF130 is connected with two EORs 140 to represent different networks of signal flow, the EORs 140 package the data packet through a VPN tunnel between the EORs 140 and the pline 150, the pline 150 is connected with the firewall 160 and the LEAF170, the data packet is forwarded to the firewall 160 through the pline 150, after verification, the data packet is returned to the pline 150, or the data packet is directly forwarded to the LEAF170 without going around the firewall 160, and a plurality of LEAF170 are connected with different resource pools 180, and finally the data packet sent by the terminal 110 is transmitted to the resource pool 180.
Fig. 2 is a schematic flow chart of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 2, the method is applied to a data transmission system, and then the method includes:
S201, a user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not;
Specifically, the UPF receives a data packet through an N3 interface, the N3 interface is an interface between the base station and the UPF, and the data packet sent by the terminal device is not necessarily legal, so that the preset flow detection mechanism judges the validity of the first data packet, and for the legal data packet and the common data packet processing mode, the legal data packet and the common data packet need to be marked out, the detected first data packet is marked as a second data packet, and the first data packet which does not pass through detection is marked as a third data packet.
S202, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel;
Specifically, the EOR device receives a second data packet and a third data packet with marks, which are sent by the UPF side, and encapsulates the data packet before transmission, wherein the header of the encapsulated packet has two null fields, and bit information in the null fields is set to distinguish the second data packet from the third data packet;
A VPN is a data tunnel in which data transmitted by one VPN and another VPN are isolated from each other and data is not changed during the transmission in the tunnel. This means that if the data enters the VPN tunnel at EOR is legitimate traffic, then it is also legitimate traffic when it exits the tunnel and arrives at the spine switch.
S203, the central switch forwards the fourth data packet to the access switch through the VPN tunnel, and forwards the fifth data packet to the access switch through a gateway link through a firewall;
specifically, the firewall is used for verifying the fifth data packet;
The SPINE receives the fourth data packet, forwards the fourth data packet to the LEAF through the VPN channel, receives the fifth data packet, forwards the fifth data packet to the firewall for verification, returns the verified fifth data packet to the SPINE, forwards the fifth data packet to the LEAF through the VPN channel, and enters the resource pool after the fifth data packet is verified by the firewall as the fifth data packet in the prior art.
S204, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet;
specifically, the LEAF receives a fourth data packet, decapsulates the fourth data packet to obtain a second data packet, accesses a corresponding resource pool according to a destination address in the second data packet, and receives
And the fifth data packet is unpacked to obtain a third data packet, and the corresponding resource pool is accessed according to the destination address in the second data packet.
The embodiment of the application provides a method for forwarding data in a resource pool, wherein a user switch receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet; the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the SPINE through the VPN tunnel; the SPINE forwards the fourth data packet to the LEAF through the VPN tunnel, and forwards the fifth data packet to the LEAF through a gateway link through the firewall; the firewall is used for verifying the fifth data packet;
And the LEAF decapsulates the fourth data packet to obtain a second data packet, and decapsulates the verified fifth data packet to obtain a third data packet. The following technical effects are realized: by avoiding all traffic from bypassing the firewall, unnecessary traffic revolution is reduced, so that the forwarding efficiency of the data packet is improved; the data transmission is encrypted by VPN tunnel technology, so that the safety of data transmission between different devices and networks is ensured, and the data package is prevented from being stolen or tampered;
The SPINE exchanger establishes and maintains a dynamic table according to the legitimacy of the flow, assists the forwarding decision of the subsequent flow, and further optimizes the flow path.
Fig. 3 is a second flowchart of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 3, the method is applied to a data transmission system, and then the method includes:
s301, a user exchanger collects own equipment operation data and obtains the resource utilization rate of a data transmission system according to the equipment operation data;
Specifically, the device operational data includes interface traffic and number of sessions, the resource utilization includes CPU utilization and memory utilization,
And when the resource utilization rate is greater than a preset threshold, the SPINE forwards the first data packet to the LEAF through a gateway link of the firewall, so that the pressure of the UPF is reduced, the UPF and the firewall are ensured to maintain a dynamic adjustment process on the data packet processing, and the stability of the network is enhanced.
S302, a user switch sends an authentication request of a first data packet to an authentication server to acquire an authentication result of the first data packet; decoding and analyzing the first data packet to obtain an analysis result of the first data packet;
Specifically, the authentication server selected in this embodiment is an AAA server, which is a server for network security and management, and the AAA represents identity authentication, authorization and accounting, and in this embodiment, an authentication result is returned by sending an authentication request to the AAA server, where the authentication result is used to indicate whether the first data packet includes abnormal data;
in the embodiment, a deep packet inspection technology is utilized to decode and analyze a first data packet, each field of the first data packet is analyzed, key information such as a source address, a destination address, a protocol type, a port number and the like is extracted, protocol identification is carried out on the first data packet, a network protocol of the data packet is determined, and whether the first data packet has abnormal behaviors can be distinguished by the protocol identification;
UPF predefines security rules matching the characteristics of the first packet, which rules may include blacklisting (refusing access to a specific IP address or domain name) that the first packet cannot access if in the blacklist, detecting large-scale connection requests and first packet size anomalies, etc., UPF has various analysis mechanisms, takes as the second packet a first packet that does not include anomalous data and anomalous behavior, and takes as the third packet a first packet that includes anomalous data and/or anomalous behavior.
S303, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel.
S304, the central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall.
S305, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet.
S303, S304 and S305 are similar to S202, S203 and S204, and will not be described in detail in this embodiment.
The technical effects of the embodiment of the application are as follows: the method comprises the steps of presetting a flow detection mechanism in the UPF, analyzing abnormal data and abnormal behaviors of a first data packet through the flow detection mechanism, distinguishing the first data packet, and respectively marking the first data packet as a second data packet and a third data packet, so that the problems that all data packets sent by a terminal bypass a firewall side for verification, the firewall pressure is increased, and the data packet forwarding efficiency is reduced are solved.
Fig. 4 is a flowchart of a method for forwarding data in a resource pool according to an embodiment of the present application. As shown in fig. 4, the method is applied to a data transmission system, and then the method includes:
S401, the user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet;
s401 is similar to S201, and this embodiment is not described in detail.
S402, the access switch writes a plurality of first message information in the second data packet into one item of the white list, and sets the failure time of the second message information in the maintenance table;
Specifically, the first message information includes: source and destination addresses, including IP addresses and MAC addresses,
The second data packet is a legal data packet which is detected, the source address and the destination address in the second data packet are extracted and written into a white list, the white list only allows the access of known and trusted data sources, the source address and the destination in the second data packet are written into the white list, and the data packet corresponding to the second data packet is directly marked as the second data packet without flow detection when the data packet sends an access request;
legal data packets are not always legal, so that the invalid time is set for all items in the white list, and after the invalid time is exceeded, the data source corresponding to the data packet needs to be authenticated again, and the transmitted data packet needs to be detected again through a flow detection mechanism.
S403, packaging the second data packet, and inserting a first identifier into a reserved field of the message header to obtain a fourth data packet; packaging the third data packet, and inserting a second identifier into a reserved field of the message header to obtain a fifth data packet;
specifically, EOR takes a data packet carrying a first identifier as a fourth data packet, and takes a data packet carrying a second identifier as a fifth data packet;
the EOR device receives a second data packet and a third data packet sent by UPF, the EOR packages the second data packet, in order to distinguish the second data packet from the third data packet after packaging the packet, identifiers are inserted into a reserved field when packaging the packet, the packet format heads of the second data packet and the third data packet are the same, the outer layer of the packet is the source address and the scaring address of the data packet, the data packet is forwarded to the next device according to the scaring address of the packet, and the first identifier and the second identifier are used for distinguishing the second data packet and the third data packet.
S404, performing virtual extensible local area network encapsulation on the second data packet, and inserting a first identifier into a Reserved field of the VxLAN Header to obtain a fourth data packet;
Specifically, EOR encapsulates the data packet in a message of a VxLAN format;
In the EOR encapsulated packet, there is a VxLAN header, in which two Reserved fields are occupied empty fields, and the identifier may be any one of the two Reserved fields, and in this embodiment, the bit in the Reserved field of the second data packet is set to 1 to obtain the fourth data packet.
S405, performing virtual extensible local area network encapsulation on the third data packet, and inserting a second identifier into a Reserved field of the VxLAN Header to obtain a fifth data packet;
Specifically, EOR encapsulates the data packet in a message of a VxLAN format;
in the EOR encapsulated packet, there is a VxLAN header, in which two Reserved fields are occupied empty fields, and the identifier may be any one of the two Reserved fields, and in this embodiment, the bit in the Reserved field of the third data packet is kept unchanged to obtain the fifth data packet.
S406, the central switch forwards the fourth data packet to the access switch through the VPN tunnel and forwards the fifth data packet to the access switch through the gateway link through the firewall.
S407, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the fifth data packet passing the verification to obtain a third data packet.
S406 and S407 are similar to S203 and S204, and the description of this embodiment is omitted.
The technical effects of the embodiment of the application are as follows: and the EOR performs message encapsulation in a VxLAN format on the received data packet, and is used for distinguishing the second data packet from the third data packet, the encapsulated message is convenient for transmission in a data transmission system, and the fourth data packet and the fifth data packet are forwarded to next hop equipment according to the address of the outer layer of the message.
Fig. 5 is a flow chart diagram of a resource pool data forwarding method according to an embodiment of the present application. As shown in fig. 5, the method is applied to a data transmission system, and then the method includes:
S501, the user exchanger receives a first data packet from a data source, detects the validity of the first data packet through a preset flow detection mechanism, takes the detected first data packet as a second data packet, and takes the detected first data packet as a third data packet if not.
S502, the access switch performs message encapsulation on the second data packet to obtain a fourth data packet, performs message encapsulation on the third data packet to obtain a fifth data packet, and transmits the fourth data packet and the fifth data packet to the central switch through the VPN tunnel.
S501 and S502 are similar to S201 and S202, and the description thereof is omitted.
S503, the central switch writes a plurality of second message information in the fourth data packet into one entry of the maintenance table, and sets the failure time of the plurality of second message information in the maintenance table;
specifically, the VxLAN ID and destination MAC address,
Extracting a source address and a destination address in a fourth data packet, writing the source address and the destination address into a maintenance table, wherein the fourth data packet is in an uplink direction, and when the data packet descends from a resource pool to a terminal, the maintenance table mainly aims at the data packet descending, and then the data packet sent by the resource pool address corresponding to the destination address is also defaulted to be a legal data packet, namely the data packet is directly forwarded to EOR through SPINE without passing through a firewall;
The legal data packet is not always legal, so that a failure time is set for the data packet address in the maintenance table, when the failure time is exceeded, the VXLAN ID and the destination address in the maintenance table can be automatically deleted, and when the downlink data packet passes through the SPINE, the data packet is verified by the bypass firewall and then returned to the SPINE, and is forwarded to the EOR.
S504, the central switch transmits the fifth data packet to the firewall through the gateway link;
Specifically, the fifth data packet of the SPINE is transmitted to the firewall, and in the prior art, the data transmission system needs to forward all the data packets to the firewall, return the SPINE after passing the firewall verification, and forward the data packets to the next hop device;
In this embodiment, the fifth data packet is obtained by packaging a third data packet, where the third data packet is a data packet passing through a flow detection mechanism, that is, a data packet corresponding to a common flow, and needs to be verified by a firewall before the data packet enters the resource pool, and the fifth data packet enters the firewall through a gateway link.
S505, the firewall verifies a plurality of data information of the fifth data packet according to a predefined rule, and forwards the verified fifth data packet to the access switch through the gateway link;
specifically, a firewall is a network security device that monitors and controls network traffic in and out;
The firewall decides whether to allow or organize a specific data packet according to a predefined rule, and for a fifth data packet, the firewall verifies the fifth data packet, and verifies the source address, the destination address, the protocol type and the data content of the fifth data packet through filtering verification, state verification and intrusion verification;
the SPINE forwards the fifth data packet to the firewall, the fifth data packet which passes the firewall verification returns to the SPINE, the fifth data packet which passes the firewall verification is forwarded to the LEAF through the SPINE and LEAF transmission link, and the fifth data packet which does not pass the firewall verification is not transmitted;
the firewall forwards the verified fifth data packet to the LEAF through the gateway link.
S306, the access switch de-encapsulates the fourth data packet to obtain a second data packet, and de-encapsulates the verified fifth data packet to obtain a third data packet.
S306 is similar to S204, and the description of this embodiment is omitted.
The technical effects of the embodiment of the application are as follows: before the SPINE forwards the fifth data packet to the LEAF, the fifth data packet is verified through the firewall, only the fifth data packet passing verification can be continuously forwarded, a data packet verification mechanism and a data packet forwarding path are increased, the flexibility of the data transmission system is enhanced, and meanwhile the safety of the system is guaranteed.
In one possible design, EOR sets a failure time of the plurality of first message information in the white list;
Specifically, legal data packets are not always legal, the expiration time is required to be set for entries in the white list, after the expiration time is exceeded, the first message information in the white list is automatically deleted, and the data packet corresponding to the source address needs to be detected again through the flow detection mechanism.
In one possible design, SPINE sets a failure time of a plurality of second message information in the maintenance table;
Specifically, the legal data packet is not always legal, so that a failure time is set for the data packet address in the maintenance table, when the failure time is exceeded, the VXLAN ID and the destination address in the maintenance table are automatically deleted, and when the downlink data packet passes through the SPINE, the data packet is verified by the bypass firewall and then returns to the SPINE, and is forwarded to the EOR.
The application also provides a resource pool data forwarding system, as shown in fig. 2, comprising:
The UPF is used for receiving a first data packet from a data source, detecting the validity of the first data packet through a preset flow detection mechanism, taking the detected first data packet as a second data packet, and taking the detected first data packet as a third data packet if the detected first data packet is not the second data packet;
The EOR is used for carrying out message encapsulation on the second data packet to obtain a fourth data packet, carrying out message encapsulation on the third data packet to obtain a fifth data packet, and transmitting the fourth data packet and the fifth data packet to the central switch through the virtual private network tunnel;
SPINE for forwarding the fourth data packet to the access switch through the virtual private network tunnel and forwarding the fifth data packet to the access switch through the gateway link via the firewall; the firewall is used for verifying the fifth data packet;
The LEAF is used for decapsulating the fourth data packet to obtain a second data packet, and decapsulating the verified fifth data packet to obtain a third data packet;
The resource pool data forwarding system is used for realizing a resource pool data forwarding method.
While the present application has been described with reference to the preferred embodiments shown in the drawings, it will be readily understood by those skilled in the art that the scope of the application is not limited to those specific embodiments, and the above examples are intended only to illustrate the technical aspects of the application, not to limit it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.