Novel self-defining ethernet out-of-band data packet filtering method and device

Abstract

The present invention relates to a method and a device for filtering a novel custom Ethernet out-band data packet. The key of the method and the device is that a filter module is additionally arranged between the out-band management interface of the Ethernet switcher and the CPU to extract the keyword of the data packet, to filter the content of the relative data packet, and to operate the discarding or the flow control operation. The method and the device can provide one to seven layers of filtering to the Ethernet out- band data packet, to pre filters the layer 2 or layer 3 or layer 4 data packets used to be processed by the CPU, and the present invention can pre process the special protocol data packets such as an Ethernet broadcast packet, a multicast packet, other Ethernet management protocols, the IP and a high-level IP protocol data packet, an ICMP and an ARP, etc., therefore, the processing efficiency of the CPU is improved, and the overload operation caused by the protocol data packets flooding is avoided, thereby the reliability of the complete Ethernet switcher system is improved.

Description

technical field [0001] The invention relates to the technical field of Ethernet and its high-layer protocol data packet filtering, in particular to a method and a device for filtering Ethernet data packet types, high-level protocol fields and ARP protocol fields. Background technique [0002] With the increasing requirement of the Internet for its main bearer Ethernet equipment to have stronger processing capabilities, Ethernet should be able to provide protocol processing capabilities for data packets based on high-level protocol fields in addition to simple data forwarding. , generally speaking, this processing capability is provided by higher-level Ethernet switches, but for Ethernet switches that are not powerful enough, many protocol processing and network management functions must be provided by the central processing unit (CPU) attached to the device. As shown in Figure 1, this structure greatly enhances the functions of the Layer 2 Ethernet switch, but it also increa...

AI Technical Summary

Problems solved by technology

[0002] With the increasing requirement of the Internet for its main bearer Ethernet equipment to have stronger processing capabilities, Ethernet should be able to provide protocol processing capabilities for data packets based on high-level protocol fields in addition to simple data forwarding. , generally speaking, this processing capability is provided by higher-level Ethernet switches, but for Ethernet switches that are not powerful enough, many protocol processing and network management functions must be provided by the central processing unit (CPU) attached to the device. As shown in Figure 1, this structure greatly enhances the functions of the Layer 2 Ethernet switch, but it also increases the CPU processing load, causing the CPU to crash easily and greatly reducing the reliability of the system.

For example, the CPU must run a protocol stack and support functions such as ARP, ICMP, high-level network management communication, and web interface. Processing the Ethernet and high-level data packets required for various management at a full line speed of 100M brings heavy load to the CPU. Due to the limited processing power of the CPU, it also brings opportunities for external malicious attackers. External attackers can send a large number of Ethernet broadcasts or group Broadcast data packets and BPDU data packets cause flooding on the network, and can also send a large number of ARP requests to the CPU, causing the CPU to continuously process ARP requests and thus fail to complete normal network management functions, and attack on higher-level protocols , such as sending a large number of TCP connection requests, so that the CPU is constantly waiting for the establishment of the connection to delay the normal management process. You can also use the fragmentation function in the IP protocol to send some isolated fragments to the CPU. Only after merging can it be submitted to the upper layer software for processing, so when receiving an isolated fragment, the CPU has to buffer the fragment in the memory buffer. If other fragments of the same data packet do not come, the fragments in the buffer will be It will not be released, which will permanently occupy the storage resources of the CPU

Considering the various unsafe factors and low efficiency of the current CPU+Ethernet switch mode, it is necessary to provide a coprocessor mechanism between the network management interface of the Ethernet switch and the CPU, so that the coprocessor can Filter a large number of meaningless or even dangerous data packets for the CPU, thereby saving CPU resources and computing power, so that the CPU in the switch can concentrate on device management and protocol processing functions. Its new device structure is shown in Figure 2

Images