Netflow collection, also called netstream collection, refers to sampling of the packets in a network. The sampling results are presented to the operator and the customer of the operator for the purpose of network planning, network detection, user monitoring, application layer monitoring, and security analysis.
In netflow collection, a traffic sampling device such as a router obtains the packet protocol type from the packet header of the packet to be sampled, then resolves the packet according to that protocol type, and completes the packet sampling through resolution.
Currently, the Virtual Private Network (VPN) based on the Multi-Protocol Label Switch (MPLS) technology connects different branches of a private network through a Label Switching Path (LSP), thus forming a unified network.
FIG. 1 shows the MPLS-based VPN networking diagram. The VPN includes: a Customer Edge (CE) device, a Provider Edge (PE) router, and an intermediate (P) router. The CE device is adapted to connect the private network into a backbone network. A CE device may be a router, switch or host. The PE router is located in the backbone network, and is directly connected with the CE device. The PE router is adapted to manage VPN users, create an LSP connection between PE routers, and distribute routes between PE routers. The route distribution between PE routers is performed according to the protocols such as the Label Distribution Protocol (LDP), the Border Gateway Protocol (BGP), and the Resource ReSerVation Protocol (RSVP). The P router is a backbone router in a network of the service provider. It is not directly connected with the CE device. The P router needs to provide only the basic MPLS forwarding capability, and does not maintain VPN information.
During transmission of a packet between PE1 and PE2, when the packet arrives at PE1, the packet is labeled and encapsulated with an MPLS packet header. The packet arrives at PE2 along an LSP composed of a series of P routers according to the label and the label forwarding table. The PE2 removes the label in the packet, and takes the MPLS packet header off the packet before the packet is further forwarded.
The PE1, the PE2 or the intermediate P router may need to collect netflows. For the ingress node PE1, because the packet received by the PE1 is not encapsulated with an MPLS header, the PE1 can obtain the protocol type of the packet by resolving the packet header directly, and then resolve the packet according to the packet protocol type. The packet sampling is performed through resolution. For the egress node PE2, the packet protocol type of the label carried in the packet can be obtained through searching the label distribution information, the packet is resolved according to the packet protocol type, and the packet sampling is performed through resolution. For the intermediate P router, the packet received by the P router is encapsulated with an MPLS header, and the packet protocol type cannot be obtained by resolving the packet header. Conventionally, the netflows are collected on the P router in the following two modes:
Mode 1: The range of labels is sorted out for the PE. For example, a label range corresponds to the packet protocol type “L2VPN”, and another label range corresponds to the packet protocol type “L3VPN”. Afterward, static configuration is performed on the P router. The configured P router stores the information about the packet protocol type corresponding to different label ranges allocated for the PEs. When a P router collects netflows, the P router obtains the address of the node PE2 according to the outer label value carried in the packet, and then searches for the label range of the inner layer carried in the packet among the label information corresponding to the PE2 address. The protocol type corresponding to the label range is the protocol type of the packet. After the packet protocol type is determined, the packet can be resolved according to the packet protocol type. The packets are sampled through resolution. For example, if the packet protocol type is determined as Internet Protocol Version 4 (IPv4), the packets are resolved according to the IP header to implement sampling. If the packet protocol type is determined as L2 Ethernet, the packet is resolved according to the Ethernet header to implement sampling.
Mode 2: The P router determines the packet protocol type of the MPLS packet by testing the Cyclical Redundancy Check (CRC) code. For example, the P router assumes that the packet protocol type is IPv4, and then calculates the CRC code of the IPv4, and checks whether the calculated CRC code is consistent with the CRC code carried in the packet. If they are consistent, it indicates that the packet protocol type is IPv4; if they are not consistent, the P router assumes that the packet protocol type is Internet Protocol Version 6 (IPv6) and then calculates the CRC code of the IPv6, and checks whether the calculated CRC code is consistent with the CRC code carried in the packet. That process goes on until the matching packet protocol type is found.
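The Mode 1 lookup described above can be sketched as follows. This is an added example, not code from the original document; the label values, label ranges, PE addresses and function names are all constructed assumptions.

```python
import struct

# Constructed static configuration for a P router (all values hypothetical).
# Outer (tunnel) label -> address of the egress PE that the LSP leads to.
OUTER_LABEL_TO_PE = {1001: "10.0.0.2", 1002: "10.0.0.3"}
# Egress PE address -> inner-label ranges and the protocol type each implies.
PE_LABEL_RANGES = {
    "10.0.0.2": [(100000, 199999, "L3VPN"), (200000, 299999, "L2VPN")],
    "10.0.0.3": [(50000, 59999, "L3VPN")],
}

def parse_label_stack(packet: bytes):
    """Return ([labels], payload); stops at the bottom-of-stack (S) bit."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        labels.append(entry >> 12)      # top 20 bits are the label value
        if (entry >> 8) & 1:            # S bit set: last entry in the stack
            return labels, packet[offset:]

def classify(packet: bytes):
    """Mode 1: outer label -> egress PE -> inner label range -> protocol type."""
    labels, _payload = parse_label_stack(packet)
    if len(labels) < 2:
        return None                     # no inner label to look up
    pe = OUTER_LABEL_TO_PE.get(labels[0])
    for low, high, proto in PE_LABEL_RANGES.get(pe, []):
        if low <= labels[1] <= high:
            return proto
    return None                         # stale or missing static configuration

def mpls_entry(label: int, bottom: bool, ttl: int = 64) -> bytes:
    """Build one 4-byte label stack entry for the constructed samples."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

# Constructed sample packets: two-entry label stack plus dummy payload bytes.
SAMPLE_L3 = mpls_entry(1001, False) + mpls_entry(150000, True) + b"\x45" + b"\x00" * 19
SAMPLE_L2 = mpls_entry(1001, False) + mpls_entry(250000, True) + b"\x00" * 14
SAMPLE_UNKNOWN = mpls_entry(1002, False) + mpls_entry(150000, True) + b"\x45"

if __name__ == "__main__":
    for name, pkt in [("l3", SAMPLE_L3), ("l2", SAMPLE_L2), ("unknown", SAMPLE_UNKNOWN)]:
        print(name, classify(pkt))
```

The third sample returns no protocol type because its inner label falls outside every range configured for that egress PE, which is what a P router sees when a PE's label range changes and the static table has not been updated.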
In the process of implementing the present invention, the inventor finds at least the following defects in the above conventional art:
For the first mode of collecting netflows through the P router, it is necessary to sort out the label range and perform configuration on the P router. Once the label range changes, the configuration information on each P router needs to be modified accordingly. The modification is performed manually, and is prone to errors. Moreover, the sorting of the label range is not detailed enough. Consequently, accurate sampling cannot be performed for the packet. For example, currently the label range is sorted according to L3VPN and L2VPN, but the L2VPN is subdivided into different link layers such as Point to Point Protocol (PPP), thus making it impossible to determine whether the packet is resolved according to the Ethernet header or according to the IP header before sampling. Meanwhile, in the case of interworking between different manufacturers, each manufacturer sorts the label range according to different criteria, thus leading to inaccurate sampling.
In the second mode of netflow collection through the P router described above, CRC calculation needs to be performed repeatedly, thus decreasing the sampling efficiency drastically. Moreover, due to low precision, the packet protocol type tends to be determined incorrectly, and the packet sampling is inaccurate.