A software-defined network (Software Defined Network, hereinafter referred to as SDN) is a network architecture that separates the control plane of a network from its forwarding plane. A controller on the control plane deploys a higher-layer policy, and a network device on the forwarding plane forwards data flows under the guidance of that policy. This relieves the network device of the various complex functions it originally carried and improves the flexibility and integrity of the network.
In an existing SDN, the controller uses a preset network defense policy to perform defense against each data flow that is to enter a subnet; that is, the controller applies the preset network defense policy to filter the data flow before it enters the subnet. Only a data flow that has passed this filtering can be forwarded into the subnet by the switch of that subnet, which ensures network security.
However, when network defense is performed by the method in the prior art, the controller needs to perform data flow filtering on all data flows that enter the subnets, so the load on the controller is increased and its processing performance is reduced.
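As an added illustration that is not part of the original text, a small Python model of the arrangement described above: the controller holds the preset defense policy, and the switch of each subnet hands every flow destined for its subnet to the controller for filtering before forwarding it. The rule format, subnet addresses and sample flows are constructed for this example; the `packet_ins` counter makes the load point visible, since the controller evaluates its policy once for every flow entering any subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Flow:                      # constructed (dst, proto, dport) of one data flow
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:                      # one entry of the preset defense policy
    action: str                  # "allow" or "deny"
    dst_net: str                 # subnet the rule protects
    proto: str = "*"             # "*" matches any protocol
    dport: Optional[int] = None  # None matches any port
    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("*", f.proto)
                and self.dport in (None, f.dport))

class Controller:                # control plane holding the preset policy
    def __init__(self, policy: List[Rule]):
        self.policy, self.packet_ins = policy, 0  # packet_ins = load metric
    def filter_flow(self, f: Flow) -> bool:
        self.packet_ins += 1              # every flow costs one policy evaluation
        for rule in self.policy:          # first match wins
            if rule.matches(f):
                return rule.action == "allow"
        return False                      # default deny

class Switch:                    # forwarding plane of one subnet
    def __init__(self, subnet: str, ctrl: Controller):
        self.subnet, self.ctrl, self.forwarded = ipaddress.ip_network(subnet), ctrl, []
    def receive(self, f: Flow) -> bool:
        # ignore flows for other subnets; hand the rest up to the controller
        if ipaddress.ip_address(f.dst) not in self.subnet or not self.ctrl.filter_flow(f):
            return False
        self.forwarded.append(f)          # only filtered flows are forwarded
        return True

def run_demo():
    ctrl = Controller([Rule("allow", "10.0.1.0/24", "tcp", 443),
                       Rule("allow", "10.0.2.0/24", "udp", 53)])
    switches = [Switch("10.0.1.0/24", ctrl), Switch("10.0.2.0/24", ctrl)]
    flows = [Flow("10.0.1.5", "tcp", 443),  # constructed traffic
             Flow("10.0.1.5", "tcp", 23),
             Flow("10.0.2.9", "udp", 53),
             Flow("10.0.2.9", "tcp", 445)]
    forwarded = sum(sw.receive(f) for f in flows for sw in switches)
    return forwarded, ctrl.packet_ins  # (2, 4): controller evaluated every flow
```

Doubling the number of subnets or flows doubles `packet_ins` while the forwarding work stays spread over the switches, which is the asymmetry the text describes.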