A route switch has become an important forwarding device in the network.

Source: Internet
Author: User

At present, routing switch equipment in China is developing very rapidly and plays an increasingly important role in network development, which in turn drives the upgrade of routing technology. Traditional routing switches are mainly used for fast packet forwarding, with the emphasis on forwarding performance. With the wide interconnection of LANs and the openness of the TCP/IP protocol suite, network security has become a prominent problem: sensitive data and confidential information leak out of the network and important data devices are attacked. As a key forwarding device in the network environment, the routing switch's original security features no longer meet current security requirements, so the traditional routing switch needs stronger security.

In the view of network equipment manufacturers, security-enhanced switches are upgraded and improved versions of general-purpose switches. In addition to the usual functions, they provide security policy functions that ordinary switches lack. Starting from network security and the user's business applications, this type of switch can enforce specific security policies, prevent viruses and network attacks, restrict illegal access, and support post-event analysis, which effectively protects the normal operation of users' network services. One way to achieve this is to embed various security modules in the existing switch. Different users have different requirements: 25% of users want to add firewall, VPN, data encryption, identity authentication and other functions to the switch, 37% say they need to use dedicated security devices directly, and 48% indicate that both approaches are required.

At this stage, the vast majority of users are interested in security-enhanced switches because of their experience of being attacked. 18% of users are interested in purchasing such switches within three months, 29% will purchase within six months, and 19% intend to purchase within one year; only 34% indicate that they will not consider a purchase in the near future. At the same time, users show a rational attitude towards the price of security-enhanced switches: 8% hope for the same price as traditional switches, 4% accept prices more than 20% higher than traditional switches, and 88% accept a price increase of 10% ~ 20%.

A security-enhanced switch is more intelligent and more secure than a common switch. In terms of system security, such switches implement security mechanisms across the overall architecture from the core to the edge of the network, that is, they encrypt and control network management information through specific technologies. In terms of access security, they use secure access mechanisms including 802.1X access authentication, RADIUS/TACACS+, MAC address verification, and various virtual network technologies. In addition, many switches also add hardware-based security modules. Some switches with intranet security functions better curb the internal network security risks that have proliferated with WLAN applications. The following security technologies are currently commonly used in routing switches.

Traffic control technology limits abnormal traffic through a port to a certain range. Many switches have port-based traffic control functions that implement storm control, port protection, and port security. Flow control is used to notify the peer to temporarily stop sending packets when the switch or the peer switch is congested, so as to avoid packet loss. Broadcast storm suppression limits the volume of broadcast traffic and discards broadcast traffic that exceeds the configured value. However, the switch's traffic control function can only rate-limit the traffic passing through the port as a whole and confine abnormal broadcast and multicast traffic to a certain range; it cannot distinguish normal traffic from abnormal traffic, and it is also difficult to set an appropriate threshold.
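The storm-suppression behaviour just described, as an added example that is not part of the original article: a per-port broadcast/multicast limiter with a sliding one-second window, run over two constructed frame streams to show why a fixed packets-per-second threshold cannot tell a legitimate burst from a storm (the function names and sample traffic are assumptions, not any vendor's implementation).

```python
from collections import deque
from typing import Deque, List, Tuple

# Added example (not the article's code): a per-port broadcast/multicast storm
# suppressor with a sliding one-second window. It demonstrates the caveat in
# the text: a pps threshold cannot tell a legitimate burst from a storm.

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_broadcast_or_multicast(dst_mac: str) -> bool:
    """Broadcast is all ones; multicast has the low bit of the first octet set."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1

def storm_control(frames: List[Tuple[float, str]], threshold_pps: int,
                  window: float = 1.0) -> Tuple[int, int]:
    """Forward unicast freely; cap broadcast/multicast at threshold_pps per
    sliding window. frames are (timestamp_seconds, dst_mac) in time order.
    Returns (forwarded, dropped)."""
    recent: Deque[float] = deque()   # timestamps of recently forwarded B/M frames
    forwarded = dropped = 0
    for ts, dst in frames:
        if not is_broadcast_or_multicast(dst):
            forwarded += 1
            continue
        while recent and ts - recent[0] >= window:
            recent.popleft()
        if len(recent) >= threshold_pps:
            dropped += 1             # over the set value: discard
        else:
            recent.append(ts)
            forwarded += 1
    return forwarded, dropped

def legit_arp_burst() -> List[Tuple[float, str]]:
    # Constructed: 15 ARP requests within 150 ms as a host comes online.
    return [(i / 100, BROADCAST) for i in range(15)]

def broadcast_storm() -> List[Tuple[float, str]]:
    # Constructed: 2000 looped broadcast frames inside one second.
    return [(10 + i / 2000, BROADCAST) for i in range(2000)]
```

With a 10 pps threshold the limiter discards 1990 of the storm's frames but also discards 5 of the host's 15 legitimate ARP requests, which is the trade-off the text points out.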

Access control list (ACL) technology controls access to network resources at the input and output of the switch, to ensure that network devices are not accessed illegally or used as a springboard for attacks. An ACL is a table of rules. The switch executes these rules in sequence against each packet entering the port; each rule either permits or denies packets based on their attributes (such as source address, destination address, and protocol). Because the rules are processed in a fixed order, the relative position of each rule is crucial in determining which packets are and are not allowed through the network.

Balancing security and efficiency: our investigation shows that the rate of concern about switch security problems is as high as 97%. However, about 48% of users worry that enhancing the security functions of the routing switch will affect network throughput, while 34% of users do not care. The users concerned about both security and efficiency are mainly large and medium-sized enterprises.
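The first-match rule ordering described in the ACL passage above, as an added example that is not part of the original article: a minimal ACL evaluator in which the same two rules give opposite verdicts depending on their order, because a broad permit placed first shadows the specific deny below it (Rule, Packet and the addresses are constructed for illustration, not a vendor's ACL syntax).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example (not the article's code): a minimal ACL evaluator showing the
# article's point that rules are processed top-down, the first match decides,
# and anything unmatched falls through to an implicit deny. Rule and Packet
# are hypothetical names, not a vendor's ACL syntax.

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # None means any destination port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every attribute it specifies matches."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the rule table in order; return the first match's action, else deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL

# Constructed policy: block Telnet (TCP/23) from the guest range 10.9.0.0/16,
# permit everything else from the campus range to the server subnet.
CORRECT_ORDER = [
    Rule("deny", "tcp", "10.9.0.0/16", "172.16.0.0/24", 23),
    Rule("permit", "any", "10.0.0.0/8", "172.16.0.0/24"),
]
# The same two rules reversed: the broad permit now shadows the specific deny.
SHADOWED_ORDER = list(reversed(CORRECT_ORDER))
```

Evaluating a guest Telnet packet against CORRECT_ORDER yields "deny", against SHADOWED_ORDER "permit", and a packet from outside 10.0.0.0/8 hits neither rule and is denied implicitly.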

There is indeed a tension between security and efficiency. Technically, most traditional routing switches rely on software and on CPU processing capacity to provide security defense functions. As is well known, virus attacks have a great impact on routing switch performance: when network traffic reaches a certain level, the switch is paralyzed and the network is interrupted. For a switch that implements security functions in hardware, however, processing capacity is fully redundant within the rated load range and performance is not affected. Because data filtering, intelligent recognition of attack sources, and policy lookup are also implemented in hardware, virus-generated traffic does not affect the normal operation of the switch. Only when the volume of virus packets reaches a certain level and the virus is of an unknown type may it affect the routing switch's normal business. A switch with a self-protection function can be configured by priority to discard low-priority and possibly malicious packets, ensuring that high-priority services are not interrupted and the system runs stably. From the above analysis, switching devices with an advanced system architecture can ensure security while maintaining performance. For efficiency-oriented users, it is best to choose a switch that implements security functions in hardware.
