CN101072239B - Method and device for realizing IP address filtering - Google Patents
- Publication number
- CN101072239B (application number CN200710123368.7A)
- Authority
- CN
- China
- Prior art keywords
- address
- mac
- packet
- subclauses
- clauses
- Prior art date
- Legal status
- Expired - Fee Related
Abstract
The method comprises: a switch device receives a packet sent by a user and parses it to obtain the source MAC address, VLAN ID and source IP address; the switch performs a binding-configuration check on the entry of its MAC address table that matches the source MAC address and VLAN ID; it compares the source IP address with the IP address bound in that MAC address table entry; if the two addresses differ, the packet is filtered out, otherwise the packet is forwarded. The invention implements the VID+MAC+IP binding function in a Layer 2 switch device, so that a user must use the bound IP address and cannot configure an arbitrary one, which prevents IP address conflicts and guarantees centralized control.
Description
Technical field
The present invention relates to the technology of realizing IP address filtering in a switch device, and in particular to a method and a device for realizing IP address filtering in a switch device that has a network processor supporting VID+MAC+IP binding.
Background technology
VID means VLAN ID, the identifier of a VLAN (Virtual LAN). In current networks each user's network access port corresponds to one VID, so that the port is isolated at Layer 2 from other VLANs; the VID is used to distinguish different VLANs.
MAC, i.e. the MAC address, is the address used by the Ethernet protocol. It is the physical address of the network interface card used by a PC and is stored in the card's EPROM; the MAC address of each PC is unique, and the MAC address of a given network interface card does not change.
IP, i.e. the Internet Protocol address, is mainly used for data exchange at the IP layer; a user can configure the IP address of a PC at will.
As the sizes of networks such as enterprise networks and campus networks grow day by day, a user who has obtained an IP address and then configures the host with an arbitrary IP address easily causes IP address conflicts. Adopting the filtering technique of VID+MAC+IP binding restricts the user from reconfiguring the IP address after obtaining it, thereby avoiding IP address conflicts and guaranteeing centralized management.
Existing VID+MAC+IP binding technology can be divided into Layer 3 switching technology and Layer 2 switching technology. Layer 3 switching technology is mainly implemented on the basis of DHCP (Dynamic Host Configuration Protocol) Relay, and a Layer 3 interface must be configured before the binding filtering function can be realized. Existing Layer 2 switching technology uses ACL (Access Control List) configuration to filter illegal IP addresses, but the number of ACL entries supported by a switch device is limited.
In summary, the prior art has the problem that realizing VID+MAC+IP binding IP address filtering in a Layer 2 switch device occupies too many ACL entries.
Summary of the invention
The object of the invention is to propose a method and a device for realizing IP address filtering, which solve the prior-art problem that realizing VID+MAC+IP binding IP address filtering in a Layer 2 switch device occupies too many ACL entries.
To achieve the above object, the present invention is specifically realized as follows:
A method for realizing IP address filtering comprises receiving, with a switch device, a packet sent by a user, and further comprises:
Step 1: the packet is analyzed to obtain the source MAC address, VLAN ID and source IP address;
Step 2: a binding-configuration check is performed on the entry of the switch device's MAC address table that matches the source MAC address and VLAN ID;
Step 3: the source IP address is compared with the IP address bound in the switch device's MAC address table; if the two addresses differ, the packet is filtered out, otherwise (the two addresses are identical) the packet is forwarded.
In the method for described realization IP address filtering, in the described step 2,
If clauses and subclauses in the mac address table of switch device and described source MAC, VLAN ID do not match, then directly carry out the transmission of packet.
In the method for described realization IP address filtering, described step 2,
Clauses and subclauses in the mac address table of described switch device if do not bind configuration, are then directly carried out the transmission of packet.
The present invention also proposes a device for realizing IP address filtering, comprising: a receiving module for receiving the packet sent by the user;
an analysis module for analyzing the packet to obtain the source MAC address, VLAN ID and source IP address;
a configuration inspection module for checking whether the binding filtering function is configured on the entry of the switch device's MAC address table that matches the source MAC address and VLAN ID;
and a judgement/processing module for comparing the source IP address with the IP address bound in the switch device's MAC address table, filtering the packet if the addresses differ and forwarding the packet if they are identical.
With the present invention, the VID+MAC+IP binding function is realized in a Layer 2 switch device: the user must use the bound IP address and may not reconfigure it arbitrarily, so IP address conflicts are effectively avoided and centralized management is guaranteed; moreover, the invention is simple and flexible to implement.
Description of drawings
Fig. 1 is a diagram of a user going online with the bound IP address;
Fig. 2 is a diagram of a user going online with an unbound IP address;
Fig. 3 is the main flow chart of the method of the invention.
Embodiment
The main technical idea of the present invention is as follows. When a user's MAC address, VLAN ID and IP address are bound, a special MAC entry is generated in the switch device: the binding flag bit in the entry is set, and the bound IP address is written into the MAC entry at the same time. The user must then use the bound IP address; if the user changes to another IP address, normal communication is impossible because every packet sent is filtered.
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, a PC with MAC address 00-11-C6-5B-D5-80 in VLAN 1 goes online with its bound IP address (192.168.1.1). The switch device first looks up the MAC learning table by MAC+VLAN; the MAC entry obtained has the binding function, so an IP comparison is needed. Comparison result: the source IP of the packet is identical to the IP bound in the MAC entry, so the packet is not filtered but forwarded normally, and the user communicates normally with the outside world.
As shown in Fig. 2, a PC with MAC address 00-11-C6-5B-D5-80 in VLAN 1, whose bound IP address is 192.168.1.1, goes online with an unbound IP address (192.168.1.5). The switch device first looks up the MAC learning table by MAC+VLAN; the MAC entry obtained has the binding function, so an IP comparison is needed. Comparison result: the source IP of the packet differs from the IP bound in the MAC entry, so the packet is filtered out and the user cannot communicate with the outside world.
Fig. 3 is the main flow chart of the method of the invention.
The method of the present invention for realizing IP address filtering is described from the angle of data forwarding and mainly comprises the following steps:
Step 1: the switch device receives a packet sent by the user and parses the packet to obtain its source MAC address, VLAN ID and source IP address;
Step 2: the MAC address table of the switch device is queried with the source MAC address and VLAN ID of the packet;
Step 3: according to the query result, it is judged whether the source MAC address and VLAN ID of the packet match an entry of the switch device's MAC address table; if there is no match, no IP comparison is performed and the data is forwarded normally; if there is a match, proceed to step 4;
Step 4: the binding flag bit in the matching entry of the switch device's MAC address table is checked. If the flag bit is 0, the MAC entry has no binding filtering function configured, no IP comparison is needed, and the data is forwarded normally; if the flag bit is 1, the MAC entry has the binding filtering function configured, an IP comparison is needed, and the method proceeds to step 5;
Step 5: the source IP address of the packet is compared with the IP address bound in the MAC address table. If they differ, the packet is discarded, i.e. filtered out; if they are identical, the packet is forwarded normally.
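The five-step forwarding decision above, together with the Fig. 1 and Fig. 2 cases, as a worked example. This is added illustration code, not code from the patent or its applicant. It assumes a software model of the MAC address table keyed by (MAC, VLAN ID) with a bind flag and a bound IP, recovers the three fields by parsing a raw Ethernet / 802.1Q / IPv4 frame, treats an untagged frame as belonging to the ingress port's default VLAN (`pvid`), and forwards non-IPv4 frames without comparison; the last two points and all destination addresses are assumptions of this example, not statements of the patent.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class MacEntry:
    """One MAC address table entry, keyed externally by (MAC, VLAN ID).
    bind_flag models the patent's binding flag bit; bound_ip is the IP
    address written into the entry when the binding is configured."""
    port: int
    bind_flag: bool = False
    bound_ip: Optional[str] = None


def parse_frame(frame: bytes, pvid: int) -> Tuple[str, int, Optional[str]]:
    """Step 1: recover source MAC, VLAN ID and source IPv4 address.
    Assumption (not in the patent): an untagged frame takes the ingress
    port's default VLAN `pvid`; a non-IPv4 payload yields src_ip=None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = "-".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI carry the VID
        offset = 18
    else:
        vlan = pvid
    if ethertype != ETHERTYPE_IPV4:
        return src_mac, vlan, None
    ip_hdr = frame[offset:offset + 20]
    if len(ip_hdr) < 20:
        raise ValueError("truncated IPv4 header")
    src_ip = ".".join(str(b) for b in ip_hdr[12:16])   # IPv4 source at offset 12
    return src_mac, vlan, src_ip


class L2Switch:
    def __init__(self) -> None:
        self.mac_table: Dict[Tuple[str, int], MacEntry] = {}

    def bind(self, mac: str, vlan: int, ip: str, port: int) -> None:
        """VID+MAC+IP binding: create the special MAC entry with the flag set."""
        self.mac_table[(mac.lower(), vlan)] = MacEntry(port, True, ip)

    def learn(self, mac: str, vlan: int, port: int) -> None:
        """Ordinary dynamic learning: an entry with no binding configured."""
        self.mac_table.setdefault((mac.lower(), vlan), MacEntry(port))

    def filter_decision(self, frame: bytes, pvid: int = 1) -> str:
        """Steps 2-5 of the method; returns 'forward' or 'drop'."""
        src_mac, vlan, src_ip = parse_frame(frame, pvid)
        entry = self.mac_table.get((src_mac, vlan))      # step 2: table lookup
        if entry is None:                                # step 3: no match
            return "forward"
        if not entry.bind_flag:                          # step 4: flag bit 0
            return "forward"
        if src_ip is None:                               # assumption: nothing to compare
            return "forward"
        if src_ip != entry.bound_ip:                     # step 5: mismatch
            return "drop"
        return "forward"


def build_frame(src_mac: str, vlan: Optional[int], src_ip: str,
                dst_ip: str = "192.168.1.254") -> bytes:
    """Constructed test frame: Ethernet [+ 802.1Q] + minimal IPv4 header.
    Destination MAC and IP are made-up values for this example."""
    dst_mac = bytes.fromhex("001122334455")
    src = bytes.fromhex(src_mac.replace("-", "").replace(":", ""))
    hdr = dst_mac + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (ICMP), checksum (0)
    ip_hdr = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 1, 0)
    ip_hdr += bytes(int(o) for o in src_ip.split("."))
    ip_hdr += bytes(int(o) for o in dst_ip.split("."))
    return hdr + ip_hdr + b"\x00" * 20


if __name__ == "__main__":
    sw = L2Switch()
    sw.bind("00-11-C6-5B-D5-80", vlan=1, ip="192.168.1.1", port=3)
    # Fig. 1: bound IP is forwarded; Fig. 2: unbound IP 192.168.1.5 is filtered
    for ip in ("192.168.1.1", "192.168.1.5"):
        print(ip, sw.filter_decision(build_frame("00-11-C6-5B-D5-80", 1, ip)))
```

The decision is keyed on the (MAC, VLAN ID) pair, so the bound IP is enforced only for traffic that looks up to an entry with the flag set; the "no matching entry" and "no binding configured" paths keep the forward-by-default behaviour of claims 2 and 3, which an operator should keep in mind when deciding how unknown or unbound stations on the same port are to be treated.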
Claims (4)
1. A method for realizing IP address filtering, comprising receiving, with a switch device, a packet sent by a user, characterized in that, when a user's MAC address, VLAN ID and IP address are bound, a special MAC entry is generated in the switch device, the binding flag bit in the entry is set and the bound IP address is written into the MAC entry at the same time, and in that the method further comprises:
Step 1: the packet is analyzed to obtain the source MAC address, VLAN ID and source IP address;
Step 2: a binding-configuration check is performed on the entry of the switch device's MAC address table that matches the source MAC address and VLAN ID;
Step 3: the source IP address is compared with the IP address bound in the switch device's MAC address table; if the two addresses differ, the packet is filtered out, otherwise (the two addresses are identical) the packet is forwarded.
2. The method for realizing IP address filtering according to claim 1, characterized in that, in step 2, if no entry in the MAC address table of the switch device matches the source MAC address and VLAN ID, the packet is forwarded directly.
3. The method for realizing IP address filtering according to claim 1 or 2, characterized in that, in step 2, if the matching entry in the MAC address table of the switch device has no binding configured, the packet is forwarded directly.
4. A device for realizing IP address filtering, comprising a receiving module for receiving the packet sent by the user,
characterized in that, when a user's MAC address, VLAN ID and IP address are bound, a special MAC entry is generated in the switch device, the binding flag bit in the entry is set and the bound IP address is written into the MAC entry at the same time, and in that the device further comprises:
an analysis module for analyzing the packet to obtain the source MAC address, VLAN ID and source IP address;
a configuration inspection module for checking whether the binding filtering function is configured on the entry of the switch device's MAC address table that matches the source MAC address and VLAN ID;
and a judgement/processing module for comparing the source IP address with the IP address bound in the switch device's MAC address table, filtering the packet if the addresses differ and forwarding the packet if they are identical.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710123368.7A CN101072239B (en) | 2007-06-25 | 2007-06-25 | Method and device for realizing IP address filtering |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101072239A CN101072239A (en) | 2007-11-14 |
CN101072239B true CN101072239B (en) | 2010-06-02 |
Family
ID=38899226
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200710123368.7A Expired - Fee Related CN101072239B (en) | 2007-06-25 | 2007-06-25 | Method and device for realizing IP address filtering |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101072239B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101610258B (en) * | 2009-07-21 | 2012-03-28 | 北京九方中实电子科技有限责任公司 | Method for filtering DOCSIS MAC address |
US8837281B2 (en) | 2010-09-10 | 2014-09-16 | Futurewei Technologies, Inc. | Use of partitions to reduce flooding and filtering database size requirements in large layer two networks |
CN103501355B (en) * | 2013-09-04 | 2017-09-19 | 福建星网锐捷网络有限公司 | Internet protocol address collision detection method, device and gateway device |
CN104316873B (en) * | 2014-11-13 | 2017-07-28 | 云南电网公司电力科学研究院 | A kind of breaker and mechanism status quaternity identifying system |
CN104348696B (en) * | 2014-11-17 | 2018-03-27 | 京信通信系统(中国)有限公司 | A kind of method and apparatus for dividing multi-VLAN |
CN105681490B (en) * | 2016-03-29 | 2019-10-22 | 上海斐讯数据通信技术有限公司 | A kind of anti-IP address conflict method based on software defined network |
CN112019653B (en) * | 2020-09-09 | 2022-08-12 | 迈普通信技术股份有限公司 | Access switch, IP address deployment method, device and readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1357997A (en) * | 2000-12-15 | 2002-07-10 | 华为技术有限公司 | Virtual local area network access method in Ethernet access network |
CN1403952A (en) * | 2002-09-24 | 2003-03-19 | 武汉邮电科学研究院 | Ethernet confirming access method |
CN1416239A (en) * | 2001-10-31 | 2003-05-07 | 华为技术有限公司 | Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line |
US20060221960A1 (en) * | 2005-04-01 | 2006-10-05 | Gaetano Borgione | Performing extended lookups on mac-based tables |
- 2007-06-25: CN application CN200710123368.7A, granted as CN101072239B; status not active (Expired - Fee Related)
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100602 Termination date: 20160625 |