CN1310467C - Port based network access control method - Google Patents
- Publication number: CN1310467C (application CN03145612A)
- Authority: CN (China)
- Prior art keywords: message, port, address, network, network access
- Legal status: Expired - Lifetime (the status is Google's assumption, not a legal conclusion)
- Landscapes: Small-Scale Networks (AREA)
Abstract
The invention relates to a network access control method based on the ports of a network access device. The method is: configure, according to the address information carried in a packet, how packets passing through a port of the network access device are processed; obtain the address information of a packet passing through that port, and process the packet according to the obtained address information and the corresponding configuration. The invention binds the user's source MAC address and source IP address to the corresponding port, and binds each VLAN ID supported by the switch to the member ports of that VLAN ID, which effectively prevents illegitimate users who forge a source MAC address, source IP address or VLAN ID from maliciously accessing or attacking the network. The invention also restricts, according to the destination address, packets that enter the network through a port of the network access device, including network access control for broadcast packets, unicast packets, multicast packets, packets sent to servers, and packets with specific destination MAC addresses, which effectively prevents legitimate users from maliciously attacking the network by forging certain destination MAC addresses.
Description
Technical field
The invention relates to the field of network communication technology, and in particular to a port-based network access control method.
Background
With the development of network communication technology, Ethernet has become widespread in daily life. Networks bring great convenience to people's work and lives; in particular, large and medium-sized enterprise networks greatly facilitate information exchange among internal users and between internal and external users.
In an enterprise network, if the Ethernet switch through which a user connects provides no corresponding security protection, then anyone who plugs into the switch can reach devices and resources on the Internet. Moreover, TCP/IP (Transmission Control Protocol/Internet Protocol), on which the Internet is built, has no security of its own and provides an open environment. The free and widespread use of networks, together with the "popularity" of hacking, therefore exposes network security to serious threats such as leakage of confidential data and malicious attacks. For this reason the Ethernet switch, as the key device for communication inside an enterprise network, must provide sufficient security protection within the enterprise network to address the security problems of an open environment.
In view of this need, existing Ethernet switches all provide a variety of network security mechanisms, among which port-based address security has become an important feature. Port-based address security means that the Ethernet switch controls the transmission of packets through a given port accordingly.
The port-based methods currently used to control and restrict network access by connected users can be summarized as the following types. These techniques are implemented mainly by restricting MAC (Media Access Control) address learning on a port, looking up the MAC address table, maintaining the MAC address table in software, and checking binding tables:
1. Configurable port learning state: the switch user can set a port to stop learning new MAC addresses, so that the port passes only packets whose source MAC address is a static MAC address configured manually by the user; packets from any other MAC address are discarded because their MAC address cannot be learned into the MAC address table;
2. Configurable maximum number of MAC addresses a port may learn: the switch user configures, according to actual need, the number of MAC addresses a port is allowed to learn. Once the port has learned that many addresses it stops learning new ones until some of the learned addresses age out, so the port admits only the configured number of users to the network for normal access;
3. Port-to-MAC-address binding: a MAC address is bound to a port, that is, a static MAC address is configured on the port and MAC learning on that port is disabled, which limits the source MAC addresses of packets permitted through the port; packets from any other MAC address are discarded;
4. Broadcast forwarding switch: a port can be configured to refuse to forward packets whose destination address is the broadcast address, in order to prevent Smurf attacks. A Smurf attack is a network-level attack in which the attacker sends a large number of ICMP echo (ping) requests to the network's broadcast address with the victim's IP address as the source, so that every host on the network answers them by sending echo replies to the victim, causing network congestion.
The prior art above provides a degree of network access control. In practical use, however, these methods still cannot satisfy the full range of access control requirements, and the prior art has the following shortcomings:
At present, address spoofing is prevented by configuring static entries in the MAC address table, for example by using solution 1 above to disable MAC learning on the port, or solution 3 above to bind the MAC address to the port. Static entries in the MAC address table, however, are generally reserved for important MAC addresses. If the MAC addresses from every port were made static, then on the one hand the number of learnable MAC addresses the table can hold would be greatly reduced, which is inconvenient for users who need flexible access; on the other hand it would hinder mobile working: when a user moves to another port, a MAC address bound to the old port means that user can no longer reach the network. MAC addresses that are not very important are therefore usually not made static, so solutions 1 and 3 cannot effectively prevent MAC address spoofing.
Solution 2 above limits the number of MAC addresses a port may learn, that is, the number of users who can reach the network through a given port, but it still cannot effectively solve the address spoofing problem.
Solution 4 in the prior art supports a broadcast forwarding switch that prevents users from attacking the network with broadcast packets, but when broadcast forwarding is disabled as needed, it may also block some special packets, such as ARP (Address Resolution Protocol) packets, and thereby disrupt normal network communication.
Besides the port-based methods above, the prior art also provides a network access control method that binds IP address, MAC address and VLAN ID (virtual LAN identifier): when the service access point receives an IP packet, the VLAN ID, source MAC address and source IP address in the Ethernet-encapsulated packet header must each match the VLAN ID, MAC address and IP address in the binding record; otherwise the packet is treated as invalid and discarded.
This solution supports binding of IP address, MAC address and VLAN ID, but it cannot accommodate the same user on the same port having different VLAN IDs. For example, a user on a given port may belong to several companies or project teams, and different companies or project teams generally use different VLAN IDs, so the same user may send packets with different VLAN IDs; binding the VLAN ID to the IP address and MAC address cannot guarantee such users normal use of the network. Furthermore, the solution applies only to frames that carry IP addresses (IP packets and ARP packets); for frames that carry no IP address (such as protocol packets) no source IP address can be obtained, so such frames are discarded. In addition, the configuration is inflexible and the processing is one-size-fits-all, which cannot meet the needs of different customers: if a customer asks only for source MAC address binding, this solution cannot provide it.
It can also be seen from the description of the prior art above that it cannot prevent malicious attacks launched by users, including attack packets sent from a legitimate source MAC address. This is especially serious for attack packets sent to servers: if they are not effectively controlled, the server will be unable to provide its services normally, causing great losses to users and network operators. Nor can the prior art suppress the sending and receiving of packets by a specific MAC address; for example, when a user who has not paid must be stopped from continuing to send and receive data, the prior art has no way to restrict that user's traffic.
Summary of the invention
In view of the problems of the prior art described above, the object of the invention is to provide a port-based network access control method that overcomes the shortcomings of the prior art and effectively controls network access by users who connect to the network illegitimately.
The object of the invention is achieved by the following scheme:
A network access control method based on the ports of a network access device, comprising:
configuring, according to the address information of packets, how packets passing through a port of the network access device are processed, where the processing includes whether forwarding is permitted and, when it is, the forwarding mode for the corresponding packets;
obtaining the address information of a packet passing through the port of the network access device, and looking up, among the configured processing rules, the processing corresponding to that packet's address information;
determining whether that processing permits forwarding; if so, forwarding the packet according to the forwarding mode corresponding to its address information, and otherwise discarding the packet.
The port-based network access control method further comprises:
a. configuring, for a port of the network access device, the user address information of the connected users and the corresponding packet processing, where the user address information includes the MAC (Media Access Control) address and/or the IP (Internet Protocol) address of the connected user;
b. obtaining the user address information carried in a packet arriving through the port of the network access device;
c. processing the packet according to the obtained user address information and the processing configured for that user address information on the port.
Step c comprises:
c1. determining whether the obtained MAC address and IP address of the connected user match the MAC address and/or IP address of the legitimate users configured for that port; if they match, go to step c3, otherwise go to step c2;
c2. discarding the packet;
c3. continuing the forwarding process for the packet.
Step a further comprises: configuring the correspondence between the VLAN IDs (virtual LAN identifiers) supported by the network access device and the members of each VLAN ID, where the members of a VLAN ID are ports of the network access device.
The configuration information of step a is stored in two tables, where:
The first table comprises:
Port information field: records the port information to which a binding configuration applies, that is, a port number or a port list;
MAC address field: records the MAC address information associated with the port, that is, the configured source MAC address of packets permitted to enter the network through the port;
IP address field: records the IP address information associated with the port, that is, the configured source IP address of packets permitted to enter the network through the port;
The second table comprises:
VLAN ID field: records the VLAN IDs supported by the Ethernet switch;
VLAN ID member port field: records the port or group of ports corresponding to each VLAN ID supported by the Ethernet switch.
Step c3 comprises:
c31. determining whether the VLAN ID obtained from the connected user's packet matches a VLAN ID supported for that port; if so, go to step c32, otherwise go to step c33;
c32. determining whether the port through which the packet entered the network access device is a member of the configured VLAN ID; if so, continue the forwarding process, otherwise discard the packet;
c33. discarding the packet.
Step c33 comprises:
determining whether the port is configured to pass packets of unknown VLANs through transparently; if so, forwarding the packet according to the port's VLAN transparent-transmission configuration, otherwise discarding the packet.
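The source-side checks of steps c1 through c33 above, as an added worked example in Python that is not part of the patent. The two tables are modelled as a list of binding rows (port list, MAC, IP) and a VLAN-to-member-ports map. Everything beyond the steps themselves is this example's own assumption: a row may bind the MAC only, the IP only, or both; the IP field is checked only on frames that actually carry an IP address, so a pure layer-2 protocol frame from a bound MAC is not discarded (the failure mode the Background section attributes to the prior art); a port with no binding rows is left open; and the addresses (00:00:5e:00:53:xx, 192.0.2.x) are documentation values.

```python
from dataclasses import dataclass
from typing import Optional

DROP, FORWARD, TRANSPARENT = "drop", "forward", "transparent"


@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    vlan_id: int                    # VLAN ID after ingress tagging (assumed)
    src_ip: Optional[str] = None    # None for frames carrying no IP address (e.g. STP BPDUs)


@dataclass(frozen=True)
class Binding:
    """One row of the first table: port list, MAC address, IP address."""
    ports: frozenset
    mac: Optional[str] = None       # None: this row does not bind a MAC address
    ip: Optional[str] = None        # None: this row does not bind an IP address


@dataclass
class SwitchConfig:
    bindings: list                  # first table
    vlan_members: dict              # second table: VLAN ID -> frozenset of member ports
    transparent_unknown_vlan: frozenset = frozenset()  # ports allowing unknown-VLAN pass-through


def _matches(b: Binding, f: Frame) -> bool:
    if b.mac is not None and b.mac.lower() != f.src_mac.lower():
        return False
    # Assumption: the IP field is compared only when the frame carries an IP address.
    if b.ip is not None and f.src_ip is not None and b.ip != f.src_ip:
        return False
    return True


def source_check(f: Frame, cfg: SwitchConfig):
    """Steps c1-c3 (source MAC/IP binding) followed by c31-c33 (VLAN checks)."""
    rows = [b for b in cfg.bindings if f.in_port in b.ports]
    # c1/c2: a port with binding rows admits only frames matching one of them;
    # a port with no rows is left open (assumption).
    if rows and not any(_matches(b, f) for b in rows):
        return DROP, "c2: source MAC/IP not bound to this port"
    # c31/c33: the VLAN ID must be one the switch supports
    members = cfg.vlan_members.get(f.vlan_id)
    if members is None:
        if f.in_port in cfg.transparent_unknown_vlan:
            return TRANSPARENT, "c33: unknown VLAN passed through per port configuration"
        return DROP, "c33: unknown VLAN"
    # c32: the ingress port must be a member of that VLAN
    if f.in_port not in members:
        return DROP, "c32: ingress port is not a member of this VLAN"
    return FORWARD, "c32: source bound and VLAN membership ok"


# Constructed sample configuration (documentation addresses).
CONFIG = SwitchConfig(
    bindings=[
        Binding(frozenset({1}), mac="00:00:5e:00:53:01", ip="192.0.2.11"),  # MAC + IP
        Binding(frozenset({2}), mac="00:00:5e:00:53:02"),                   # MAC only
        Binding(frozenset({3}), ip="192.0.2.13"),                           # IP only
    ],
    vlan_members={10: frozenset({1, 2, 3, 4}), 20: frozenset({2, 3})},
    transparent_unknown_vlan=frozenset({3}),
)

if __name__ == "__main__":
    for fr in (
        Frame(1, "00:00:5e:00:53:01", 10, "192.0.2.11"),   # legitimate user
        Frame(1, "00:00:5e:00:53:99", 10, "192.0.2.11"),   # forged source MAC
        Frame(1, "00:00:5e:00:53:01", 10, "192.0.2.99"),   # forged source IP
        Frame(2, "00:00:5e:00:53:01", 10, "192.0.2.11"),   # user moved to another port
        Frame(1, "00:00:5e:00:53:01", 99, "192.0.2.11"),   # forged VLAN ID
        Frame(1, "00:00:5e:00:53:01", 10, None),           # layer-2 protocol frame, no IP
    ):
        print(fr.in_port, fr.src_mac, fr.vlan_id, "->", *source_check(fr, CONFIG))
```

The check deliberately drops the legitimate MAC when it appears on port 2, which is the mobility restriction the Summary describes; an operator who wants mobility must list more than one port in the row's port list.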
The port-based network access control method further comprises:
d. configuring, according to the destination address of packets forwarded through a port of the network access device, how packets passing through that port are processed;
e. obtaining the destination address information of a packet forwarded through the port of the network access device, and processing the packet accordingly based on the obtained destination address.
Step d is:
configuring, according to the destination address of packets forwarded through the port of the network access device, whether packets passing through that port are permitted or forbidden to be forwarded.
Step d further comprises:
configuring, according to the destination address of packets forwarded through the port of the network access device, the number of packets permitted to be forwarded through that port.
The destination addresses include:
the broadcast address, unknown unicast addresses, unknown multicast addresses, server addresses and specific MAC addresses.
Step e comprises:
e1. obtaining the destination address information of the packet forwarded through the port of the network access device;
e2. determining, from the obtained destination address information and the destination addresses configured in step d, whether forwarding of the packet is permitted; if so, go to e3, otherwise discard the packet;
e3. determining whether the number of packets with this kind of destination address already forwarded by the port exceeds the configured value; if so, discard the packet, otherwise forward it accordingly.
The forwarding in step e3 is:
forwarding the packet according to the forwarding mode configured on the port for packets of that destination address type, where:
broadcast packets are forwarded to all ports of the same VLAN within the Ethernet switch;
unknown unicast and unknown multicast packets are forwarded to the forwarding destination configured on the switch port for that type of packet;
packets sent to a server or to a specific destination MAC address are forwarded to the corresponding server or the specific destination MAC address.
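The destination-side procedure of steps d and e1 through e3, together with the forwarding rules just listed, as an added Python example that is not the patent's own code. The category names, the per-interval counter with an explicit `reset_counters()` call, the assumption that the administrator knows the servers' MAC addresses in advance, and the treatment of an unknown-destination "specific" MAC (flooded within the VLAN) are this example's choices; destinations already known in the MAC table are forwarded normally and are not counted. All addresses are constructed documentation values.

```python
from collections import Counter
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class DstPolicySwitch:
    vlan_members: dict      # VLAN ID -> frozenset of member ports
    mac_table: dict         # known destination MAC -> egress port (learned or static)
    servers: frozenset      # MAC addresses of protected servers (assumed known)
    allow: dict             # (port, category) -> bool; step d permit/forbid, default permit
    limit: dict = field(default_factory=dict)         # (port, category) -> max packets per interval
    unknown_dest: dict = field(default_factory=dict)  # (port, category) -> egress ports for unknown unicast/multicast
    specific: dict = field(default_factory=dict)      # port -> frozenset of specifically controlled dst MACs
    counters: Counter = field(default_factory=Counter)

    def classify(self, port, dst_mac):
        dst_mac = dst_mac.lower()
        if dst_mac in self.specific.get(port, frozenset()):
            return "specific"
        if dst_mac == BROADCAST:
            return "broadcast"
        if dst_mac in self.servers:
            return "server"
        if dst_mac in self.mac_table:
            return "known"
        # I/G bit (least significant bit of the first octet) set means a group address
        return "unknown_multicast" if int(dst_mac[:2], 16) & 1 else "unknown_unicast"

    def egress(self, port, vlan_id, dst_mac):
        """Steps e1-e3: returns ('drop', reason) or ('forward', frozenset of egress ports)."""
        dst_mac = dst_mac.lower()
        cat = self.classify(port, dst_mac)                      # e1
        if cat == "known":
            return "forward", frozenset({self.mac_table[dst_mac]})   # ordinary L2 forwarding
        if not self.allow.get((port, cat), True):               # e2: permitted or forbidden
            return "drop", f"e2: {cat} forbidden on port {port}"
        lim = self.limit.get((port, cat))                        # e3: per-port count limit
        if lim is not None and self.counters[(port, cat)] >= lim:
            return "drop", f"e3: {cat} limit of {lim} reached on port {port}"
        self.counters[(port, cat)] += 1
        if cat == "broadcast":
            out = self.vlan_members[vlan_id] - {port}
        elif cat in ("unknown_unicast", "unknown_multicast"):
            out = self.unknown_dest.get((port, cat), frozenset()) - {port}
        else:  # server or specific MAC: deliver to the port where that MAC is known
            target = self.mac_table.get(dst_mac)
            out = frozenset({target}) if target is not None else self.vlan_members[vlan_id] - {port}
        return "forward", out

    def reset_counters(self):
        """Assumption: a timer calls this once per counting interval."""
        self.counters.clear()


def make_switch():
    """Constructed sample configuration for access port 1 in VLAN 10."""
    return DstPolicySwitch(
        vlan_members={10: frozenset({1, 2, 3, 4, 8})},
        mac_table={"00:00:5e:00:53:08": 8, "00:00:5e:00:53:04": 4, "00:00:5e:00:53:02": 2},
        servers=frozenset({"00:00:5e:00:53:08"}),
        allow={(1, "unknown_multicast"): False, (1, "specific"): False},
        limit={(1, "broadcast"): 3, (1, "server"): 2},
        unknown_dest={(1, "unknown_unicast"): frozenset({2, 3})},
        specific={1: frozenset({"00:00:5e:00:53:02"})},
    )


if __name__ == "__main__":
    sw = make_switch()
    for dst in ["ff:ff:ff:ff:ff:ff"] * 4 + ["00:00:5e:00:53:08"] * 3 + ["01:00:5e:00:00:fb"]:
        print(dst, "->", *sw.egress(1, 10, dst))
```

The broadcast limit is what lets the switch keep ARP working while still capping a Smurf-style flood, which is the gap the Background section identifies in a plain broadcast on/off switch.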
In the invention, to store the port configuration information of steps a and d in the MAC address table, the following fields are set in the MAC address table:
Destination MAC address filter field: determines whether the packet must be filtered by destination MAC address;
Source MAC address filter field: determines whether the packet must be filtered by source MAC address;
Destination MAC address field: the destination MAC address of a packet that must be filtered by destination MAC address is matched against the MAC address in this field to determine the forwarding treatment of the packet;
Source MAC address field: the source MAC address of a packet that must be filtered by source MAC address is matched against the MAC address in this field to determine the treatment of the packet;
Port information field: the port through which a packet that must be filtered by source or destination MAC address entered the network access device is matched against the port information in this field; this selects the entry whose source or destination MAC address field the packet's source or destination MAC address must be matched against;
The table also requires a static entry field, which determines whether the attributes associated with the MAC address in the entry may be modified.
As can be seen from the technical scheme above, the invention binds the user's source MAC address and source IP address to the Ethernet switch port, binds the user's VLAN ID to the VLAN IDs supported by the switch, and binds the switch port to the member ports of the user's VLAN ID, and can therefore effectively prevent illegitimate users who forge a source MAC address, source IP address or VLAN ID from maliciously accessing or attacking the network. The invention also imposes access restrictions according to destination address on packets entering the network through a port of the network access device, including network access control for broadcast, unicast and multicast packets, packets sent to servers and packets with specific destination MAC addresses. It can therefore also effectively prevent legitimate users from maliciously attacking the network by forging certain destination MAC addresses, and can control the traffic of particular users as required: for example, when a user's service must be suspended for unpaid fees and the user must be prevented from continuing to send and receive data, the network administrator need only set destination address filtering and source address filtering for that MAC address in the MAC address table, which meets the access control requirement and prevents the user in arrears from attacking the network or continuing to use its services. In addition, the invention prevents legitimate users from moving freely between ports, which effectively prevents users from moving to another port to steal others' technical material.
Description of drawings
Fig. 1 is a flow chart of a specific embodiment of the invention;
Fig. 2a is a schematic diagram of the structure of the unicast MAC address table established by the invention;
Fig. 2b is a schematic diagram of the structure of the multicast MAC address table established by the invention;
Fig. 2c is a schematic diagram of the structure of the table established by the invention that binds MAC address, IP address and port;
Fig. 2d is a schematic diagram of the structure of the table established by the invention that binds VLAN IDs to the member ports of each VLAN ID;
Fig. 3 is a flow chart of a specific embodiment of steps 12 and 13 in Fig. 1;
Fig. 4 is a flow chart of a specific embodiment of step 14 in Fig. 1.
Detailed description
The core idea of the invention is to apply network access control to packets passing through a port of the network access device according to their source address information and their destination address information respectively, thereby guaranteeing network security: the MAC address, IP address or VLAN ID of a user who connects to the network through a port of the network access device is bound to that port, and at the same time the forwarding treatment of packets is controlled according to their destination MAC address, which provides an effective guarantee of network security.
A specific embodiment of the invention is now described with reference to the drawings. First, referring to Fig. 1, the method of the invention comprises the following steps:
Step 11: according to the address information of packets entering the network, configure at a port of the network access device (usually an Ethernet switch port) the forwarding treatment of packets passing through that port;
The address information of a packet includes source address information and destination address information. The source address information is the address information of the connected user, namely the packet's source MAC address and source IP address; in use, the source MAC address and source IP address of legitimate users can be configured. The destination address information is the packet's destination MAC address; in use, the destination MAC addresses of packets whose forwarding is to be restricted, such as the broadcast address or specific destination MAC addresses, can be configured;
The configured address information can be stored in tables. For example, a MAC address table containing the following fields can be created on the Ethernet switch to store the address information, as shown in Figs. 2a and 2b:
Destination MAC address field: records destination MAC address information, that is, the statically configured destination MAC addresses of packets entering the network through the corresponding switch port. When the corresponding destination MAC address filter field is set to valid, packets whose destination MAC address equals the MAC address recorded in this field are discarded. The field may hold a unicast or a multicast MAC address, and for a multicast MAC address the corresponding port information field covers all ports of the switch;
Source MAC address field: records source MAC address information, that is, learned MAC addresses or the statically configured MAC addresses of connected users. One source MAC address is recorded in this field, and when the corresponding source MAC address filter field is set to valid, packets whose source MAC address equals the MAC address recorded in this field are discarded. This field already exists in conventional MAC address tables;
Port information field: records the port number to which the configuration applies; that is, all configuration is per port, and each configuration entry corresponds to a specific port or to a group of ports;
Destination MAC address filter field: records whether the forwarding treatment of packets is determined by destination MAC address; when this field is valid, packets whose destination MAC address equals the MAC address recorded in the associated MAC address field are discarded;
Source MAC address filter field: records whether the forwarding treatment of packets is determined by source MAC address; when this field is valid, packets whose source MAC address equals the MAC address recorded in the associated MAC address field are discarded;
Static entry field: records whether the attributes associated with the MAC address in the entry may be modified. When this field is valid, none of the attributes associated with the entry's MAC address may be modified; these attributes include the time stamp, the mirroring flag and the port number. For example, when configuring the port information field, if the configured information must not be modified, this field is set to valid;
The present invention may also set up a table containing the following fields to store the MAC address and IP address bound to a port, as shown in Figure 2c. The MAC address and IP address configuration in the table may be set as required, so that when network access control is performed with the present invention, binding of a port to a MAC address, of a port to an IP address, or of a port to both a MAC address and an IP address may each be implemented separately. The table contains the following fields:
Port information field: records the port to be bound, that is, a port number or a port list;
MAC address field: records the MAC address information corresponding to the port, that is, the configured source MAC address of packets permitted to enter the network through that port;
IP address field: records the IP address information corresponding to the port, that is, the configured source IP address of packets permitted to enter the network through that port;
Binding a port to a MAC address or to an IP address with the above table effectively prevents a user from moving to another port to access the network;
To further ensure effective control of access packets, the forwarding treatment of packets passing through a port may, in addition to the packets' address information, be configured according to the VLAN ID information of the users accessing the network through that port. In that case a VLAN ID binding table containing a VLAN ID field and a VLAN ID member field must additionally be set up, as shown in Figure 2d, to record the VLAN IDs supported by the Ethernet switch and the members of each VLAN ID. The members of a VLAN ID are ports of the corresponding Ethernet switch, that is, the configured ports on which the switch-supported VLAN ID is permitted to send packets outward. Thus, after the packets sent by an access user have been checked for legitimacy according to their source MAC address and source IP address, their legitimacy can be further checked according to their VLAN ID, which further ensures the security of network communication. The present invention may also implement network access control by binding only the port to the VLAN ID of legitimate access users, that is, by recording the corresponding content only in the VLAN ID binding table shown in Figure 2d. Of course, for Ethernet switches that do not trust the user's VLAN ID and instead send and receive packets directly with the VLAN ID configured on their own port, there is no need to configure the forwarding treatment of packets passing through the port according to the user's VLAN ID;
Step 12: a packet to be sent by the user enters the network through an Ethernet switch port, and the source MAC address information and source IP address information of the packet are obtained;
Step 13: the treatment of the packet is determined according to the obtained source MAC address information and source IP address information, and the corresponding processing is carried out;
That is, the obtained source MAC address information and source IP address information are matched against the corresponding source MAC address information and source IP address information configured on the port, and the forwarding treatment of the packet is determined from the matching result: either the packet is forwarded normally, or the packet is discarded, or step 14 is executed to decide the forwarding treatment further according to the destination MAC address;
When the port is configured with the source MAC address information and source IP address information of legitimate access users, then when the match succeeds, the next steps, the VLAN ID check and the destination MAC address check, are carried out.
The VLAN ID information in the packet is obtained, and the forwarding treatment of the packet is further determined according to the user VLAN ID configuration: if the VLAN ID information of legitimate access users is configured, the packet is forwarded normally when the match succeeds and discarded otherwise;
Step 14: the destination MAC address information in the packet entering the network through the Ethernet switch port is obtained, and the forwarding treatment of the packet is determined according to the destination MAC address;
When the port's configuration information indicates that packets passing through the port must be filtered according to destination MAC address, the destination MAC address in the packet is obtained and matched against the destination MAC address field of the entries in the MAC address table described above, and the forwarding treatment of the packet is determined from the matching result.
From the processing of steps 11 to 14 it can be seen that the present invention achieves port-based network access control of users accessing the network, that is, the forwarding treatment of packets sent by users accessing the network through an Ethernet switch port is restricted as required.
The essence of the processing described in steps 12 and 13 is that the forwarding treatment of a packet is determined according to the address information and/or the VLAN ID information of the access user. The user's address information and/or the access user's VLAN ID information are bound to the Ethernet switch port through which the user accesses the network, and packets entering the network through that port are forwarded according to the address information of the access user who sent them. The address information includes the user's MAC address and IP address; the access user's VLAN ID information is optionally bound to the port. On the Ethernet switch port, the address information of legitimate users is bound to the corresponding port, the access user's VLAN ID information is bound to the VLAN IDs supported by the Ethernet switch, and the port is bound to the access user's VLAN ID; the number of bound users can be set as required. In this way, by checking the user address information bound on the port and the access user's VLAN ID information, the forwarding treatment of packets entering the network from that port can be determined. Steps 12 and 13 are first explained further below with reference to Figure 3, where the access user's MAC address and IP address are bound to the corresponding port, and the VLAN IDs supported by the Ethernet switch are bound to their members. The members of a VLAN ID are ports of the corresponding Ethernet switch and are usually expressed as a port list. The procedure includes the following steps:
Step 31: a packet sent by an access user enters the network from an Ethernet switch port, and the source MAC address and source IP address of the packet are obtained;
Step 32: the obtained source MAC address and source IP address are matched against the source MAC address and source IP address in the user address information bound on that Ethernet switch port. If they match, the user address check for the packet passes and step 34 is executed; otherwise the user address check fails and step 33 is executed;
Step 33: the packet is determined to be an illegitimate packet and is discarded;
Step 34: a check of whether the VLAN ID is legitimate is further carried out, that is, the VLAN ID carried in the packet entering the network is obtained;
Step 35: the obtained VLAN ID is matched against the VLAN ID information bound on the Ethernet switch and it is judged whether the match succeeds; if so, step 36 is executed, otherwise step 38 is executed;
Step 36: it is further determined whether the port list corresponding to the matched VLAN ID contains the port, that is, the port through which the packet entered the network. If it does, the VLAN ID check for the packet passes and step 37 is executed; otherwise the VLAN ID check fails and step 33 is executed;
Step 37: the packet is forwarded normally, that is, the destination forwarding port is determined by looking up the MAC address table and the packet is sent out through that port;
Usually, if the destination address check of step 14 described above is not required, the packet is simply forwarded normally; if step 14 is required to further check whether the packet's destination address is legitimate, processing proceeds to step 14;
Step 38: it is determined whether the Ethernet switch port supports VLAN pass-through; if so, step 39 is executed, otherwise step 33 is executed;
Whether an Ethernet switch port supports VLAN pass-through can be configured by the user as required. If pass-through is supported, the user must also configure the corresponding pass-through forwarding mode as required, and packets requiring pass-through are passed through according to the configured forwarding mode;
In current communication systems, to save Ethernet switch resources, a switch usually supports only a limited number of VLAN IDs. For packets carrying a VLAN ID the switch does not support, the switch must support pass-through of such packets so that users can still send and receive them normally. Whether pass-through of such packets is permitted when the user's VLAN ID is not among those supported by the switch is usually configurable per Ethernet switch port.
Step 39: the packet is forwarded according to the forwarding mode configured for VLAN pass-through on that Ethernet switch port.
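The ingress procedure of steps 31 to 39 (source MAC/IP binding, VLAN ID membership, per-port VLAN pass-through) as an added simulation; this is example code written for this page, not the patent's own implementation, and the binding tables, port numbers, addresses and the pass-through mode name are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    src_ip: str
    vlan_id: int


# Constructed configuration (assumption, not from the patent). Figure 2c style
# binding table: ingress port -> set of (source MAC, source IP) pairs of legitimate users.
PORT_BINDINGS = {
    1: {("00:11:22:33:44:01", "10.0.0.11")},
    2: {("00:11:22:33:44:02", "10.0.0.12"), ("00:11:22:33:44:03", "10.0.0.13")},
}
# Figure 2d style VLAN ID binding table: switch-supported VLAN ID -> member port list.
VLAN_MEMBERS = {10: {1, 2}, 20: {2}}
# Per-port VLAN pass-through: port -> configured pass-through forwarding mode (constructed).
VLAN_PASSTHROUGH = {2: "tunnel-uplink"}


def address_check(frame, bindings):
    """Steps 31-32: the (source MAC, source IP) pair must be bound on the ingress port."""
    return (frame.src_mac, frame.src_ip) in bindings.get(frame.in_port, set())


def vlan_check(frame, members):
    """Steps 34-36: 'pass' if the VLAN ID is supported and the ingress port is a member,
    'unsupported' if the switch binds no such VLAN ID at all, 'fail' otherwise."""
    if frame.vlan_id not in members:
        return "unsupported"
    return "pass" if frame.in_port in members[frame.vlan_id] else "fail"


def ingress_decision(frame, bindings=PORT_BINDINGS, members=VLAN_MEMBERS,
                     passthrough=VLAN_PASSTHROUGH):
    """Walk the Figure 3 procedure for one frame and return the resulting action."""
    if not address_check(frame, bindings):
        return "drop: address binding failed"                       # step 33 via step 32
    verdict = vlan_check(frame, members)
    if verdict == "pass":
        return "forward"                                            # step 37
    if verdict == "unsupported" and frame.in_port in passthrough:   # step 38
        return "passthrough: " + passthrough[frame.in_port]         # step 39
    return "drop: VLAN check failed"                                # step 33 via 36 or 38


def demo():
    """Constructed sample frames covering each branch of the procedure."""
    frames = [
        Frame(1, "00:11:22:33:44:01", "10.0.0.11", 10),  # bound user, member VLAN
        Frame(2, "00:11:22:33:44:01", "10.0.0.11", 10),  # same user moved to port 2
        Frame(1, "00:11:22:33:44:01", "10.0.0.99", 10),  # MAC bound, IP not bound
        Frame(1, "00:11:22:33:44:01", "10.0.0.11", 20),  # VLAN 20 exists, port 1 not a member
        Frame(1, "00:11:22:33:44:01", "10.0.0.11", 30),  # unsupported VLAN, no pass-through
        Frame(2, "00:11:22:33:44:02", "10.0.0.12", 30),  # unsupported VLAN, pass-through
    ]
    return [ingress_decision(f) for f in frames]


if __name__ == "__main__":
    for line in demo():
        print(line)
```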
The essence of step 14 in Figure 1 is that the forwarding treatment of a packet sent by a user accessing the network is determined according to the destination address information carried in the packet, and the packet is processed according to the determined treatment. To implement this, the destination MAC addresses and the forwarding treatment of the corresponding packets must first be configured on the Ethernet switch port. The destination MAC address may be a broadcast address, a unicast address, a multicast address, a server address or a specific MAC address, so that packets entering the network through the Ethernet switch port can be subjected to the corresponding access control according to their destination MAC address, for example controlling the forwarding treatment of broadcast packets, restricting the forwarding of broadcast packets, or limiting the number of broadcast packets forwarded, and so on. As shown in Figure 4, the procedure includes the following steps:
Step 41: it is determined that packets entering the network through the Ethernet switch port must be filtered by destination MAC address;
Step 42: the destination MAC address carried in the packet is obtained;
Step 43: the forwarding treatment configured for the packet on the Ethernet switch port is looked up according to the obtained destination MAC address information;
Step 44: it is judged whether the forwarding treatment of the packet is discard; if so, step 45 is executed, otherwise step 46 is executed;
Step 45: the packet is discarded;
Step 46: it is judged whether the number of packets with this destination MAC address already processed normally through the Ethernet switch port exceeds the set value; if so, step 45 is executed, otherwise step 47 is executed;
Step 47: the packet is forwarded according to the forwarding mode configured for it on the Ethernet switch port, including:
for a broadcast packet, forwarding it to all ports within the same VLAN in the Ethernet switch;
for an unknown unicast packet or an unknown multicast packet, forwarding it according to the forwarding destination configured for that type of packet on the Ethernet switch port;
for a packet addressed to a server or to a specific destination MAC address, forwarding it to the corresponding server or to the specific destination MAC address.
In the present invention, network access control based on the packet destination MAC address can be selected and set as required, that is, the function can be enabled or disabled as needed. The present invention provides separate destination-MAC-address network access control functions for broadcast packets, unknown unicast packets, unknown multicast packets, packets sent to servers and packets sent to specific MAC addresses, and each function can be enabled or disabled independently.
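The destination-MAC procedure of steps 41 to 47, with the per-port enable flag described above, as an added simulation; this is example code written for this page, not the patent's own implementation. The MAC table contents, VLAN membership, port numbers, addresses and the per-class rule and limit keys are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    in_port: int
    vlan_id: int
    dst_mac: str


@dataclass
class PortPolicy:
    """Destination-MAC configuration of one ingress port (constructed layout)."""
    enabled: bool = True                                # step 41: control on for this port
    rules: dict = field(default_factory=dict)           # dst MAC or class -> "drop"/"forward"
    limits: dict = field(default_factory=dict)          # dst MAC or class -> max frames forwarded
    unknown_ports: dict = field(default_factory=dict)   # class -> ports for unknown unicast/multicast
    server_macs: frozenset = frozenset()                # destination MACs treated as "server"


class DestMacController:
    def __init__(self, mac_table, vlan_members, policies):
        self.mac_table = mac_table          # dst MAC -> egress ports (multicast: all ports)
        self.vlan_members = vlan_members    # VLAN ID -> member ports
        self.policies = policies            # ingress port -> PortPolicy
        self.counts = Counter()             # (ingress port, dst MAC) -> frames forwarded so far

    def classify(self, dst_mac, policy):
        if dst_mac == BROADCAST:
            return "broadcast"
        if dst_mac in policy.server_macs:   # server MACs must have a static MAC table entry
            return "server"
        known = dst_mac in self.mac_table
        if int(dst_mac.split(":")[0], 16) & 1:           # I/G bit set: group address
            return "multicast" if known else "unknown_multicast"
        return "unicast" if known else "unknown_unicast"

    def handle(self, frame):
        """Return ("drop", reason) or ("forward", egress ports) for one frame."""
        policy = self.policies.get(frame.in_port, PortPolicy(enabled=False))
        dst = frame.dst_mac                                             # step 42
        cls = self.classify(dst, policy)
        if policy.enabled:                                              # step 41
            action = policy.rules.get(dst, policy.rules.get(cls, "forward"))   # step 43
            if action == "drop":                                        # steps 44-45
                return ("drop", "filtered by destination MAC")
            limit = policy.limits.get(dst, policy.limits.get(cls))
            if limit is not None and self.counts[(frame.in_port, dst)] >= limit:  # step 46
                return ("drop", "per-port limit for this destination exceeded")
            self.counts[(frame.in_port, dst)] += 1
        # step 47: forward according to the class of the destination address
        flood = self.vlan_members.get(frame.vlan_id, set()) - {frame.in_port}
        if cls == "broadcast":
            return ("forward", flood)
        if cls in ("unknown_unicast", "unknown_multicast"):
            configured = policy.unknown_ports.get(cls)
            return ("forward", set(configured) if configured is not None else flood)
        return ("forward", set(self.mac_table[dst]) - {frame.in_port})


def demo():
    """Constructed switch state and frames exercising each branch of steps 41-47."""
    mac_table = {
        "00:aa:00:00:00:01": {1},
        "00:aa:00:00:00:02": {2},
        "00:aa:00:00:00:99": {4},              # the server, reachable via port 4
        "01:00:5e:00:00:01": {1, 2, 3, 4},     # known multicast group: all ports
    }
    policies = {3: PortPolicy(
        rules={"00:aa:00:00:00:02": "drop", "unknown_multicast": "drop"},
        limits={"broadcast": 2},
        unknown_ports={"unknown_unicast": {4}},
        server_macs=frozenset({"00:aa:00:00:00:99"}),
    )}
    ctl = DestMacController(mac_table, {10: {1, 2, 3, 4}}, policies)
    frames = [
        Frame(3, 10, "00:aa:00:00:00:02"),   # filtered specific destination MAC
        Frame(3, 10, BROADCAST),             # broadcast 1 of limit 2
        Frame(3, 10, BROADCAST),             # broadcast 2 of limit 2
        Frame(3, 10, BROADCAST),             # broadcast 3 exceeds the limit
        Frame(3, 10, "01:00:5e:00:00:07"),   # unknown multicast: dropped by class rule
        Frame(3, 10, "00:aa:00:00:00:77"),   # unknown unicast: configured destination port 4
        Frame(3, 10, "00:aa:00:00:00:99"),   # server
        Frame(1, 10, "00:aa:00:00:00:77"),   # port 1 has no policy: plain flooding
    ]
    return [ctl.handle(f) for f in frames]
```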
Claims (15)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB03145612XA CN1310467C (en) | 2003-06-24 | 2003-06-24 | Port based network access control method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB03145612XA CN1310467C (en) | 2003-06-24 | 2003-06-24 | Port based network access control method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1567839A CN1567839A (en) | 2005-01-19 |
| CN1310467C true CN1310467C (en) | 2007-04-11 |
Family
ID=34471475
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB03145612XA Expired - Lifetime CN1310467C (en) | 2003-06-24 | 2003-06-24 | Port based network access control method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1310467C (en) |
Families Citing this family (36)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8705532B2 (en) * | 2006-02-17 | 2014-04-22 | Extreme Networks, Inc. | Methods, systems, and computer program products for selective layer 2 port blocking using layer 2 source addresses |
| CN101043329B (en) * | 2006-06-15 | 2010-05-12 | 华为技术有限公司 | A method and system for preventing network attacks |
| CN100525179C (en) * | 2006-07-06 | 2009-08-05 | 华为技术有限公司 | Method for preventing IP address leakage |
| CN101119290B (en) * | 2006-08-01 | 2011-06-01 | 华为技术有限公司 | Ethernet supporting source specific multicast forwarding method and system |
| CN101001249A (en) * | 2006-12-31 | 2007-07-18 | 华为技术有限公司 | Method and device for preventing IGMP message attack |
| CN101345743B (en) * | 2007-07-09 | 2011-12-28 | 福建星网锐捷网络有限公司 | Method and system for preventing network attack by utilizing address analysis protocol |
| JP4852502B2 (en) * | 2007-09-12 | 2012-01-11 | 株式会社日立製作所 | Access server and connection restriction method |
| WO2009082832A1 (en) * | 2007-12-26 | 2009-07-09 | Zte Corporation | A method for realizing ip address bindings based on field programmable gate array |
| CN101252592B (en) * | 2008-04-14 | 2012-12-05 | 工业和信息化部电信传输研究所 | Method and system for tracing network source of IP network |
| CN101286948B (en) * | 2008-05-30 | 2010-10-06 | 杭州华三通信技术有限公司 | Access authority control method and wireless access equipment |
| CN101355483B (en) * | 2008-08-27 | 2012-02-22 | 成都市华为赛门铁克科技有限公司 | A method and device for sending data packets through multiple network ports |
| CN101394360B (en) * | 2008-11-10 | 2011-07-20 | 北京星网锐捷网络技术有限公司 | Processing method, access device and communication system for address resolution protocol |
| CN102045313B (en) * | 2009-10-10 | 2014-03-12 | 中兴通讯股份有限公司 | Method and system for controlling SILSN (Subscriber Identifier & Locator Separation Network) |
| CN102045307B (en) * | 2009-10-10 | 2014-08-13 | 中兴通讯股份有限公司 | Method for managing network equipment and corresponding network system |
| CN102098269A (en) * | 2009-12-15 | 2011-06-15 | 中兴通讯股份有限公司 | Method for filtering MAC (Media Access Control) addresses in broadband access system |
| CN102123071B (en) * | 2010-01-11 | 2016-06-01 | 中兴通讯股份有限公司 | The method that realizes, network, terminal and the intercommunication service node that Packet Classification processes |
| CN101820383B (en) * | 2010-01-27 | 2014-12-10 | 中兴通讯股份有限公司 | Method and device for restricting remote access of switcher |
| CN101834870A (en) * | 2010-05-13 | 2010-09-15 | 中兴通讯股份有限公司 | Method and device for preventing deceptive attack of MAC (Medium Access Control) address |
| CN103763119A (en) * | 2011-03-09 | 2014-04-30 | 成都勤智数码科技股份有限公司 | Telnet/SSH-based network terminal management method |
| CN102118398B (en) * | 2011-03-31 | 2014-04-23 | 北京星网锐捷网络技术有限公司 | Access control method, device and system |
| CN102571807A (en) * | 2012-02-08 | 2012-07-11 | 神州数码网络(北京)有限公司 | Method and system for ensuring security of Internet protocol version 6 (IPv6) redirect message |
| CN104168199B (en) * | 2013-05-15 | 2019-07-16 | 中兴通讯股份有限公司 | Packet processing method and device |
| CN103701784B (en) * | 2013-12-17 | 2017-02-15 | 迈普通信技术股份有限公司 | Host machine protection method |
| CN104065554B (en) * | 2014-06-30 | 2017-09-05 | 华为技术有限公司 | A kind of network-building method and network device |
| CN104184686B (en) * | 2014-08-20 | 2017-10-17 | 新华三技术有限公司 | The method and apparatus for controlling broadcast traffic on the virtual bridged link in edge |
| CN106789757B (en) * | 2016-03-29 | 2020-10-13 | 新华三技术有限公司 | Access control method and device |
| US11038887B2 (en) * | 2017-09-29 | 2021-06-15 | Fisher-Rosemount Systems, Inc. | Enhanced smart process control switch port lockdown |
| CN108156424B (en) * | 2017-12-27 | 2020-01-14 | 浙江宇视科技有限公司 | Multicast group port management method and device and video management server |
| CN109089263B (en) * | 2018-07-25 | 2021-07-30 | 新华三技术有限公司 | Message processing method and device |
| DE102019210226A1 (en) * | 2019-07-10 | 2021-01-14 | Robert Bosch Gmbh | Device and method for attack detection in a communications network |
| CN112217819B (en) * | 2020-10-12 | 2021-04-27 | 珠海市鸿瑞信息技术股份有限公司 | Industrial control message semantic analysis auditing method based on double-factor authentication system |
| CN112350961B (en) * | 2020-11-11 | 2022-07-12 | 迈普通信技术股份有限公司 | Message processing method and device, electronic equipment and readable storage medium |
| CN112511523A (en) * | 2020-11-24 | 2021-03-16 | 超越科技股份有限公司 | Network security control method based on access control |
| CN112737850B (en) * | 2020-12-30 | 2023-03-24 | 杭州迪普科技股份有限公司 | Mutually exclusive access method and device |
| CN115580437B (en) * | 2022-09-16 | 2024-12-17 | 超聚变数字技术有限公司 | Flow monitoring method and out-of-band controller |
| CN116015949A (en) * | 2022-12-30 | 2023-04-25 | 北京天融信网络安全技术有限公司 | Processing method, device, electronic equipment and storage medium of lost host |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH09252319A (en) * | 1996-03-15 | 1997-09-22 | Toshiba Corp | Packet transfer method and packet transfer device |
| US20010012296A1 (en) * | 2000-01-25 | 2001-08-09 | Burgess Jon J. | Multi-port network communication device with selective mac address filtering |
| CN1333617A (en) * | 2000-07-06 | 2002-01-30 | 三星电子株式会社 | MAC address based telecommunication limiting method |
| CN1416239A (en) * | 2001-10-31 | 2003-05-07 | 华为技术有限公司 | Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1567839A (en) | 2005-01-19 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CX01 | Expiry of patent term | Granted publication date: 20070411 |