
TWI774215B - Terminal device management system and method thereof - Google Patents

Terminal device management system and method thereof

Publication number: TWI774215B
Authority: TW (Taiwan)
Prior art keywords: terminal equipment, packet, label, switches, switch
Application number: TW110103062A
Other languages: Chinese (zh)
Other versions: TW202231026A (en)
Inventors: 朱煜煌, 廖俊傑, 張伍賢, 徐欣義, 劉景豊
Original Assignee: 中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW110103062A
Publication of TW202231026A
Application granted
Publication of TWI774215B

Landscapes

  • Alarm Systems (AREA)
  • Computer And Data Communications (AREA)
  • Electrical Discharge Machining, Electrochemical Machining, And Combined Machining (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention proposes a terminal device management system and a corresponding method. By pre-defining the correspondence information of labels and port positions, when the central controller detects a label packet from a controllable network switch, it can correctly locate the position of the terminal device, and then the central controller sends a policy to the controllable network switch to achieve network access control of the terminal device. In addition, when the terminal device moves to a new position, the user does not have to change its network settings. When the central controller detects the moved device, it will automatically send another policy to the corresponding controllable network switch to achieve network address portability.

Description

Terminal device management and control system and method

The present invention relates to management and control technology, and in particular to a terminal device management and control system and method.

As more and more enterprises permit BYOD (Bring Your Own Device), controlling different types of terminal devices so that they comply with information security rules has become an indispensable function. In a traditional network architecture, network access control can be achieved in two ways. The first is to bind Internet Protocol (IP) addresses to medium access control (MAC) addresses on the access switch; but if a terminal device needs to move between switches, the same binding must be configured proactively on several switches to ensure that the device can still connect after it moves to a different switch. The second is to configure firewall rules on the aggregation-side firewall so that packets sent by devices that are not allowed network access are filtered and dropped. Because it only has to be configured on a single machine, this method is more convenient than the first, but it only prevents terminal devices from connecting to external networks; hosts on the internal network can still exchange data with one another.

In a centrally managed network architecture, by contrast, the network controller can use a terminal device detection function to detect the location of a terminal device and reactively add rules on the switch to which it is connected. This achieves access control at the access side, spares network administrators from configuring each switch by hand, and reduces useless traffic between switches. However, because most controllable switches are still more expensive than traditional network switches (hereinafter "traditional switches"), how to integrate heterogeneous network switches on a limited budget while still achieving terminal device location detection, network access control and network slicing has become a problem that urgently needs solving.

One existing technique uses a client/server architecture. A monitoring component is installed on the terminal device; while that component establishes connections with the communication interfaces of the intranet server and the extranet server (the central control host), it determines whether the device is on the internal or the external network and sends information such as the device's Internet Protocol address and host custodian to the control host, from which it obtains the corresponding control policy and applies it. Although this method can determine whether the device is in an internal or an external network environment, and can obtain and apply a control policy based on the environment and host custodian information to achieve network access control, it works only if the monitoring component is installed on the terminal device, which is inconvenient for network administrators and users alike. Moreover, even within the intranet, a network administrator troubleshooting the network cannot learn the exact location of the device, which makes management and operations inconvenient.

Another existing technique integrates software-defined networking with traditional networking to provide network slicing and isolation in a hybrid environment. It builds on the virtual local area network (VLAN) function of computer networks and implements a controller that uses the Network Configuration Protocol (NETCONF) to control traditional network switches. With one VLAN tag representing one network slice, it dynamically establishes multiple virtual links, each belonging to a different network slice, between traditional network switches. Switches that support the OpenFlow protocol (controllable switches) are configured by an OpenFlow controller to join the virtual links between traditional network switches, so that terminal devices attached under different switches can be in the same network slice. This technique offers a cost-saving method with network slicing, but because the VLAN tag field is only 12 bits wide, at most 4096 network slices can be created. It also needs complete control of every switch in the topology to provide network slicing; as the network topology grows more complex with demand, the load on the network controller increases and causes control-layer performance problems.

In a traditional network, terminal device information is recorded in a distributed and fragmentary way across the individual switches, or the egress side may know only that terminal devices exist in the network environment without knowing where they actually are. In addition, terminal devices can be controlled only at the egress by a firewall; inside the internal network they are not controlled.

Using a centralized network architecture, the present invention gathers information about terminal devices attached to heterogeneous network switches at a central controller, obtains the correct location of each terminal device, and applies policies to controllable switches according to the terminal device information, so that network administrators can control terminal device network access conveniently and flexibly.

The present invention proposes a terminal device management and control system and method. After the network environment is built, network topology information is brought into the central controller by automatic detection or manual import, and the correspondence between labels and locations is defined. When the central controller detects a packet carrying a label, it obtains the terminal device information from the data in that packet and calculates the correct location of the terminal device from the label information. When the network administrator wants to allow the terminal device to use the network, a network access policy is composed from the terminal device information obtained earlier, and the central controller dispatches the policy to the corresponding controllable switch according to the terminal device's location, thereby controlling the terminal device's network access. When the terminal device moves, the central controller can also detect the move, automatically update the terminal device information and dispatch the policy to the corresponding controllable switch. The network administrator therefore only needs to operate the central controller to control terminal devices across the whole heterogeneous network, which makes the network easier to manage and also gives users network security and convenience.

The terminal device management and control system and method of the present invention combine the advantage of centralized control with the lower cost of traditional network equipment. No software has to be installed on terminal devices, and only a small number of controllable switches have to be added and controlled, to achieve terminal device location detection, network access control and network slicing.

Furthermore, the present invention focuses on unified control of terminal devices that connect through heterogeneous network switches. Even if a terminal device joins the network through a traditional network switch that the central controller does not control, the central controller can still detect it and obtain its correct location. The central controller then dispatches a policy to a network switch that it can control (hereinafter "controllable switch") to meet the terminal device's access control requirement, and after the terminal device moves, the central controller can automatically change the device's policy according to its location so that the device keeps its network settings. The present invention is applicable to, but not limited to, software-defined networking. In controlling terminal devices in a heterogeneous network, the invention extends the scope of control beyond the controllable switches to the traditional switches, so that network administrators can obtain the correct terminal device location, which improves management accuracy, and access control is enforced at the controllable switches, which improves network security. In addition, after a terminal device moves, the central controller can detect the move and automatically dispatch the policy to the corresponding controllable switch, achieving network address portability.

1: Terminal device

2: Traditional switch

3: Controllable switch

4: Gateway

5: Central controller

6: Internet

100: Topology management unit

110: Controllable switch management module

120: Traditional switch management module

130: Connection management module

140: Label registration module

200: Terminal device information management unit

210: Detection module

220: Label conversion module

230: Terminal device information management module

300: Terminal device policy management unit

310: Terminal device policy management module

500: Terminal device management and control system

S11~S18: Steps of the terminal device detection and recording flow

S21, S22, S24, S25: Steps of the terminal device policy application flow

Refer to the following detailed description of the present invention and the accompanying drawings for a further understanding of its technical content, purpose and effects, in which:

FIG. 1 is a schematic diagram of the network architecture of the terminal device management and control system and method of the present invention;

FIG. 2 is an architecture diagram of the terminal device management and control system and method of the present invention;

FIG. 3 is a flowchart of terminal device detection and recording in the terminal device management and control system and method of the present invention; and

FIG. 4 is a flowchart of terminal device policy application in the terminal device management and control system and method of the present invention.

The present invention provides a terminal device management and control system and method suitable for heterogeneous networks. A heterogeneous network here is a network that contains both traditional switches and controllable switches; a controllable switch is a switch that the central controller can control, and a traditional switch is a switch that the central controller does not control. The system and method predefine, by automatic detection or manual configuration, the network location that each label represents, where a label is an identifiable field in the terminal device's network packets, for example the virtual local area network (VLAN) field. When the central controller detects a packet carrying a label, it locates the terminal device's correct position from the network topology and the label information, and then dispatches the terminal device policy to a controllable switch according to the terminal device information, thereby controlling the device's network access. When the terminal device moves, the central controller can also detect the move and re-dispatch the policy to the corresponding controllable switch; the user does not need to modify the terminal device's settings, which achieves network address portability.

Refer to the schematic diagram of the network architecture of the present invention shown in FIG. 1. The network in FIG. 1 includes network devices such as a plurality of traditional switches 2, a plurality of controllable switches 3, a plurality of gateways 4 and a central controller 5. Traffic from a terminal device 1 passes from a traditional switch 2 through a controllable switch 3 and then to a gateway 4, from which it enters the Internet 6. First, in the environment build stage, the network administrator completes the configuration of the network devices, including the connections between the controllable switches 3, the traditional switches 2 and the other network devices; on each traditional switch 2, a label is bound to every port to which a terminal device 1 is expected to connect. After the build is complete, the network topology information is recorded in the system, either by automatic detection by the central controller 5 or by manual import by the network administrator. The network topology information includes the number and port information of each controllable switch 3, the network address (for example the Internet Protocol address and/or the media access control address) and ports of each traditional switch 2, the connection state of all switches, and the correspondence between labels and network locations.

As shown in FIG. 2, the terminal device management and control system 500 of the present invention includes a topology management unit 100, a terminal device information management unit 200 and a terminal device policy management unit 300.

The topology management unit 100 includes a controllable switch management module 110, a traditional switch management module 120, a connection management module 130 and a label registration module 140. It manages the controllable switch information, the traditional switch information, the connections between all switches, and the correspondence between labels and traditional switch ports.

The terminal device information management unit 200 includes a detection module 210, a label conversion module 220 and a terminal device information management module 230. It manages terminal device information and records the traditional switch port at which each terminal device is located. In one embodiment, the terminal device information management module 230 records the network address, label and port of the terminal device.

The terminal device policy management unit 300 includes a terminal device policy management module 310, which manages terminal device network access policies in order to allow or block a terminal device's network access. In one embodiment, the terminal device policy management module 310 composes the policy that allows a terminal device to connect from the records of the terminal device information management module 230 (such as the terminal device's network address, label and port).

The terminal device management and control system 500 shown in FIG. 2 is implemented in the central controller of the network, for example the central controller 5 in FIG. 1. Each module in FIG. 2 may be software, hardware or firmware. A hardware module may be a processing unit or processor with data processing and computing capability; a software or firmware module may comprise computer instructions executable by a processing unit or processor.

First, in the environment build stage, the network administrator completes the configuration of the network devices, including the connections between the controllable switches, the traditional switches and the other network devices; on each traditional switch, a label is bound to every port to which a terminal device is expected to connect. After the build is complete, the topology management unit 100 records the network topology information, by automatic detection or manual import, across the controllable switch management module 110, the traditional switch management module 120, the connection management module 130 and the label registration module 140. The controllable switch management module 110 records information about every controllable switch in the network topology, including each controllable switch's number and port information. A sequence number in a preset order may serve as the controllable switch's number, or the number may be determined in another way, for example by using the controllable switch's network address. The port information includes the number of each port and whether it is connected.

The traditional switch management module 120 records information about every traditional switch in the network topology, including each traditional switch's network address and port information; this port information likewise includes the number of each port and whether it is connected. The connection management module 130 records the connections between network devices, including the connection relationships among every port of every controllable switch and every traditional switch. The label registration module 140 records the correspondence between traditional switch ports and labels.

After the network topology information has been established, the terminal device information management unit 200 detects and records terminal device information. The detection module 210 enables the detection function of every controllable switch in order to analyze the information in detected packets, including the terminal device's network address and label information. The label conversion module 220 calculates, from the network topology information and the label information, the traditional switch port at which the terminal device is located. The terminal device information management module 230 records the terminal device information and its location. After the terminal device information has been established, when the network administrator allows a terminal device to use the network, the terminal device policy management unit 300 applies a policy to enable it: the terminal device policy management module 310 composes a policy from the terminal device information and its location and, according to the network connection information, applies the policy on a controllable switch, thereby controlling the terminal device.

The operation of the present invention can be understood further from the terminal device detection and recording flow shown in FIG. 3, which is executed by the modules of the terminal device information management unit 200.

First, after the network topology information has been established, in step S11 the detection module 210 enables the terminal device detection function of every controllable switch. With this function enabled, when a controllable switch receives a packet from a terminal device (hereinafter the "detection packet"), it checks whether it holds a policy that applies to the detection packet. If an applicable policy exists, the controllable switch forwards the detection packet according to that policy so that the packet can reach its destination. If no policy applies, the controllable switch forwards the detection packet to the central controller.

Next, in step S12, when a terminal device connects to a traditional switch, its traffic flows from the traditional switch through a controllable switch. When the controllable switch receives a detection packet in that traffic, it forwards the packet to the central controller, because initially the controllable switch holds no applicable policy. Before forwarding the detection packet, the controllable switch attaches to it the number of the port on which the controllable switch received the packet (this port and its number are hereinafter called the "detection port").

Then, in step S13, the label conversion module 220 in the central controller receives the detection packet forwarded by the controllable switch and determines whether it contains a label. If it does, the flow proceeds to step S14; if not, the flow proceeds to step S18. Every port of every traditional switch in the network has a corresponding label, and whenever a packet passes through a traditional switch port, that traditional switch attaches the port's label to the packet. A detection packet that has passed through a traditional switch port therefore contains the label of that port, and a detection packet that has not passed through a traditional switch port contains no label.

In step S14, the label conversion module 220 determines whether the label in the detection packet was registered in the terminal device management and control system 500 of the central controller during the earlier environment build stage, that is, whether the label registration module 140 holds a record of the correspondence between that label and some port of some traditional switch. If so, the flow proceeds to step S15; if not, the flow proceeds to step S18.

In step S15, the label conversion module 220 uses the detection port in the detection packet and the network topology information to calculate all traditional switches related to the detection port (connected to it directly or indirectly).

Next, in step S16, the label conversion module 220 uses the label in the detection packet to find, among the related traditional switches, the one traditional switch port in the whole network that corresponds to that label.

In this embodiment the VLAN number is used as the label, so different traditional switches may have the same label. In another embodiment, a different numbering scheme may give every traditional switch port a label that is unique across the whole network. Step S15 can then be omitted, and in step S16 the label conversion module 220 can use the label in the detection packet to find, among all traditional switches, the one traditional switch port that corresponds to that label.

In step S17, the terminal device information management module 230 records the network address of the terminal device that sent the detection packet, the label in the detection packet, and the traditional switch port found in step S16 as the unique match for that label. The terminal device's network address can be obtained from the detection packet, the traditional switch port amounts to the terminal device's network location, and the label can likewise correspond to or represent the terminal device's network location.

Step S18 applies when the detection packet contains no label or its label is not registered with the central controller: the label conversion module 220 simply discards the detection packet and takes no further action, so the terminal device that sent the detection packet cannot connect to the network.

由圖4所示的終端設備政策套用流程可以更加了解本發明的運作情形,此流程係由終端設備政策管理單元300的終端設備政策管理模組310執行。 The operation of the present invention can be better understood from the terminal device policy application process shown in FIG. 4 , which is executed by the terminal device policy management module 310 of the terminal device policy management unit 300 .

First, after the terminal device information establishment flow shown in FIG. 3 is complete, when the network administrator wants to allow a terminal device to connect to the network, step S21 takes the traditional switch at the terminal device's network location as the starting point of the neighbor search.

The neighbor search begins in step S22 to find the controllable switch closest to the terminal device. Any two switches that are linked, whether controllable or traditional, are neighbors of each other. In one embodiment, the neighbor search algorithm may be, but is not limited to, breadth-first search or depth-first search.

After the neighbor search, step S24 obtains the controllable switch closest to the terminal device. The port of that controllable switch that links to the traditional switch at the terminal device's network location is the port through which the terminal device's packets enter the controllable switch.

Next, in step S25, a policy for the terminal device is composed from the network address of the terminal device, the label corresponding to the terminal device (the label of the traditional switch port at the terminal device's network location), and that port of the controllable switch, and the policy is applied to the controllable switch. This is the policy applicable to detection packets mentioned in the description of step S11 of FIG. 3. The policy includes the network address of the terminal device, the label corresponding to the terminal device, and the port of the controllable switch. From then on, whenever the controllable switch receives on that port a packet matching the network address and label in the policy, it forwards the packet according to the policy so that the terminal device can connect to the network, and does not forward the packet to the central controller.

Besides terminal devices that access the network for the first time, the present invention can also detect terminal devices that have moved, for dynamic management and control. After a terminal device moves, for example by reconnecting to another traditional switch or to another port of the same traditional switch, the flows of FIG. 3 and FIG. 4 still apply. Specifically, the detection module 210 enables the detection function of the controllable switches, the label conversion module 220 then works out the traditional switch port where the terminal device is located, the terminal device information management module 230 records the terminal device's network address and network location, and finally the terminal device policy management module 310 updates the terminal device's policy and applies it to the corresponding controllable switch, achieving dynamic management and control.
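The label lookup of steps S15 to S18 and the policy flow of steps S21 to S25, including the move case above, can be sketched as follows. This is an added example, not code from the patent: the topology, switch names, VLAN numbers and address are constructed, administrator approval is assumed, and treating an ambiguous label as a discard is an assumption of the sketch.

```python
from collections import deque

# Constructed topology (not from the patent): C* controllable, T* traditional.
KIND = {"C1": "controllable", "C2": "controllable",
        "T1": "traditional", "T2": "traditional", "T3": "traditional"}
LINKS = [(("C1", 1), ("T1", 24)), (("C1", 2), ("T2", 24)),
         (("C2", 1), ("T3", 24)), (("C1", 3), ("C2", 3))]
# Registered labels: (traditional switch, access port) -> VLAN number.
# VLAN 101 is reused on several switches, as the embodiment allows.
LABELS = {("T1", 1): 101, ("T1", 2): 102, ("T2", 1): 101, ("T3", 1): 101}


def neighbors(switch):
    """Yield (local_port, peer_switch, peer_port) for each link of `switch`."""
    for (a, pa), (b, pb) in LINKS:
        if a == switch:
            yield pa, b, pb
        if b == switch:
            yield pb, a, pa


def traditional_behind(ctrl_switch, in_port):
    """Step S15: traditional switches reachable through one controllable port."""
    start = [peer for port, peer, _ in neighbors(ctrl_switch)
             if port == in_port and KIND[peer] == "traditional"]
    seen, queue = set(start), deque(start)
    while queue:
        for _, peer, _ in neighbors(queue.popleft()):
            if KIND[peer] == "traditional" and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def resolve_port(ctrl_switch, in_port, label):
    """Step S16: map a label to exactly one traditional switch port.
    None means discard (step S18): no label, or no unique registered match."""
    if label is None:
        return None
    candidates = traditional_behind(ctrl_switch, in_port)
    hits = [loc for loc, vlan in LABELS.items()
            if vlan == label and loc[0] in candidates]
    return hits[0] if len(hits) == 1 else None


def nearest_controllable(traditional_switch):
    """Steps S21-S24: breadth-first search outward from the traditional switch.
    Returns (controllable switch, port on which the terminal's packets arrive)."""
    seen, queue = {traditional_switch}, deque([traditional_switch])
    while queue:
        for _, peer, peer_port in neighbors(queue.popleft()):
            if KIND[peer] == "controllable":
                return peer, peer_port
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return None


def build_policy(ctrl_switch, in_port, address, label):
    """Step S25 for one detection packet; None means the packet is discarded."""
    location = resolve_port(ctrl_switch, in_port, label)
    found = location and nearest_controllable(location[0])
    if not found:
        return None
    return {"switch": found[0], "in_port": found[1],
            "address": address, "label": label}
```

Because the lookup is scoped to the traditional switches behind the ingress port, the same VLAN number resolves to a different port on each uplink, and a label that is registered only behind another uplink is discarded.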

The system of the present invention addresses terminal device management and control in heterogeneous networks. The traditional switch port that each label represents is defined through automatic detection or manual import. Even though the central controller cannot control the traditional switches, the label mechanism lets it correctly locate a terminal device detected at a controllable switch on its traditional switch and port. Terminal device policy control on the controllable switches then achieves the terminal device management and control that cannot be performed on the traditional switches, improving network security.

The terminal device management and control system and method of the present invention have the following advantages:

1. Easy to manage: the present invention can accurately detect the correct location of a terminal device behind a traditional switch without installing any monitoring component on the terminal device. In addition, configuration is needed only on the central controller, not on the switches, to dispatch control policies to the controllable switches and apply them to terminal devices, and the terminal device's settings do not need to be modified after it moves.

2. High security: compared with traditional network solutions that perform access control at the aggregation side, the present invention enforces policy control at the controllable switches, which can prevent a terminal device from connecting to the internal and external networks, and isolates the network at the traditional switches through the VLAN of each port, providing complete network slicing and isolation. In addition, the present invention needs no additional controller to control the traditional switches, and its network slicing isolation is not subject to the limit of at most 4096 virtual LAN labels, so it can support more network slices.

3. Lower cost: compared with centralized homogeneous network solutions that deploy controllable switches across the whole network, the present invention uses traditional switches as the terminal access switches. In sites that manage a large number of terminal devices, this greatly reduces the number of controllable switches required and lowers network cost.

The detailed description above specifically describes one feasible embodiment of the present invention. This embodiment is not intended to limit the patent scope of the present invention; any equivalent implementation or modification that does not depart from the technical spirit of the present invention shall be included in the patent scope of this case.

In summary, this case is not only innovative in its technical concept but also provides the several effects described above that other existing related technologies do not achieve. It fully satisfies the statutory invention patent requirements of novelty and inventive step. The application is therefore filed in accordance with the law, and the Office is respectfully requested to approve this invention patent application in order to encourage invention.

100: Topology management unit

110: Controllable switch management module

120: Traditional switch management module

130: Connection management module

140: Label registration module

200: Terminal device information management unit

210: Detection module

220: Label conversion module

230: Terminal device information management module

300: Terminal device policy management unit

310: Terminal device policy management module

500: Terminal device management and control system

Claims (12)

1. A terminal device management and control system implemented in a central controller, the central controller being communicatively connected to a heterogeneous network of at least one controllable switch and at least one traditional switch, the terminal device management and control system comprising: a detection module, communicatively connected to the controllable switches through the central controller, for enabling a terminal device detection function of the controllable switches so that the controllable switches, upon receiving a packet sent by a terminal device, forward the packet to the terminal device management and control system; a label conversion module, communicatively connected to the controllable switches through the central controller, for finding, according to a label contained in the packet, a first port that uniquely corresponds to the label among all ports of the traditional switches; and a terminal device policy management module, communicatively connected to the controllable switches through the central controller, for composing, according to the network address of the terminal device, the label and the first port, a policy that allows the terminal device to connect to the network, and applying the policy to the controllable switch closest to the terminal device among the controllable switches.

2. The terminal device management and control system of claim 1, wherein the traditional switches are connected between the terminal device and the controllable switches, one of the traditional switches receives the packet before the controllable switches do, and the label contained in the packet corresponds to the port of that traditional switch that received the packet.

3. The terminal device management and control system of claim 1, wherein the label conversion module calculates, according to a second port of the controllable switches that received the packet and network topology information of the heterogeneous network, all of the traditional switches connected to the second port, and then finds the first port uniquely corresponding to the label among all traditional switches connected to the second port.

4. The terminal device management and control system of claim 1, wherein the label conversion module is further used to determine whether the packet contains the label and/or whether the label contained in the packet is registered in the terminal device management and control system, and if the packet does not contain the label or the label contained in the packet is not registered in the terminal device management and control system, the label conversion module discards the packet.

5. The terminal device management and control system of claim 1, wherein the terminal device policy management module performs a neighbor search starting from the traditional switch where the first port is located, so as to find the controllable switch closest to the terminal device.

6. The terminal device management and control system of claim 5, wherein the policy includes the network address of the terminal device, the label, and a third port, the third port being the port of the controllable switch closest to the terminal device that is connected to the traditional switch where the first port is located, and the policy is used to forward packets that are received from the third port and match the network address and the label in the policy.

7. A terminal device management and control method for a heterogeneous network comprising a central controller, at least one controllable switch and at least one traditional switch, the terminal device management and control method comprising: enabling a terminal device detection function of the controllable switches so that the controllable switches, upon receiving a packet sent by a terminal device, forward the packet to the central controller; finding, according to a label contained in the packet, a first port that uniquely corresponds to the label among all ports of the traditional switches; and composing, according to the network address of the terminal device, the label and the first port, a policy that allows the terminal device to connect to the network, and applying the policy to the controllable switch closest to the terminal device among the controllable switches.

8. The terminal device management and control method of claim 7, wherein the traditional switches are connected between the terminal device and the controllable switches, one of the traditional switches receives the packet before the controllable switches do, and the label contained in the packet corresponds to the port of that traditional switch that received the packet.

9. The terminal device management and control method of claim 7, wherein the step of finding the first port that uniquely corresponds to the label comprises: calculating, according to a second port of the controllable switches that received the packet and network topology information of the heterogeneous network, all of the traditional switches connected to the second port; and finding the first port uniquely corresponding to the label among all traditional switches connected to the second port.

10. The terminal device management and control method of claim 7, further comprising: determining whether the packet contains the label and/or determining whether the label contained in the packet is registered in the central controller; and discarding the packet if the packet does not contain the label or the label contained in the packet is not registered in the central controller.

11. The terminal device management and control method of claim 7, further comprising: performing a neighbor search starting from the traditional switch where the first port is located, to find the controllable switch closest to the terminal device.

12. The terminal device management and control method of claim 11, wherein the policy includes the network address of the terminal device, the label, and a third port, the third port being the port of the controllable switch closest to the terminal device that is connected to the traditional switch where the first port is located, and the policy is used to forward packets that are received from the third port and match the network address and the label in the policy.
TW110103062A 2021-01-27 2021-01-27 Terminal device management system and method thereof TWI774215B (en)


Publications (2)

Publication Number Publication Date
TW202231026A TW202231026A (en) 2022-08-01
TWI774215B true TWI774215B (en) 2022-08-11
