CN101098252A - Legal monitor of IP network - Google Patents


Info

Publication number
CN101098252A
Authority
CN
China
Prior art keywords
vlan
network
switch
monitoring device
legal monitoring
Prior art date
Legal status
Pending
Application number
CNA2006100959767A
Other languages
Chinese (zh)
Inventor
雷蒙·加斯
Current Assignee
Alcatel CIT SA
Alcatel Lucent NV
Original Assignee
Alcatel NV
Priority date
2006-06-29
Filing date
2006-06-29
Publication date
2008-01-02

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for providing lawful interception of a device in a network, where the network comprises means for defining a virtual local area network (VLAN). A lawful monitoring device of the network defines a VLAN such that at least the monitored device and the lawful monitoring device are members of that VLAN.

Description

Lawful interception in IP networks
Technical field
The invention relates to a method for providing lawful interception of a device in a network.
Background technology
Lawful interception is the legally authorised monitoring and surveillance of a target's communications. It is the process of monitoring the communication between parties in a network; the monitoring is legally authorised and is carried out without the knowledge of the monitored party. Lawful interception is commonly referred to as "wiretapping" or "phone tapping".
Several techniques described in the literature implement lawful interception in telephone networks, but because those solutions are based on circuit-switched networks they are not applicable to packet-switched networks such as voice over IP.
EP 1389862 discloses a lawful interception device for monitoring the media stream between two IP (Internet Protocol) parties. It comprises a SIP (Session Initiation Protocol) proxy server or an MGC (Media Gateway Controller) that detects information in the signalling messages exchanged between the two IP parties and, from the detected signalling information, creates instructions that direct an RTP (Real-time Transport Protocol) proxy server to set up a bypass channel, via an intermediate storage medium, for the media stream to be monitored. Because the connection parameters in the SDP (Session Description Protocol) part of the SIP messages sent to the IP parties are adapted accordingly, the monitoring is transparent to the IP parties.
Lawful interception according to the prior art therefore requires specially designed proxy servers in the network.
Summary of the invention
The object of the invention is to provide lawful interception without a specially designed network, based on the use of existing network protocols.
The problem stated above is solved by a method for providing lawful interception of a device in a network, where the network comprises means for defining a virtual local area network (VLAN), and where a lawful monitoring device of the network defines a VLAN of which at least the monitored device and the lawful monitoring device are members. Preferably, the lawful monitoring device can define the VLAN itself, for example without using the VLAN functions of the switches in the network. To achieve this, the lawful monitoring device can act as a switch and exchange VLAN definition information with the "real" switches in the network.
In a preferred embodiment, the GARP (Generic Attribute Registration Protocol) VLAN Registration Protocol (GVRP) is used to define the VLAN between the lawful monitoring device and the monitored device.
In a preferred embodiment, the lawful monitoring device and the monitored device are in different static broadcast domains. A static broadcast domain is a network in which a broadcast is delivered to every device in the network; this means that at least one router lies between the two networks. In another preferred embodiment, the lawful monitoring device and the monitored device are in the same static broadcast domain, which is normally the case in a switched LAN.
The problem stated above is also solved by customer premises equipment (CPE) that comprises means for joining a VLAN. Preferably, the lawful monitoring device comprises means for acting as a switch. In another preferred embodiment, the customer premises equipment and/or the lawful monitoring device comprise means for exchanging information using the GARP VLAN Registration Protocol (GVRP).
Description of drawings
Fig. 1 is a schematic of a switched network;
Fig. 2 is a schematic of a routed network with switches.
Embodiments
Recently, virtual local area networks (VLANs) have become an indispensable feature of switched LAN solutions. In a network segmented only by routers, segments correspond one-to-one with broadcast domains, and each segment typically contains 30 to 100 users. With the introduction of switching, the network can be divided into smaller layer-2 segments, increasing the bandwidth available per segment.
A VLAN is a switched network that is logically segmented by organisation, for example by function, project team or application, rather than by physical location or geography. For example, all the workstations and servers used by a particular project team can be connected to the same VLAN, regardless of their physical connections to the network and of the fact that they may be mixed with other teams. Reconfiguring the network is done in software rather than by physically unplugging and moving devices or cables.
A VLAN can be regarded as a broadcast domain that exists within a defined set of switches. A VLAN comprises a number of end systems connected by a single bridged domain; the end systems can be hosts or network devices such as bridges and routers. Bridged domains are supported by various network devices, for example LAN switches that run bridging protocols between one another, with a separate bridge group for each VLAN.
VLANs were created to provide the segmentation services traditionally provided by routers in a LAN configuration. VLANs cover the physically switched infrastructure so that the logical network topology can be any combination of LAN ports grouped into autonomous user groups or interest groups. This technique divides the logical network into separate layer-2 broadcast domains by switching packets only between ports that belong to the same VLAN.
VLAN switching is implemented by frame tagging: traffic originating within and contained in a particular virtual topology carries a unique VLAN identifier (VLAN ID) as it travels over a shared backbone or trunk link. The VLAN ID enables VLAN switching devices to make intelligent forwarding decisions based on the embedded VLAN ID. Each VLAN is distinguished by a colour, or VLAN identifier; the unique VLAN ID determines the frame colour of that VLAN. Packets originating within and contained in a particular VLAN carry the identifier (VLAN ID) that uniquely defines that VLAN.
The VLAN ID enables VLAN switches and routers to selectively forward packets to ports with the same VLAN ID. A switch that receives a frame from a source station inserts the VLAN ID and switches the packet onto the shared backbone. When the frame leaves the switched LAN, a switch removes the header and forwards the frame to the interfaces matching that VLAN colour. Some network management products, such as VlanDirector (a virtual LAN controller), can colour-code VLANs and monitor them graphically.
Many early VLAN implementations defined VLAN membership by groups of switch ports (for example, ports 1, 2, 3, 7 and 8 on a switch make up VLAN A, and ports 4, 5 and 6 make up VLAN B). Moreover, in most early implementations a VLAN could only be supported on a single switch. Second-generation implementations support VLANs that span several switches (for example, ports 1 and 2 of switch #1 together with ports 4, 5, 6 and 7 of switch #2 make up VLAN A, and ports 3, 4, 5, 6, 7 and 8 of switch #1 together with ports 1, 2, 3 and 8 of switch #2 make up VLAN B). Grouping by port is still the most common method of defining VLAN membership, and its configuration is fairly straightforward. Defining VLANs purely by port groups does not allow several VLANs to include the same physical segment (or switch port). The main limitation of defining VLANs by port, however, is that when a user moves from one port to another, the network administrator must reconfigure the VLAN membership.
Defining VLAN membership by MAC (media access control) layer address has a different set of advantages and disadvantages. Because the MAC-layer address is hard-wired into the workstation's network interface card (NIC), MAC-address-based VLANs allow the network administrator to move a workstation to a different physical location on the network while the workstation automatically retains its VLAN membership. In this sense a VLAN defined by MAC addresses can be regarded as a user-based VLAN. One drawback of the MAC-address-based VLAN solution is that all users must initially be configured into at least one VLAN. After this initial manual configuration, automatic tracking of users is possible.
IP multicast groups represent yet another way of defining VLANs, although the basic concept of a VLAN as a broadcast domain still applies. When an IP packet is sent via multicast, it is sent to an address that acts as a proxy for an explicitly defined, dynamically established group of IP addresses. Each workstation has the opportunity to join a particular IP multicast group by responding affirmatively to a broadcast notification announcing the existence of the group. All workstations that join an IP multicast group can be regarded as members of the same virtual LAN; however, those workstations are members of the particular multicast group only for a certain period. The dynamic nature of VLANs defined by IP multicast groups therefore provides a very high degree of flexibility and application sensitivity. In addition, VLANs defined by IP multicast groups can inherently span several routers and therefore several WAN connections.
Because of the trade-offs between the various types of VLAN, several VLAN definition methods can be used at the same time. Such flexible definition of VLAN membership lets the network administrator configure VLANs to best suit the particular network environment. For example, by combining several methods, an organisation using both the IP and NetBIOS (Network Basic Input/Output System) protocols can define IP VLANs that correspond to pre-existing IP subnets, and then define VLANs for the NetBIOS end stations by grouping those end stations by MAC-layer address. VLANs support RTP (Real-time Transport Protocol) transport, an Internet protocol used to carry real-time data such as audio, video or multimedia data.
A fully automatic VLAN configuration system means that workstations join VLANs automatically and dynamically based on application, user ID or other criteria or policies preset by the administrator. When network traffic arrives from other switches, the switch that forwards VLAN membership information must have a way of knowing the VLAN membership (that is, which stations belong to which VLAN); otherwise VLANs would be confined to a single switch.
IEEE 802.1Q frame tagging defines a method for inserting into IEEE MAC-layer frames a tag that defines membership of a virtual LAN. During standardisation, the engineers sneaked in a few extra bits to define the class of service. 802.1Q is designed to simplify the configuration and management of VLANs. IEEE 802.1Q specifies a method for defining and establishing VLANs in frame-based networks such as Ethernet and Token Ring. IEEE 802.1Q is a tagging mechanism in which a VLAN ID is inserted into the layer-2 frame header. The VLAN ID associates a frame with a particular VLAN and provides the information that switches need to create VLANs across the network.
The 802.1Q standard defines tag-based frame forwarding, explicit sharing of VLAN information and exchange of topology information, and the management and configuration of VLANs.
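As an added illustration of the tagging just described (this is not code from the patent), the following Python snippet builds the 4-byte 802.1Q tag, inserts it as a switch does on ingress from an access port, decodes the VLAN ID and the priority bits, and strips it again on egress; the MAC addresses and payload are constructed sample values.

```python
"""Build, parse and strip IEEE 802.1Q VLAN tags on Ethernet frames.

Added example, not part of the patent text. The sample frame is
constructed inline; no real capture is used.
"""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte tag: TPID followed by the TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Ingress from an access port: insert the tag between the MAC addresses and the EtherType."""
    if len(untagged) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return untagged[:12] + build_tag(vid, pcp) + untagged[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields; 'vid' is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vid": None, "pcp": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def strip_tag(frame: bytes) -> bytes:
    """Egress to an access port: remove the 4-byte tag if one is present."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


if __name__ == "__main__":
    # Constructed sample: placeholder MACs, IPv4 EtherType, dummy 20-byte payload.
    sample = (bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455")
              + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" * 20)
    tagged = tag_frame(sample, vid=100, pcp=5)
    print(parse_frame(tagged))
    print("round trip ok:", strip_tag(tagged) == sample)
```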
The VLAN protocol called GARP (Generic Attribute Registration Protocol) propagates topology information via tags to network switches and end stations. Similarly, the registration protocol called GVRP (GARP VLAN Registration Protocol) controls various aspects of the VLAN join/leave process.
The GARP VLAN Registration Protocol (GVRP) defines a GARP application that provides 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. GVRP is an application defined in the IEEE 802.1P standard that implements control of 802.1Q VLANs.
GVRP lets a switch dynamically create 802.1Q-compatible VLANs on links to other devices running GVRP, so that the switch can automatically set up VLAN links between GVRP-aware devices. (A GVRP link may include intermediate devices that are not GVRP-aware.) By automatically providing VLAN ID (VID) consistency across the whole network, this reduces the chance of errors in the VLAN configuration. With GVRP, a switch can exchange VLAN configuration information with other GVRP switches, reduce unnecessary broadcast and unknown-unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports. GVRP uses GID (GARP Information Declaration) and GIP (GARP Information Propagation), which provide the common state-machine description and the common information-propagation mechanism used by GARP-based applications. GVRP operates only on 802.1Q trunk links. GVRP prunes trunk links so that only active VLANs are carried over a trunk connection. GVRP expects to receive join messages from switches before it adds a VLAN to a trunk. The GVRP update and maintenance timers can be changed. GVRP ports can be operated in various modes that control how these ports prune VLANs. GVRP can be configured to dynamically add VLANs to the VLAN database and manage them for trunking purposes.
In other words, GVRP propagates VLAN information from device to device or end node. With GVRP, the VLANs that the whole network expects are configured manually on a single switch, and every other switch on the network learns those VLANs dynamically. An end node can be plugged into any switch and connected to the VLAN it expects. To use GVRP, an end node needs a GVRP-aware network interface card (NIC). The GVRP-aware NIC is configured with one or more expected VLANs and is then connected to a GVRP-enabled switch. The NIC and the switch communicate and thereby establish VLAN connectivity between the NIC and the switch.
Fig. 1 illustrates a simple configuration in a local area network (LAN) containing only one switch S, to which several devices (or end nodes) are connected. In Fig. 1 the devices are identified by IP address. For the purposes of the example, the devices belong to different (static) class C networks: two belong to 192.168.2.0, three belong to 192.168.4.0 and one belongs to 192.168.3.0. In this configuration, devices 192.168.2.1 and 192.168.2.2, and likewise devices 192.168.4.1, 192.168.4.2 and 192.168.4.3, can communicate with each other without routing. Communication between the subnets can only take place via a router.
Switch S can define VLANs, for example via GARP or GVRP. In addition, device (end node) 192.168.3.1 can act as a switch (if end nodes cannot define VLANs dynamically). Device 192.168.3.1 creates VLAN_1 by sending an appropriate request to switch S. As shown in Fig. 1, device 192.168.3.1 (the "lawful monitoring device") can create a VLAN that has only one other member, device 192.168.4.1.
Traffic from and to 192.168.4.1 is now local to device 192.168.3.1 (the two are in the same broadcast domain), so 192.168.3.1 can inspect all network traffic of device 192.168.4.1, for example the multimedia data of an RTP channel (in particular voice communication, video or even fax transmissions).
The method described above for a single switch can also be applied to networks containing routers. The switches must then exchange VLAN information across the routers, which is possible in all the examples of the standards described above. Fig. 2 shows an example of such a routed network. Two switches S1 and S2 are connected via a router R (or several routers, for example the Internet). Both switches can create VLANs. The lawful monitoring device 192.168.1.1 in subnet 192.168.1.0 has created a VLAN outside the broadcast domain of the network of switch S1; this VLAN contains device 123.456.1.1 in network 123.456.0.0. Only device 192.168.1.1 and device 123.456.1.1 are members of this VLAN. As in the example of Fig. 1, the lawful monitoring device 192.168.1.1 can now hear all traffic to and from device 123.456.1.1.
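The Python model below, added here and not part of the patent, replays the Fig. 1 scenario on a simplified port-based switch: the administrator's static VLANs (assumed here to follow the three class C subnets), a GVRP-style dynamic registration of VLAN_1 by 192.168.3.1 with 192.168.4.1 as its only other member, and flooding that stays inside a VLAN. It also adds the audit a network operator would want, which lists every VLAN member that exists only through dynamic registration rather than static configuration; the Switch class, its method names and the port numbering are assumptions.

```python
"""Simplified port-based switch modelling switch S of Fig. 1.

Added example, not part of the patent. Static VLAN-per-subnet layout,
port numbers and method names are assumptions made for the model.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: dict[int, str]                      # port number -> IP of the attached end node
    static_vlans: dict[int, set[int]] = field(default_factory=dict)   # vid -> ports set by admin
    dynamic_vlans: dict[int, set[int]] = field(default_factory=dict)  # vid -> ports joined via GVRP

    def port_of(self, ip: str) -> int:
        for port, dev in self.ports.items():
            if dev == ip:
                return port
        raise KeyError(ip)

    def members(self, vid: int) -> set[int]:
        """Effective membership is the union of static and dynamic registrations."""
        return self.static_vlans.get(vid, set()) | self.dynamic_vlans.get(vid, set())

    def gvrp_join(self, vid: int, requester_port: int, target_ports: set[int]) -> None:
        """A GVRP-aware end node registers VID for its own port and the ports it names.

        This follows the patent's description (the end node 'creates VLAN_1 by
        sending a request to switch S'); real GVRP propagation is more involved.
        """
        self.dynamic_vlans.setdefault(vid, set()).update({requester_port, *target_ports})

    def flood(self, vid: int, ingress_port: int) -> set[int]:
        """Broadcast/unknown-unicast flooding reaches every member port except ingress.

        Returns the empty set when the ingress port is not a member of the VLAN,
        i.e. the frame is dropped.
        """
        if ingress_port not in self.members(vid):
            return set()
        return self.members(vid) - {ingress_port}

    def audit(self) -> list[tuple[int, int, str]]:
        """List (vid, port, device) entries present only through dynamic registration."""
        findings = []
        for vid, ports in sorted(self.dynamic_vlans.items()):
            for port in sorted(ports - self.static_vlans.get(vid, set())):
                findings.append((vid, port, self.ports[port]))
        return findings


def figure1_switch() -> Switch:
    """Switch S of Fig. 1 with the six end nodes; one static VLAN per subnet is assumed."""
    s = Switch(ports={1: "192.168.2.1", 2: "192.168.2.2", 3: "192.168.4.1",
                      4: "192.168.4.2", 5: "192.168.4.3", 6: "192.168.3.1"})
    s.static_vlans = {2: {1, 2}, 4: {3, 4, 5}, 3: {6}}
    return s


def monitoring_scenario() -> tuple[set[int], set[int], list[tuple[int, int, str]]]:
    """192.168.3.1 registers VLAN_1 (vid 1) with 192.168.4.1; return flooding before/after and the audit."""
    s = figure1_switch()
    monitor, target = s.port_of("192.168.3.1"), s.port_of("192.168.4.1")
    before = s.flood(vid=1, ingress_port=target)        # VLAN_1 does not exist yet: dropped
    s.gvrp_join(vid=1, requester_port=monitor, target_ports={target})
    after = s.flood(vid=1, ingress_port=target)         # now delivered to the monitor's port
    return before, after, s.audit()


if __name__ == "__main__":
    before, after, findings = monitoring_scenario()
    print("delivered before join:", before, "after join:", after)
    for vid, port, dev in findings:
        print(f"dynamic-only member: vid={vid} port={port} device={dev}")
```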
The method described can also be applied to IP telephony ("voice over IP") networks with customer premises equipment (CPE) connected to other networks via ADSL, ISDN, etc. Moreover, lawful interception according to the invention can be implemented using existing tools (for example, using a VLAN id in statements of a management protocol such as SNMP, the Simple Network Management Protocol) or using special tools. A special tool, which may include a graphical user interface, can hide the complexity of the operation from the "listener" when lawful interception according to the invention is set up. In practice, fairly specialised knowledge (the usual knowledge of a system operator) is required to assign the particular address of the device or end node subject to lawful interception (such as a VoIP phone or an IP-based fax terminal), i.e. its port, or its MAC and/or IP address (the latter usually being assigned dynamically), to a particular VLAN in the existing network. This particular VLAN can then be assigned to the "listener", which may require administrative rights. The listener can then analyse the data heard from its terminal, which acts as the lawful monitoring device and is part of that VLAN; the terminal can, but need not, be of the same type as the device to be monitored. For example, according to the invention it is possible to play back any data heard that is of an audio type that may originate from the communication being intercepted, or, in the case of fax or any other recordable type of data (SMS (Short Message Service), MMS (Multimedia Messaging Service), etc.), to display the data.

Claims (9)

1. A method for providing lawful interception of a device in a network, the network comprising means for defining a virtual local area network, wherein a lawful monitoring device of the network defines a VLAN, and at least the monitored device and the lawful monitoring device are members of the VLAN.
2. The method according to claim 1, wherein the lawful monitoring device acts as a switch among the switches of the network.
3. The method according to claim 1, wherein the GARP VLAN Registration Protocol is used to define the VLAN between the lawful monitoring device and the monitored device.
4. The method according to claim 1, wherein the lawful monitoring device and the monitored device are in different static broadcast domains.
5. The method according to claim 1, wherein the lawful monitoring device and the monitored device are in the same static broadcast domain.
6. Customer premises equipment comprising means for joining a VLAN.
7. A lawful monitoring device comprising means for acting as a switch.
8. Customer premises equipment according to claim 6, comprising means for exchanging information using the GARP VLAN Registration Protocol.
9. A lawful monitoring device according to claim 7, comprising means for exchanging information using the GARP VLAN Registration Protocol.
CNA2006100959767A 2006-06-29 2006-06-29 Legal monitor of IP network Pending CN101098252A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006100959767A CN101098252A (en) 2006-06-29 2006-06-29 Legal monitor of IP network

Publications (1)

Publication Number Publication Date
CN101098252A true CN101098252A (en) 2008-01-02

Family

ID=39011791

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098167A (en) * 2010-12-29 2011-06-15 杭州华三通信技术有限公司 Multicasting stream forwarding method, device and system
CN102098167B (en) * 2010-12-29 2013-12-25 浙江宇视科技有限公司 Multicasting stream forwarding method, device and system
CN114629844A (en) * 2022-02-28 2022-06-14 浙江大华技术股份有限公司 Message forwarding method and device and electronic equipment
CN114629844B (en) * 2022-02-28 2024-04-05 浙江大华技术股份有限公司 Message forwarding method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20080102