CN103763120A - Network terminal management method based on SNMP - Google Patents

Network terminal management method based on SNMP

Info

Publication number
CN103763120A
Authority
CN
China
Prior art keywords
port
terminal
address
mac
snmp
Legal status
Pending
Application number
CN201310603623.3A
Other languages
Chinese (zh)
Inventor
不公告发明人
Current Assignee
Chengdu Qinzhi Digital Technology Co Ltd
Original Assignee
Chengdu Qinzhi Digital Technology Co Ltd
Priority date: 2011-03-09
Filing date: 2011-03-09
Publication date: 2014-04-30

Abstract

The invention discloses a network terminal management method based on an SNMP. The network terminal management method based on the SNMP comprises the steps of (1) forming the corresponding relation between switch ports and the IP addresses of terminals, and the corresponding relation between the switch ports and MAC of the terminals, (2) setting a terminal matching rule, (3) configuring related information of a core switch, (4) obtaining port list information of the core switch, (5) obtaining information of the MAC address connected with each port of the core switch, (6) obtaining a list of the corresponding relation between the IP addresses and MAC in a network, (7) carrying out verification and matching on ports, the IP addresses and the MAC addresses according to the configured terminal matching rule, and (8) carrying out blocking on terminals which do not meet the terminal matching rule, and releasing terminals which meet the terminal matching rule. Network terminal management can be automatically accomplished, the cost of labor management is reduced, and complete and effective terminal management is provided.

Description

Network terminal management method based on SNMP
Technical field
The present invention relates to device control in network management, and in particular to a network terminal management method based on SNMP.
Background art
In government departments such as finance, telecommunications and public security, and in industry, information is highly confidential, so the departmental or corporate intranet must be strictly managed and controlled: no terminal that has not been permitted and authenticated may connect to it.
Managing network terminal access is an important means of network terminal control. Conventionally it is done by hand: every network port able to reach the intranet is managed and allocated manually; each terminal permitted to connect is assigned an IP address, and its MAC address and the address of the network port it connects through are recorded; the network ports are managed and controlled manually, with fixed connection locations, and every administrative area from which the intranet can be reached is placed under physical access control and human supervision; a legitimate terminal, once configured with its assigned IP address, connects to the intranet from its assigned fixed location. Managing terminal access through manual administration and area control has the following problems: the management cost is high, and the connecting terminals cannot be fully and effectively controlled.
The method and system provided by the present invention automatically collect, over SNMP and over Telnet/SSH, the terminals attached to each port of the intranet core switch, compare and match them automatically, automatically block terminals that are not permitted so that they cannot access the departmental or corporate intranet, and automatically release terminals that are permitted. This saves the cost of manual administration while providing complete and effective terminal management.
Summary of the invention
SNMP: Simple Network Management Protocol;
Telnet: a protocol and service for remote terminal login over the Internet;
SSH: Secure Shell, a security protocol built on the application and transport layers;
IP address: Internet Protocol address, the 32-bit address assigned to each host connected to the Internet;
MAC address: Media Access Control address, used to identify the location of a network device;
PORT: a switch port, also called an interface.
The present invention provides a terminal management method for network management, comprising a method for automatically blocking and automatically releasing terminals.
In the present invention, the method for automatically blocking and automatically releasing terminals comprises the steps of:
1) entering the correspondence between switch ports and terminal IP addresses and MAC addresses, by automatic import or by manual editing;
2) setting a terminal matching rule;
3) manually entering the subnet address, subnet mask and read community string of the intranet to be managed, obtaining the core switch information in the network, and manually configuring the core switch read community string; or manually entering, for each core switch, its IP address, the Telnet/SSH port number, the Telnet/SSH account, the Telnet/SSH password, the Telnet privileged-mode prompt, the Telnet enable (privileged-mode) password and the Telnet command prompt;
4) obtaining the port list information of the core switch;
5) obtaining the MAC address information of the terminals attached to each port of the core switch;
6) obtaining the list of correspondences between IP addresses and MAC addresses in the network;
7) according to the configured terminal matching rule, automatically matching the core switch port, IP address and MAC address information obtained in steps 3), 4) and 5) against the switch port, IP address and MAC address information imported or manually entered in step 1);
8) blocking terminals that do not satisfy the matching rule and releasing terminals that do.
In the present invention, the correspondence between switch ports and terminal IP and MAC addresses in step 1) is imported automatically from a file in, but not limited to, one of the following formats: EXCEL, XML, TXT.
In the present invention, the terminal matching rule of step 2) may be one of three rules: binding of the core switch port to the terminal IP address; binding of the core switch port to the terminal MAC address; binding of the core switch port to both the terminal IP address and the terminal MAC address.
In the present invention, step 4) obtains the port list information of the core switches in the network by automatically scanning the network over SNMP and reading the .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable MIB object of the core switch. The method also supports logging in to the core switch remotely over Telnet/SSH and executing a command to obtain the port list.
In the present invention, steps 1), 2) and 3) may be performed in any order.
In the present invention, step 5) obtains the MAC address information of the terminals attached to each port of the core switch by reading over SNMP the port ID and MAC address of every address forwarding table entry whose type is 3 (learned), reading the correspondence between port ID and port index number, deriving from these the correspondence between port index and MAC address, and filtering out the switch-to-switch interconnect ports according to the spanning tree algorithm. The MAC addresses attached to each port may also be obtained over Telnet/SSH by executing a command.
In the present invention, when steps 4) and 5) are performed over Telnet/SSH they form a single step: one command returns both the port list of the core switch and the MAC addresses attached to each port.
In the present invention, step 6) obtains the list of correspondences between IP and MAC addresses in the network by reading over SNMP the entries of the .iso.org.dod.internet.mgmt.mib-2.ip.ipNetToMediaTable object in the IP table, which give the correspondence between IP address and MAC address; where one IP address corresponds to several MAC addresses, the IP address is tested with PING and the address that can be reached is taken as the valid IP address. The IP-to-MAC correspondence may also be obtained over Telnet/SSH by executing a command, again testing the IP addresses with PING and taking the address that can be reached as the valid IP address.
In the present invention, step 8) blocks terminals that do not satisfy the matching rule and releases those that do: over SNMP, the port administrative status is set to down to block an unmatched terminal and set to up to release a matched terminal; alternatively, over Telnet/SSH, the port administrative status is set to down by command to block an unmatched terminal and set to up to release a matched terminal.
In the present invention, in step 8), when a terminal has been successfully blocked or released and its connection status changes, a block/release success notice is sent; the notice may take the form of a Web message, SMS, e-mail or sound. When blocking or releasing fails, a block/release failure alarm notice is sent, in the same forms.
In the present invention, steps 5), 6), 7) and 8) are executed as a scheduled task; the execution time, execution interval and interval unit of the scheduled task are configurable.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects: the network of a department or enterprise can be managed completely and automatically, all terminals connecting to the network are managed, the cost of manual administration is saved, and terminals are blocked and released automatically, promptly and accurately, effectively guaranteeing the security and confidentiality of the departmental or corporate network and its information.
Brief description of the drawings
Embodiments of the present invention are described with reference to the accompanying drawings, in which:
Fig. 1. Network terminal management principle;
Fig. 2. Network terminal management message interaction diagram;
Fig. 3. Network terminal management flow;
Fig. 4. Discovery steps for the IP/MAC attached to core switch ports, SNMP mode;
Fig. 5. Discovery steps for the IP/MAC attached to core switch ports, Telnet mode;
Fig. 6. Network terminal matching and block/release steps.
Detailed description of the embodiments
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Unless expressly stated otherwise, any feature disclosed in this specification (including any accompanying claims, the abstract and the drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose. That is, unless expressly stated otherwise, each feature is only one example of a series of equivalent or similar features.
Embodiment 1: the present invention is further described below with reference to the drawings.
As shown in Fig. 1, the operating principle of the network terminal management method of the present invention is: store the IP/MAC/PORT information and the matching rules for the network; send instructions to the core switch to obtain the switch information; perform the matching; according to the matching result, send instructions to the core switch to manage its ports; and thereby manage, through the core switch, the network terminals attached to it.
As shown in Figs. 2 and 3, the network terminal management steps are:
1) import the IP/MAC/PORT information from an EXCEL/XML/TXT file and maintain it by manual editing;
2) set the matching rule to full IP-MAC-PORT matching;
3) manually enter the subnet IP address, subnet mask and read community string of the subnet in which the core switches are to be discovered; obtain the core switch information over SNMP; obtain the core switch port list over SNMP;
4) obtain over SNMP the MAC addresses attached to the core switch ports;
5) obtain over SNMP the correspondence between IP addresses and MAC addresses;
6) obtain the configured matching rule and the configured matching information;
7) compare every IP, MAC and PORT obtained against the configured matching information according to the matching rule: an entry that agrees with the configured matching information matches and is flagged for release; one that does not agree fails and is flagged for blocking;
8) send messages to the core switch over SNMP, releasing the core switch ports flagged for release and blocking those flagged for blocking;
9) after a successful block/release, when the connection status of the network terminal changes, send a block/release success WEB message alert; after a failed block/release, send a block/release failure WEB message alert.
As shown in Fig. 5, the discovery steps for the IP/MAC attached to core switch ports in SNMP mode are:
1) send SNMP GET requests to the core switch for OID 1.3.6.1.2.1.2.2 to obtain the core switch port list ifTable;
2) send SNMP GET requests to the core switch for OID 1.3.6.1.2.1.17.4.4 to obtain the address forwarding table dot1dTpFdbTable, whose entries contain three items: dot1dTpFdbPort, dot1dTpFdbAddress, dot1dTpFdbStatus;
3) filter the forwarding entries by dot1dTpFdbStatus, keeping only those whose status is 3 (learned);
4) send SNMP GET requests to the core switch for OID 1.3.6.1.2.1.17.1.4 to obtain the port ID to index mapping table dot1dBasePortTable, whose entries contain two items: dot1dBasePort, dot1dBasePortIfIndex;
5) using the ID/index mapping, combine the forwarding entries of step 3) into a list of correspondences between port index and attached MAC address;
6) filter out the switch interconnect ports according to the spanning tree algorithm;
7) send SNMP GET requests to the core switch for OID 1.3.6.1.2.1.4.22 to obtain the IP/MAC correspondence table ipNetToMediaTable, whose entries contain two items: ipNetToMediaNetAddress, ipNetToMediaPhysAddress;
8) for IP/MAC pairs in which one MAC corresponds to several IPs, PING each IP (ICMP) and keep only the IP addresses that respond;
9) associate the information of steps 6) and 7) to obtain the list associating each switch port index with the IP and MAC address of the attached terminal.
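The nine SNMP discovery steps above reduce to three table joins. The following Python is an added example, not code from the patent or its assignee: the table rows are constructed inline in the shape an SNMP walk returns (index and column values), `reachable()` stands in for the ICMP PING of step 8, and the uplink set stands in for the spanning-tree filter of step 6. Two practical points the patent text glosses over: a table such as ifTable is retrieved by walking it with GETNEXT/GETBULK, not by a single GET on the table OID; and on many switches the dot1dTpFdbTable is scoped per VLAN (Cisco indexes it with a community@vlan string), so the walk has to be repeated for every VLAN that carries terminals.

```python
"""Join of ifTable, dot1dBasePortTable, dot1dTpFdbTable and ipNetToMediaTable.
Added example, not the patent's code.  All rows below are CONSTRUCTED in the
shape an SNMP walk of each table returns; a real collector fills them from
pysnmp/net-snmp walks and replaces reachable() with an ICMP ping."""
from collections import defaultdict

# --- constructed walk results (assumed values, not from the patent) ----------
# ifTable (1.3.6.1.2.1.2.2): ifIndex -> ifDescr
IF_TABLE = {1: "FastEthernet0/1", 2: "FastEthernet0/2", 3: "FastEthernet0/3",
            24: "GigabitEthernet0/1"}
# dot1dBasePortTable (1.3.6.1.2.1.17.1.4): dot1dBasePort -> dot1dBasePortIfIndex
BASE_PORT_TABLE = {1: 1, 2: 2, 3: 3, 24: 24}
# dot1dTpFdbTable (1.3.6.1.2.1.17.4.4): rows of
# (dot1dTpFdbAddress as 6 octets, dot1dTpFdbPort, dot1dTpFdbStatus)
FDB_STATUS_LEARNED = 3
FDB_TABLE = [
    (bytes.fromhex("0050563a0001"), 1, 3),
    (bytes.fromhex("0050563a0002"), 2, 3),
    (bytes.fromhex("0050563a0003"), 3, 5),   # mgmt(5): not a learned host
    (bytes.fromhex("0050563a0010"), 24, 3),  # two MACs behind port 24 ...
    (bytes.fromhex("0050563a0011"), 24, 3),  # ... it is an uplink
]
# bridge ports the spanning-tree step (dot1dStpPortTable) flagged as interconnects
UPLINK_BASE_PORTS = {24}
# ipNetToMediaTable (1.3.6.1.2.1.4.22): rows of
# (ipNetToMediaNetAddress, ipNetToMediaPhysAddress as 6 octets)
ARP_TABLE = [
    ("10.1.1.11", bytes.fromhex("0050563a0001")),
    ("10.1.1.12", bytes.fromhex("0050563a0002")),
    ("10.1.1.99", bytes.fromhex("0050563a0002")),  # stale second IP, same MAC
]
# stand-in for the PING test of step 8 (assumed: only these hosts answer)
REACHABLE = {"10.1.1.11", "10.1.1.12"}


def mac_str(octets: bytes) -> str:
    """6-octet OCTET STRING -> aa:bb:cc:dd:ee:ff"""
    return ":".join(f"{b:02x}" for b in octets)


def reachable(ip: str) -> bool:
    return ip in REACHABLE


def port_to_macs(fdb, base_ports, uplinks):
    """Steps 3-6: keep learned entries, map bridge port -> ifIndex, drop uplinks."""
    out = defaultdict(set)
    for addr, port, status in fdb:
        if status != FDB_STATUS_LEARNED or port in uplinks:
            continue
        if port not in base_ports:
            continue  # no ifIndex for this bridge port: nothing we could SET later
        out[base_ports[port]].add(mac_str(addr))
    return out


def mac_to_ip(arp, is_reachable):
    """Steps 7-8: one IP per MAC; when a MAC has several, keep the one that answers."""
    cands = defaultdict(list)
    for ip, phys in arp:
        cands[mac_str(phys)].append(ip)
    result = {}
    for mac, ips in cands.items():
        if len(ips) == 1:
            result[mac] = ips[0]
        else:
            live = [ip for ip in ips if is_reachable(ip)]
            result[mac] = live[0] if live else None
    return result


def discover(if_table, base_ports, fdb, uplinks, arp, is_reachable=reachable):
    """Step 9: (ifIndex, ifDescr, mac, ip) for every terminal on an access port."""
    ip_of = mac_to_ip(arp, is_reachable)
    rows = []
    for ifindex, macs in sorted(port_to_macs(fdb, base_ports, uplinks).items()):
        for mac in sorted(macs):
            rows.append((ifindex, if_table.get(ifindex, "?"), mac, ip_of.get(mac)))
    return rows


if __name__ == "__main__":
    for row in discover(IF_TABLE, BASE_PORT_TABLE, FDB_TABLE, UPLINK_BASE_PORTS, ARP_TABLE):
        print(row)
```

With the constructed rows, `discover()` yields the two access-port terminals and silently drops the management entry on port 3 and both MACs on the uplink, which is the behaviour steps 3) and 6) ask for; a MAC whose stale IP never answers comes back with `ip=None` instead of a guess.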
As shown in Fig. 6, the network terminal matching and block/release steps are:
1) obtain the automatically imported IP-MAC-PORT matching list, in which PORT is the port index;
2) poll through the IP/MAC/PORT tuples discovered on the core switch, comparing each with the matching list of step 1);
3) if the match succeeds and the current port administrative status is down, send an SNMP SET to the core switch for OID 1.3.6.1.2.1.2.2.1.7.ifindex (ifindex being the port index) to open the port and release the network terminal device; if the match fails and the current port administrative status is up, send an SNMP SET to the core switch for OID 1.3.6.1.2.1.2.2.1.7.ifindex to close the port and block the network terminal device;
4) if the operation succeeds, send a block/release success WEB alarm; if it fails, send a block/release failure WEB alarm.
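The rule check and the SET decision of steps 1) to 3), as an added example that is not the patent's code. The three rule types are the ones listed for the matching rule in the summary (port+IP, port+MAC, port+IP+MAC); the discovered tuples, the allowed bindings and the current ifAdminStatus values are constructed. The planner returns (OID, value) pairs for ifAdminStatus (up(1), down(2)) only for ports whose state differs from the desired one, which is what stops a scheduled run from re-setting every port each time. A SET needs write access on the switch; with SNMPv1/v2c the write community string crosses the network in cleartext, so SNMPv3 with authentication and privacy is the appropriate transport for a controller that can shut down any port. Note also that the check only verifies the IP and MAC the terminal presents, both of which are host-configurable, so the binding controls addresses, not the identity of the device.

```python
"""Matching rule evaluation and ifAdminStatus SET planning.
Added example, not the patent's code; inputs below are CONSTRUCTED."""
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # ifAdminStatus column, indexed by ifIndex
UP, DOWN = 1, 2                            # IF-MIB values: up(1), down(2)

# the three binding rules of step 2): discovered tuple d against allowed binding a
RULES = {
    "port-ip":     lambda d, a: d["ip"] == a["ip"],
    "port-mac":    lambda d, a: d["mac"] == a["mac"],
    "port-ip-mac": lambda d, a: d["ip"] == a["ip"] and d["mac"] == a["mac"],
}


def match_terminal(found, allowed_by_port, rule):
    """A discovered terminal matches if some binding for its port satisfies the rule."""
    check = RULES[rule]
    return any(check(found, a) for a in allowed_by_port.get(found["port"], []))


def plan_port_states(discovered, allowed, rule):
    """Desired ifAdminStatus per port: DOWN if any attached terminal fails the rule,
    UP if every attached terminal matches.  Ports with no discovered terminal are
    left alone (not in the result)."""
    allowed_by_port = {}
    for a in allowed:
        allowed_by_port.setdefault(a["port"], []).append(a)
    desired = {}
    for d in discovered:
        ok = match_terminal(d, allowed_by_port, rule)
        # one mismatch on a port wins: the port is shut even if a matching terminal
        # shares it, because the method acts on ports, not on individual MACs
        desired[d["port"]] = DOWN if (not ok or desired.get(d["port"]) == DOWN) else UP
    return desired


def plan_sets(discovered, allowed, rule, current_status):
    """(OID, value) SET operations for ports not already in the desired state."""
    ops = []
    for port, want in sorted(plan_port_states(discovered, allowed, rule).items()):
        if current_status.get(port) != want:
            ops.append((f"{IF_ADMIN_STATUS}.{port}", want))
    return ops


# --- constructed inputs (assumed values) -------------------------------------
ALLOWED = [
    {"port": 1, "ip": "10.1.1.11", "mac": "00:50:56:3a:00:01"},
    {"port": 2, "ip": "10.1.1.12", "mac": "00:50:56:3a:00:02"},
]
DISCOVERED = [
    {"port": 1, "ip": "10.1.1.11", "mac": "00:50:56:3a:00:01"},  # exact match
    {"port": 2, "ip": "10.1.1.12", "mac": "00:50:56:3a:00:0f"},  # right IP, wrong MAC
    {"port": 3, "ip": "10.1.1.30", "mac": "00:50:56:3a:00:30"},  # port has no binding
]
CURRENT = {1: DOWN, 2: UP, 3: UP}   # ifAdminStatus read before acting

if __name__ == "__main__":
    for rule in RULES:
        print(rule, plan_sets(DISCOVERED, ALLOWED, rule, CURRENT))
```

Under the port+IP rule the terminal on port 2 passes (its IP is the bound one) and no SET is issued for that port; under port+MAC or port+IP+MAC it fails and the port is set down. Port 3 has no binding at all and is shut under every rule, and port 1, currently down but now carrying its bound terminal, is brought back up.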
Embodiment 2: the present invention is further described below with reference to the drawings.
As shown in Fig. 1, the operating principle of the network terminal management method of the present invention is: store the IP/MAC/PORT information and the matching rules for the network; send instructions to the core switch to obtain the switch information; perform the matching; according to the matching result, send instructions to the core switch to manage its ports; and thereby manage, through the core switch, the network terminals attached to it.
As shown in Figs. 2 and 3, the network terminal management steps are:
1) import the IP/MAC/PORT information from an EXCEL/XML/TXT file and maintain it by manual editing, where PORT is the port name;
2) set the matching rule to full IP-MAC-PORT matching;
3) manually enter the core switch IP address, Telnet port number, Telnet user, Telnet password, command prompt, privileged-mode command, enable (privileged-mode) password and privileged-mode prompt;
4) obtain over Telnet the MAC addresses attached to the core switch ports;
5) obtain over Telnet the correspondence between IP addresses and MAC addresses;
6) obtain the configured matching rule and the configured matching information;
7) compare every IP, MAC and PORT obtained against the configured matching information according to the matching rule: an entry that agrees with the configured matching information matches and is flagged for release; one that does not agree fails and is flagged for blocking;
8) send commands to the core switch over Telnet, releasing the core switch ports flagged for release and blocking those flagged for blocking;
9) after a successful block/release, when the connection status of the network terminal changes, send a block/release success WEB message alert; after a failed block/release, send a block/release failure WEB message alert.
As shown in Fig. 4, taking a Cisco 3524 as an example, the discovery steps for the IP/MAC attached to core switch ports in Telnet mode are:
1) establish a Telnet connection to the core switch, send the user name and password, and log in;
2) after a successful login, switch to privileged mode;
3) log in to privileged mode;
4) after a successful privileged-mode login, send the command sh mac to obtain the core switch ports and the MAC addresses attached to them;
5) parse the command output, extracting Destination Address (the MAC address) and Destination Port (the port name), to obtain the switch port list and the MAC address attached to each port;
6) send the command sh arp and extract Address and Hardware Addr to obtain the IP/MAC correspondence list;
7) for IP/MAC pairs in which one MAC corresponds to several IPs, PING each IP (ICMP) and keep only the IP addresses that respond;
8) associate the information of steps 5) and 6) to obtain the list associating each switch port name with the IP and MAC address of the attached terminal.
As shown in Fig. 6, the network terminal matching and block/release steps are:
1) obtain the automatically imported IP-MAC-PORT matching list;
2) poll through the IP/MAC/PORT tuples discovered on the core switch, comparing each with the matching list of step 1);
3) if the match succeeds and the current port administrative status is down, enter interface configuration mode for the port on the core switch with the command "switchname(config)# interface portname", send the command no shutdown, open the port and release the network terminal device; if the match fails and the current port administrative status is up, enter interface configuration mode for the port with the command "switchname(config)# interface portname", send the command shutdown, close the port and block the network terminal device;
4) if the operation succeeds, send a block/release success WEB alarm; if it fails, send a block/release failure WEB alarm.
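The Telnet-mode variant, as an added example that is not the patent's code: parse the `sh mac` and `sh arp` output named in the discovery steps above, then build the interface configuration lines of the Fig. 6 procedure. The two command outputs are constructed samples laid out in the column format of a Catalyst 3500XL-class IOS switch, the family the Cisco 3524 belongs to; the column names the patent parses (Destination Address, Destination Port, Address, Hardware Addr) are the ones matched. The multiple-IP case of step 7 is reported as `None` here rather than resolved with PING. Telnet carries the login and enable passwords in cleartext, which is why the SSH option the method also supports should be preferred wherever the switch offers it.

```python
"""Parse Catalyst `sh mac` / `sh arp` output and emit interface shutdown
commands.  Added example, not the patent's code; the two outputs are
CONSTRUCTED samples in the 3500XL column layout."""
import re

SH_MAC = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0050.563a.0001       Dynamic          1  FastEthernet0/1
0050.563a.0002       Dynamic          1  FastEthernet0/2
0050.563a.0010       Dynamic          1  GigabitEthernet0/1
0050.563a.0011       Dynamic          1  GigabitEthernet0/1
"""
SH_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.11               3   0050.563a.0001  ARPA   VLAN1
Internet  10.1.1.12              12   0050.563a.0002  ARPA   VLAN1
Internet  10.1.1.1                -   0050.563a.00fe  ARPA   VLAN1
"""
CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_LINE = re.compile(rf"^({CISCO_MAC})\s+\S+\s+\d+\s+(\S+)\s*$", re.M)
ARP_LINE = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({CISCO_MAC})\s", re.M)


def norm_mac(cisco: str) -> str:
    """0050.563a.0001 -> 00:50:56:3a:00:01 (same form the SNMP path produces)"""
    hexdigits = cisco.replace(".", "")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_sh_mac(text):
    """Steps 4-5: port name -> set of attached MACs."""
    ports = {}
    for mac, port in MAC_LINE.findall(text):
        ports.setdefault(port, set()).add(norm_mac(mac))
    return ports


def parse_sh_arp(text):
    """Step 6: MAC -> list of IPs seen in the ARP cache."""
    arp = {}
    for ip, mac in ARP_LINE.findall(text):
        arp.setdefault(norm_mac(mac), []).append(ip)
    return arp


def port_terminals(sh_mac, sh_arp, uplinks=()):
    """Step 8: (port name, mac, ip) for access ports; uplinks are skipped.
    A MAC with several ARP entries gets ip=None (the PING test is not done here)."""
    arp = parse_sh_arp(sh_arp)
    rows = []
    for port, macs in sorted(parse_sh_mac(sh_mac).items()):
        if port in uplinks:
            continue
        for mac in sorted(macs):
            ips = arp.get(mac, [])
            rows.append((port, mac, ips[0] if len(ips) == 1 else None))
    return rows


def interface_commands(decisions):
    """IOS configuration lines for {port name: 'up' | 'down'}, as in step 3) of Fig. 6."""
    lines = ["configure terminal"]
    for port, state in sorted(decisions.items()):
        lines += [f"interface {port}", "no shutdown" if state == "up" else "shutdown", "exit"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    print(port_terminals(SH_MAC, SH_ARP, uplinks={"GigabitEthernet0/1"}))
    print("\n".join(interface_commands({"FastEthernet0/2": "down", "FastEthernet0/1": "up"})))
```

The regexes anchor on the dotted-quad MAC format, so header and separator lines are skipped without special cases; `GigabitEthernet0/1`, which carries two MACs and no ARP entries, is what the spanning-tree step would have flagged as an uplink, and passing it in `uplinks` drops it from the result.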
The present invention is not limited to the foregoing embodiments. It extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step, or any new combination of steps, disclosed herein.

Claims (7)

1. A network terminal management method based on SNMP, characterized in that the steps comprise:
1) entering the correspondence between switch ports and terminal IP addresses and MAC addresses, by automatic import or by manual editing;
2) setting a terminal matching rule;
3) manually entering the subnet address, subnet mask and read community string of the intranet to be managed, obtaining the core switch information in the network, and manually configuring the core switch read community string;
4) obtaining the port list information of the core switch;
5) obtaining the MAC address information of the terminals attached to each port of the core switch;
6) obtaining the list of correspondences between IP addresses and MAC addresses in the network;
7) according to the configured terminal matching rule, automatically matching the core switch port, IP address and MAC address information obtained in steps 3), 4) and 5) against the switch port, IP address and MAC address information imported or manually entered in step 1);
8) blocking terminals that do not satisfy the matching rule and releasing terminals that do.
2. The SNMP-based network terminal management method according to claim 1, characterized in that the specific workflow by which step 5) obtains the MAC address information of the terminals attached to each core switch port is: reading over SNMP the port ID and MAC address of the address forwarding table entries whose type is 3, reading the correspondence between port ID and port index number, deriving from these the correspondence between port index and MAC address, and filtering out the switch interconnect ports according to the spanning tree algorithm.
3. The SNMP-based network terminal management method according to claim 1, characterized in that the specific workflow by which step 6) obtains the list of correspondences between IP addresses and MAC addresses in the network is: reading over SNMP the entries of the .iso.org.dod.internet.mgmt.mib-2.ip.ipNetToMediaTable object in the IP table to obtain the correspondence between IP address and MAC address; where one IP address corresponds to several MAC addresses, a ping test is made on the IP address, and the IP address that can be reached is taken as the valid IP address.
4. The SNMP-based network terminal management method according to claim 1, characterized in that the specific workflow by which step 8) blocks terminals that do not satisfy the matching rule and releases terminals that do is: setting the port administrative status to down over SNMP to block an unmatched terminal, and setting the port administrative status to up over SNMP to release a matched terminal.
5. The SNMP-based network terminal management method according to claim 1, characterized in that the specific workflow by which step 8) blocks terminals that do not satisfy the matching rule and releases terminals that do may further comprise: when a terminal has been successfully blocked or released and its connection status changes, sending a block/release success notice, which may take the form of a Web message, SMS, e-mail or sound; and when blocking or releasing fails, sending a block/release failure alarm notice, which may take the form of a Web message, SMS, e-mail or sound.
6. The SNMP-based network terminal management method according to claim 1, characterized in that steps 1), 2) and 3) may be performed in any order.
7. The SNMP-based network terminal management method according to claim 1, characterized in that steps 5), 6), 7) and 8) are executed as a scheduled task, the execution time, execution interval and interval unit of which are configurable.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310603623.3A CN103763120A (en) 2011-03-09 2011-03-09 Network terminal management method based on SNMP

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2011100547645A Division CN102123050B (en) 2011-03-09 2011-03-09 Network terminal management method

Publications (1)

Publication Number Publication Date
CN103763120A true CN103763120A (en) 2014-04-30

Family

ID=50530283

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104065531A (en) * 2014-06-16 2014-09-24 国家电网公司 Switch port monitoring system
CN106850560A (en) * 2016-12-26 2017-06-13 沈阳通用软件有限公司 Method for the secure sending and auditing of Internet mail

Citations (4)

Publication number Priority date Publication date Assignee Title
US5982753A (en) * 1997-06-09 1999-11-09 Fluke Corporation Method of testing a switched local area network
CN1682516A (en) * 2002-09-16 2005-10-12 思科技术公司 Method and apparatus for preventing spoofing of network addresses
CN101197854A (en) * 2006-12-05 2008-06-11 株式会社日立制作所 Computer system and management computer for identifying seat position
CN101951367A (en) * 2010-09-09 2011-01-19 健雄职业技术学院 Method for preventing campus network from virus attacks

Non-Patent Citations (1)

Title
Chen Song (陈松): "Research on Several Key Technologies of Internet Measurement and Management", China Doctoral Dissertations Full-text Database (electronic journal) *

Similar Documents

Publication Publication Date Title
CN102123050B (en) Network terminal management method
Kiravuo et al. A survey of Ethernet LAN security
US10938819B2 (en) Poisoning protection for process control switches
EP2716003B1 (en) System and method for authenticating components in a network
EP1670188A2 (en) Methods and systems for connection determination in a multi-point virtual private network
US8670349B2 (en) System and method for floating port configuration
US9935848B2 (en) System and method for supporting subnet manager (SM) level robust handling of unkown management key in an infiniband (IB) network
US20100280858A1 (en) System and method for a small form pluggable ethernet demarcation device
US20100281518A1 (en) System and method for separating control of a network interface device
KR20040080011A (en) Authentication Method And Apparatus in Ethernet Passive Optical Network
CN109525601A (en) The lateral flow partition method and device of terminal room in Intranet
CN103763119A (en) Telnet/SSH-based network terminal management method
CN101238684B (en) System for cluster managing in the Ethernet switch layer and the method thereof
CN103716179A (en) Telnet/SSH-based network terminal management method
CN103716178A (en) Real-time reporting system network terminal management method
WO2016197782A2 (en) Service port management method and apparatus, and computer readable storage medium
O'Raw et al. IEC 61850 substation configuration language as a basis for automated security and SDN configuration
CN103763120A (en) Network terminal management method based on SNMP
WO2020004498A1 (en) Service initiation method and communication system
Cisco Configuring SNMP

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2014-04-30