CN117528844A - Network isolation method, device, equipment and storage medium - Google Patents


Info

Publication number
CN117528844A
Authority
CN
China
Prior art keywords
equipment
identity information
data
network isolation
network
Prior art date
Legal status
Pending
Application number
CN202311556999.3A
Other languages
Chinese (zh)
Inventor
曹国龙
冯影
厉建亮
郑康
鞠震宇
杨杰
王坚
盛锋
Current Assignee
China Mobile Zijin Jiangsu Innovation Research Institute Co ltd
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Original Assignee
China Mobile Zijin Jiangsu Innovation Research Institute Co ltd
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Application filed by China Mobile Zijin Jiangsu Innovation Research Institute Co ltd, China Mobile Communications Group Co Ltd and China Mobile Group Jiangsu Co Ltd
Priority to CN202311556999.3A
Publication of CN117528844A
Status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices
    • H04W 88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 72/00 Local resource management
    • H04W 72/50 Allocation or scheduling criteria for wireless resources
    • H04W 72/56 Allocation or scheduling criteria for wireless resources based on priority criteria
    • H04W 72/566 Allocation or scheduling criteria for wireless resources based on priority criteria of the information or information source or recipient
    • H04W 72/569 Allocation or scheduling criteria for wireless resources based on priority criteria of the information or information source or recipient of the traffic information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/18 Service support devices; Network management devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a network isolation method, apparatus, device and storage medium in the field of wireless communication. When device access is detected, the identity information of the device is identified, that identity information having been determined by the base station; the device is then connected to the corresponding port, the ports having been obtained by interface-level (port-based) VLAN division; and finally the data the device needs to send is forwarded on that port.

Description

Network isolation method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of wireless communications, and in particular, to a network isolation method, apparatus, device, and storage medium.
Background
Fifth-generation mobile communication technology (5G) is a new generation of broadband mobile communication technology characterised by high data rates, low latency and massive connectivity. WIFI, also referred to as WLAN, is a wireless communication technology for local area networks. When wireless networks are built, 5G and WIFI are often deployed together in order to save investment, simplify construction and make maximum use of existing equipment, which makes the convergence of 5G and WIFI networks particularly important.
In the prior art, 5G and WIFI are converged using a shared-fronthaul deployment scheme. Because the WIFI AP devices, the RRUs (remote radio units) and the BBU (base station) in that scheme sit in the same broadcast domain, and the traffic of the different devices is not isolated, network use is unstable and reliability is low when 5G and WIFI are deployed together.
The foregoing is merely provided to facilitate an understanding of the principles of the present application and is not admitted to be prior art.
Disclosure of Invention
The main purpose of the application is to provide a network isolation method, apparatus, device and storage medium that solve the technical problem of unstable and unreliable network use when 5G and WIFI are deployed together.
To achieve this object, the application provides a network isolation method applied to an extension device, the method comprising the following steps:
when device access is detected, identifying the identity information of the device, the identity information having been determined by the base station;
connecting the device to the corresponding port based on its identity information, the ports having been obtained by interface-level VLAN division; and
forwarding the data the device needs to send on the corresponding port.
Optionally, before the step of identifying the identity information of the device when device access is detected, the method includes:
connecting to a base station of the 5G fronthaul network;
adding an Ethernet interface on the basis of the eCPRI protocol, the Ethernet interface allowing WIFI devices to access the 5G fronthaul network; and
dividing the Ethernet interface into different ports using interface-level VLANs.
Optionally, the step of connecting the device to the corresponding port based on its identity information, the ports having been obtained by interface-level VLAN division, includes:
if the identity information of the device is RRU device, connecting the device on the port corresponding to RRU devices; and
if the identity information of the device is common AP or abnormal device, connecting the device on the port corresponding to common APs or abnormal devices.
Optionally, the step of forwarding the data the device needs to send on the corresponding port includes:
receiving the data the device needs to send and monitoring its type;
if only one type of data is present, forwarding the data directly on the corresponding port; and
if several types of data are present, placing the data in a transmit queue and forwarding the highest-priority data in the queue on the corresponding port.
In addition, to achieve the above object, the application further provides a network isolation method applied to a base station, the method comprising the following steps:
when device access on the extension device is detected, receiving the message broadcast by the device and changing the identity information of the device according to that message, the identity information being one of common AP device, abnormal device, RRU device and undetermined;
sending the information required for device configuration to the devices whose identity information is undetermined and establishing a connection channel with them, where, if the connection channel cannot be established, the device is judged to be an abnormal device and its identity information is changed to abnormal device; and
initiating identity authentication towards the devices whose identity information is undetermined and changing their identity information according to the result.
Optionally, the step of receiving the message broadcast by the device when device access on the extension device is detected and changing the identity information of the device according to that message, the identity information being one of common AP device, abnormal device, RRU device and undetermined, includes:
when device access on the extension device is detected, preparing to receive the message broadcast by the device;
if no message from the device is received within a preset time, changing the identity information of the device to common AP device;
if the message sent by the device carries no device information, changing the identity information of the device to abnormal device; and
if a message carrying device information is received within the preset time, changing the identity information of the device to undetermined.
Optionally, the step of initiating identity authentication towards the devices whose identity information is undetermined and changing their identity information includes:
initiating identity authentication towards the device whose identity information is undetermined and judging whether the authentication succeeds;
if the authentication succeeds, changing the identity information of the device to RRU device; and
if the authentication fails, changing the identity information of the device to abnormal device.
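The base-station side of the scheme (the three optional step groups above, B10 to B30 in the detailed description) as one small state machine, written as an added example for this page; it is not the applicant's code. The value of the preset time, the provisioning table of RRU serials and keys, and the HMAC-SHA256 challenge-response standing in for the "identity authentication" are assumptions, since the patent names the steps but not the mechanism. The trace that `resolve_identity` returns is the sequence of identity changes that, per the first embodiment, the extension device watches in order to learn that a device has accessed a port:

```python
"""Base-station side device classification (steps B10-B30) modelled as a small
state machine. Added example for this page, not the applicant's code; the
preset wait, the provisioning table and the HMAC challenge-response standing in
for the unspecified "identity authentication" are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Identity(Enum):
    UNDETERMINED = "undetermined"
    COMMON_AP = "common_ap"
    ABNORMAL = "abnormal"
    RRU = "rru"


PRESET_WAIT_S = 5.0  # assumed value of the patent's "preset time"

# Constructed provisioning table: RRU serial -> shared secret (assumption)
PROVISIONED_RRU_KEYS: Dict[str, bytes] = {"RRU-0001": b"constructed-secret-0001"}


@dataclass(frozen=True)
class BroadcastMessage:
    delay_s: float                          # seconds after the access event
    device_info: Optional[Dict[str, str]]   # None when no device information is carried


@dataclass
class AccessingDevice:
    """Simulated device behind an extension-device port (constructed for the example)."""
    broadcast: Optional[BroadcastMessage]   # None: the device never broadcast
    channel_ok: bool                        # does the step B20 connection channel come up?
    respond: Callable[[bytes], bytes]       # challenge handler used in step B30


def classify_broadcast(msg: Optional[BroadcastMessage],
                       preset_wait_s: float = PRESET_WAIT_S) -> Identity:
    """Step B10: the first identity, decided from the broadcast alone."""
    if msg is None or msg.delay_s > preset_wait_s:
        return Identity.COMMON_AP        # silent within the preset time: ordinary WIFI AP
    if not msg.device_info:
        return Identity.ABNORMAL         # spoke, but carried no device information
    return Identity.UNDETERMINED         # spoke with device information: needs B20 and B30


def hmac_authenticate(serial: str, respond: Callable[[bytes], bytes],
                      keys: Dict[str, bytes] = PROVISIONED_RRU_KEYS) -> bool:
    """Step B30 stand-in: fresh nonce, the device must answer HMAC-SHA256(key, nonce)."""
    key = keys.get(serial)
    if key is None:
        return False                     # unknown serial: never an RRU
    nonce = os.urandom(16)
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    try:
        return hmac.compare_digest(respond(nonce), expected)
    except Exception:                    # a device that cannot answer fails authentication
        return False


def resolve_identity(dev: AccessingDevice, preset_wait_s: float = PRESET_WAIT_S,
                     keys: Dict[str, bytes] = PROVISIONED_RRU_KEYS) -> List[Identity]:
    """Steps B10-B30 in order. Returns every identity assignment made, the last being
    final; each change is what the extension device observes to learn of an access."""
    trace = [classify_broadcast(dev.broadcast, preset_wait_s)]
    if trace[-1] is not Identity.UNDETERMINED:
        return trace
    if not dev.channel_ok:               # step B20: configuration info sent, channel failed
        trace.append(Identity.ABNORMAL)
        return trace
    serial = dev.broadcast.device_info.get("serial", "")
    ok = hmac_authenticate(serial, dev.respond, keys)   # step B30
    trace.append(Identity.RRU if ok else Identity.ABNORMAL)
    return trace


def responder(key: bytes) -> Callable[[bytes], bytes]:
    """Challenge handler of a device holding `key` (constructed)."""
    return lambda nonce: hmac.new(key, nonce, hashlib.sha256).digest()


def no_response(nonce: bytes) -> bytes:
    """Challenge handler of a device that does not implement the authentication."""
    return b""
```

Only a device that broadcasts device information in time, brings up the configuration channel and answers the challenge with the provisioned key ends as RRU; every other path ends as common AP or abnormal, which the extension device (first embodiment) maps to an Access port. The isolation the VLAN scheme gives is therefore only as strong as this classification, so the authentication step should not be a mere presence check.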
In addition, to achieve the above object, the application further provides a network isolation apparatus applied to an extension device, the apparatus comprising:
an identification module, configured to identify the identity information of a device when device access is detected, the identity information having been determined by the base station, and to connect the device to the corresponding port based on that identity information, the ports having been obtained by interface-level VLAN division; and
a forwarding module, configured to forward the data sent by the device.
In addition, to achieve the above object, the present application further provides a network isolation device, including: a memory, a processor, and a network isolation program stored on the memory and executable on the processor, the network isolation program configured to implement the steps of the network isolation method as described above.
In addition, in order to achieve the above object, the present application further provides a storage medium having stored thereon a network isolation program which, when executed by a processor, implements the steps of the network isolation method as described above.
Compared with the prior-art shared-fronthaul deployment, in which the WIFI AP devices, the RRU devices and the base station sit in the same broadcast domain and network traffic is not isolated, so that network use is unstable and reliability is low when 5G and WIFI are deployed together, the method and apparatus of this application identify the identity information of a device when device access is detected, the identity information having been determined by the base station; connect the device to the corresponding port based on that identity information, the ports having been obtained by interface-level VLAN division; and forward the data the device needs to send on that port. The traffic of each class of device is thereby confined to its own VLAN, that is, to its own broadcast domain.
Drawings
FIG. 1 is a schematic diagram of the hardware operating environment of a network isolation device according to an embodiment of the application;
FIG. 2 is a schematic flow chart of a first embodiment of the application;
FIG. 3 is a schematic flow chart of a second embodiment of the application;
FIG. 4 is a schematic structural diagram of the networking mode of the 5G fronthaul network of the application;
FIG. 5 is a schematic flow chart of a third embodiment of the application;
FIG. 6 is a schematic diagram of the process by which the base station determines the device type according to the application;
FIG. 7 is a block diagram of the network isolation apparatus on the extension-device side;
FIG. 8 is a block diagram of the network isolation apparatus on the base-station side.
The realization, functional characteristics and advantages of the present application will be further described with reference to the embodiments, referring to the attached drawings.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Referring to fig. 1, fig. 1 is a schematic diagram of a network isolation device in a hardware running environment according to an embodiment of the present application.
As shown in FIG. 1, the network isolation device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connections between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wi-Fi interface). The memory 1005 may be high-speed random access memory (RAM) or stable non-volatile memory (NVM) such as disk storage, and may optionally be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the architecture shown in fig. 1 is not limiting of the network isolation device and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 1, an operating system, a data storage module, a network communication module, a user interface module, and a network isolation program may be included in the memory 1005 as one type of storage medium.
In the network isolation device shown in FIG. 1, the network interface 1004 is mainly used for data communication with other devices and the user interface 1003 for interaction with the user; the processor 1001 invokes the network isolation program stored in the memory 1005 and executes the network isolation method provided by the embodiments of the application.
A first embodiment of the application provides a network isolation method applied to an extension device. Referring to FIG. 2, the method includes the steps below.
The executing entity of this embodiment is the extension device, which may be a hub, a switch or any other network device capable of receiving and sending data; the application does not limit it.
Compared with the prior-art shared-fronthaul deployment, in which the WIFI AP devices, the RRU devices and the base station sit in the same broadcast domain and traffic is not isolated, so that network use is unstable and reliability is low when 5G and WIFI are deployed together, this embodiment identifies the identity information of the device when device access is detected, the identity information having been determined by the base station; connects the device to the corresponding port based on that identity information, the ports having been obtained by interface-level VLAN division; and forwards the data the device needs to send on that port, which removes the instability and unreliability.
The following description takes a hub as the extension device.
Step S10: when device access is detected, identify the identity information of the device, the identity information having been determined by the base station.
In a specific implementation, when the extension device detects that a device has accessed, it identifies the identity information of that device.
Note that the extension device cannot by itself tell whether a device has accessed one of its ports. It detects access by watching the information sent by the base station: when the extension device sees the base station change the identity information of an accessing device, it concludes that a device has accessed the port.
The identity information of a device includes its model and its type, the type being one of RRU device, common AP device or abnormal device.
Step S20: connect the device to the corresponding port based on its identity information, the ports having been obtained by interface-level VLAN division.
In a specific implementation, the extension device connects the device to the port corresponding to its identity information.
Specifically, this step includes:
Step S21: if the identity information of the device is RRU device, connect the device on the port corresponding to RRU devices.
RRU stands for Remote Radio Unit. It carries the radio-frequency part of a single sector of the base station over optical fibre to a transmitting unit some distance away, so that the transmitting unit can share resources with the other sectors of the original base station and capacity is increased.
In a specific implementation, if the extension device identifies the device as an RRU device, it connects the device on the Trunk port corresponding to RRU devices.
Note that a Trunk port carries the frames of several VLANs, each frame carrying an 802.1Q VLAN tag (on many switch implementations the frames of the port's native/PVID VLAN are the one exception and are sent untagged). Trunk ports are generally used for links between network transmission devices.
A packet is the unit of data exchanged and carried in a network. It contains the complete data to be sent and is of variable length; during transmission it is successively encapsulated into packets, datagrams or frames by prepending control information, the header, to the data.
Step S22: if the identity information of the device is common AP or abnormal device, connect the device on the port corresponding to common APs or abnormal devices.
In a specific implementation, if the extension device identifies the device as a common AP device or an abnormal device, it connects the device on the Access port corresponding to common APs or abnormal devices.
Note that an Access port belongs to a single VLAN and the frames it sends carry no VLAN tag, so it is generally used to connect end devices that cannot interpret VLAN tags, and in situations where members of different VLANs need not be distinguished. With port-based VLAN division the port, not the attached device, determines which VLAN its traffic enters, so a common AP or an abnormal device on an Access port cannot select the VLANs reserved for RRU traffic.
Step S30: forward the data the device needs to send on the corresponding port.
In a specific implementation, the extension device forwards the data the accessing device needs to send on the corresponding port.
Note that if the accessing device is connected on a Trunk port, the extension device carries its data to the base station through that Trunk port; if it is connected on an Access port, the data received on the Access port is carried towards the base station in the VLAN of that port.
Specifically, this step includes:
Step S31: receive the data the device needs to send and monitor its type.
In a specific implementation, the extension device receives the data the accessing device needs to send and monitors the type of that data.
The data comprises PTP traffic, IQ traffic, IR traffic and WIFI traffic. PTP, IQ and IR traffic are sent from the RRU device to the extension device and together make up the 5G traffic; WIFI traffic is sent from the WIFI device to the extension device.
Step S32: if only one type of data is present, forward the data the device needs to send directly on the corresponding port.
In a specific implementation, if the extension device determines that all the traffic waiting to be forwarded is of one type, it forwards that traffic on the port corresponding to the device.
Step S33: if several types of data are present, place the data in a transmit queue and forward the highest-priority data in the queue on the corresponding port.
In a specific implementation, if the extension device determines that several types of traffic are waiting to be forwarded, it places them in a transmit queue and forwards the highest-priority traffic in the queue on the port corresponding to the device.
The priority of the traffic should be set as PTP traffic > IQ traffic > IR traffic > WIFI traffic; the priorities may also be set manually according to service needs.
Note that in a shared-fronthaul network, when WIFI traffic and 5G traffic enter the extension device or the RRU device at the same time, the different traffic types have different reliability and real-time requirements, so the extension device must distinguish them and mark them with different priorities in order to keep the 5G network highly available.
For example, IR traffic can be retransmitted and so is delivered reliably regardless of delay, which allows it a lower priority, whereas IQ traffic is transmitted in real time and produces bit errors if it is not delivered in time, so it needs a higher priority.
Note that if the base station does not correctly receive an IR traffic packet sent by the extension unit, the extension unit retransmits the packet that was not correctly received, ensuring that the IR traffic data is delivered correctly.
In this embodiment, in contrast to the shared-fronthaul deployment of the related art, in which the WIFI AP devices, the RRU devices and the base station sit in the same broadcast domain and traffic is not isolated, so that network use is unstable and reliability is low when 5G and WIFI are deployed together, the extension device identifies the identity information of a device when device access is detected, the identity information having been determined by the base station; connects the device to the corresponding port based on that identity information, the ports having been obtained by interface-level VLAN division; and forwards the data the device needs to send on that port.
Based on the first embodiment, a second embodiment of the application is provided. Referring to FIG. 3, before the step of identifying the identity information of the device when device access is detected, the network isolation method includes steps A10 to A30.
In the networking mode of this embodiment, the extension device is connected to a base station of the 5G fronthaul network, an Ethernet interface is added on the basis of the eCPRI protocol so that WIFI devices can access the 5G fronthaul network, and the Ethernet interface is divided into different ports with interface-level VLANs. 5G and WIFI can thus share the fronthaul and existing equipment is used to the full, so that investment is lower and construction simpler.
Step A10: connect to a base station of the 5G fronthaul network.
In a specific implementation, the extension device connects to a base station of the 5G fronthaul network.
For example, the extension device connects to the base station of the 5G fronthaul network through a Trunk port and forms the complete 5G fronthaul network of FIG. 4, where AC stands for Access Controller (wireless controller), AP for Access Point (wireless access point) and NR for New Radio (the 5G air interface).
In this scenario an AP may be attached below an RRU, or attached to a downlink port of the extension unit (EU) directly or through a switch. The EU generally has 8 downlink ports and supports cascading; a downlink port may connect an RRU device, a switch or an AP directly, which makes the fronthaul network more flexible.
Step A20: add an Ethernet interface on the basis of the eCPRI protocol, the Ethernet interface allowing WIFI devices to access the 5G fronthaul network.
In a specific implementation, the extension device adds an Ethernet interface on the basis of the eCPRI protocol, and that interface allows WIFI devices to access the 5G fronthaul network.
eCPRI stands for Ethernet CPRI or enhanced CPRI: "Ethernet CPRI" expresses that the eCPRI protocol carries CPRI over Ethernet, and "enhanced CPRI" that eCPRI is an evolution of CPRI. Both eCPRI and CPRI are interface specifications between the base station and the RRU device in a wireless network.
CPRI stands for Common Public Radio Interface. It defines the communication interface between the radio equipment control and the radio equipment in a cellular network, is widely used in LTE and 5G base station systems, and is a protocol of the physical layer and the data link layer.
The physical layer and the data link layer are the two lowest layers of the OSI reference model, whose seven layers from lowest to highest are the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.
Step A30: the ethernet interface is divided into different ports using interface level VLANs.
In a specific implementation, the expansion device uses an interface level VLAN to divide the ethernet interface into a Trunk port and an Access port.
It should be noted that VLAN stands for Virtual Local Area Network. VLAN technology divides one physical LAN into multiple logical VLANs; hosts in the same VLAN can communicate with each other directly, while hosts in different VLANs cannot communicate directly, which enhances the security of the local area network.
It should be understood that, after VLANs are divided, broadcast messages are confined to their own VLAN, that is, each VLAN is a separate broadcast domain, which effectively limits the scope of broadcast traffic. Hosts can be grouped into different working groups by VLAN, and the hosts of one working group may sit in different physical locations, which makes the construction and maintenance of the network more convenient.
It can be understood that port-based VLAN partitioning is the simplest and most effective method of VLAN partitioning: VLAN membership is defined per device port, and once a specified port has been added to a specified VLAN, the port forwards the messages of that VLAN.
For example, with interface-level VLAN partitioning, Layer 2 PTP traffic is assigned VLAN ID 501, IQ traffic VLAN ID 502, IR traffic VLAN ID 503 and WiFi data traffic VLAN ID 1001, so that each traffic type forms its own forwarding domain. The base station belongs to VLANs 501, 502 and 503, and traffic entering or leaving the base station must carry a VLAN tag, which keeps 5G-related traffic and devices in independent forwarding domains.
It should be noted that the VLAN IDs 501, 502, 503 and 1001 above are only an example; in actual use the VLAN IDs of the different traffic types may be configured through network management. For instance, when the VLAN functions of O-RAN split Option 7-2 are supported, additional VLAN IDs may be introduced to distinguish the traffic of different cells and different antennas, and the network management can then assign them flexibly while avoiding IDs that are already in use. Besides static VLAN configuration, dynamic VLANs may also be introduced so that the expansion device can manage network resources more flexibly: a dynamic VLAN is assigned on the basis of user identity or device type and can better meet network security and performance requirements.
In this embodiment, the expansion device connects to a base station of the 5G fronthaul network, adds an Ethernet interface based on the eCPRI protocol, where the Ethernet interface allows WiFi devices to access the 5G fronthaul network, and finally divides the Ethernet interface into different ports using interface-level VLANs, so that the 5G fronthaul network and the WiFi devices are converged.
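The port split of Step A30 and the VLAN example above can be modelled directly. The following Python is an added illustration by the editor, not code from the patent: it implements the ingress and egress rules of an access port and a trunk port and floods each frame only within its VLAN, so that an untagged WiFi frame never reaches the base-station trunk and a tag forged by an AP-side host is discarded. The port names, the second AP port and the flooding model are assumptions; the VLAN IDs 501, 502, 503 and 1001 are the page's own example values.

```python
# Added example (editor's illustration, not code from the patent): a minimal model of the
# interface-level VLAN split in Step A30. Port names and the two-AP layout are assumptions;
# the VLAN IDs 501/502/503/1001 are the page's own example values.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PTP_VLAN, IQ_VLAN, IR_VLAN, WIFI_VLAN = 501, 502, 503, 1001
FRONTHAUL_VLANS = frozenset({PTP_VLAN, IQ_VLAN, IR_VLAN})


@dataclass(frozen=True)
class Frame:
    ingress_port: str
    vlan: Optional[int]          # None means the frame arrives or leaves untagged
    payload: str


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                # "access" or "trunk"
    pvid: Optional[int] = None               # access port: its single VLAN
    allowed: FrozenSet[int] = frozenset()    # trunk port: VLANs it carries, always tagged


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame belongs to after ingress filtering, or None if dropped."""
    if port.mode == "access":
        if frame.vlan is None:
            return port.pvid                 # untagged traffic takes the port's VLAN
        return None                          # a tag supplied by an access-port host is discarded
    if frame.vlan is None or frame.vlan not in port.allowed:
        return None                          # trunk: untagged or unexpected VLAN is discarded
    return frame.vlan


def egress_frame(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Frame as it leaves `port` in `vlan`, or None if the port does not carry that VLAN."""
    if port.mode == "access":
        if vlan != port.pvid:
            return None
        return Frame(frame.ingress_port, None, frame.payload)   # access egress strips the tag
    if vlan not in port.allowed:
        return None
    return Frame(frame.ingress_port, vlan, frame.payload)       # trunk egress keeps the tag


class ExpansionDevice:
    """Floods each frame within its VLAN only, so every VLAN is its own broadcast domain."""

    def __init__(self, ports: List[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def flood(self, frame: Frame) -> Dict[str, Frame]:
        vlan = classify_ingress(self.ports[frame.ingress_port], frame)
        if vlan is None:
            return {}
        out: Dict[str, Frame] = {}
        for name, port in self.ports.items():
            if name == frame.ingress_port:
                continue
            egressed = egress_frame(port, vlan, frame)
            if egressed is not None:
                out[name] = egressed
        return out


def build_device() -> ExpansionDevice:
    """Constructed layout: one uplink trunk, one RRU trunk, two WiFi access ports."""
    return ExpansionDevice([
        Port("to_base_station", "trunk", allowed=FRONTHAUL_VLANS),  # 5G fronthaul uplink
        Port("rru1", "trunk", allowed=FRONTHAUL_VLANS),             # authenticated RRU
        Port("ap1", "access", pvid=WIFI_VLAN),                      # common WiFi AP
        Port("ap2", "access", pvid=WIFI_VLAN),                      # second WiFi AP
    ])


if __name__ == "__main__":
    dev = build_device()
    print(dev.flood(Frame("rru1", IQ_VLAN, "IQ samples")))   # to_base_station only, still tagged 502
    print(dev.flood(Frame("ap1", None, "ARP who-has")))       # ap2 only, untagged
    print(dev.flood(Frame("ap1", IQ_VLAN, "forged IQ")))     # {} : an AP cannot hop into VLAN 502
    print(dev.flood(Frame("rru1", None, "untagged")))        # {} : fronthaul traffic must be tagged
```

The two empty results are the isolation property the page claims: the WiFi access port cannot inject a frame into the fronthaul VLANs, and the fronthaul trunk refuses untagged frames, so 5G traffic and WiFi traffic never share a forwarding domain.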
In addition, a third embodiment of the present application provides a network isolation method, applied to a base station, referring to fig. 5, where the network isolation method includes:
It should be noted that the executing entity of the method in this embodiment is a base station, and the base station may be any network device with data receiving, transmitting and processing functions, such as a switch or a router, which is not specifically limited in this application.
The following description takes a switch as the base station.
Step B10: when it is monitored that a device has accessed the extension unit, receiving the message broadcast by the device and changing the identity information of the device based on the message, where the identity information is one of common AP device, abnormal device, RRU device and undetermined device.
In a specific implementation, when the base station monitors that the port of the extension unit has equipment access, the base station receives a message broadcast transmitted by the equipment and changes the identity information of the equipment based on the message.
It should be noted that the base station monitors the port state of the extension unit and determines that a device has accessed the port when its state switches from down to up. A port has only two states, down and up: when the port is down, no device is connected to it, and when it is up, a device is connected.
It should be understood that, because a port state may flap briefly for temporary reasons (such as line noise), an anti-jitter mechanism is needed when monitoring it: when the base station observes a state change, it waits for a preset time and then re-reads the port state before acting, so that transient flaps do not trigger unnecessary operations.
For example, when the port state switches from down to up, the base station waits 5 seconds and then re-reads the state; if the port is still up, it determines that a device has accessed the extension unit, and if the port has gone back down, it treats the transition as line-noise interference and determines that no device has accessed.
It should be noted that, the message should include authentication information and device information required for connection, for example, the base station receives a DHCP message broadcasted by the device, where the DHCP message includes authentication information and device information required for connection such as < vendor id >, < device type >, < device serial number >.
The step of receiving the message broadcast by the device when it is monitored that a device has accessed the extension unit, and changing the identity information of the device based on the message, where the identity information is one of common AP device, abnormal device, RRU device and undetermined device, specifically includes the following steps:
step B11: when the extension unit is monitored to have equipment access, the extension unit is ready to receive a message sent by the equipment in a broadcasting mode.
In a specific implementation, when the base station monitors that the port of the extension unit has equipment access, the base station prepares to receive a message broadcast by the equipment.
Step B12: and if the message sent by the equipment is not received within the preset time, changing the identity information of the equipment into common AP equipment.
In a specific implementation, if the base station does not receive the message sent by the device within a preset time, the base station changes the identity information of the device into a common AP device.
It should be noted that the preset time should be set manually according to network requirements, for example, when the base station determines that the device is accessed in the port of the extension device, the base station starts 60 seconds countdown, and after the 60 seconds countdown is finished, the base station does not receive the DHCP packet sent by the device, determines that the identity information of the device is a common AP device, and changes the identity information of the device to the common AP device.
It should be noted that, because the DHCP packet sent by a common AP device carries no VLAN tag, the base station never receives it; this is why a device whose packet does not arrive within the preset time is classified as a common AP device.
Step B13: and if the message sent by the equipment does not carry equipment information, changing the identity information of the equipment into abnormal equipment.
In a specific implementation, if the base station judges that the message sent by the equipment does not carry equipment information, the base station changes the identity information of the equipment into abnormal equipment.
Step B14: if the message sent by the device is received within the preset time and carries device information, changing the identity information of the device to undetermined.
In a specific implementation, if the base station receives the message sent by the device within the preset time and the message carries device information, the base station changes the identity information of the device to undetermined.
Step B20: sending the information required to configure the device to a device whose identity information is undetermined and establishing a connection channel with the device; if the connection channel cannot be established, determining that the device is an abnormal device and changing its identity information to abnormal device.
In a specific implementation, the base station sends the information required to configure the device to a device whose identity information is undetermined and establishes a connection channel with it; if the base station fails to establish the connection channel, it determines that the device is an abnormal device and changes the identity information of the device to abnormal device.
It should be noted that the information required by the configuration device may be an IP address or any information required by the configuration device.
It can be understood that the connection channel between the base station and the device is established over SSH. SSH stands for Secure Shell; it is a security protocol operating at the application and transport layers, and using it effectively addresses information leakage during data transmission.
For example, conventional network protocols such as FTP, POP and Telnet are inherently insecure because they transmit passwords and data in plaintext, which an external device can easily intercept, and it can also impersonate an endpoint to receive or send data. With SSH, the passwords and data that would otherwise travel in plaintext are encrypted, so an external device cannot read what is intercepted, and data transmission becomes more secure.
Step B30: and initiating identity authentication to the equipment with the identity information being undetermined, and changing the identity information of the equipment.
In a specific implementation, a base station initiates identity authentication to equipment with undetermined identity information, and based on the result of the identity authentication, the identity information of the equipment is changed.
For example, as shown in fig. 6, the base station is responsible for determining the type of the accessing device, and the extension device is responsible for connecting the determined device to the corresponding port. If the DHCP packet arrives before the timeout and carries device information, the base station successfully establishes a connection with the accessing device, and identity authentication succeeds, the base station determines that the accessing device is an RRU device and the device is connected through a Trunk port; otherwise it is connected through an Access port.
The step of initiating identity authentication to a device whose identity information is undetermined and changing the identity information of the device specifically includes the following steps:
step B31: and initiating identity authentication to equipment with the identity information being undetermined, and judging whether the identity authentication is successful or not.
In specific implementation, a base station initiates identity authentication to equipment with undetermined identity information, and judges whether the identity authentication is successful or not based on an identity authentication message returned by the equipment.
It should be noted that the identity authentication procedure is driven by the base station. The base station first generates a random string of up to 64 bytes, denoted <random_len_64>, and sends it to the device to be authenticated, which computes a hash over it using the formula hash_msg = SHA1(<device id> + <device type> + <device serial number> + <verification code> + <random_len_64>). The verification code is a 64-byte secret recorded by both the base station and the RRU device, and may be set by the manufacturer or manually. Because the verification code itself is never transmitted over the network and the base station generates a fresh random_len_64 for every authentication, an attacker who intercepts network messages still cannot impersonate an RRU device to access the network. This guarantee holds only as long as the verification code stays secret and the random string is never reused; a practitioner would also note that SHA-1 is deprecated for new designs and that a keyed construction such as HMAC serves the same purpose with stronger guarantees.
It should be understood that, after sending the string, the base station waits for the hash_msg file returned by the device, reads the hash_msg value from it, and compares that value with the hash_msg it computed locally; if the two match, identity authentication succeeds. Only the 160-bit digest is compared; any other contents of the file are not involved.
Step B32: and if the identity authentication of the equipment is successful, changing the identity information of the equipment into RRU equipment.
In a specific implementation, if the identity authentication of the device is successful, the base station changes the identity information of the device into RRU device.
Step B33: and if the identity authentication of the equipment fails, changing the identity information of the equipment into abnormal equipment.
In a specific implementation, if the identity authentication of the device fails, the base station changes the identity information of the device into abnormal device.
In this embodiment, when it is monitored that a device has accessed the extension unit, the message broadcast by the device is received and the identity information of the device is changed based on the message, the identity information being one of common AP device, abnormal device, RRU device and undetermined device. The information required to configure the device is then sent to a device whose identity information is undetermined and a connection channel is established with it; if the channel cannot be established, the device is determined to be an abnormal device and its identity information is changed accordingly. Finally, identity authentication is initiated to the device whose identity information is still undetermined, and its identity information is changed based on the result.
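The base-station side of Steps B10 to B33, including the port debounce, the DHCP-based classification, the SSH-channel check and the challenge-response of Step B31, can be written as one small state machine. The following Python is an added illustration by the editor, not code from the patent. It implements the page's hash_msg formula as stated (SHA-1 over the concatenated fields), and beside it an editor's hardened variant using HMAC-SHA256 with length-prefixed fields, which is not in the patent. The DHCP message is modelled as a dict of the three fields the page names; the page writes "vendor id" in the DHCP message and "device id" in the formula, and the example treats them as the same field, which is an assumption. The RRUDevice and Replayer classes, the connect() callback standing in for SSH channel setup, and the constructed 64-byte verification code are also assumptions.

```python
# Added example (editor's illustration, not code from the patent): base-station side of
# Steps B10-B33. DHCP message = dict of the three fields the page names (assumption: the
# page's <vendor id> and <device id> are the same field). RRUDevice, Replayer and the
# connect() callback are stand-ins; the verification code is a constructed value.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

COMMON_AP, ABNORMAL, RRU, UNDETERMINED = ("common AP device", "abnormal device",
                                          "RRU device", "undetermined")
DEVICE_FIELDS = ("vendor id", "device type", "device serial number")


def confirm_link_up(read_state: Callable[[], str], wait: Callable[[float], None],
                    debounce_s: float = 5) -> bool:
    """Anti-jitter check: after a down->up transition, wait and re-read the port state."""
    wait(debounce_s)
    return read_state() == "up"


def classify_on_dhcp(dhcp_msg: Optional[Dict[str, str]], timed_out: bool) -> str:
    """Steps B12-B14: no message in the window -> common AP; message lacking device
    information -> abnormal; complete message -> undetermined (authentication pending)."""
    if timed_out or dhcp_msg is None:
        return COMMON_AP
    if not all(dhcp_msg.get(k) for k in DEVICE_FIELDS):
        return ABNORMAL
    return UNDETERMINED


def hash_msg(info: Dict[str, str], verification_code: str, nonce: str) -> str:
    """The page's formula: sha1(<device id>+<device type>+<serial>+<verification code>+<random_len_64>)."""
    data = (info["vendor id"] + info["device type"] + info["device serial number"]
            + verification_code + nonce)
    return hashlib.sha1(data.encode()).hexdigest()   # 160 bits = 40 hex characters


def hash_msg_hmac(info: Dict[str, str], verification_code: str, nonce: str) -> str:
    """Editor's hardened variant, not in the patent: HMAC-SHA256 keyed with the verification
    code, fields length-prefixed so that 'ab'+'c' and 'a'+'bc' cannot collide."""
    fields = (info["vendor id"], info["device type"], info["device serial number"], nonce)
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(verification_code.encode(), msg, hashlib.sha256).hexdigest()


class RRUDevice:
    """Legitimate RRU holding the pre-shared verification code."""
    def __init__(self, info: Dict[str, str], verification_code: str, digest=hash_msg):
        self.info, self._code, self._digest = info, verification_code, digest

    def respond(self, nonce: str) -> str:
        return self._digest(self.info, self._code, nonce)


class Replayer:
    """Attacker who captured one (nonce, hash_msg) exchange and replays the answer."""
    def __init__(self, captured_response: str):
        self._captured = captured_response

    def respond(self, nonce: str) -> str:
        return self._captured                 # ignores the fresh nonce, so it cannot match


class BaseStation:
    def __init__(self, verification_code: str, digest=hash_msg):
        self._code, self._digest = verification_code, digest

    def authenticate(self, device, info: Dict[str, str]) -> bool:
        """Step B31: fresh random_len_64 per attempt; compare digests in constant time."""
        nonce = secrets.token_hex(32)         # 64 hex characters = 64 bytes on the wire
        expected = self._digest(info, self._code, nonce)
        return hmac.compare_digest(expected, device.respond(nonce))

    def admit(self, device, dhcp_msg: Optional[Dict[str, str]], timed_out: bool,
              connect: Callable[[object], bool]) -> str:
        """Steps B10-B33 end to end; `connect` stands in for the SSH channel of Step B20."""
        state = classify_on_dhcp(dhcp_msg, timed_out)
        if state != UNDETERMINED:
            return state
        if not connect(device):               # Step B20: channel failure -> abnormal
            return ABNORMAL
        return RRU if self.authenticate(device, dhcp_msg) else ABNORMAL   # Steps B32/B33


if __name__ == "__main__":
    code = "0" * 64   # constructed 64-byte verification code shared by base station and RRU
    info = {"vendor id": "acme", "device type": "RRU", "device serial number": "SN-0001"}
    bs = BaseStation(code)
    print(bs.admit(RRUDevice(info, code), info, False, lambda d: True))      # RRU device
    print(bs.admit(RRUDevice(info, "wrong"), info, False, lambda d: True))   # abnormal device
    print(bs.admit(RRUDevice(info, code), None, True, lambda d: True))       # common AP device
```

The Replayer case is the page's own argument made concrete: a captured hash_msg is useless against a new random_len_64, and since the verification code never travels on the wire the attacker cannot compute a fresh one. The constant-time comparison and the HMAC variant are the two changes a reviewer would ask for before deploying the scheme.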
In addition, an embodiment of the present application further provides a network isolation device, which is applied to an extension device, and referring to fig. 7, the network isolation device includes:
an identification module 10, configured to identify identity information of a device when detecting that the device is accessed, where the identity information is obtained based on a base station;
a first connection module 20, configured to connect corresponding ports based on identity information of the device, where the ports are obtained based on interface level VLAN partitioning;
and the forwarding module 30 is configured to forward data to be sent by the device based on the corresponding port.
Optionally, the first connection module 20 includes:
the first connection unit is used for connecting the equipment by using a port corresponding to the RRU equipment if the identity information of the equipment is the RRU equipment;
and the second connection unit is used for connecting the equipment by using a port corresponding to the common AP or the abnormal equipment if the identity information of the equipment is the common AP or the abnormal equipment.
Optionally, the forwarding module 30 includes:
the monitoring unit is used for receiving the data which the equipment needs to send and monitoring the type of the data;
the first forwarding unit is used for forwarding the data to be sent by the equipment directly based on the corresponding port if only one type of data exists;
And the second forwarding unit is used for placing the data into a sending queue if a plurality of types of data exist, and forwarding the data with the highest priority in the sending queue through the corresponding port.
Optionally, applied to the extension device, the network isolation device further includes:
the second connection module is used for being connected with a base station of the 5G forwarding network;
the adding module is used for adding an Ethernet interface based on an ECPRI protocol, wherein the Ethernet interface supports the WIFI equipment to access the 5G forwarding network;
and the dividing module is used for dividing the Ethernet interface into different ports by using an interface level VLAN.
The specific implementation manner of the network isolation device is basically the same as that of each embodiment of the network isolation method, and is not repeated here.
In addition, an embodiment of the present application further provides a network isolation device, which is applied to a base station, and referring to fig. 8, the network isolation device includes:
a receiving module 10, configured to receive the message broadcast by a device when it is monitored that the device has accessed the extension device, and to change the identity information of the device based on the message, where the identity information is one of common AP device, abnormal device, RRU device and undetermined device;
The sending module 20 is configured to send information required by the configuration device to a device whose identity information is uncertain, and establish a connection channel with the device, where if the connection channel with the device fails to be established, the identity information of the device is determined to be an abnormal device, and the identity information of the device is changed to be an abnormal device;
and the initiating module 30 is used for initiating identity authentication to the equipment with the identity information being undetermined and changing the identity information of the equipment.
Optionally, the receiving module 10 includes:
a receiving unit, configured to prepare to receive the message broadcast by a device when it is monitored that the device has accessed the extension device;
the first changing unit is used for changing the identity information of the equipment into common AP equipment if the message sent by the equipment is not received within the preset time;
the second changing unit is used for changing the identity information of the equipment into abnormal equipment if the message sent by the equipment does not carry the equipment information;
and the third changing unit is used for changing the identity information of the equipment into an undetermined one if the message sent by the equipment is received within the preset time and the message carries the equipment information.
Optionally, the initiating module 30 includes:
the judging unit is used for initiating identity authentication to equipment with undetermined identity information and judging whether the identity authentication is successful or not;
a third changing unit, configured to change the identity information of the device into an RRU device if the identity authentication of the device is successful;
and the fourth changing unit is used for changing the identity information of the equipment into abnormal equipment if the identity authentication of the equipment fails.
The specific implementation manner of the network isolation device is basically the same as that of each embodiment of the network isolation method, and is not repeated here.
Embodiments of the present application provide a storage medium, and the storage medium stores one or more programs, which may also be executed by one or more processors to implement the steps of the network isolation method described in any one of the above.
The specific implementation manner of the storage medium is basically the same as that of each embodiment of the network isolation method, and is not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) as described above, including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method described in the embodiments of the present application.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the claims, and all equivalent structures or equivalent processes using the descriptions and drawings of the present application, or direct or indirect application in other related technical fields are included in the scope of the claims of the present application.

Claims (10)

1. A network isolation method, applied to an expansion device, comprising the steps of:
when detecting that equipment is accessed, identifying identity information of the equipment, wherein the identity information is obtained based on the judgment of a base station;
based on the identity information of the equipment, connecting corresponding ports, wherein the ports are obtained based on interface level VLAN division;
and forwarding the data to be sent by the equipment based on the corresponding port.
2. The network isolation method of claim 1, wherein the method further comprises, prior to identifying the identity information of the device when device access is detected, the identity information being obtained based on a determination by the base station:
the method comprises the steps of connecting with a base station of a 5G forwarding network;
based on ECPRI protocol, adding an Ethernet interface, wherein the Ethernet interface supports WIFI equipment to access a 5G forwarding network;
the ethernet interface is divided into different ports using interface level VLANs.
3. The network isolation method according to claim 1, wherein the corresponding ports are connected based on the identity information of the device, wherein the ports are obtained based on interface-level VLAN partitioning, and the method comprises:
If the identity information of the equipment is RRU equipment, connecting the equipment by using a port corresponding to the RRU equipment;
if the identity information of the equipment is the common AP or the abnormal equipment, connecting the equipment by using a port corresponding to the common AP or the abnormal equipment.
4. The network isolation method of claim 1, wherein forwarding the data that the device needs to send based on the corresponding port comprises:
receiving data to be transmitted by the equipment and monitoring the type of the data;
if only one type of data exists, forwarding the data to be sent by the equipment directly based on the corresponding port;
if a plurality of types of data exist, the data are placed into a sending queue, and the data with the highest priority in the sending queue are forwarded through a corresponding port.
5. A network isolation method, applied to a base station, comprising the steps of:
when it is monitored that a device has accessed the extension device, receiving the message broadcast by the device and changing the identity information of the device based on the message, wherein the identity information is one of common AP device, abnormal device, RRU device and undetermined device;
sending the information required to configure the device to a device whose identity information is undetermined and establishing a connection channel with the device, wherein if the connection channel with the device fails to be established, the identity information of the device is determined to be abnormal device and is changed to abnormal device;
and initiating identity authentication to the equipment with the identity information being undetermined, and changing the identity information of the equipment.
6. The network isolation method according to claim 5, wherein when it is monitored that the extension device has a device access, the step of receiving a message broadcasted by the device and modifying identity information of the device based on the message, wherein the identity information is divided into a normal AP device, an abnormal device, an RRU device, and an indeterminate device, includes:
when the extension equipment is monitored to have equipment access, preparing to receive a message sent by broadcasting of the equipment;
if the message sent by the equipment is not received within the preset time, the identity information of the equipment is changed into common AP equipment;
if the message sent by the equipment does not carry equipment information, changing the identity information of the equipment into abnormal equipment;
and if the message sent by the device is received within the preset time and carries device information, changing the identity information of the device to undetermined.
7. The network isolation method of claim 5, wherein the step of initiating identity authentication to a device whose identity information is indeterminate and modifying the identity information of the device comprises:
initiating identity authentication to equipment with undetermined identity information, and judging whether the identity authentication is successful or not;
if the identity authentication of the equipment is successful, the identity information of the equipment is changed into RRU equipment;
and if the identity authentication of the equipment fails, changing the identity information of the equipment into abnormal equipment.
8. A network isolation device for use with an expansion apparatus, the device comprising:
the identification module is used for identifying the identity information of the equipment when the equipment access is detected, wherein the identity information is obtained based on the judgment of the base station;
the first connection module is used for connecting corresponding ports based on the identity information of the equipment, wherein the ports are obtained based on interface level VLAN division;
and the forwarding module is used for forwarding the data which the equipment needs to send based on the corresponding port.
9. A network isolation device, the device comprising: a memory, a processor and a network isolation program stored on the memory and executable on the processor, the network isolation program being configured to implement the steps of the network isolation method of any one of claims 1 to 7.
10. A storage medium having stored thereon a network isolation program which, when executed by a processor, implements the steps of the network isolation method of any of claims 1 to 7.
Application CN202311556999.3A, filed 2023-11-20 (priority date 2023-11-20): Network isolation method, device, equipment and storage medium. Published as CN117528844A on 2024-02-06; legal status pending. Family ID 89745241; country: CN.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination