CN100356725C - Managing method for network facilities - Google Patents

Managing method for network facilities

Publication number: CN100356725C (granted 2007-12-19); earlier publication CN1510868A (2004-07-07)
Application number: CNB021603316A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 刘刀桂, 杨利明
Assignee (original and current): Huawei Technologies Co Ltd
Priority date / filing date: 2002-12-26
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: equipment, certified, authenticating device, response message, authentication request
Landscapes: Small-Scale Networks
Abstract

The present invention relates to a management method for network equipment and belongs to the field of network communication technology. In the method, a bypass MAC address table is first set up on the authenticating device; the authenticating device sends an authentication request message to the authenticated devices; on receiving it, an authenticated device returns a response message containing its own bridge MAC address to the authenticating device and at the same time forwards the authentication request message to the next layer of authenticated devices; this repeats until the authenticated device at the nth layer receives the request and returns its response; after all response messages from the downstream authenticated devices have been received, the bridge MAC addresses of the authenticated devices at every layer are entered into the bypass MAC address table; and the upper-layer device manages the network equipment according to that table. The method provides maintainability, adaptability and extensibility for the network.

Description

A management method for network equipment
Technical field
The present invention relates to the field of network communication technology, and in particular to a management method for network equipment.
Background technology
At present, most existing data networks, for example Ethernet switched networks, authenticate users with the IEEE 802.1X protocol (hereinafter 802.1X). However, because implementing both the authenticated-party (supplicant) role and the authenticator role on one device is complex, most 802.1X-capable authenticating devices implement only the authenticator role. As a result, an upper-layer network device cannot manage the lower-layer devices through a port on which 802.1X is enabled using Telnet, the Simple Network Management Protocol (hereinafter SNMP) and the like: from a management point of view, 802.1X cannot coexist with Telnet, SNMP and similar protocols on the same port.
Summary of the invention
The object of the present invention is to propose a management method for network equipment such that communication between the authenticating device and the downstream authenticated devices is not interrupted by the 802.1X protocol, thereby solving the prior-art problem that 802.1X cannot work together with Telnet, SNMP and the like.
The management method for network equipment proposed by the present invention comprises the following steps:
1. When the authenticating device initializes, a bypass MAC address table for the authenticated devices is set up on the authenticating device;
2. The authenticating device sends an authentication request message to the authenticated devices through all 802.1X-enabled ports on the device;
3. After a first-layer authenticated device receives the message, it sends a response message to the authenticating device through the port on which the message was received, the response message containing the bridge MAC address of that first-layer device, and forwards the authentication request message from the authenticating device to the second-layer authenticated devices through all of its other ports except the receiving port;
4. After a second-layer authenticated device receives the relayed authentication request message, it sends a response message containing its own bridge MAC address to the authenticating device through its receiving port, and forwards the relayed request to the third-layer authenticated devices through all of its other ports except the receiving port;
5. The remaining authenticated devices repeat step 4 until the authenticated device at the nth layer receives the authentication request message and sends its response message to the authenticating device;
6. After the authenticating device has received the response messages of all downstream authenticated devices, it enters the bridge MAC address of the authenticated device at each layer into the bypass MAC address table;
7. According to the bypass MAC address table, the upper-layer device manages the network equipment.
In the above method, the authenticating device and the authenticated devices are each any of an Ethernet switch, a router or a wireless access point.
In the above method, the authenticating device sends the authentication request message periodically through all 802.1X-enabled ports on the device.
In the above method, the destination address of the authentication request message is 01-80-C2-00-00-0A.
In the above method, the response message sent by an authenticated device to the authenticating device is a unicast message or a multicast message.
In the above method, the response message may also contain the MAC address of the authenticated device corresponding to its virtual LAN interface; an authenticated device may have one or more such MAC addresses.
In the above method, the process by which a second-layer authenticated device sends a response message to the authenticating device through its receiving port is: the second-layer authenticated device sends the response message to the first-layer authenticated device, and the first-layer authenticated device in turn forwards it to the authenticating device.
In the above method, if the authenticating device has sent the authentication request message to an authenticated device several consecutive times without receiving a response, it deletes the MAC address corresponding to that authenticated device from the bypass MAC address table.
The management method proposed by the present invention builds, on the 802.1X-enabled port of the authenticating device, a MAC address table of the downstream authenticated devices, so that communication between the authenticating device and the downstream authenticated devices is not interrupted by the 802.1X protocol. The advantages of the method are: on a port with authentication enabled, the authentication protocol (such as 802.1X) and the network management protocols can coexist; the bypass MAC table is maintained dynamically by a state machine running on the authenticating device, so the network maintains itself; and the method is entirely independent of the 802.1X protocol state machine, so it adapts and extends well.
Description of drawings
Fig. 1 is the flow chart of the method of the present invention.
Embodiment
The management method for network equipment proposed by the present invention, whose flow chart is shown in Fig. 1, comprises the following steps:
1. When the authenticating device initializes, a bypass MAC address table for the authenticated devices is set up on the authenticating device;
2. The authenticating device sends an authentication request message to the authenticated devices through all 802.1X-enabled ports on the device;
3. After a first-layer authenticated device receives the message, it sends a response message to the authenticating device through the port on which the message was received, the response message containing the bridge MAC address of that first-layer device, and forwards the authentication request message from the authenticating device to the second-layer authenticated devices through all of its other ports except the receiving port;
4. After a second-layer authenticated device receives the relayed authentication request message, it sends a response message containing its own bridge MAC address to the authenticating device through its receiving port, and forwards the relayed request to the third-layer authenticated devices through all of its other ports except the receiving port;
5. The remaining authenticated devices repeat step 4 until the authenticated device at the nth layer receives the authentication request message and sends its response message to the authenticating device;
6. After the authenticating device has received the response messages of all downstream authenticated devices, it enters the bridge MAC address of the authenticated device at each layer into the bypass MAC address table;
7. According to the bypass MAC address table, the upper-layer device manages the network equipment.
In the above method, the authenticating device and the authenticated devices are each any of an Ethernet switch, a router or a wireless access point.
In the above method, the authenticating device sends the authentication request message periodically through all 802.1X-enabled ports on the device; the period may be 5 to 60 seconds. While the network is not yet stable, a small interval is used so that the network converges faster; once the network has stabilized, a large interval is used to reduce the load on the network.
In the above method, the response message sent by an authenticated device to the authenticating device is a unicast message or a multicast message. A unicast message places less load on the network than a multicast message; if a unicast message cannot reliably reach the authenticating device, a multicast message is used instead.
In the above method, if the authenticating device has sent the authentication request message to an authenticated device several consecutive times without receiving a response, it deletes the MAC address corresponding to that authenticated device from the bypass MAC address table.
In the above method, the destination address of the message that the authenticating device sends to the authenticated devices may be 01-80-C2-00-00-0A, or a destination address of another form. (01-80-C2-00-00-0A lies in the IEEE 802.1D reserved group address range that a bridge must not forward, which is consistent with the request being terminated and re-originated by each authenticated device rather than flooded through the network.)
In the above method, the process by which a second-layer authenticated device sends a response message to the authenticating device through its receiving port is: the second-layer authenticated device sends the response message to the first-layer authenticated device, and the first-layer authenticated device in turn forwards it to the authenticating device.
In the above method, the response message may also contain the MAC addresses of the authenticated device corresponding to its virtual LAN interfaces, of which there may be one or more, because in some cases the downstream device is managed through several virtual interfaces, and the MAC addresses corresponding to all of those interfaces should then be included in the response message.
In the above method, if the authenticating device has sent the authentication request message to an authenticated device several consecutive times, for example three times, without receiving a response, it deletes the MAC address corresponding to that authenticated device from the bypass MAC address table. This aging mechanism, by which the authenticating device maintains the bypass MAC table, supports dynamic management of the network.
The addresses in the MAC address table of the present invention may be the bridge MAC address of the authenticated device, the MAC address corresponding to its virtual local area network (hereinafter VLAN) interface, and so on. Under 802.1X, only the MAC address of a user that has passed authentication is considered legitimate. The table of authenticated-device MAC addresses built by the present invention is equivalent to providing, on the 802.1X-enabled port, a bypass for the downstream authenticated devices, which is why the device's characteristic MAC address is also called the bypass MAC address.
The port on the authenticating device on which authentication is enabled sends a specific BPDU (Bridge Protocol Data Unit) message to the member devices hanging below it. When a member switch receives this message, it sends back a response message carrying its own identifying MAC address (for an Ethernet switch, the bridge MAC) and sometimes also the management interface MAC address, and at the same time transparently passes the message on to the other members. The authenticating device statically writes the identifying MAC of the authenticated device (also called the bypass MAC) into the authentication-enabled port, so that frames whose source MAC is the designated device MAC can pass through transparently. In Fig. 1 the authenticating switch ("switch" here and below means Ethernet switch) has the 802.1X protocol enabled and can manage the switches hanging below it through Telnet, SNMP and the like; the detailed process is:
1. The authenticating device sends, through all of its 802.1X-enabled ports, a request message whose destination address is 01-80-C2-00-00-0A (this address can be changed as required).
2. After a first-layer authenticated device receives the request message from the authenticating device, it replies through the port on which the request was received with a response message containing its own bridge MAC and the MAC address corresponding to its management VLAN interface.
3. At the same time, the first-layer authenticated device forwards the request message from the authenticating device out of its other 802.1X-enabled ports; this process is called relaying.
4. A second-layer authenticated device receives the request message relayed by the first-layer authenticated device and, in the same way, sends a response message containing its own bridge MAC and management VLAN interface MAC to the first-layer authenticated device.
5. The first-layer authenticated device forwards the response message of the second-layer authenticated device to the authenticating device. In general this is done automatically by the device and needs no software control.
6. After the authenticating device has received the response messages from the first- and second-layer authenticated devices, it adds their bridge MACs and management VLAN interface MACs to the bypass MAC table.
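The exchange described above, as an added example that is not part of the patent or of any Huawei implementation: a Python simulation of one discovery round across several layers of downstream switches. The tree topology, the port names, the MAC addresses and the message classes are constructed for the example; only the destination address 01-80-C2-00-00-0A and the content of the response (bridge MAC plus management VLAN interface MACs) come from the text. Loops are not modelled, since the patent describes the authenticated devices as layers below the authenticator; the relay rule "every port except the receiving one" would cycle forever in a looped topology unless confined to forwarding ports.

```python
from dataclasses import dataclass

REQUEST_DST = "01-80-C2-00-00-0A"   # destination address named in the patent


@dataclass(frozen=True)
class Request:
    dst: str = REQUEST_DST


@dataclass(frozen=True)
class Response:
    bridge_mac: str
    vlan_macs: tuple                 # management VLAN interface MAC(s), possibly empty


class Switch:
    """A downstream (authenticated) switch. `links` maps a local port to
    (peer switch, peer port); this topology model is an assumption of the example."""

    def __init__(self, name, bridge_mac, vlan_macs=()):
        self.name = name
        self.bridge_mac = bridge_mac
        self.vlan_macs = tuple(vlan_macs)
        self.links = {}

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def on_request(self, request, in_port):
        """Handle a request that arrived on in_port (patent steps 3 to 5). Returns the
        responses that travel back upstream through in_port: this switch's own,
        followed by those relayed up from deeper layers."""
        if request.dst != REQUEST_DST:
            return []                          # not the discovery address: ignore
        out = [Response(self.bridge_mac, self.vlan_macs)]
        for port, (peer, peer_port) in self.links.items():
            if port == in_port:
                continue                       # never relay out of the receiving port
            out.extend(peer.on_request(request, peer_port))
        return out


class Authenticator:
    """Upstream switch with 802.1X enabled on its downlink ports."""

    def __init__(self):
        self.bypass = {}       # step 1: bypass MAC table, mac -> port it was learnt on
        self.downlinks = {}    # 802.1X-enabled port -> (first-layer switch, its uplink port)

    def attach(self, port, switch, switch_port):
        self.downlinks[port] = (switch, switch_port)

    def discover(self):
        """Steps 2 and 6: send the request on every 802.1X-enabled port and
        record every reported MAC against the port the response came in on."""
        request = Request()
        for port, (switch, switch_port) in self.downlinks.items():
            for resp in switch.on_request(request, switch_port):
                self.bypass[resp.bridge_mac] = port
                for mac in resp.vlan_macs:
                    self.bypass[mac] = port
        return dict(self.bypass)

    def passes_without_auth(self, src_mac, port):
        """What the table buys: a frame whose source MAC is a bypass entry on this
        port crosses the 802.1X-enabled port without 802.1X authentication."""
        return self.bypass.get(src_mac) == port


def build_sample_network():
    """Constructed three-layer topology; all addresses are made up for the example."""
    auth = Authenticator()
    s1 = Switch("S1", "00-E0-FC-00-00-01", ("00-E0-FC-00-01-01",))                      # layer 1
    s2 = Switch("S2", "00-E0-FC-00-00-02")                                                # layer 2
    s3 = Switch("S3", "00-E0-FC-00-00-03", ("00-E0-FC-00-01-03", "00-E0-FC-00-02-03"))  # layer 2
    s4 = Switch("S4", "00-E0-FC-00-00-04")                                                # layer 3, below S2
    s5 = Switch("S5", "00-E0-FC-00-00-05")                                                # layer 1, second port
    s1.connect("2", s2, "1")
    s1.connect("3", s3, "1")
    s2.connect("2", s4, "1")
    auth.attach("Gi1/0/1", s1, "1")
    auth.attach("Gi1/0/2", s5, "1")
    return auth


if __name__ == "__main__":
    net = build_sample_network()
    for mac, port in sorted(net.discover().items()):
        print(f"{mac} learnt on {port}")
```

The `passes_without_auth` check is the consequence the description spells out: once a MAC is in the table it crosses the 802.1X port unauthenticated, so the table is an allowlist keyed only on source MAC and port, and anything that can inject a response or spoof a listed MAC inherits that exemption.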
To preserve network security, the authentication request and response messages can be exchanged within the management VLAN, and ordinary users must be prevented from accessing the management VLAN. This is to stop a user from impersonating an authenticated device, sending a forged response message to the authenticating device and thereby obtaining network access: any MAC address that enters the bypass table passes the 802.1X-enabled port without authentication, so the path by which responses reach the authenticating device must not be reachable from user ports.
The request message and the response message each carry an ID (a request message ID and a response message ID respectively). A response message is considered valid only when the two IDs match; otherwise it is an invalid response message.
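The authenticator-side maintenance described in the preceding paragraphs (periodic polling with an interval that grows once the network is stable, acceptance of only those responses whose ID matches the outstanding request, and aging of entries that miss several consecutive polls), as an added example in Python that is not the patent's code. The patent fixes the 5 to 60 second interval range and gives three unanswered polls as the aging example; the random request ID, the number of unchanged polls before backing off to the long interval, and the scenario data are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

MISS_LIMIT = 3        # unanswered polls before an entry is deleted (the patent's example: three)
FAST_INTERVAL = 5     # seconds while the network is still changing (patent: 5 to 60 s range)
SLOW_INTERVAL = 60    # seconds once the table has been unchanged for STABLE_ROUNDS polls
STABLE_ROUNDS = 3     # assumption: how many unchanged polls count as "network stable"


@dataclass(frozen=True)
class Response:
    request_id: int
    macs: tuple       # bridge MAC followed by any management VLAN interface MACs


@dataclass(frozen=True)
class PollResult:
    added: tuple
    aged_out: tuple
    rejected: int     # responses discarded because their ID did not match the request


class BypassTable:
    def __init__(self):
        self.misses = {}             # mac -> consecutive polls without an answer
        self.current_id = None       # ID of the outstanding request, if any
        self.interval = FAST_INTERVAL
        self.unchanged_polls = 0

    def macs(self):
        return set(self.misses)

    def start_poll(self):
        """Issue the next request ID. The patent only requires the response to
        carry the ID of the request it answers; drawing it at random is this
        example's assumption, so a reply cannot be prepared before the request."""
        self.current_id = secrets.randbits(32)
        return self.current_id

    def finish_poll(self, responses):
        """Fold the responses to the outstanding request into the table."""
        answered = set()
        rejected = 0
        for r in responses:
            if self.current_id is None or r.request_id != self.current_id:
                rejected += 1          # invalid response: ID mismatch, its MACs are ignored
                continue
            answered.update(r.macs)

        added = tuple(sorted(answered - self.macs()))
        aged_out = []
        for mac in list(self.misses):
            if mac in answered:
                self.misses[mac] = 0
            else:
                self.misses[mac] += 1
                if self.misses[mac] >= MISS_LIMIT:
                    aged_out.append(mac)
                    del self.misses[mac]
        for mac in added:
            self.misses[mac] = 0

        # Adaptive interval: poll fast while entries come and go, back off once stable.
        if added or aged_out:
            self.unchanged_polls = 0
            self.interval = FAST_INTERVAL
        else:
            self.unchanged_polls += 1
            if self.unchanged_polls >= STABLE_ROUNDS:
                self.interval = SLOW_INTERVAL
        self.current_id = None         # late replies to this request are no longer accepted
        return PollResult(added, tuple(sorted(aged_out)), rejected)


def run_scenario():
    """Constructed sequence: S1 answers, a forged reply with the wrong ID is
    rejected, the table settles and backs off, then S1 falls silent and ages out."""
    s1_macs = ("00-E0-FC-00-00-01", "00-E0-FC-00-01-01")
    table = BypassTable()
    rid = table.start_poll()
    first = table.finish_poll([
        Response(rid, s1_macs),
        Response(rid ^ 0xFFFF, ("DE-AD-BE-EF-00-01",)),   # forged: stale or guessed ID
    ])
    for _ in range(STABLE_ROUNDS):                          # steady state, nothing changes
        rid = table.start_poll()
        table.finish_poll([Response(rid, s1_macs)])
    settled_interval = table.interval
    last = None
    for _ in range(MISS_LIMIT):                             # S1 stops answering
        table.start_poll()
        last = table.finish_poll([])
    return first, settled_interval, last, table.macs()


if __name__ == "__main__":
    first, settled, last, remaining = run_scenario()
    print("first poll:", first)
    print("interval after settling:", settled, "s")
    print("aged out:", last.aged_out, "remaining:", remaining)
```

The ID check only discards responses that do not answer the current request; it does nothing against a response with the right ID that arrives from a user port, which is why the text pairs it with confining the exchange to the management VLAN.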

Claims (4)

1. A management method for network equipment, characterized in that the method comprises the following steps:
(1) when the authenticating device initializes, a bypass MAC address table for the authenticated devices is set up on the authenticating device;
(2) the authenticating device sends an authentication request message to the authenticated devices through all 802.1X-enabled ports on the device;
(3) after a first-layer authenticated device receives the message, it sends a response message to the authenticating device through the port on which the message was received, the response message containing the bridge MAC address of that first-layer device, and forwards the authentication request message from the authenticating device to the second-layer authenticated devices through all of its other ports except the receiving port;
(4) after a second-layer authenticated device receives the relayed authentication request message, it sends a response message containing the bridge MAC address of that second-layer device to the authenticating device through its receiving port, and forwards the relayed request to the third-layer authenticated devices through all of its other ports except the receiving port;
(5) the remaining authenticated devices repeat step (4) until the authenticated device at the nth layer receives the authentication request message and sends its response message to the authenticating device;
(6) after the authenticating device has received the response messages of all downstream authenticated devices, it enters the bridge MAC address of the authenticated device at each layer into the bypass MAC address table;
(7) according to the bypass MAC address table, the upper-layer device manages the network equipment.
2. The method of claim 1, characterized in that the authenticating device and the authenticated devices are each any of an Ethernet switch, a router or a wireless access point.
3. The method of claim 1, characterized in that in step (2) the authenticating device sends the authentication request message periodically through all 802.1X-enabled ports on the device.
4. The method of claim 1, characterized in that the destination address of the authentication request message is 01-80-C2-00-00-0A.
Application CNB021603316A, priority date 2002-12-26, filing date 2002-12-26, "Managing method for network facilities", granted as CN100356725C (en), status Expired - Fee Related.

Publications (2)

Publication Number   Publication Date
CN1510868A (en)      2004-07-07
CN100356725C (en)    2007-12-19 (grant)

Family ID: 34237841 (one family application: CNB021603316A, as above)

Country Status (1)

Country   Link
CN (1)    CN100356725C (en)
Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN100444557C (en) *  2005-12-27  2008-12-17  Hangzhou H3C Technologies Co., Ltd.  Method for positioning target apparatus in two layer network
EP2068498B1 (en)  2006-09-25  2017-12-13  Hewlett-Packard Enterprise Development LP  Method and network device for communicating between different components
WO2008152807A1 (en) *  2007-06-13  2008-12-18  Panasonic Corporation  MAC address overlap eliminating method, network device managing system, server, and information device
CN101150457B (en) *  2007-10-25  2010-06-16  ZTE Corporation  Testing method for Ethernet media access control table capacity
CN102195952B (en) *  2010-03-17  2015-05-13  Hangzhou H3C Technologies Co., Ltd.  Method and device terminal for triggering 802.1X authentication
CN102185864B (en) *  2011-05-13  2014-12-24  Beijing Star-Net Ruijie Networks Co., Ltd.  Security authentication strategy configuration method, device and system
CN104506370B (en) *  2014-12-31  2018-05-08  New H3C Technologies Co., Ltd.  Management method and device without network management system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN1331534A (en) *  2000-06-26  2002-01-16  Samsung Electronics Co., Ltd.  System and method for providing WAP via internet
WO2002060127A2 (en) *  2001-01-26  2002-08-01  International Business Machines Corporation  Distributed multicast caching technique


Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CI03  Correction of invention patent. Correction item: Claims. Correct: add claims page two. False: lack of claims page two. Number: 51. Volume: 23.
COR   Change of bibliographic data. Free format text: CORRECT: RIGHT-CLAIMING DOCUMENT; FROM: LACK OF RIGHT-CLAIMING DOCUMENT PAGE TWO TO: ADD RIGHT-CLAIMING DOCUMENT PAGE TWO
CF01  Termination of patent right due to non-payment of annual fee. Granted publication date: 2007-12-19. Termination date: 2015-12-26.
EXPY  Termination of patent right or utility model