CN100356741C - A method and apparatus for implementing network access control based on link layer protocol - Google Patents


Info

Publication number
CN100356741C
CN100356741C
Authority
CN
China
Prior art keywords
link layer
network terminal
layer protocol
terminal user
network
Legal status
Expired - Fee Related
Application number
CNB031440142A
Other languages
Chinese (zh)
Other versions
CN1571378A
Inventor
雷文阳
朱英明
尹华奇
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The present invention provides a method for controlling network connections based on a link layer protocol. The method comprises: setting a control operation corresponding to a predetermined state of the link layer protocol; and, when the link layer protocol moves to that predetermined state while a network terminal user is establishing a connection, controlling the network connection of the network terminal user by the control operation corresponding to that state. The present invention also provides an apparatus for controlling network connections based on a link layer protocol, comprising a link layer protocol module and a service control module. The invention makes full use of the connection-oriented characteristics of the link layer protocol to limit the number of broadband network terminal users accessing the broadband network simultaneously, to prevent spoofing of the IP addresses of broadband network terminal users, and to implement authentication and accounting of broadband network terminals; at the same time, because the invention adopts a registration mechanism, the link layer protocol is independent of service control and the flexibility of the apparatus is enhanced, so that the security, operability and manageability of broadband networks are improved.

Description

A method and apparatus for implementing network connection control based on a link layer protocol
Technical field
The present invention relates to the field of network communications technology, and specifically to a method and apparatus for implementing network connection control based on a link layer protocol.
Background technology
With the rapid development of computers, computer communication networks have become deeply embedded in our work and daily life. Broadband networks have now entered ordinary households and have become an important component of today's computer communication networks.
Broadband networks free people from the constraints of narrowband access such as dial-up, with its slow connection and slow data transmission; the experience of the information superhighway that broadband brings lets people fully enjoy surfing the web.
With the rapid development of broadband networks, broadband access technologies have also gradually matured, and people can access a broadband network by means such as Ethernet access or ADSL (Asymmetric Digital Subscriber Line) access.
As people access broadband networks through these various access methods and make use of the broadband access network, it is very important for the network operator providing the broadband service to exercise network access control over the network terminal users who access the broadband network by the various access methods. Implementing network access control over network terminal users puts the broadband network in an operable and manageable state, and such an operable and manageable state is essential to the broadband network operator.
At present there are three main problems in the network access control and management of broadband network terminal users:
1. Security problem.
When a broadband network terminal user connects to the broadband network by Ethernet access, the network terminal user may illegally set the IP (Internet Protocol) address of his network terminal; such an illegally set IP address may conflict with the IP address of another, legitimate network terminal, so that the legitimate network terminal user cannot go online normally.
2. Problem of limiting the number of access users.
After a broadband network terminal user has subscribed to broadband access, it frequently happens that many people go online simultaneously under one VLAN (virtual local area network) or on one ADSL access line. Many people being online simultaneously consumes system resources such as IP addresses, which is undesirable for the broadband network operator.
3. Authentication and accounting problem.
For the authentication and accounting of broadband network terminals, the network communication equipment should be able to perform authentication and accounting control over network terminal users accessing the broadband network by all kinds of access methods. Among the recommendations provided by the IETF (Internet Engineering Task Force), only the PPP (Point-to-Point Protocol) can implement basic authentication and accounting functions for network terminal users; other protocols have no authentication and accounting control function, so when the network terminal is connected by, for example, Ethernet access, authentication and accounting control of the network terminal user cannot be implemented.
In summary, because broadband networks at present cannot exercise strict network access control over network terminal users accessing by the various access methods, broadband networks suffer from poor security, poor operability and poor manageability.
Summary of the invention
The objective of the invention is to provide a method for implementing network connection control based on a link layer protocol. The invention makes full use of the connection-oriented characteristics of the link layer protocol: corresponding interface functions are registered in the link layer protocol, and the callback function corresponding to each interface function implements network connection control of the broadband network terminal, thereby achieving the purpose of improving the security, operability and manageability of the broadband network.
To achieve the above objective, the method for implementing network connection control based on a link layer protocol provided by the invention comprises:
A. Setting the control operation corresponding to a predetermined state of the link layer protocol by means of a callback function registered in the link layer protocol;
B. During the process in which a network terminal user establishes a connection, when the link layer protocol moves to the predetermined state, using the callback function to determine the control operation corresponding to the predetermined state moved to, and controlling the network connection of the network terminal user according to the determined control operation.
The link layer protocol is the Point-to-Point Protocol over Ethernet or the link layer protocol of Ethernet.
When the control operation is implemented by a function, the function name corresponding to the predetermined state is stored in the link layer protocol, and step B comprises:
During the process in which a network terminal user establishes a connection, when the link layer protocol moves to the predetermined state, the link layer protocol calls the corresponding function by the function name corresponding to the predetermined state moved to, and controls the network connection of the network terminal user.
When step A registers a corresponding interface function at the predetermined state of the link layer protocol, and the function pointer of the interface function corresponds to the callback function, step B comprises:
During the process in which a network terminal user establishes a connection, when the link layer protocol moves to the predetermined state, the link layer protocol calls the corresponding callback function through the function pointer of the interface function corresponding to the predetermined state moved to, and controls the network connection of the network terminal user.
The predetermined states of the link layer protocol include: the connection initial state;
The connection initial state is entered when a network terminal user initiates a Point-to-Point Protocol over Ethernet request or a DHCP (Dynamic Host Configuration Protocol) request;
The control operation corresponding to the connection initial state is:
When the number of network terminal users under the port of the network access equipment is not less than a predetermined maximum number of access users, forbidding the network terminal user from establishing a network connection;
When the number of network terminal users under the port of the network access equipment is less than the predetermined maximum number of access users, allocating an IP address to the network terminal user and storing the correspondence between this IP address and the MAC address of this network terminal user.
The predetermined states of the link layer protocol further include: the connection establishment state;
The connection establishment state is entered when the network terminal user initiates an LCP request or an ARP request;
The control operation corresponding to the connection establishment state is:
When the correspondence between the IP address with which the network terminal user connects and this user's MAC address matches the correspondence between IP address and MAC address stored by the link layer protocol, allowing this network terminal user to establish the network connection; otherwise, not allowing this network terminal user to establish the network connection.
After the link layer protocol has been extended with an authentication function, the predetermined states of the link layer protocol further include: the authentication state;
The authentication state is entered when the network terminal user's LCP negotiation succeeds or when the user initiates portal authentication;
The control operation corresponding to the authentication state is:
When authentication of the network terminal user fails, disconnecting the network connection of this network terminal user.
The predetermined states of the link layer protocol further include: the connection success state and the connection teardown state;
The connection success state is entered when the link layer protocol receives the network terminal user's online request;
The connection teardown state is entered when the link layer protocol receives the network terminal user's offline indication;
The control operations corresponding to the connection success state and the connection teardown state are:
When the link layer protocol receives the network terminal user's online request, starting accounting for this network terminal user;
When the link layer protocol receives the network terminal user's offline indication, ending accounting for this network terminal user.
The invention also provides an apparatus for implementing the method of the invention, comprising:
A link layer protocol module: in which callback functions are registered so that the control operations corresponding to the predetermined states of the link layer protocol are set in the service control module; when it determines that the link layer protocol has moved to a predetermined state, it passes the relevant information sent by the network terminal user to the service control module, and controls the network connection of the network terminal user according to the control information returned by the service control module;
A service control module: which determines, from the relevant information passed by the link layer protocol module, the predetermined state that the link layer protocol has moved to, uses the callback function to determine the control operation corresponding to that predetermined state, and passes the control information corresponding to that control operation to the link layer protocol module.
The link layer protocol module comprises:
A connection-initial link layer submodule: receives the Point-to-Point Protocol over Ethernet request or DHCP request sent by the network terminal user, passes the request message to the connection-initial service submodule, and responds to the network terminal user's connection request according to the control information returned by the connection-initial service submodule;
A connection-establishment link layer submodule: receives the LCP request or ARP request sent by the network terminal user, passes the request message to the connection-establishment service submodule, and responds according to the judgment result returned by the connection-establishment service submodule as to whether this network terminal user is a legitimate user;
An authentication link layer submodule: receives the authentication information sent by the network terminal user and passes it to the authentication service submodule; after receiving from the authentication service submodule the information that authentication has passed, it passes the online request sent by the network terminal user to the connection-success service submodule, and passes the offline indication sent by the network terminal user to the connection-teardown service submodule;
The service control module comprises:
A connection-initial service submodule: determines the control information for connecting this network terminal user according to the predetermined maximum number of access users and the Point-to-Point Protocol over Ethernet request or DHCP request passed by the connection-initial link layer submodule, and passes this control information to the connection-initial link layer submodule;
A connection-establishment service submodule: judges, according to the LCP request or ARP request passed by the connection-establishment link layer submodule, whether this network terminal user is a network terminal user with a legitimate IP address, and passes the judgment result to the connection-establishment link layer submodule;
An authentication service submodule: authenticates this network terminal user according to the authentication information passed by the authentication link layer submodule, and passes the authentication result to the authentication link layer submodule;
A connection-success service submodule: starts accounting for this network terminal user according to the user's online request passed by the authentication link layer submodule;
A connection-teardown service submodule: ends accounting for this network terminal user according to the user's offline indication passed by the authentication link layer submodule.
With the invention, the control operations corresponding to the predetermined states of the link layer protocol exercise network connection control over the number of network terminal users accessing the network and over network terminal users engaging in IP address spoofing. This effectively limits the number of terminals simultaneously accessing the broadband network and prevents spoofing of broadband network terminal users' IP addresses, thereby guaranteeing the access rights of legitimate broadband network terminal users and the reasonable use of network communication system resources such as IP addresses. The link layer protocol is further used to implement authentication and accounting of broadband network terminals in the broadband network. Because the invention adopts a registration mechanism in the link layer protocol, the interfaces of the link layer protocol are fully open, which enhances the flexibility of the apparatus of the invention and thereby achieves the purpose of improving the security, operability and manageability of the broadband network.
Description of drawings
Fig. 1 is a state diagram of the link layer protocol of the invention;
Fig. 2 is a schematic diagram of registering interface functions in the link layer protocol of the invention;
Fig. 3 shows an apparatus of the invention for implementing network connection control based on a link layer protocol.
Embodiment
The invention sets corresponding control operations at predetermined states of the link layer protocol; during the process in which a broadband network terminal user establishes a network connection, when the link layer protocol moves to a predetermined state, the network connection of the network terminal user is controlled by the control operation corresponding to that state.
Based on the network connection control that a broadband network needs to exercise over network terminal users, the process from a network terminal user applying for a connection, through the user being accounted, to the user going offline and accounting ending is analysed into states. The states with distinctive characteristics in the whole process are, as shown in Fig. 1: the connection initial state, the connection establishment state, the authentication state, the connection success state and the connection teardown state. By placing corresponding control operations at these distinctive states, the corresponding network connection control is implemented.
Among existing protocols, only the PPP protocol has the above states; the Ethernet protocol and other types of protocol generally do not provide them. When a broadband network terminal user accesses the broadband network via PPP, the broadband network operator can implement authentication and accounting of the network terminal user through the states that PPP provides, but cannot control the number of network terminals accessing under a port of the network access equipment.
The invention takes full account of the fact that the link layer protocol is connection-oriented and can identify a network terminal user well, whereas the protocols above the link layer are connectionless. If, therefore, the connection initial state, connection establishment state, authentication state, connection success state and connection teardown state are abstracted within the link layer protocol, corresponding control operations are placed at these states, and when the link layer protocol moves to a predetermined state the control operation corresponding to that state performs network connection control such as limiting the number of access terminals, preventing IP address spoofing by network terminal users, and authenticating and accounting network terminal users, the result is a simple, efficient and easily implemented method.
Because the link layer protocol does not by itself provide all of these states, corresponding state modules need to be added to it; for example, after a PORTAL module is added, the link layer protocol has all of the above states, so that a corresponding control operation can be set at each state, and when the link layer protocol moves to one of these states the corresponding control operation completes the corresponding network connection control. A control operation can be implemented by a function.
The specific method of the invention for implementing network connection control based on a link layer protocol is described below:
In this embodiment, the set of all control operations corresponding to the states of the link layer protocol is called the service control module. The service control module can register callback functions for the predetermined states of the link layer protocol by means of a registration mechanism; the registration process uses a general registration mechanism whose basic principle is shown in Fig. 2. In Fig. 2, the link layer protocol provides a registration interface function whose input parameter is the callback function provided by the service control module. During initialization or configuration, the service control module calls the registration interface function provided by each state module of the link layer protocol; each state module saves the callback function provided by the service control module in a function pointer, and when the link layer protocol moves to the predetermined state, the state module calls the callback function provided by the service control module through the saved function pointer.
With the registration-interface approach, the link layer protocol calls the callback function through the function pointer registered by the service control module during the state transition and passes the relevant information, such as the MAC (media access control) address and the VLAN ID (virtual LAN number), to the service control module; this information is independent of any specific service. If a callback function is registered for the predetermined state, that function is called to implement the corresponding control operation; if no callback function is registered for the predetermined state, the normal processing flow of the link layer protocol is followed and no service control is performed. Thus, if a router does not need to perform network connection control, it is sufficient not to configure a service control module in that router, which guarantees the generality of the link layer protocol once the registration mechanism is adopted. Because the service control module and the link layer protocol are independent of each other, the link layer protocol is not aware of any specific service and the link layer protocol code is not affected by the service; the service control module is easy to extend, and frequent modification of the link layer protocol code caused by changes to the service control module is avoided, which guarantees the independence and stability of the link layer protocol code. With the registration approach, the registration interface of the link layer protocol can also be opened to third parties, who can develop value-added services on top of it.
The above method of registering callback functions in the link layer protocol and using them to implement the corresponding network connection control can also be realized in other ways. For example: the corresponding function name is stored in each state module of the link layer protocol; when the link layer protocol moves to the predetermined state, the state module calls the function provided by the service control module by the stored function name, and that function implements network connection control of the network terminal user. This method achieves the purpose of the invention equally well, but the link layer protocol then perceives too much of the service, binding the link layer protocol too tightly to the service and making the service control module hard to extend; at the same time, changes to the service control module cause frequent modification of the link layer protocol code, which is detrimental to the stability of the link layer protocol code.
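The registration mechanism of Fig. 2 is easiest to see in code. The following is an added example written for this page, not Huawei's implementation: a link layer protocol side that keeps one function pointer per state module and exposes a registration interface function, and a service control module side that registers a callback for the connection initial state enforcing a per-VLAN access limit. All names (ll_register, ll_enter_state, vlan_users, MAX_USERS_PER_VLAN and the constructed limit of 2) are assumptions. The example also shows the "no callback registered, normal protocol flow" case the text describes: entering the authentication state without a registered callback simply allows the normal flow.

```c
/* Added example (not the patent's code): callback registration between a
 * link layer protocol and a service control module. All names are assumed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Link layer protocol states of Fig. 1. */
enum ll_state {
    ST_CONNECT_INITIAL, ST_CONNECT_ESTABLISH, ST_AUTH,
    ST_CONNECT_SUCCESS, ST_CONNECT_TEARDOWN, ST_COUNT
};
enum ll_verdict { LL_ALLOW = 0, LL_DENY = 1 };

/* Service-independent information handed to the callback (MAC, VLAN ID, IP). */
struct ll_info { uint16_t vlan_id; uint8_t mac[6]; uint32_t ip; };

typedef enum ll_verdict (*ll_callback)(const struct ll_info *info);

/* ---- link layer protocol side ---- */
/* One function pointer per state module; NULL means "no service control". */
static ll_callback ll_callbacks[ST_COUNT];

/* Registration interface function: its input parameter is the callback. */
int ll_register(enum ll_state st, ll_callback cb) {
    if ((unsigned)st >= ST_COUNT) return -1;
    ll_callbacks[st] = cb;
    return 0;
}

/* Called by the protocol when it moves to a state. With no callback registered
 * the normal protocol flow continues and no service control happens. */
enum ll_verdict ll_enter_state(enum ll_state st, const struct ll_info *info) {
    if ((unsigned)st >= ST_COUNT) return LL_DENY;
    if (ll_callbacks[st] == NULL) return LL_ALLOW;
    return ll_callbacks[st](info);
}

/* ---- service control module side ---- */
#define MAX_VLANS 4096
#define MAX_USERS_PER_VLAN 2   /* constructed small limit for the demo */
static unsigned vlan_users[MAX_VLANS];

/* Connection initial state: admit only while the VLAN is below its maximum. */
static enum ll_verdict on_connect_initial(const struct ll_info *info) {
    if (info->vlan_id >= MAX_VLANS) return LL_DENY;
    if (vlan_users[info->vlan_id] >= MAX_USERS_PER_VLAN) return LL_DENY;
    vlan_users[info->vlan_id]++;
    return LL_ALLOW;
}

/* Connection teardown state: release the user's slot on the VLAN. */
static enum ll_verdict on_connect_teardown(const struct ll_info *info) {
    if (info->vlan_id < MAX_VLANS && vlan_users[info->vlan_id] > 0)
        vlan_users[info->vlan_id]--;
    return LL_ALLOW;
}

/* Service control module initialization: register its callbacks. */
void service_control_init(void) {
    memset(vlan_users, 0, sizeof vlan_users);
    memset(ll_callbacks, 0, sizeof ll_callbacks);
    ll_register(ST_CONNECT_INITIAL, on_connect_initial);
    ll_register(ST_CONNECT_TEARDOWN, on_connect_teardown);
}

/* Demo helpers: drive a state transition for a constructed user on a VLAN. */
enum ll_verdict demo_enter(enum ll_state st, uint16_t vlan) {
    struct ll_info info;
    memset(&info, 0, sizeof info);
    info.vlan_id = vlan;
    return ll_enter_state(st, &info);
}
unsigned demo_users(uint16_t vlan) { return vlan < MAX_VLANS ? vlan_users[vlan] : 0; }

int main(void) {
    service_control_init();
    for (int i = 0; i < 3; i++)
        printf("connect on VLAN 100 -> %s\n",
               demo_enter(ST_CONNECT_INITIAL, 100) == LL_ALLOW ? "allow" : "deny");
    printf("auth state with no callback -> %s\n",
           demo_enter(ST_AUTH, 100) == LL_ALLOW ? "normal flow" : "deny");
    demo_enter(ST_CONNECT_TEARDOWN, 100);
    printf("users on VLAN 100 after teardown: %u\n", demo_users(100));
    return 0;
}
```

The protocol side never learns what the callback decides on; it only carries MAC, VLAN ID and IP, which is what keeps the protocol code service-independent as the text requires.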
Taking the PPPoE (Point-to-Point Protocol over Ethernet) protocol as an example, the method of the invention for implementing network connection control through each state is described in detail below.
When the PPP (Point-to-Point Protocol) receives the PPPoE request sent by the network terminal user, it enters the connection initial state. At this point the PPPoE protocol needs to negotiate with the service control module whether this network terminal user is allowed to connect. The negotiation process is: the PPPoE protocol passes relevant information such as the VLAN ID (virtual LAN number) to the service control module, indicating that a network terminal user corresponding to that VLAN ID wants to connect. The service control module decides from the relevant information whether to allow this user to connect, for example whether the number of users in the network access equipment corresponding to that VLAN ID is less than the maximum number of access users: if the number of users corresponding to that VLAN ID is less than the maximum, it notifies the PPPoE protocol that this network terminal user may access; if the number is not less than the maximum, it notifies the PPPoE protocol that this network terminal user may not access, and the PPPoE protocol refuses the connection for this network terminal user.
After the PPPoE protocol and the service control module have negotiated that this network terminal user may connect, the PPP protocol enters the LCP (Link Control Protocol) state; the LCP state is the connection establishment state. After the PPP protocol receives the LCP negotiation packet initiated by the user, it informs the service control module and asks whether PPP negotiation is allowed; if the service control module allows PPP negotiation, it sends the PPP protocol part the information that negotiation is allowed; if the service control module does not allow PPP negotiation, it sends the PPP protocol part the information that negotiation is not allowed.
If the service control module informs the PPP protocol part that negotiation is allowed, the PPP protocol and the network terminal user carry out normal LCP negotiation, and once LCP negotiation has passed, the authentication phase is entered. The network terminal user initiates an authentication request; after the PPP protocol part receives it, since the PPP protocol itself does not process authentication information, it needs to pass the authentication information to the service control module, which performs the relevant processing on the basis of the authentication information and returns the authentication result to the PPP protocol.
After authentication, the PPP protocol and the network terminal user carry out IPCP (Internet Protocol Control Protocol) negotiation; once negotiation has passed, the connection success state is entered, and the PPP protocol reports the PPP connection success state to the service control module. If the connection succeeded, the service control module starts accounting for this network terminal user; if the connection did not succeed, the service control module does not account for this network terminal user.
If the network terminal user does not want to stay online, the user can actively go offline; after the PPP protocol receives the network terminal user's offline indication, it enters the connection teardown state. The PPP protocol needs to pass the information that the network terminal user has gone offline to the service control module, which ends accounting for this network terminal user according to that information.
Insert the user for Ethernet, it is as described below to realize that by each state of the present invention network connects the method for controlling.
Network terminal user initiates DHCP (Dynamic Host Control Protocol) request, request distributing IP (Internet protocol) address.DHCP module in the link layer protocol is received when network terminal user is transmitted next DHCP request, is entered the connection initial condition.The DHCP module transfers to message control module with network terminal user's dhcp request message, VLAN ID (virtual LAN numbering) information etc. of this network terminal user correspondence.Whether decision allows this user to connect to message control module according to relevant information, as in the network access equipment corresponding to the number of users of VLAN ID whether less than predetermined maximum access customer number amount, if the network terminal corresponding to VLAN ID inserts number less than predetermined maximum access customer number amount, then notify this network terminal of DHCP module user to insert, the DHCP module distributes a legal IP address can for this network terminal user, and message control module is preserved the corresponding relation of this IP address and network terminal user's MAC Address.If the number of users corresponding to VLAN ID is not less than predetermined maximum access customer number amount, then notify this network terminal of DHCP module user to insert, the DHCP module is not given this network terminal user distributing IP address.
Network terminal user receives after the IP address that DHCP module transmission comes, and initiates ARP (address resolution protocol) request, after the ARP module in the link layer protocol part receives that network terminal user is transmitted the ARP that comes and asked clearly, enters and connects the state of setting up.Whether the ARP module will allow to connect message transmission such as the information of foundation and VLAN ID, MAC Address, IP address to message control module, message control module judges according to VLAN ID, MAC Address, IP address whether this network terminal user is a legal users, if the MAC Address of the corresponding relation of MAC Address and IP address and its preservation is identical with the corresponding relation of IP address, then will allow to set up message transmission that IP connects to the ARP module.If the corresponding relation of the corresponding relation of MAC Address and IP address and the MAC Address of its preservation and IP address is inequality, then will not allow to set up the message transmission of IP connection to the ARP module.
After network terminal user receives the next IP address of ARP module transmission, network terminal user online, initiate Portal (inlet) authentication, user name, the password information of input Portal authentication, the Portal module of expanding in the link layer protocol receives that user name, password information that network terminal user is transmitted enter authentication state later on, and to message control module initiation authentication request, message control module feeds back authentication result to link layer protocol.
After link layer protocol partly receives the information passed through of authentication, send the information that authentication is passed through to network terminal user.Network terminal user clicks the online sign after receiving and authenticating the information of passing through, and sends the request of online, and the Portal module is received after network terminal user's the online request message, entered the successful connection state.To message control module, message control module begins this network terminal user is chargeed according to the information of the successful connection that receives the Portal module with the message transmission of successful connection.
When the network terminal user finishes being online, it clicks the offline sign; after the Portal module receives the offline request from the network terminal user, it enters the connection teardown state. The Portal module transfers a connection teardown message to the message control module, and the message control module ends the charging of this network terminal user.
The method described in this embodiment is equally applicable to implementing network connection control in a narrowband network.
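The flow described above, as an added example that is not code from the patent or from Huawei: a small model in which the link layer side only raises state transitions and the message control side registers one callback per predetermined state and decides the control operation, so the link layer code carries no policy of its own. The class and function names, the per-VLAN user limit, the address plan and the user database are all assumptions made for illustration; the example walks constructed users through DHCP, ARP, Portal authentication, online and offline, including a refused over-limit request and a refused ARP request that claims another user's IP address.

```python
"""Added example (not the patent's code): state-driven access control with
registered callbacks. All names and values are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, Optional, Tuple


class State(Enum):
    CONN_INITIAL = auto()    # DHCP (or PPPoE) request received
    CONN_ESTABLISH = auto()  # ARP (or LCP) request received
    AUTH = auto()            # Portal user name and password received
    CONN_SUCCESS = auto()    # online request received
    CONN_TEARDOWN = auto()   # offline request received


@dataclass
class Event:
    """What the link layer hands to the control side on a transition."""
    vlan_id: int
    mac: str
    ip: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


class LinkLayerProtocol:
    """Link layer side: one registered callback per predetermined state."""

    def __init__(self) -> None:
        self._callbacks: Dict[State, Callable[[Event], object]] = {}

    def register(self, state: State, callback: Callable[[Event], object]) -> None:
        self._callbacks[state] = callback

    def transition(self, state: State, event: Event):
        cb = self._callbacks.get(state)
        return cb(event) if cb else None   # nothing registered: plain protocol behaviour


class MessageControl:
    """Service side: the control operation for each predetermined state."""

    def __init__(self, max_users_per_vlan: int, credentials: Dict[str, str]) -> None:
        self.max_users = max_users_per_vlan
        self.credentials = credentials                      # constructed user database
        self.bindings: Dict[Tuple[int, str], str] = {}      # (vlan, mac) -> IP from DHCP
        self.accounting: Dict[Tuple[int, str], bool] = {}   # who is currently charged

    def on_initial(self, ev: Event) -> Optional[str]:
        users_on_vlan = sum(1 for (v, _) in self.bindings if v == ev.vlan_id)
        if users_on_vlan >= self.max_users:
            return None                                     # VLAN full: no address handed out
        ip = f"10.{ev.vlan_id}.0.{10 + users_on_vlan}"      # assumed address plan
        self.bindings[(ev.vlan_id, ev.mac)] = ip            # save the IP/MAC correspondence
        return ip

    def on_establish(self, ev: Event) -> bool:
        # Anti-spoofing: the sender IP in the ARP request must be the address
        # assigned to this MAC on this VLAN; anything else is refused.
        return self.bindings.get((ev.vlan_id, ev.mac)) == ev.ip

    def on_auth(self, ev: Event) -> bool:
        return ev.username is not None and self.credentials.get(ev.username) == ev.password

    def on_success(self, ev: Event) -> bool:
        self.accounting[(ev.vlan_id, ev.mac)] = True        # start charging
        return True

    def on_teardown(self, ev: Event) -> bool:
        return self.accounting.pop((ev.vlan_id, ev.mac), None) is not None  # stop charging


def build_access_device(max_users_per_vlan: int = 2):
    ctrl = MessageControl(max_users_per_vlan, {"alice": "s3cret", "bob": "hunter2"})
    llp = LinkLayerProtocol()
    for state, cb in [(State.CONN_INITIAL, ctrl.on_initial),
                      (State.CONN_ESTABLISH, ctrl.on_establish),
                      (State.AUTH, ctrl.on_auth),
                      (State.CONN_SUCCESS, ctrl.on_success),
                      (State.CONN_TEARDOWN, ctrl.on_teardown)]:
        llp.register(state, cb)
    return llp, ctrl


def run_session() -> Dict[str, object]:
    """Drive constructed users on VLAN 100 through the flow; return every decision."""
    llp, ctrl = build_access_device(max_users_per_vlan=2)
    alice, bob, carol = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    r: Dict[str, object] = {}
    r["alice_ip"] = llp.transition(State.CONN_INITIAL, Event(100, alice))   # 10.100.0.10
    r["bob_ip"] = llp.transition(State.CONN_INITIAL, Event(100, bob))       # 10.100.0.11
    r["carol_ip"] = llp.transition(State.CONN_INITIAL, Event(100, carol))   # None: VLAN full
    r["alice_arp"] = llp.transition(State.CONN_ESTABLISH, Event(100, alice, "10.100.0.10"))
    r["bob_spoofs_alice"] = llp.transition(State.CONN_ESTABLISH, Event(100, bob, "10.100.0.10"))
    r["alice_auth"] = llp.transition(State.AUTH, Event(100, alice, "10.100.0.10", "alice", "s3cret"))
    r["alice_bad_pw"] = llp.transition(State.AUTH, Event(100, alice, "10.100.0.10", "alice", "nope"))
    r["alice_online"] = llp.transition(State.CONN_SUCCESS, Event(100, alice, "10.100.0.10"))
    r["charging"] = (100, alice) in ctrl.accounting
    r["alice_offline"] = llp.transition(State.CONN_TEARDOWN, Event(100, alice, "10.100.0.10"))
    r["charging_after"] = (100, alice) in ctrl.accounting
    return r
```

Calling `run_session()` returns the decisions in order; the two refusals (`carol_ip` is `None`, `bob_spoofs_alice` is `False`) come from the registered callbacks alone, which is the point of the registration mechanism: swapping the policy means registering a different callback, not touching the protocol state machine.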
The device for implementing network connection control based on a link layer protocol provided by the present invention is shown in Fig. 3.
Fig. 3 comprises a message control module 300 and a link layer protocol module 310.
The message control module 300 comprises: a connection initial service submodule 301, a connection establishment service submodule 302, an authentication service submodule 303, a connection success service submodule 304, and a connection teardown service submodule 305.
The link layer protocol module 310 comprises: a connection initial link layer submodule 311, a connection establishment link layer submodule 312, and an authentication link layer submodule 313.
The device of the present invention is described in detail below, taking the control of the network connection of an Ethernet access user with the device of the present invention as an example.
When the connection initial link layer submodule 311 receives a DHCP request sent by the network terminal user, it transfers the DHCP request message, the VLAN ID corresponding to this network terminal user, and so on, to the connection initial service submodule 301. The connection initial service submodule 301 decides from this information whether to allow the user to connect, for example whether the number of users corresponding to this VLAN ID in the network access equipment is less than the predetermined maximum number of access users. If it is, submodule 301 notifies the connection initial link layer submodule 311 that this network terminal user may access, submodule 311 can allocate a legal IP address to the user, and submodule 301 saves the correspondence between this IP address and the user's MAC address. If the number of users corresponding to the VLAN ID is not less than the predetermined maximum, submodule 301 notifies submodule 311 that this network terminal user may not access, and submodule 311 does not allocate an IP address to the user.
After the network terminal user receives the IP address sent by the connection initial link layer submodule 311, it initiates an ARP request. When the connection establishment link layer submodule 312 receives the ARP request from the network terminal user, it transfers the ARP request information together with the VLAN ID, MAC address and IP address to the connection establishment service submodule 302, which judges from the VLAN ID, MAC address and IP address whether this network terminal user is a legitimate user: if the correspondence between the MAC address and the IP address is identical to the correspondence it saved, it transfers a message allowing the IP connection to be established to the connection establishment link layer submodule 312; if the correspondence differs from the saved one, it transfers a message refusing the IP connection to submodule 312. The connection establishment link layer submodule 312 then decides, according to the judgement result sent by the connection establishment service submodule 302, whether to establish the IP connection for the network terminal user.
After the connection establishment link layer submodule 312 has established the IP connection for the network terminal user, the user goes online and initiates Portal authentication, entering the user name and password. The authentication link layer submodule 313 enters the authentication state after receiving the user name and password sent by the network terminal user and initiates an authentication request to the authentication service submodule 303; the authentication service submodule 303 authenticates this request and feeds the authentication result back to the authentication link layer submodule 313.
After the authentication link layer submodule 313 receives the information that authentication has passed, it sends that information to the network terminal user. On receiving it, the network terminal user clicks the online sign; after the authentication link layer submodule 313 receives the online request message from the user, it transfers a connection success message to the connection success service submodule 304, which begins charging this network terminal user according to the connection success information received.
When the network terminal user finishes being online, it clicks the offline sign; after the authentication link layer submodule 313 receives the offline request from the user, it enters the connection teardown state. The authentication link layer submodule 313 transfers a connection teardown message to the connection teardown service submodule 305, and the connection teardown service submodule 305 ends the charging of this network terminal user.
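The connection establishment check performed by submodules 312 and 302 above, applied to an actual ARP request, as an added example that is not code from the patent or from Huawei. The frame layout is the standard one (802.1Q tag, then ARP); the function names, the binding table and the frames are constructed for illustration. It goes one step beyond the text in one respect, stated here as an added caveat: it also requires the Ethernet source address and the ARP sender hardware address to agree, since a terminal can put a foreign MAC address in the ARP body while sending from its own.

```python
"""Added example (not the patent's code): the connection establishment control
operation applied to a tagged ARP request. Names and frames are constructed."""
import struct
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ARP_REQUEST = 1

Bindings = Dict[Tuple[int, str], str]   # (vlan_id, mac) -> IP saved when assigned


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp_request(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (vlan_id, ethernet_src, arp_sender_mac, arp_sender_ip) for an
    802.1Q-tagged ARP request, or None for anything else."""
    if len(frame) < 18 + 28:
        return None
    _dst, src, tpid, tci, ethertype = struct.unpack_from("!6s6sHHH", frame, 0)
    if tpid != ETH_P_8021Q or ethertype != ETH_P_ARP:
        return None
    arp = frame[18:18 + 28]
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", arp, 0)
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    sender_mac = _mac(arp[8:14])
    sender_ip = ".".join(str(x) for x in arp[14:18])
    return tci & 0x0FFF, _mac(src), sender_mac, sender_ip


def connection_establish_check(frame: bytes, bindings: Bindings) -> bool:
    """Control operation of the connection establishment state: allow the IP
    connection only when the sender MAC/IP pair on this VLAN is the pair that
    was recorded when the address was assigned."""
    parsed = parse_arp_request(frame)
    if parsed is None:
        return False                        # not an ARP request: nothing to allow
    vlan_id, eth_src, sender_mac, sender_ip = parsed
    if eth_src != sender_mac:
        return False                        # frame source and ARP sender disagree
    return bindings.get((vlan_id, sender_mac)) == sender_ip


def build_arp_request(vlan_id: int, eth_src: str, sender_mac: str,
                      sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast, 802.1Q-tagged ARP request (test input only)."""
    def mac_bytes(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip_bytes(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip) + bytes(6) + ip_bytes(target_ip))
    return eth + arp


def demo() -> Dict[str, bool]:
    """Run the check over constructed frames against a constructed binding table."""
    alice, bob, gw = "00:11:22:33:44:01", "00:11:22:33:44:02", "10.100.0.1"
    bindings: Bindings = {(100, alice): "10.100.0.10", (100, bob): "10.100.0.11"}
    cases = {
        "alice_own_ip": build_arp_request(100, alice, alice, "10.100.0.10", gw),
        "bob_claims_alice_ip": build_arp_request(100, bob, bob, "10.100.0.10", gw),
        "bob_forges_alice_mac": build_arp_request(100, bob, alice, "10.100.0.10", gw),
        "alice_wrong_vlan": build_arp_request(200, alice, alice, "10.100.0.10", gw),
        "not_arp": b"\xff" * 6 + bytes(6) + struct.pack("!HHH", ETH_P_8021Q, 100, 0x0800) + bytes(28),
    }
    return {name: connection_establish_check(frame, bindings) for name, frame in cases.items()}
```

Only `alice_own_ip` is allowed. The binding table is keyed by VLAN as well as MAC, so the same MAC/IP pair seen on a VLAN where it was never assigned is refused too, which matches the text's use of VLAN ID, MAC address and IP address together.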
Although the present invention has been described through embodiments, those of ordinary skill in the art will appreciate that the present invention has many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover these variations and modifications.

Claims (10)

1. A method for implementing network connection control based on a link layer protocol, characterized by comprising:
a. setting the control operation corresponding to a predetermined state of the link layer protocol by means of a callback function registered in the link layer protocol;
b. during the process in which a network terminal user establishes a connection, when the link layer protocol transitions to the predetermined state, using said callback function to determine the control operation corresponding to the predetermined state transitioned to, and controlling the network connection of the network terminal user according to the determined control operation.
2, the method for claim 1 is characterized in that described link layer protocol is the point-to-point protocol on the Ethernet or the link layer protocol of Ethernet.
3. The method for implementing network connection control based on a link layer protocol of claim 2, characterized in that, when said control operation is implemented by a function, the function name corresponding to the predetermined state is saved in said link layer protocol, and said method further comprises:
during the process in which the network terminal user establishes a connection, when the link layer protocol transitions to the predetermined state, said link layer protocol calls the corresponding function by the function name corresponding to the predetermined state transitioned to, and controls the network connection of the network terminal user.
4. The method for implementing network connection control based on a link layer protocol of claim 2, characterized in that said step a is: registering a corresponding interface function for the predetermined state of the link layer protocol; and, when the function pointer of said interface function corresponds to the callback function, said step b comprises:
during the process in which the network terminal user establishes a connection, when the link layer protocol transitions to the predetermined state, said link layer protocol calls the corresponding callback function through the function pointer of the interface function corresponding to the predetermined state transitioned to, and controls the network connection of the network terminal user.
5. The method for implementing network connection control based on a link layer protocol of claim 3 or 4, characterized in that said predetermined states of the link layer protocol comprise a connection initial state;
when the network terminal user initiates a PPPoE request or a Dynamic Host Configuration Protocol (DHCP) request, the link layer protocol is in said connection initial state;
the control operation corresponding to said connection initial state is:
when the number of network terminal users under the port of the network access equipment is not less than the predetermined maximum number of access users, forbidding the network terminal user from establishing a network connection;
when the number of network terminal users under the port of the network access equipment is less than said predetermined maximum number of access users, allocating an IP address to said network terminal user and saving the correspondence between said IP address and the MAC address of this network terminal user.
6. The method for implementing network connection control based on a link layer protocol of claim 3 or 4, characterized in that said predetermined states of the link layer protocol further comprise a connection establishment state;
when the network terminal user initiates an LCP request or an ARP request, the link layer protocol is in said connection establishment state;
the control operation corresponding to said connection establishment state is:
when the correspondence between the IP address with which the network terminal user connects and the MAC address of this network terminal user conforms to the correspondence between IP address and MAC address saved by said link layer protocol, allowing this network terminal user to establish a network connection; otherwise, not allowing this network terminal user to establish a network connection.
7. The method for implementing network connection control based on a link layer protocol of claim 3 or 4, characterized in that said predetermined states of the link layer protocol further comprise an authentication state, present after said link layer protocol has been extended with an application authentication function;
when LCP negotiation of the network terminal user succeeds, or when the network terminal user initiates Portal authentication, the link layer protocol is in said authentication state;
the control operation corresponding to said authentication state is:
when authentication of the network terminal user fails, disconnecting the network connection of this network terminal user.
8. The method for implementing network connection control based on a link layer protocol of claim 7, characterized in that said predetermined states of the link layer protocol further comprise a connection success state and a connection teardown state;
when the link layer protocol receives the online request of the network terminal user, it is in said connection success state;
when the link layer protocol receives the offline sign of the network terminal user, it is in said connection teardown state;
the control operations corresponding to said connection success state and said connection teardown state are:
when the link layer protocol receives the online request of the network terminal user, beginning to charge this network terminal user;
when the link layer protocol receives the offline sign of the network terminal user, ending the charging of this network terminal user.
9. A device for implementing network connection control based on a link layer protocol, characterized by comprising:
a link layer protocol module, in which a callback function is registered so that the control operation corresponding to a predetermined state of the link layer protocol is set in the message control module; when it determines that the link layer protocol has transitioned to a predetermined state, it transfers the related information sent by the network terminal user to the message control module, and controls the network connection of said network terminal user according to the control information sent back by the message control module;
a message control module, which determines from the related information transferred by said link layer protocol module the predetermined state to which the link layer protocol has transitioned, uses said callback function to determine the control operation corresponding to that predetermined state, and transfers the control information corresponding to said control operation to said link layer protocol module.
10. The device for implementing network connection control based on a link layer protocol of claim 9, characterized in that said link layer protocol module comprises:
a connection initial link layer submodule, which receives the PPPoE request or Dynamic Host Configuration Protocol (DHCP) request sent by the network terminal user, transfers said request message to the connection initial service submodule, and responds to the connection request of the network terminal user according to the corresponding control information sent by the connection initial service submodule;
a connection establishment link layer submodule, which receives the LCP request or ARP request sent by the network terminal user, transfers said request message to the connection establishment service submodule, and responds according to the judgement result sent by the connection establishment service submodule as to whether this network terminal user is a legitimate user;
an authentication link layer submodule, which receives the authentication information sent by the network terminal user, transfers said authentication information to the authentication service submodule, and, after receiving from the authentication service submodule the information that authentication has passed, transfers the online request sent by the network terminal user to the connection success service submodule and transfers the offline sign sent by the network terminal user to the connection teardown service submodule;
and said message control module comprises:
a connection initial service submodule, which determines the control of this network terminal user's connection according to the predetermined maximum number of access users and the PPPoE request or DHCP request transferred by said connection initial link layer submodule, and transfers the corresponding control information to said connection initial link layer submodule;
a connection establishment service submodule, which judges from the LCP request or ARP request transferred by said connection establishment link layer submodule whether this network terminal user is a network terminal user with a legitimate IP address, and transfers the judgement result to said connection establishment link layer submodule;
an authentication service submodule, which authenticates this network terminal user according to the authentication information transferred by said authentication link layer submodule, and transfers the authentication result to the authentication link layer submodule;
a connection success service submodule, which begins charging this network terminal user according to the online request of the network terminal user transferred by said authentication link layer submodule;
a connection teardown service submodule, which ends the charging of this network terminal user according to the offline sign of the network terminal user transferred by said authentication link layer submodule.
CNB031440142A 2003-07-25 2003-07-25 A method and apparatus for implementing network access control based on link layer protocol Expired - Fee Related CN100356741C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031440142A CN100356741C (en) 2003-07-25 2003-07-25 A method and apparatus for implementing network access control based on link layer protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB031440142A CN100356741C (en) 2003-07-25 2003-07-25 A method and apparatus for implementing network access control based on link layer protocol

Publications (2)

Publication Number Publication Date
CN1571378A CN1571378A (en) 2005-01-26
CN100356741C true CN100356741C (en) 2007-12-19

Family

ID=34471324

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031440142A Expired - Fee Related CN100356741C (en) 2003-07-25 2003-07-25 A method and apparatus for implementing network access control based on link layer protocol

Country Status (1)

Country Link
CN (1) CN100356741C (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102065072B (en) * 2010-09-21 2013-12-25 深圳市九洲电器有限公司 Method and device for fast establishing PPPOE (Point-to-Point Protocol over Ethernet) link layer connection
CN102769844B (en) * 2012-07-04 2015-04-08 中国联合网络通信集团有限公司 Data transmission method and system based on mobile terminal and mobile terminal
CN105812318B (en) * 2014-12-30 2019-02-12 中国电信股份有限公司 For preventing method, controller and the system of attack in a network
CN109150925B (en) * 2018-11-08 2021-06-15 网宿科技股份有限公司 IPoE static authentication method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1298592A (en) * 1998-04-27 2001-06-06 因特纳普网络服务公司 Establishing connectivity in networks
JP2001211180A (en) * 2000-01-26 2001-08-03 Nec Commun Syst Ltd Dhcp server with client authenticating function and authenticating method thereof
CN1392708A (en) * 2001-06-19 2003-01-22 深圳市中兴通讯股份有限公司 Allocation method of wide band access user
CN1397208A (en) * 2001-07-19 2003-02-19 王海光 Sporophyllary leaf of undaria pinnatifida and its preparing process
CN1411242A (en) * 2001-09-28 2003-04-16 华为技术有限公司 Broad band intelligent net access service system and its realizing method

Also Published As

Publication number Publication date
CN1571378A (en) 2005-01-26

Similar Documents

Publication Publication Date Title
CN1781099B (en) Automatic configuration of client terminal in public hot spot
US7036142B1 (en) Single step network logon based on point to point protocol
JP5054699B2 (en) Policy enforcement point interface system and method
US8125980B2 (en) User terminal connection control method and apparatus
US6400707B1 (en) Real time firewall security
US7630386B2 (en) Method for providing broadband communication service
CN100566300C (en) A kind of netted trunking method and IP communication system of controlling the media delivery path
JP2001506432A (en) Method of activating unregistered system in distributed multi-server network environment
CN101102291B (en) Method for realizing user Internet access based on PPPOE agent function
CN102480729A (en) Method for preventing faked users and access point in radio access network
CN101222354A (en) Intelligent terminal management method
US20080046974A1 (en) Method and System Enabling a Client to Access Services Provided by a Service Provider
CN107707435B (en) Message processing method and device
CN105706455B (en) Electronic device and method for controlling electronic device
US20070121833A1 (en) Method of Quick-Redial for Broadband Network Users and System Thereof
CN100356741C (en) A method and apparatus for implementing network access control based on link layer protocol
CN100370768C (en) Method for triggering user IP address assignment
CN101087232B (en) An access method, system and device based on Ethernet point-to-point protocol
EP1912411B1 (en) Method and system for service preparation of a residential network access device
CN108134693A (en) Networking parameters configuration method, device, router and the storage medium of router
CN100473038C (en) Method for supporting multiple Ethernet point-to-point protocol conversation by one Ethernet interface
CN101997904B (en) Session distinguishing method and session distinguishing equipment
CN101656738A (en) Method and device for verifying terminal accessed to network
CN114338218A (en) PPPoE dialing method
CN101652778B (en) GW coupled SIP proxy

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071219

Termination date: 20180725