CN101060498A - A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch - Google Patents
A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch Download PDFInfo
- Publication number
- CN101060498A CN101060498A CNA2007101233441A CN200710123344A CN101060498A CN 101060498 A CN101060498 A CN 101060498A CN A2007101233441 A CNA2007101233441 A CN A2007101233441A CN 200710123344 A CN200710123344 A CN 200710123344A CN 101060498 A CN101060498 A CN 101060498A
- Authority
- CN
- China
- Prior art keywords
- port
- binding
- gateway
- gateway mac
- corresponding relation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The disclosed gateway Mac bonding method comprises: when network topology changes, activating the bonding right of device ports connected with each other; when receiving a first/second appointed-format message, detecting whether its port is the activated port; yes to automatic bonding/debonding the relative relation between the port and the gateway Mac address. This invention avoids pretended gateway Mac attack, and reduces right bonding complexity.
Description
Technical field
The present invention relates to network communications technology field, relate in particular to a kind of method, assembly, gateway and Layer 2 switch of realizing gateway Mac binding.
Background technology
Along with popularizing and development of network service, carry out mutual, the shared basic means that has become individual, enterprise and even large organization group periodic traffic of information by network.Therefore, as the network equipment on basis, whether switch can realize the correct forwarding of network message, is directly connected to the normal operation of network, closely bound up with user's work, life and amusement.
With regard to the VLAN network message repeating process of (Virtual Local Area Network is called for short VLAN), no matter be Layer 2 switch or three-tier switch, the forwarding of message data bag all will be carried out according to the Mac address table in the switch.As shown in Figure 1, be typical two or three layers of exchange networking schematic diagram, wherein, switch (Switch) A is a three-layer switching equipment, its inside provides the logic interfacing " interface vlan 1 " that enters VLAN 1 (being also referred to as three layers of virtual interface), be the gateway of main frame among the VLAN 1 (Host) A, B, C, its IP address is 1.1.1.1, and the Mac address is 0-0-1; Simultaneously, Host A, B are connected by Layer 2 switch Switch B with C.When carrying out the network message transmission, Switch A is exactly the gateway of Host A, B and C; The IP message that Host A, B and C at first will send to gateway 1.1.1.1 is encapsulated as two layers Ethernet message, and purpose Mac address is gateway Mac address 0-0-1; After this message sends to Layer 2 switch Switch B, the Mac address table of Switch B inquiry oneself, finding this purpose of 0-0-1 Mac address corresponding output port is Port 1, then message is sent from Port 1, finishes correct forwarding.In this process, the corresponding outbound port Port 1 of 0-0-1 in the Mac address table of Switch B why, be because Switch B machine in return, ability with " study " Mac address, and can " study " to the Mac address leave in the internal table of addresses, detailed process is: when Switch B has received source Mac from port Port 1 is two layers of Ethernet message of 0-0-1, just dynamically " study " and set up the corresponding relation of port Port 1 and this Mac address.But it is same, if it is two layers of Ethernet message of 0-0-1 that SwitchB has received source Mac from port Port4 again, because having no way of discerning this message, whether sends SwitchB by gateway or the switch that is connected with gateway, therefore can refresh port and the corresponding relation of Mac address, with Mac address 0-0-1 " study " above Port4.Since the message that receives from port Port 4 by Host C but not Switch A send, the message that will cause Switch B that other main frame is wanted to send to gateway that refreshes of this port all forwards from port Port4, arrival gateway Switch A that can not be real, thus cause network to interrupt.
At two gateways, comprise three-tier switch/router, in the time of direct-connected, also exist this camouflage gateway Mac to carry out the situation of network attack.
As can be seen, no matter the connection between the network equipment is being connected of Layer 2 switch and gateway, or the connection between the gateway, guarantee the forwarding of message correctly, all needs to satisfy following two conditions:
The gateway Mac address right of learning; And
The network equipment is correct to outbound port that should the Mac address, and promptly the binding relationship of gateway Mac address and outbound port is correct.
At the attack of last condition, generally be to send wrong ARP information, owing at present perfect ARP solution has been arranged, do not discuss at this;
Attack at back one condition, only need send Mac address, source from the another one port in the VLAN of this network equipment place is the message of 0-0-1, the network equipment will be gateway Mac address learning to the port of mistake so, thereby follow-up packet also will be forwarded to this wrong port, reach the purpose of attack.
Obviously, the behavior that above-mentioned camouflage gateway Mac carries out network attack is very easy to implement, in real network, also often take place, industry generally solves this problem by manual static binding Mac at present, comprise: the attributes section that corresponding relation is set in the address table of the network equipment (as switch), when the attributes section of a corresponding relation was " Learned ", this corresponding relation can be refreshed by the result of " study " at any time; And for the Mac and the port of network manager's manual configuration, the attributes section of its corresponding relation is " Static ", can not refreshed by the result of " study "; Accordingly, after the Mac address and the port of export of determining gateway, need the manually corresponding relation of this Mac address of configuration and the port of export in each network equipment (as switch), its attribute is the Static attribute; Like this, even receive the message that source Mac is 0-0-1 from other ports, the network equipment (as switch) match this corresponding relation by static binding after, can be with gateway Mac address learning to port Port 4 yet, thus can reach the purpose of attack protection.
But there is following defective in the scheme of the static Mac of this set:
1, for static Mac is set, must manually obtain gateway Mac address earlier, be configured cumbersome to the network equipment such as switch one by one again;
2, owing to reasons such as migrations, the gateway that may cause the network equipment such as switch to connect changes, this just need be in the network equipment manual adjustment; Therefore in the networking of reality is used, can there be configuration and the deletion work of a large amount of static Mac;
3, gateway and gateway, and the physical distance between gateway and the switch may be separated by far, therefore manual configuration respectively is very inconvenient.
Summary of the invention
The objective of the invention is to,, provide a kind of technical scheme that realizes gateway Mac binding, thereby effectively prevent to pretend the behavior of gateway Mac attacking network at above-mentioned defective of the prior art.
For achieving the above object, embodiments of the invention provide a kind of method that realizes gateway Mac binding, may further comprise the steps: when the network physical topological structure changes, activate the binding authority that interconnects port between the network equipment; When a network equipment receives one the first/the second specified format message, detect whether the port that receives described the first/the second specified format message is the port that has activated the binding authority; Be then, the corresponding relation of the gateway Mac address of described port of binding and described the first/the second specified format message identification is bound/separated to the described network equipment automatically.
Embodiments of the invention also provide a kind of assembly of realizing gateway Mac binding, comprising:
The Mac dispensing device, the port that is used to instruct gateway to activate the binding authority sends the first/the second specified format message that identifies gateway Mac address; The Mac binding device is used to detect the port that the network equipment receives the first/the second specified format message and whether has activated the binding authority; And for activating under the situation of binding the authority port, the corresponding relation of described port of binding and described gateway Mac address is bound/is separated in instruction at this port.
Embodiments of the invention also provide a kind of gateway of realizing gateway Mac binding, are provided with the Mac dispensing device that the embodiment of the invention provides in the described gateway, and described gateway comprises three-tier switch and router.
Embodiments of the invention also provide a kind of Layer 2 switch of realizing gateway Mac binding, are provided with the Mac binding device that the embodiment of the invention provides in the described Layer 2 switch.
As shown from the above technical solution, the present invention distinguishes the network equipment port attribute according to the network physical topological structure, adopts at the port automatic binding gateway Mac address of activating the binding authority and the scheme of port corresponding relation, has following beneficial effect:
1, effectively prevented the behavior of camouflage gateway Mac attacking network;
2, avoid a large amount of manual configuration work, reduced the complexity that realizes gateway Mac address binding.
Below by drawings and Examples, technical scheme of the present invention is described in further detail.
Description of drawings
Fig. 1 is typical two or three layers of exchange networking schematic diagram in the prior art;
Fig. 2 is the flow chart of method one preferred embodiment of realization gateway Mac binding provided by the invention;
Fig. 3 be embodiment illustrated in fig. 2 in, the flow chart of embodiment 1 of the corresponding relation of bundling port and gateway Mac address is bound/separated to switch automatically;
Fig. 4 be embodiment illustrated in fig. 2 in, the flow chart of embodiment 2 of the corresponding relation of bundling port and gateway Mac address is bound/separated to switch automatically;
Fig. 5 is in method one specific embodiment of realization gateway Mac binding provided by the invention, the schematic diagram of the VLAN that is adopted;
Fig. 6 is the schematic diagram of assembly one embodiment of realization gateway Mac binding provided by the invention.
Embodiment
In order to overcome existing complicated operation problem in the existing gateway Mac static binding, the invention provides a kind of technical scheme that realizes gateway Mac binding, will be elaborated below.
At first, the invention provides a kind of method that realizes gateway Mac binding, consider based on following two aspects: on the one hand, because the network equipment all is to be safeguarded by the vlan network guardian as two/three-tier switch and router, can not initiatively initiate attack, so the information of its transmission is reliable; On the other hand, legal gateway Mac address transfer path all is again to terminal from the network equipment, therefore, when only being connected the binding authority of port between the open-type network equipment, just the camouflage message that is not sent by Host by the assurance switch is confused precondition is provided, therefore by carrying out the correct binding that following steps can realize gateway Mac address and port: when the network physical topological structure changes, activate the binding authority that interconnects port between the network equipment; When a network equipment receives the first/the second specified format message of a sign gateway Mac address, detect whether the port that receives described the first/the second specified format message is the port that has activated the binding authority; Be then, the corresponding relation of described port of binding and described gateway Mac address is bound/separated to described switch automatically.Above-mentioned steps is not only applicable to two layers/three-tier switch, is applicable to the network equipment that router etc. E-Packets based on the Mac port yet.
Wherein, port support that described binding authority the is activated identification to the first/the second specified format message of sign gateway Mac address can further be set, then whether can identify the first/the second specified format message and can finish the identification that whether port is activated the binding authority by detecting.
Because during primary network topologies change in office, the whole setting of ports of the network equipment is all with zero clearing, and therefore, the activation situation of network physical topologies change front port binding authority can not exert an influence to the network equipment after changing.
As shown in Figure 2, the flow chart for method one preferred embodiment of realization gateway Mac provided by the present invention binding may further comprise the steps:
At first, when the network physical topological structure changes, need to activate the binding authority that interconnects port between the network equipment; It will be appreciated by those skilled in the art that, no matter which kind of variation takes place in the network physical topological structure, all with the at first original port binding authority of deexcitation, and triggering reexamining to interconnected relationship between the network equipment, and the binding authority of corresponding port carried out activation manipulation, guarantee that the binding authority that all interconnects port between the network equipment all is activated in the new topological structure that forms.
The method of port binding authority activation can specifically be provided with according to actual needs, embodiments of the invention are that example specifically describes by an agreement that is enclosed within exchange gateway Mac between the network equipment is provided, but those skilled in the art can understand, and this active mode only is for example and not limitation.In the present embodiment, the agreement that is provided is named as the UpDown agreement, dispatch from the factory or during the network architecture by network equipment default installation, thereby provide the binding authority this attribute for network equipment port.When certain network equipment port had enabled this agreement, this port binding authority promptly was activated; When this port went to enable this agreement, this port binding authority was by deexcitation, and the process of this deexcitation is carried out when the network physical topology changes automatically.
Therefore, the step 101 of present embodiment is: when the network physical topological structure changes, interconnect the UpDown agreement of port between the enabled network devices.
The message that the network equipment receives comprises the message that sends from gateway and two kinds of the messages that send from Host, in order to realize the correct binding of gateway Mac, the specified format message of sign gateway Mac address need be set.Simultaneously, in order to realize binding/separating the various objectives of binding, type of message needs difference to some extent, and present embodiment characterizes with two types: a kind of is the message of informing that this port of recipient is opened, and another kind is the message of informing this port cancellation of recipient.Concrete, can under the UpDown agreement, be set to Up message (the first specified format message) and Down message (the second specified format message) respectively.
The message format of UpDown agreement can be with reference to following content:
Purpose Mac address: 6 bytes are gateway Mac addresses;
Mac address, source: 6 bytes are gateway Mac addresses;
Type: 2 bytes, sign UpDown agreement; Because be the agreement of appointment voluntarily, can arbitrarily distribute a still unappropriated field, as 0xff88; If desired with this consensus standardization, can file an application to the corresponding standard tissue;
Type of message: 1 byte, such as 0x00 sign Up message, 0x01 sign Down message, other 0x02~0xff are kept, and can be used for identifying the UpDown protocol massages of other types;
Other bytes: can specify message length as required, after foregoing was finished according to certain built-up sequence arrangement, other bytes of message were filled with 0.
As can be seen, the message of this specified format, its destination address is identical with source address, therefore can not transmitted by the chip of the network equipment such as switch, but realize transmission/reception by the program end software of gateway and switch UpDown agreement; This program end software can adopt the form of order line to realize, the instruction gateway sends the message of specified format from the port that has enabled this agreement, and simultaneously, the switch of instruction non-gateway is transmitted from port except that receiving port, that enabled this agreement.
Simultaneously, because message format is special, the network equipment is easy to identify the message of this message for sign gateway Mac address.
In actual use, the received specified format message of the network equipment has following three kinds of sources: 1, the specified format message that directly sends for gateway; 2, gateway specified format message that send and that transmit by other network equipments; 3, Host forges the message of this specified format, and sends it to the network equipment.
Wherein,,, send the first/the second specified format message, can comprise following situation from this port when arbitrary port of a gateway satisfies when pre-conditioned for situation 1:
When the binding authority of this port is activated, send the first specified format message from this port, in the UpDown agreement Up message;
When the port that is activated of binding authority arrives predetermined period, send the first specified format message from described port, in the UpDown agreement Up message;
Breaking away from a VLAN or disconnect when being connected with the logic of a network equipment when the port that is activated of binding authority switches, send the second specified format message from described port, is the Down message in the UpDown agreement;
Entering a VLAN or set up when being connected with the logic of a network equipment when the port that is activated of binding authority switches, send the first specified format message from described port, is the Up message in the UpDown agreement.
For situation 2, when the port binding authority that receives the specified format message when arbitrary network equipment has activated, whether also inquire about present networks equipment exists other to activate port, be then received message have been activated port from other to forward, the type that is forwarded message can not change.
Following table 1 has provided a state machine example that sends the UpDown protocol massages, but also non exhaustive:
| Incident | Action |
| Three-tier switch inserts VLAN | All of the port in this VLAN (router is just from this interface) sends the Up message |
| The three-tier switch timer expires | All of the port in VLAN (router is just from this interface) sends the Up message |
| The a certain port of three-tier switch adds VLAN | Send the Up message at this port |
| Three-tier switch breaks away from VLAN | All of the port (router is just from this interface) at VLAN sends the Down message |
| The a certain port of three-tier switch takes place from VLAN deletion or attribute | Send the Down message at this port |
| Change (connecting switch) as logic no longer |
Table 1
By the description of above-mentioned steps 102, the message that receives as can be seen might be that Host forges, if the network equipment is not screened the corresponding relation of just learning this gateway Mac and interface so, still can cause the mistake of learning outcome.
,, finish for this reason, stop to learn the possibility of wrong corresponding relation from Host to sending the identification of specified format message end by the port binding authority that step 101 provided.Wherein,, can abandon described message, perhaps report risk of attacks to management platform for the port of non-activation binding authority.
Further, because in the present embodiment, the specified format message is arranged under the UpDown agreement, therefore, step 103 can be specially detection and whether identify the Up/Down message, be to illustrate that then the port binding authority that receives this message activates, otherwise, can not cause mistake study naturally owing to be unrealized to the identification of message at all.
Because having activated the port of binding authority is the port that is connected between the network equipment, therefore, carry out the binding of port and gateway Mac address/separate the binding configuration can guarantee the reliability that message is originated according to this port.
In the actual disposition process, can realize binding for " Static " by the attributes section of automatic configured port and gateway corresponding relation, the attributes section " Trusted " of one corresponding relation also can be set, this attribute is superior to " Learned ", but be lower than " Static ", then the attributes section by automatic configured port and gateway corresponding relation can realize binding equally for " Trusted ", is described respectively below.
Referring to Fig. 3, bind/separate the embodiment 1 of the corresponding relation of binding described port and described gateway Mac address automatically for the network equipment, be example with the switch, the attributes section of corresponding relation is " Static " and " Learned ", and is same as the prior art; This embodiment 1 may further comprise the steps:
1041, switch detects the message of the sign gateway Mac that receives, is the Up message, execution in step 1042, otherwise be the Down message, execution in step 1046;
1042, will receive the gateway Mac address and the address table that identify in the port of message and the message compares; There are following two kinds of possibilities this moment:
(1) coupling then illustrates the corresponding relation of having preserved gateway Mac and port in the address table; But this corresponding relation may be the result of switches learn, and its former attribute option is " Learned ", also might be the result after last time binding, and its former attribute option has been " Static "; The execution binding of not distinguished might be the setting repeatedly to " Static " attribute, causes the unhelpful waste of resource, therefore, and execution in step 1043;
(2) do not match, the corresponding relation that does not still have gateway Mac and port in the address table is described, such as the VLAN that finishes of topology just, execution in step 1045;
Whether the attribute of corresponding relation that 1043, detection is mated is Static, is then to illustrate to carry out bindings, need not address table is made amendment, and finishes; Otherwise illustrate that this corresponding relation is that switch passes through normal learning program acquisition, so execution in step 1044;
1044, the attribute of corresponding relation is set to " Static ", finishes bindings, finishes;
At this moment, can be set to the infinite staticize effect that reaches, realize that " Static " is provided with automatically by keeping a timer and this timer.
1045, in address table, set up the corresponding relation of described port and gateway Mac address, and the attributes section of this corresponding relation is set to " Static ", finishes bindings, finish;
In this step, be set to the infinite staticize effect that reaches by keeping a timer and this timer equally, realize that " Static " is provided with automatically.
1046, the corresponding relation record of port and gateway Mac address described in the deletion address table finishes.
For fear of the corresponding relation of the manual binding of mistake deletion, this step can be specially: checking whether safeguard " Static " attribute by timer, is then to prove automatic binding, and deletion also finishes; Otherwise be manual binding, do not delete, finish.
Because in actual applications, the general manual rank that is provided with will be higher than automatic configuration, to utilize the management of VLAN, therefore, the preferred embodiment 2 that the invention provides the network equipment and bind/separate the corresponding relation of bundling port and gateway Mac address automatically, be example with the switch still, as shown in Figure 4, may further comprise the steps:
1041 ', switch detects the message of the sign gateway Mac receive, is the Up message, execution in step 1042 ', otherwise be the Down message, execution in step 1046 ';
1042 ', will receive the Mac address and the address table that identify in the port of message and the message and compare, mate then execution in step 1043 ', otherwise execution in step 1045 ';
1043 ', detect described attribute;
Be " Static ", show that this corresponding relation by manual binding, do not handle, finish;
Be " Trusted ", show that this corresponding relation is bound automatically, do not handle, finish;
Be " Learned ", show only result of this corresponding relation, can be refreshed by new learning outcome at any time for learning automatically, so execution in step 1044 ';
1044 ', the attribute of configuration described port and gateway Mac address corresponding relation is " Trusted " in address table, finishes binding, end.
1045 ', in address table, set up the corresponding relation of described port and gateway Mac address, and the attribute of this corresponding relation is set to " Trusted ", finishes bindings, finishes;
1046 ', detect described attributes section;
Be " Static ", show that this corresponding relation by manual binding, do not handle, finish;
Be " Trusted ", show that this corresponding relation is binding automatically, execution in step 1047 ';
Be " Learned ", show only result of this corresponding relation for learning automatically, execution in step 1047 ';
1047 ', the corresponding relation record of port and gateway Mac address described in the deletion address table, end.
By the foregoing description as can be seen, because port binding authority physical topological structure Network Based obtains to activate, even being arranged, Host camouflage Mac address and forgery specify message format to attack, because the binding authority of the network equipment port that is connected with this main frame must be in unactivated state, therefore, this attack is invalid.And in this process, need not manual staticize processing gateway Mac,, also can make automatic feedback immediately even gateway changes.The work that needs the network manager to make only is according to the network physical topological structure, in time activates the port binding authority, and the Mac address and the staticize that need not further to go to call after the variation are handled; Can activate the port binding authority automatically by programming, thereby realize artificial real liberation according to the network physical changes of topology structure even.
Referring to table 2, be one and receive the state machine example of handling behind the UpDown protocol massages:
| Incident | Action |
| Receive the Up message | If corresponding gateway Mac and outbound port has existed and be the Static attribute, keep the static attribute constant, otherwise the corresponding relation of study gateway Mac and setting and port is the Trusted attribute |
| Receive the Down message | Judge whether the gateway Mac in the Mac table is the Trusted attribute, if deletion is other attribute, does not deal with. |
Table 2
Further describe the method for realization gateway Mac provided by the invention binding below by a specific embodiment,, be the VLAN schematic diagram that is adopted in this specific embodiment referring to Fig. 5, for the situation of a plurality of Layer 2 switch cascade networks is arranged, specific as follows:
Switch A is the three-tier switch as gateway, and its interface vlan 1 enables the Updown agreement, periodically sends the Up message; Port Port 1 and the Port3 of Layer 2 switch Swich B enable the Updown agreement, just can learn gateway Mac address 0-0-1 and staticize at Port1 like this, the Port 3 of the same VLAN of Switch B has also enabled the Updown agreement simultaneously, and the Up message is forwarded out Port 3; And the port Port 1 of Switch C has also enabled the UpDown agreement, and the port 1 of Switch C also can acquire Mac address 0-0-1 and staticize like this.Because other port of SwitchB and Switch C does not enable the Updown agreement,, do not reach the effect of attack so there is the Up of forgery message to attack yet.
In sum, the method of the realization gateway Mac binding that the embodiment of the invention provided, make gateway inform himself Mac address of other network equipment by the protocol massages of appointment, other network equipments can be discerned the authority of the port that receives protocol massages, and the gateway Mac that port provided that will have an authority is from this port study and solidify, thereby avoided the situation of camouflage Mac attacking network, and need not a large amount of manual configuration.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be finished by the relevant hardware of program command, described program can be stored in the computer read/write memory medium, this program comprises the steps: when carrying out
When the network physical topological structure changes, activate the binding authority that interconnects port between the network equipment; When a network equipment receives the first/the second specified format message of a sign gateway Mac address, detect whether the port that receives described the first/the second specified format message is the port that has activated the binding authority; Be then, the corresponding relation of the gateway Mac address of described port of binding and described the first/the second specified format message identification is bound/separated to the described network equipment automatically.
Described storage medium comprises: ROM/RAM, magnetic disc or CD etc.
Accordingly, embodiments of the invention also provide the assembly of realizing gateway Mac binding, as shown in Figure 6, comprising:
Wherein, assembly also can comprise Mac retransmission unit 23, trigger when binding authority port receives the first/the second specified format message activating by Mac binding device 22, instruct other ports that activated the binding authority of this port place network equipment to transmit described the first/the second specified format message.
Also comprise the timer (not shown), be used for periodic triggers Mac dispensing device 21, thereby periodically send gateway Mac address; This timer can be installed within the Mac dispensing device 21, also can be installed in outside this Mac dispensing device 21.
Also comprise gateway port induction installation (not shown), be used for when gateway port binding authority activates, perhaps the gateway port attribute change is connected with the logic of switch or disconnection is connected with the logic of switch such as setting up, perhaps switch when entering/breaking away from a certain VLAN, trigger described Mac dispensing device 21.Same, this gateway port induction installation can be installed within the Mac dispensing device 21, also can be installed in outside this Mac dispensing device 21.
Also comprise Mac active device 24, be used to detect the network physical changes of topology structure, and corresponding execution activates the operation that interconnects the port binding authority of port between the network equipment.
Simultaneously, Mac address and port that Mac binding device 22 can the instruction address table will be learnt are arranged to the Trusted attribute, this attribute is than the Learned attribute priority height by common two layers of Ethernet message study, learn identical Mac from other port like this, because its attribute is Learned, can not cover this Mac record, finish the correct binding of gateway Mac and outbound port.
Assembly that the embodiment of the invention provides can be the program function piece, need be installed in the actual switch/router to play a role.
Wherein, Mac dispensing device 21 typical cases are applied in gateway, comprise three-tier switch and router, and the corresponding gateway of realizing gateway Mac binding that provides of the present invention is provided with Mac dispensing device 21 in this gateway, also can be provided with timer and gateway port induction installation.A state machine example that sends the UpDown protocol massages of this gateway sees also table 1.
Also can be provided with Mac binding device 22 in this gateway, be used for when different VLAN cascades, receive other three-layer network and close the specified format message that switch/router sends.
It is Layer 2 switch that the typical case of Mac binding device 22 uses, and is provided with Mac binding device 22 in this Layer 2 switch.
Also can be provided with Mac retransmission unit 23 in this Layer 2 switch, be used for when receiving the specified format message, triggering, instruct this layer 2-switched port that other have activated the binding authority to transmit described message by Mac binding device 22.It may be noted that under the situation of the non-cascade of Layer 2 switch,, just can avoid pretending the situation of gateway Mac attacking network in equipment by Mac binding device 22 only is set, therefore, Mac retransmission unit 23 alternative installations.
The embodiment of the invention also provides a kind of VLAN that realizes gateway Mac binding, comprises gateway switch/router, Layer 2 switch and host terminal, and described gateway switch, router and Layer 2 switch are the network equipment of above-mentioned realization gateway Mac binding.
Also can comprise Mac active device 24 among this VLAN, be connected with Layer 2 switch with gateway switch/router respectively, be used to detect the variation of network topology structure, and corresponding execution activates the operation of above-mentioned switch ports themselves binding authority, thereby realize the real liberation of manpower.
It should be noted last that, above embodiment is only unrestricted in order to technical scheme of the present invention to be described, although the present invention is had been described in detail with reference to preferred embodiment, those of ordinary skill in the art is to be understood that, can make amendment or be equal to replacement technical scheme of the present invention, and not break away from the spirit and scope of technical solution of the present invention.
Claims (15)
1. a method that realizes gateway Mac binding is characterized in that, may further comprise the steps:
When the network physical topological structure changes, activate the binding authority that interconnects port between the network equipment;
When a network equipment receives the first/the second specified format message of a sign gateway Mac address, detect whether the port that receives described the first/the second specified format message is the port that has activated the binding authority;
Be then, the corresponding relation of the gateway Mac address of described port of binding and described the first/the second specified format message identification is bound/separated to the described network equipment automatically.
2. the method for realization gateway Mac binding according to claim 1 is characterized in that, by enabling the preset protocol in the described network equipment port, activates the binding authority of port; Described the first/the second specified format message is the message according to described preset protocol format organization.
3. the method for realization gateway Mac binding according to claim 2 is characterized in that, the first/the second specified format message of sign gateway Mac address, and Mac address, its source and purpose Mac address all are gateway Mac address.
4. according to the method for the arbitrary described realization gateway Mac binding of claim 1-3, it is characterized in that, when the network physical topological structure changes, comprise that also deexcitation changes the binding authority of the whole ports of the network equipment before.
5. according to the method for the arbitrary described realization gateway Mac binding of claim 1-3, it is characterized in that, comprise that also arbitrary port when a gateway satisfies when pre-conditioned, from the step of described port transmission the first/the second specified format message; Be specially:
When the binding authority of described port is activated, send the first specified format message from described port;
When the port that is activated of binding authority arrives predetermined period, send the first specified format message from described port;
When the port that is activated of binding authority switches when breaking away from a VLAN or disconnects when being connected with the logic of a network equipment, send the second specified format message from described port; Perhaps
Enter a VLAN person and set up when being connected when the port that is activated of binding authority switches, send the first specified format message from described port with the logic of a network equipment.
6. according to the method for the arbitrary described realization gateway Mac binding of claim 1-3, it is characterized in that, when a network equipment receives described the first/the second specified format message, comprising also whether inquiry present networks equipment exists other ports that has activated the binding authority, is then received message to be forwarded from the port that other have activated the binding authority.
7. according to the method for the arbitrary described realization gateway Mac binding of claim 1-3, it is characterized in that the corresponding relation of automatic bundling port of the described network equipment and gateway Mac address comprises:
The corresponding relation of the gateway Mac address that in address table, identifies in described port of comparison and the described first specified format message; Coupling, the attribute of then described port and gateway Mac address corresponding relation is set to Static, finishes; Do not match, in address table, set up the corresponding relation of described port and gateway Mac address, and the attribute of this corresponding relation is set to Static, end;
Perhaps,
The corresponding relation of the gateway Mac address that in address table, identifies in described port of comparison and the described first specified format message; When coupling, detect the attribute of described port and gateway Mac address corresponding relation, be Static or Trusted, finish; Be Learned, the attribute of described port of configuration and gateway Mac address corresponding relation is Trusted in address table, finishes; When not matching, in address table, set up the corresponding relation of described port and gateway Mac address, and the attribute of this corresponding relation is set to Trusted, end; Wherein, described Trusted attribute is superior to the Learned attribute, but is lower than the Static attribute.
8. according to the method for the arbitrary described realization gateway Mac binding of claim 1-3, it is characterized in that the corresponding relation that the described network equipment is separated bundling port and gateway Mac address automatically comprises:
In address table, delete the corresponding relation record of the gateway Mac address that identifies in described port and the described second specified format message, finish;
Perhaps,
Detect the attribute of the corresponding relation of the gateway Mac address that identifies in described port and the described second specified format message; Be Static, finish; Be Trusted or Learned, the corresponding relation record of port and gateway Mac address finishes described in the deletion address table; Wherein, described Trusted attribute is superior to the Learned attribute, but is lower than the Static attribute.
9. an assembly of realizing gateway Mac binding is characterized in that, comprising:
The Mac dispensing device, the port that is used to instruct gateway to activate the binding authority sends the first/the second specified format message that identifies gateway Mac address;
The Mac binding device is used to detect the port that the network equipment receives the first/the second specified format message and whether has activated the binding authority; And for activating under the situation of binding the authority port, the corresponding relation of described port of binding and described gateway Mac address is bound/is separated in instruction at this port.
10. the assembly of realization gateway Mac binding according to claim 9, it is characterized in that, also comprise the Mac retransmission unit, trigger when binding authority port receives the first/the second specified format message activating by the Mac binding device, instruct other ports that activated the binding authority of the described port place network equipment to transmit described the first/the second specified format message.
11. the assembly of realization gateway Mac binding according to claim 9 is characterized in that, also comprises timer, is used for periodic triggers Mac dispensing device.
12. the assembly of realization gateway Mac binding according to claim 9 is characterized in that, also comprises the gateway port induction installation, is used for triggering when gateway port is bound authority activation or attribute change or switched between VLAN described Mac dispensing device.
13. assembly according to the arbitrary described realization gateway Mac binding of claim 9-12, it is characterized in that, also comprise the Mac active device, be used to detect the network physical changes of topology structure, and corresponding execution activates the operation that interconnects the port binding authority of port between the network equipment.
14. a gateway of realizing gateway Mac binding is characterized in that be provided with Mac dispensing device as claimed in claim 9 in the described gateway, described gateway comprises three-tier switch and router.
15. a Layer 2 switch of realizing gateway Mac binding is characterized in that, is provided with Mac binding device as claimed in claim 9 in the described Layer 2 switch.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710123344A CN100596115C (en) | 2007-06-22 | 2007-06-22 | A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710123344A CN100596115C (en) | 2007-06-22 | 2007-06-22 | A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101060498A true CN101060498A (en) | 2007-10-24 |
| CN100596115C CN100596115C (en) | 2010-03-24 |
Family
ID=38866394
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200710123344A Active CN100596115C (en) | 2007-06-22 | 2007-06-22 | A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100596115C (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010025647A1 (en) * | 2008-09-02 | 2010-03-11 | 中兴通讯股份有限公司 | Implementation method for binding the mac address in the broadband access system |
| CN101227287B (en) * | 2008-01-28 | 2010-12-08 | 华为技术有限公司 | Data message processing method and data message processing equipment |
| CN101227467B (en) * | 2008-01-08 | 2011-11-30 | 中兴通讯股份有限公司 | Apparatus for managing black list |
| CN102301662A (en) * | 2011-06-27 | 2011-12-28 | 华为技术有限公司 | MAC address protection method and switches |
| CN102858033A (en) * | 2012-04-06 | 2013-01-02 | 中兴通讯股份有限公司 | Base transceiver station communication method and device |
| CN103209142A (en) * | 2012-01-11 | 2013-07-17 | 中兴通讯股份有限公司 | Method and system for restraining Ethernet layer-two data package from forwarding through switching device |
| CN103812794A (en) * | 2012-11-15 | 2014-05-21 | 上海斐讯数据通信技术有限公司 | System and method for arranging exchanger ports |
| CN103944826A (en) * | 2013-01-22 | 2014-07-23 | 杭州华三通信技术有限公司 | Entry aggregation method in SPBM (shortest path bridging MAC mode) network and equipment |
| CN107819776A (en) * | 2017-11-17 | 2018-03-20 | 锐捷网络股份有限公司 | A kind of message processing method and equipment |
| CN108833362A (en) * | 2018-05-23 | 2018-11-16 | 邱婧 | A kind of equipment access authority control method, apparatus and system |
| CN112532410A (en) * | 2019-09-18 | 2021-03-19 | 无锡江南计算技术研究所 | Trap quick response method for large-scale interconnection network |
| CN112738869A (en) * | 2020-12-29 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Message receiving method, device, equipment and medium |
| CN113271266A (en) * | 2021-04-21 | 2021-08-17 | 锐捷网络股份有限公司 | Message forwarding method and device for heterogeneous switching chip |
-
2007
- 2007-06-22 CN CN200710123344A patent/CN100596115C/en active Active
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101227467B (en) * | 2008-01-08 | 2011-11-30 | 中兴通讯股份有限公司 | Apparatus for managing black list |
| CN101227287B (en) * | 2008-01-28 | 2010-12-08 | 华为技术有限公司 | Data message processing method and data message processing equipment |
| WO2010025647A1 (en) * | 2008-09-02 | 2010-03-11 | 中兴通讯股份有限公司 | Implementation method for binding the mac address in the broadband access system |
| CN102301662A (en) * | 2011-06-27 | 2011-12-28 | 华为技术有限公司 | MAC address protection method and switches |
| WO2012103708A1 (en) * | 2011-06-27 | 2012-08-09 | 华为技术有限公司 | Media access control address protection method and switch |
| CN102301662B (en) * | 2011-06-27 | 2013-10-02 | 华为技术有限公司 | MAC address protection method and switches |
| US9282025B2 (en) | 2011-06-27 | 2016-03-08 | Huawei Technologies Co., Ltd. | Medium access control address protection method and switch |
| CN103209142A (en) * | 2012-01-11 | 2013-07-17 | 中兴通讯股份有限公司 | Method and system for restraining Ethernet layer-two data package from forwarding through switching device |
| CN102858033A (en) * | 2012-04-06 | 2013-01-02 | 中兴通讯股份有限公司 | Base transceiver station communication method and device |
| CN102858033B (en) * | 2012-04-06 | 2016-08-03 | 中兴通讯股份有限公司 | The communication means of base transceiver station and device |
| CN103812794A (en) * | 2012-11-15 | 2014-05-21 | 上海斐讯数据通信技术有限公司 | System and method for arranging exchanger ports |
| CN103812794B (en) * | 2012-11-15 | 2018-02-13 | 上海斐讯数据通信技术有限公司 | The setting system and method to set up of switch ports themselves |
| CN103944826B (en) * | 2013-01-22 | 2017-03-15 | 杭州华三通信技术有限公司 | List item polymerization and equipment in SPBM network |
| US9825859B2 (en) | 2013-01-22 | 2017-11-21 | Hewlett Packard Enterprise Development Lp | Item aggregation in shortest path bridging mac-in-mac mode (SPBM) network |
| CN103944826A (en) * | 2013-01-22 | 2014-07-23 | 杭州华三通信技术有限公司 | Entry aggregation method in SPBM (shortest path bridging MAC mode) network and equipment |
| CN107819776A (en) * | 2017-11-17 | 2018-03-20 | 锐捷网络股份有限公司 | A kind of message processing method and equipment |
| CN107819776B (en) * | 2017-11-17 | 2021-01-15 | 锐捷网络股份有限公司 | Message processing method and device |
| CN108833362A (en) * | 2018-05-23 | 2018-11-16 | 邱婧 | A kind of equipment access authority control method, apparatus and system |
| CN108833362B (en) * | 2018-05-23 | 2021-05-07 | 邱婧 | Equipment access authority control method, device and system |
| CN112532410A (en) * | 2019-09-18 | 2021-03-19 | 无锡江南计算技术研究所 | Trap quick response method for large-scale interconnection network |
| CN112532410B (en) * | 2019-09-18 | 2023-10-31 | 无锡江南计算技术研究所 | Rapid response method for large-scale interconnection network Trap |
| CN112738869A (en) * | 2020-12-29 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Message receiving method, device, equipment and medium |
| CN112738869B (en) * | 2020-12-29 | 2022-12-20 | 北京天融信网络安全技术有限公司 | Message receiving method, device, equipment and medium |
| CN113271266A (en) * | 2021-04-21 | 2021-08-17 | 锐捷网络股份有限公司 | Message forwarding method and device for heterogeneous switching chip |
| CN113271266B (en) * | 2021-04-21 | 2024-03-22 | 锐捷网络股份有限公司 | Message forwarding method and device of heterogeneous switching chip |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100596115C (en) | 2010-03-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101060498A (en) | A method for realizing the gateway Mac binding, assembly, gateway and layer 2 switch | |
| CN1310467C (en) | Port based network access control method | |
| CN100352240C (en) | Method for controlling number of Layer2 Ethernet ring equipment MAC address learning | |
| CN1921457A (en) | Network equipment and message transferring method based on multiple-core processor | |
| CN1929472A (en) | Method, system, signal and medium for managing data transmission in a data network | |
| CN1805363A (en) | Massive parallel processing apparatus and method for network isolation and information exchange module | |
| CN1946041A (en) | VLAN polymerizing method, converging exchanger and system based on ARP detector intercept | |
| CN1620034A (en) | Identification gateway and its data treatment method | |
| CN101051951A (en) | Method and device for securing server connection reliability | |
| CN1856163A (en) | Communication system with dialog board controller and its command transmitting method | |
| CN1744572A (en) | Switchnig equipment and method for controlling multicasting data forwarding | |
| CN101051995A (en) | Protection switching method based on no connection network | |
| CN1816011A (en) | Data transfer apparatus and multicast system and program | |
| CN1716912A (en) | Method and apparatus providing rapid end-to-end failover in a packet switched communications network | |
| CN1848826A (en) | Family gateway equipment | |
| CN1567808A (en) | A network security appliance and realizing method thereof | |
| CN1744574A (en) | Method for multicasting message to traverse non multicasting network and its applied network system | |
| CN1929444A (en) | Operator's boundary notes, virtual special LAN service communication method and system | |
| CN1878118A (en) | System for realizing data communication and its method | |
| CN1731740A (en) | Network device management method and network management system | |
| CN101060485A (en) | Topology changed messages processing method and processing device | |
| CN1777150A (en) | Method for realizing user-isolated virtual LAN and its network device | |
| CN1946064A (en) | Message repeat method and device | |
| CN1946060A (en) | Method for realizing re-oriented message correctly repeat and first-part and second-part | |
| CN1946053A (en) | Data transmission method and system between operator ether net and customer network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230807 Address after: 24th Floor, Block B, Zhizhen Building, No. 7 Zhichun Road, Haidian District, Beijing, 100088 Patentee after: Beijing Ziguang Communication Technology Group Co.,Ltd. Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466 Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd. |