CN101072239A - Method and device for realizing IP address filtering - Google Patents

Method and device for realizing IP address filtering

Info

Publication number: CN101072239A
Authority: CN (China)
Prior art keywords: address, mac, packet, vlan, source
Legal status: Granted; Expired - Fee Related
Application number: CN200710123368.7A
Other languages: Chinese (zh)
Other versions: CN101072239B (en)
Inventors: 顾霞, 李新宇, 刘昆
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Priority date: 2007-06-25
Filing date: 2007-06-25
Publication date: 2007-11-14 (CN101072239A); granted 2010-06-02 (CN101072239B)

Abstract

The method comprises: a switch device receives a data packet sent from a user and parses the packet to obtain its source MAC address, VLAN ID and source IP address; the entry in the switch device's MAC address table that matches the source MAC address and VLAN ID is checked for a binding configuration; the source IP address is compared with the IP address bound in that MAC address table entry; if the two addresses differ, the packet is filtered out, otherwise the packet is forwarded. The invention implements the VID+MAC+IP binding function in a Layer 2 switch device. The user must therefore use the bound IP address and cannot configure an arbitrary one, which prevents IP address conflicts and guarantees centralized control.

Description

Method and device for realizing IP address filtering
Technical field
The present invention relates to the technology of realizing IP address filtering in a switch device, and in particular to a method and device for realizing IP address filtering in a switch device that has a network processor supporting VID+MAC+IP binding.
Background technology
VID, i.e. VLAN ID, where VLAN stands for Virtual LAN. In present-day networks each user's network access port corresponds to a VID, so that Layer 2 isolation from other VLANs is achieved; the VID is used to distinguish different VLANs.
MAC, i.e. MAC address, is the address used by the Ethernet protocol. It is the physical address of the network interface card used by a PC and is stored in the EPROM of the network interface card; the MAC address of each PC is unique, and the MAC address of a given network interface card does not change.
IP, i.e. the Internet Protocol address, is mainly used for data exchange at the IP layer, and the user can configure the IP address of a PC at will.
As enterprise networks, campus networks and similar networks grow in size, a user who has obtained an IP address and then arbitrarily reconfigures the host's IP address can easily cause IP address conflicts. The filtering technique of VID+MAC+IP binding prevents the user from reconfiguring the IP address after obtaining it, thereby avoiding IP address conflicts and guaranteeing centralized management.
Existing VID+MAC+IP binding technology can be divided into two kinds: Layer 3 switching technology and Layer 2 switching technology. Layer 3 switching technology is mainly realized on the basis of DHCP (Dynamic Host Configuration Protocol) Relay, and a Layer 3 interface must be enabled before the binding and filtering function can be realized. Existing Layer 2 switching technology uses ACL (Access Control List) configuration to filter illegal IP addresses, but the number of ACL entries supported by a switch device is limited.
In summary, the prior art has the problem that realizing VID+MAC+IP binding IP address filtering in a Layer 2 switch device consumes too many ACL entries.
Summary of the invention
The objective of the invention is to propose a method and device for realizing IP address filtering, in order to solve the prior-art problem that realizing VID+MAC+IP binding IP address filtering in a Layer 2 switch device consumes too many ACL entries.
In order to achieve the above objective, the present invention is specifically realized as follows.
A method for realizing IP address filtering comprises receiving, by a switch device, a data packet sent from a user, and further comprises:
Step 1: parsing the data packet to obtain the source MAC address, VLAN ID and source IP address;
Step 2: performing a binding configuration check on the entry in the switch device's MAC address table that matches the source MAC address and VLAN ID;
Step 3: comparing the source IP address with the IP address bound in the switch device's MAC address table; if the two addresses differ, filtering out the packet; otherwise, if the two addresses are identical, forwarding the packet.
In the method for realizing IP address filtering, in step 2,
if no entry in the switch device's MAC address table matches the source MAC address and VLAN ID, the packet is forwarded directly.
In the method for realizing IP address filtering, in step 2,
if the matching entry in the switch device's MAC address table has no binding configuration, the packet is forwarded directly.
The present invention also proposes a device for realizing IP address filtering, comprising: a receiving module for receiving the data packet sent by the user;
an analysis module for parsing the data packet to obtain the source MAC address, VLAN ID and source IP address;
a configuration check module for checking whether the binding filtering function is configured on the entry in the switch device's MAC address table that matches the source MAC address and VLAN ID;
a judgement/processing module for comparing the source IP address with the IP address bound in the switch device's MAC address table, filtering the packet if the addresses differ and forwarding the packet if the addresses are identical.
With the present invention, the VID+MAC+IP binding function is realized in a Layer 2 switch device: the user must use the bound IP address and may not reconfigure it arbitrarily, which effectively avoids IP address conflicts and guarantees centralized management. Moreover, the present invention is simple and flexible to implement.
Description of drawings
Fig. 1 is a diagram of a user going online with the bound IP address;
Fig. 2 is a diagram of a user going online with an unbound IP address;
Fig. 3 is the main flow chart of the method of the invention.
Embodiment
The main technical idea of the present invention is as follows: when a user's MAC address, VLAN ID and IP address are bound, a special MAC entry is generated in the switch device, the binding flag bit in the entry is set, and the bound IP address is also written into the MAC entry. The user must then use the bound IP address; if the user changes to another IP address, normal communication is impossible because every packet sent will be filtered.
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, a PC with MAC address 00-11-C6-5B-D5-80 in VLAN 1 goes online with the bound IP address (192.168.1.1). The switch device first looks up the MAC learning table by MAC+VLAN and obtains the corresponding MAC entry, which has the binding function, so an IP comparison is required. Comparison result: the source IP of the packet is identical to the IP bound in the MAC entry, so the packet is not filtered but forwarded normally, and the user communicates normally with the outside world.
As shown in Fig. 2, a PC with MAC address 00-11-C6-5B-D5-80 in VLAN 1, whose bound IP address is 192.168.1.1, goes online with an unbound IP address (192.168.1.5). The switch device first looks up the MAC learning table by MAC+VLAN and obtains the corresponding MAC entry, which has the binding function, so an IP comparison is required. Comparison result: the source IP of the packet differs from the IP bound in the MAC entry, so the packet is filtered out and the user cannot communicate with the outside world.
Fig. 3 is the main flow chart of the method of the invention.
Described from the perspective of data forwarding, the method of realizing IP address filtering of the present invention mainly comprises the following steps:
Step one: the switch device receives the data packet sent from the user and parses the source MAC address, VLAN ID and source IP address from the packet;
Step two: the MAC address table of the switch device is queried with the source MAC address and VLAN ID of the packet;
Step three: according to the query result, it is judged whether the source MAC address and VLAN ID of the packet match an entry in the switch device's MAC address table; if they do not match, no IP comparison is performed and the data is forwarded normally; otherwise, if they match, proceed to step four;
Step four: the binding flag bit in the matching entry of the switch device's MAC address table is checked; if the flag bit is 0, the binding filtering function is not configured on this MAC entry, no IP comparison is needed and the data is forwarded normally; if the flag bit is 1, the binding filtering function is configured on this MAC entry, an IP comparison is needed, and the method proceeds to step five;
Step five: the source IP address of the packet is compared with the IP address bound in the MAC address table; if they differ, the packet is discarded, i.e. filtered out; otherwise, if they are identical, the packet is forwarded normally.
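The five-step forwarding decision above, written out as an added example that is not part of the patent or ZTE's implementation: a parser for an 802.1Q-tagged IPv4 frame supplies source MAC, VLAN ID and source IP (step one), and a lookup against a constructed MAC table with a binding flag and bound IP applies steps two to five. The table, frames and helper names are assumptions for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800

@dataclass
class MacEntry:
    bound: bool               # binding flag bit: 1 = VID+MAC+IP binding configured
    bound_ip: Optional[str]   # bound IP written into the entry when the flag is set

MacTable = Dict[Tuple[str, int], MacEntry]   # keyed by (source MAC, VLAN ID)

def parse_frame(frame: bytes) -> Tuple[str, int, str]:
    """Step one: extract source MAC, VLAN ID and source IPv4 address from a tagged frame."""
    if len(frame) < 18 + 20:
        raise ValueError("frame too short for 802.1Q + IPv4 header")
    src_mac = "-".join(f"{b:02X}" for b in frame[6:12])
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_VLAN:
        raise ValueError("untagged frame: no VLAN ID to match on")
    vlan_id = tci & 0x0FFF                       # low 12 bits of the TCI
    if struct.unpack("!H", frame[16:18])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    src_ip = ".".join(str(b) for b in frame[30:34])   # IPv4 saddr at offset 18 + 12
    return src_mac, vlan_id, src_ip

def filter_decision(table: MacTable, src_mac: str, vlan_id: int, src_ip: str) -> str:
    """Steps two to five: 'forward' or 'drop' for the parsed (MAC, VLAN, IP) triple."""
    entry = table.get((src_mac, vlan_id))        # step two: MAC table lookup by MAC+VLAN
    if entry is None:                            # step three: no matching entry, no IP check
        return "forward"
    if not entry.bound:                          # step four: flag bit 0, binding not configured
        return "forward"
    return "forward" if entry.bound_ip == src_ip else "drop"   # step five: IP comparison

def check_frame(table: MacTable, frame: bytes) -> str:
    return filter_decision(table, *parse_frame(frame))

def build_frame(src_mac: str, vlan_id: int, src_ip: str) -> bytes:
    """Constructed test input: broadcast dst, 802.1Q tag, minimal IPv4 header (no checksum)."""
    mac = bytes(int(x, 16) for x in src_mac.split("-"))
    ip = bytes(int(x) for x in src_ip.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip, b"\xc0\xa8\x01\xfe")
    return eth + ip_hdr

# Constructed MAC table mirroring the Fig. 1 / Fig. 2 scenario: the PC's entry is bound to 192.168.1.1.
BOUND_TABLE: MacTable = {
    ("00-11-C6-5B-D5-80", 1): MacEntry(bound=True, bound_ip="192.168.1.1"),
    ("00-11-C6-5B-D5-81", 1): MacEntry(bound=False, bound_ip=None),   # learned, not bound
}

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.5"):
        print(ip, check_frame(BOUND_TABLE, build_frame("00-11-C6-5B-D5-80", 1, ip)))
```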

Claims (4)

1. A method for realizing IP address filtering, comprising receiving, by a switch device, a data packet sent from a user, characterized in that it further comprises:
Step 1: parsing the data packet to obtain the source MAC address, VLAN ID and source IP address;
Step 2: performing a binding configuration check on the entry in the switch device's MAC address table that matches the source MAC address and VLAN ID;
Step 3: comparing the source IP address with the IP address bound in the switch device's MAC address table; if the two addresses differ, filtering out the packet; otherwise, if the two addresses are identical, forwarding the packet.
2. The method for realizing IP address filtering according to claim 1, characterized in that, in step 2,
if no entry in the switch device's MAC address table matches the source MAC address and VLAN ID, the packet is forwarded directly.
3. The method for realizing IP address filtering according to claim 1 or 2, characterized in that, in step 2,
if the matching entry in the switch device's MAC address table has no binding configuration, the packet is forwarded directly.
4. A device for realizing IP address filtering, comprising a receiving module for receiving the data packet sent by the user,
characterized in that it further comprises:
an analysis module for parsing the data packet to obtain the source MAC address, VLAN ID and source IP address;
a configuration check module for checking whether the binding filtering function is configured on the entry in the switch device's MAC address table that matches the source MAC address and VLAN ID;
a judgement/processing module for comparing the source IP address with the IP address bound in the switch device's MAC address table, filtering the packet if the addresses differ and forwarding the packet if the addresses are identical.

Priority Applications (1)

Application Number: CN200710123368.7A (CN101072239B, en); Priority Date: 2007-06-25; Filing Date: 2007-06-25; Title: Method and device for realizing IP address filtering

Publications (2)

CN101072239A (en), publication date 2007-11-14
CN101072239B (en), publication date 2010-06-02

Family ID: 38899226


Country Status (1)

CN (1): CN101072239B (en)


Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1129272C (en) * 2000-12-15 2003-11-26 华为技术有限公司 Virtual local area network access method in ethernet access network
CN1167227C (en) * 2001-10-31 2004-09-15 华为技术有限公司 Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line
CN100437550C (en) * 2002-09-24 2008-11-26 武汉邮电科学研究院 Ethernet confirming access method
US7586895B2 (en) * 2005-04-01 2009-09-08 Cisco Technology, Inc. Performing extended lookups on MAC-based tables including level 3 multicast group destination addresses

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610258B (en) * 2009-07-21 2012-03-28 北京九方中实电子科技有限责任公司 Method for filtering DOCSIS MAC address
WO2012031572A1 (en) * 2010-09-10 2012-03-15 Huawei Technologies Co., Ltd. Use of partitions to reduce flooding and filtering database size requirements in large layer two networks
US8837281B2 (en) 2010-09-10 2014-09-16 Futurewei Technologies, Inc. Use of partitions to reduce flooding and filtering database size requirements in large layer two networks
CN103501355A (en) * 2013-09-04 2014-01-08 福建星网锐捷网络有限公司 Detection method and device of Internet protocol address conflict and gateway device
CN104316873A (en) * 2014-11-13 2015-01-28 云南电网公司电力科学研究院 Circuit breaker and mechanism status four-in-one recognition system
CN104316873B (en) * 2014-11-13 2017-07-28 云南电网公司电力科学研究院 A kind of breaker and mechanism status quaternity identifying system
CN104348696A (en) * 2014-11-17 2015-02-11 京信通信系统(中国)有限公司 Method and equipment for dividing multiple VLANs (Virtual Local Area Network)
CN104348696B (en) * 2014-11-17 2018-03-27 京信通信系统(中国)有限公司 A kind of method and apparatus for dividing multi-VLAN
CN105681490A (en) * 2016-03-29 2016-06-15 上海斐讯数据通信技术有限公司 Software defined network (SDN)-based anti-IP address conflict method
CN105681490B (en) * 2016-03-29 2019-10-22 上海斐讯数据通信技术有限公司 A kind of anti-IP address conflict method based on software defined network
CN112019653A (en) * 2020-09-09 2020-12-01 迈普通信技术股份有限公司 Access switch, IP address deployment method, device and readable storage medium

Also Published As

CN101072239B (en), publication date 2010-06-02


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee (granted publication date: 20100602; termination date: 20160625)