CN101115004B - Method for preventing host computer from access to network appliance and blocking server - Google Patents


Info

Publication number: CN101115004B
Application number: CN200710119826XA
Authority: CN (China)
Other versions: CN101115004A
Other languages: Chinese (zh)
Prior art keywords: address, virtual network, blocking server, subnet, vlan
Inventors: 曹华 (Cao Hua), 卓维乾 (Zhuo Weiqian), 李冠鹏 (Li Guanpeng)
Current assignee: Beijing BOCO Inter-Telecom Technology Co., Ltd.
Original assignee: Bright Oceans Inter Telecom Software Research Institute Co Ltd
Legal status: Active (granted)
Prosecution history: application filed by Bright Oceans Inter Telecom Software Research Institute Co Ltd with priority to CN200710119826XA; published as CN101115004A; granted and published as CN101115004B.

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for preventing a host from accessing network equipment. On a physical network port of a blocking server, a plurality of virtual network ports are configured, corresponding to a plurality of virtual LANs (VLANs). Among the virtual network ports of the blocking server, the one whose subnet address matches the subnet address of the destination host is obtained. Trunking (the TRUNK protocol) is enabled on every switch on the transmission path between the blocking server and the destination host. The blocking server then sends the blocking packet over the trunk to the destination host from the virtual network port whose subnet address was matched. The invention also discloses a blocking server. When applied in a large network containing many VLANs, the blocking server can send blocking packets across VLANs without a hub to interconnect the VLANs, which improves the operability of preventing hosts from accessing network equipment.

Description

Method and blocking server for preventing a host from accessing network equipment
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and a blocking server for preventing a host from accessing network equipment.
Background technology
ARP (Address Resolution Protocol) maps between MAC addresses (link-layer addresses) and IP addresses (network-layer addresses). If host A wants to send data to host B but knows only B's IP address, A must first discover B's MAC address: A sends an ARP broadcast that contains B's IP address and requests B's MAC address, and when B receives this broadcast it returns an ARP reply containing its MAC address to A. Every host in the network keeps an ARP cache, a table of known IP-to-MAC mappings, so a host does not have to broadcast an ARP request every time it sends data; it first consults the mappings stored in its ARP cache, which reduces ARP broadcasts in the network. Before sending an IP packet, a host therefore looks up in its mapping table the hardware (MAC) address corresponding to the packet's destination; if none is found, the host sends an ARP broadcast, refreshes its ARP cache, and then sends the IP packet.
ARP spoofing is commonly used to prevent a host from accessing the network. For example, to block communication between host A and host B, a blocking server performing ARP spoofing can actively send host A an ARP reply that contains a wrong MAC address for host B, thereby updating A's ARP cache; when A next wants to communicate with B and queries its ARP cache, it obtains the wrong MAC address for B, and communication from A to B fails. Because ARP is a layer-2 protocol of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite, carried directly in Ethernet frames rather than in IP, ARP traffic, including ARP broadcasts, can only be sent within a single VLAN and cannot cross layer 3, the IP layer, to reach another subnet. Consequently a blocking server in one network segment cannot prevent hosts in other segments from accessing the network.
Fig. 1 shows how the prior art lets a blocking server prevent hosts from accessing network equipment across VLANs. In Fig. 1 each VLAN is managed by the upper-layer switch above it; normally one line is drawn from each of these upper-layer switches and aggregated at a hub, and the hub is connected to the blocking server. The hub communicates with the VLANs managed by the respective switches by broadcasting, so when the blocking server sends an ARP packet, the hub broadcasts it into every VLAN, and the blocking server can thus perform ARP spoofing against hosts in every VLAN. However, real networks are large and contain many VLANs (Virtual Local Area Networks), and the switches managing the different VLANs are physically far apart. Interconnecting every VLAN through a hub is therefore too complex: long cable runs are needed between the hub and the upper-layer switch of every VLAN, so operability is poor.
Summary of the invention
The object of the present invention is to provide a method for preventing a host from accessing network equipment, so as to solve the problem that the prior-art method of preventing host access to network equipment is too complex.
Another object of the present invention is to provide a blocking server for preventing a host from accessing network equipment, so as to solve the problem that prior-art blocking servers are too complex to deploy when blocking host access to the network.
To solve the above technical problems, the invention provides the following technical solutions:
A method for preventing a host from accessing network equipment comprises:
configuring, on a physical network port of a blocking server, a plurality of virtual network ports corresponding to a plurality of virtual LANs (VLANs), the virtual network ports corresponding respectively to a plurality of port-based VLANs in the network under a layer-3 switch, the blocking server having stored in advance the IP address and corresponding subnet mask of every host in the network;
among the virtual network ports of the blocking server, obtaining the virtual network port whose subnet address matches the subnet address of the destination host;
implementing trunking (TRUNK) on every switch along the transmission path between the blocking server and the destination host;
the blocking server sending the blocking packet over the trunk to the destination host from the virtual network port whose subnet address was obtained.
Configuring the virtual network ports of the plurality of VLANs on the blocking server specifically comprises:
the blocking server configuring, for each VLAN, a virtual network port IP address and the subnet mask corresponding to that IP address; the logical AND of the IP address with its subnet mask yields the subnet address of the virtual network port of the corresponding VLAN.
The blocking server obtains the virtual network port subnet address matching the destination host subnet address by the following steps:
the blocking server calculates the subnet address of the destination host and the subnet address of each of its virtual network ports;
compares the subnet address of the destination host with the subnet address of each virtual network port;
and determines the virtual network port whose subnet address matches the destination host subnet address.
Calculating the subnet address of the destination host and of each virtual network port specifically comprises:
the blocking server obtaining the destination host's subnet address by a logical AND of the stored IP address of the destination host with its subnet mask, and
obtaining the subnet address of each virtual network port by a logical AND of the configured IP address of that virtual network port with its corresponding subnet mask.
The method further comprises:
the blocking server constructing the blocking packet before sending it.
The blocking packet is an ARP spoofing packet containing a wrong physical (MAC) address for the network equipment that the destination host is to be prevented from accessing.
The blocking server is a blocking server that supports the 802.1Q protocol.
A blocking server for preventing a host from accessing network equipment comprises:
a virtual-network-port configuration unit, for configuring on a physical network port of the blocking server a plurality of virtual network ports corresponding to a plurality of VLANs, the virtual network ports corresponding respectively to a plurality of port-based VLANs in the network under a layer-3 switch, the blocking server having stored in advance the IP address and corresponding subnet mask of every host in the network;
a subnet address acquisition unit, for obtaining, among the virtual network ports of the blocking server, the virtual network port subnet address matching the destination host subnet address;
a trunk enabling unit, for implementing trunking on every switch along the transmission path between the blocking server and the destination host;
a packet sending unit, for sending the blocking packet over the trunk to the destination host from the virtual network port corresponding to the matched subnet address.
The blocking server further comprises:
a packet construction unit, for constructing the blocking packet, which is an ARP spoofing packet containing a wrong physical address for the network equipment that the destination host is to be prevented from accessing.
The blocking server supports the 802.1Q protocol.
As can be seen from the technical solutions above, the invention configures on the blocking server virtual network ports for a plurality of VLANs; the blocking server obtains the virtual network port whose subnet address matches that of the destination host, and then sends the blocking packet to the destination host from that virtual network port. When applied in a large network containing many VLANs, the invention sends blocking packets across VLANs without a hub to interconnect the VLANs, which simplifies the network configuration and improves the operability of preventing hosts from accessing network equipment.
Description of drawings
Fig. 1 is a schematic diagram of preventing a host from accessing network equipment through a hub in the prior art;
Fig. 2 is a flow chart of the first embodiment of the method of the invention;
Fig. 3 is a flow chart of the second embodiment of the method of the invention;
Fig. 4 is a network diagram of one application of an embodiment of the invention to prevent a host from accessing network equipment;
Fig. 5 is a network diagram of another such application;
Fig. 6 is a block diagram of the first embodiment of the blocking server of the invention;
Fig. 7 is a block diagram of the second embodiment of the blocking server of the invention.
Embodiments
The invention provides a method for preventing a host from accessing network equipment. Its core is that virtual network ports for a plurality of VLANs are configured on the blocking server; after obtaining the virtual network port whose subnet address matches the destination host's subnet address, the blocking server sends the blocking packet to the destination host from that virtual network port. In the invention, "network equipment" mainly refers to hosts, switches, routers and similar devices on the network.
So that those skilled in the art may better understand the solution, and so that the above objects, features and advantages of the invention become clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
The flow chart of the first embodiment of the method is shown in Fig. 2:
Step 201: configure, on a physical network port of the blocking server, a plurality of virtual network ports corresponding to a plurality of VLANs.
Here the blocking server configures, for each VLAN, a virtual network port IP address and the subnet mask corresponding to that address. The subnet mask distinguishes which part of the IP address is the network address and which part is the host address; the logical AND of each IP address with its subnet mask gives the subnet address of the virtual network port of the corresponding VLAN. The configured IP addresses are chosen from within the respective VLANs.
Step 202: the blocking server obtains the virtual network port subnet address matching the destination host subnet address.
Specifically, the blocking server calculates the subnet address of the destination host and the subnet address of each virtual network port, compares the destination host's subnet address with that of each virtual network port, and finally determines the virtual network port whose subnet address matches the destination host's.
The subnet addresses are calculated as follows: the blocking server ANDs the stored IP address of the destination host with its subnet mask to obtain the destination host's subnet address, and ANDs the configured IP address of each virtual network port with its corresponding subnet mask to obtain each virtual network port's subnet address.
Step 203: enable the TRUNK protocol or implement trunking on the switches along the transmission path between the blocking server and the destination host.
Step 204: send the blocking packet over the trunk to the destination host from the virtual network port corresponding to the matched subnet address.
Specifically, after trunking has been enabled on the links that the blocking server's traffic passes through, the blocking server first constructs the blocking packet and then sends it over the trunk, from the determined virtual network port, to the destination host.
The blocking packet is an ARP spoofing packet containing a wrong physical address for the network equipment the destination host is to be prevented from accessing.
In particular, the blocking server of the invention is one that supports the 802.1Q protocol.
Step 205: the destination host updates the physical address of the network equipment stored in its ARP cache with the wrong physical address in the received ARP spoofing packet.
The flow chart of the second embodiment of the method is shown in Fig. 3; this embodiment illustrates in detail how the method prevents a host from accessing network equipment:
Step 301: configure, on a physical network port of the blocking server, a plurality of virtual network ports corresponding to a plurality of VLANs.
This step configures one physical network port of the blocking server as a plurality of virtual network ports, each corresponding to one of the port-based VLANs in the network under a layer-3 switch. For example, virtual network port 1 corresponds to VLAN1, virtual network port 2 to VLAN2, and virtual network port n to VLANn. When there are several layer-3 switches in the network, the same VLAN can be shared between switches by a tagging mechanism for the packets exchanged between them: one port of a switch is set up as a trunk link, and packets of any VLAN can be transferred over that link. When packets are forwarded between switches, each packet is given a tag as defined by the 802.1Q protocol. 802.1Q, the Virtual Bridged Local Area Networks protocol (formal title: Virtual Bridged Local Area Network standard), is the IEEE standard for transferring packets between bridges; it mainly specifies how VLANs are implemented and defines the port-based VLAN model. The receiving switch removes the tag and forwards the packet to the correct port or, for a broadcast packet, to the correct VLAN. The same VLAN can thus span several Ethernet switches.
A VLAN is a set of devices located on one or more LANs that are configured to communicate as if attached to the same channel, even though they are actually distributed across different LANs. Because a VLAN is based on logical rather than physical connections, it provides flexible user/host management, bandwidth allocation and resource optimisation. Since VLANs are defined by 802.1Q, the blocking server of the invention needs at least one physical network port that supports the 802.1Q protocol, which can be provided by installing a network card that supports 802.1Q, for example an Intel PRO/100+.
Configuring on the physical network port of the blocking server the virtual network ports corresponding to the VLANs of the network means configuring, for each virtual network port, an IP address and the subnet mask corresponding to that address. The Internet consists of many smaller networks, each with many hosts, forming a hierarchical structure; IP addresses were designed with this hierarchy in mind, so every IP address is divided into a network number and a host number to simplify addressing. A subnet mask cannot exist on its own; it is used together with an IP address, and its function is to split an IP address into a network part and a host part. Subnet masks follow a fixed rule: like an IP address, a subnet mask is 32 bits long; the bits on the left are the network part and are set to binary 1, and the bits on the right are the host part and are set to binary 0. Before the virtual network ports of the VLANs are configured, the IP address and subnet mask of each virtual network port are provided to the administrator configuring the virtual network ports by the VLAN administrators responsible for dividing and managing the VLANs in the network. VLAN administrators usually divide VLANs by port, a function supported by the products of many vendors. The principle is to define VLANs according to switch ports, i.e. to logically partition the ports of the LAN switch into VLANs, and then to divide IP address subnets within each VLAN as needed; subnetting further partitions the host address space within a network address and effectively improves network reliability, flexibility, adaptability and address utilisation. Port-based VLAN division is further divided into single-switch and multi-switch port VLANs: the former only supports forming a VLAN from designated ports on one switch, while multi-switch port VLANs let one VLAN span several switches and let ports on the same switch belong to different VLANs. Port-based VLANs allow good user management, reduce broadcast storms, and are more secure. The administrator configuring the virtual network ports manually enters into the network card the IP address of each virtual network port, and the corresponding subnet mask, obtained from the VLAN administrators. This configuration must guarantee that the subnet address obtained by the logical AND of each IP address with its subnet mask is the subnet address of the virtual network port of the corresponding VLAN.
After the blocking server has configured the virtual network ports of the VLANs, these virtual network ports are logically present in every VLAN of the network, because once the blocking server has configured the IP address and subnet mask for each VLAN, each of its virtual network ports holds an IP address belonging to that VLAN. When the blocking server needs to communicate with a host x that (before the virtual network ports were configured) was not in the same VLAN, VLANx, as the blocking server, a virtual network port corresponding to VLANx is now configured on the network card, so the virtual network port matching VLANx, the VLAN host x is in, can be selected from the card's configuration; the packets the blocking server sends to host x from this virtual network port can then be recognised by host x. Sending blocking packets from the blocking server to hosts in each VLAN of the network is thus equivalent to transmitting within the same layer-2 network, and the blocking packet is thereby sent across VLANs.
Step 302: the blocking server calculates the subnet address of the destination host and the subnet address of each virtual network port.
Besides the pre-configured IP address and subnet mask of each virtual network port, the blocking server also stores the IP address and subnet mask of every host in the network. To calculate the subnet address of each virtual network port, the blocking server ANDs the configured IP address of the port with its subnet mask; to calculate the subnet address of the destination host, it ANDs the stored IP address of the destination host with the host's subnet mask.
Step 303: compare the subnet address of the destination host with the subnet address of each virtual network port, and determine the virtual network port whose subnet address matches the destination host's.
After comparing the calculated subnet address of the destination host with the calculated subnet address of each virtual network port, the one virtual network port whose subnet address matches the destination host's is found; that subnet address identifies the virtual network port of the corresponding VLAN.
Step 304: enable the TRUNK protocol or implement trunking on the switches along the link over which the blocking server sends the blocking packet.
TRUNK means trunking. In its link-aggregation sense, trunking combines two or more physical ports, through configuration software, into one logical channel that behaves as a single link, increasing the bandwidth between the switch and a network node: the bandwidth of the member ports is merged and offered to a port as a dedicated channel several times the bandwidth of a single port. Trunking is also an encapsulation technique for a point-to-point link whose two ends may be two switches, a switch and a router, or a host and a switch or router. Based on the trunking function, two or more ports between switch and switch, switch and router, or host and switch or router can be connected in parallel and transmit simultaneously to provide higher bandwidth and throughput, greatly increasing overall network capacity. In VLAN data transmission, however, vendors use different techniques: Cisco products use Cisco's own VLAN trunking encapsulation, while most other vendors' products support the 802.1Q protocol, which inserts a TAG header into the frame. This produces so-called baby giant frames that can only be recognised by a port using the same protocol: the tag adds 4 bytes, so a tagged maximum-size frame exceeds the 1518-byte limit of a standard Ethernet frame, an ordinary network card cannot recognise it, and a network card or switch supporting 802.1Q is required to strip the TAG. Enabling trunking is done by the network administrator. For example, to enable trunking on port g2/1 of a switch, the administrator logs in to the switch and enters the following (Cisco IOS syntax; the encapsulation is set before the port mode, since IOS rejects "switchport mode trunk" while the encapsulation is still set to auto-negotiate):
    enable
    configure terminal
    interface g2/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan all
Send the blocking-up packet time institute switch of road on link at blocking server, after starting TRUNK on this switch, TRUNK link does not belong to any one VLAN, TRUNK link plays a part the VLAN pipeline between switch, main frame and blocking server, after a port of switch or router is arranged to TRUNK, just can realize communication between a plurality of VLAN by this port.Usually can only transmit data in the VLAN at its place at main frame under the single one physical link, the present invention is transmitted data institute road after starting the TRUNK agreement on the switch at blocking server, this blocking server transmission data institute road just becomes the multiplex link of a plurality of VLAN through the link of switch, and blocking server can be by each vlan communication in this multiplex link and the network.
Step 305: blocking server structure blocking-up packet.
The blocking-up packet of blocking server structure is generally ARP deception packet, has comprised the wrong MAC Address that stops destination host accesses network equipment in this ARP deception packet.
Usually ARP deception packet is made up of a plurality of critical fielies, behind the destination host of having determined to need to stop when blocking server, relevant information can be inserted in the corresponding field of ARP deception packet, forms ARP deception packet to be sent.
Step 306: will block packet and be sent to destination host from the virtual network port subnet address corresponding virtual network interface of determining by the TRUNK agreement.
The ARP deception packet definite VLAN virtual network port subnet address from step 303 that has comprised wrong MAC Address sends, and can be sent to the destination host that has the same subnet address with this VLAN virtual network port by the TRUNK agreement.
Destination host is after receiving the ARP deception packet that the blocking server across a network sends over, upgrade the MAC Address of this network equipment in the ARP high-speed cache with the wrong MAC Address of the network equipment in this ARP deception packet, when destination host is attempted when this network equipment is communicated by letter, will use in the ARP high-speed cache the wrong MAC Address of this network equipment to communicate by letter with it, therefore the communication failure of destination host and this network equipment has realized that thus the blocking server travelling across VLAN stops the purpose of the host access network equipment.
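The following is an added example written for this page, not code from the patent or its assignee. It carries steps 201 to 205 and 301 to 306 through in Python: the blocking server's table of virtual network ports, the AND-based subnet match that picks the VLAN for a destination host (steps 302 and 303), construction of the 802.1Q-tagged ARP reply carrying the forged MAC (steps 305 and 306), a decoder showing what the host or a sensor on the trunk receives, and a raw-socket sender for a trunk-connected Linux host. All MAC and IP addresses are constructed sample values; the switch Bn address, the host MACs and the server MAC are assumptions. The no-match case returns None rather than guessing a port, because an ARP reply sent into the wrong VLAN never reaches the host.

```python
# Added example (not the patent's code): the blocking server's VLAN port
# selection (steps 302-303) and the 802.1Q-tagged ARP reply it sends
# (steps 305-306). Every address below is a constructed sample value.
import ipaddress
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def subnet_of(ip: str, mask: str) -> int:
    """Subnet address = IP AND mask, as a 32-bit integer (step 302)."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


@dataclass(frozen=True)
class VirtualPort:
    """One virtual network port on the blocking server's 802.1Q NIC (step 301)."""
    vlan_id: int
    ip: str
    mask: str

    @property
    def subnet(self) -> int:
        return subnet_of(self.ip, self.mask)


def select_port(ports, host_ip: str, host_mask: str):
    """Step 303: the virtual port whose subnet address equals the host's.
    Returns None if no configured VLAN matches; the caller must not fall
    back to another port, since the ARP reply would never reach the host."""
    target = subnet_of(host_ip, host_mask)
    return next((p for p in ports if p.subnet == target), None)


def mac_bytes(mac: str) -> bytes:
    """Accepts both 00-0a-bf-23-78-0a and 00:0a:bf:23:78:0a."""
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def build_tagged_arp_reply(vlan_id, server_mac, spoofed_mac, spoofed_ip,
                           target_mac, target_ip) -> bytes:
    """Steps 305-306: Ethernet II header, 802.1Q tag, ARP reply (46 bytes).
    The ARP sender fields carry the forged binding (equipment IP -> wrong MAC);
    the Ethernet source is the blocking server's own MAC."""
    tci = vlan_id & 0x0FFF                       # PCP 0, DEI 0, VID = vlan_id
    eth = mac_bytes(target_mac) + mac_bytes(server_mac)
    eth += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4
    arp += mac_bytes(spoofed_mac) + ipaddress.IPv4Address(spoofed_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_tagged_arp(frame: bytes) -> dict:
    """Decode the frame as the host (or a monitoring sensor on the trunk) sees it."""
    outer, tci, inner = struct.unpack("!HHH", frame[12:18])
    if outer != ETHERTYPE_8021Q or inner != ETHERTYPE_ARP:
        raise ValueError("not an 802.1Q-tagged ARP frame")
    opcode = struct.unpack("!H", frame[24:26])[0]
    return {
        "vlan": tci & 0x0FFF,
        "opcode": opcode,
        "sender_mac": frame[26:32].hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(frame[32:36])),
        "target_mac": frame[36:42].hex(":"),
        "target_ip": str(ipaddress.IPv4Address(frame[42:46])),
    }


def block_host(ports, host_table, server_mac, host_ip, equipment_ip, wrong_mac):
    """Whole procedure for one destination host; returns (vlan_id, frame)."""
    host = host_table[host_ip]                   # stored in advance (step 301)
    port = select_port(ports, host_ip, host["mask"])
    if port is None:
        raise LookupError(f"no virtual port shares a subnet with {host_ip}")
    frame = build_tagged_arp_reply(port.vlan_id, server_mac, wrong_mac,
                                   equipment_ip, host["mac"], host_ip)
    return port.vlan_id, frame


def send_frame(frame: bytes, ifname: str) -> int:
    """Transmit on the trunk-facing NIC (Linux AF_PACKET, needs CAP_NET_RAW).
    Assumption: the tag stays in the payload and the frame goes out on the
    physical interface, not on a kernel VLAN sub-interface that tags again."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((ifname, 0))
        return sock.send(frame)


# Constructed sample configuration (assumed values, not from the patent)
SERVER_MAC = "00:11:22:33:44:55"
VIRTUAL_PORTS = [VirtualPort(1, "192.168.0.254", "255.255.255.0"),
                 VirtualPort(2, "192.168.1.254", "255.255.255.0"),
                 VirtualPort(3, "192.168.2.254", "255.255.255.0")]
HOST_TABLE = {"192.168.0.1": {"mac": "00:aa:bb:cc:dd:01", "mask": "255.255.255.0"},
              "192.168.1.7": {"mac": "00:aa:bb:cc:dd:07", "mask": "255.255.255.0"}}
BN_IP = "192.168.0.250"              # assumed address of switch Bn in VLAN1
BN_MAC_WRONG = "00-0b-bf-23-78-0a"   # forged MAC handed to host 1

if __name__ == "__main__":
    vlan, frame = block_host(VIRTUAL_PORTS, HOST_TABLE, SERVER_MAC,
                             "192.168.0.1", BN_IP, BN_MAC_WRONG)
    print(f"VLAN {vlan}, {len(frame)} bytes:", parse_tagged_arp(frame))
    # send_frame(frame, "eth0")  # uncomment on a trunk-connected Linux host
```

Run without arguments to print the decoded frame for host 192.168.0.1; the switch port facing the blocking server must be a trunk carrying the selected VLAN, as in step 304, or the tagged frame is dropped at the first switch.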
Use a kind of network diagram that the embodiment of the invention stops the host access network equipment as shown in Figure 4, this schematic diagram has illustrated a network with single three-tier switch.
In this network diagram, connected the n platform Layer 2 switch from B1 to Bn under the three-tier switch C respectively, under Layer 2 switch B1, connected the blocking server A in the network, under Layer 2 switch Bn, connected N the main frame of main frame 1 to main frame N, this N main frame lays respectively among m the virtual VLAN, wherein main frame 1 and main frame 2 are arranged in VLAN1, and main frame N-1 and main frame N are arranged in VLANm.
Suppose that blocking server A will stop main frame 1 visit Layer 2 switch Bn, then can be on blocking server the virtual network port of a plurality of VLAN in the configuration network, be that example describes with the virtual network port of m VLAN under the configuration Layer 2 switch Bn especially here.Dispose each virtual network port of m VLAN correspondence respectively for blocking server A, the subnet mask of each virtual network port IP address of configuration and this IP address correspondence, wherein Pei Zhi IP address is chosen from the VLAN corresponding with virtual network port, guarantees during configuration that the subnet address that obtains after the subnet mask " logical AND (AND) " of IP address and this IP address correspondence is the subnet address of corresponding VLAN virtual network port.After blocking server A has disposed the virtual network port of m VLAN under the Bn, just be equivalent to be present in logic among this m VLAN.
The trunk (TRUNK) protocol is then enabled on the interconnecting interfaces of the switches on the path from blocking server A, such as Layer 3 switch C and Layer 2 switch B1, including the port on B1 that faces the blocking server, since the server's 802.1Q network card sends tagged frames; the interconnecting interfaces are the ones marked with a five-pointed star (☆) in Figure 4. With trunking enabled, each switch-to-switch link becomes a multiplexed link carrying the m VLANs, so blocking server A can communicate over that link with every device in the m VLANs below Bn.
When blocking server A blocks destination host 1 in VLAN1 from accessing its gateway switch Bn across VLANs, it proceeds as follows. Because the IP address and corresponding subnet mask of every host in the network are stored in the blocking server in advance, blocking server A first computes the subnet address of destination host 1 by a logical AND. Suppose destination host 1, attached below Bn, has IP address 192.168.0.1 and subnet mask 255.255.255.0; the logical AND of the two gives 192.168.0.0 as the subnet address of destination host 1. Blocking server A derives the subnet address of each of its m configured VLAN virtual network interfaces in the same way and compares each of them with the computed subnet address 192.168.0.0 of destination host 1. The virtual network interface of VLAN1 has the same subnet address, 192.168.0.0, so blocking server A determines that the ARP spoofing packet must be sent from the virtual network interface of VLAN1.
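The subnet comparison of the paragraph above, which is also the computation the subnet address acquisition units 620 and 720 of the embodiments below perform, as an added Python example; it is not code from the patent. The host address 192.168.0.1 with mask 255.255.255.0 comes from the text; the three-VLAN plan, the interface addresses ending in .250 and the check of the configured interfaces against the VLAN administrators' plan are assumptions made for the example. The example goes one step beyond the text: besides the subnet address it can also compare the mask, so that a host whose stored mask is wrong is reported as unmatched instead of being served from a neighbouring VLAN's interface.

```python
"""Added example (not the patent's code): derive subnet addresses by IP AND
mask, check the operator-supplied virtual interface configuration, and pick
the VLAN interface whose subnet matches the destination host.  The VLAN
layout and the .250 interface addresses are assumed; 192.168.0.1 with mask
255.255.255.0 is the host from the text."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VirtualInterface:
    vlan_id: int    # VLAN the virtual interface is logically present in
    ip: str         # address chosen from that VLAN
    netmask: str    # dotted-quad subnet mask configured with the address


def subnet_address(ip: str, netmask: str) -> str:
    """ip AND netmask as a dotted quad (the 'subnet address' of the text).
    IPv4Network rejects a non-contiguous mask with a ValueError."""
    net = ipaddress.IPv4Network((ip, netmask), strict=False)
    return str(net.network_address)


def validate_interfaces(vifs: List[VirtualInterface],
                        vlan_plan: Dict[int, str]) -> None:
    """Check the configuration handed over by the VLAN administrators.

    vlan_plan maps VLAN id -> subnet address the VLAN is supposed to use
    (assumed format).  Each interface's ip AND netmask must equal the planned
    subnet of its VLAN, the address must be a usable host address, and two
    interfaces must not derive the same subnet, otherwise the comparison done
    later cannot pick a single VLAN.
    """
    derived: Dict[str, int] = {}
    for vif in vifs:
        net = ipaddress.IPv4Network((vif.ip, vif.netmask), strict=False)
        sub = str(net.network_address)
        if sub != vlan_plan.get(vif.vlan_id):
            raise ValueError(f"VLAN {vif.vlan_id}: {vif.ip}/{vif.netmask} "
                             f"derives {sub}, plan says "
                             f"{vlan_plan.get(vif.vlan_id)}")
        if ipaddress.IPv4Address(vif.ip) in (net.network_address,
                                             net.broadcast_address):
            raise ValueError(f"VLAN {vif.vlan_id}: {vif.ip} is not a host address")
        if sub in derived:
            raise ValueError(f"subnet {sub} claimed by VLAN {derived[sub]} "
                             f"and VLAN {vif.vlan_id}")
        derived[sub] = vif.vlan_id


def select_interface(host_ip: str, host_netmask: str,
                     vifs: List[VirtualInterface],
                     check_mask: bool = True) -> Optional[VirtualInterface]:
    """Pick the virtual interface whose subnet equals the destination host's.

    check_mask=False reproduces the text's address-only comparison; with
    check_mask=True the masks must agree as well.  None means no configured
    VLAN matches, and the blocking server must not send from any interface.
    """
    target = subnet_address(host_ip, host_netmask)
    for vif in vifs:
        if subnet_address(vif.ip, vif.netmask) != target:
            continue
        if check_mask and vif.netmask != host_netmask:
            continue
        return vif
    return None


# Constructed configuration: m = 3 VLANs below switch Bn (assumed layout).
VLAN_PLAN = {1: "192.168.0.0", 2: "192.168.1.0", 3: "192.168.2.0"}
VIFS = [
    VirtualInterface(1, "192.168.0.250", "255.255.255.0"),
    VirtualInterface(2, "192.168.1.250", "255.255.255.0"),
    VirtualInterface(3, "192.168.2.250", "255.255.255.0"),
]


def demo() -> Optional[int]:
    """VLAN id of the interface chosen for host 1 of the text."""
    validate_interfaces(VIFS, VLAN_PLAN)
    vif = select_interface("192.168.0.1", "255.255.255.0", VIFS)
    return vif.vlan_id if vif else None


if __name__ == "__main__":
    print("send the blocking packet from the virtual interface of VLAN", demo())
```

The stored per-host masks are the weak point of the scheme: with the text's address-only comparison a VLAN 2 host recorded with a /16 mask derives 192.168.0.0 and would be served from the VLAN 1 interface, where it cannot hear the frame, which is why the example compares the mask by default.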
Blocking server A then constructs the ARP spoofing packet to be sent to destination host 1. Suppose the correct MAC address of Bn is 00-0a-bf-23-78-0a; the ARP spoofing packet carries a wrong MAC address for Bn instead, for example 00-0b-bf-23-78-0a. The structure of the ARP spoofing packet constructed by blocking server A is shown in Table 1 below:
Table 1: structure of the ARP spoofing packet constructed by blocking server A
Blocking server A sends the ARP spoofing packet carrying the wrong MAC address of Bn from the virtual network interface of VLAN1, the interface determined above whose subnet address is 192.168.0.0. Because the trunk protocol has been enabled on every switch interface along the path over which blocking server A forwards this packet to Layer 3 switch C, the ARP spoofing packet reaches destination host 1 in subnet 192.168.0.0; the dotted line with an arrow in Figure 4 is the packet's transmission path. On receiving the ARP spoofing packet, destination host 1 replaces the correct MAC address of Bn in its ARP cache, 00-0a-bf-23-78-0a, with the wrong MAC address 00-0b-bf-23-78-0a. When destination host 1 then wants to communicate with Bn, the stored wrong MAC address causes the communication to fail. This shows that when the invention is applied in a large network comprising many VLANs, the blocking server sends ARP spoofing packets across VLANs to prevent hosts from accessing a network device, which simplifies the network configuration, because no hub needs to be provided, and improves the usability of preventing host access by means of ARP spoofing packets.
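The ARP spoofing packet of Table 1 and the cache overwrite described above, as an added Python example that is not code from the patent (the packet construction unit 730 of the second embodiment below builds the same packet). The MAC addresses 00-0a-bf-23-78-0a (correct) and 00-0b-bf-23-78-0a (wrong) and host 1's address 192.168.0.1 come from the text; the blocking server's own MAC 00-50-56-aa-bb-cc, host 1's MAC 00-1c-c0-11-22-33 and Bn's IP address 192.168.0.254 are assumptions. The example builds the 802.1Q-tagged frame the server's card would put on the trunk, parses it back, and models the ARP cache update the text assumes at destination host 1; it transmits nothing.

```python
"""Added example (not the patent's code): build and decode the 802.1Q-tagged
ARP reply the blocking server sends to destination host 1 in VLAN 1, and
model the cache overwrite on the host.  Values marked 'assumed' are not
from the text."""
import struct
from typing import Dict

ETH_P_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_P_ARP = 0x0806
ARP_REPLY = 2

BN_CORRECT_MAC = "00-0a-bf-23-78-0a"   # from the text
BN_WRONG_MAC = "00-0b-bf-23-78-0a"     # from the text
HOST1_IP = "192.168.0.1"               # from the text
BN_IP = "192.168.0.254"                # assumed gateway address of Bn
HOST1_MAC = "00-1c-c0-11-22-33"        # assumed
SERVER_MAC = "00-50-56-aa-bb-cc"       # assumed MAC of blocking server A


def mac_bytes(mac: str) -> bytes:
    """'00-0a-bf-23-78-0a' (or colon form) -> 6 raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return bytes(octets)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_tagged_arp_reply(vlan_id: int, eth_src: str, sender_mac: str,
                           sender_ip: str, target_mac: str, target_ip: str,
                           pcp: int = 0) -> bytes:
    """Ethernet II + 802.1Q tag + ARP reply, 46 bytes before NIC padding/FCS.

    The receiver stores sender_ip -> sender_mac, so the spoof is
    sender_ip = Bn's address with sender_mac = the wrong MAC.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (pcp << 13) | vlan_id                     # PCP(3) DEI(1) VID(12)
    eth = (mac_bytes(target_mac) + mac_bytes(eth_src)
           + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_ARP))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_tagged_arp(frame: bytes) -> Dict[str, object]:
    """Decode a tagged ARP frame; raises ValueError for anything else."""
    if len(frame) < 46:
        raise ValueError("frame too short")
    dst, src, tpid, tci, etype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != ETH_P_8021Q or etype != ETH_P_ARP:
        raise ValueError("not an 802.1Q-tagged ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[18:26])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[26:46]
    return {"vlan": tci & 0x0FFF, "eth_dst": mac_str(dst),
            "eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


def apply_to_arp_cache(cache: Dict[str, str],
                       parsed: Dict[str, object]) -> Dict[str, str]:
    """Model of the host behaviour the text relies on: the sender IP/MAC
    pair of a received ARP reply overwrites the cache entry for that IP."""
    if parsed["oper"] == ARP_REPLY:
        cache[str(parsed["spa"])] = str(parsed["sha"])
    return cache


def demo() -> Dict[str, str]:
    """Host 1's ARP cache after the spoofed reply arrives from VLAN 1."""
    frame = build_tagged_arp_reply(1, SERVER_MAC, BN_WRONG_MAC, BN_IP,
                                   HOST1_MAC, HOST1_IP)
    host1_cache = {BN_IP: BN_CORRECT_MAC}   # learned from Bn itself earlier
    return apply_to_arp_cache(host1_cache, parse_tagged_arp(frame))


if __name__ == "__main__":
    print(demo())   # Bn's address now maps to the wrong MAC on host 1
```

Putting the frame on the wire needs a raw link-layer socket on the 802.1Q-capable card and is not shown. Two points the patent does not mention matter in practice: the host's cache entry is refreshed whenever Bn itself answers an ARP request, so the blocking server has to repeat the reply at intervals shorter than the host's ARP cache timeout for the block to hold; and a static ARP entry for the gateway on the host, or Dynamic ARP Inspection on the access switch, makes the spoofed reply ineffective.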
Figure 5 shows another network in which an embodiment of the invention prevents a host from accessing a network device; this network has two Layer 3 switches.
In this network the two Layer 3 switches C1 and C2 back each other up: when either of them is faulty or busy, the other completes the corresponding transmission of the ARP spoofing packet. The n Layer 2 switches B1 to Bn are therefore in effect connected below both C1 and C2. The placement of blocking server A and of the hosts is the same as in Figure 4, and the procedure by which blocking server A prevents destination host 1 below Bn from accessing Bn is the same as the single-Layer-3-switch procedure of Figure 4 described above, so it is not repeated here.
A block diagram of the first embodiment of the blocking server of the invention is shown in Figure 6:
This blocking server comprises: a virtual network interface configuration unit 610, a subnet address acquisition unit 620, a TRUNK enabling unit 630 and a packet sending unit 640. The virtual network interface configuration unit 610 configures, on a physical network interface of the blocking server, a plurality of virtual network interfaces corresponding to a plurality of virtual local area networks (VLANs). The subnet address acquisition unit 620 obtains, among the virtual network interfaces of the blocking server, the virtual network interface subnet address that is consistent with the subnet address of the destination host. The TRUNK enabling unit 630 enables the trunk protocol, that is, applies trunking, on the switches along the transmission link between the blocking server and the destination host. The packet sending unit 640 sends the blocking packet, by way of the trunk protocol, to the destination host from the virtual network interface corresponding to that subnet address.
The blocking server works as follows. The virtual network interface configuration unit 610 configures, for each VLAN in the network, a virtual network interface IP address and the subnet mask belonging to that address; the subnet mask distinguishes which part of the IP address is the network address and which part is the host address, and the logical AND of each IP address with its subnet mask yields the subnet address of the virtual network interface of the corresponding VLAN. The subnet address acquisition unit 620 takes the virtual network interfaces of the VLANs configured by unit 610 and computes the subnet address of the destination host and the subnet address of each virtual network interface: the stored IP address of the destination host ANDed with its netmask gives the subnet address of the destination host, and the IP address of each configured virtual network interface ANDed with the netmask of that address gives the subnet address of that virtual network interface. It then compares the destination host's subnet address with the subnet address of each virtual network interface and finally determines the subnet address of the virtual network interface that is consistent with the destination host's subnet address. Once the subnet address acquisition unit 620 has determined that virtual network interface subnet address, it triggers the TRUNK enabling unit 630 to enable the trunk protocol on the links along the blocking server's path. When the packet sending unit 640 learns that the TRUNK enabling unit 630 has enabled the trunk protocol, it first constructs the ARP spoofing packet and then sends it, by way of the trunk protocol, to the destination host from the virtual network interface corresponding to the subnet address determined by unit 620. After the destination host receives the ARP spoofing packet sent by the packet sending unit 640, it overwrites the physical address of the network device in its ARP cache with the wrong physical address carried in the ARP spoofing packet.
A block diagram of the second embodiment of the blocking server of the invention is shown in Figure 7:
This blocking server comprises: a virtual network interface configuration unit 710, a subnet address acquisition unit 720, a packet construction unit 730, a TRUNK enabling unit 740 and a packet sending unit 750. The virtual network interface configuration unit 710 configures, on a physical network interface of the blocking server, virtual network interfaces of a plurality of virtual local area networks (VLANs). The subnet address acquisition unit 720 computes the subnet address of the destination host and the subnet address of each virtual network interface, compares the destination host's subnet address with that of each virtual network interface, and determines the subnet address of the virtual network interface consistent with the destination host's subnet address. The packet construction unit 730 constructs the blocking packet. The TRUNK enabling unit 740 enables the trunk protocol, that is, applies trunking, on the switches along the transmission link of the blocking packet. The packet sending unit 750 sends the blocking packet, by way of the trunk protocol, from the virtual network interface to the destination host.
The blocking server works as follows. A network interface card supporting the 802.1Q protocol, for example an Intel PRO/100+ card, is installed for the virtual network interface configuration unit 710, and the virtual network interfaces of the network's VLANs are configured on that card, that is, each virtual network interface is given an IP address and the subnet mask belonging to that address. Before the virtual network interface configuration unit 710 configures the virtual network interfaces of the VLANs, the IP address of each virtual network interface and its subnet mask are handed to the administrators who configure the virtual network interfaces by the VLAN administrators responsible for dividing and managing the VLANs in the network, and the configuring administrators enter the IP addresses and subnet masks into the network interface card by manual configuration. Once the virtual network interface configuration unit 710 has configured the virtual network interfaces of the VLANs, those interfaces are logically present in the respective VLANs of the network: after unit 710 has configured the IP address and corresponding netmask for each VLAN, the blocking server in effect holds an IP address belonging to each VLAN. When it needs to communicate with some host x that was not in the same VLAN as the blocking server before the virtual network interfaces were assigned, the network interface card already contains the virtual network interface corresponding to the VLAN x of that host, so the virtual network interface matching VLAN x can be selected from the configured information, and the packet the blocking server then sends to host x is recognised by host x. Sending a blocking packet from the blocking server to a host in any VLAN of the network is therefore equivalent to transmitting within a single Layer 2 network, which realises cross-VLAN transmission of the blocking packet.
The subnet address acquisition unit 720 computes the subnet addresses of the virtual network interfaces configured by unit 710 by ANDing the IP address of each virtual network interface with the subnet mask of that address. The subnet address of the destination host is computed by ANDing the stored IP address of the destination host with the destination host's subnet mask. The unit then compares the computed subnet address of the destination host with the computed subnet address of each virtual network interface in turn and finds the virtual network interface whose subnet address is consistent with that of the destination host; the VLAN virtual network interface corresponding to that subnet address exists on the blocking server.
Once the subnet address acquisition unit 720 has determined the virtual network interface subnet address, it triggers the packet construction unit 730 to construct the blocking packet. The blocking packet is generally an ARP spoofing packet, which carries a wrong MAC address for the network device that the destination host is to be prevented from accessing. An ARP spoofing packet is made up of several key fields; once the blocking server has determined which destination host is to be blocked, it fills the relevant information into the corresponding fields of the ARP spoofing packet to form the packet to be sent. The structure of this ARP spoofing packet is the same as that shown in Table 1 and is not repeated here. The packet construction unit 730 passes the constructed blocking packet to the packet sending unit 750.
After the subnet address acquisition unit 720 has determined the virtual network interface subnet address, it also triggers the TRUNK enabling unit 740 to enable the trunk protocol on the links along the blocking server's path. The trunk protocol is enabled by the network administrators; for example, to enable the trunk protocol on port g2/1 of a switch, the administrator logs in to the switch and enters the following configuration (Cisco IOS syntax; on switches that support more than one trunk encapsulation the encapsulation must be set before the port is placed in trunk mode, and the keyword is "allowed"):
enable
configure terminal
interface g2/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan all
Before the blocking packet is sent, the subnet address acquisition unit 720, the packet construction unit 730 and the TRUNK enabling unit 740 have thus respectively prepared the sending subnet address, the packet to be sent and the sending channel. The packet sending unit 750 is then triggered to send the ARP spoofing packet constructed by unit 730, carrying the wrong MAC address, from the VLAN virtual network interface determined by unit 720; the trunk protocol enabled by unit 740 carries the ARP spoofing packet to the destination host that has the same subnet address as that VLAN virtual network interface.
As the embodiments above show, the invention configures on a blocking server the virtual network interfaces of a plurality of virtual local area networks (VLANs); the blocking server obtains the virtual network interface subnet address consistent with the destination host's subnet address and then sends the blocking packet to the destination host from the virtual network interface corresponding to that subnet address. When the invention is applied in a large network comprising many VLANs, no hub for interconnecting the VLANs needs to be deployed for the blocking server to send blocking packets across VLANs, which simplifies the network configuration and improves the operability of preventing hosts from accessing a network device.
The above discloses only preferred embodiments of the invention, but the invention is not limited to them; any variation that a person skilled in the art can conceive without inventive effort, and any improvement or modification made without departing from the principles of the invention, falls within the scope of protection of the invention.

Claims (10)

1. A method for preventing a host from accessing a network device, characterised in that it comprises:
configuring, on a physical network interface of a blocking server, a plurality of virtual network interfaces corresponding to a plurality of virtual local area networks (VLANs), wherein the plurality of virtual network interfaces respectively correspond to a plurality of port-based VLANs in a network of one Layer 3 switch, and the IP address and corresponding subnet mask of each host in the network are stored in the blocking server in advance;
obtaining, among the virtual network interfaces of the blocking server, the virtual network interface subnet address consistent with the subnet address of the destination host;
applying trunking (the TRUNK technique) on the switches along the transmission link between the blocking server and the destination host;
the blocking server sending a blocking packet, by way of the trunk protocol, to the destination host from the virtual network interface corresponding to the obtained virtual network interface subnet address.
2. The method according to claim 1, characterised in that configuring the virtual network interfaces of the plurality of VLANs on the blocking server specifically comprises:
the blocking server configuring, for each VLAN, a virtual network interface IP address and the subnet mask corresponding to that IP address, wherein the logical AND of the IP address and its subnet mask yields the subnet address of the virtual network interface of the corresponding VLAN.
3. The method according to claim 1, characterised in that the blocking server obtains the virtual network interface subnet address consistent with the destination host subnet address by the following steps:
the blocking server computing the subnet address of the destination host and the subnet address of each of its virtual network interfaces respectively;
comparing the subnet address of the destination host with the subnet address of each virtual network interface;
determining the subnet address of the virtual network interface consistent with the subnet address of the destination host.
4. The method according to claim 3, characterised in that the blocking server computing the subnet address of the destination host and the subnet address of each virtual network interface specifically comprises:
the blocking server obtaining the subnet address of the destination host by the logical AND of the stored IP address of the destination host and its subnet mask, and
the blocking server obtaining the subnet address of each virtual network interface by the logical AND of the configured IP address of that virtual network interface and the subnet mask corresponding to that IP address.
5. The method according to claim 1, characterised in that the method further comprises:
the blocking server constructing the blocking packet before sending it.
6. The method according to claim 5, characterised in that the blocking packet is an ARP spoofing packet which carries a wrong physical address of the network device that the destination host is to be prevented from accessing.
7. The method according to any one of claims 1 to 6, characterised in that the blocking server is a blocking server supporting the 802.1Q protocol.
8. A blocking server for preventing a host from accessing a network device, characterised in that it comprises:
a virtual network interface configuration unit, for configuring, on a physical network interface of the blocking server, a plurality of virtual network interfaces corresponding to a plurality of virtual local area networks (VLANs), wherein the plurality of virtual network interfaces respectively correspond to a plurality of port-based VLANs in a network of one Layer 3 switch, and the IP address and corresponding subnet mask of each host in the network are stored in the blocking server in advance;
a subnet address acquisition unit, for obtaining, among the virtual network interfaces of the blocking server, the virtual network interface subnet address consistent with the subnet address of the destination host;
a TRUNK enabling unit, for applying trunking (the TRUNK technique) on the switches along the transmission link between the blocking server and the destination host;
a packet sending unit, for sending a blocking packet, by way of the trunk protocol, to the destination host from the virtual network interface corresponding to the virtual network interface subnet address.
9. The blocking server according to claim 8, characterised in that it further comprises:
a packet construction unit, for constructing the blocking packet, the blocking packet being an ARP spoofing packet which carries a wrong physical address of the network device that the destination host is to be prevented from accessing.
10. The blocking server according to claim 8 or 9, characterised in that the blocking server is a blocking server supporting the 802.1Q protocol.
Application CN200710119826XA, priority and filing date 2007-07-31: Method for preventing host computer from access to network appliance and blocking server (status: Active).

Publications: CN101115004A, published 2008-01-30; CN101115004B (granted patent), published 2010-06-30.

Family ID: 39023128. Country: CN.

Legal events: publication (C06, PB01); entry into substantive examination (C10, SE01); grant of patent (C14, GR01); change of patentee name (C56, CP01) from Beijing Yiyang Xintong Software Inst. Co., Ltd. to Beijing BOCO Inter-Telecom Technology Co., Ltd. (Beijing Bright Ocean Xintong Technology Co., Ltd.), address unchanged: 100036 Beijing city Haidian District liangjiadian Huayu No. 130 building 11-12.