CN101394360B - Processing method, access device and communication system for address resolution protocol - Google Patents


Publication number: CN101394360B
Authority: CN (China)
Application number: CN 200810225734
Other languages: Chinese (zh)
Other versions: CN101394360A (en)
Inventor: 詹柱
Original Assignee: 北京星网锐捷网络技术有限公司
Prior art keywords: ip address, arp, address, source, module
Application filed by 北京星网锐捷网络技术有限公司
Priority to CN 200810225734
Publication of CN101394360A
Application granted; publication of CN101394360B

Abstract

The invention discloses a method for processing address resolution protocol (ARP) packets, an access device and a communication system. The method comprises the following steps: an access device receives an ARP packet through a downlink port, the ARP packet carrying a source Internet protocol (IP) address, a source media access control (MAC) address, a destination IP address and a destination MAC address; the access device determines whether the source IP address is the same as the IP address of the gateway device configured on the downlink port, the uplink port of the access device being connected to the gateway device; if the source IP address is the same as the IP address of the gateway device, the access device discards the ARP packet; and if the source IP address is different from the IP address of the gateway device, the access device forwards the ARP packet according to the destination IP address in the ARP packet. The embodiments of the invention prevent ARP packets forged by an illegitimate host, whether or not they pass through the gateway device, from being used for ARP spoofing against the gateway device, without increasing the load on the gateway device.

Description

Processing method, access device and communication system for address resolution protocol packets

Technical field

[0001] The present invention relates to network communication technology, and in particular to a method for processing Address Resolution Protocol packets, an access device and a communication system.

Background

[0002] The Address Resolution Protocol (hereinafter: ARP) is a protocol that maps IP addresses to physical addresses. Because data in a network is transmitted according to the physical address of the destination, the IP address of a communication device must first be resolved to obtain that device's physical address. In Ethernet, the physical address is the 48-bit Media Access Control (hereinafter: MAC) address.

[0003] When two hosts in the same physical network want to communicate with each other, each must first obtain the other's IP address and then use ARP to resolve that IP address into a MAC address; only then can it use the MAC address to transmit data packets to the other over Ethernet. In this process, ARP performs IP address resolution by means of ARP request packets and ARP reply packets.

[0004] When a sending host needs to send a data packet to an IP address, it first looks up its local ARP table for a MAC address corresponding to that IP address. If one exists, it transmits the data directly to the destination host that uses that MAC address. Otherwise, it broadcasts an ARP request packet containing the sending host's IP address and MAC address and the destination host's IP address, requesting resolution of the MAC address for the destination host's IP address. Every host on the same physical network receives the ARP request packet. Each receiving host updates its local ARP table with the sending host's IP address and MAC address from the ARP request packet, writing the mapping between the two into the table. The destination host, on receiving the ARP request packet, additionally returns an ARP reply packet to the sending host containing the destination host's IP address and MAC address. On receiving the ARP reply packet, the sending host updates its local ARP table with the destination host's IP address and MAC address. The sending host and the destination host can then communicate using MAC addresses.

[0005] Because a host updates its local ARP table from the IP address and MAC address in any ARP reply packet it receives, if host A on a LAN impersonates host B by forging an ARP reply packet that carries host B's IP address and host A's MAC address and sends it to host C, host C updates its local ARP table accordingly. From host C's point of view, host B's IP address has not changed, but host B's MAC address has become host A's MAC address. Data that host C sends to host B is therefore actually delivered to host A. This is ARP spoofing.

[0006] ARP spoofing against the gateway device is a common form of ARP spoofing: a host on the LAN forges ARP packets of the gateway device, including ARP request packets and ARP reply packets, and sends the forged packets using the gateway device's IP address and its own MAC address. All hosts on the LAN then update their ARP tables and take the spoofing host that sent the ARP packets to be the gateway device. As a result, packets that the hosts on the LAN send to the gateway device are actually forwarded to the spoofing host, which breaks network connectivity or achieves the purpose of an attack. Figure 1 is a schematic diagram of ARP spoofing against a gateway device. Host A has IP address IP A and MAC address MAC A; host B has IP address IP B and MAC address MAC B. Host A and host B are attached to the same access switch, and the data they exchange with the outside reaches the gateway device through the access switch, as shown by arrows 101 and 102. If host B now sends ARP packets forged to appear to come from the gateway device, host A mistakes host B for the gateway device and sends all data destined for the gateway device to host B, as shown by arrow 103. Host B can then eavesdrop on or intercept host A's data, interrupting host A's communication or causing information loss, thereby achieving the purpose of a network attack.

[0007] To prevent an illegitimate host from carrying out ARP spoofing against the gateway device and thereby attacking the network, the prior art modifies the software on the gateway device: the gateway device is prohibited from Layer 2 forwarding ARP packets directly, all ARP packets are forwarded by the added software, and the added software forwards an ARP packet only when the destination IP address in the ARP packet differs from the gateway device's IP address. Because every ARP packet exchanged between the inside and the outside of the network must be forwarded by the gateway device, the load on the gateway device increases, and under a network attack this easily leads to faults such as flapping of the protocols running on the gateway device. Moreover, if Layer 2 devices are connected below the gateway device and ARP packets do not pass through the gateway device, the terminal devices connected to those Layer 2 devices cannot be protected from ARP spoofing.

Summary of the invention

[0008] The purpose of the embodiments of the present invention is to provide a method for processing Address Resolution Protocol packets, an access device and a communication system that, without increasing the load on the gateway device, prevent ARP packets forged by an illegitimate host, whether or not they pass through the gateway device, from being used for ARP spoofing against the gateway device.

[0009] To solve the above technical problem, an embodiment of the present invention provides a method for processing Address Resolution Protocol packets, comprising:

[0010] an access device receives an ARP packet through a downlink port, the ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address;

[0011] the access device determines whether the source IP address is the same as the IP address of the gateway device configured on the downlink port, the uplink port of the access device being connected to the gateway device;

[0012] if the source IP address is the same as the IP address of the gateway device, the access device discards the ARP packet;

[0013] if the source IP address is different from the IP address of the gateway device, the access device forwards the ARP packet according to the destination IP address in the ARP packet.

[0014] An access device provided by an embodiment of the present invention comprises a downlink port connected to a host or a Layer 2 device, an uplink port connected to a gateway device, a forwarding module for forwarding ARP packets, and a first storage module connected to the forwarding module and used to store the local ARP table, and further comprises:

[0015] a second storage module, arranged in the downlink port, for storing the IP address of the gateway device;

[0016] a receiving module, arranged in the downlink port, for receiving an ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address;

[0017] a judging module, for determining whether the source IP address is the same as the IP address of the gateway device and outputting the judgment result;

[0018] a discarding module, for discarding the ARP packet, according to the judgment result, when the source IP address is the same as the IP address of the gateway device;

[0019] the forwarding module being used to forward the ARP packet according to the destination IP address in the ARP packet when, according to the judgment result, the source IP address is different from the IP address of the gateway device.

[0020] A communication system provided by an embodiment of the present invention comprises a gateway device and an access device. The access device comprises a downlink port, an uplink port, a forwarding module and a first storage module; the downlink port is connected to a host or a Layer 2 device, the uplink port is connected to the gateway device, the forwarding module is used to forward ARP packets, and the first storage module is connected to the forwarding module and used to store the local ARP table. The access device further comprises:

[0021] a second storage module, arranged in the downlink port, for storing the IP address of the gateway device;

[0022] a receiving module, arranged in the downlink port, for receiving an ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address;

[0023] a judging module, for determining whether the source IP address is the same as the IP address of the gateway device and outputting the judgment result;

[0024] a discarding module, for discarding the ARP packet, according to the judgment result, when the source IP address is the same as the IP address of the gateway device;

[0025] the forwarding module being used to forward the ARP packet according to the destination IP address in the ARP packet when, according to the judgment result, the source IP address is different from the IP address of the gateway device.

[0026] With the ARP packet processing method, access device and communication system provided by the above embodiments of the present invention, the IP address of the gateway device is configured on the downlink port of the access device, and the destination IP address in the ARP packet is verified at the downlink port of the access device. When the source IP address in the ARP packet is the same as the IP address of the gateway device, the ARP packet is discarded without any processing by the gateway device. Compared with the prior art, this reduces the load on the gateway device and avoids faults such as flapping of the protocols running on it; it also effectively prevents ARP packets that do not pass through the gateway device from being used for ARP spoofing against hosts connected to Layer 2 devices, further improving the security of the communication network.

[0027] The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.

Brief description of the drawings

[0028] Figure 1 is a schematic diagram of ARP spoofing against a gateway device;

[0029] Figure 2 is a flowchart of one embodiment of the ARP packet processing method of the present invention;

[0030] Figure 3 is a flowchart of another embodiment of the ARP packet processing method of the present invention;

[0031] Figure 4 is a schematic structural diagram of one embodiment of the access device of the present invention;

[0032] Figure 5 is a schematic structural diagram of another embodiment of the access device of the present invention;

[0033] Figure 6 is a schematic structural diagram of yet another embodiment of the access device of the present invention;

[0034] Figure 7 is a schematic structural diagram of one embodiment of the communication system of the present invention;

[0035] Figure 8 is a schematic structural diagram of another embodiment of the communication system of the present invention;

[0036] Figure 9 is a schematic structural diagram of yet another embodiment of the communication system of the present invention.

Detailed description

[0037] In practical networking, multiple access devices, such as access switches, are usually connected below one gateway device. More hosts can be connected to the downlink ports of an access device, either directly or through Layer 2 access devices, and the access device reaches the gateway device through its uplink port, so that the gateway device is fully utilized. In the embodiments of the present invention, the IP address of the gateway device is configured in advance on the downlink port of the access device, and ARP packets whose source IP address is the same as the gateway device's IP address are discarded at the access device.

[0038] Figure 2 is a flowchart of one embodiment of the ARP packet processing method of the present invention, which comprises the following steps:

[0039] Step 201: the access device receives an ARP packet through a downlink port; the ARP packet carries a source IP address, a source MAC address, a destination IP address and a destination MAC address.

[0040] Specifically, the ARP packet may be an ARP request packet or an ARP reply packet.

[0041] Step 202: the access device determines whether the source IP address in the ARP packet is the same as the IP address of the gateway device configured on the downlink port, the uplink port of the access device being connected to the gateway device. If the source IP address is the same as the IP address of the gateway device, step 203 is performed. If the source IP address in the ARP packet is different from the IP address of the gateway device, step 204 is performed.

[0042] Step 203: the access device discards the ARP packet.

[0043] Step 204: the access device forwards the ARP packet according to the destination IP address in the ARP packet.

[0044] In this embodiment, the IP address of the gateway device is configured in advance on the downlink port of the access device, and the source IP address in the ARP packet is verified at the downlink port of the access device. When the source IP address in the ARP packet is the same as the IP address of the gateway device, the ARP packet is discarded without any processing by the gateway device. This reduces the load on the gateway device and avoids faults such as flapping of the protocols running on it; it also effectively prevents ARP packets that do not pass through the gateway device from being used for ARP spoofing against hosts connected to Layer 2 devices, further improving the security of the communication network.

[0045] In the embodiments of the present invention, the access device's processing of ARP packets can be implemented in the access device's hardware, so that processing ARP packets does not degrade the performance of the access device.

[0046] Before step 201 of the embodiment shown in Figure 2, the method may further include an operation of configuring the IP address of the gateway device on the downlink port. In addition, the gateway IP address configured on the downlink port may be updated as actually required; correspondingly, in step 202 the access device determines whether the source IP address in the ARP packet is the same as the updated gateway IP address on the downlink port.

[0047] Figure 3 is a flowchart of another embodiment of the ARP packet processing method of the present invention, which comprises the following steps:

[0048] Step 301: the access device receives an ARP packet through a downlink port; the ARP packet carries a source IP address, a source MAC address, a destination IP address and a destination MAC address. Specifically, the ARP packet may be an ARP request packet or an ARP reply packet.

[0049] Step 302: the access device determines whether the source IP address in the ARP packet is the same as the IP address of the gateway device configured on the downlink port, the uplink port of the access device being connected to the gateway device. If the source IP address in the ARP packet is the same as the IP address of the gateway device, step 303 is performed. If the source IP address in the ARP packet is different from the IP address of the gateway device, step 304 is performed.

[0050] Step 303: the access device discards the ARP packet.

[0051] Step 304: the access device checks whether the destination IP address is stored in the local ARP table. If the destination IP address is stored in the local ARP table, step 305 is performed. If the destination IP address is not stored in the local ARP table, step 306 is performed.

[0052] Step 305: the access device obtains the MAC address corresponding to the destination IP address from the ARP table and forwards the ARP packet according to that MAC address.

[0053] Step 306: the access device obtains the VLAN ID from the ARP packet and broadcasts the ARP packet in the VLAN identified by that VLAN ID.

[0054] In step 301 of the embodiment shown in Figure 3, if the ARP packet is an ARP request packet, the destination MAC address it carries is represented as all 0s or all 1s. After the access device receives the ARP reply packet that the destination host using the destination IP address returns for that ARP request packet, it processes the ARP reply packet in the same way as the ARP request packet.

[0055] For both ARP request packets and ARP reply packets, when the source IP address in the ARP packet is different from the IP address of the gateway device, the access device may check whether the source IP address and source MAC address of the ARP packet exist in the local ARP table; if they do not, it updates the local ARP table by adding the source IP address and source MAC address to it.
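The Figure 3 flow (steps 301 to 306, of which the Figure 2 flow is a subset) together with the table update of [0055], as an added Python example that is not part of the patent text. The class `DownlinkArpFilter`, the helper functions, the default VLAN for untagged frames, the dropping of malformed frames and all sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA (28 bytes)


@dataclass
class ArpPacket:
    vlan_id: int
    opcode: int                     # 1 = request, 2 = reply
    src_mac: bytes
    src_ip: ipaddress.IPv4Address
    dst_mac: bytes
    dst_ip: ipaddress.IPv4Address


def parse_arp_frame(frame, default_vlan=1):
    """Parse an Ethernet frame (optionally 802.1Q-tagged) carrying IPv4 ARP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, default_vlan  # assumption: untagged frames use the port VLAN
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan_id = 18, tci & 0x0FFF
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    size = struct.calcsize(ARP_FMT)
    body = frame[offset:offset + size]
    if len(body) < size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return ArpPacket(vlan_id, op, sha, ipaddress.IPv4Address(spa),
                     tha, ipaddress.IPv4Address(tpa))


class DownlinkArpFilter:
    """Hypothetical model of one downlink port of the access device."""

    def __init__(self, gateway_ip):
        self.gateway_ip = ipaddress.IPv4Address(gateway_ip)  # configured on the port
        self.arp_table = {}                                  # local ARP table: IP -> MAC

    def process(self, frame):
        try:
            pkt = parse_arp_frame(frame)                     # step 301
        except ValueError:
            return ("drop", "malformed")                     # assumption, not in the text
        if pkt.src_ip == self.gateway_ip:                    # step 302
            return ("drop", "source IP equals gateway IP")   # step 303
        known_mac = self.arp_table.get(pkt.dst_ip)           # step 304
        self.arp_table.setdefault(pkt.src_ip, pkt.src_mac)   # [0055]: add only if absent
        if known_mac is not None:
            return ("forward", known_mac)                    # step 305
        return ("broadcast", pkt.vlan_id)                    # step 306


def build_arp_frame(op, src_mac, src_ip, dst_mac, dst_ip, vlan_id=None):
    """Build a constructed test frame; used only to feed the filter below."""
    eth_dst = b"\xff" * 6 if op == 1 else dst_mac
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id) if vlan_id is not None else b""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       src_mac, ipaddress.IPv4Address(src_ip).packed,
                       dst_mac, ipaddress.IPv4Address(dst_ip).packed)
    return eth_dst + src_mac + tag + struct.pack("!H", ETH_P_ARP) + body


# Constructed sample addresses (documentation range 192.0.2.0/24).
GATEWAY_IP = "192.0.2.1"
HOST_A = (bytes.fromhex("02000000000a"), "192.0.2.10")
HOST_B = (bytes.fromhex("02000000000b"), "192.0.2.20")


def demo():
    port = DownlinkArpFilter(GATEWAY_IP)
    frames = [
        # A asks for B; the request carries an all-zero destination MAC ([0054]).
        build_arp_frame(1, HOST_A[0], HOST_A[1], b"\x00" * 6, HOST_B[1], vlan_id=10),
        # B answers A.
        build_arp_frame(2, HOST_B[0], HOST_B[1], HOST_A[0], HOST_A[1], vlan_id=10),
        # Reply whose source IP is the gateway's but whose source MAC is B's.
        build_arp_frame(2, HOST_B[0], GATEWAY_IP, HOST_A[0], HOST_A[1], vlan_id=10),
        # Truncated frame.
        build_arp_frame(1, HOST_A[0], HOST_A[1], b"\x00" * 6, HOST_B[1])[:30],
    ]
    return [port.process(f) for f in frames], port.arp_table


if __name__ == "__main__":
    decisions, table = demo()
    for decision in decisions:
        print(decision)
```

The comparison is made on the sender protocol address inside the ARP payload, not on the Ethernet header, because that is the field a receiving host writes into its ARP table.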

[0056] Figure 4 is a schematic structural diagram of one embodiment of the access device of the present invention. The access device of this embodiment comprises a downlink port 401, an uplink port 402, a forwarding module 403, a first storage module 404, a second storage module 405, a receiving module 406, a judging module 407 and a discarding module 408.

[0057] The downlink port 401 is connected to a host or a Layer 2 device and sends and receives packets to and from that host or Layer 2 device. The uplink port 402 is connected to the gateway device and forwards packets to and from the gateway device. The forwarding module 403 forwards ARP packets through the uplink port 402 or the downlink port 401. The first storage module 404 is connected to the forwarding module 403 and stores the local ARP table. The second storage module 405 is arranged in the downlink port 401 and stores the IP address of the gateway device connected to the uplink port 402. The receiving module 406 is arranged in the downlink port 401 and receives ARP packets, each carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address. Specifically, the ARP packet may be an ARP request packet or an ARP reply packet. The judging module 407 is connected to the receiving module 406 and the second storage module 405; it determines whether the source IP address in the ARP packet received by the receiving module 406 is the same as the gateway device IP address stored in the second storage module 405, and outputs the judgment result. Specifically, if the source IP address is the same as the IP address of the gateway device, it outputs the judgment result to the discarding module 408; if they differ, it outputs the judgment result to the forwarding module 403. The discarding module 408 discards the ARP packet, according to the judgment result, when the source IP address is the same as the IP address of the gateway device. The forwarding module 403 forwards the ARP packet according to the destination IP address in the ARP packet when, according to the judgment result, the source IP address is different from the IP address of the gateway device.

[0058] Because the IP address of the gateway device is configured on the downlink port 401 of the access device, the source IP address in the ARP packet is verified at the downlink port 401 of the access device. When the source IP address in the ARP packet is the same as the IP address of the gateway device, the ARP packet is discarded without any processing by the gateway device. This reduces the load on the gateway device and avoids faults such as flapping of the protocols running on it; it also effectively prevents ARP packets that do not pass through the gateway device from being used for ARP spoofing against hosts connected to Layer 2 devices, further improving the security of the communication network.

[0059] The forwarding module 403, the judging module 407 and the discarding module 408 in the access device of the present invention can be implemented in hardware, so that the corresponding processing of ARP packets does not degrade the performance of the access device.

[0060] Figure 5 is a schematic structural diagram of another embodiment of the access device of the present invention. Compared with the embodiment shown in Figure 4, the forwarding module 403 of this embodiment comprises a query unit 501, an obtaining unit 502, a forwarding unit 503 and a broadcast unit 504. The query unit 501 is connected to the judging module 407 and the first storage module 404; it checks whether the destination IP address in the ARP packet is stored in the local ARP table held in the first storage module 404, and outputs the query result. The obtaining unit 502 is connected to the first storage module 404 and the query unit 501; according to the query result, when the destination IP address is stored in the local ARP table, it obtains the MAC address corresponding to the destination IP address from the ARP table. The forwarding unit 503 forwards the ARP packet according to the MAC address obtained by the obtaining unit 502. The broadcast unit 504 is connected to the query unit 501; according to the query result, when the destination IP address is not stored in the local ARP table, it broadcasts the ARP packet in the VLAN identified by the VLAN ID in the ARP packet.

[0061] The access device provided by the above embodiments of the present invention may further comprise a query module 601 and an update module 602. The query module 601 is connected to the judging module 407 and the first storage module 404; according to the judgment result of the judging module 407, when the source IP address in the ARP packet is different from the IP address of the gateway device, it checks whether the source IP address and source MAC address in the ARP packet exist in the local ARP table, and outputs the query result. The update module 402 is connected to the query module 601 and the first storage module 404; according to the query result, when the source IP address and source MAC address in the ARP packet do not exist in the local ARP table, it updates the local ARP table by adding the source IP address and source MAC address in the ARP packet to it. Figure 6 is a schematic structural diagram of yet another embodiment of the access device of the present invention.

[0062] 如图7所示,为本发明通信系统一个实施例的结构示意图。 [0062] As shown in FIG. 7, a schematic structural diagram of a communication system of the embodiment of the present invention. 该实施例的通信系统包括网关设备701与接入设备702。 Communication system of this embodiment includes a gateway device 701 and the access device 702. 其中,接入设备702可以采用图4、图5或图6所示实施例提供的接入设备。 Wherein, the access device 702 in FIG. 4 may be employed, the embodiment shown provides the access device of FIG. 5 or FIG. 6. 该实施例中的接入设备采用图4所示实施例提供的接入设备。 The embodiment shown in FIG. 4 the access device using the access device according to an embodiment.

[0063] FIG. 8 is a schematic structural diagram of another embodiment of the communication system of the present invention. The access device in this embodiment is the one provided by the embodiment shown in FIG. 5.

[0064] FIG. 9 is a schematic structural diagram of yet another embodiment of the communication system of the present invention. The access device in this embodiment is the one provided by the embodiment shown in FIG. 6.

[0065] Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

[0066] The embodiment of the present invention verifies the destination IP address of the ARP packet at the downlink port 401 of the access device, and discards the ARP packet when the destination IP address in the ARP packet is the same as the IP address of the gateway device. This reduces the load on the gateway device and avoids faults such as flapping of the protocols running on it. It also effectively prevents ARP packets that do not pass through the gateway device from being used for ARP spoofing against hosts connected to a layer-2 device, which further improves the security of the communication network.

[0067] Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and are not to be understood as limiting it. Although the present invention has been described in detail with reference to the above preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may still be modified or replaced with equivalents, and that such modifications or equivalent replacements do not depart from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A method for processing an address resolution protocol packet, characterized by comprising: an access device receiving an ARP packet through a downlink port, the ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address; the access device judging whether the source IP address is the same as the IP address of a gateway device configured on the downlink port, an uplink port of the access device being connected to the gateway device; if the source IP address is the same as the IP address of the gateway device, the access device discarding the ARP packet; if the source IP address is different from the IP address of the gateway device, the access device forwarding the ARP packet according to the destination IP address in the ARP packet.
2. The method according to claim 1, characterized in that the access device forwarding the ARP packet according to the destination IP address in the ARP packet comprises: the access device querying whether the destination IP address is stored in the local ARP table; if the destination IP address is stored in the local ARP table, obtaining from the ARP table the MAC address corresponding to the destination IP address, and forwarding the ARP packet according to that MAC address; if the destination IP address is not stored in the local ARP table, broadcasting the ARP packet in the VLAN identified by the VLAN ID in the ARP packet.
3. The method according to claim 1, characterized by further comprising: updating the IP address of the gateway device configured on the downlink port; wherein the access device judging whether the source IP address is the same as the IP address of the gateway device configured on the downlink port is specifically: the access device judging whether the source IP address is the same as the updated IP address of the gateway device on the downlink port.
4. The method according to claim 1, 2 or 3, characterized by further comprising: if the source IP address is different from the IP address of the gateway device, the access device, when the source IP address and the source MAC address do not exist in the local ARP table, updating the local ARP table according to the source IP address and the source MAC address.
5. An access device, comprising a downlink port connected to a host or a layer-2 device, an uplink port connected to a gateway device, a forwarding module for forwarding ARP packets, and a first storage module connected to the forwarding module and used to store a local ARP table, characterized by further comprising: a second storage module, arranged in the downlink port and used to store the IP address of the gateway device; a receiving module, arranged in the downlink port and used to receive an ARP packet, the ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address; a judging module, used to judge whether the source IP address is the same as the IP address of the gateway device and to output a judgment result; a discarding module, used to discard the ARP packet, according to the judgment result, when the source IP address is the same as the IP address of the gateway device; the forwarding module being used to forward the ARP packet according to the destination IP address in the ARP packet, according to the judgment result, when the source IP address is different from the IP address of the gateway device.
6. The access device according to claim 5, characterized in that the forwarding module comprises: a query unit, used to query whether the destination IP address is stored in the local ARP table and to output a query result; an obtaining unit, used to obtain from the ARP table, according to the query result, the MAC address corresponding to the destination IP address when the destination IP address is stored in the local ARP table; a forwarding unit, used to forward the ARP packet according to the MAC address found by the obtaining unit; a broadcast unit, used to broadcast the ARP packet in the VLAN identified by the VLAN ID in the ARP packet, according to the query result, when the destination IP address is not stored in the local ARP table.
7. The access device according to claim 5 or 6, characterized by further comprising: a query module, used to query, according to the judgment result of the judging module, whether the source IP address and the source MAC address exist in the local ARP table when the source IP address is different from the IP address of the gateway device, and to output a query result; an update module, used to update the local ARP table according to the source IP address and the source MAC address, according to the query result, when the source IP address and the source MAC address do not exist in the local ARP table.
8. A communication system, comprising a gateway device and an access device, the access device comprising a downlink port, an uplink port, a forwarding module and a first storage module, the downlink port being connected to a host or a layer-2 device, the uplink port being connected to the gateway device, the forwarding module being used to forward ARP packets, and the first storage module being connected to the forwarding module and used to store a local ARP table, characterized in that the access device further comprises: a second storage module, arranged in the downlink port and used to store the IP address of the gateway device; a receiving module, arranged in the downlink port and used to receive an ARP packet, the ARP packet carrying a source IP address, a source MAC address, a destination IP address and a destination MAC address; a judging module, used to judge whether the source IP address is the same as the IP address of the gateway device and to output a judgment result; a discarding module, used to discard the ARP packet, according to the judgment result, when the source IP address is the same as the IP address of the gateway device; the forwarding module being used to forward the ARP packet according to the destination IP address in the ARP packet, according to the judgment result, when the source IP address is different from the IP address of the gateway device.
9. The communication system according to claim 8, characterized in that the forwarding module comprises: a query unit, used to query whether the destination IP address is stored in the local ARP table and to output a query result; an obtaining unit, used to obtain from the ARP table, according to the query result, the MAC address corresponding to the destination IP address when the destination IP address is stored in the local ARP table; a forwarding unit, used to forward the ARP packet according to the MAC address found by the obtaining unit; a broadcast unit, used to broadcast the ARP packet in the VLAN identified by the VLAN ID in the ARP packet, according to the query result, when the destination IP address is not stored in the local ARP table.
10. The communication system according to claim 8 or 9, characterized in that the access device further comprises: a query module, used to query, according to the judgment result of the judging module, whether the source IP address and the source MAC address exist in the local ARP table when the source IP address is different from the IP address of the gateway device, and to output a query result; an update module, used to update the local ARP table according to the source IP address and the source MAC address, according to the query result, when the source IP address and the source MAC address do not exist in the local ARP table.
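
The processing flow of claims 1, 2 and 4, sketched in Python as an added illustration that is not part of the patent text: a frame arriving on the downlink port is parsed, dropped if its ARP source IP equals the configured gateway IP, and otherwise learned and then forwarded or broadcast. The names `parse_arp`, `build_arp`, `AccessDevice` and `handle_downlink` and all addresses are assumptions constructed for the example; storing the pair whenever it is not already present is one reading of claim 4.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ArpPacket:
    vlan: Optional[int]
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> ArpPacket:
    """Parse an Ethernet frame (802.1Q tag optional) carrying IPv4 ARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == 0x8100:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF              # low 12 bits are the VLAN ID
    if ethertype != 0x0806 or len(frame) < off + 28:
        raise ValueError("not a complete ARP packet")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    p = frame[off + 8:off + 28]                   # sender MAC/IP, target MAC/IP
    return ArpPacket(vlan, _mac(p[0:6]), _ip(p[6:10]), _mac(p[10:16]), _ip(p[16:20]))

def build_arp(src_mac, src_ip, dst_mac, dst_ip, vlan=None, oper=1) -> bytes:
    """Build a constructed test frame; not a capture from a real network."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + m(src_mac) + tag + struct.pack("!H", 0x0806)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + hdr + m(src_mac) + i(src_ip) + m(dst_mac) + i(dst_ip)

class AccessDevice:
    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip   # gateway IP configured on the downlink port
        self.arp_table = {}            # local ARP table: IP -> MAC

    def handle_downlink(self, frame: bytes) -> Tuple[str, object]:
        """Return (action, detail) for a frame received on the downlink port."""
        try:
            arp = parse_arp(frame)
        except ValueError as exc:
            return ("drop", str(exc))
        # Claim 1: a host behind the downlink port must never claim the gateway IP.
        if arp.src_ip == self.gateway_ip:
            return ("drop", "source IP equals gateway IP")
        # Claim 2: look up the destination before learning the sender.
        known = self.arp_table.get(arp.dst_ip)
        # Claim 4 (as read here): store the pair if it is not already present.
        if self.arp_table.get(arp.src_ip) != arp.src_mac:
            self.arp_table[arp.src_ip] = arp.src_mac
        if known is not None:
            return ("forward", known)
        return ("broadcast", arp.vlan)
```

The spoofed frame is dropped before the learning step, so it never reaches the local ARP table.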
CN 200810225734 2008-11-10 2008-11-10 Processing method, access device and communication system for address resolution protocol CN101394360B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810225734 CN101394360B (en) 2008-11-10 2008-11-10 Processing method, access device and communication system for address resolution protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810225734 CN101394360B (en) 2008-11-10 2008-11-10 Processing method, access device and communication system for address resolution protocol

Publications (2)

Publication Number Publication Date
CN101394360A CN101394360A (en) 2009-03-25
CN101394360B true CN101394360B (en) 2011-07-20

Family

ID=40494441

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810225734 CN101394360B (en) 2008-11-10 2008-11-10 Processing method, access device and communication system for address resolution protocol

Country Status (1)

Country Link
CN (1) CN101394360B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9935894B2 (en) 2014-05-08 2018-04-03 Cisco Technology, Inc. Collaborative inter-service scheduling of logical resources in cloud platforms
US10034201B2 (en) 2015-07-09 2018-07-24 Cisco Technology, Inc. Stateless load-balancing across multiple tunnels
US10037617B2 (en) 2015-02-27 2018-07-31 Cisco Technology, Inc. Enhanced user interface systems including dynamic context selection for cloud-based networks
US10050862B2 (en) 2015-02-09 2018-08-14 Cisco Technology, Inc. Distributed application framework that uses network and application awareness for placing data
US10067780B2 (en) 2015-10-06 2018-09-04 Cisco Technology, Inc. Performance-based public cloud selection for a hybrid cloud environment
US10084703B2 (en) 2015-12-04 2018-09-25 Cisco Technology, Inc. Infrastructure-exclusive service forwarding
US10122605B2 (en) 2014-07-09 2018-11-06 Cisco Technology, Inc Annotation of network activity through different phases of execution
US10129177B2 (en) 2016-05-23 2018-11-13 Cisco Technology, Inc. Inter-cloud broker for hybrid cloud networks
US10142346B2 (en) 2016-07-28 2018-11-27 Cisco Technology, Inc. Extension of a private cloud end-point group to a public cloud
US10205677B2 (en) 2015-11-24 2019-02-12 Cisco Technology, Inc. Cloud resource placement optimization and migration execution in federated clouds
US10212074B2 (en) 2011-06-24 2019-02-19 Cisco Technology, Inc. Level of hierarchy in MST for traffic localization and load balancing
US10257042B2 (en) 2012-01-13 2019-04-09 Cisco Technology, Inc. System and method for managing site-to-site VPNs of a cloud managed network
US10263898B2 (en) 2016-07-20 2019-04-16 Cisco Technology, Inc. System and method for implementing universal cloud classification (UCC) as a service (UCCaaS)
US10320683B2 (en) 2017-01-30 2019-06-11 Cisco Technology, Inc. Reliable load-balancer using segment routing and real-time application monitoring
US10326817B2 (en) 2016-12-20 2019-06-18 Cisco Technology, Inc. System and method for quality-aware recording in large scale collaborate clouds
US10334029B2 (en) 2017-01-10 2019-06-25 Cisco Technology, Inc. Forming neighborhood groups from disperse cloud providers

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527681B (en) 2009-03-31 2012-07-04 成都市华为赛门铁克科技有限公司 Method for processing uplink message, device and system thereof
CN101540733B (en) 2009-05-08 2011-01-05 深圳市维信联合科技有限公司 ARP message processing method and network side apparatus
CN101888329B (en) * 2010-04-28 2013-04-17 北京星网锐捷网络技术有限公司 Address resolution protocol (ARP) message processing method, device and access equipment
CN101888338B (en) * 2010-07-01 2016-06-22 中兴通讯股份有限公司 Message forwarding method and gateway
CN102075426A (en) * 2011-01-14 2011-05-25 中兴通讯股份有限公司 Message transmission method under MFF manual mode and device
CN102143068B (en) * 2011-03-01 2014-04-02 华为技术有限公司 Method, device and system for learning MAC (Media Access Control) address
CN102571806B (en) * 2012-02-08 2016-12-07 神州数码网络(北京)有限公司 An active device and method for preventing router advertisement message spoofing
CN102546658A (en) * 2012-02-20 2012-07-04 神州数码网络(北京)有限公司 Method and system for preventing address resolution protocol (ARP) gateway spoofing
CN102694876A (en) * 2012-05-10 2012-09-26 北京星网锐捷网络技术有限公司 Method and device for determining effectiveness of learned MAC (Media Access Control) address and gateway equipment
CN102710805B (en) * 2012-05-14 2015-10-14 浙江宇视科技有限公司 A method and apparatus for updating address ip
CN105472054B (en) * 2014-09-05 2019-05-24 华为技术有限公司 A kind of file transmitting method and access device
CN105991794B (en) * 2015-06-01 2019-05-07 杭州迪普科技股份有限公司 A kind of address learning method and device
CN105959425B (en) * 2016-04-21 2019-04-16 北京千丁互联科技有限公司 Communication means, system and its intercommunication terminal and core switch of intelligent residential district
CN106102122A (en) * 2016-05-16 2016-11-09 杭州华三通信技术有限公司 MAC (Multimedia Access Control) address table item updating method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567839A (en) 2003-06-24 2005-01-19 华为技术有限公司 Port based network access control method
WO2006126919A1 (en) 2005-05-23 2006-11-30 Telefonaktiebolaget Lm Ericsson (Publ) Method and system for local peer-to-peer traffic
CN1925493A (en) 2006-09-15 2007-03-07 杭州华为三康技术有限公司 Method and device for processing ARP message

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted