CN101447927B - Method and routing device for three-layer isolation of user terminals - Google Patents
Method and routing device for three-layer isolation of user terminals Download PDFInfo
- Publication number
- CN101447927B CN101447927B CN2008101879519A CN200810187951A CN101447927B CN 101447927 B CN101447927 B CN 101447927B CN 2008101879519 A CN2008101879519 A CN 2008101879519A CN 200810187951 A CN200810187951 A CN 200810187951A CN 101447927 B CN101447927 B CN 101447927B
- Authority
- CN
- China
- Prior art keywords
- isolation
- outgoing interface
- packet
- interface
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and a routing device for three-layer isolation of user terminals. The method includes the following steps: at least one isolation set is configured, and a plurality of interfaces that need isolating with each other are included in the isolation set; when a data packet that needs three-layer transmitting processing and is sent by a user terminal is received from an input interface, the output interface of the data packet is obtained according to a routing table entry; and when both the input interface and the output interface belong to any isolation set, the transmitting operation of the data packet is refused. By using the method and the routing device, as for the data packet needing three-layer transmitting processing, whether the data packet is transmitted is judged according to the output interface and the input interface of the data packet and the pre-configured isolation set so that three-layer isolation function of user terminals can be realized just by simple configuration.
Description
Technical field
The present invention relates to networking technology area, relate in particular to the method and the routing device of three layers of isolation between a kind of user terminal.
Background technology
Along with the continuous development of network technology, increasing network security problem has presented to come out.At this problem, the isolation technology at professional between the network access user and visit has been proposed in the prior art.
Port isolation technology for example, its widespread usage is at two layers of access switch or have on the router of function of exchange, and the port isolation function that relies on device chip to provide realizes.In the time of on being deployed in three-layer equipment, a plurality of ports of two layers of access switch of descending connection are added in the same isolation group, and add mark respectively in the hardware register of each port that this isolation group is related to by device chip, the mark that adds on hardware capability by device chip and each port makes that three layer services between the port that the isolation group relates to can't intercommunication.The problem that this method exists is that the function that present considerable device chip is supported only limits to support two layers of isolation, and the device chip kind of supporting above-mentioned three layers of isolation features seldom.
In addition, ACL (AccessControl List, access control lists) rule can also be set on each port of two layers of access switch of descending connection,, realize the isolation of three layer services by acl rule is set.The problem that this method exists is, need all dispose ACL on all of the port, when port number more for a long time, dispose very loaded down with trivial details; And when the network of port access changed, ACL also needed synchronous modification, causes flexibility very poor.
On the whole, two layers of isolation technology comparative maturity of user of the prior art, and realize that by the routing function of gateway device three layers of isolation technology relatively lack between the user at present.
Summary of the invention
The invention provides the method and the routing device of three layers of isolation between a kind of user terminal, be used for the three layer isolation features of easy realization user terminal.
For achieving the above object, embodiments of the invention provide the method for three layers of isolation between a kind of user terminal, comprising:
Dispose at least one isolation group, comprise a plurality of interfaces that to isolate in twos in the described isolation group;
Receive needs that user terminal sends from incoming interface and carry out three layers when transmitting the packet of handling, obtain the outgoing interface of described packet according to route table items;
When described incoming interface and outgoing interface belong to arbitrary isolation group, refuse the forwarding operation of described packet.
Wherein, the user terminal under a plurality of interfaces belongs to the different network segments respectively in the described isolation group.
Wherein, at least one isolation group of described configuration comprises:
Dispose described isolation group according to default command format, comprise a plurality of interfaces that isolation order title, isolation group id and needs are isolated in twos in the described command format.
Wherein, the described outgoing interface that obtains described packet according to route table items comprises:
Obtain the purpose IP address of described packet;
Judge whether described purpose IP address is effective address, is then to continue, otherwise abandon described packet;
According to the route table items of described purpose IP matching addresses routing table, obtain the outgoing interface of described packet according to matching result.
Wherein, also comprise:
When described incoming interface and outgoing interface did not belong to described arbitrary isolation group, described packet was transmitted in the purpose IP address in described outgoing interface.
The present invention also provides a kind of routing device, comprising:
The isolation configuration unit is used to dispose at least one isolation group, comprises a plurality of interfaces that need isolate in twos in the described isolation group;
Receiving element is used for carrying out three layers from the needs that incoming interface reception user terminal sends and transmits the packets of handling;
The outgoing interface acquiring unit is used for obtaining according to route table items the outgoing interface of described packet;
The isolation processing unit is used for refusing the forwarding operation of described packet when described incoming interface and outgoing interface belong to arbitrary isolation group.
Wherein, the user terminal under a plurality of interfaces belongs to the different network segments in the described isolation configuration unit.
Wherein, also comprise:
The isolation order input unit is used for the isolation group that the default command format of basis disposes described isolation configuration unit, comprises a plurality of interfaces that isolation order title, isolation group id and needs are isolated in twos in the described command format.
Wherein, described outgoing interface acquiring unit comprises:
Purpose IP address obtains subelement, is used to obtain the purpose IP address of described packet;
The effective address judgment sub-unit is used to judge whether described purpose IP address is effective address, is then to notify outgoing interface to obtain subelement, otherwise abandons described packet;
Outgoing interface obtains subelement, is used for the route table items according to described purpose IP matching addresses routing table, obtains the outgoing interface of described packet according to matching result.
Wherein, also comprise:
Forward processing unit is used for when described incoming interface and outgoing interface do not belong to described arbitrary isolation group, and described packet is transmitted in the purpose IP address in described outgoing interface.
Compared with prior art, the present invention has the following advantages:
Carry out three layers for needs among the present invention and transmit the packet of handling, outgoing interface and incoming interface and pre-configured isolation group according to packet, judge whether packet is transmitted, thereby only need simple configuration can realize three layers of isolation features user terminal.
Description of drawings
In order to be illustrated more clearly in technical scheme of the present invention, the accompanying drawing of required use is done to introduce simply in will describing embodiment below, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the flow chart of three layers of partition method between the user terminal among the present invention;
Fig. 2 is the network diagram of three layers of partition method one application scenarios between the user terminal among the present invention;
Fig. 3 is the flow chart again of three layers of partition method between the user terminal among the present invention;
Fig. 4 is a structural representation of realizing the routing device of three layers of isolation between the user terminal among the present invention;
Fig. 5 is another structural representation of realizing the routing device of three layers of isolation between the user terminal among the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme among the present invention is clearly and completely described, obviously, described embodiment only is a part of embodiment of the present invention, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
The invention provides the method for three layers of isolation between a kind of user terminal, as shown in Figure 1, may further comprise the steps:
Step s101, dispose at least one isolation group, comprise a plurality of interfaces that to isolate in twos in the isolation group.
Step s102, receive needs that user terminal sends from incoming interface and carry out three layers when transmitting the packet of handling, obtain the outgoing interface of this packet according to route table items.
When step s103, incoming interface and outgoing interface belong to arbitrary isolation group, refuse the forwarding operation of this packet.
In the method provided by the invention, carry out three layers for needs and transmit the packet of handling, outgoing interface and incoming interface and pre-configured isolation group according to packet judge whether packet is transmitted, thereby only need simple configuration can realize three layers of isolation features to user terminal.
Below in conjunction with a concrete application scenarios, the method for three layers of isolation between the user terminal among description the present invention.As shown in Figure 2, be the network architecture schematic diagram of three layers of partition method one application scenarios between the user terminal among the present invention.Wherein, user terminal PC is by the access switch access network, and access switch is two layers of forwarding unit, and convergence router and core router are three layers of forwarding unit.Wherein under the better simply situation of network condition, the function of convergence router and core router also can be realized by a router.In this network scenarios, three access switch are connected with convergence router-1 by interface E0/1, E0/2, E0/3 respectively.Wherein, the network segment that interface E0/1, E0/2, E0/3 are corresponding different respectively, the gateway among the interface E0/1 is 10.1.1.1, the network segment is 10.1.1.1/24,24 expression subnet masks; Gateway among the interface E0/2 is 10.1.2.1, and the network segment is 10.1.2.1/24; Gateway among the interface E0/3 is 10.1.3.1, and the network segment is 10.1.3.1/24.
During isolation in three different segments that need achieve a butt joint on convergence router-1 below a mouthful E0/1, E0/2, the E0/3 between the user terminal, as shown in Figure 3, the method for three layers of isolation comprises between the user terminal that provides among the present invention:
Step s301, on router, carry out isolation order, a plurality of interfaces that need to isolate are configured.
Concrete, three layer services under the total interface that this isolation order is used for order is comprised between the user terminal are isolated from each other.Concrete, a plurality of interfaces that comprise the isolation order title in the command format of isolation order, isolate group id and needs isolation, an example of isolation order is:
user-isolate index1 E0/1 E0/2 E0/3
Wherein user-isolate is the isolation order title, and index1 is the index of isolation group, E0/1, the E0/2E0/3 interface for carrying out three layers of isolation.
After carrying out this isolation order, increased content as shown in table 1 in the isolation Groups List on the router:
Table 1 is isolated Groups List
| Isolate group index | The interface that comprises in the isolation group |
| index1 | E0/1 E0/2 E0/3 |
| index2 | …… |
| … | …… |
Comprised the isolation group of representing with different index in this isolation Groups List, the isolation group of only representing with index 1 in the above-mentioned table 1 is that example describes.
Step s302, router receive packet from interface, obtain the purpose IP address of packet.
Concrete, be that the IP address is that the user terminal PC2 of 10.1.2.2 is an example under the user terminal PC1 access interface E0/2 of 10.1.1.2 with IP address under the interface E0/1.Router receives the packet that PC1 sends under the interface E0/1, and with the incoming interface of interface E0/1 as packet, and the purpose IP address that gets access to packet is 10.1.2.2.
Step s303, router judge whether purpose IP address is effective address, then carry out step s304 in the time of effectively, otherwise abandon this packet.
Step s304, router obtain the outgoing interface at place, purpose IP address.
Concrete, safeguard in the router to be useful on the route table items that packet is transmitted, comprise following content in the route table items: purpose IP address and corresponding interface.The route table items structure that example is as shown in table 2 below:
Table 2 route table items structure
| Sequence number | The IP | Corresponding interface | |
| 1 | 10.1.1.1/24 | E0/1 | |
| 2 | 10.1.2.1/24 | E0/2 | |
| 3 | 10.1.3.1/24 | E0/3 |
Be the packet of 10.1.2.2 for purpose IP address for example, according to the longest matching result of content in this route table items, the outgoing interface that can obtain this purpose IP address correspondence is E0/2.
Step s305, router judge that whether incoming interface and outgoing interface belong to any pre-configured isolation group, are then to carry out step s306, otherwise carry out step s307.
Concrete, be example with outgoing interface and the corresponding incoming interface that obtains among the step s304, router can be inquired about the isolation Groups List described in the above-mentioned steps s301.For incoming interface E0/1 and outgoing interface E0/2, can find in index1 is the isolation group of index, to comprise interface E0/1 and E0/2 that illustrating between the user terminal under these two interfaces needs to carry out three layers of isolation.
Step s306, router are refused the forwarding operation of this packet.
Concrete, when incoming interface and outgoing interface belonged to pre-configured isolation group, router was refused the forwarding operation of this packet.
Step s307, router are transmitted this packet to outgoing interface.
Concrete, the access switch under the outgoing interface is forwarded to its purpose IP address with this packet, and user terminal PC2 receives this packet.
Need to prove that for the network scenarios of convergence router and core router unification, method provided by the invention is suitable equally.Concrete execution mode is similar to above-mentioned flow process shown in Figure 3, does not repeat to introduce at this.
In the method provided by the invention, carry out three layers for needs and transmit the packet of handling, outgoing interface and incoming interface and pre-configured isolation group according to packet judge whether packet is transmitted, thereby only need simple configuration can realize three layers of isolation features to user terminal.In addition, make the user of different segment to exchange visits, realized network security based on three layers of isolation features in network internal.Do not support under the situation of three layers of isolation at the hardware of routing device, still can be by three layers of isolation of software mode realization to user terminal.
The present invention also provides a kind of routing device, comprises a plurality of interfaces, and these interfaces are as the outgoing interface or the incoming interface of packet.As shown in Figure 4, this routing device comprises:
Receiving element 20 is used for carrying out three layers from the needs that incoming interface reception user terminal sends and transmits the packets of handling;
Outgoing interface acquiring unit 30 is used for obtaining according to route table items the outgoing interface of this packet;
In the routing device of the present invention, as shown in Figure 5, also comprise:
Isolation order input unit 50 is used for the isolation group according to default command format configuration isolation dispensing unit 40, a plurality of interfaces that comprise the isolation order title in this command format, isolate group id and needs isolation.
Forward processing unit 60 is used for when incoming interface and outgoing interface do not belong to pre-configured isolation group, and this packet is transmitted in the purpose IP address in outgoing interface.
In addition, above-mentioned outgoing interface acquiring unit 30 may further include:
Purpose IP address obtains subelement 31, is used to obtain the purpose IP address of packet;
Effective address judgment sub-unit 32 is used to judge that purpose IP address obtains whether the purpose IP address that subelement 31 obtains is effective address, is then to notify outgoing interface to obtain subelement 33, otherwise abandons this packet;
Outgoing interface obtains subelement 33, is used for obtaining according to purpose IP address the route table items of the purpose IP matching addresses routing table that subelement 31 obtains, and obtains the outgoing interface of packet according to matching result.
In the routing device provided by the invention, carry out three layers for needs and transmit the packet of handling, outgoing interface and incoming interface and pre-configured isolation group according to packet, judge whether packet is transmitted, thereby only need simple configuration can realize three layers of isolation features user terminal.In addition, make the user of different segment to exchange visits, realized network security based on three layers of isolation features in network internal.Do not support under the situation of three layers of isolation at the hardware of routing device, still can be by three layers of isolation of software mode realization to user terminal.
Above-mentioned module can be distributed in a device, also can be distributed in multiple arrangement.Above-mentioned module can be merged into a module, also can further split into a plurality of submodules.
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by hardware, also can realize by the mode that software adds necessary general hardware platform.Based on such understanding, technical scheme of the present invention can embody with the form of software product, it (can be CD-ROM that this software product can be stored in a non-volatile memory medium, USB flash disk, portable hard drive etc.) in, comprise some instructions with so that computer equipment (can be personal computer, server, the perhaps network equipment etc.) carry out the described method of each embodiment of the present invention.
It will be appreciated by those skilled in the art that accompanying drawing is the schematic diagram of a preferred embodiment, module in the accompanying drawing or flow process might not be that enforcement the present invention is necessary.
It will be appreciated by those skilled in the art that the module in the device among the embodiment can be distributed in the device of embodiment according to the embodiment description, also can carry out respective change and be arranged in the one or more devices that are different from present embodiment.The module of the foregoing description can be merged into a module, also can further split into a plurality of submodules.
The invention described above embodiment sequence number is not represented the quality of embodiment just to description.
More than disclosed only be several specific embodiment of the present invention, still, the present invention is not limited thereto, any those skilled in the art can think variation all should fall into protection scope of the present invention.
Claims (10)
1. the method for three layers of isolation between the user terminal is characterized in that, comprising:
Dispose at least one isolation group, comprise a plurality of interfaces that to isolate in twos in the described isolation group;
Receive needs that user terminal sends from incoming interface and carry out three layers when transmitting the packet of handling, obtain the outgoing interface of described packet according to route table items;
When described incoming interface and outgoing interface belong to arbitrary isolation group, refuse the forwarding operation of described packet.
2. the method for claim 1 is characterized in that, the user terminal in the described isolation group under a plurality of interfaces belongs to the different network segments respectively.
3. method as claimed in claim 1 or 2 is characterized in that, at least one isolation group of described configuration comprises:
Dispose described isolation group according to default command format, comprise a plurality of interfaces that isolation order title, isolation group id and needs are isolated in twos in the described command format.
4. method as claimed in claim 1 or 2 is characterized in that, the described outgoing interface that obtains described packet according to route table items comprises:
Obtain the purpose IP address of described packet;
Judge whether described purpose IP address is effective address, is then to continue, otherwise abandon described packet;
According to the route table items of described purpose IP matching addresses routing table, obtain the outgoing interface of described packet according to matching result.
5. method as claimed in claim 4 is characterized in that, also comprises:
When described incoming interface and outgoing interface did not belong to described arbitrary isolation group, described packet was transmitted in the purpose IP address in described outgoing interface.
6. a routing device is characterized in that, comprising:
The isolation configuration unit is used to dispose at least one isolation group, comprises a plurality of interfaces that need isolate in twos in the described isolation group;
Receiving element is used for carrying out three layers from the needs that incoming interface reception user terminal sends and transmits the packets of handling;
The outgoing interface acquiring unit is used for obtaining according to route table items the outgoing interface of described packet;
The isolation processing unit is used for refusing the forwarding operation of described packet when described incoming interface and outgoing interface belong to arbitrary isolation group.
7. routing device as claimed in claim 6 is characterized in that, the user terminal in the described isolation configuration unit under a plurality of interfaces belongs to the different network segments.
8. routing device as claimed in claim 7 is characterized in that, also comprises:
The isolation order input unit is used for the isolation group that the default command format of basis disposes described isolation configuration unit, comprises a plurality of interfaces that isolation order title, isolation group id and needs are isolated in twos in the described command format.
9. as claim 7 or 8 described routing devices, it is characterized in that described outgoing interface acquiring unit comprises:
Purpose IP address obtains subelement, is used to obtain the purpose IP address of described packet;
The effective address judgment sub-unit is used to judge whether described purpose IP address is effective address, is then to notify outgoing interface to obtain subelement, otherwise abandons described packet;
Outgoing interface obtains subelement, is used for the route table items according to described purpose IP matching addresses routing table, obtains the outgoing interface of described packet according to matching result.
10. routing device as claimed in claim 9 is characterized in that, also comprises:
Forward processing unit is used for when described incoming interface and outgoing interface do not belong to described arbitrary isolation group, and described packet is transmitted in the purpose IP address in described outgoing interface.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101879519A CN101447927B (en) | 2008-12-30 | 2008-12-30 | Method and routing device for three-layer isolation of user terminals |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101879519A CN101447927B (en) | 2008-12-30 | 2008-12-30 | Method and routing device for three-layer isolation of user terminals |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101447927A CN101447927A (en) | 2009-06-03 |
| CN101447927B true CN101447927B (en) | 2010-11-10 |
Family
ID=40743339
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008101879519A Active CN101447927B (en) | 2008-12-30 | 2008-12-30 | Method and routing device for three-layer isolation of user terminals |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101447927B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104754074A (en) * | 2015-03-31 | 2015-07-01 | 江苏恒信和安电子科技有限公司 | Self-conversion network segment router |
| CN107493233A (en) * | 2016-06-12 | 2017-12-19 | 上海斯远计算机网络信息科技有限公司 | A kind of method for routing and system based on user terminal |
| CN106878986B (en) * | 2017-01-05 | 2021-03-26 | 新华三技术有限公司 | User isolation method and device |
| CN110708305B (en) * | 2019-09-27 | 2022-04-15 | 国家计算机网络与信息安全管理中心 | Network isolation equipment and method |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1507215A (en) * | 2002-12-11 | 2004-06-23 | 华为技术有限公司 | Two-layer message isolating method |
| CN101232509A (en) * | 2008-02-26 | 2008-07-30 | 杭州华三通信技术有限公司 | Equipment, system and method for supporting insulation mode network access control |
-
2008
- 2008-12-30 CN CN2008101879519A patent/CN101447927B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1507215A (en) * | 2002-12-11 | 2004-06-23 | 华为技术有限公司 | Two-layer message isolating method |
| CN101232509A (en) * | 2008-02-26 | 2008-07-30 | 杭州华三通信技术有限公司 | Equipment, system and method for supporting insulation mode network access control |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101447927A (en) | 2009-06-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7636360B2 (en) | Dynamic VLAN ID assignment and packet transfer apparatus | |
| US9246791B2 (en) | Method and apparatus for routing and forwarding between virtual routers within a single network element | |
| CN101702679B (en) | Message processing method and exchange apparatus based on virtual local area network | |
| CN101141304B (en) | Management method and equipment of ACL regulation | |
| CN104780088A (en) | Service message transmission method and equipment | |
| CN101729425B (en) | Method and equipment for flow sending in VRRP networking | |
| CN101635702B (en) | Method for forwarding data packet using security strategy | |
| CN102255785A (en) | Network isolation method in VPLS (Virtual Private Lan Service) and device thereof | |
| CN107302806A (en) | The method and Multi-Mode Base Station of a kind of realizing transmission line sharing of multi-mode base station | |
| US20100271949A1 (en) | Traffic processing system and method of processing traffic | |
| CN101447927B (en) | Method and routing device for three-layer isolation of user terminals | |
| TW200406685A (en) | Interface architecture | |
| CN101272350B (en) | Output access control method and output access control device | |
| CN101827366B (en) | Method, unit and device for isolating wireless network user | |
| CN106027354A (en) | Backflow method and device for VPN (Virtual Private Network) client | |
| CN101557541B (en) | Data package transmission method, system and device thereof | |
| CN1157902C (en) | Ip address mapping and transmitting method for non-broadcast multipath access network | |
| CN101742008A (en) | Media stream proxy method, voice exchanger and communication system | |
| JP2006174399A (en) | Communication method in group, system and recording medium | |
| CN101483590B (en) | Network communication equipment and packet routing method thereof | |
| KR20020090141A (en) | Public access separation in a virtual networking environment | |
| CN102083173A (en) | Network access control method, equipment and gateway GPRS support node | |
| CN103370910A (en) | Methods, systems, and computer readable media for next hop scaling with link aggregation | |
| JP2010074504A (en) | Communication method and communication device | |
| JP2004072160A (en) | Switching method and apparatus, and computer program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |
|
| CP03 | Change of name, title or address |