CN101447933A - Assisting method and device, method and system as well as switch device for port safety protection - Google Patents


Info

Publication number: CN101447933A
Authority: CN (China)
Prior art keywords: port, MAC address, switching equipment, security, security domain
Legal status: Granted (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CNA2008101917258A
Other languages: Chinese (zh)
Other versions: CN101447933B (en)
Inventor: 李蔚
Current assignee: New H3C Technologies Co Ltd (as listed; may be inaccurate)
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN2008101917258A; publication of CN101447933A; application granted; publication of CN101447933B; current legal status: active.

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an assisting method and device for port security protection. The method comprises the following steps: setting security domains with different priorities on a switching device; adding each port of the switching device to the corresponding security domain; and controlling the ports in a high-priority security domain to learn MAC addresses preferentially. The invention also discloses a method and a system for port security protection, as well as the switching device. The invention improves the accuracy of port MAC address learning to a certain extent and effectively guarantees the access and traffic of key users.

Description

Assisting method and device, method and system, and switching device for port security protection
Technical field
The present invention relates to the field of communication network technology, and in particular to an assisting method and an assisting device for port security protection, a method and a system for port security protection, and a switching device.
Background technology
Port security protection mechanisms of switching devices include 802.1x authentication and MAC address authentication. The former authenticates the user's identity on a per-port basis; the latter authenticates by MAC (Media Access Control) address on a per-port basis. At present, a common port security mechanism combines 802.1x authentication and MAC address authentication to control network access. Its operating principle is: user identity is authenticated per port, while MAC address learning is also performed per port; when an invalid packet is found, the switching device handles it in a pre-specified manner, which is convenient for user management and also improves the security of the switching device. Invalid packets include: packets sent by users that have not passed authentication, and, once the number of learned MAC addresses has reached the maximum number of MAC address entries the port allows (this number is 0 when MAC address learning is disabled on the port), packets whose source MAC address is an unknown MAC address.
In the above port security mechanism, MAC address authentication is implemented as follows: the switching device defines a port security mode under which the port learns the MAC addresses of legitimate packets, and the learned legitimate MAC addresses are stored in the content-addressable memory (CAM; this CAM is the address table used for layer-2 switching and records the correspondence between ports and MAC addresses). Access by unauthorized devices is then controlled by checking the source MAC address in each data frame, and access to unauthorized devices is controlled by checking the destination MAC address in each data frame: only packets whose source or destination MAC address is a legitimate learned MAC address or a configured static MAC address can pass through the corresponding port.
The above MAC address authentication mode has the advantage of being simple and easy to control: only a maximum number of MAC addresses to learn needs to be specified for each port on the switching device. Once the number of legitimate MAC addresses under a port exceeds the maximum number the port is allowed to learn, the port mode changes automatically to secure and no new MAC addresses are learned.
However, the above implementation of MAC address authentication has the following defects:
1. It is difficult to guarantee the accuracy of port MAC address learning. If port 1 has learned MAC1 of user 1, but user 2 under port 2 forges the address MAC1, the switching device deletes the MAC1 learned on port 1 and learns MAC1 on port 2 instead. Worse, if user 1 and user 2 send packets repeatedly, this causes MAC address flapping in the switching device.
2. It is difficult to guarantee the traffic of key users. Continuing the above example, suppose user 1 is a key user and user 2 is a non-key user; user 2 can then easily block user 1's traffic, with very bad consequences. For instance, the uplink port of the switching device is critical and the upstream gateway is the most important user; if a user connected to a downlink port forges the gateway MAC address, the switching device learns the gateway MAC address on the downlink port, interrupting all services.
3. Configuration is troublesome. Configuring the maximum number of MAC addresses to learn for each port requires a careful assessment of the maximum number of nodes connected under each port, and configuring port by port is itself a tedious process.
Summary of the invention
Embodiments of the invention aim to overcome the defects of the above prior-art port security mechanism by providing an assisting scheme for port security protection, thereby improving the accuracy of port MAC address learning and guaranteeing the traffic of key users.
To achieve the above object, embodiments of the invention provide an assisting method for port security protection, used to assist a switching device in port MAC address learning, comprising the following steps:
Step S1: setting security domains with different priorities for the switching device;
Step S2: adding each port of the switching device to the corresponding security domain, and controlling the ports under a high-priority security domain to learn MAC addresses preferentially.
The step of controlling the ports under a high-priority security domain to learn MAC addresses preferentially may comprise: when a MAC address learned by a first port conflicts with a MAC address entry already learned by a second port in the switching device's CAM, identifying the security domains to which the first port and the second port belong; if the priority of the first port's security domain is higher than that of the second port's security domain, deleting the second port's MAC address entry from the CAM and adding the first port's MAC address entry instead; otherwise, discarding the packet received on the first port.
And/or the step of controlling the ports under a high-priority security domain to learn MAC addresses preferentially may comprise: when the switching device's CAM is full and a port learns a new MAC address, identifying the priority of the security domain to which the port belongs; if the CAM records MAC address entries of lower-priority ports, deleting a corresponding number of MAC address entries of the lowest-priority ports; otherwise, changing the port mode to secure and stopping MAC address learning on the port.
Preferably, the step in S2 of adding each port of the switching device to the corresponding security domain may comprise adding the ports of the switching device to the corresponding security domains in batches, avoiding port-by-port configuration.
Preferably, the assisting method for port security protection also comprises keeping the default setting of the switching device's ports, the default being no limit on the maximum number of MAC addresses learned, thereby avoiding the work of assessing the number of connections for each port.
Embodiments of the invention also provide an assisting device for port security protection, arranged in a switching device to assist it in port MAC address learning, comprising: a security domain division unit, used to set security domains with different priorities; a port setting unit, connected to the security domain division unit, used to add each port of the switching device to the corresponding security domain; and a MAC address learning control unit, connected to the port setting unit and to the CAM in the switching device, used to control the ports under a high-priority security domain to learn MAC addresses preferentially.
The MAC address learning control unit may comprise a port conflict control module, used, when a MAC address learned by a first port conflicts with a MAC address entry already learned by a second port in the switching device's CAM, to identify the security domains to which the first port and the second port belong; if the priority of the first port's security domain is higher than that of the second port's security domain, to delete the second port's MAC address entry from the CAM and add the first port's MAC address entry instead; otherwise, to discard the packet received on the first port.
And/or the MAC address learning control unit may comprise a CAM overflow control module, used, when the switching device's CAM is full and a port learns a new MAC address, to identify the priority of the security domain to which the port belongs; if the CAM records MAC address entries of lower-priority ports, to delete a corresponding number of MAC address entries of the lowest-priority ports; otherwise, to change the port mode to secure and stop MAC address learning on the port.
Preferably, the port setting unit may comprise a batch processing interface, used to add the ports of the switching device to the corresponding security domains in batches.
Preferably, each port of the switching device keeps the default setting, the default being no limit on the maximum number of MAC addresses learned.
Embodiments of the invention also provide a method of port security protection, in which the switching device learns MAC addresses based on the above assisting method and performs network access control according to the learned MAC addresses.
Embodiments of the invention also provide a system of port security protection, arranged in a switching device, comprising a MAC address learning unit and a CAM that stores the port MAC address learning results, and further comprising the above assisting device for port security protection.
Embodiments of the invention also provide a switching device provided with the above assisting device for port security protection or the above system of port security protection.
As can be seen from the above technical solution, embodiments of the invention divide the ports of the switching device by priority and let the ports under a high-priority security domain learn MAC addresses preferentially, with the following beneficial effects:
1. The accuracy of port MAC address learning is improved to a certain extent;
2. The access and traffic of key users are effectively guaranteed;
3. With the further batch setting and default setting, configuration is effectively simplified.
The above and other objects, features and advantages of the present invention will become more apparent from the following description of preferred embodiments with reference to the accompanying drawings.
Description of drawings
Fig. 1 is a flow chart of an embodiment of the assisting method for port security protection provided by the invention;
Fig. 2A and 2B are flow charts of embodiments, within the method of Fig. 1, of controlling the ports under a high-priority security domain to learn MAC addresses preferentially;
Fig. 3 is a network diagram of a specific embodiment of the method of Fig. 1;
Fig. 4 is a block diagram of an embodiment of the assisting device for port security protection provided by the invention;
Fig. 5 is a block diagram of another embodiment of the assisting device for port security protection provided by the invention;
Fig. 6 is a block diagram of an embodiment of the system of port security protection provided by the invention.
Embodiment
Specific embodiments of the invention are described in detail below. It should be noted that the embodiments described here are for illustration only and do not limit the invention.
The main idea of the invention is to set a plurality of security domains for the switching device, each configured with a corresponding security level (also called priority), and to place ports into these security domains so that MAC address learning on each port is controlled with a different priority. This solves the problems of poor MAC address learning accuracy and unguaranteed key-user traffic in the switching devices of existing port security mechanisms. The technical scheme provided by the invention is introduced in detail below.
First, with reference to Fig. 1, the invention provides an assisting method for port security protection, used to assist a switching device in port MAC address learning. It can be used with a port security mechanism based on MAC address authentication, or on MAC address authentication combined with 802.1x authentication, or in any other situation where MAC address learning is needed.
The assisting method for port security protection comprises the following steps:
Step S1: setting security domains with different priorities for the switching device, i.e. configuring a plurality of security domains for the switching device, each configured with a corresponding priority;
Step S2: adding each port of the switching device to the corresponding security domain, and controlling the ports under a high-priority security domain to learn MAC addresses preferentially.
In step S2, ports may be added to security domains according to the characteristics of the users accessing each port of the switching device. For instance, if security domains of three priorities (high, medium and low) are set, the port connecting the gateway should be added to the high-priority security domain, ports connecting key users (for example financial users or administrative users) to the medium-priority security domain, and ports connecting ordinary users (for example general office users) to the low-priority security domain. This example is only illustrative; in practice, finer- or coarser-grained security domains may be divided as needed and ports added accordingly, and each security domain may of course contain multiple ports.
Preferably, adding each port of the switching device to the corresponding security domain may be implemented by adding the ports in batches, for example adding all ports under a certain network segment to a security domain together, so that no port-by-port configuration is needed and the configuration work of MAC address authentication is effectively simplified.
Through the above processing of step S2, the ports added to different security domains have correspondingly different priorities, and subsequent MAC address learning control is based on port priority. Specifically, the following measures may be taken:
(1) Controlling MAC address learning based on port priority to improve the accuracy of MAC address learning. The idea is: if a MAC address learned under a low-priority port conflicts with a MAC address already learned by a high-priority port, the MAC address under the low-priority port is deleted. The concrete scheme, shown in Fig. 2A, comprises:
When a MAC address learned by a first port conflicts with a MAC address entry already learned by a second port in the switching device's CAM, identifying the security domains to which the first port and the second port belong;
If the priority of the first port's security domain is higher than that of the second port's security domain, deleting the second port's MAC address entry from the CAM and adding the first port's MAC address entry instead;
Otherwise, discarding the packet received on the first port and keeping the original MAC address entry.
It can be seen that, with the above port-priority-based MAC address learning control, even if a user on a low-priority port maliciously forges a MAC address, the forged address is rejected because of the port MAC address conflict with the high-priority user, and the key user's traffic is guaranteed.
At the same time, the accuracy of MAC address learning is greatly improved: a port connecting a low-priority user cannot learn a MAC address identical to one on a port connecting a high-priority user, so the probability of learning a forged MAC address is greatly reduced. In practice, high-priority users are highly reliable, and there is essentially no possibility of a high-priority user maliciously forging the MAC address of a low-priority or same-priority user; therefore, although MAC address forgery between low-priority users remains possible, the accuracy of MAC address learning is greatly improved compared with the prior art.
(2) Controlling MAC address learning based on port priority to guarantee smooth access for high-priority users. The idea is: if the CAM is full but a high-priority port has a new MAC address to add, a corresponding number of port MAC address entries belonging to the lowest-priority security domain can be deleted from the CAM, thereby guaranteeing smooth access for the high-priority user. The concrete scheme, shown in Fig. 2B, comprises:
When the switching device's CAM is full and a port learns a new MAC address, identifying the priority of the security domain to which the port belongs;
If the CAM records MAC address entries of lower-priority ports, deleting a corresponding number of MAC address entries of the lowest-priority ports; note that the deletion starts from the MAC address entries corresponding to the lowest-priority ports;
Otherwise, changing the port mode to secure and stopping MAC address learning on the port.
It can be seen that, with the above port-priority-based MAC address learning control, high-priority ports can use the CAM capacity of the switching device preferentially, and the phenomenon of low-priority ports occupying CAM capacity so that high-priority ports cannot learn MAC addresses does not occur.
Those skilled in the art will understand that either of the two schemes described above for controlling the ports under a high-priority security domain to learn MAC addresses preferentially may be used alone; the preferred embodiment, of course, combines both schemes, guaranteeing both the access and the traffic of high-priority users.
In general, through the above steps S1 to S2, the assisting method for port security protection provided by the invention can improve the accuracy of port MAC address learning to a certain extent and effectively guarantee the access and traffic of key users.
As a preferred embodiment, the assisting method for port security protection provided by the invention may further include the step of keeping the default setting of the switching device's ports, the default being no limit on the maximum number of MAC addresses learned. That is to say, in actual access, the access situation is adjusted according to priority within the capacity of the CAM, and the number of accesses on each port is unrestricted. With this default setting, the administrator no longer needs to make a difficult assessment of the number of nodes under each port one by one, effectively reducing the configuration workload.
Below, the assisting method for port security protection provided by the invention is described by way of a specific embodiment, to help deepen understanding of the scheme.
Referring to Fig. 3: user 1 is a key user (for example the machine of a leader's office or of the finance office), user 2 is a non-key user (an ordinary office machine), and the router is the egress gateway, whose MAC address is MAC3.
Three domains Sec1, Sec2 and Sec3 are configured on the core switch (also called the aggregation switch), with different priorities SL1, SL2 and SL3 assigned, where SL3 > SL1 > SL2; (Sec1, SL1), (Sec2, SL2) and (Sec3, SL3) then constitute the three security domains of the core switch.
On the core switch, ports Port1, Port2 and Port3 are added to different security domains according to the characteristics of the users they connect, forming ports of three different security levels: (Sec1, SL1, Port1), (Sec2, SL2, Port2) and (Sec3, SL3, Port3).
At the same time, each port is set to the default setting, i.e. no maximum number of MAC addresses to learn is configured for any port, simplifying the configuration of MAC address authentication.
After the above configuration, the subsequent port-priority-based MAC address learning flow can begin. Several situations that may actually occur are simulated to illustrate the effect of the invention:
For example, the gateway sends a packet to the core switch, and the core switch learns MAC3;
User 1 sends a packet to the core switch through a layer-2 access switch, and the core switch learns MAC2;
Now, if user 2 forges the gateway's MAC3 (forging user 1's MAC1 has the same effect; MAC3 is used here as the example) and sends a packet to the core switch, the core switch finds that different ports have a duplicate MAC address and compares the security levels of (Sec3, SL3, Port3) and (Sec2, SL2, Port2): SL3 > SL2. The switch therefore judges (MAC3, Port3) legitimate and (MAC3, Port2) illegitimate, and discards the packet.
For another example, suppose user 2 first forges a packet with user 1's MAC1, forming a (MAC1, Port2) entry on the core switch;
If user 1 then goes online, the core switch finds that different ports have a duplicate MAC address and compares the security levels of (Sec1, SL1, Port1) and (Sec2, SL2, Port2): SL1 > SL2. The switch therefore judges (MAC1, Port1) legitimate and (MAC1, Port2) illegitimate, deletes the (MAC1, Port2) entry, and guarantees user 1's normal access.
As a further example, suppose user 2 forges a large number of MAC addresses and occupies the whole CAM capacity of the core switch;
If user 1 then goes online, the core switch deletes a corresponding number of MAC addresses from the port MAC address table of the lowest-priority security domain (Sec2, SL2), guaranteeing smooth access for high-priority user 1.
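The two control schemes (Fig. 2A port conflict control and Fig. 2B CAM overflow control) and the three Fig. 3 cases above, as an added Python simulation that is not part of the patent: the `PrioritySwitch` class, the numeric priorities, the CAM capacity of 4 and the `FAKE*` addresses are constructed assumptions, and user 1's address is taken as MAC1, following cases 2 and 3.

```python
"""Simulation (added here; not the patent's own code) of priority-based
MAC address learning: port conflict control and CAM overflow control."""
from dataclasses import dataclass, field


@dataclass
class PrioritySwitch:
    """Switch whose CAM maps MAC -> port; each port has a numeric priority."""
    cam_capacity: int
    port_priority: dict                        # port -> priority (higher wins)
    cam: dict = field(default_factory=dict)    # mac -> owning port
    secure_ports: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _evict_lowest(self, needed, above):
        """CAM overflow control: free `needed` entries, taking them from the
        lowest-priority ports first, only among ports with priority strictly
        below `above`. Returns the number of entries actually freed."""
        victims = sorted(
            (mac for mac, port in self.cam.items()
             if self.port_priority[port] < above),
            key=lambda mac: self.port_priority[self.cam[mac]])
        freed = 0
        for mac in victims[:needed]:
            self.log.append(f"evict {mac} on {self.cam[mac]}")
            del self.cam[mac]
            freed += 1
        return freed

    def learn(self, port, mac):
        """Process a frame with source `mac` received on `port`.
        Returns 'learned', 'kept', 'replaced', 'dropped' or 'secure'."""
        prio = self.port_priority[port]
        if mac in self.cam:
            owner = self.cam[mac]
            if owner == port:
                return "kept"                   # refresh, no conflict
            # Port conflict control (Fig. 2A): higher priority wins, else drop
            if prio > self.port_priority[owner]:
                self.log.append(f"replace {mac}: {owner} -> {port}")
                self.cam[mac] = port
                return "replaced"
            self.log.append(f"drop {mac} from {port} (owned by {owner})")
            return "dropped"
        if port in self.secure_ports:
            return "secure"                     # port already stopped learning
        if len(self.cam) >= self.cam_capacity:
            # CAM overflow control (Fig. 2B): evict lower-priority entries,
            # or put this port into secure mode if there are none.
            if self._evict_lowest(1, above=prio) == 0:
                self.secure_ports.add(port)
                self.log.append(f"{port} -> secure mode")
                return "secure"
        self.cam[mac] = port
        return "learned"


def _fresh():
    # Priorities from the patent's example: SL3 > SL1 > SL2, i.e.
    # Port3 (gateway) > Port1 (key user 1) > Port2 (non-key user 2).
    return PrioritySwitch(cam_capacity=4,
                          port_priority={"Port1": 2, "Port2": 1, "Port3": 3})


def case_spoofed_gateway():
    """Fig. 3 case 1: user 2 on Port2 forges the gateway address MAC3."""
    sw = _fresh()
    sw.learn("Port3", "MAC3")
    return sw.learn("Port2", "MAC3"), sw.cam["MAC3"]


def case_spoofed_user_first():
    """Fig. 3 case 2: user 2 forges MAC1 before user 1 comes online."""
    sw = _fresh()
    sw.learn("Port2", "MAC1")
    return sw.learn("Port1", "MAC1"), sw.cam["MAC1"]


def case_cam_flood():
    """Fig. 3 case 3: user 2 floods constructed FAKE* MACs until the CAM
    is full; then key user 1 comes online and must still be learned."""
    sw = _fresh()
    sw.learn("Port3", "MAC3")
    flood = [sw.learn("Port2", f"FAKE{i}") for i in range(5)]
    user1 = sw.learn("Port1", "MAC1")
    return flood, user1, dict(sw.cam)
```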
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment may be completed by program instructions controlling the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the following steps:
Step S1: setting security domains with different priorities for the switching device;
Step S2: adding each port of the switching device to the corresponding security domain, and controlling the ports under a high-priority security domain to learn MAC addresses preferentially.
The storage medium comprises: ROM/RAM (Read Only Memory / Random-Access Memory), magnetic disk, optical disc, etc.
Continuing, Fig. 4 shows a block diagram of an embodiment of the assisting device for port security protection of the invention. The assisting device 400 is arranged in a switching device to assist it in port MAC address learning, and comprises:
a security domain division unit 410, used to set security domains with different priorities;
a port setting unit 420, connected to the security domain division unit 410, used to add each port of the switching device to the corresponding security domain;
a MAC address learning control unit 430, connected to the port setting unit 420 and to the CAM in the switching device, used to control the ports under a high-priority security domain to learn MAC addresses preferentially.
It can be seen that, with the assisting device 400 for port security protection provided by the invention, port learning can be controlled based on priority, guaranteeing key users' traffic and access and improving the accuracy of MAC address learning.
As a specific embodiment, referring to Fig. 5, the assisting device 500 for port security protection comprises a security domain division unit 510, a port setting unit 520 and a MAC address learning control unit 530; the connections between the units and their functions are the same as in the embodiment of Fig. 4.
The MAC address learning control unit 530 comprises a port conflict control module 531 and/or a CAM overflow control module 532.
The port conflict control module 531 is used, when a MAC address learned by a first port conflicts with a MAC address entry already learned by a second port in the switching device's CAM, to identify the security domains to which the first port and the second port belong; if the priority of the first port's security domain is higher than that of the second port's security domain, to delete the second port's MAC address entry from the CAM and add the first port's MAC address entry instead; otherwise, to discard the packet received on the first port and keep the original MAC address entry in the CAM.
The CAM overflow control module 532 is used, when the switching device's CAM is full and a port learns a new MAC address, to identify the priority of the security domain to which the port belongs; if the CAM records MAC address entries of lower-priority ports, to delete a corresponding number of MAC address entries of the lowest-priority ports; otherwise, to change the port mode to secure and stop MAC address learning on the port.
It can be seen that the port conflict control module 531 effectively guarantees key users' traffic and improves the accuracy of MAC address learning, while the CAM overflow control module 532 effectively guarantees key users' access; used in combination, the two achieve the best technical effect.
In addition, the port setting unit 520 includes a batch processing interface 521, used to add the ports of the switching device to the corresponding security domains in batches, simplifying configuration;
and each port of the switching device keeps the default setting of no limit on the maximum number of MAC addresses learned, reducing the per-port assessment workload and likewise simplifying configuration.
Next, the invention also provides a method of port security protection, in which the switching device learns MAC addresses based on the above assisting method and performs network access control according to the learned MAC addresses.
Those skilled in the art will understand that the above method of port security protection may also be combined with an 802.1x authentication scheme; since combining MAC address authentication with 802.1x authentication is a conventional means for those skilled in the art, it is not described further.
Further, the invention also provides a system 600 of port security protection, as shown in Fig. 6.
The system 600 of port security protection is arranged in a switching device and comprises a MAC address learning unit 610 and a CAM 620 that stores the port MAC address learning results, and further comprises the above assisting device for port security protection.
Finally, the invention also provides a switching device provided with the above assisting device for port security protection or the above system of port security protection.
Although the present invention has been described with reference to several exemplary embodiments, it should be understood that the terms used are illustrative and exemplary rather than restrictive. Since the invention can be embodied in a variety of forms without departing from its spirit or essence, it should be understood that the above embodiments are not limited to any of the foregoing details and should be interpreted broadly within the spirit and scope defined by the appended claims; therefore all changes and modifications that fall within the scope of the claims or their equivalents are to be covered by the appended claims.

Claims (13)

1. An assisting method for port security defence, used to assist switching equipment in learning port MAC addresses, characterized in that it comprises the following steps:
Step S1: setting security domains with different priorities for the switching equipment;
Step S2: adding each port of the switching equipment to the corresponding security domain, and controlling the ports in the high-priority security domain to learn MAC addresses preferentially.
2. The assisting method for port security defence according to claim 1, characterized in that the step of controlling the ports in the high-priority security domain to learn MAC addresses preferentially comprises:
when a MAC address learnt by a first port conflicts with a MAC address entry already learnt by a second port in the content-addressable memory of the switching equipment, identifying the security domains to which the first port and the second port belong;
if the priority of the security domain of the first port is higher than the priority of the security domain of the second port, deleting the MAC address entry of the second port from the content-addressable memory and adding the MAC address entry of the first port;
otherwise, discarding the message received by the first port.
3. The assisting method for port security defence according to claim 1, characterized in that the step of controlling the ports in the high-priority security domain to learn MAC addresses preferentially comprises:
when the content-addressable memory of the switching equipment is full and a port learns a new MAC address, identifying the priority of the security domain to which the port belongs;
if the content-addressable memory holds MAC address entries of lower-priority ports, deleting the corresponding number of MAC address entries of the lowest-priority port;
otherwise, switching the port into secure mode and stopping MAC address learning on the port.
4. The assisting method for port security defence according to any one of claims 1-3, characterized in that the step in step S2 of adding each port of the switching equipment to the corresponding security domain comprises: adding the ports of the switching equipment to the corresponding security domains in batches.
5. The assisting method for port security defence according to any one of claims 1-3, characterized in that it further comprises: keeping the default setting of the switching equipment ports, the default setting being no limit on the maximum number of MAC addresses learnt.
6. An assisting device for port security defence, located in switching equipment to assist the switching equipment in learning port MAC addresses, characterized in that it comprises:
a security domain division unit, used to set security domains with different priorities;
a port setting unit, connected to the security domain division unit, used to add each port of the switching equipment to the corresponding security domain;
a MAC address learning control unit, connected to the port setting unit and to the content-addressable memory in the switching equipment, used to control the ports in the high-priority security domain to learn MAC addresses preferentially.
7. The assisting device for port security defence according to claim 6, characterized in that the MAC address learning control unit comprises a port conflict control module, used to: when a MAC address learnt by a first port conflicts with a MAC address entry already learnt by a second port in the content-addressable memory of the switching equipment, identify the security domains to which the first port and the second port belong; if the priority of the security domain of the first port is higher than the priority of the security domain of the second port, delete the MAC address entry of the second port from the content-addressable memory and add the MAC address entry of the first port; otherwise, discard the message received by the first port.
8. The assisting device for port security defence according to claim 6, characterized in that the MAC address learning control unit comprises a content-addressable memory overflow control module, used to: when the content-addressable memory of the switching equipment is full and a port learns a new MAC address, identify the priority of the security domain to which the port belongs; if the content-addressable memory holds MAC address entries of lower-priority ports, delete the corresponding number of MAC address entries of the lowest-priority port; otherwise, switch the port into secure mode and stop MAC address learning on the port.
9. The assisting device for port security defence according to any one of claims 6-8, characterized in that the port setting unit comprises a batch processing interface, used to add the ports of the switching equipment to the corresponding security domains in batches.
10. The assisting device for port security defence according to any one of claims 6-8, characterized in that each port of the switching equipment keeps its default setting, the default setting being no limit on the maximum number of MAC addresses learnt.
11. A port security defence method, characterized in that the switching equipment learns MAC addresses based on the assisting method for port security defence according to any one of claims 1-5, and performs network access control according to the learnt MAC addresses.
12. A port security defence system, located in switching equipment and comprising a MAC address learning unit and a content-addressable memory that stores the port MAC address learning results; characterized in that it further comprises the assisting device for port security defence according to any one of claims 6-10.
13. Switching equipment, characterized in that it is provided with the assisting device for port security defence according to any one of claims 6-10 or the port security defence system according to claim 12.
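The two procedures in claims 2 and 3 (and their device counterparts in claims 7 and 8) can be followed in a small simulation of the switch's MAC table. The Python model below is an added illustration and is not code from the patent or from H3C; the port names, security domain names, priorities and MAC addresses are constructed for the example. It shows why priority-based learning limits the damage of a MAC table flood arriving on a low-priority port: that port ends up in secure mode, while higher-priority ports keep learning by evicting its entries, and a lower-priority port cannot displace an address already bound to a higher-priority port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Port:
    name: str
    domain: str           # security domain the port was added to (claim 1, step S2)
    secure: bool = False  # True once the port has been switched to secure mode (claim 3)


@dataclass
class Switch:
    cam_size: int                                      # capacity of the content-addressable memory
    domain_priority: Dict[str, int]                    # security domain -> priority, higher wins
    ports: Dict[str, Port] = field(default_factory=dict)
    cam: Dict[str, str] = field(default_factory=dict)  # MAC address -> name of the port that learnt it

    def add_ports(self, domain: str, names: List[str]) -> None:
        """Add a batch of ports to one security domain (claim 4)."""
        for name in names:
            self.ports[name] = Port(name, domain)

    def priority(self, port_name: str) -> int:
        return self.domain_priority[self.ports[port_name].domain]

    def learn(self, port_name: str, mac: str) -> str:
        """Process a source MAC seen on a port and return the action taken."""
        port = self.ports[port_name]
        if port.secure:
            return "ignored"                 # a port in secure mode no longer learns
        owner = self.cam.get(mac)
        if owner == port_name:
            return "hit"                     # already bound to this port, nothing to do
        if owner is not None:
            # Claim 2: the address is already bound to another port.
            if self.priority(port_name) > self.priority(owner):
                del self.cam[mac]            # remove the lower-priority port's entry ...
                self.cam[mac] = port_name    # ... and bind the address to the higher-priority port
                return "replaced"
            return "dropped"                 # equal or lower priority: discard the frame, keep the entry
        if len(self.cam) >= self.cam_size:
            # Claim 3: the table is full; look for entries owned by lower-priority ports.
            mine = self.priority(port_name)
            victims = sorted((self.priority(p), m) for m, p in self.cam.items()
                             if self.priority(p) < mine)
            if victims:
                _, victim_mac = victims[0]   # evict one entry of the lowest-priority port
                del self.cam[victim_mac]
                self.cam[mac] = port_name
                return "evicted"
            port.secure = True               # nothing to evict: stop learning on this port
            return "secured"
        self.cam[mac] = port_name
        return "learned"


def run_demo() -> Tuple[List[str], Switch]:
    """Constructed scenario: a guest port floods the table, higher-priority ports keep working."""
    sw = Switch(cam_size=4, domain_priority={"core": 3, "staff": 2, "guest": 1})
    sw.add_ports("core", ["ge0"])
    sw.add_ports("staff", ["ge1"])
    sw.add_ports("guest", ["ge2"])
    core_srv, staff_pc = "00:1a:2b:00:00:01", "00:1a:2b:00:00:02"  # constructed sample MACs
    guests = [f"02:00:00:00:00:1{i}" for i in range(4)]              # flood sources on the guest port
    events = [
        ("ge0", core_srv), ("ge2", guests[0]), ("ge2", guests[1]), ("ge2", guests[2]),
        ("ge2", guests[3]),  # table full, no lower-priority entries -> guest port goes secure
        ("ge1", staff_pc),   # table full, but guest entries exist -> one of them is evicted
        ("ge1", core_srv),   # staff port presents the core server's MAC -> frame dropped
        ("ge0", staff_pc),   # core port sees the staff MAC -> higher priority wins, entry replaced
        ("ge2", guests[3]),  # secured port: ignored
    ]
    return [sw.learn(p, m) for p, m in events], sw


if __name__ == "__main__":
    actions, sw = run_demo()
    print(actions)
    print(sw.cam)
```

From a monitoring point of view, the "secured" and "dropped" outcomes are the events worth logging: the first marks a port that exhausted the table without any lower-priority entry to evict (the signature of a flood from that port), the second a lower-priority port presenting an address already bound to a higher-priority one.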

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101917258A CN101447933B (en) 2008-12-30 2008-12-30 Assisting method and device, method and system as well as switch device for port safety protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101917258A CN101447933B (en) 2008-12-30 2008-12-30 Assisting method and device, method and system as well as switch device for port safety protection

Publications (2)

Publication Number Publication Date
CN101447933A true CN101447933A (en) 2009-06-03
CN101447933B CN101447933B (en) 2011-06-01

Family

ID=40743345

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101917258A Active CN101447933B (en) 2008-12-30 2008-12-30 Assisting method and device, method and system as well as switch device for port safety protection

Country Status (1)

Country Link
CN (1) CN101447933B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4506637B2 (en) * 2002-09-02 2010-07-21 ソニー株式会社 Information processing apparatus, information processing method, and computer program
CN100373891C (en) * 2004-09-03 2008-03-05 上海贝尔阿尔卡特股份有限公司 Method, device and system for controlling network MAC address collision

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011079607A1 (en) * 2009-12-28 2011-07-07 中兴通讯股份有限公司 Method and apparatus for implementing anti-transferring of media access control address of switch port
CN102356607A (en) * 2011-08-25 2012-02-15 华为技术有限公司 Method and apparatus for learning media being accessed with control address
WO2012162964A1 (en) * 2011-08-25 2012-12-06 华为技术有限公司 Method and device for learning media access control address
CN102664804A (en) * 2012-04-24 2012-09-12 汉柏科技有限公司 Method and system for achieving network bridge function of network equipment
CN102664804B (en) * 2012-04-24 2015-03-25 汉柏科技有限公司 Method and system for achieving network bridge function of network equipment
CN103095717A (en) * 2013-01-28 2013-05-08 杭州华三通信技术有限公司 Method and network equipment preventing media access control (MAC) address table from overflowing and attacking
CN103095717B (en) * 2013-01-28 2015-11-25 杭州华三通信技术有限公司 Method and network equipment for preventing MAC address table flooding
CN107547408A (en) * 2017-07-28 2018-01-05 新华三技术有限公司 Method and device for processing MAC address hash collision
CN107547408B (en) * 2017-07-28 2020-08-28 新华三技术有限公司 Method and device for processing MAC address hash collision

Also Published As

Publication number Publication date
CN101447933B (en) 2011-06-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.