Network terminal management method
Technical field
The present invention relates to equipment management in network management, and in particular to a network terminal management method.
Background technology
In government departments and industries such as finance, telecommunications and public security, the information handled is highly confidential, so the departmental intranet must be strictly managed and controlled: no terminal may connect to the departmental intranet unless it has been permitted and authenticated.
Managing the access of network terminals is an important means of network terminal management and control. It is usually done manually: all network ports that can reach the intranet are managed and assigned by hand; each terminal permitted to connect is assigned an IP address, and its MAC address and the address of the network port it connects to are recorded; the network ports are manually managed and controlled, with fixed installation positions; all administrative areas from which the intranet can be reached are subject to access control and manual supervision; and a legitimate terminal, after being configured with its assigned IP address, connects to the departmental intranet from its assigned fixed position.
Managing network terminal access by manual management and area control has the following problems: the management cost is high, and the access terminals cannot be controlled completely and effectively.
The method and system provided by the present invention automatically acquire, via SNMP and Telnet/SSH, the terminals connected downstream of each port of the intranet core switch, automatically compare and match them, automatically block terminals that are not permitted so that they cannot access the departmental or enterprise intranet, and automatically release terminals that are permitted. This saves the cost of manual management while providing complete and effective terminal management.
Summary of the invention
SNMP: Simple Network Management Protocol.
Telnet: a protocol and a means of providing remote login service on the Internet.
SSH: Secure Shell, a security protocol built on the application layer and the transport layer.
IP address: Internet Protocol address, a 32-bit address assigned to each host connected to the Internet.
MAC address: Media Access Control address, used to identify the position of a network device.
PORT: a port of the switch, also called an interface.
The present invention provides a terminal management method for network management, comprising a method of automatically blocking and automatically releasing terminals.
In the present invention, the method of automatically blocking and automatically releasing terminals comprises the steps of: 1) entering the correspondence between switch port, terminal IP address and MAC address, either by automatic import or by manual editing; 2) setting the terminal matching rule; 3) manually entering the subnet address, subnet mask and read community string of the intranet to be managed, obtaining the core switch information in the network, and manually configuring the read community string of the core switch; or manually entering, for each core switch, its IP address, the Telnet/SSH account, the Telnet/SSH port number, the Telnet/SSH password, the Telnet privileged-mode prompt, the Telnet command prompt and the Telnet privileged password; 4) obtaining the port list of the core switch; 5) obtaining the MAC address information of the terminals downstream of each core switch port; 6) obtaining the list of IP-address-to-MAC-address correspondences in the network; 7) matching, according to the configured terminal matching rule, the core switch port, IP address and MAC address obtained in steps 3), 4) and 5) against the switch port, IP address and MAC address information imported automatically or entered manually in step 1); 8) blocking the terminals that do not satisfy the matching rule and releasing the terminals that do.
In the present invention, in step 1), the correspondence between switch port, terminal IP address and MAC address may be imported automatically from files in formats including but not limited to EXCEL, XML and TXT.
In the present invention, the terminal matching rule of step 2) may be one of three rules: binding the core switch port to the terminal IP address; binding the core switch port to the terminal MAC address; or binding the core switch port to both the terminal IP address and the terminal MAC address.
In the present invention, step 3) obtains the port list of the core switch in the network by automatically scanning the network via SNMP and reading the MIB table .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable; alternatively, it supports automatic remote login to the core switch via Telnet/SSH and execution of a command to obtain the port list of the core switch.
In the present invention, the order of steps 1), 2) and 3) may be exchanged arbitrarily.
In the present invention, step 5) obtains the MAC address information downstream of each core switch port: via SNMP it reads, from the address forwarding table, the port ID and MAC address of the entries whose type is 3 (learned), reads the correspondence between port ID and port index number, derives from these the correspondence between port index and MAC address, and filters out the switch interconnection ports according to the spanning tree algorithm; alternatively, the MAC address information downstream of each port can be obtained by a command via Telnet/SSH.
In the present invention, when Telnet/SSH is used, steps 4) and 5) form a single step: one command obtains both the port list of the core switch and the MAC addresses downstream of each port.
In the present invention, step 6) obtains the list of IP-to-MAC correspondences in the network: via SNMP it reads the entries of .iso.org.dod.internet.mgmt.mib-2.ip.ipNetToMediaTable in the IP table to obtain the correspondence between IP address and MAC address; where one IP address corresponds to several MAC addresses, the IP address is ping-tested and the IP address that answers the ping is taken as the valid IP address. Alternatively, the correspondence between IP address and MAC address can be obtained by a command via Telnet/SSH, again ping-testing the IP address and taking the IP address that answers the ping as the valid IP address.
In the present invention, step 8) blocks the terminals that do not satisfy the matching rule and releases the terminals that do: via SNMP, the port administrative status is set to down to block an unmatched terminal, and set to up to release a matched terminal; alternatively, via Telnet/SSH, a command sets the administrative state of the port to down to block an unmatched terminal, and sets it to up to release a matched terminal.
In the present invention, in step 8), when a terminal is successfully blocked or released and the connection status of the terminal changes, a block/release success prompt is sent; the prompt may take the form of a Web message, SMS, e-mail or sound. When blocking or releasing fails, a block/release failure alarm notification is sent; the notification may take the form of a Web message, SMS, e-mail or sound.
In the present invention, steps 5), 6), 7) and 8) are executed as a scheduled task that runs these four steps periodically; the execution time, execution interval and interval unit of the scheduled task are configurable.
In summary, by adopting the above technical solution, the invention has the following beneficial effects: the departmental or enterprise network can be managed completely and automatically, all terminals accessing the network are managed, the cost of manual management is saved, and terminals are blocked and released automatically, promptly and accurately, which effectively guarantees the security and confidentiality of the departmental or enterprise network and its information.
Description of the drawings
Embodiments of the present invention are described below with reference to the accompanying drawings, wherein:
Figure 1. Network terminal management principle
Figure 2. Network terminal management message interaction
Figure 3. Network terminal management process
Figure 4. Steps for discovering the IP/MAC downstream of the core switch ports in SNMP mode
Figure 5. Steps for discovering the IP/MAC downstream of the core switch ports in Telnet mode
Figure 6. Network terminal matching and block/release steps.
Embodiments
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, the abstract and the drawings) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is merely one example of a series of equivalent or similar features.
Embodiment 1
The present invention is further described below with reference to the accompanying drawings.
As shown in Figure 1, the operating principle of the network terminal management method of the present invention is: store the IP/MAC/PORT information and the matching rule for the network; send instructions to the core switch to obtain switch information; perform matching; according to the matching result, send instructions to the core switch to manage its switch ports; and thereby manage, through the core switch, the network terminals downstream of the switch.
As shown in Figures 2 and 3, the steps of network terminal management are: 1) import the IP/MAC/PORT information from an EXCEL/XML/TXT file and manage it by manual editing; 2) set the matching rule to full IP-MAC-PORT matching; 3) manually edit the IP subnet, subnet mask and read community string of the core switch to be discovered, obtain the core switch information via SNMP, and obtain the core switch port list via SNMP; 4) obtain the MAC address information downstream of the core switch ports via SNMP; 5) obtain the correspondence between IP address and MAC address via SNMP; 6) obtain the configured matching rule and the configured match information; 7) compare all obtained IP, MAC and PORT values with the configured match information according to the matching rule: a terminal that satisfies the configured match information matches successfully and is marked for release, and a terminal that does not satisfy it fails to match and is marked for blocking; 8) via SNMP, send a message to the core switch to release the core switch ports marked for release and block the core switch ports marked for blocking; 9) after a block/release succeeds and the connection status of the network terminal changes, send a WEB message prompt reporting the successful block/release; if the block/release fails, send a WEB message prompt reporting the failed block/release.
As shown in Figure 5, the steps for discovering the IP/MAC downstream of the core switch ports in SNMP mode are: 1) send an SNMP GET to the core switch using OID 1.3.6.1.2.1.2.2 to obtain the core switch port list ifTable; 2) send an SNMP GET to the core switch using OID 1.3.6.1.2.1.17.4.4 to obtain the address forwarding table dot1dTpFdbTable, whose entries contain three items: dot1dTpFdbPort, dot1dTpFdbAddress and dot1dTpFdbStatus; 3) filter the address forwarding entries by dot1dTpFdbStatus, keeping only the entries whose dot1dTpFdbStatus is 3 (learned); 4) send an SNMP GET to the core switch using OID 1.3.6.1.2.1.17.1.4 to obtain the port ID/index mapping table dot1dBasePortTable, whose entries contain two items: dot1dBasePort and dot1dBasePortIfIndex; 5) combine the ID/index mapping with the address forwarding entries of step 3) to obtain the list of correspondences between port index and downstream MAC address; 6) filter out the switch interconnection ports according to the spanning tree algorithm; 7) send an SNMP GET to the core switch using OID 1.3.6.1.2.1.4.22 to obtain the IP/MAC correspondence table ipNetToMediaTable, whose entries contain two items: ipNetToMediaNetAddress and ipNetToMediaPhysAddress; 8) filter the IP/MAC pairs in which one MAC corresponds to several IPs by performing an ICMP PING on each IP and keeping only the IP addresses that answer the PING; 9) associate the information from steps 6) and 7) to obtain the list associating switch port index with the downstream IP address and MAC address.
As shown in Figure 6, the network terminal matching and block/release steps are: 1) obtain the automatically imported IP-MAC-PORT match information list, in which PORT is the port index; 2) poll the IP/MAC/PORT triples discovered on the core switch and compare each with the IP-MAC-PORT match information list of step 1); 3) if matching succeeds and the current port administrative status is down, send an SNMP SET to the core switch using OID 1.3.6.1.2.1.2.2.1.7.ifindex (where ifindex is the port index) to open the port and release the network terminal device; if matching fails and the current port administrative status is up, send an SNMP SET to the core switch using OID 1.3.6.1.2.1.2.2.1.7.ifindex (where ifindex is the port index) to close the port and block the network terminal device; 4) if the operation succeeds, send a WEB alarm reporting the successful block/release; if the operation fails, send a WEB alarm reporting the failed block/release.
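The SNMP-mode discovery above reduces to a join over four MIB tables once the rows have been fetched. The following is an added example, not code from the patent, that performs that post-processing on constructed table rows: it keeps only learned(3) forwarding entries, maps dot1dBasePort to ifIndex, drops the interconnection ports (given here as a constructed set rather than derived from the spanning tree), resolves a MAC that carries several IPs by a reachability predicate standing in for the ICMP PING, and produces the (port index, IP, MAC) list of step 9). MAC addresses are shown as colon-separated strings; the values, ifIndex numbers and the `is_reachable` callback are all assumptions for illustration.

```python
# Added example (not part of the patent text): post-processing of the SNMP
# tables read by the discovery procedure (dot1dTpFdbTable, dot1dBasePortTable,
# ipNetToMediaTable) on constructed rows instead of a live SNMP walk.
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

DOT1D_TP_FDB_STATUS_LEARNED = 3  # dot1dTpFdbStatus value learned(3)

# Constructed dot1dTpFdbTable rows: (dot1dTpFdbAddress, dot1dTpFdbPort, dot1dTpFdbStatus)
FDB_ROWS = [
    ("00:11:22:33:44:01", 1, 3),   # learned on bridge port 1
    ("00:11:22:33:44:02", 2, 3),   # learned on bridge port 2
    ("00:11:22:33:44:03", 2, 3),   # a second MAC on bridge port 2
    ("00:11:22:33:44:99", 3, 4),   # self(4): the switch's own address, skipped
    ("00:11:22:33:44:aa", 24, 3),  # learned on the uplink port, skipped below
]

# Constructed dot1dBasePortTable rows: dot1dBasePort -> dot1dBasePortIfIndex
BASE_PORT_TO_IFINDEX = {1: 10001, 2: 10002, 3: 10003, 24: 10024}

# Constructed ipNetToMediaTable rows: (ipNetToMediaNetAddress, ipNetToMediaPhysAddress)
ARP_ROWS = [
    ("10.0.0.11", "00:11:22:33:44:01"),
    ("10.0.0.12", "00:11:22:33:44:02"),
    ("10.0.0.13", "00:11:22:33:44:03"),
    ("10.0.0.99", "00:11:22:33:44:01"),   # stale entry: same MAC, an old IP
]

# Ports that are switch interconnects. The text derives them from the spanning
# tree; this example simply assumes a constructed set of ifIndex values.
UPLINK_IFINDEXES = {10024}


def learned_mac_by_ifindex(fdb_rows, base_port_to_ifindex, uplink_ifindexes) -> Dict[int, Set[str]]:
    """Steps 3) to 6): keep learned(3) entries, map bridge port to ifIndex and
    drop the interconnection ports."""
    result = defaultdict(set)
    for mac, bridge_port, status in fdb_rows:
        if status != DOT1D_TP_FDB_STATUS_LEARNED:
            continue
        ifindex = base_port_to_ifindex.get(bridge_port)
        if ifindex is None or ifindex in uplink_ifindexes:
            continue
        result[ifindex].add(mac.lower())
    return dict(result)


def ip_by_mac(arp_rows, is_reachable: Callable[[str], bool]) -> Dict[str, str]:
    """Steps 7) and 8): group IPs by MAC; where one MAC maps to several IPs keep
    only an IP that answers the ping (is_reachable stands in for ICMP here)."""
    candidates = defaultdict(list)
    for ip, mac in arp_rows:
        candidates[mac.lower()].append(ip)
    result = {}
    for mac, ips in candidates.items():
        if len(ips) == 1:
            result[mac] = ips[0]
        else:
            alive = [ip for ip in ips if is_reachable(ip)]
            if alive:
                result[mac] = alive[0]
    return result


def associate(mac_by_ifindex, ip_of_mac) -> List[Tuple[int, str, str]]:
    """Step 9): one (ifIndex, IP, MAC) triple per downstream terminal."""
    triples = []
    for ifindex in sorted(mac_by_ifindex):
        for mac in sorted(mac_by_ifindex[ifindex]):
            triples.append((ifindex, ip_of_mac.get(mac), mac))
    return triples


def discover(fdb_rows=FDB_ROWS, base_port_to_ifindex=BASE_PORT_TO_IFINDEX,
             arp_rows=ARP_ROWS, uplink_ifindexes=UPLINK_IFINDEXES,
             is_reachable=lambda ip: ip != "10.0.0.99"):
    """Run the whole post-processing chain on the constructed tables."""
    mac_by_ifindex = learned_mac_by_ifindex(fdb_rows, base_port_to_ifindex, uplink_ifindexes)
    return associate(mac_by_ifindex, ip_by_mac(arp_rows, is_reachable))


if __name__ == "__main__":
    for triple in discover():
        print(triple)
```

With the constructed rows, the stale 10.0.0.99 entry is discarded because the reachability predicate reports it dead, the switch's own self(4) address and the uplink port are dropped, and three terminals remain on ifIndex 10001 and 10002.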
Embodiment 2
The present invention is further described below with reference to the accompanying drawings.
As shown in Figure 1, the operating principle of the network terminal management method of the present invention is: store the IP/MAC/PORT information and the matching rule for the network; send instructions to the core switch to obtain switch information; perform matching; according to the matching result, send instructions to the core switch to manage its switch ports; and thereby manage, through the core switch, the network terminals downstream of the switch.
As shown in Figures 2 and 3, the steps of network terminal management are: 1) import the IP/MAC/PORT information from an EXCEL/XML/TXT file and manage it by manual editing, where PORT is the port name; 2) set the matching rule to full IP-MAC-PORT matching; 3) manually edit the IP address of the core switch, the Telnet port number, the Telnet user name, the Telnet password, the operating command prompt, the privileged-mode command, the privileged password and the privileged command prompt; 4) obtain the MAC address information downstream of the core switch ports via Telnet; 5) obtain the correspondence between IP address and MAC address via Telnet; 6) obtain the configured matching rule and the configured match information; 7) compare all obtained IP, MAC and PORT values with the configured match information according to the matching rule: a terminal that satisfies the configured match information matches successfully and is marked for release, and a terminal that does not satisfy it fails to match and is marked for blocking; 8) via Telnet, send a command to the core switch to release the core switch ports marked for release and block the core switch ports marked for blocking; 9) after a block/release succeeds and the connection status of the network terminal changes, send a WEB message prompt reporting the successful block/release; if the block/release fails, send a WEB message prompt reporting the failed block/release.
As shown in Figure 4, taking a Cisco 3524 as an example, the steps for discovering the IP/MAC downstream of the core switch ports in Telnet mode are: 1) establish a Telnet connection to the core switch, send the user name and password, and log in; 2) after a successful login, switch to privileged mode; 3) log in to privileged mode; 4) after a successful privileged-mode login, send the command sh mac to obtain the core switch ports and the MAC addresses downstream of each port; 5) parse the command output, extracting Destination Address (the MAC address) and Destination Port (the port name), to obtain the port list of the switch and the MAC addresses downstream of each port; 6) send the command sh arp and extract Address and Hardware Addr to obtain the IP/MAC correspondence list; 7) filter the IP/MAC pairs in which one MAC corresponds to several IPs by performing an ICMP PING on each IP and keeping only the IP addresses that answer the PING; 8) associate the information from steps 5) and 6) to obtain the list associating switch port name with the downstream IP address and MAC address.
As shown in Figure 6, the network terminal matching and block/release steps are: 1) obtain the automatically imported IP-MAC-PORT match information list; 2) poll the IP/MAC/PORT triples discovered on the core switch and compare each with the IP-MAC-PORT match information list of step 1); 3) if matching succeeds and the current port administrative state is down, enter the interface configuration mode of the corresponding port on the core switch with the command switch-name(config)#interface port-name and send the no shutdown command to open the port and release the network terminal device; if matching fails and the current port administrative state is up, enter the interface configuration mode of the corresponding port on the core switch with the command switch-name(config)#interface port-name and send the shutdown command to close the port and block the network terminal device; 4) if the operation succeeds, send a WEB alarm reporting the successful block/release; if the operation fails, send a WEB alarm reporting the failed block/release.
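Steps 4) to 6) and 8) of the Telnet-mode discovery depend on parsing the text that the switch returns. The following added example, which is not code from the patent, parses constructed captures of the `show mac-address-table` (the text's `sh mac`) and `show arp` output in the column layout the text names (Destination Address / Destination Port and Address / Hardware Addr), normalizes the Cisco dotted MAC notation so that it compares equal to MACs entered in the IP/MAC/PORT list, and associates port name, IP and MAC as in step 8). Both captures are invented samples; the Telnet session itself is outside this example.

```python
# Added example (not from the patent): parsing "show mac-address-table" and
# "show arp" output of a Catalyst 3500XL-class switch. Both captures below are
# constructed for illustration; the counters and addresses are invented.
import re
from typing import Dict, List, Optional, Tuple

SHOW_MAC_OUTPUT = """\
Dynamic Address Count:               3
Secure Address Count:                0
Static Address (User-defined) Count: 0
System Self Address Count:           41
Total MAC addresses:                 44
Maximum MAC addresses:               2048
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0011.2233.4401       Dynamic          1  FastEthernet0/1
0011.2233.4402       Dynamic          1  FastEthernet0/2
0011.2233.44aa       Dynamic          1  GigabitEthernet0/1
"""

SHOW_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4400  ARPA   VLAN1
Internet  10.0.0.11               4   0011.2233.4401  ARPA   VLAN1
Internet  10.0.0.12              12   0011.2233.4402  ARPA   VLAN1
"""

CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def normalize_mac(dotted: str) -> str:
    """Convert Cisco 'aabb.ccdd.eeff' to 'aa:bb:cc:dd:ee:ff'."""
    dotted = dotted.lower()
    if not CISCO_MAC.match(dotted):
        raise ValueError("unexpected MAC format: %r" % dotted)
    hexdigits = dotted.replace(".", "")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_show_mac(text: str) -> List[Tuple[str, str]]:
    """Step 5): (port name, MAC) pairs from the Non-static Address Table.
    Rows are recognised by the MAC in their first column, so the counters and
    the header above the table are skipped without relying on line positions."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not CISCO_MAC.match(fields[0].lower()):
            continue
        pairs.append((fields[-1], normalize_mac(fields[0])))
    return pairs


def parse_show_arp(text: str) -> Dict[str, List[str]]:
    """Step 6): MAC -> list of IPs from 'show arp'. Only 'Internet' rows carry
    an IP; the Age column is a single token ('-' or minutes), so the hardware
    address is always the fourth field."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "Internet":
            continue
        mapping.setdefault(normalize_mac(fields[3]), []).append(fields[1])
    return mapping


def associate_cli(mac_text: str, arp_text: str) -> List[Tuple[str, Optional[str], str]]:
    """Step 8): (port name, IP, MAC) per downstream terminal. A MAC with
    several ARP entries is left with IP None here; the text resolves that case
    in step 7) by ping-testing the candidate IPs."""
    ips_of_mac = parse_show_arp(arp_text)
    result = []
    for port, mac in parse_show_mac(mac_text):
        ips = ips_of_mac.get(mac, [])
        result.append((port, ips[0] if len(ips) == 1 else None, mac))
    return result


if __name__ == "__main__":
    for row in associate_cli(SHOW_MAC_OUTPUT, SHOW_ARP_OUTPUT):
        print(row)
```

Recognising table rows by the MAC pattern rather than by skipping a fixed number of header lines keeps the parser working when the counter block at the top of the output grows or shrinks between switch software versions.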
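The matching and block/release step is the same in both embodiments; only the way the port state is changed differs (an SNMP SET on ifAdminStatus in Embodiment 1, `shutdown` / `no shutdown` in interface configuration mode in Embodiment 2). The following added example, not code from the patent, implements that step for the three matching rules listed in the summary (port with IP, port with MAC, port with IP and MAC), acts only when the port's current administrative state has to change, as the text requires, and renders the resulting action in both forms. One choice is the example's own rather than the text's: when several terminals are seen on one port, the port is released only if every one of them matches, so that a single unpermitted terminal cannot ride on a permitted neighbour. All terminals, ifIndex values and port names are constructed.

```python
# Added example (not from the patent): matching discovered terminals against
# the IP/MAC/PORT list and deriving the block/release action in SNMP form
# (ifAdminStatus varbind) and in IOS command form. All data are constructed;
# no switch is contacted.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IF_ADMIN_STATUS_OID = "1.3.6.1.2.1.2.2.1.7"   # ifAdminStatus column of ifTable
IF_ADMIN_UP, IF_ADMIN_DOWN = 1, 2             # ifAdminStatus up(1) / down(2)


@dataclass(frozen=True)
class Terminal:
    port: Union[int, str]   # ifIndex (SNMP mode) or port name (Telnet mode)
    ip: Optional[str]
    mac: str


# The three rules of step 2) of the summary, as predicates over one allowed entry.
RULES = {
    "port+ip": lambda f, a: f.port == a.port and f.ip == a.ip,
    "port+mac": lambda f, a: f.port == a.port and f.mac == a.mac,
    "port+ip+mac": lambda f, a: f.port == a.port and f.ip == a.ip and f.mac == a.mac,
}


def matches(found: Terminal, allowed: List[Terminal], rule: str) -> bool:
    pred = RULES[rule]
    return any(pred(found, a) for a in allowed)


def decide(found_terminals: List[Terminal], allowed: List[Terminal], rule: str,
           admin_status: Dict[Union[int, str], int]) -> List[Tuple[Union[int, str], str]]:
    """Step 3): return (port, 'release' | 'block') for every port whose
    administrative state must change. A port is released only when all the
    terminals seen on it match (this example's own choice)."""
    all_ok: Dict[Union[int, str], bool] = {}
    for t in found_terminals:
        all_ok[t.port] = all_ok.get(t.port, True) and matches(t, allowed, rule)
    actions = []
    for port in sorted(all_ok, key=str):
        current = admin_status.get(port, IF_ADMIN_UP)
        if all_ok[port] and current == IF_ADMIN_DOWN:
            actions.append((port, "release"))
        elif not all_ok[port] and current == IF_ADMIN_UP:
            actions.append((port, "block"))
    return actions


def snmp_set_varbind(ifindex: int, action: str) -> Tuple[str, int]:
    """Embodiment 1: the (OID, value) pair for the SNMP SET on ifAdminStatus."""
    value = IF_ADMIN_UP if action == "release" else IF_ADMIN_DOWN
    return ("%s.%d" % (IF_ADMIN_STATUS_OID, ifindex), value)


def ios_commands(port_name: str, action: str) -> List[str]:
    """Embodiment 2: the command sequence sent after entering privileged mode."""
    return ["configure terminal", "interface %s" % port_name,
            "no shutdown" if action == "release" else "shutdown", "end"]


# Constructed allowed list (from the imported IP/MAC/PORT file) and discovered terminals.
ALLOWED = [Terminal(10001, "10.0.0.11", "00:11:22:33:44:01"),
           Terminal(10002, "10.0.0.12", "00:11:22:33:44:02")]
FOUND = [Terminal(10001, "10.0.0.11", "00:11:22:33:44:01"),   # full match
         Terminal(10002, "10.0.0.12", "00:11:22:33:44:99"),   # right IP, wrong MAC
         Terminal(10003, "10.0.0.50", "00:11:22:33:44:50")]   # port not in the list
ADMIN_STATUS = {10001: IF_ADMIN_DOWN, 10002: IF_ADMIN_UP, 10003: IF_ADMIN_UP}


if __name__ == "__main__":
    for port, action in decide(FOUND, ALLOWED, "port+ip+mac", ADMIN_STATUS):
        print(port, action, snmp_set_varbind(port, action))
```

Under the full IP-MAC-PORT rule the port with the wrong MAC is blocked; under the port-with-IP rule the same terminal matches and no action is generated for it, which is the difference between the three rules that the summary describes.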
The present invention is not limited to the foregoing embodiments. It extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step or any new combination of steps disclosed herein.