Method for protecting the control VLAN in an Ethernet ring network, and node device
Technical field
The present invention relates to Ethernet ring network technology, and in particular to EAPS (Ethernet Automatic Protection Switching) ring network technology.
Background technology
An EAPS Ethernet ring protection domain comprises a master node and a plurality of transit nodes, a group of protected data VLANs (Virtual Local Area Networks, the VLANs used for forwarding user data traffic) and a control VLAN used for forwarding the protection control messages. The master node of the Ethernet protection domain has a master port and a secondary port; the control messages are forwarded in the control VLAN, and the protected user data traffic is forwarded in the user data VLANs. Under normal conditions the master node blocks user data VLAN forwarding on its secondary port (the spanning-tree state of the user data VLANs on the secondary port is set to blocking), so that no loop forms in the ring network and the network storm that a user data loop would cause is prevented.
However, an EAPS ring can be attacked so that the EAPS protocol malfunctions; in serious cases the spanning-tree state of the user data VLANs on the secondary port of the master node in the EAPS ring is erroneously set to forwarding, user data loops, and the network is paralyzed.
The reason for these errors is often that an attacker has injected forged EAPS protocol messages into the EAPS ring. The relevant standard, RFC 3619, recommends protecting the EAPS protocol messages in the EAPS ring technology by encrypting them. However, if a proprietary encryption scheme is used for the EAPS protocol messages, interoperability between equipment from different manufacturers suffers; if a standard scheme is used, the attacker can break the encryption algorithm more easily. Moreover, whether proprietary or standard, any encryption method available at present may be broken by an attacker. That is, however the EAPS protocol messages are encrypted, the attacker has an opening, and an attack on the Ethernet ring network using forged EAPS protocol messages has serious consequences.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for protecting the control VLAN of an EAPS ring against attacks in which an attacker forges EAPS protocol messages, and a node device implementing the method.
The technical scheme adopted by the present invention to solve the above technical problem is a method for protecting the control VLAN in an Ethernet ring network, comprising the step:
When an EAPS node receives an EAPS protocol message, the user data ports on that node are forbidden from forwarding EAPS protocol messages; said nodes comprise the master node and the transit nodes.
Analysis of attacked EAPS rings shows that forged EAPS protocol messages enter the EAPS ring because many users are accustomed to adding all VLANs to the user data ports, which gives an attacker the possibility of injecting forged EAPS protocol messages into the EAPS ring through a user data port. EAPS protocol messages are broadcast within their control VLAN, so on any node of the EAPS ring, as soon as a user data port has been added to the control VLAN of the EAPS ring, the EAPS protocol messages enter the user network, where an attacker can capture and analyze them with a packet sniffer and then forge EAPS protocol messages to attack the EAPS ring. By forbidding the user data ports from forwarding EAPS protocol messages, the present invention both prevents the EAPS protocol messages of the EAPS ring from entering the user network through a user data port and prevents EAPS protocol messages forged by an attacker from entering the EAPS ring through a user data port and causing the protocol to malfunction. In this way forged EAPS protocol messages cannot reach the EAPS ring, and the attacker's path for injecting forged protocol messages is cut off at the physical layer.
Specifically, blocking the control VLAN of the EAPS ring on the user data port forbids EAPS protocol messages from being forwarded through the user data port; this is simple to operate and consumes no additional resources of the Ethernet switch.
When any node in the Ethernet ring network is passed through by two or more EAPS rings and each of those EAPS rings has two ports on that node, the node is the tangent node of those two or more EAPS rings, and the two or more EAPS rings are the tangent EAPS rings of that tangent node. In that case, if the EAPS protocol messages of one tangent EAPS ring enter another tangent EAPS ring, they waste the bandwidth of the other ring and impose additional processing on the EAPS protocol running on it. Therefore, the present invention further forbids the two ports of each EAPS ring on said tangent node from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings.
Of the two ports through which an EAPS ring passes on a node, one is the master port and the other is the secondary port.
Preferably, the two ports of each EAPS ring on said tangent node are forbidden from forwarding on that EAPS ring the protocol messages of the other tangent EAPS rings by blocking, on the two ports corresponding to any tangent EAPS ring passing through the tangent node, the control VLANs of all other tangent EAPS rings passing through that tangent node.
The node device in the Ethernet ring network comprises a first protection control module and a message judging module;
the message judging module is used to trigger the first protection control module when an EAPS protocol message is received;
the first protection control module is used to forbid the user data ports from forwarding EAPS protocol messages.
Preferably, the first protection control module forbids the forwarding of EAPS protocol messages on the user data ports by blocking the control VLAN of the EAPS ring on the user data ports.
Further, the node device also comprises a tangent node judging module and a second protection control module;
the tangent node judging module is used to judge, when the local node device is passed through by two or more EAPS rings and each of those EAPS rings has two ports on the local node device, that the local node device is the tangent node of those two or more EAPS rings, the two or more EAPS rings being the tangent EAPS rings of that tangent node;
the message judging module is also used to trigger the second protection control module when an EAPS protocol message is received and the tangent node judging module judges the local node device to be a tangent node;
the second protection control module is used to forbid the two ports on the local node device corresponding to any tangent EAPS ring from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings.
Preferably, the second protection control module forbids the two ports corresponding to any tangent EAPS ring on the local node device from forwarding on that EAPS ring the protocol messages of the other tangent EAPS rings by blocking, on the two ports corresponding to any EAPS ring passing through the local node device, the control VLANs of all other EAPS rings passing through the local node device.
The beneficial effects of the present invention are that the security of the EAPS ring network is ensured and, further, when tangent EAPS rings are present, the bandwidth of an EAPS ring is not occupied by the EAPS protocol messages of the other tangent EAPS rings.
Description of drawings
Fig. 1 is a schematic diagram of the node device in the Ethernet ring network;
Fig. 2 is a schematic diagram of the EAPS ring in Embodiment 1;
Fig. 3 is a schematic diagram of the tangent EAPS rings in Embodiment 2.
Embodiment
The node device shown in Fig. 1 comprises a first protection control module, a message judging module, a tangent node judging module and a second protection control module;
the message judging module is used to trigger the first protection control module when an EAPS protocol message is received, and to trigger the second protection control module when an EAPS protocol message is received and the tangent node judging module judges the local node device to be a tangent node;
the tangent node judging module is used to judge, when the local node device is passed through by two or more EAPS rings and each of those EAPS rings has two ports on the local node device, that the local node device is the tangent node of those two or more EAPS rings, the two or more EAPS rings being the tangent EAPS rings of that tangent node;
the first protection control module is used to block the control VLAN of the EAPS ring on the user data ports;
the second protection control module is used to block, on the two ports corresponding to any EAPS ring passing through the local node device, the control VLANs of all other EAPS rings passing through the local node device.
Embodiment 1
As in Fig. 1, EAPS ring R comprises master node M and transit nodes T1, T2 and T3. On node T2, port p1 is the EAPS master port, port p2 is the EAPS secondary port and port p3 is the user data port; p3 is the port through which user data enters and leaves the EAPS node, and the EAPS protocol does not run on it. To prevent EAPS protocol messages from entering the user network through user data port p3 and occupying user network bandwidth, and at the same time to prevent an attacker in the user network from maliciously constructing EAPS protocol messages to attack EAPS ring R and make the protocol malfunction, the message judging module of node T2, on receiving an EAPS protocol message, controls the first protection control module to block the control VLAN of the EAPS ring on user data port p3, forbidding the forwarding of EAPS protocol messages.
There are several ways to forbid the forwarding of EAPS protocol messages by blocking the control VLAN of the EAPS ring, such as ordinary ACL (Access Control List) filtering. However, some node devices are switches with many user data ports, and filtering EAPS protocol messages with an ACL on every user data port consumes too many ACL resources; ACL resources are very valuable on an Ethernet switch and must not be abused. Therefore the spanning-tree state of the control VLAN of the EAPS ring can be set to blocking on data port p3, which forbids the forwarding of EAPS protocol messages through data port p3, is relatively simple to operate, and consumes no additional resources of the Ethernet switch.
Embodiment 2
As in Fig. 2, there are two EAPS rings: EAPS ring R1 comprises master node M and transit nodes T1, T2 and T3, and EAPS ring R2 comprises master node m and transit nodes t1, t2 and T3. Both EAPS rings pass through node T3, and each ring has two ports on node T3: ports p11 and p12 on node T3 correspond to EAPS ring R1, and ports p21 and p22 correspond to EAPS ring R2. EAPS ring R1 and EAPS ring R2 are therefore tangent at tangent node T3, and EAPS ring R1 and EAPS ring R2 are tangent EAPS rings.
In the present embodiment, besides the message judging module of node T3, after receiving an EAPS protocol message, controlling the first protection control module to block the control VLAN of the EAPS ring on the user data ports of node T3 and thereby forbid the forwarding of EAPS protocol messages, the case of tangent EAPS rings also needs special handling:
When two or more tangent EAPS rings pass through the same node device, each tangent EAPS ring blocks the control VLANs of the other tangent EAPS rings on its two ports on the tangent node. In the present embodiment, as in Fig. 2, the tangent node judging module of node T3 judges that EAPS ring R1 and EAPS ring R2 are tangent at node T3. The master port of R1 on node T3 is p11 and its secondary port is p12; the master port of EAPS ring R2 on node T3 is p21 and its secondary port is p22. When the message judging module of node T3 receives an EAPS protocol message from EAPS ring R1, the second protection control module blocks the control VLAN of EAPS ring R2 on ports p11 and p12; when the message judging module of node T3 receives an EAPS protocol message from EAPS ring R2, the second protection control module blocks the control VLAN of EAPS ring R1 on ports p21 and p22.
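The per-port blocking that results from both embodiments (node T2 of ring R in Embodiment 1 and tangent node T3 of rings R1 and R2 in Embodiment 2), as an added Python model that is not code from the patent. It assumes constructed control VLAN ids (4000, 4001, 4002), an assumed user data port named u1 on T3, and reads the first protection as blocking the control VLAN of every ring passing through the node on each user data port.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ring:
    name: str
    control_vlan: int  # VLAN ids used below are constructed for this example

@dataclass
class Port:
    name: str
    ring: "Ring | None" = None  # None: user data port, EAPS does not run on it
    blocked_vlans: set = field(default_factory=set)

def tangent_rings(ports):
    """Rings with two ring ports on this node (the tangent-node judgement)."""
    count = {}
    for p in ports:
        if p.ring is not None:
            count[p.ring] = count.get(p.ring, 0) + 1
    return {r for r, n in count.items() if n == 2}

def apply_protection(ports):
    """First protection: every user data port blocks the control VLAN of each ring
    passing through the node. Second protection: when two or more rings are
    tangent here, each ring's two ports block the other tangent rings' control VLANs."""
    rings = {p.ring for p in ports if p.ring is not None}
    tangent = tangent_rings(ports)
    for p in ports:
        if p.ring is None:
            p.blocked_vlans |= {r.control_vlan for r in rings}
        elif len(tangent) >= 2 and p.ring in tangent:
            p.blocked_vlans |= {r.control_vlan for r in tangent if r != p.ring}
    return ports

def forwards(port, vlan):
    """Whether a frame tagged with `vlan` may be forwarded on this port."""
    return vlan not in port.blocked_vlans

def blocked_map(ports):
    return {p.name: sorted(p.blocked_vlans) for p in ports}

def node_t2():  # Embodiment 1: node T2 of ring R (p1 master, p2 secondary, p3 data)
    r = Ring("R", 4000)
    return apply_protection([Port("p1", r), Port("p2", r), Port("p3")])

def node_t3():  # Embodiment 2: tangent node T3; data port name u1 is assumed
    r1, r2 = Ring("R1", 4001), Ring("R2", 4002)
    return apply_protection([Port("p11", r1), Port("p12", r1),
                             Port("p21", r2), Port("p22", r2), Port("u1")])
```

User data VLANs remain forwarded on every port; only the control VLANs listed in `blocked_map` are set to blocking, which mirrors the spanning-tree-state approach preferred over per-port ACLs in Embodiment 1.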