CN102572000A - Address monitoring method and device - Google Patents
Publication number: CN102572000A
Authority: CN (China)
Legal status: Granted (the listed legal status is an assumption and is not a legal conclusion)
Abstract
The invention discloses an address monitoring method and an address monitoring device. The method comprises the following steps: receiving Address Resolution Protocol (ARP) information from a layer-3 device; when the ARP information changes, obtaining the corresponding media access control (MAC) address according to the Internet Protocol (IP) address in the changed ARP information; and searching the port-to-MAC address mapping information of layer-2 and/or layer-3 devices according to the MAC address to obtain the access device port corresponding to the IP address. With this method and device, illegal addresses can be found immediately, which overcomes the technical defect of the prior art that address theft cannot be prevented fundamentally.
Description
Technical field
The present invention relates to business support technology in the communications field, and in particular to an address monitoring method and device.
Background
At present, most network administrators detect IP address theft by periodically scanning the Address Resolution Protocol (ARP) table of each router in the network, obtaining the IP addresses currently in use and the IP-MAC mapping, and comparing them against the legal IP address table and the legal IP-MAC table. Any inconsistency indicates unauthorized access, and the illegal IP is then removed from the ARP table. IP address theft can also be discovered from user trouble reports (use of a stolen IP address produces a MAC address conflict prompt). On this basis, commonly used prevention mechanisms also include IP-MAC binding, proxy servers, IP-MAC-USER authentication and authorization, and transparent gateways. There is also a manual lookup approach, which requires logging in to the switch to look up the MAC addresses under the relevant port and logging in to the core switch to inspect the ARP table. The manual approach is cumbersome, and by the time the relevant information has been found the thief may already have left, so it cannot monitor effectively.
The inventor found at least the following problems in the prior art. Existing monitoring approaches all have limitations: with IP-MAC binding, user management is very difficult; the transparent gateway technique needs a dedicated machine for data forwarding, and this machine easily becomes a bottleneck. The inventor found that none of the current mechanisms fundamentally prevents the harm caused by IP address theft; they only stop the thief from directly accessing external network resources. Because the thief still has complete freedom of activity inside the IP subnet, on the one hand this interferes with legitimate users, and on the other hand the stolen address may be used to attack other machines and network devices in the subnet. If the subnet contains a proxy server, the thief can also obtain resources outside the network by various means.
Summary of the invention
The first object of the present invention is to propose an address monitoring method that finds illegal addresses in a timely manner.
The second object of the present invention is to propose an address monitoring device that finds illegal addresses in a timely manner.
To achieve the first object, according to one aspect of the present invention, an address monitoring method is provided, comprising: receiving ARP information from a layer-3 device; when a change in the ARP information is detected, obtaining the corresponding MAC address according to the IP address in the changed ARP information; and searching the port-to-MAC address mapping information of layer-2 and/or layer-3 devices according to the MAC address to obtain the access device port corresponding to the IP address.
The method may further comprise: comparing the IP address with the legal IP addresses of the access device port to determine whether the IP address is illegal; and, after determining that the IP address is illegal, raising a monitoring alarm and/or blocking the access device port.
The method may further comprise: monitoring the port-to-MAC address mapping information of layer-2 and/or layer-3 devices and comparing it with the legal port-to-MAC address mapping information to determine whether an illegal MAC address has appeared; and/or comparing the monitored ARP information of the layer-3 device with the legal IP-to-MAC correspondence to determine whether an illegal IP address or MAC address has appeared.
Preferably, searching the port-to-MAC address mapping information of layer-2 and/or layer-3 devices according to the MAC address to obtain the access device port corresponding to the IP address may comprise: obtaining, according to the MAC address, the layer-2 or layer-3 device access port corresponding to the IP address; when that access port is a cascade port, looking up the port-to-MAC address mapping information of the subordinate device; searching, according to the subordinate device's port-to-MAC address mapping information, for the subordinate device access port corresponding to the IP address, until the access device port finally obtained is a non-cascade port; and taking the non-cascade access device port finally found as the access device port corresponding to the IP address.
Searching for the subordinate device access port corresponding to the IP address according to the subordinate device's port-to-MAC address mapping information, until the access device port finally obtained is a non-cascade port, may comprise: in an established single-queue data storage structure, when the subordinate device's port-to-MAC address mapping information to be looked up is not yet stored in the structure, storing the retrieved information in order at the next available storage location in the structure; otherwise, extracting it directly from the single-queue data storage structure.
The method may receive the ARP information and the port-to-MAC address mapping information via the Simple Network Management Protocol (SNMP). The layer-3 devices include core routers, core switches and aggregation switches.
To achieve the second object, according to another aspect of the present invention, an address monitoring device is provided, comprising: an interface module, configured to receive the ARP information of a layer-3 device and the port-to-MAC address mapping information of layer-2 and/or layer-3 devices; and a processing module, configured to, when a change in the ARP information is detected, obtain the corresponding MAC address according to the IP address in the changed ARP information, and search the port-to-MAC address mapping information of layer-2 and/or layer-3 devices according to the MAC address to obtain the access device port corresponding to the IP address.
The address monitoring method and device of the embodiments of the present invention can monitor in real time and promptly find the access device port corresponding to a changed IP address. If the IP address is illegal, the physical connection of the illegal IP can be blocked promptly, which solves the prior art's failure to fundamentally prevent the harm of IP address theft: not only can access to external resources be blocked, but theft of IP addresses inside the intranet can be blocked as well.
Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained through the structure particularly pointed out in the written description, the claims and the accompanying drawings.
The technical solution of the present invention is described in further detail below through the accompanying drawings and embodiments.
Description of drawings
The accompanying drawings provide a further understanding of the present invention and constitute a part of the specification. Together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a flow chart of embodiment one of the address monitoring method according to the present invention;
Fig. 2 is a flow chart of embodiment two of the address monitoring method according to the present invention;
Fig. 3 is a schematic diagram of the interface of the address monitoring method according to the present invention;
Fig. 4 is a flow chart of embodiment three of the address monitoring method according to the present invention;
Fig. 5 is a schematic diagram of the network topology in which MAC address tables are traversed in the address monitoring method according to the present invention;
Fig. 6 is a schematic diagram of the storage structure for the traversal data of the network topology in Fig. 5;
Fig. 7 is a structural diagram of embodiment one of the address monitoring device according to the present invention;
Fig. 8 is a structural diagram of embodiment two of the address monitoring device according to the present invention.
Embodiment
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here only illustrate and explain the present invention and do not limit it.
Method embodiment
Fig. 1 is a flow chart of embodiment one of the address monitoring method according to the present invention. As shown in Fig. 1, this embodiment comprises:
Step S102: receive the ARP information of a layer-3 device;
For example, the layer-3 device may be a core router, core switch, aggregation switch or the like. The ARP table is obtained from the layer-3 device; the ARP table stores the IP addresses currently in use and the IP-MAC mapping.
Step S104: when a change in the ARP information is detected, obtain the corresponding MAC address according to the IP address in the changed ARP information;
Step S106: search the port-to-MAC address mapping table of layer-2 and/or layer-3 devices according to the MAC address from step S104 to find the access device port corresponding to the changed IP address.
Layer-2 devices include each downstream switch of the layer-3 device. The switch is the main network device of a local area network (LAN); it operates at the data link layer and forwards and filters packets based on MAC addresses. Each switch therefore maintains a MAC address table keyed to its ports. The MAC address of any host that is directly connected to the switch or is in the same broadcast domain is saved in the switch's MAC address table. A Simple Network Management Protocol (SNMP) management station, communicating with the SNMP agent of each switch, can obtain the port-keyed MAC address table held by that switch and so form a real-time port-MAC mapping table. Step S106 obtains the MAC address from the changed IP-MAC entry in the ARP table and then searches the real-time port-MAC mapping table for that MAC address, thereby obtaining the port corresponding to the IP address that changed in the ARP table.
In implementing the present invention, the inventor found that other IP monitoring approaches require the IP-to-MAC correspondence to be entered, but in real environments MAC addresses change quite frequently, for example when a network card is replaced, so maintainers must constantly update the MAC corresponding to each IP. This embodiment does not need to know the user's MAC address; it judges according to the correspondence between the IP and the switch access port. Moreover, because the ARP table is easy to obtain, changes in the ARP table can be detected promptly and the access device port corresponding to the changed IP address finally located. If the IP address is illegal, the physical connection of the illegal IP can be blocked promptly, which solves the prior art's failure to fundamentally prevent the harm of IP address theft. This embodiment can block not only access to external resources but also theft of IP addresses inside the intranet.
Fig. 2 is a flow chart of embodiment two of the address monitoring method according to the present invention. As shown in Fig. 2, this embodiment comprises:
Step S202: suppose the IP address of some machine changes;
Step S204: the ARP table of the corresponding core switch changes as well;
Step S206: receive the real-time ARP table of the core switch and compare it with the real-time ARP table obtained the previous time. On detecting that the real-time ARP table of a core switch has changed, capture the changed values of the core ARP table and, from the correspondence between the changed IP and its MAC address, obtain the MAC address corresponding to the ARP change;
Step S208: search the MAC address tables of the layer-2 devices according to the MAC address and locate which access port of which switch it is on, that is, the access port corresponding to the changed IP;
An IP address exists only on layer-3 switches that have a management VLAN, such as core switches or aggregation switches. To find which port an IP address comes in on, this embodiment can first look up the ARP table on the core or aggregation switch to find the MAC address corresponding to the IP, and thus which port that MAC address comes from; it then checks the MAC address table of the subordinate cascaded switches and finally obtains the correspondence between the IP address and the access switch port;
Step S210: determine whether this IP is illegal. In a typical LAN the IP address and its access port are fixed; even if the MAC address changes, the IP-to-port correspondence does not. Therefore, based on the located port, determine whether the IP address in the changed ARP table is among the legal IP addresses of that port; if not, it is illegal. Alternatively, the binding between legal IPs and access ports is stored in advance, and the located port and its IP are compared with the stored binding to analyze whether the IP is illegal; if so, the port is closed, otherwise the process ends.
After this embodiment determines that an IP address has been stolen, measures can be taken immediately to block the effects of the theft. For example, the SNMP management station can send an SNMP message to the switch agent to shut down the switch port on which the theft occurred. The machine using the stolen IP address then cannot communicate with any other machine in the network and cannot affect the normal operation of other machines.
This embodiment finds illegal IPs promptly from changes observed in real time, which keeps monitoring fast and effective, and uses port location to block IP address theft promptly. Once IP address theft has been found, the theft has in fact also been located to a switch port. By then querying the legal IP address to device port mapping table entered in advance, the room in which the theft occurred can be located immediately.
Fig. 3 is a schematic diagram of the interface of the address monitoring method according to the present invention. As shown in Fig. 3, it mainly binds IP addresses to switch ports so that illegal IP addresses are found promptly. Those skilled in the art will understand from the embodiments of Fig. 1 and Fig. 2 that each switch maintains a MAC address table keyed to its ports. The SNMP management station, communicating with the SNMP agent of each switch, can obtain the port-keyed MAC address table held by that switch and so form a real-time port-MAC mapping table. In addition to the IP-to-port correspondence described in the above embodiments, the following can also be monitored:
1. Monitor the switch's real-time port-to-MAC address mapping table and compare it with the legal port-to-MAC address mapping table, so that the appearance of an illegal MAC address on a switch port can also be determined quickly and promptly;
2. Compare the real-time ARP information of the monitored core device with the legal IP-to-MAC correspondence to determine whether an illegal IP address or MAC address has appeared.
For example, IP address theft can be found as in Fig. 1 and Fig. 2. With the additional monitoring in item 1 above, it can also be found whether an illegal MAC address has appeared on a switch port; and if the same MAC address appears simultaneously on non-cascade ports of different switches, paired IP-MAC theft can be monitored as well.
In short, several kinds of relationship can be bound in advance to enable monitoring under several policies. For example, in a LAN, the legal binding tables obtained in advance may include: terminal IP address bound to switch port; terminal MAC bound to switch port; terminal IP address bound to MAC; and IP address, MAC and switch port bound together, giving real-time monitoring under multiple policies.
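The snapshot comparison of step S206 and the two supplementary checks above can be sketched as follows. This is an added example, not code from the patent: the function names, addresses, switch and port names are constructed, and the in-memory dictionaries and rows stand in for tables that would be retrieved over SNMP.

```python
from collections import defaultdict

# Constructed sample data (not from the patent).
PREVIOUS_ARP = {"10.0.0.11": "00:aa:00:00:00:01", "10.0.0.22": "00:aa:00:00:00:02"}
CURRENT_ARP = {
    "10.0.0.11": "00:aa:00:00:00:01",
    "10.0.0.22": "00:aa:00:00:00:09",   # MAC behind this IP changed
    "10.0.0.33": "00:aa:00:00:00:03",   # newly seen IP
}
# Legal bindings entered in advance: IP -> MAC and (switch, port) -> MACs.
LEGAL_IP_MAC = {
    "10.0.0.11": "00:aa:00:00:00:01",
    "10.0.0.22": "00:aa:00:00:00:02",
    "10.0.0.33": "00:aa:00:00:00:03",
}
LEGAL_PORT_MAC = {
    ("D", "G0/3"): {"00:aa:00:00:00:01"},
    ("G", "G0/4"): {"00:aa:00:00:00:02"},
    ("G", "G0/5"): {"00:aa:00:00:00:05"},
    ("E", "G0/7"): {"00:aa:00:00:00:07"},
}
# Real-time port-MAC rows gathered from all switches: (switch, port, MAC).
PORT_MAC_ROWS = [
    ("D", "G0/3", "00:aa:00:00:00:01"),
    ("D", "G0/24", "00:aa:00:00:00:02"),   # learned on a cascade port
    ("G", "G0/4", "00:aa:00:00:00:02"),
    ("G", "G0/5", "00:aa:00:00:00:09"),
    ("E", "G0/7", "00:aa:00:00:00:01"),
]
CASCADE_PORTS = {("D", "G0/24")}


def diff_arp(previous, current):
    """Return IP -> MAC for entries that are new or whose MAC changed."""
    return {ip: mac for ip, mac in current.items() if previous.get(ip) != mac}


def check_policies(arp_changes, port_mac_rows, legal_ip_mac,
                   legal_port_mac, cascade_ports):
    """Apply the IP-MAC and port-MAC binding policies; return alert tuples."""
    alerts = []
    # Check 2: changed ARP entries against the legal IP-MAC binding.
    for ip, mac in sorted(arp_changes.items()):
        if legal_ip_mac.get(ip) != mac:
            alerts.append(("ip-mac-mismatch", ip, mac))
    # Check 1: real-time port-MAC rows against the legal port-MAC binding.
    # Cascade ports carry every downstream MAC, so only access ports count.
    access_seen = defaultdict(set)
    for switch, port, mac in port_mac_rows:
        if (switch, port) in cascade_ports:
            continue
        access_seen[mac].add((switch, port))
        if mac not in legal_port_mac.get((switch, port), set()):
            alerts.append(("illegal-mac-on-port", f"{switch}:{port}", mac))
    # Same MAC on non-cascade ports of different switches at the same time.
    for mac, places in sorted(access_seen.items()):
        if len({sw for sw, _ in places}) > 1:
            where = ",".join(f"{sw}:{p}" for sw, p in sorted(places))
            alerts.append(("mac-on-multiple-switches", mac, where))
    return alerts


def run_policy_demo():
    changes = diff_arp(PREVIOUS_ARP, CURRENT_ARP)
    return check_policies(changes, PORT_MAC_ROWS, LEGAL_IP_MAC,
                          LEGAL_PORT_MAC, CASCADE_PORTS)


if __name__ == "__main__":
    for alert in run_policy_demo():
        print(alert)
```
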
In Figs. 1 to 3 above, the monitoring policy and handling can be configured in advance as needed. For example, the network is monitored by polling every X units of time, and when a user with an illegal IP address appears, the user's port is closed. The port can be set to reopen automatically after Y minutes and be monitored again. X and Y can be user-defined.
Fig. 4 is a flow chart of embodiment three of the address monitoring method according to the present invention. Its main process comprises:
A. After initialization completes, use the general international standard protocol SNMP (Simple Network Management Protocol) to obtain and save the core switch's MIB information. The saved initial values are used for comparison with newly obtained ARP entries to find the changed values. The MIB information mainly comprises: the ARP data table (the IP-to-MAC address mapping table) and the Mac address-table data table (the mapping table of MAC addresses to device ports, also called the port-to-MAC address mapping table).
B. A change in the IP address of a terminal on some port triggers a change in the core switch's ARP table, and the switch sends a trap ("Trap") message to the IP address monitoring device of the network management system (see Figs. 7 and 8). The IP monitoring device obtains the core MAC address table according to the changed ARP entry, finds the corresponding port, and determines whether the IP address of this port is consistent with the real-time IP address. If it is inconsistent, the device determines whether this interface is a cascade port. If it is a cascade port, a downward query request must be sent, and the search continues downward until the Mac address-table of the final access switch is found and the non-cascade terminal access port is obtained. The port and IP address correspondence found is compared with the user-defined mapping table of legal IPs and switch ports; if the IP is illegal, predefined measures can be taken, such as closing the port.
The prior art does not fundamentally prevent the harm caused by IP address theft; it only stops the thief from directly accessing external network resources. This embodiment monitors in real time, blocks theft of IP addresses both inside and outside the intranet, and promptly blocks the physical connection of the illegal IP.
The above embodiments do not need to know the user's MAC; they identify illegal addresses from the correspondence between the IP and the switch port. The difficulty of this approach is that searching the port-to-MAC address mapping tables of layer-2 access and/or layer-3 devices requires traversing the switches' MacAddress Tables, and without an optimized lookup algorithm this is difficult to implement. Figs. 5 and 6 below illustrate the lookup process of the embodiments of the present invention and provide an optimized lookup algorithm: a single-threaded, lock-free, single-queue lookup algorithm.
Fig. 5 is a schematic diagram of the network topology in which MAC address tables are traversed in the address monitoring method according to the present invention, where A, B, C, D, E, F, G, H and I are switches.
When the ARP table changes, the changed and newly added IP addresses may amount to many records, each record requires its network path to be traversed, and these network paths inevitably overlap. For example, with path one A → B → C → D and path two A → B → E → F, A and B are common to both paths. If a recursive algorithm repeatedly fetches the Mac-AddressTable from switches A and B, that is duplicated work; the algorithm is inefficient and adds to the network load.
The lookup process of the present invention is illustrated below with reference to Fig. 5:
When monitoring the intranet, suppose the changed ARP table shows two illegal IPs (denoted x1 and x2) on core switch A. First look up the MAC value of x1 (denoted Mac-a); then, using the MacAddress-Table of core A, analyze whether Mac-a comes from switch B or from switch C. When the result shows that it comes from switch B, obtain the MacAddress-Table of switch B and analyze whether Mac-a is on B itself or comes from D or from E. The analysis finds that Mac-a comes from switch D, so the MacAddress-Table of switch D is obtained and analyzed, and Mac-a is finally found on port G0/3 of switch D. The traversal path is A-B-D.
Next look up the MAC value of x2 (denoted Mac-b); then, using the MacAddress-Table of core A, analyze whether Mac-b comes from switch B or from switch C. When the result shows that it comes from switch B, obtain the MacAddress-Table of switch B and analyze whether Mac-b is on B itself or comes from D or from E. The analysis finds that Mac-b comes from switch D, so the MacAddress-Table of switch D is obtained and analyzed, showing that Mac-b is on switch G. The MacAddress-Table of switch G is then obtained, and Mac-b is found on port G0/4 of switch G. The traversal path is A-B-D-G.
As this example shows, the paths of the two illegal IPs are very similar (A-B-D and A-B-D-G). Looking up the layer-2 switch port address mapping tables (MacAddress-Table) consumes a great deal of time, and repeatedly fetching switch MacAddress-Tables can take up 90% of the service program's running time. Fig. 6 is a schematic diagram of the storage structure for the traversal data of the network topology in Fig. 5. As shown in Fig. 6, the lookup process first creates an empty single queue for storing each switch's MacAddress-Table. Using the network topology of Fig. 5 and the paths of the two example illegal IPs (x1 and x2):
First obtain the MacAddress-Table on core A, then store A's MacAddress-Table (denoted MacA) in the queue.
When the MacAddress-Table of switch B is needed, first check whether the MacAddress-Table of switch B (denoted MacB) is already in the queue. If MacB is not in the queue, store MacB in the queue. If it is, fetch it directly from the queue.
When the MacAddress-Table of switch C is needed, first check whether the MacAddress-Table of switch C (denoted MacC) is already in the queue. If MacC is not in the queue, store MacC in the queue. If it is, fetch it directly from the queue.
The check of the first illegal IP (x1) is now complete. When the second IP is checked, the MacAddress-Tables along path A-B-C already exist in the queue and can be fetched directly from the single-queue data structure; only the MacAddress-Table of switch D needs to be obtained separately and stored in the queue.
When judging the second IP, only switch D was accessed, and the time to access the MacAddress-Tables of switches A, B and C is saved. With many illegal IPs and a larger network, the lookup benefit of this embodiment is more pronounced and its efficiency higher.
In short, when the changed ARP information contains two or more IPs, two or more corresponding MAC addresses are obtained according to the two or more IP addresses in the changed ARP information;
The access device ports corresponding to each of the two or more IP addresses are obtained according to the two or more MAC addresses and the monitored port-to-MAC address mapping information of the switches. Specifically, when looking up the access device port corresponding to the next IP address, determine whether the layer-2 device port-to-MAC address mapping information needed for that IP address is already stored in the single-queue data storage structure. If not, store the retrieved layer-2 device port-to-MAC address mapping information in order in the single-queue data storage structure; otherwise, extract it directly from the single-queue data storage structure.
Taking the above example, the lookup process can be implemented as follows: use a single-queue data storage structure and define a switch Mac-Address class. First create the single-queue container. When switch A is accessed along path one, instantiate the Mac-Address class to produce switch A's Mac-Address object and save the object in the single-queue container. Likewise, after B, C and D have been accessed, the Mac-AddressTable objects of switches B, C and D are also saved in the queue container. When the second path is visited, first check whether the switch being accessed already exists in the queue container; if not, create a new object and save it in the container; if it does, extract it directly from the container.
With the prior art, the MacAddressTables of 8 switches (A, B, C, D, A, B, E, F) must be checked; with the above algorithm only 6 (A, B, C, D, E, F) need to be checked. In the above example this improves performance by 25%, and the more IP addresses that need checking, the more pronounced the lookup advantage.
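The cascade-port traversal of step B and the single-queue table store of Figs. 5 and 6 can be sketched as follows, using the A-B-D and A-B-D-G walk-through. This is an added example, not code from the patent: the class and function names, MAC and IP values, port names and the `max_hops` guard are constructed, and `fetch_mac_table` is a stand-in for retrieving a switch's MAC address table over SNMP.

```python
from collections import OrderedDict

# Constructed sample data (not from the patent). Each switch's MAC address
# table maps MAC -> local port; CASCADE maps a cascade (switch, port) to the
# subordinate switch reached through it.
MAC_TABLES = {
    "A": {"00:aa:00:00:00:01": "G0/1", "00:aa:00:00:00:02": "G0/1"},
    "B": {"00:aa:00:00:00:01": "G0/2", "00:aa:00:00:00:02": "G0/2"},
    "D": {"00:aa:00:00:00:01": "G0/3", "00:aa:00:00:00:02": "G0/24"},
    "G": {"00:aa:00:00:00:02": "G0/4"},
}
CASCADE = {("A", "G0/1"): "B", ("B", "G0/2"): "D", ("D", "G0/24"): "G"}
# Legal IP addresses per access port, entered in advance.
LEGAL_BINDINGS = {("D", "G0/3"): {"10.0.0.11"}, ("G", "G0/4"): {"10.0.0.22"}}
# Changed ARP entries (IP -> MAC) reported by the core switch.
CHANGED_ARP = {"10.0.0.11": "00:aa:00:00:00:01", "10.0.0.99": "00:aa:00:00:00:02"}


def fetch_mac_table(switch):
    """Stand-in for an SNMP retrieval of one switch's MAC address table."""
    return MAC_TABLES[switch]


class TableCache:
    """Single queue of MAC address tables, filled in order of first access.

    Intended for single-threaded use, as on the page, so it takes no locks.
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._queue = OrderedDict()
        self.fetches = 0          # number of real (network) retrievals

    def get(self, switch):
        if switch not in self._queue:
            self._queue[switch] = self._fetch(switch)
            self.fetches += 1
        return self._queue[switch]

    def order(self):
        return list(self._queue)


def trace_access_port(mac, core, cache, cascade, max_hops=16):
    """Follow cascade ports from the core until a non-cascade port is found.

    Returns ((switch, port), path), or (None, path) if a table along the
    way has not learned the MAC (for example, the entry has aged out).
    """
    switch, path = core, []
    for _ in range(max_hops):
        path.append(switch)
        port = cache.get(switch).get(mac)
        if port is None:
            return None, path
        subordinate = cascade.get((switch, port))
        if subordinate is None:          # non-cascade port: access port found
            return (switch, port), path
        switch = subordinate
    raise RuntimeError("cascade loop or topology deeper than max_hops")


def check_arp_changes(changed, core, cache, cascade, legal):
    """Locate each changed IP and judge it against the legal IP-port binding."""
    findings = []
    for ip, mac in changed.items():
        access, path = trace_access_port(mac, core, cache, cascade)
        if access is None:
            verdict = "unlocated"
        elif ip in legal.get(access, set()):
            verdict = "legal"
        else:
            verdict = "illegal"
        findings.append({"ip": ip, "access": access,
                         "path": "-".join(path), "verdict": verdict})
    return findings


def run_trace_demo():
    cache = TableCache(fetch_mac_table)
    findings = check_arp_changes(CHANGED_ARP, "A", cache, CASCADE, LEGAL_BINDINGS)
    return findings, cache


if __name__ == "__main__":
    results, table_cache = run_trace_demo()
    for row in results:
        print(row)
    print("tables fetched:", table_cache.fetches, table_cache.order())
```

With the cache, the second trace fetches only the table of switch G, so four tables are retrieved in total where seven lookups would otherwise go to the network.
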
Fig. 7 is address supervising device embodiment one structural representation according to the present invention.As shown in Figure 7, comprising:
Interface module 2 is used to receive the ARP information of three-layer equipment, and the port mac address corresponding informance of two-layer equipment, specifically can be referring to said method embodiment related description;
Processing module 4 when being used to listen to the ARP information change, obtains corresponding MAC Address according to the IP address in the ARP information that changes; Search the port mac address corresponding informance of two layers and/or three layers corresponding access device according to MAC Address, obtain the corresponding access device port in IP address, specifically can be referring to the search procedure in the said method.
Can also comprise: alarm module 6, be used for IP address and access device port legal IP address are compared, after judgement IP address is the illegal address, alarm and/or seal the access device port.
Alarm module is further, can also monitor the port mac address corresponding informance of two layers and/or three-layer equipment, and compares with legal port mac address corresponding relation, judges whether to occur illegal MAC Address; And/or ARP information and the corresponding relation of legal IP address and MAC Address of the three-layer equipment of monitoring compared, judge whether to occur illegal IP address or MAC Address.
Fig. 8 is a structural schematic diagram of embodiment two of the address monitoring device according to the present invention. As shown in Fig. 8, processing module 4 may comprise:
Query submodule 42, used to obtain, according to the MAC address, the layer-2 or layer-3 device access port corresponding to the IP address; when the layer-2 or layer-3 device access port is a cascade port, to search the port-to-MAC-address mapping information of the lower-level device; and, according to the port-to-MAC-address mapping information of the lower-level device, to search for the lower-level device access port corresponding to the IP address, until the access device port finally obtained is a non-cascade port. For details, see the related description of the method embodiments above; the same or similar content is not repeated here.
It may also comprise: storage submodule 44, used, in the established single-queue data storage structure, to store the lower-level device port-to-MAC-address mapping information that has been found, in order, at an available storage location in the single-queue data storage structure when that information is not yet stored there, and otherwise to extract it directly from the single-queue data storage structure. For details, see the related description of the method embodiments above; the same or similar content is not repeated here.
Each embodiment of the method invention above can be implemented in a device having the structure shown in the structure diagrams of Fig. 7 and Fig. 8. The devices shown in Fig. 7 and Fig. 8 can be located in a network management system to monitor illegal addresses in real time.
The techniques described herein can be implemented by various means. For instance, these techniques may be implemented in hardware, firmware, software, or a combination thereof. For a hardware implementation, processing module 4 may be implemented in one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described herein, or a combination thereof.
For a firmware and/or software implementation, the techniques may be implemented with modules (for example, procedures, steps, flows, etc.) that perform the functions described herein. The firmware and/or software code can be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
One of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be accomplished by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above are merely preferred embodiments of the present invention and do not limit the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art can still modify the technical solutions recorded in the foregoing embodiments, or make equivalent replacements of some of their technical features. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.
Claims (11)
1. An address monitoring method, characterized in that it comprises:
receiving the ARP information of a layer-3 device;
when a change in said ARP information is detected, obtaining the corresponding MAC address according to the IP address in said changed ARP information;
searching the port-to-MAC-address mapping information of layer-2 and/or layer-3 devices according to said MAC address, and obtaining the access device port corresponding to said IP address.
2. The method according to claim 1, characterized in that it further comprises:
comparing said IP address with the legal IP address of said access device port, and judging whether said IP address is illegal;
after judging that said IP address is illegal, performing a monitoring alarm and/or blocking said access device port.
3. The method according to claim 1, characterized in that it further comprises:
monitoring the port-to-MAC-address mapping information of said layer-2 device and/or layer-3 device, comparing the monitored port-to-MAC-address mapping information with the legal port-to-MAC-address mapping information, and judging whether an illegal MAC address has appeared;
and/or comparing the monitored ARP information of said layer-3 device with the legal correspondence between IP addresses and MAC addresses, and judging whether an illegal IP address or MAC address has appeared.
4. The method according to claim 1, characterized in that searching the port-to-MAC-address mapping information of layer-2 and/or layer-3 devices according to said MAC address and obtaining the access device port corresponding to said IP address comprises:
obtaining, according to said MAC address, the layer-2 or layer-3 device access port corresponding to said IP address;
when said layer-3 or layer-2 device access port is a cascade port, searching the port-to-MAC-address mapping information of the lower-level device;
according to said lower-level device port-to-MAC-address mapping information, searching for the lower-level cascade device access port corresponding to said IP address, until the access device port finally obtained is a non-cascade port;
taking the non-cascade access device port finally found as the access device port corresponding to said IP address.
5. The method according to claim 4, characterized in that searching, according to said lower-level device port-to-MAC-address mapping information, for the lower-level cascade device access port corresponding to said IP address until the access device port finally obtained is a non-cascade port comprises:
in an established single-queue data storage structure, when the lower-level device port-to-MAC-address mapping information to be searched is not stored in said single-queue data storage structure, storing the lower-level device port-to-MAC-address mapping information that has been found, in order, at an available storage location in said single-queue data storage structure; otherwise extracting it directly from said single-queue data storage structure.
6. The method according to any one of claims 1-5, characterized in that said ARP information and said port-to-MAC-address mapping information are received through the Simple Network Management Protocol (SNMP);
wherein said layer-3 device comprises a core router, a core switch and an aggregation switch.
7. An address monitoring device, characterized in that it comprises:
an interface module, used to receive the ARP information of a layer-3 device and the port-to-MAC-address mapping information of layer-2 and/or layer-3 devices;
a processing module, used to obtain, when a change in said ARP information is detected, the corresponding MAC address according to the IP address in said changed ARP information, and to search the port-to-MAC-address mapping information of said layer-2 and/or layer-3 devices according to said MAC address, obtaining the access device port corresponding to said IP address.
8. The device according to claim 7, characterized in that it further comprises:
an alarm module, used to compare said IP address with the legal IP address of said access device port and, after judging that said IP address is an illegal address, to raise an alarm and/or block said access device port.
9. The device according to claim 8, characterized in that said alarm module further monitors the port-to-MAC-address mapping information of said layer-2 and/or layer-3 devices, compares the monitored port-to-MAC-address mapping information with the legal port-to-MAC-address mapping information, and judges whether an illegal MAC address has appeared; and/or compares the monitored ARP information of said layer-3 device with the legal correspondence between IP addresses and MAC addresses, and judges whether an illegal IP address or MAC address has appeared.
10. The device according to claim 7, characterized in that said processing module comprises:
a query submodule, used to obtain, according to said MAC address, the layer-2 or layer-3 device access port corresponding to said IP address; when said layer-3 or layer-2 device access port is a cascade port, to search the port-to-MAC-address mapping information of the lower-level device; and, according to the port-to-MAC-address mapping information of said lower-level device, to search for the lower-level device access port corresponding to said IP address, until the access device port finally obtained is a non-cascade port.
11. The device according to claim 10, characterized in that said processing module further comprises:
a storage submodule, used, in an established single-queue data storage structure, to store the lower-level device port-to-MAC-address mapping information that has been found, in order, at an available storage location in said single-queue data storage structure when that information is not yet stored in said single-queue data storage structure, and otherwise to extract it directly from said single-queue data storage structure.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010624258.0A CN102572000B (en) | 2010-12-31 | 2010-12-31 | address monitoring method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102572000A true CN102572000A (en) | 2012-07-11 |
CN102572000B CN102572000B (en) | 2014-10-01 |
Family
ID=46416456
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010624258.0A Expired - Fee Related CN102572000B (en) | 2010-12-31 | 2010-12-31 | address monitoring method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102572000B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102970173A (en) * | 2012-12-25 | 2013-03-13 | 迈普通信技术股份有限公司 | Method and network management system for discovering illegal devices |
CN103259732A (en) * | 2013-04-03 | 2013-08-21 | 北京邮电大学 | SDN broadcast processing method triggering agent based on ARP event |
CN103457882A (en) * | 2013-08-29 | 2013-12-18 | 国家电网公司 | Intelligent substation secure access method |
CN103546587A (en) * | 2012-07-11 | 2014-01-29 | 现代摩比斯株式会社 | APP communication Mehode, transmission device and communication system verdifying effectiveness |
CN105897464A (en) * | 2016-03-30 | 2016-08-24 | 国网福建省电力有限公司 | Power internal network remote application program monitoring technology based on MAC address control |
CN105991794A (en) * | 2015-06-01 | 2016-10-05 | 杭州迪普科技有限公司 | Address learning method and address learning device |
CN107094187A (en) * | 2017-04-01 | 2017-08-25 | 汕头大学 | A kind of method of the access switch port of automatic lookup MAC Address |
CN107809348A (en) * | 2017-09-19 | 2018-03-16 | 广西电网有限责任公司电力科学研究院 | Towards the SOT state of termination monitoring method of power network big data distributed system |
TWI666896B (en) * | 2017-12-26 | 2019-07-21 | 資易國際股份有限公司 | Automatic repair method of network device real and virtual address corresponding failure |
CN113438162A (en) * | 2021-05-21 | 2021-09-24 | 翱捷科技股份有限公司 | Method and device for realizing two-layer forwarding |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070064689A1 (en) * | 2003-09-19 | 2007-03-22 | Shin Yong M | Method of controlling communication between devices in a network and apparatus for the same |
CN101098291A (en) * | 2006-06-29 | 2008-01-02 | 中兴通讯股份有限公司 | Method for preventing disturbance of medium accessing control address table on access equipment |
CN101436934A (en) * | 2008-10-20 | 2009-05-20 | 福建星网锐捷网络有限公司 | Method, system and equipment for controlling user upper wire |
CN101984693A (en) * | 2010-11-16 | 2011-03-09 | 中兴通讯股份有限公司 | Monitoring method and monitoring device for access of terminal to local area network (LAN) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103546587A (en) * | 2012-07-11 | 2014-01-29 | 现代摩比斯株式会社 | APP communication Mehode, transmission device and communication system verdifying effectiveness |
CN103546587B (en) * | 2012-07-11 | 2016-09-21 | 现代摩比斯株式会社 | The ARP communication means of effectiveness and dispensing device and communication system thereof can be verified |
CN102970173B (en) * | 2012-12-25 | 2015-07-15 | 迈普通信技术股份有限公司 | Method and network management system for discovering illegal devices |
CN102970173A (en) * | 2012-12-25 | 2013-03-13 | 迈普通信技术股份有限公司 | Method and network management system for discovering illegal devices |
CN103259732B (en) * | 2013-04-03 | 2016-09-28 | 北京邮电大学 | A kind of SDN broadcast processing method triggering agency based on ARP event |
CN103259732A (en) * | 2013-04-03 | 2013-08-21 | 北京邮电大学 | SDN broadcast processing method triggering agent based on ARP event |
CN103457882A (en) * | 2013-08-29 | 2013-12-18 | 国家电网公司 | Intelligent substation secure access method |
CN105991794A (en) * | 2015-06-01 | 2016-10-05 | 杭州迪普科技有限公司 | Address learning method and address learning device |
CN105991794B (en) * | 2015-06-01 | 2019-05-07 | 杭州迪普科技股份有限公司 | A kind of address learning method and device |
CN105897464A (en) * | 2016-03-30 | 2016-08-24 | 国网福建省电力有限公司 | Power internal network remote application program monitoring technology based on MAC address control |
CN105897464B (en) * | 2016-03-30 | 2019-08-23 | 国网福建省电力有限公司 | Electric power Intranet remote application monitoring method based on MAC Address control |
CN107094187A (en) * | 2017-04-01 | 2017-08-25 | 汕头大学 | A kind of method of the access switch port of automatic lookup MAC Address |
CN107809348A (en) * | 2017-09-19 | 2018-03-16 | 广西电网有限责任公司电力科学研究院 | Towards the SOT state of termination monitoring method of power network big data distributed system |
CN107809348B (en) * | 2017-09-19 | 2021-04-20 | 广西电网有限责任公司电力科学研究院 | Terminal state monitoring method for power grid big data distributed system |
TWI666896B (en) * | 2017-12-26 | 2019-07-21 | 資易國際股份有限公司 | Automatic repair method of network device real and virtual address corresponding failure |
CN113438162A (en) * | 2021-05-21 | 2021-09-24 | 翱捷科技股份有限公司 | Method and device for realizing two-layer forwarding |
Also Published As
Publication number | Publication date |
---|---|
CN102572000B (en) | 2014-10-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102572000B (en) | address monitoring method and device | |
CN107911258B (en) | SDN network-based security resource pool implementation method and system | |
US11086653B2 (en) | Forwarding policy configuration | |
TW202026896A (en) | Asynchronous object manager in a network routing environment | |
US20070201490A1 (en) | System and method for implementing ethernet MAC address translation | |
CN101227407B (en) | Method and apparatus for sending message based on two layer tunnel protocol | |
CN101873230B (en) | Method and device for discovering physical network topology | |
JP5846199B2 (en) | Control device, communication system, communication method, and communication program | |
CN105791072A (en) | Access method and device of Ethernet virtual network | |
EP2451125B1 (en) | Method and system for realizing network topology discovery | |
JP2006020085A (en) | Network system, network bridge device, network managing device and network address solution method | |
US9231831B2 (en) | Method and network system of converting a layer two network from a spanning tree protocol mode to a routed mesh mode without a spanning tree protocol | |
CN102143007A (en) | Distribution-based hierarchical network topology discovery method | |
CN102045190A (en) | Network topology discovery method and device | |
TW201519621A (en) | Management server and management method thereof for managing cloud appliances in virtual local area networks | |
CN104010049A (en) | Ethernet IP message packaging method based on SDN and network isolation and DHCP implementing method based on SDN | |
CN100547980C (en) | A kind of information processor and control method | |
US20130322445A1 (en) | Implementing Control Planes for Hybrid Networks | |
US8914503B2 (en) | Detected IP link and connectivity inference | |
CN103581022A (en) | MAC address finding and transmitting method and device | |
KR101358775B1 (en) | User access method, system, and access server, access device | |
CN101729355B (en) | Method for realizing particular virtual local area network and device | |
US20170180311A1 (en) | Systems and methods for managing network address information | |
CN110545194A (en) | Network topology generation method and device | |
CN109274588A (en) | The processing method and processing device of IP packet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20141001 |
CF01 | Termination of patent right due to non-payment of annual fee |