CN102572000B - address monitoring method and device - Google Patents

Address monitoring method and device

Info

Publication number: CN102572000B
Application number: CN201010624258.0A
Authority: CN (China)
Other versions: CN102572000A (application publication)
Other languages: Chinese (zh)
Prior art keywords: address, port, MAC address, correspondence information, Layer 3 equipment
Legal status: Expired - Fee Related
Inventors: 申民, 马振尊, 弋鹏翔, 高芳, 宋悦, 罗海星
Current assignee: China Mobile Group Shanxi Co Ltd
Original assignee: China Mobile Group Shanxi Co Ltd

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses an address monitoring method and an address monitoring device. The method comprises: receiving the Address Resolution Protocol (ARP) information of Layer 3 equipment; when the ARP information changes, obtaining the media access control (MAC) address corresponding to the Internet Protocol (IP) address in the changed ARP information; and looking up the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment by that MAC address to obtain the access device port corresponding to the IP address. With this method and device, illegal addresses can be discovered promptly, and the defect of the prior art, which cannot fundamentally prevent address theft, is overcome.

Description

Address monitoring method and device
Technical field
The present invention relates to business support technology in the communications field, and in particular to an address monitoring method and device.
Background art
At present, the common method by which most network administrators discover IP address theft is to periodically scan the Address Resolution Protocol (ARP) table of each router in the network, obtain the IP addresses currently in use together with the IP-MAC correspondence, and compare them with the table of legal IP addresses and the legal IP-MAC table; an inconsistency indicates unauthorized access, and the illegal IP is then removed from the ARP table. IP address theft can also be discovered from user fault reports (a host whose IP address has been stolen shows a MAC address conflict warning). On this basis, the usual preventive measures include IP-MAC binding, proxy servers, IP-MAC-USER authentication and authorization, and transparent gateways. There is also manual searching: the administrator logs in to a switch to look up the MAC address on the relevant port and logs in to the core switch to check the ARP table. This manual procedure is tedious, and by the time the relevant information has been found the thief may already have left, so it cannot monitor effectively.
The inventors found that the prior art has at least the following problems. Existing monitoring methods have limitations: IP-MAC binding is very difficult to manage on the user side, and the transparent gateway technique needs a dedicated machine to forward data, which easily becomes a bottleneck. Moreover, none of the current mechanisms completely and fundamentally prevents the harm caused by IP address theft; they only stop the thief from directly accessing external network resources. Because the thief still has complete freedom of movement within the IP subnet, legitimate users are disturbed on the one hand and, on the other hand, the stolen address may be used to attack other machines and network equipment in the subnet. If there is a proxy server in the subnet, the thief can also reach resources outside the network through it.
Summary of the invention
The first object of the present invention is to propose an address monitoring method that discovers illegal addresses promptly.
The second object of the present invention is to propose an address monitoring device that discovers illegal addresses promptly.
To achieve the first object, according to one aspect of the present invention, an address monitoring method is provided, comprising: receiving the ARP information of Layer 3 equipment; when a change in the ARP information is detected, obtaining the MAC address corresponding to the IP address in the changed ARP information; and looking up the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment by that MAC address to obtain the access device port corresponding to the IP address.
The method may further comprise: comparing the IP address with the legal IP address of the access device port to judge whether the IP address is illegal; and, once the IP address is judged illegal, raising a monitoring alarm and/or shutting down the access device port.
The method may further comprise: monitoring the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment and comparing it with the legal port-MAC address correspondence information to judge whether an illegal MAC address has appeared; and/or comparing the monitored ARP information of the Layer 3 equipment with the legal IP-to-MAC correspondence to judge whether an illegal IP address or MAC address has appeared.
Preferably, looking up the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment by the MAC address to obtain the access device port corresponding to the IP address may comprise: obtaining, by the MAC address, the Layer 2 or Layer 3 equipment access port corresponding to the IP address; when that access port is a cascade port, looking up the port-MAC address correspondence information of the subordinate equipment; looking up, in the subordinate equipment's port-MAC address correspondence information, the subordinate access port corresponding to the IP address, and repeating until the access device port finally obtained is a non-cascade port; and taking the non-cascade access device port found last as the access device port corresponding to the IP address.
Looking up the subordinate access port in the subordinate equipment's port-MAC address correspondence information until a non-cascade port is obtained may comprise: in an established single-queue data storage structure, when the subordinate equipment's port-MAC address correspondence information to be looked up is not yet stored in the single queue, storing the information found into the available storage locations of the single queue in order; otherwise extracting it directly from the single queue.
The above method may receive the ARP information and the port-MAC address correspondence information through the Simple Network Management Protocol (SNMP); the Layer 3 equipment comprises core routers, core switches and aggregation switches.
To achieve the second object, according to another aspect of the present invention, an address monitoring device is provided, comprising: an interface module, for receiving the ARP information of Layer 3 equipment and the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment; and a processing module, for obtaining, when a change in the ARP information is detected, the MAC address corresponding to the IP address in the changed ARP information, and looking up the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment by that MAC address to obtain the access device port corresponding to the IP address.
The address monitoring method and device of the embodiments of the present invention monitor in real time and promptly discover the access device port corresponding to a changed IP address. If the IP address is illegal, the physical connection of the illegal IP can be cut off promptly, which solves the problem that the prior art cannot completely and fundamentally prevent IP address theft: not only access to external resources but also theft of IP addresses inside the intranet can be blocked.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the specification or be understood by practising the invention. The objects and other advantages of the present invention can be realised and obtained by the structures particularly pointed out in the written specification, the claims and the accompanying drawings.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
The accompanying drawings provide a further understanding of the present invention and form part of the specification; together with the embodiments they serve to explain the present invention and do not limit it. In the drawings:
Fig. 1 is a flow chart of embodiment 1 of the address monitoring method according to the present invention;
Fig. 2 is a flow chart of embodiment 2 of the address monitoring method according to the present invention;
Fig. 3 is a schematic diagram of the interface of the address monitoring method according to the present invention;
Fig. 4 is a flow chart of embodiment 3 of the address monitoring method according to the present invention;
Fig. 5 is a schematic diagram of the network topology used for traversing the MAC address tables in the address monitoring method according to the present invention;
Fig. 6 is a schematic diagram of the storage structure of the traversal data for the network topology of Fig. 5;
Fig. 7 is a schematic structural diagram of embodiment 1 of the address monitoring device according to the present invention;
Fig. 8 is a schematic structural diagram of embodiment 2 of the address monitoring device according to the present invention.
Detailed description of the embodiments
The preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only serve to describe and explain the present invention and are not intended to limit it.
Method embodiments
Fig. 1 is a flow chart of embodiment 1 of the address monitoring method according to the present invention. As shown in Fig. 1, this embodiment comprises:
Step S102: receiving the ARP information of Layer 3 equipment;
For example, the Layer 3 equipment may be a core router, a core switch or an aggregation switch. The ARP table is obtained from the Layer 3 equipment; it stores the IP addresses currently in use and the IP-MAC correspondence.
Step S104: when a change in the ARP information is detected, obtaining the MAC address corresponding to the IP address in the changed ARP information;
Step S106: looking up the port-MAC address correspondence table of Layer 2 and/or Layer 3 equipment by the MAC address obtained in step S104, so that the access device port corresponding to the changed IP address can be found.
The Layer 2 equipment comprises the downstream switches of the Layer 3 equipment. The switch is the main network device of a local area network; it operates at the data link layer and forwards and filters packets based on MAC addresses. Each switch therefore maintains a MAC address table keyed by port, and the MAC address of any host directly connected to the switch, or in the same broadcast domain, is recorded in that table. A Simple Network Management Protocol (SNMP) management station can communicate with the SNMP agent of each switch to obtain the per-port MAC address table that the switch holds, and thereby build a real-time port-MAC correspondence table. Step S106 takes the MAC address from the changed IP-MAC entry of the ARP table, looks it up in the real-time port-MAC table, and so obtains the port corresponding to the changed IP address.
In realising the present invention, the inventors found that other IP monitoring schemes require the IP-to-MAC correspondence to be entered in advance, but MAC addresses change quite frequently in practice (for example when a network card is replaced), so maintenance staff have to keep updating the MAC associated with each IP. This embodiment does not need to know the user's MAC address; it judges by the switch access port corresponding to the IP. Furthermore, because the ARP table is easy to obtain, changes in it can be discovered promptly and the access device port corresponding to the changed IP address located. If the IP address is illegal, the physical connection of the illegal IP can be cut off in time, which solves the problem that the prior art cannot completely and fundamentally prevent IP address theft: this embodiment blocks not only access to external resources but also IP address theft inside the intranet.
Fig. 2 is a flow chart of embodiment 2 of the address monitoring method according to the present invention. As shown in Fig. 2, this embodiment comprises:
Step S202: suppose the IP address of some machine changes;
Step S204: the ARP table of the corresponding core switch changes accordingly;
Step S206: receiving the real-time ARP table of the core switch and comparing it with the real-time ARP table obtained last time; on detecting that the real-time ARP table of a core switch has changed, capturing the changed entries of the core ARP table and obtaining, from the IP-to-MAC correspondence of the changed entries, the MAC address corresponding to the ARP change;
Step S208: looking up the MAC address tables of the Layer 2 equipment by that MAC address to locate which access port of which switch the changed IP is attached to;
IP addresses exist only on Layer 3 switches that carry the management VLAN, such as the core switch or the aggregation switch. To find which port an IP address entered through, this embodiment first checks the ARP table on the core or aggregation switch for the MAC address corresponding to the IP, determines from which port that MAC address was learned, then checks the MAC address table of the subordinate cascaded switch, and finally obtains the correspondence between the IP address and the access switch port;
Step S210: judging whether the IP is illegal. In a typical local area network the IP address and its access port are fixed; even if the MAC address changes, the IP-to-port correspondence does not. Therefore, from the port located, it is judged whether the changed IP address in the ARP table is legal for that port, that is, whether it matches the IP address that corresponds to the located port. Alternatively, a legal IP-to-access-port binding is stored in advance; the located port and its IP are compared with the pre-stored binding, and if the IP is found to be illegal the port is shut down, otherwise the procedure ends.
After this embodiment has determined an IP address theft, it can immediately take measures to block the effects of the theft. For example, the SNMP management station can send an SNMP message to the switch's agent to shut down the switch port on which the theft occurred, so that the machine using the stolen IP address cannot communicate with any other machine in the network and cannot affect their normal operation.
This embodiment discovers illegal IPs promptly from changes observed by real-time monitoring, which keeps the monitoring fast and effective, and uses port location to block IP address theft in time. Once a theft is found, it has in fact already been located to a switch port; by consulting the legal IP address-to-device port table entered in advance, the room where the theft took place can be located immediately.
Fig. 3 is a schematic diagram of the interface of the address monitoring method according to the present invention. As shown in Fig. 3, it mainly binds IP addresses to switch ports in order to find illegal IP addresses promptly. Those skilled in the art will understand from the embodiments of Figs. 1 and 2 that every switch maintains a MAC address table keyed by port, and that an SNMP management station communicating with the SNMP agent of each switch can obtain these tables and form a real-time port-MAC correspondence table. Besides the judgement of the IP-to-port correspondence in the above embodiments, the following monitoring can also be performed:
1. The real-time port-MAC address correspondence table of the switches is monitored and compared with the legal port-MAC address correspondence table, so that it can also be judged quickly and promptly whether an illegal MAC address has appeared on a switch port;
2. The real-time ARP information of the core equipment is compared with the legal IP-to-MAC correspondence to judge whether an illegal IP address or MAC address has appeared.
For example, IP address theft can be discovered according to Figs. 1 and 2; with item 1 of the additional monitoring it can also be discovered whether an illegal MAC address has appeared on a switch port, and if the same MAC address appears simultaneously on non-cascade ports of different switches, theft of an IP-MAC pair can be detected as well.
In short, several relations can be bound in advance so that several policies are monitored. For example, the legal binding table obtained in advance for a local area network may include bindings of terminal IP address to switch port, of terminal MAC address to switch port, and of terminal IP address to MAC address, and bindings of IP address, MAC address and switch port can be monitored in real time under several policies at once.
In Figs. 1 to 3 the monitoring policy and the handling method can be set in advance as required. For example, the network is monitored by polling every X; when a user with an illegal IP address appears, the port is shut down, and the port can be set to reopen automatically after Y minutes and be monitored again. X and Y are user-defined.
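As an added illustration, not part of the patent text, the following Python evaluates the additional policies just described over a single polling snapshot: the MAC-to-port and IP-to-MAC comparisons, and the paired-theft case in which one MAC is learned on non-cascade ports of two different switches at the same time. The switch names, port names, MAC and IP addresses and binding tables are constructed for the example; a deployment would fill them from SNMP walks and from the administrator's binding table.

```python
"""Added example: Fig. 3 binding policies over one snapshot (all data constructed)."""
from collections import defaultdict

# Constructed snapshot of the non-cascade (access) ports only:
# switch -> {port: [MACs learned on it]}.  Cascade ports are excluded,
# because a MAC legitimately appears on every uplink along its path.
ACCESS_PORT_MACS = {
    "SW1": {"Gi0/1": ["00:aa:00:00:00:01"], "Gi0/2": ["00:aa:00:00:00:02"]},
    "SW2": {"Gi0/1": ["00:aa:00:00:00:03"], "Gi0/2": ["00:aa:00:00:00:01"]},
}

# Constructed real-time ARP table of the core switch: IP -> MAC.
CORE_ARP = {
    "10.1.0.1": "00:aa:00:00:00:01",
    "10.1.0.2": "00:aa:00:00:00:02",
    "10.1.0.3": "00:aa:00:00:00:03",
    "10.1.0.4": "00:aa:00:00:00:04",   # address nobody registered
}

# Legal bindings entered in advance (constructed).
LEGAL_MAC_PORT = {
    "00:aa:00:00:00:01": ("SW1", "Gi0/1"),
    "00:aa:00:00:00:02": ("SW1", "Gi0/2"),
    "00:aa:00:00:00:03": ("SW2", "Gi0/1"),
}
LEGAL_IP_MAC = {
    "10.1.0.1": "00:aa:00:00:00:01",
    "10.1.0.2": "00:aa:00:00:00:02",
    "10.1.0.3": "00:aa:00:00:00:03",
}


def check_mac_port(port_macs, legal):
    """Policy 1: a MAC learned on an access port it is not bound to."""
    return [("illegal_mac_on_port", mac, sw, port)
            for sw, ports in port_macs.items()
            for port, macs in ports.items()
            for mac in macs if legal.get(mac) != (sw, port)]


def check_ip_mac(arp, legal):
    """Policy 2: an ARP entry whose IP-MAC pair is not the registered one.
    An IP that was never registered fails the same test."""
    return [("illegal_ip_mac", ip, mac)
            for ip, mac in arp.items() if legal.get(ip) != mac]


def check_cloned_mac(port_macs):
    """Paired theft: one MAC on non-cascade ports of two different switches
    at once, which a single physical host cannot produce."""
    seen = defaultdict(set)
    for sw, ports in port_macs.items():
        for port, macs in ports.items():
            for mac in macs:
                seen[mac].add((sw, port))
    return [("cloned_mac", mac, sorted(locs))
            for mac, locs in sorted(seen.items())
            if len({sw for sw, _ in locs}) > 1]


def evaluate(port_macs, arp, legal_mac_port, legal_ip_mac):
    """Run all policies on one snapshot and return the findings."""
    return (check_mac_port(port_macs, legal_mac_port)
            + check_ip_mac(arp, legal_ip_mac)
            + check_cloned_mac(port_macs))


if __name__ == "__main__":
    for finding in evaluate(ACCESS_PORT_MACS, CORE_ARP, LEGAL_MAC_PORT, LEGAL_IP_MAC):
        print(*finding)
```

The cloned-MAC check deliberately ignores the same MAC on two ports of one switch, since that is what a flapping link or a host moved between ports looks like; only the two-switch case is the paired-theft signal the text describes.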
Fig. 4 is a flow chart of embodiment 3 of the address monitoring method according to the present invention. Its main process comprises:
A. After initialisation, the MIB information of the core switch is obtained through the general international standard protocol SNMP (Simple Network Management Protocol) and saved. Only the initial value is saved; it is used for comparison against newly acquired ARP entries to find the changed values. The MIB information mainly comprises the ARP data table (the IP-to-MAC address correspondence table) and the MAC address table (the MAC address-to-device port correspondence table, also called the port-MAC address correspondence table).
B. The IP address of the terminal on some port changes, which triggers a change in the ARP table of the core switch, and the switch sends a Trap message to the IP address monitoring device of the network management system (see Figs. 7 and 8). From the changed ARP entry, the IP monitoring device obtains the core MAC address table and finds the corresponding port, then judges whether the IP address of that port is consistent with the real-time IP address. If not, it judges whether the port is a cascade port; if so, it sends a query to the downstream switch and keeps searching downwards until the MAC address table of the final access switch is found and the non-cascade terminal access port is obtained. The port-to-IP correspondence found is compared with the legal, user-defined IP-to-switch-port mapping table, and if the IP is illegal the predefined measures, such as shutting down the port, are taken.
The prior art does not completely and fundamentally prevent the harm caused by IP address theft; it merely stops the thief from directly accessing external network resources. This embodiment monitors and blocks illegal IP theft in real time both inside and outside the network and cuts off the physical connection of the illegal IP in time.
The above embodiments do not need to know the user's MAC; they judge illegal addresses by the correspondence between the IP and the switch port. The difficulty of this approach is that looking up the port-MAC address correspondence tables of the Layer 2 access and/or Layer 3 equipment requires traversing the switches' MAC address tables; without an optimised lookup algorithm this is hard to implement. Figs. 5 and 6 below illustrate the search procedure of the embodiments of the present invention and provide an optimised lookup algorithm: a single-threaded, lock-free single-queue lookup.
Fig. 5 is a schematic diagram of the network topology used for traversing the MAC address tables in the address monitoring method according to the present invention, where A, B, C, D, E, F, G, H and I are switches.
When the ARP table changes, the changed and newly added IP addresses may amount to many entries, and every entry requires a traversal of its network path; these paths inevitably overlap. For example, path 1 is A→B→C→D and path 2 is A→B→E→F; A and B are common to both. If a recursive algorithm obtains the MAC address tables of switches A and B repeatedly, that is duplicated work: the algorithm is inefficient and the load on the network increases.
The search procedure of the present invention is illustrated below with reference to Fig. 5:
Suppose intranet monitoring finds, from the changed ARP table, two illegal IPs on core switch A (call them x1 and x2). First the MAC address of x1 (call it Mac-a) is checked. From the MacAddress-Table of core A it is determined whether Mac-a came from switch B or from switch C; the result is that it came from B. The MacAddress-Table of B is then obtained to determine whether Mac-a is on B itself or came from D or E; the result is that it came from switch D. The MacAddress-Table of switch D is obtained and analysed, and Mac-a is finally found on port G0/3 of switch D. The traversal path so far is A-B-D.
Then the MAC address of x2 (call it Mac-b) is looked up. From the MacAddress-Table of core A it is determined whether Mac-b came from switch B or from switch C; the result is that it came from B. The MacAddress-Table of B is obtained to determine whether Mac-b is on B itself or came from D or E; the result is that it came from switch D. The MacAddress-Table of switch D is obtained and analysed, and Mac-b is found to be on switch G; the MacAddress-Table of switch G is obtained, and Mac-b is found on port G0/4 of switch G. The traversal path so far is A-B-D-G.
The example shows that the paths of the two illegal IPs are very similar (A-B-D and A-B-D-G). Looking up the Layer 2 switches' port-address correspondence tables (MacAddress-Table) consumes a great deal of time, and repeatedly obtaining the MacAddress-Table of the same switch can account for 90% of the service program's running time. Fig. 6 is a schematic diagram of the storage structure of the traversal data for the network topology of Fig. 5. As shown in Fig. 6, the search procedure first creates an empty single queue to store the MacAddress-Tables of the switches. Following the network topology of Fig. 5 and the paths of the two illegal IPs x1 and x2 in the example:
First the MacAddress-Table of core A is obtained, and the MacAddress-Table of A (call it MacA) is stored in the queue.
When the MacAddress-Table of switch B is to be obtained, it is first checked whether the MacAddress-Table of B (call it MacB) is already in the queue. If MacB is not in the queue, it is obtained and stored in the queue; if it is, it is taken directly from the queue.
When the MacAddress-Table of switch C is to be obtained, it is first checked whether the MacAddress-Table of C (call it MacC) is already in the queue. If MacC is not in the queue, it is obtained and stored in the queue; if it is, it is taken directly from the queue.
After the first illegal IP (x1) has been checked, when the second IP is checked, the MacAddress-Tables of path A-B-C are already in the queue and are taken directly from the single-queue data structure; only the MacAddress-Table of switch D has to be obtained separately, and it is then stored in the queue.
When judging the second IP, only switch D is accessed, and the time for accessing the MacAddress-Tables of switches A, B and C is saved. The more illegal IPs there are and the larger the network, the more pronounced the lookup benefit of this embodiment and the higher its efficiency.
In short, when the changed ARP information contains two or more IPs, the corresponding two or more MAC addresses are obtained from the two or more IP addresses in the changed ARP information;
and the access device ports corresponding to the two or more IP addresses are obtained from those MAC addresses and the port-MAC address correspondence information of the monitored switches. Specifically, when looking up the access device port corresponding to the next IP address, it is judged whether the Layer 2 equipment port-MAC address correspondence information to be looked up for that IP address is already stored in the single-queue data storage structure; if not, the information found is stored in the single queue in order; otherwise it is extracted directly from the single queue.
Taking the above example, the search procedure may be implemented as follows: a single-queue data storage structure is used and a switch Mac-Address class is defined. A single-queue container is created first. When switch A is reached along a path, the Mac-Address class is instantiated to produce the Mac-Address object of switch A, which is saved in the single-queue container; likewise, after B, C and D have been visited, their Mac-AddressTable objects are also kept in the queue container. When the second path is visited, it is first checked whether the switch being visited already exists in the queue container; if not, a new object is created and saved in the container, and if so, it is extracted directly from the container.
With the prior art, the MacAddressTables of eight switches, A, B, C, D, A, B, E and F, have to be checked; with the above algorithm only six, A, B, C, D, E and F, have to be checked. In the example above this improves performance by 25%, and the more IP addresses have to be checked, the more pronounced the lookup advantage.
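The following Python, added here and not part of the patent, puts the procedure of Figs. 1, 2 and 4 and the cached traversal of Figs. 5 and 6 into one runnable monitoring round: it diffs two ARP snapshots, descends from the core through cascade ports until a non-cascade port holds the MAC, judges the located port against the legal IP-to-port binding, and counts how many MAC tables are fetched with and without the single-queue cache. The topology (core A with chains A-B-C-D and A-B-E-F), addresses, tables and bindings are constructed to reproduce the 8-versus-6 count above; the SNMP session is a stand-in, with the MIB objects a real walk would read named in the comments.

```python
"""Added example: ARP-change detection, cascade descent and per-round table cache.
All switches, ports, addresses and tables are constructed, not from the patent."""

# Constructed topology modelled on Fig. 5: core A with two cascaded chains
# A->B->C->D and A->B->E->F.  Values are {cascade_port: downstream switch};
# a real tool would take this from configuration or CDP/LLDP.
CASCADE = {
    "A": {"Gi0/1": "B"},
    "B": {"Gi0/10": "C", "Gi0/11": "E"},
    "C": {"Gi0/5": "D"},
    "D": {},
    "E": {"Gi0/7": "F"},
    "F": {},
}
MAC_X1, MAC_X2, MAC_X3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"

# Constructed per-switch MAC tables (MAC -> port): what an SNMP walk of
# dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2) yields once the bridge port is
# mapped through dot1dBasePortIfIndex to an interface name.
MAC_TABLES = {
    "A": {MAC_X1: "Gi0/1", MAC_X2: "Gi0/1", MAC_X3: "Gi0/1", "00:11:22:33:44:09": "Gi0/20"},
    "B": {MAC_X1: "Gi0/10", MAC_X2: "Gi0/11", MAC_X3: "Gi0/11"},
    "C": {MAC_X1: "Gi0/5"},
    "D": {MAC_X1: "Gi0/3"},
    "E": {MAC_X2: "Gi0/7", MAC_X3: "Gi0/7"},
    "F": {MAC_X2: "Gi0/4", MAC_X3: "Gi0/4"},
}
# Legal IP -> (switch, port) bindings entered by the administrator (Fig. 3).
LEGAL_BINDING = {
    "10.0.0.11": ("D", "Gi0/3"),
    "10.0.0.12": ("F", "Gi0/4"),
    "10.0.0.13": ("A", "Gi0/20"),
}
# Two successive snapshots of the core ARP table (ipNetToMediaPhysAddress).
# 10.0.0.12 got a new NIC on the same port; 10.0.0.13 now resolves to the
# MAC of the host on D Gi0/3, i.e. that host has taken the address.
OLD_ARP = {"10.0.0.11": MAC_X1, "10.0.0.12": MAC_X2, "10.0.0.13": "00:11:22:33:44:09"}
NEW_ARP = {"10.0.0.11": MAC_X1, "10.0.0.12": MAC_X3, "10.0.0.13": MAC_X1}


class SnmpSession:
    """Stand-in for the SNMP management station; counts table fetches so the
    saving from the cache is measurable."""
    def __init__(self, tables):
        self.tables = tables
        self.fetches = 0

    def mac_table(self, switch):
        self.fetches += 1
        return dict(self.tables[switch])


def arp_changes(old, new):
    """Steps S104/S206: entries that are new or whose MAC changed."""
    return {ip: mac for ip, mac in new.items() if old.get(ip) != mac}


def locate(mac, core, snmp, cache=None):
    """Steps S106/S208: descend from the core until the port that learned
    `mac` is not a cascade port.  `cache` is the single-queue store of
    Fig. 6: a table fetched once in this round is reused, never re-polled."""
    switch, path = core, []
    while True:
        if cache is not None and switch in cache:
            table = cache[switch]
        else:
            table = snmp.mac_table(switch)
            if cache is not None:
                cache[switch] = table           # kept in traversal order
        path.append(switch)
        port = table.get(mac)
        if port is None:
            return None, path                   # not learned here (aged out)
        child = CASCADE[switch].get(port)
        if child is None:
            return (switch, port), path         # non-cascade: the access port
        switch = child


def sweep(old_arp, new_arp, core, snmp, use_cache=True):
    """One polling round: diff ARP, locate each changed IP, judge it against
    the legal binding (step S210) and name the action to take."""
    cache = {} if use_cache else None
    results = {}
    for ip, mac in arp_changes(old_arp, new_arp).items():
        located, path = locate(mac, core, snmp, cache)
        if located is None:
            verdict = "unlocated"
        elif located == LEGAL_BINDING.get(ip):
            verdict = "legal"                   # MAC may differ; the port does not
        else:
            verdict = "illegal: shutdown %s %s" % located   # set ifAdminStatus down
        results[ip] = (located, path, verdict)
    return results


if __name__ == "__main__":
    for use_cache in (False, True):
        snmp = SnmpSession(MAC_TABLES)
        for ip, (where, path, verdict) in sweep(OLD_ARP, NEW_ARP, "A", snmp, use_cache).items():
            print(ip, "->".join(path), where, verdict)
        print("MAC tables fetched (cache=%s): %d" % (use_cache, snmp.fetches))
```

Note that 10.0.0.12 is judged legal even though its MAC changed, which is the point made after step S106: the binding is to the port, not to the MAC. The cache is created per round and discarded afterwards; reusing it across polls would let a stale table hide a host that has since moved to another port.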
Fig. 7 is a schematic structural diagram of embodiment 1 of the address monitoring device according to the present invention. As shown in Fig. 7, it comprises:
Interface module 2, for receiving the ARP information of the Layer 3 equipment and the port-MAC address correspondence information of the Layer 2 equipment; see the related description of the method embodiments above;
Processing module 4, for obtaining, when a change in the ARP information is detected, the MAC address corresponding to the IP address in the changed ARP information, and looking up the port-MAC address correspondence information of the corresponding Layer 2 and/or Layer 3 access equipment by that MAC address to obtain the access device port corresponding to the IP address; see the search procedure in the method above.
It may further comprise an alarm module 6, for comparing the IP address with the legal IP address of the access device port and, after judging the IP address illegal, raising an alarm and/or shutting down the access device port.
The alarm module may further monitor the port-MAC address correspondence information of Layer 2 and/or Layer 3 equipment and compare it with the legal port-MAC address correspondence to judge whether an illegal MAC address has appeared; and/or compare the monitored ARP information of the Layer 3 equipment with the legal IP-to-MAC correspondence to judge whether an illegal IP address or MAC address has appeared.
Fig. 8 is a schematic structural diagram of embodiment 2 of the address monitoring device according to the present invention. As shown in Fig. 8, the processing module 4 may comprise:
Query submodule 42, for obtaining, by the MAC address, the Layer 2 or Layer 3 equipment access port corresponding to the IP address; when that access port is a cascade port, looking up the port-MAC address correspondence information of the subordinate equipment; and looking up, in the subordinate equipment's port-MAC address correspondence information, the subordinate access port corresponding to the IP address until the access device port finally obtained is a non-cascade port. See the related description of the method embodiments; the same or similar content is not repeated here.
It may further comprise a storage submodule 44, for the established single-queue data storage structure: when the subordinate equipment's port-MAC address correspondence information to be looked up is not stored in the single queue, the information found is stored in the available storage locations of the single queue in order; otherwise it is extracted directly from the single queue. See the related description of the method embodiments; the same or similar content is not repeated here.
Each embodiment of the above method can be realised in a device having the structure shown in the structural diagrams of Figs. 7 and 8. The device shown in Figs. 7 and 8 can be placed in the network management system to monitor illegal addresses in real time.
The techniques described here can be implemented by various means: in hardware, firmware, software or a combination of them. For a hardware implementation, the processing module 4 may be implemented in one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described here, or a combination of them.
For a firmware and/or software implementation, the techniques may be implemented with modules (for example procedures, steps, flows and so on) that perform the functions described here. The firmware and/or software code can be stored in a memory and executed by a processor; the memory may be implemented inside the processor or outside it.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be performed by hardware under program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above are only preferred embodiments of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in those embodiments or substitute equivalents for some of their technical features. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (9)

1. An address monitoring method, characterized in that it comprises:
receiving ARP information of a layer-3 device;
when a change in the ARP information is detected, obtaining the corresponding MAC address according to the IP address in the changed ARP information;
looking up the port MAC address correspondence information of layer-2 and/or layer-3 devices according to the MAC address, and obtaining the access device port corresponding to the IP address;
wherein looking up the port MAC address correspondence information of layer-2 and/or layer-3 devices according to the MAC address and obtaining the access device port corresponding to the IP address comprises:
obtaining, according to the MAC address, the layer-2 or layer-3 device access port corresponding to the IP address;
when the layer-3 or layer-2 device access port is a cascade port, looking up the port MAC address correspondence information of the subordinate device;
according to the port MAC address correspondence information of the subordinate device, looking up the subordinate cascade device access port corresponding to the IP address, until the access device port finally obtained is a non-cascade port;
taking the non-cascade access device port finally found as the access device port corresponding to the IP address.
2. The method according to claim 1, characterized in that it further comprises:
comparing the IP address with the legal IP addresses of the access device port, and judging whether the IP address is illegal;
after judging that the IP address is illegal, raising a monitoring alarm and/or blocking the access device port.
3. The method according to claim 1, characterized in that it further comprises:
monitoring the port MAC address correspondence information of the layer-2 device and/or layer-3 device, comparing the monitored port MAC address correspondence information with the legal port MAC address correspondence information, and judging whether an illegal MAC address has appeared;
and/or comparing the monitored ARP information of the layer-3 device with the correspondence between legal IP addresses and MAC addresses, and judging whether an illegal IP address or MAC address has appeared.
4. The method according to claim 1, characterized in that looking up, according to the port MAC address correspondence information of the subordinate device, the subordinate cascade device access port corresponding to the IP address until the access device port finally obtained is a non-cascade port comprises:
in an established single-queue data storage structure, when the subordinate device port MAC address correspondence information to be looked up is not stored in the single-queue data storage structure, storing the found subordinate device port MAC address correspondence information in order in the available storage locations of the single-queue data storage structure; otherwise, extracting it directly from the single-queue data storage structure.
5. The method according to any one of claims 1 to 4, characterized in that the ARP information and the port MAC address correspondence information are received via the Simple Network Management Protocol (SNMP);
wherein the layer-3 device comprises a core router, a core switch or an aggregation switch.
6. An address monitoring device, characterized in that it comprises:
an interface module, for receiving ARP information of a layer-3 device and the port MAC address correspondence information of layer-2 and/or layer-3 devices;
a processing module, for obtaining, when a change in the ARP information is detected, the corresponding MAC address according to the IP address in the changed ARP information, and for looking up the port MAC address correspondence information of the layer-2 and/or layer-3 devices according to the MAC address to obtain the access device port corresponding to the IP address;
wherein the processing module comprises:
an inquiry submodule, for obtaining, according to the MAC address, the layer-2 or layer-3 device access port corresponding to the IP address; when the layer-3 or layer-2 device access port is a cascade port, looking up the port MAC address correspondence information of the subordinate device; and, according to the port MAC address correspondence information of the subordinate device, looking up the subordinate device access port corresponding to the IP address, until the access device port finally obtained is a non-cascade port.
7. The device according to claim 6, characterized in that it further comprises:
an alarm module, for comparing the IP address with the legal IP addresses of the access device port and, after judging that the IP address is an illegal address, raising an alarm and/or blocking the access device port.
8. The device according to claim 7, characterized in that the alarm module further monitors the port MAC address correspondence information of the layer-2 and/or layer-3 devices, compares the monitored port MAC address correspondence information with the legal port MAC address correspondence information, and judges whether an illegal MAC address has appeared; and/or compares the monitored ARP information of the layer-3 device with the correspondence between legal IP addresses and MAC addresses, and judges whether an illegal IP address or MAC address has appeared.
9. The device according to claim 6, characterized in that the processing module further comprises:
a storage submodule, for establishing a single-queue data storage structure; when the subordinate device port MAC address correspondence information to be looked up is not stored in the single-queue data storage structure, storing the found subordinate device port MAC address correspondence information in order in the available storage locations of the single-queue data storage structure; otherwise, extracting it directly from the single-queue data storage structure.
Application CN201010624258.0A, priority date 2010-12-31, filing date 2010-12-31: address monitoring method and device. Status: Expired - Fee Related. Granted publication: CN102572000B (en).

Publications (2)

Publication Number | Publication Date
CN102572000A (en) | 2012-07-11
CN102572000B (en) | 2014-10-01

Family

ID=46416456


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20141001