CN103401706B - A method and apparatus for configuring port security - Google Patents


Publication number
CN103401706B
Authority
CN
China
Prior art keywords
host
port
mac address
switch
user
Application number
CN201310318249.2A
Other languages
Chinese (zh)
Other versions
CN103401706A (en
Inventor
何斌
Original Assignee
迈普通信技术股份有限公司
Application filed by 迈普通信技术股份有限公司
Priority to CN201310318249.2A
Publication of CN103401706A
Application granted
Publication of CN103401706B

Abstract

Embodiments of the present invention provide a method and apparatus for configuring port security, relating to the field of network communication technology, which can automatically learn the MAC addresses and IP addresses of the hosts connected to all ports of a switch and bind them automatically. In the embodiments, the switch receives the ports, specified by the user, on which port security is to be enabled; by reading the locally stored MAC address table, the switch obtains the MAC address of the host connected to the port; using the obtained MAC address of the host, the switch reads the stored ARP table to obtain the IP address of the host; and the switch automatically binds the MAC address of the host and the IP address of the host to the port. The invention is suitable for use when configuring port security.

Description

A method and apparatus for configuring port security

Technical Field

[0001] The present invention relates to the field of network communication technology, and in particular to a method and apparatus for configuring port security.

Background

[0002] In a switched Ethernet network, to prevent illegitimate hosts from intruding into the network, the port security function must be enabled on the access switch to define the legitimate user hosts. Legitimate user hosts are defined by binding the Media Access Control (MAC) address and Internet Protocol (IP) address of each access host to a switch port; only legitimate hosts are allowed to access the network and no other host can, which ensures the security of network data.

[0003] In the prior art, when a network operations engineer configures port-security MAC addresses and IP addresses on a switch and binds them to interfaces, the engineer must know in advance the MAC address and IP address of the legitimate host connected to each switch port, work out the correspondence between switch ports and hosts one by one, and then bind the MAC addresses and IP addresses of thousands of hosts on a large number of switch ports.

[0004] However, when port security is configured with the prior art, network operations personnel must know in advance the MAC address and IP address of the legitimate host connected to each switch port and bind them to the corresponding port, which makes the operation complex and inefficient.

Summary

[0005] Embodiments of the present invention provide a method and apparatus for configuring port security that can automatically learn the MAC addresses and IP addresses of the hosts connected to all ports of a switch and bind them automatically, so that operation is simple and work efficiency is improved.

[0006] In a first aspect, an embodiment of the present invention provides a method for configuring port security, comprising:

[0007] a switch receives the port, specified by a user, on which port security is to be enabled;

[0008] by reading a locally stored Media Access Control (MAC) address table, the switch obtains the MAC address of the host connected to the port;

[0009] using the obtained MAC address of the host, the switch obtains the Internet Protocol (IP) address of the host by reading a stored Address Resolution Protocol (ARP) table;

[0010] the switch automatically binds the MAC address of the host and the IP address of the host to the port.

[0011] In a second aspect, an embodiment of the present invention provides an apparatus for configuring port security, comprising:

[0012] a first receiving module, configured to receive the port, specified by a user, on which port security is to be enabled;

[0013] a first acquisition module, configured to obtain the MAC address of the host connected to the port by reading a locally stored Media Access Control (MAC) address table;

[0014] a second acquisition module, configured to use the obtained MAC address of the host to obtain the Internet Protocol (IP) address of the host by reading a stored Address Resolution Protocol (ARP) table;

[0015] a binding module, configured to automatically bind the MAC address of the host and the IP address of the host to the port.

[0016] In the method and apparatus for configuring port security provided by the embodiments of the present invention, the switch receives the port, specified by the user, on which port security is to be enabled; by reading the locally stored MAC address table, the switch obtains the MAC address of the host connected to the port; using the obtained MAC address of the host, the switch obtains the IP address of the host by reading the stored ARP table. The MAC address and IP address of the host connected to each port of the switch are thereby obtained, and finally the port-security binding of the MAC addresses and IP addresses of the legitimate hosts connected to all ports of the switch is completed automatically. In the prior art, when port security is configured, network operations personnel must know in advance the MAC address and IP address of the legitimate host connected to each switch port and bind them to the corresponding port, which makes the operation complex and inefficient. The embodiments of the present invention can automatically learn the MAC addresses and IP addresses of the hosts connected to all ports of the switch and bind them automatically, so that operation is simple and work efficiency is improved.

Brief Description of the Drawings

[0017] To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

[0018] Fig. 1 is a flowchart of a method for configuring port security provided by one embodiment of the present invention;

[0019] Fig. 2 is a schematic diagram of a MAC address table provided by another embodiment of the present invention;

[0020] Fig. 3 is a schematic diagram of an access-layer switch and a gateway device provided by another embodiment of the present invention;

[0021] Fig. 4 is a schematic diagram of an ARP table provided by another embodiment of the present invention;

[0022] Fig. 5 is a flowchart of another method for configuring port security provided by another embodiment of the present invention;

[0023] Fig. 6 is a schematic diagram, provided by another embodiment of the present invention, of the correspondence between the ports on the switch on which port security is to be enabled and the MAC addresses and IP addresses of the hosts connected to those ports;

[0024] Fig. 7 is a block diagram of an apparatus for configuring port security provided by another embodiment of the present invention;

[0025] Fig. 8 is a block diagram of another apparatus for configuring port security provided by another embodiment of the present invention.

Detailed Description

[0026] The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

[0027] An embodiment of the present invention provides a method for configuring port security. The method is executed by a switch and, as shown in Fig. 1, comprises:

[0028] Step 101: the switch receives the port, specified by the user, on which port security is to be enabled.

[0029] Optionally, in this step the ports on which port security is to be enabled may be specified by the user according to the different functions of different types of ports. They may be some of the ports of the switch or all of the ports of the switch; that is, the user specifies at least one port on which port security is to be enabled.

[0030] When the user specifies that port security is to be enabled on certain ports, those ports may be connected to hosts. For example, in the switch, port A, on which port security is to be enabled, is connected to host A; port B, on which port security is to be enabled, is connected to host B; and port C, on which port security is to be enabled, is connected to host C.

[0031] Step 102: by reading the locally stored Media Access Control (MAC) address table, the switch obtains the MAC address of the host connected to the port.

[0032] The MAC address table stores the port identifiers of the ports connected to at least one host and the MAC address of the at least one host, and the port identifier of each port corresponds one-to-one to the MAC address of the host connected to that port.

[0033] In this step, while hosts communicate through the switch, the switch automatically learns the MAC addresses of these hosts and forms the MAC address table.

[0034] Optionally, as shown in Fig. 2, the locally stored MAC address table contains the correspondence between at least one port on the switch and the MAC address of the host connected to that port. For example, port A corresponds to the MAC address of host A, which may be 0001.7A00.0011; port B corresponds to the MAC address of host B, which may be 0001.7A00.0012; and port C corresponds to the MAC address of host C, which may be 0001.7A00.0013. The MAC address of the host connected to any port can be obtained from the MAC address table of the switch.

[0035] Step 103: using the obtained MAC address of the host, the switch obtains the Internet Protocol (IP) address of the host by reading the stored Address Resolution Protocol (ARP) table.

[0036] In actual networking, as shown in Fig. 3, the switch and the gateway device may be different devices: the switch performs only Layer 2 forwarding, the gateway device performs Layer 3 forwarding, and each completes its own forwarding operations. Alternatively, the switch and the gateway device may be combined into one device, that is, the switch itself performs both Layer 2 forwarding and the Layer 3 forwarding otherwise performed by the gateway device.

[0037] Optionally, when the switch and the gateway device are different devices, while hosts communicate through the switch and the gateway device, the gateway device learns the correspondence between the MAC addresses and IP addresses of these hosts through the ARP protocol and forms the ARP table. In this case the ARP table is stored in the gateway device, and the switch obtaining the IP address of the host corresponding to the MAC address comprises: the switch logs in to the gateway device, reads the ARP table stored in the gateway device, and obtains from that ARP table the IP address corresponding to the MAC address.

[0038] When the switch and the gateway device are the same device, that is, the switch performs Layer 2 forwarding and also acts as the gateway device performing Layer 3 forwarding, the ARP table is stored in the switch, and the switch obtains the IP address of the host directly by reading the locally stored ARP table.

[0039] Further optionally, the ARP table stores the IP address of at least one host connected to the ports and the MAC address of the at least one host, and the IP address of each host corresponds one-to-one to the MAC address of that host.

[0040] As shown in Fig. 4, the ARP table of the gateway device contains the correspondence between the MAC address and the IP address of each host. For example, for host A, 0001.7A00.0011 corresponds to 192.168.1.11; for host B, 0001.7A00.0012 corresponds to 192.168.1.12; and for host C, 0001.7A00.0013 corresponds to 192.168.1.13.

[0041] Step 104: the switch automatically binds the MAC address of the host and the IP address of the host to the port.

[0042] Optionally, before this step and after step 103, the switch saves the user-specified ports on which port security is to be enabled, together with the MAC addresses and IP addresses of the hosts on those ports, to a correspondence table; displays the entries of the correspondence table in turn for the user to confirm; and receives the user's marks confirming the entries that belong to legitimate hosts.

[0043] Optionally, this step comprises: according to the legitimate host MAC address, IP address and corresponding port in the entries marked by the user, the switch automatically binds the MAC address of the legitimate host and the IP address of the legitimate host to the corresponding port to which the legitimate host is connected.

[0044] Optionally, the correspondence table may contain records corresponding to illegitimate users, because it cannot be ruled out that an illegitimate user had already connected to the network before port security was enabled on the switch. The user therefore needs to confirm the legitimacy of the users of the hosts connected to each port of the switch, so as to exclude illegitimate users. An option indicating whether the entry is legitimate is provided for each entry of the correspondence table; the user confirms the legitimacy of each host entry one by one, and the switch receives and records the entries that the user marks as belonging to legitimate hosts.

[0045] Further optionally, when the switch completes the automatic binding of port-security MAC addresses and IP addresses in this step, it may call the port security interface function on the switch and, for each user-specified port on which port security is to be enabled and each host confirmed as legitimate, automatically bind the MAC address and IP address of the legitimate host to the corresponding port to which the legitimate host is connected.

[0046] The present invention provides a method for configuring port security in which the switch receives the port, specified by the user, on which port security is to be enabled; by reading the locally stored MAC address table, the switch obtains the MAC address of the host connected to the port; using the obtained MAC address of the host, the switch obtains the IP address of the host by reading the stored ARP table; and the switch automatically binds the MAC address of the host and the IP address of the host to the port. The invention can thus automatically learn the MAC addresses and IP addresses of the hosts connected to all ports of the switch and bind them automatically, so that operation is simple and work efficiency is improved.

[0047] An embodiment of the present invention provides a method for configuring port security. As shown in Fig. 5, the method comprises:

[0048] Step 501: the switch receives the port, specified by the user, on which port security is to be enabled.

[0049] Optionally, in this step the ports on which port security is to be enabled may be specified by the user according to the different functions of different types of ports. They may be some of the ports of the switch or all of the ports of the switch; that is, the user specifies at least one port on which port security is to be enabled.

[0050] When the user specifies that port security is to be enabled on certain ports, those ports may be connected to hosts. For example, in the switch, port A, on which port security is to be enabled, is connected to host A; port B, on which port security is to be enabled, is connected to host B; and port C, on which port security is to be enabled, is connected to host C.

[0051] Step 502: by reading the locally stored MAC address table, the switch obtains the MAC address of the host connected to the port.

[0052] Optionally, while hosts communicate through the switch, the switch automatically learns the MAC addresses of these hosts and forms the MAC address table from the learned MAC addresses of the different hosts. The MAC address table stores the port identifiers of the ports connected to at least one host and the MAC address of the at least one host, and the port identifier of each port corresponds one-to-one to the MAC address of the host connected to that port.

[0053] Optionally, as shown in Fig. 2, the locally stored MAC address table contains the correspondence between at least one port on the switch and the MAC address of the host connected to that port. For example, port A corresponds to the MAC address of host A, which may be 0001.7A00.0011; port B corresponds to the MAC address of host B, which may be 0001.7A00.0012; and port C corresponds to the MAC address of host C, which may be 0001.7A00.0013. The MAC address of the host connected to any port can be obtained from the MAC address table of the switch.

[0054] Step 503: using the obtained MAC address of the host, the switch obtains the IP address of the host by reading the stored ARP table.

[0055] Optionally, this step is the same as step 103 in Fig. 1. For the process by which the switch obtains the IP address of the host corresponding to the MAC address, see the description of step 103, which is not repeated here.

[0056] It should be noted that steps 501, 502 and 503 automatically obtain the MAC addresses and IP addresses of the hosts connected to the switch ports. Compared with the prior art, in which a network operations engineer must manually obtain the MAC addresses and IP addresses of the hosts connected to the ports, the solution provided by the embodiment of the present invention is simple to operate and more efficient.

[0057] Step 504: the switch saves the user-specified ports on which port security is to be enabled, together with the MAC addresses and IP addresses of the hosts on those ports, to a correspondence table.

[0058] Step 505: the switch displays the entries of the correspondence table in turn for the user to confirm.

[0059] Specifically, from the hosts connected to the switch ports and the obtained MAC address and IP address of each host, the correspondence among switch port, host MAC address and host IP address is formed, and the correspondence table of switch ports, host MAC addresses and host IP addresses is displayed. As shown in Fig. 6, in the correspondence table port A may correspond to the MAC address and IP address of host A, where the MAC address of host A may be 0001.7A00.0011 and the IP address of host A may be 192.168.1.11; port B corresponds to the MAC address and IP address of host B, where the MAC address of host B may be 0001.7A00.0012 and the IP address of host B may be 192.168.1.12; and port C corresponds to the MAC address and IP address of host C, where the MAC address of host C may be 0001.7A00.0013 and the IP address of host C may be 192.168.1.13.

[0060] Step 506: the switch receives the user's marks confirming the entries of the correspondence table that belong to legitimate hosts.

[0061] Optionally, the correspondence table of switch ports, host MAC addresses and host IP addresses shown in Fig. 6 may contain records corresponding to illegitimate users, because an illegitimate user may already have connected to the network before port security was enabled on the switch. The user therefore needs to confirm the legitimacy of the users of the hosts connected to each port of the switch, so as to exclude the entries of illegitimate users' hosts. Optionally, an option indicating whether the record is legitimate is placed after each record in the correspondence table; the user confirms the legitimacy of each record one by one, and the records of the hosts that the user confirms as legitimate are recorded.

[0062] Step 507: the switch automatically binds the MAC address of the host and the IP address of the host to the port.

[0063] Optionally, according to the legitimate host MAC address, IP address and corresponding port in the entries marked by the user, the switch automatically binds the MAC address of the legitimate host and the IP address of the legitimate host to the corresponding port to which the legitimate host is connected.

[0064] Further optionally, to complete the automatic binding of port-security MAC addresses and IP addresses in this step, the switch may call the port security module interface function on the switch and, for each user-specified port on which port security is to be enabled and each host confirmed as legitimate, automatically bind the MAC address and IP address of the legitimate host to the corresponding port to which the legitimate host is connected.

[0065] The present invention provides a method for configuring port security in which, by reading the locally stored MAC address table, the switch obtains the MAC address of the host connected to the port on which port security is to be enabled; using the obtained MAC address of the host, the switch obtains the IP address of the host by reading the stored ARP table. The MAC address and IP address of the host connected to each port of the switch are thereby obtained, and finally the port-security binding of the MAC addresses and IP addresses of the legitimate hosts connected to all ports of the switch is completed automatically. In an Ethernet LAN environment, when a network operations engineer needs to configure a large number of port-security MAC address and IP address bindings on switches, the technical solution of the present invention greatly improves the engineer's work efficiency.
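
Steps 501 to 507 (which extend steps 101 to 104) sketched in Python as an added example; this is not code from the patent. The two-column text layout, the function names, ports D and E and the MAC 0001.7A00.0099 are constructed assumptions, while the other addresses are those given for Figs. 2, 4 and 6. It goes slightly beyond the text by flagging entries with no ARP record or with an IP address claimed by more than one MAC, so they stand out at the confirmation step.

```python
"""Added illustration (not from the patent): candidate port-security bindings."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables. Ports A-C use the addresses of Figs. 2, 4 and 6;
# ports D and E, MAC ...0099 and the two-column text layout are assumptions.
MAC_TABLE = """\
port mac
A    0001.7A00.0011
B    0001.7A00.0012
C    0001.7A00.0013
D    0001.7a00.0014
E    0001.7A00.0015
"""
ARP_TABLE = """\
ip            mac
192.168.1.11  0001.7A00.0011
192.168.1.12  00:01:7A:00:00:12
192.168.1.13  0001.7A00.0013
192.168.1.13  0001.7A00.0099
192.168.1.15  0001.7A00.0015
"""


def normalize_mac(text):
    """Return 12 lowercase hex digits; accepts dotted, colon or dash notation."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def parse_table(text):
    """Parse a two-column whitespace-separated table, skipping the header row."""
    rows = [line.split() for line in text.strip().splitlines()[1:] if line.strip()]
    return [(first, second) for first, second in rows]


@dataclass(frozen=True)
class Candidate:
    port: str
    mac: str             # normalized form
    ip: Optional[str]    # None when the ARP table has no entry for this MAC
    note: str            # "" or the reason the entry needs a closer look


def build_candidates(selected_ports, mac_table, arp_table):
    """Steps 501-504: port -> MAC from the MAC table, MAC -> IP from the ARP table."""
    ips_by_mac, macs_by_ip = {}, {}
    for ip, mac in parse_table(arp_table):
        key = normalize_mac(mac)
        ips_by_mac.setdefault(key, []).append(ip)
        macs_by_ip.setdefault(ip, set()).add(key)

    candidates = []
    for port, mac in parse_table(mac_table):
        if port not in selected_ports:      # only ports the user specified
            continue
        key = normalize_mac(mac)
        ips = ips_by_mac.get(key, [])
        if not ips:
            candidates.append(Candidate(port, key, None, "no ARP entry"))
            continue
        for ip in ips:
            conflict = len(macs_by_ip[ip]) > 1
            note = "IP claimed by several MACs" if conflict else ""
            candidates.append(Candidate(port, key, ip, note))
    return candidates


def confirmed_bindings(candidates, is_legitimate):
    """Steps 505-507: bind only entries the user confirmed and that have an IP."""
    return [(c.port, c.mac, c.ip)
            for c in candidates
            if c.ip is not None and is_legitimate(c)]


if __name__ == "__main__":
    table = build_candidates({"A", "B", "C", "D"}, MAC_TABLE, ARP_TABLE)
    for c in table:
        print(c.port, c.mac, c.ip or "-", c.note or "ok")
    # Stand-in for the user's per-entry confirmation: accept only clean entries.
    print(confirmed_bindings(table, lambda c: not c.note))
```
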

[0066] The present invention provides an apparatus for configuring port security. As shown in Fig. 7, the apparatus comprises: a first receiving module 701, a first acquisition module 702, a second acquisition module 703 and a binding module 704.

[0067] The first receiving module 701 is configured to receive the port, specified by the user, on which port security is to be enabled.

[0068] Optionally, the ports on which port security is to be enabled may be specified by the user according to the different functions of different types of ports; they may be some of the ports of the switch or all of the ports of the switch.

[0069] The first acquisition module 702 is configured to obtain the MAC address of the host connected to the port by reading the locally stored MAC address table.

[0070] The MAC address table stores the port identifiers of the ports connected to at least one host and the MAC address of the at least one host, and the port identifier of each port corresponds one-to-one to the MAC address of the host connected to that port.

[0071] Optionally, while hosts communicate through the switch, the switch forms the MAC address table from the automatically learned MAC addresses of these hosts. That is, the locally stored MAC address table contains the correspondence between ports and MAC addresses, and by reading the locally stored MAC address table the first acquisition module 702 can obtain the corresponding MAC address.

[0072] The second acquisition module 703 is configured to use the obtained MAC address of the host to obtain the IP address of the host by reading the stored ARP table.

[0073] The binding module 704 is configured to automatically bind the MAC address of the host and the IP address of the host to the port.

[0074] Optionally, in an actual network deployment, the switch and the gateway device may be different devices: the switch performs only Layer 2 forwarding, the gateway device performs Layer 3 forwarding, and each completes its own forwarding operations. Alternatively, the switch and the gateway device may be combined into a single device, that is, the switch itself performs both Layer 2 forwarding and the Layer 3 forwarding that would otherwise be performed by the gateway device.

[0075] Optionally, when the switch and the gateway device are different devices, while hosts communicate through the switch and the gateway device, the gateway device forms the ARP table from the correspondence between the MAC addresses and IP addresses of these hosts that it learns through the ARP protocol.

[0076] When the switch and the gateway device are the same device, that is, the gateway device is provided in the switch, the ARP table is stored in the switch, and the switch obtains the IP address of the host directly by reading the stored ARP table.

[0077] Optionally, the ARP table stores the IP address of the at least one host connected to each port and the MAC address of the at least one host, and the IP address of the at least one host corresponds one-to-one with the MAC address of the at least one host.

[0078] Further optionally, as shown in FIG. 8, the second acquiring module 703 includes a first acquiring unit 7031 or a second acquiring unit 7032.

[0079] The first acquiring unit 7031 is configured to, when the switch performs only Layer 2 forwarding, obtain the IP address of the host by reading the ARP table stored on the gateway device; or

[0080] The second acquiring unit 7032 is configured to, when the switch acts as the gateway device performing Layer 3 forwarding, obtain the IP address of the host by reading the locally stored ARP table.

[0081] Further optionally, as shown in FIG. 8, the apparatus for configuring port security further includes: a saving module 705, a display module 706, and a second receiving module 707.

[0082] After the second acquiring module 703 obtains, through the stored Address Resolution Protocol (ARP) table, the Internet Protocol (IP) address of the host corresponding to the MAC address, the saving module 705 is configured to save, into a correspondence table, the user-specified ports on which port security is to be enabled together with the MAC addresses and IP addresses of the hosts under those ports;

[0083] The display module 706 is configured to display the entries of the correspondence table in turn for the user to confirm;

[0084] The second receiving module 707 is configured to receive the marks by which the user confirms the correspondence table entries that belong to legitimate hosts.

[0085] Optionally, the binding module 704 is configured to:

[0086] According to the legitimate host MAC addresses, IP addresses and corresponding ports in the correspondence table entries marked by the user, the switch automatically binds the MAC address and the IP address of each legitimate host to the corresponding port to which that legitimate host is connected.

[0087] Optionally, the correspondence table may contain records that correspond to unauthorized users, because it cannot be ruled out that unauthorized users had already accessed the network before port security was enabled on the switch. The user therefore needs to confirm the legitimacy of the users of the hosts connected to each port of the switch and exclude unauthorized users; finally, the correspondence table of legitimate hosts marked by the user is received.

[0088] Optionally, when the binding module 704 performs the automatic binding of MAC addresses and IP addresses for port security, it may call the interface functions of the port security module on the switch. For each port specified by the user and for each host confirmed as legitimate, the binding module 704 automatically binds the MAC address and the IP address of the legitimate host to the port.

[0089] It should be noted that, for the apparatuses shown in FIG. 7 and FIG. 8, the specific implementation of each module and the information exchange between the modules are based on the same inventive concept as the method embodiments of the present invention. Reference may be made to the method embodiments, and the details are not repeated here.

[0090] The present invention provides an apparatus for configuring port security. The first receiving module receives the ports, specified by the user, on which port security is to be enabled; the first acquiring module obtains the MAC address of the host connected to the port by reading the locally stored MAC address table; the second acquiring module uses the obtained MAC address of the host to obtain the IP address of the host by reading the stored ARP table; and the binding module automatically binds the MAC address of the host and the IP address of the host to the port. The invention can thus automatically learn the MAC addresses and IP addresses of the hosts connected to all ports of the switch and bind them automatically, which simplifies operation and improves working efficiency.
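The module flow described above (MAC table lookup, ARP lookup, correspondence table, user confirmation, binding), as an added Python example that is not part of the patent. The table contents, port names and function names are constructed for illustration; normalising MAC notation between devices and reporting MACs with no ARP entry in a separate `unresolved` list are assumptions the patent does not specify.

```python
"""Added illustration: MAC table -> ARP table -> confirm -> bind.
All table contents below are constructed sample data."""
import re

def norm_mac(mac):
    """Canonicalise a MAC so entries written in different notations compare equal
    (assumption: switch and gateway may print MACs differently)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_correspondence(ports, mac_table, arp_table):
    """Modules 702/703/705: for each user-specified port, read host MACs from
    the MAC table, resolve each to an IP via the ARP table, and save the rows.
    Returns (rows, unresolved); unresolved MACs have no ARP entry."""
    arp = {norm_mac(mac): ip for ip, mac in arp_table}
    rows, unresolved = [], []
    for port in ports:
        for entry_port, mac in mac_table:
            if entry_port != port:
                continue
            mac = norm_mac(mac)
            if mac in arp:
                rows.append({"port": port, "mac": mac, "ip": arp[mac]})
            else:
                unresolved.append((port, mac))
    return rows, unresolved

def bind_confirmed(rows, confirmed):
    """Module 704: bind only the rows the user marked as legitimate (by index)."""
    bindings = {}
    for i, row in enumerate(rows):
        if i in confirmed:
            bindings.setdefault(row["port"], []).append((row["mac"], row["ip"]))
    return bindings

# Constructed sample tables (not from the patent): (port, MAC) and (IP, MAC).
MAC_TABLE = [("gi0/1", "0011.2233.4455"), ("gi0/1", "00-11-22-33-44-66"),
             ("gi0/2", "AA:BB:CC:00:00:01"), ("gi0/3", "aa:bb:cc:00:00:02")]
ARP_TABLE = [("192.0.2.10", "00:11:22:33:44:55"),
             ("192.0.2.11", "00:11:22:33:44:66"),
             ("192.0.2.20", "aa:bb:cc:00:00:01")]

def demo():
    rows, unresolved = build_correspondence(["gi0/1", "gi0/3"], MAC_TABLE, ARP_TABLE)
    for i, r in enumerate(rows):      # module 706: display entries for confirmation
        print(i, r["port"], r["mac"], r["ip"])
    # Module 707: the user confirms row 0 only; row 1 is left unbound.
    return bind_confirmed(rows, {0}), unresolved

if __name__ == "__main__":
    print(demo())
```

The host on `gi0/3` has a MAC table entry but no ARP entry, so it never reaches the confirmation list; an operator would want such ports reported rather than silently left without a binding.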

[0091] It should be noted that the apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

[0092] From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware, and of course may also be implemented by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memory and dedicated components; in many cases, however, the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive, removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention.

[0093] The embodiments in this specification are described in a progressive manner. For identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the apparatus and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.

[0094] The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Accordingly, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (6)

1. A method for configuring port security, characterized by comprising: a switch receiving the ports, specified by a user, on which port security is to be enabled; the switch obtaining the MAC address of the host connected to the port by reading a locally stored media access control (MAC) address table; when the switch acts as the gateway device performing Layer 3 forwarding, the switch using the obtained MAC address of the host to obtain the Internet Protocol (IP) address of the host by reading a stored Address Resolution Protocol (ARP) table; the switch saving, into a correspondence table, the user-specified ports on which port security is to be enabled together with the MAC addresses and IP addresses of the hosts under those ports; displaying the entries of the correspondence table in turn for the user to confirm; receiving the marks by which the user confirms the correspondence table entries that belong to legitimate hosts; and the switch automatically binding the MAC address of the host and the IP address of the host to the port.
2. The method according to claim 1, characterized in that there is at least one user-specified port on which port security is to be enabled.
3. The method according to claim 1, characterized in that the switch automatically binding the MAC address of the host and the IP address of the host to the port comprises: according to the legitimate host MAC addresses, IP addresses and corresponding ports in the correspondence table entries marked by the user, the switch automatically binding the MAC address and the IP address of each legitimate host to the corresponding port to which that legitimate host is connected.
4. An apparatus for configuring port security, characterized by comprising: a first receiving module, configured to receive the ports, specified by a user, on which port security is to be enabled; a first acquiring module, configured to obtain the MAC address of the host connected to the port by reading a locally stored media access control (MAC) address table; a second acquiring module, configured to, when the switch acts as the gateway device performing Layer 3 forwarding, use the obtained MAC address of the host to obtain the Internet Protocol (IP) address of the host by reading a stored Address Resolution Protocol (ARP) table; a saving module, configured to save, into a correspondence table, the user-specified ports on which port security is to be enabled together with the MAC addresses and IP addresses of the hosts under those ports; a display module, configured to display the entries of the correspondence table in turn for the user to confirm; a second receiving module, configured to receive the marks by which the user confirms the correspondence table entries that belong to legitimate hosts; and a binding module, configured to automatically bind the MAC address of the host and the IP address of the host to the port.
5. The apparatus according to claim 4, characterized in that there is at least one user-specified port on which port security is to be enabled.
6. The apparatus according to claim 4, characterized in that the binding module comprises: according to the legitimate host MAC addresses, IP addresses and corresponding ports in the correspondence table entries marked by the user, the switch automatically binding the MAC address and the IP address of each legitimate host to the corresponding port to which that legitimate host is connected.
CN201310318249.2A 2013-07-26 2013-07-26 A method and apparatus for secure a port CN103401706B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310318249.2A CN103401706B (en) 2013-07-26 2013-07-26 A method and apparatus for secure a port


Publications (2)

Publication Number Publication Date
CN103401706A CN103401706A (en) 2013-11-20
CN103401706B true CN103401706B (en) 2017-07-21

Family

ID=49565237


Country Status (1)

Country Link
CN (1) CN103401706B (en)


Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination