CN103560960A - Access control list dynamic updating method and Ethernet switch - Google Patents
Access control list dynamic updating method and Ethernet switch
- Publication number: CN103560960A (application number CN201310538472.8A)
- Authority: CN (China)
- Prior art keywords: dhcpv6, neighbor node, neighbor, access control, list item
- Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Pending
- Landscapes: Small-Scale Networks (AREA)
Abstract
The invention discloses an access control list dynamic updating method and an Ethernet switch. The method comprises the steps of: sending, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in a DHCPv6 binding table, and at the same time starting a second timer for that neighbor node; monitoring for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message; if no neighbor announcement message fed back by the neighbor node is received before the second timer expires, determining that the neighbor node is off-line; and, when the neighbor node is found to be off-line, deleting the access control rule corresponding to the off-line neighbor node from the access control list. By means of the access control list dynamic updating method and the Ethernet switch, the utilization of the access control list of the Ethernet switch is improved.
Description
Technical field
The present invention relates to the technical field of computer networks, and in particular to an access control list (ACL) dynamic updating method and an Ethernet switch.
Background art
Dynamic Host Configuration Protocol version 6 (DHCPv6) is a local area network (LAN) protocol that runs over the User Datagram Protocol (UDP). It serves two main purposes: automatically assigning IPv6 addresses to the hosts of an internal network or of an Internet service provider, and giving the internal network administrator a means of centrally managing all computers. As a stateful address assignment method, DHCPv6 offers significant improvements in security and manageability over stateless address autoconfiguration, and it will be widely used in networks with higher security requirements. Because host IPv6 addresses are assigned uniformly by the DHCPv6 server, duplicate addresses do not occur, which avoids the address conflicts caused by stateless address configuration and by manually configured interface IPv6 addresses. DHCPv6 snooping (DHCPv6 SNOOPING) is a proprietary protocol that monitors the DHCPv6 request process; it runs on a switch and generates a DHCPv6 binding entry for each user that successfully obtains an IP address.
IPv6 uses duplicate address detection: before the IPv6 address of an interface is first used, the node sends neighbor request messages on the link whose target address is the IPv6 address to be checked. If no corresponding neighbor announcement message is received after several retransmissions, the address can be used, its state changes from tentative to valid, and the node may use this IPv6 address as the source address of its packets.
An access control list (Access Control List, ACL) is a set of one or more ACL rules used to classify traffic. A rule is a judgement statement describing the matching conditions of a packet; the matching conditions may be the packet's source address, destination address, port number and so on. The network device identifies specific packets according to these rules and processes them according to a predefined policy.
To prevent users from accessing the network without authorization and to ease network maintenance and management, an access control policy can be enforced in combination with DHCPv6 snooping: hosts that obtain an IP address through DHCPv6 are allowed to access the network, while hosts with illegitimately configured IP addresses are not. Fig. 1 is a prior-art network architecture diagram for obtaining an IP address through DHCPv6. Referring to Fig. 1, hosts 103 and 104 on the Ethernet send DHCPv6 requests to DHCPv6 server 101 through Ethernet switch 102; DHCPv6 server 101 returns DHCPv6 replies according to the requests sent by hosts 103 and 104, assigning IP addresses to them. This access policy has to be implemented in combination with the ACL in the switch, and one access control rule permitting network access must be issued for each DHCPv6 user. Because the ACL capacity of an Ethernet switch is limited, when the number of entries that need to be stored in the ACL exceeds the upper limit of the device's ACL, the ACL entries corresponding to some binding entries cannot be issued, and the DHCPv6 users corresponding to those entries cannot access the network.
Summary of the invention
In view of this, the present invention proposes an ACL dynamic updating method and an Ethernet switch, in order to improve the utilization of the ACL of the Ethernet switch.
In a first aspect, an embodiment of the present invention provides an ACL dynamic updating method, the method comprising:
sending, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and at the same time starting a second timer for that neighbor node;
monitoring for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message;
if no neighbor announcement message fed back by the neighbor node is received before the second timer expires, determining that the neighbor node is off-line;
when the neighbor node is found to be off-line, deleting the access control rule corresponding to the off-line neighbor node from the ACL.
In a second aspect, an embodiment of the present invention provides an Ethernet switch, the Ethernet switch comprising:
a neighbor request message sending module, for sending, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and at the same time starting a second timer for that neighbor node;
a neighbor announcement message monitoring module, for monitoring for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message;
a neighbor node off-line determination module, for determining that the neighbor node is off-line if no neighbor announcement message fed back by the neighbor node is received before the second timer expires;
an access control rule deletion module, for deleting the access control rule corresponding to the off-line neighbor node from the ACL when the neighbor node is found to be off-line.
With the ACL dynamic updating method and Ethernet switch provided by the embodiments of the present invention, whether a neighbor node is off-line is detected, and when a neighbor node is found to be off-line, the entry corresponding to that node in the ACL is deleted, which improves the utilization of the ACL of the Ethernet switch.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is a prior-art network architecture diagram for obtaining an IP address through DHCPv6;
Fig. 2 is a flow chart of the ACL dynamic updating method provided by the first embodiment of the present invention;
Fig. 3 is a flow chart of the ACL dynamic updating method provided by the second embodiment of the present invention;
Fig. 4 is a flow chart of the creation of a DHCPv6 binding entry in the ACL dynamic updating method provided by the second embodiment of the present invention;
Fig. 5 is a structure chart of the Ethernet switch provided by the third embodiment of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it. It should also be noted that, for convenience of description, the drawings show only the parts related to the present invention rather than the complete content.
Fig. 2 shows the first embodiment of the present invention.
Fig. 2 is a flow chart of the ACL dynamic updating method provided by the first embodiment of the present invention. The method of this embodiment is performed by an Ethernet switch to which a plurality of user devices can be connected as neighbor nodes. Such a switch usually holds a DHCPv6 binding table and an ACL table at the hardware layer for hardware packet forwarding, and holds a corresponding DHCPv6 binding table at the software layer that records the entry for each neighbor node. Referring to Fig. 2, the ACL dynamic updating method comprises:
Step S210: according to the timing cycle of a first timer, send at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and at the same time start a second timer for that neighbor node.
The DHCPv6 binding table is built by the Ethernet switch by snooping users' DHCPv6 requests; it records the direct correspondence between each user and the IPv6 address the user obtained through DHCPv6. Each entry in the DHCPv6 binding table comprises the user's IPv6 address, MAC address, the VLAN the user belongs to, the corresponding network port, and the lifetime of the IPv6 address.
A neighbor request message is a message the Ethernet switch sends to a neighbor node on the Ethernet in order to probe that neighbor node. After receiving a neighbor request message sent by the Ethernet switch, another node on the Ethernet feeds back to the switch, according to the source address in the neighbor request message, a neighbor announcement message corresponding to the original neighbor request message. After receiving the neighbor announcement message fed back by that node, the Ethernet switch regards the node that fed it back as its own neighbor node on the Ethernet.
In this embodiment, the Ethernet switch sends at least one neighbor request message, according to the timing cycle of the first timer, to the neighbor node corresponding to an entry in the DHCPv6 binding table. The first timer defines the interval at which the Ethernet switch sends neighbor request messages. When it sends a neighbor request message to a neighbor node, the Ethernet switch also starts the second timer. In this embodiment, the second timer defines the time limit within which the Ethernet switch must receive the neighbor announcement message corresponding to the neighbor request message.
Step S220: monitor for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message.
After receiving a neighbor request message sent by the Ethernet switch, a neighbor node feeds back a corresponding neighbor announcement message when the destination address matches the node itself. Having sent the neighbor request message to the neighbor node, the Ethernet switch monitors for the neighbor announcement message sent by that node.
Specifically, the Ethernet switch reads the header of every packet it receives and reads the content of those packets whose type is neighbor announcement message.
Because the Ethernet switch may send more than one neighbor request message to a neighbor node, more than one neighbor announcement message fed back by the neighbor node may be observed. The advantage of sending several neighbor request messages is to ensure reliable reception by the neighbor node.
Step S230: if no neighbor announcement message fed back by the neighbor node is received before the second timer expires, determine that the neighbor node is off-line.
The second timer defines the time limit within which the Ethernet switch must receive the neighbor announcement message corresponding to the neighbor request message. If, before the time limit defined by the second timer is reached, the Ethernet switch has not received at least one neighbor announcement message fed back by the neighbor node, the Ethernet switch determines that the neighbor node is off-line.
In this embodiment there is no necessary relationship between the timing interval of the second timer and that of the first timer: the interval of the second timer may be less than, equal to, or greater than the interval of the first timer.
Step S240: when the neighbor node is found to be off-line, delete the access control rule corresponding to the off-line neighbor node from the ACL.
An access control rule is a judgement statement describing the matching conditions of a packet. Specifically, the matching conditions may be the packet's source address, destination address, port number and so on. The Ethernet switch identifies specific packets according to the access control rules and processes them according to a predefined policy. The ACL is a list of access control rules that the Ethernet switch creates and maintains according to the DHCPv6 binding table.
When the Ethernet switch finds that a neighbor node is off-line, it looks up the access control rule corresponding to the off-line neighbor node in the ACL and deletes the rule it finds, so that the ACL is not occupied by the access control rules of off-line neighbor nodes.
This embodiment periodically sends at least one neighbor request message to the neighbor node corresponding to each entry in the DHCPv6 binding table and, when no neighbor announcement message is received within the predetermined time, deletes the corresponding access control rule from the ACL, thereby improving the utilization of the ACL of the Ethernet switch. The embodiment uses timers to trigger the off-line check of neighbor nodes, so ACL entries can be cleared promptly and the entries occupied by off-line nodes are cleaned up in time. Moreover, it makes full use of the existing neighbor request and neighbor announcement message mechanism, without additional hardware cost or software development expense.
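The following is an added example, not code from the patent: a small simulation of steps S210 to S240 against a simulated clock. The first timer is the probe period, the second timer is the per-node reply deadline, and an entry whose deadline passes with no neighbor announcement loses its ACL rule. The binding entry itself is kept, since the description only calls for the ACL rule to be deleted; the rule text and the decision not to restart a probe that is still in flight are assumptions of this example.

```python
import dataclasses
from typing import Dict, List, Tuple


@dataclasses.dataclass
class BindingEntry:
    """One DHCPv6 binding table entry (the fields listed in step S210)."""
    ipv6: str
    mac: str
    vlan: int
    port: str
    lifetime: int  # valid lifetime of the address, in seconds


@dataclasses.dataclass
class Probe:
    """State of one running second timer for a neighbor node."""
    deadline: float             # simulated time at which the second timer expires
    announcements_seen: int = 0


class Switch:
    """Simulated switch running steps S210-S240 against a simulated clock."""

    def __init__(self, probe_period: float, reply_timeout: float, requests_per_probe: int = 2) -> None:
        self.probe_period = probe_period        # first timer: interval between probes
        self.reply_timeout = reply_timeout      # second timer: deadline for an announcement
        self.requests_per_probe = requests_per_probe
        self.binding_table: Dict[str, BindingEntry] = {}
        self.acl: Dict[str, str] = {}           # ipv6 -> access control rule (hypothetical syntax)
        self.pending: Dict[str, Probe] = {}     # ipv6 -> running second timer
        self.sent: List[Tuple[float, str]] = []  # (time, target) of every neighbor request sent
        self.offline: List[str] = []
        self.next_probe_at = 0.0

    def bind(self, entry: BindingEntry) -> None:
        """Record a binding and issue its permit rule (steps S310/S320 of the second embodiment)."""
        self.binding_table[entry.ipv6] = entry
        self.acl[entry.ipv6] = (f"permit ipv6 host {entry.ipv6} mac {entry.mac} "
                                f"vlan {entry.vlan} port {entry.port}")

    def tick(self, now: float) -> None:
        """Advance the clock: expire second timers first, then fire the first timer if due."""
        # Steps S230/S240: a second timer that expired with no announcement means off-line.
        for ipv6, probe in list(self.pending.items()):
            if now >= probe.deadline:
                del self.pending[ipv6]
                if probe.announcements_seen == 0:
                    self.offline.append(ipv6)
                    self.acl.pop(ipv6, None)  # free the ACL entry held by the off-line node
        # Step S210: first timer fired, probe every bound neighbor and start its second timer.
        if now >= self.next_probe_at:
            self.next_probe_at = now + self.probe_period
            for ipv6 in self.binding_table:
                if ipv6 in self.pending:
                    continue  # assumption: a probe still in flight is not restarted
                for _ in range(self.requests_per_probe):
                    self.sent.append((now, ipv6))
                self.pending[ipv6] = Probe(deadline=now + self.reply_timeout)

    def on_neighbor_announcement(self, now: float, src_ipv6: str) -> bool:
        """Step S220: an announcement counts only while the node's second timer is running."""
        probe = self.pending.get(src_ipv6)
        if probe is None or now >= probe.deadline:
            return False
        probe.announcements_seen += 1
        return True


def run_probe_scenario() -> Switch:
    """Constructed scenario: two bound hosts, only the first one answers the probe."""
    sw = Switch(probe_period=30.0, reply_timeout=5.0)
    sw.bind(BindingEntry("2001:db8::10", "00:11:22:33:44:55", 10, "port1", 3600))
    sw.bind(BindingEntry("2001:db8::20", "00:11:22:33:44:66", 10, "port2", 3600))
    sw.tick(0.0)                                       # first timer fires: 2 requests per host
    sw.on_neighbor_announcement(1.0, "2001:db8::10")   # host ::10 answers within the deadline
    sw.tick(5.0)                                       # both second timers expire
    return sw


if __name__ == "__main__":
    result = run_probe_scenario()
    print("off-line nodes:", result.offline)
    print("remaining ACL rules:", list(result.acl))
```

In the scenario, host 2001:db8::20 never answers, so its rule is removed at the second-timer expiry while host 2001:db8::10 keeps its rule; an announcement arriving after the deadline is ignored because no second timer is running for that node any more.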
Fig. 3 and Fig. 4 show the second embodiment of the present invention.
Fig. 3 is a flow chart of the ACL dynamic updating method provided by the second embodiment of the present invention. This method builds on the above embodiment; further, before sending at least one neighbor request message, according to the timing cycle of the first timer, to the neighbor node corresponding to an entry in the DHCPv6 binding table, the method also comprises:
Step S310: start the DHCPv6 snooping (DHCPv6 SNOOPING) process for neighbor nodes, and create an entry in the DHCPv6 binding table for each neighbor node that is detected.
The Ethernet switch performs DHCPv6 snooping on neighbor nodes and, when it detects a new neighbor node joining, creates an entry for it in the DHCPv6 binding table. The created entry comprises the neighbor node's IPv6 address, MAC address, the VLAN the node belongs to, the port the node is connected to, and the valid lifetime of the node's IPv6 address.
Step S320: issue the ACL according to the DHCPv6 binding entry.
After the Ethernet switch has created the DHCPv6 binding table entry for the neighbor node (IPv6 address, MAC address, VLAN, port and valid lifetime of the IPv6 address), it issues the ACL. The ACL comprises the user's IPv6 address, MAC address, access port and access VLAN.
Fig. 4 is a flow chart of the creation of a DHCPv6 binding entry in the ACL dynamic updating method provided by the second embodiment of the present invention. Referring to Fig. 4, preferably, starting the DHCPv6 snooping process for neighbor nodes and creating an entry in the DHCPv6 binding table for each detected neighbor node comprises:
Sub-step S311: enable the DHCPv6 snooping function of the switch, configure it to redirect received DHCPv6 packets to the CPU of the switch, and at the same time issue a default access control rule that forwards no packets.
These operations direct the packets to the CPU so that binding entries can be established, and use the ACL rule to prohibit packet forwarding, which improves security in the network.
Sub-step S312: snoop and obtain the DHCPv6 request sent by a neighbor node.
Sub-step S313: query whether the source media access control (MAC) address in the DHCPv6 request exists in the DHCPv6 binding table.
Sub-step S314: if the source MAC address does not exist in the DHCPv6 binding table, create an interim request (REQUEST) binding entry in the DHCPv6 binding table for the neighbor node that sent the DHCPv6 request, recording the source MAC address, the transaction identifier (Transaction-ID) of the request, the port and the virtual local area network (VLAN) information, and forward the DHCPv6 request normally.
Sub-step S315: snoop and obtain the DHCPv6 reply packet returned by the DHCPv6 server to the neighbor node.
Sub-step S316: parse the DHCPv6 reply packet to obtain the Transaction-ID of the request, the IPv6 address, the valid lifetime and the VLAN.
Sub-step S317: query the DHCPv6 binding table for the interim request binding entry according to the Transaction-ID.
Sub-step S318: if it exists, create a binding entry for the neighbor node in the DHCPv6 binding table, recording the DHCPv6 node's IPv6 address, MAC address, VLAN, port number and valid lifetime.
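As an added example, not the patent's code, the sub-steps S311 to S318 and the ACL issue of step S320 are simulated below with constructed DHCPv6 request and reply records. The interim entry is keyed by source MAC and completed by matching the reply's Transaction-ID (a 24-bit value in DHCPv6); a reply with no matching interim entry is ignored. The ACL rule syntax, the result strings and the handling of a request whose MAC is already bound (the description does not say what happens then) are assumptions of this example.

```python
import dataclasses
from typing import Dict, List, Optional


@dataclasses.dataclass
class Dhcpv6Request:
    """Client-to-server DHCPv6 message as seen by the switch (constructed fields)."""
    src_mac: str
    transaction_id: int  # DHCPv6 transaction-id is a 24-bit value
    port: str
    vlan: int


@dataclasses.dataclass
class Dhcpv6Reply:
    """Server-to-client DHCPv6 reply carrying the assigned address."""
    transaction_id: int
    ipv6: str
    valid_lifetime: int
    vlan: int


@dataclasses.dataclass
class InterimBinding:
    """Sub-step S314: interim REQUEST entry, keyed by source MAC."""
    src_mac: str
    transaction_id: int
    port: str
    vlan: int


@dataclasses.dataclass
class Binding:
    """Sub-step S318: completed binding entry."""
    ipv6: str
    mac: str
    vlan: int
    port: str
    valid_lifetime: int


class Dhcpv6Snooper:
    def __init__(self) -> None:
        # Sub-step S311: DHCPv6 packets go to the CPU; the ACL starts with a default rule
        # that forwards nothing (hypothetical rule syntax).
        self.redirect_dhcpv6_to_cpu = True
        self.acl: List[str] = ["deny ipv6 any any"]
        self.interim: Dict[str, InterimBinding] = {}  # src_mac -> interim entry
        self.bindings: Dict[str, Binding] = {}        # ipv6 -> completed binding

    def on_request(self, req: Dhcpv6Request) -> str:
        """Sub-steps S312-S314: returns how the switch disposed of the request."""
        known = req.src_mac in self.interim or any(b.mac == req.src_mac for b in self.bindings.values())
        if known:
            return "already-bound"  # S313: MAC already present; assumption: nothing new is created
        self.interim[req.src_mac] = InterimBinding(
            req.src_mac, req.transaction_id & 0xFFFFFF, req.port, req.vlan)
        return "forwarded"          # S314: the request is forwarded normally

    def on_reply(self, rep: Dhcpv6Reply) -> Optional[Binding]:
        """Sub-steps S315-S318 plus S320: match the reply to its interim entry by Transaction-ID."""
        for mac, tmp in list(self.interim.items()):      # S317: look up the interim entry
            if tmp.transaction_id == rep.transaction_id:
                binding = Binding(rep.ipv6, mac, rep.vlan, tmp.port, rep.valid_lifetime)
                self.bindings[rep.ipv6] = binding         # S318: completed binding
                del self.interim[mac]
                self.issue_acl(binding)                   # S320
                return binding
        return None  # no interim entry: the switch never saw a matching request, so it is ignored

    def issue_acl(self, b: Binding) -> None:
        """Step S320: the permit rule carries the user's IPv6, MAC, access port and access VLAN."""
        self.acl.insert(0, f"permit ipv6 host {b.ipv6} mac {b.mac} vlan {b.vlan} port {b.port}")


def run_snooping_scenario() -> Dhcpv6Snooper:
    """Constructed exchange: one request, its reply, and one unmatched reply."""
    sn = Dhcpv6Snooper()
    sn.on_request(Dhcpv6Request("00:11:22:33:44:55", 0x0A1B2C, "port1", 10))
    sn.on_reply(Dhcpv6Reply(0x0A1B2C, "2001:db8::10", 3600, 10))  # completes the binding
    sn.on_reply(Dhcpv6Reply(0x777777, "2001:db8::66", 3600, 10))  # no interim entry: ignored
    return sn


if __name__ == "__main__":
    result = run_snooping_scenario()
    print("bindings:", list(result.bindings))
    print("ACL:", result.acl)
```

The permit rule is inserted ahead of the default rule, so only a host whose binding was completed through a request and reply the switch both observed gets forwarded; the unmatched reply for 2001:db8::66 produces neither a binding nor a rule.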
Preferably, sending at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table comprises: creating at least one neighbor request message for the neighbor node corresponding to the entry in the DHCPv6 binding table, wherein each neighbor request message is configured with Internet Control Message Protocol version 6 (ICMPv6) type 135, the source address of the IPv6 header is the unspecified address, the destination address of the IPv6 header is the solicited-node multicast address, and the solicited node is the neighbor node corresponding to the DHCPv6 binding entry.
In this embodiment, an entry is created in the DHCPv6 binding table when a neighbor node is discovered, and the ACL is issued after the entry in the DHCPv6 binding table has been created, so that the ACL is created dynamically.
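Added example, not from the patent: building the neighbor request message exactly as the paragraph above configures it (ICMPv6 type 135, which is a Neighbor Solicitation; source address the unspecified address ::; destination the solicited-node multicast address derived from the target), with the ICMPv6 checksum computed over the IPv6 pseudo-header, and a parser that checks what a receiver would check before answering. The target address used in the usage is a constructed sample; with an unspecified source no source link-layer address option is attached, as RFC 4861 requires.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_NEIGHBOR_SOLICITATION = 135  # the "ICMPv6 type 135" named in the description
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(target: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """RFC 4291: ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(target) & 0xFFFFFF))


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, upper_len: int) -> bytes:
    """IPv6 pseudo-header covered by the ICMPv6 checksum (RFC 8200 section 8.1)."""
    return (src.packed + dst.packed + struct.pack("!I", upper_len)
            + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))


def build_neighbor_request(target_ipv6: str):
    """Neighbor request as configured above: type 135, source ::, destination solicited-node."""
    target = ipaddress.IPv6Address(target_ipv6)
    src, dst = UNSPECIFIED, solicited_node_multicast(target)
    # type, code, checksum placeholder, 4 reserved bytes, then the 16-byte target address;
    # no options follow because the source address is unspecified (RFC 4861 section 4.3).
    body = struct.pack("!BBHI", ICMPV6_NEIGHBOR_SOLICITATION, 0, 0, 0) + target.packed
    csum = ones_complement_checksum(pseudo_header(src, dst, len(body)) + body)
    return src, dst, body[:2] + struct.pack("!H", csum) + body[4:]


def parse_neighbor_request(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, body: bytes) -> dict:
    """Decode the fields a receiver checks; a correct checksum verifies to zero over the same data."""
    msg_type, code, _csum, _reserved = struct.unpack("!BBHI", body[:8])
    target = ipaddress.IPv6Address(body[8:24])
    checksum_ok = ones_complement_checksum(pseudo_header(src, dst, len(body)) + body) == 0
    return {
        "type": msg_type,
        "code": code,
        "target": target,
        "checksum_ok": checksum_ok,
        "dst_is_solicited_node": dst == solicited_node_multicast(target),
    }


if __name__ == "__main__":
    # Constructed sample target address for the bound neighbor node.
    s, d, pkt = build_neighbor_request("fe80::2aa:ff:fe28:9c5a")
    print("src", s, "dst", d, "len", len(pkt))
    print(parse_neighbor_request(s, d, pkt))
```

Because the source is :: the reply from a live node goes to the all-nodes multicast group rather than to the switch's own address, which is why the switch in step S220 inspects the headers of all received packets for neighbor announcement messages instead of waiting on a unicast reply.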
Fig. 5 shows the third embodiment of the present invention.
Fig. 5 is a structure chart of the Ethernet switch provided by the third embodiment of the present invention. Referring to Fig. 5, the Ethernet switch comprises: a neighbor request message sending module 530, a neighbor announcement message monitoring module 540, a neighbor node off-line determination module 550 and an access control rule deletion module 560.
The neighbor request message sending module 530 is used to send, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and at the same time to start a second timer for that neighbor node.
The neighbor announcement message monitoring module 540 is used to monitor for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message.
The neighbor node off-line determination module 550 is used to determine that the neighbor node is off-line if no neighbor announcement message fed back by the neighbor node is received before the second timer expires.
The access control rule deletion module 560 is used to delete the access control rule corresponding to the off-line neighbor node from the ACL when the neighbor node is found to be off-line.
Preferably, the Ethernet switch also comprises a DHCPv6 binding entry creation module 510 and an ACL issuing module 520.
The DHCPv6 binding entry creation module 510 is used to start the DHCPv6 snooping (DHCPv6 SNOOPING) process for neighbor nodes before at least one neighbor request message is sent to the neighbor node corresponding to an entry in the DHCPv6 binding table, and to create an entry in the DHCPv6 binding table for each detected neighbor node.
The ACL issuing module 520 is used to issue the ACL according to the DHCPv6 binding entry.
Further preferably, the DHCPv6 binding entry creation module 510 comprises: a switch presetting sub-module 511, a DHCPv6 request snooping sub-module 512, a source MAC address query sub-module 513, an interim request binding entry creation sub-module 514, a DHCPv6 reply packet snooping sub-module 515, a DHCPv6 reply parameter acquisition sub-module 516, an interim request binding entry query sub-module 517 and a binding entry creation sub-module 518.
The switch presetting sub-module 511 is used to enable the DHCPv6 snooping function of the switch, to configure the redirection of received DHCPv6 packets to the CPU of the switch, and at the same time to issue a default access control rule that forwards no packets.
The DHCPv6 request snooping sub-module 512 is used to snoop and obtain the DHCPv6 request sent by a neighbor node.
The source MAC address query sub-module 513 is used to query, according to the source media access control address in the DHCPv6 request, whether that address exists in the DHCPv6 binding table.
The interim request binding entry creation sub-module 514 is used, when the source media access control address does not exist in the DHCPv6 binding table, to create an interim request binding entry in the DHCPv6 binding table for the neighbor node that sent the DHCPv6 request, recording the source media access control address, the transaction identifier of the request, the port and the virtual local area network information, and to forward the DHCPv6 request normally.
The DHCPv6 reply packet snooping sub-module 515 is used to snoop and obtain the DHCPv6 reply packet returned by the DHCPv6 server to the neighbor node.
The DHCPv6 reply parameter acquisition sub-module 516 is used to parse the DHCPv6 reply packet to obtain the transaction identifier of the request, the IPv6 address, the VLAN and the valid lifetime.
The interim request binding entry query sub-module 517 is used to query the DHCPv6 binding table for the interim request binding entry according to the transaction identifier.
The binding entry creation sub-module 518 is used, when the interim request binding entry exists in the DHCPv6 binding table, to create a binding entry for the neighbor node in the DHCPv6 binding table, recording the DHCPv6 node's IPv6 address, media access control address, VLAN, port number and valid lifetime.
Further preferably, the ACL issuing module 520 is specifically used to create at least one neighbor request message for the neighbor node corresponding to an entry in the DHCPv6 binding table, wherein each neighbor request message is configured with Internet Control Message Protocol version 6 type 135, the source address of the IPv6 header is the unspecified address, the destination address of the IPv6 header is the solicited-node multicast address, and the solicited node is the neighbor node corresponding to the DHCPv6 binding entry.
This embodiment periodically sends at least one neighbor request message to the neighbor node corresponding to each entry in the DHCPv6 binding table and, when no neighbor announcement message is received within the predetermined time, deletes the corresponding access control rule from the ACL, thereby improving the utilization of the ACL of the Ethernet switch.
The sequence numbers of the above embodiments of the invention are for description only and do not indicate the relative merit of the embodiments.
Those of ordinary skill in the art will understand that each module or step of the present invention described above can be implemented with a general-purpose computing device; they may be concentrated in a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they may each be made into an individual integrated circuit module, or a plurality of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
Finally, it should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations.
The foregoing is merely the preferred embodiments of the present invention and does not limit the present invention; for those skilled in the art, the present invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.
Claims (8)
1. An access control list (ACL) dynamic updating method, characterized in that it comprises:
sending, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and at the same time starting a second timer for that neighbor node;
monitoring for at least one neighbor announcement message fed back by the neighbor node in response to the at least one neighbor request message;
if no neighbor announcement message fed back by the neighbor node is received before the second timer expires, determining that the neighbor node is off-line;
when the neighbor node is found to be off-line, deleting the access control rule corresponding to the off-line neighbor node from the ACL.
2. The method according to claim 1, characterized in that, before sending at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, the method also comprises:
starting the DHCPv6 snooping process for neighbor nodes, and creating an entry in the DHCPv6 binding table for each detected neighbor node;
issuing the ACL according to the DHCPv6 binding entry.
3. The method according to claim 2, characterized in that starting the DHCPv6 snooping process for neighbor nodes and creating an entry in the DHCPv6 binding table for each detected neighbor node comprises:
enabling the DHCPv6 snooping function of the switch, configuring the redirection of received DHCPv6 packets to the CPU of the switch, and at the same time issuing a default access control rule that forwards no packets;
snooping and obtaining the DHCPv6 request sent by a neighbor node;
querying, according to the source media access control address in the DHCPv6 request, whether that address exists in the DHCPv6 binding table;
if the source MAC address does not exist in the DHCPv6 binding table, creating an interim request binding entry in the DHCPv6 binding table for the neighbor node that sent the DHCPv6 request, recording the source media access control address, the transaction identifier of the request, the port and the virtual local area network information, and forwarding the DHCPv6 request normally;
snooping and obtaining the DHCPv6 reply packet returned by the DHCPv6 server to the neighbor node;
parsing the DHCPv6 reply packet to obtain the transaction identifier of the request, the IPv6 address, the valid lifetime and the virtual local area network information;
querying the DHCPv6 binding table for the interim request binding entry according to the transaction identifier;
if it exists, creating a binding entry for the neighbor node in the DHCPv6 binding table, recording the DHCPv6 node's IPv6 address, media access control address, virtual local area network information, port number and valid lifetime.
4. The method according to claim 1, characterized in that sending at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table comprises:
creating at least one neighbor request message for the neighbor node corresponding to the entry in the DHCPv6 binding table, wherein each neighbor request message is configured with Internet Control Message Protocol version 6 (ICMPv6) type 135, the source address of the IPv6 header is the unspecified address, the destination address of the IPv6 header is the solicited-node multicast address, and the solicited node is the neighbor node corresponding to the DHCPv6 binding entry.
5. An Ethernet switch, characterized in that it comprises:
A neighbor request message sending module, configured to send, according to the timing cycle of a first timer, at least one neighbor request message to the neighbor node corresponding to an entry in the DHCPv6 binding table, and to start a second timer for the neighbor node at the same time;
A neighbor announcement message monitoring module, configured to listen for at least one neighbor announcement message, corresponding to the at least one neighbor request message, fed back by the neighbor node;
A neighbor node offline determination module, configured to determine that the neighbor node is offline if no neighbor announcement message fed back by the neighbor node is received before the second timer expires;
An access control rule deletion module, configured to delete the access control rule corresponding to the offline neighbor node from the access control list (ACL) when the neighbor node is determined to be offline.
6. The Ethernet switch according to claim 5, characterized in that it further comprises:
A DHCPv6 binding entry creation module, configured to start the DHCPv6 snooping procedure for neighbor nodes before at least one neighbor request message is sent to the neighbor node corresponding to an entry in the DHCPv6 binding table, and to create an entry in the DHCPv6 binding table for each neighbor node that is snooped;
An access control list issuing module, configured to issue the access control list according to the DHCPv6 binding entries.
7. The Ethernet switch according to claim 6, characterized in that the DHCPv6 binding entry creation module comprises:
A switch preset submodule, configured to enable the DHCPv6 snooping function of the switch, to configure redirection of received DHCPv6 packets to the switch CPU, and at the same time to issue a default access control rule that forwards no packets;
A DHCPv6 request monitoring submodule, configured to listen for and obtain DHCPv6 requests sent by neighbor nodes;
A source MAC address query submodule, configured to query, according to the source MAC address of the DHCPv6 request, whether that address exists in the DHCPv6 binding table;
A temporary request binding entry creation submodule, configured, when the source MAC address does not exist in the DHCPv6 binding table, to create a temporary request binding entry in the DHCPv6 binding table for the neighbor node that sent the DHCPv6 request, recording the source MAC address, the transaction ID of the request, the port and the VLAN information, and to forward the DHCPv6 request normally;
A DHCPv6 reply packet monitoring submodule, configured to listen for and obtain the DHCPv6 reply packet that the DHCPv6 server returns to the neighbor node;
A DHCPv6 reply parameter acquisition submodule, configured to parse the DHCPv6 reply packet to obtain the transaction ID of the request, the IPv6 address, the VLAN information and the valid lifetime;
A temporary request binding entry query submodule, configured to query the DHCPv6 binding table for the temporary request binding entry according to the transaction ID;
A binding entry creation submodule, configured, when the temporary request binding entry exists in the DHCPv6 binding table, to create a binding entry for the neighbor node in the DHCPv6 binding table, recording the IPv6 address, MAC address, VLAN information, port number and valid lifetime of the DHCPv6 node.
8. The Ethernet switch according to claim 5, characterized in that the neighbor request message sending module is specifically configured to:
Create at least one neighbor request message for the neighbor node corresponding to the entry in the DHCPv6 binding table, wherein each neighbor request message is configured with Internet Control Message Protocol version 6 (ICMPv6) type 135 (Neighbor Solicitation), the source address of the IPv6 header is the unspecified address, the destination address of the IPv6 header is the solicited-node multicast address, and the solicited node is the neighbor node corresponding to the DHCPv6 binding entry.
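The following is an added example, not code from the patent or its applicant: a simulated model of claims 3 through 8, covering the snooped DHCPv6 exchange that turns a temporary entry (keyed by transaction ID) into a binding plus an ACL rule, the per-cycle Neighbor Solicitation with unspecified source and solicited-node multicast destination, and the second-timer expiry that deletes the rule. The class, method names, the integer clock and all addresses are constructed for the example.

```python
import ipaddress

NS, NA = 135, 136  # ICMPv6 Neighbor Solicitation / Neighbor Advertisement types

def solicited_node_mcast(target):
    # ff02::1:ffXX:XXXX with the low 24 bits of the target address (RFC 4291)
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def build_ns(target):
    # Neighbor Solicitation per claim 4: type 135, unspecified source, solicited-node destination
    return {"type": NS, "src": "::", "dst": solicited_node_mcast(target), "target": target}

class Switch:  # constructed model of the claimed switch, not a real implementation
    def __init__(self, reply_timeout):
        self.reply_timeout = reply_timeout  # length of the "second timer"
        self.pending = {}   # DHCPv6 transaction id -> temporary request binding (claim 3)
        self.bindings = {}  # IPv6 address -> binding entry
        self.acl = {}       # IPv6 address -> permit rule; the default rule drops everything

    def on_dhcpv6_request(self, xid, mac, port, vlan):
        # unknown source MAC: remember the request under its transaction id (then forward it)
        if all(e["mac"] != mac for e in self.bindings.values()):
            self.pending[xid] = {"mac": mac, "port": port, "vlan": vlan}

    def on_dhcpv6_reply(self, xid, ipv6, lifetime):
        # the server reply resolves the temporary entry into a binding plus an ACL rule
        tmp = self.pending.pop(xid, None)
        if tmp is not None:
            self.bindings[ipv6] = dict(tmp, lifetime=lifetime, deadline=None)
            self.acl[ipv6] = f"permit ipv6 host {ipv6} vlan {tmp['vlan']} port {tmp['port']}"

    def on_first_timer(self, now):
        # each cycle: solicit every bound neighbour and arm its second timer
        for entry in self.bindings.values():
            entry["deadline"] = now + self.reply_timeout
        return [build_ns(ipv6) for ipv6 in self.bindings]

    def on_packet(self, pkt):
        # a Neighbor Advertisement from a bound target cancels its second timer
        if pkt["type"] == NA and pkt["target"] in self.bindings:
            self.bindings[pkt["target"]]["deadline"] = None

    def on_second_timer(self, now):
        # a deadline that passed with no NA marks the neighbour offline: drop its ACL rule
        offline = [ip for ip, e in self.bindings.items()
                   if e["deadline"] is not None and now >= e["deadline"]]
        for ip in offline:
            del self.bindings[ip]
            self.acl.pop(ip, None)
        return offline
```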
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310538472.8A CN103560960A (en) | 2013-11-04 | 2013-11-04 | Access control list dynamic updating method and Ethernet switch |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103560960A true CN103560960A (en) | 2014-02-05 |
Family ID: 50015112
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103560960A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115022180A (en) * | 2022-05-18 | 2022-09-06 | 浪潮思科网络科技有限公司 | Topology management method, device, equipment and medium based on RoCE-SAN |
CN115022180B (en) * | 2022-05-18 | 2024-05-28 | 浪潮思科网络科技有限公司 | Topology management method, device, equipment and medium based on RoCE-SAN |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1484405A (en) * | 2003-08-11 | 2004-03-24 | 北京港湾网络有限公司 | Method for speeding ARP table entry aging for switch board |
CN101729314A (en) * | 2009-11-26 | 2010-06-09 | 福建星网锐捷网络有限公司 | Method and device for recovering dynamic table entries and dynamic host configuration protocol snooping equipment |
CN102546663A (en) * | 2012-02-23 | 2012-07-04 | 神州数码网络(北京)有限公司 | Method and device for preventing duplication address detection attack |
CN102571816A (en) * | 2012-02-15 | 2012-07-11 | 神州数码网络(北京)有限公司 | Method and system for preventing attack caused by neighbor learning |
CN102594882A (en) * | 2012-02-08 | 2012-07-18 | 神州数码网络(北京)有限公司 | Neighbor discovery proxy method and system based on Dynamic Host Configuration Protocol for Internet Protocol Version 6 (DHCPv6) monitoring |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | | |
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 20140205