CN103595711A - Adjusting safety access method and exchanger - Google Patents


Publication number
CN103595711A
Authority
CN
China
Prior art keywords
dhcp
list item
acl
message
address
Prior art date
Legal status
Pending
Application number
CN201310546098.6A
Other languages
Chinese (zh)
Inventor
梁小冰
向阳朝
陈翔
Current Assignee
DIGITAL CHINA (SHANGHAI) HOLDINGS Ltd
DIGITAL CHINA NETWORKS (BEIJING) Ltd
Original Assignee
DIGITAL CHINA (SHANGHAI) HOLDINGS Ltd
DIGITAL CHINA NETWORKS (BEIJING) Ltd
Priority date
Filing date
Publication date
Application filed by DIGITAL CHINA (SHANGHAI) HOLDINGS Ltd, DIGITAL CHINA NETWORKS (BEIJING) Ltd
Priority to CN201310546098.6A
Publication of CN103595711A
Legal status: Pending

Abstract

The invention discloses a method and a switch for adjusting secure access. The method comprises: according to the DHCP entry of a user device in a Dynamic Host Configuration Protocol (DHCP) binding table, issuing an ACL entry based on that DHCP entry and judging whether the ACL table is full; when the ACL table is full, broadcasting an ARP request; monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware ACL the ACL entry corresponding to the ACL rule of that DHCP entry. With this method and switch, the access requirements of more DHCP user devices can be satisfied and the utilization of the switch's ACL is improved.

Description

Method and switch for adjusting secure access
Technical field
The present invention relates to the technical field of computer network data communication, and in particular to a method and a switch for adjusting secure access.
Background technology
DHCP (Dynamic Host Configuration Protocol) is a protocol that automatically assigns IP (Internet Protocol, the protocol by which networks interconnect) addresses and other options (such as the gateway and domain name system servers) to users. It is widely used in local area networks (LANs); it simplifies network deployment and also eases network maintenance. DHCP snooping is a switch-side mechanism (a vendor feature rather than a standard protocol) that monitors the DHCP request process; it runs on the switch and generates one DHCP binding entry for each user that successfully obtains an IP address.
A gratuitous ARP packet is a special ARP message in which the sender IP address and the target IP address carried in the message are both the local IP address, the source MAC address is the local MAC address, and the destination MAC address is the broadcast address. A device sends a gratuitous ARP packet to determine whether another device's IP address conflicts with its own. When another device receives the gratuitous ARP packet and finds that the IP address in the message is identical to its own, it returns an ARP reply to the sender, informing that device of the IP address conflict.
An ACL (Access Control List) is a set of one or more rules used to identify packet flows. A rule is a judgement statement that describes a packet matching condition; the matching condition may be the packet's source address, destination address, port number and so on. The network device identifies specific packets according to these rules and processes them according to a predefined policy.
To prevent users from accessing the network without authorization and to ease network maintenance and management, an access control policy can be enforced in combination with DHCP snooping: hosts that obtain an IP address via DHCP are allowed to access the network, while hosts with illegally (statically) configured IP addresses are not. This access policy must be implemented with the switch's hardware ACL, and one ACL rule permitting network access must be issued for each DHCP user. Because the ACL table capacity of a switching device is limited, when the number of DHCP binding entries exceeds the number of ACL entries the device supports, the ACL entries corresponding to some DHCP binding entries cannot be issued, and those DHCP users cannot access the network.
In the prior art, therefore, the limited ACL capacity of the switching device means that when the number of DHCP binding entries exceeds the ACL capacity, some DHCP user devices cannot access the network, and the utilization of the access control list is low.
Summary of the invention
In view of this, embodiments of the present invention provide a method and a switch for adjusting secure access, so as to solve the technical problem of the utilization of the switch's access control list mentioned in the background section above.
In one aspect, an embodiment of the present invention provides a method for adjusting secure access, comprising:
according to the DHCP entry of a user device in the Dynamic Host Configuration Protocol (DHCP) binding table, issuing an ACL entry based on the DHCP entry, and judging whether the ACL table is full;
when the ACL table is full, broadcasting an Address Resolution Protocol (ARP) request, wherein the sender IP address and the target IP address of the ARP request are both the IP address of the user device in the DHCP entry, the sender Media Access Control (MAC) address of the ARP request is the MAC address of the user device in the DHCP entry, and the destination MAC address of the ARP request is the broadcast address;
monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
Preferably, before issuing the ACL entry based on the DHCP entry of the user device in the DHCP binding table and judging whether the ACL table is full, the method further comprises:
receiving the DHCP request message of the user device and the reply message of the DHCP server, wherein the DHCP request message provides the MAC address, ingress port number and virtual LAN (VLAN) number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process;
creating a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server;
generating the ACL entry according to the DHCP entry.
Preferably, before receiving the DHCP request message of the user device and the reply message of the DHCP server, the method further comprises:
enabling the DHCP snooping function of the switch;
issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message.
Preferably, creating the DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server comprises:
saving the MAC address, ingress port and VLAN number carried in the DHCP request message into the user device's entry in the DHCP binding table;
after receiving the reply message of the DHCP server, extracting the IP address and lease from the reply message and adding them to the user device's entry in the DHCP binding table.
Preferably, the ACL entry comprises the IP address, MAC address, ingress port and VLAN number of the user device.
Correspondingly, an embodiment of the present invention provides a switch, comprising:
an entry judging module, for issuing an ACL entry according to the DHCP entry of a user device in the Dynamic Host Configuration Protocol (DHCP) binding table and judging whether the ACL table is full;
a message requesting module, for broadcasting an Address Resolution Protocol (ARP) request when the ACL table is full, wherein the sender IP address and the target IP address of the ARP request are both the IP address of the user device in the DHCP entry, the sender Media Access Control (MAC) address of the ARP request is the MAC address of the user device in the DHCP entry, and the destination MAC address of the ARP request is the broadcast address;
a reply monitoring module, for monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
Preferably, the switch further comprises:
a message receiving module, for receiving, before the ACL entry is issued based on the DHCP entry of the user device in the DHCP binding table and whether the ACL table is full is judged, the DHCP request message of the user device and the reply message of the DHCP server, wherein the DHCP request message provides the MAC address, ingress port number and virtual LAN (VLAN) number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process;
an entry creating module, for creating a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server;
an entry generating module, for generating the ACL entry according to the DHCP entry.
Preferably, the switch further comprises:
a configuration module, for enabling the DHCP snooping function of the switch before the DHCP request message of the user device and the reply message of the DHCP server are received, issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message.
Preferably, the entry creating module is specifically for:
saving the MAC address, ingress port and VLAN number carried in the DHCP request message into the user device's entry in the DHCP binding table;
after receiving the reply message of the DHCP server, extracting the IP address and lease from the reply message and adding them to the user device's entry in the DHCP binding table.
Preferably, the ACL entry in the reply monitoring module comprises the IP address, MAC address, ingress port and VLAN number of the user device.
The method and switch for adjusting secure access provided by embodiments of the present invention have the following feature: they can satisfy the access requirements of more DHCP user devices and improve the utilization of the switch's access control list.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram of a network application to which embodiments of the present invention are applicable;
Fig. 2 is a flow chart of the method for adjusting secure access provided by the first embodiment of the present invention;
Fig. 3 is a flow chart of the method for adjusting secure access provided by the second embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the switch provided by the third embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The network environment to which the embodiments of the present invention apply is shown in Fig. 1. The network contains a switch, which is connected to a DHCP server and to a plurality of user devices.
Embodiment one
Fig. 2 is a flow chart of the method for adjusting secure access provided by the first embodiment of the present invention. The method may be executed, in the network environment shown in Fig. 1, by the switch provided by the embodiments of the present invention. As shown in Fig. 2, the method for adjusting secure access provided by embodiment one comprises:
Step S201: according to the DHCP entry of the user device in the Dynamic Host Configuration Protocol (DHCP) binding table, issue an ACL entry based on the DHCP entry, and judge whether the ACL table is full.
Step S202: when the ACL table is full, broadcast an Address Resolution Protocol (ARP) request.
In step S202 the ARP request may be a gratuitous ARP request: its sender IP address and target IP address are both the IP address of the user device in the DHCP entry, its sender MAC address is the MAC address of that user device, and its destination MAC address is the broadcast address. Every user device connected to the switch therefore receives the message and responds as the protocol prescribes. Because the ARP request is sent using the addresses of each entry, a user device that is online necessarily receives an ARP request carrying its own address and must, according to the protocol, send an ARP reply.
Step S203: monitor whether an ARP reply is received; if no ARP reply is received, delete from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
It should be noted that the switch monitors whether an ARP reply is received; if no ARP reply is received before the duration set by the second timer expires, the user device of the DHCP entry is determined to be offline.
In step S203, an ACL rule is a judgement statement in the access control list that identifies the matching condition of a packet flow, and the ACL entry may comprise the IP address, MAC address, ingress port and VLAN number of the user device.
The method for adjusting secure access provided by embodiment one judges, by monitoring whether an ARP reply is received, whether the user device corresponding to a DHCP entry is offline, and deletes the ACL entry corresponding to the user device of any DHCP entry that is offline. This frees ACL entry space for other user devices and improves the utilization of the switch's access control list; the ACL table is cleaned up and maintained promptly. The scheme uses gratuitous ARP requests and their ARP replies, making effective use of an existing message mechanism without additional equipment or software, so the technique is easy to deploy and low in cost.
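The probe-and-evict logic of steps S201 to S203, together with the ordered rule set described in the summary (DHCP redirected to the CPU, one permit entry per bound user, a default drop), as an added Python example that is not the patent's code. It builds the 42-byte gratuitous ARP request exactly as the description specifies (sender IP equals target IP equals the user's IP, sender MAC is the user's MAC, destination MAC is broadcast), simulates a two-slot hardware ACL, and evicts bindings whose probe gets no reply. The reply validation (sender MAC/IP, ingress port and VLAN must all match the binding), the hypothetical addresses, ports and capacity, and the simulated network are assumptions added here; the page itself only says that an entry is deleted when no reply is received.

```python
"""Simulation of ACL issue / probe / evict (added example, not the patent's code)."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
DHCP_PORTS = (67, 68)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (the four fields the ACL entry uses)."""
    ip: str
    mac: bytes
    port: int
    vlan: int


def build_probe(b: Binding) -> bytes:
    """ARP request the switch broadcasts for a binding: sender IP == target IP == user IP,
    sender MAC == user MAC, destination MAC == broadcast (Ethernet header + ARP, 42 bytes)."""
    eth = BROADCAST_MAC + b.mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += b.mac + ip_bytes(b.ip) + BROADCAST_MAC + ip_bytes(b.ip)
    return eth + arp


def build_reply(b: Binding, to_mac: bytes) -> bytes:
    """ARP reply an online host returns (constructed; used by the simulated network)."""
    eth = to_mac + b.mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += b.mac + ip_bytes(b.ip) + to_mac + ip_bytes(b.ip)
    return eth + arp


def parse_arp(frame: bytes) -> Tuple[int, bytes, bytes]:
    """Return (opcode, sender MAC, sender IP bytes) of an Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    return struct.unpack("!H", frame[20:22])[0], frame[22:28], frame[28:32]


def reply_is_valid(b: Binding, frame: bytes, in_port: int, in_vlan: int) -> bool:
    """Added check (assumption, not in the patent text): a reply keeps an entry alive only
    if it is an ARP reply whose sender MAC/IP equal the binding and it arrived on the bound
    port and VLAN; otherwise any host could answer on behalf of an offline user."""
    op, smac, sip = parse_arp(frame)
    return (op == ARP_REPLY and smac == b.mac and sip == ip_bytes(b.ip)
            and (in_port, in_vlan) == (b.port, b.vlan))


class HardwareAcl:
    """Hardware ACL with a fixed number of per-user slots plus the two fixed rules
    (DHCP redirected to the CPU, everything else dropped by default)."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: Dict[str, Binding] = {}  # keyed by user IP

    def is_full(self) -> bool:
        return len(self.entries) >= self.capacity

    def action(self, ip: str, mac: bytes, port: int, vlan: int,
               udp_dport: Optional[int] = None) -> str:
        """Ordered lookup: DHCP -> "cpu"; full four-field match -> "forward"; else "drop"."""
        if udp_dport in DHCP_PORTS:
            return "cpu"
        e = self.entries.get(ip)
        if e is not None and (e.mac, e.port, e.vlan) == (mac, port, vlan):
            return "forward"
        return "drop"


# A probe function broadcasts the frame and returns (reply frame, ingress port, ingress
# VLAN), or None when nothing answered before the timer expired.
Probe = Callable[[bytes, Binding], Optional[Tuple[bytes, int, int]]]


def issue_acl(acl: HardwareAcl, new: Binding, probe: Probe) -> bool:
    """Steps S201-S203: when the table is full, probe every installed binding with its
    gratuitous ARP request and delete the entries that get no valid reply (user offline);
    then install the new entry if a slot is free."""
    if acl.is_full():
        for b in list(acl.entries.values()):
            answer = probe(build_probe(b), b)
            if answer is None or not reply_is_valid(b, *answer):
                del acl.entries[b.ip]
    if acl.is_full():
        return False  # every installed user answered: the new user still gets no entry
    acl.entries[new.ip] = new
    return True


def simulate() -> Tuple[HardwareAcl, bool, bool]:
    """Constructed scenario: two slots, host B has gone offline, hosts C and D arrive."""
    a = Binding("10.0.0.11", bytes.fromhex("020000000001"), port=1, vlan=10)
    b = Binding("10.0.0.12", bytes.fromhex("020000000002"), port=2, vlan=10)
    c = Binding("10.0.0.13", bytes.fromhex("020000000003"), port=3, vlan=10)
    d = Binding("10.0.0.14", bytes.fromhex("020000000004"), port=4, vlan=10)
    online: List[Binding] = [a, c, d]

    def probe(frame: bytes, bound: Binding):
        target_ip = frame[38:42]
        for host in online:  # every online host sees the broadcast ...
            if ip_bytes(host.ip) == target_ip:  # ... and answers if it carries its own IP
                return build_reply(host, frame[6:12]), host.port, host.vlan
        return None

    acl = HardwareAcl(capacity=2)
    issue_acl(acl, a, probe)
    issue_acl(acl, b, probe)
    got_c = issue_acl(acl, c, probe)  # table full: B gets no reply, is evicted, C installed
    got_d = issue_acl(acl, d, probe)  # A and C both answer: still no room for D
    return acl, got_c, got_d
```

Running `simulate()` shows both outcomes the description implies: with A and B occupying the two slots and B offline, the arrival of C evicts B and installs C, while the arrival of D fails because A and C both answer their probes. That second case is the one the page leaves implicit: eviction only helps when at least one installed user is actually offline.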
Embodiment two
Fig. 3 is a flow chart of the method for adjusting secure access provided by the second embodiment of the present invention. This embodiment builds on embodiment one, and the hardware environment is the same as in embodiment one. As shown in Fig. 3, the method provided by this embodiment comprises:
Step S301: receive the DHCP request message of the user device and the reply message of the DHCP server.
In this embodiment, the DHCP request message provides the MAC address, ingress port number and VLAN number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process.
Step S302: create a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server.
In this embodiment the DHCP entry comprises the MAC address, ingress port, VLAN number, IP address and lease. The entry is created as follows: the MAC address, ingress port and VLAN number carried in the DHCP request message are saved into the user device's entry in the binding table; after the reply message of the DHCP server is received, the IP address and lease are extracted from the reply message and added to that entry.
Step S303: generate an ACL entry according to the DHCP entry.
Here the DHCP entry comprises the IP address, MAC address, ingress port, VLAN number and lease. The IP address, MAC address, ingress port and VLAN number are extracted from the DHCP entry to generate the corresponding ACL entry. When the switch receives a packet, it forwards the packet only if the packet's fields match one of the ACL entries in the switch.
Step S304: judge whether the ACL table is full; when the ACL table is full, broadcast an Address Resolution Protocol (ARP) request.
Step S305: monitor whether an ARP reply is received; if no ARP reply is received, delete from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
The method for adjusting secure access provided by this embodiment is a preferred embodiment built on embodiment one; it achieves the same function, provides ACL entry space for user devices and improves the utilization of the switch's access control list.
Further, before receiving the DHCP request message of the user device and the reply message of the DHCP server, the method preferably also comprises: enabling the DHCP snooping function of the switch; issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message, where an ACL rule is a judgement statement in the access control list that identifies the matching condition of a packet flow. The benefit of this scheme is that it starts the security function of the DHCP snooping process and pre-configures the ACL rules, so that the switch forwards packets selectively according to the ACL rule information, which guarantees the security of packet forwarding by the switch.
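The DHCP snooping side of steps S301 to S303, as an added Python example that is not the patent's code: it parses a constructed DHCPREQUEST and DHCPACK (RFC 2131 layout), takes the MAC address, ingress port and VLAN from the request, takes the IP address, lease, gateway and DNS servers from the ACK, and derives the four-field ACL entry. The message contents, the port numbers and the rule that server replies are accepted only from a trusted port are assumptions added here; the page's text does not mention trusted ports. The DHCP messages reach this code because of the rule, described just above, that redirects DHCP traffic to the switch CPU.

```python
"""DHCP snooping: from request/ACK to binding entry to ACL entry (added example)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPACK = 3, 5
MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE = 3, 6, 51, 53


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_dhcp(op: int, mac: bytes, msg_type: int, yiaddr: str = "0.0.0.0",
               options: Tuple[Tuple[int, bytes], ...] = ()) -> bytes:
    """Minimal BOOTP/DHCP message used as constructed test input (fixed 240-byte header)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + bytes(8)     # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + bytes(10) + bytes(64) + bytes(128) + MAGIC        # chaddr(16), sname, file, cookie
    body = bytes([OPT_MSGTYPE, 1, msg_type])
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + body + b"\xff"


def parse_dhcp(msg: bytes) -> Tuple[int, bytes, str, Dict[int, bytes]]:
    """Return (op, client MAC from chaddr, yiaddr, {option code: value})."""
    if len(msg) < 241 or msg[1] != 1 or msg[2] != 6 or msg[236:240] != MAGIC:
        raise ValueError("not an Ethernet DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:  # pad option
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return msg[0], msg[28:34], ip_str(msg[16:20]), opts


@dataclass
class Binding:
    """DHCP binding entry: MAC/port/VLAN from the request, IP/lease (plus gateway, DNS) from the ACK."""
    mac: bytes
    port: int
    vlan: int
    ip: Optional[str] = None
    lease: Optional[int] = None
    gateway: Optional[str] = None
    dns: List[str] = field(default_factory=list)


class DhcpSnooper:
    def __init__(self, trusted_ports: Tuple[int, ...]) -> None:
        # Assumption beyond the patent text: server replies are accepted only from trusted
        # (uplink) ports, so a rogue server on a user port cannot plant bindings.
        self.trusted = set(trusted_ports)
        self.pending: Dict[bytes, Binding] = {}   # half-built entries keyed by client MAC
        self.bindings: Dict[bytes, Binding] = {}

    def on_client_message(self, msg: bytes, port: int, vlan: int) -> None:
        """Step S302, first half: record MAC, ingress port and VLAN from a DHCPREQUEST."""
        op, mac, _, opts = parse_dhcp(msg)
        if op == BOOTREQUEST and opts.get(OPT_MSGTYPE) == bytes([DHCPREQUEST]):
            self.pending[mac] = Binding(mac=mac, port=port, vlan=vlan)

    def on_server_message(self, msg: bytes, port: int) -> Optional[Binding]:
        """Step S302, second half: complete the entry from the DHCPACK (IP, lease, gateway, DNS)."""
        if port not in self.trusted:
            return None
        op, mac, yiaddr, opts = parse_dhcp(msg)
        if op != BOOTREPLY or opts.get(OPT_MSGTYPE) != bytes([DHCPACK]):
            return None
        b = self.pending.pop(mac, None)
        if b is None:
            return None  # ACK for a client whose request was never seen
        b.ip = yiaddr
        b.lease = struct.unpack("!I", opts[OPT_LEASE])[0]
        if OPT_ROUTER in opts:
            b.gateway = ip_str(opts[OPT_ROUTER][:4])
        dns = opts.get(OPT_DNS, b"")
        b.dns = [ip_str(dns[i:i + 4]) for i in range(0, len(dns), 4)]
        self.bindings[mac] = b
        return b


def acl_entry(b: Binding) -> Tuple[str, bytes, int, int]:
    """Step S303: the four fields the hardware ACL matches on (the lease stays in the binding)."""
    return b.ip, b.mac, b.port, b.vlan


def demo() -> Optional[Binding]:
    """Constructed exchange: client on port 7 / VLAN 20 requests, server on trusted port 24 ACKs."""
    mac = bytes.fromhex("0200deadbeef")
    snooper = DhcpSnooper(trusted_ports=(24,))
    snooper.on_client_message(build_dhcp(BOOTREQUEST, mac, DHCPREQUEST), port=7, vlan=20)
    ack = build_dhcp(BOOTREPLY, mac, DHCPACK, yiaddr="10.0.20.55", options=(
        (OPT_LEASE, struct.pack("!I", 3600)),
        (OPT_ROUTER, ip_bytes("10.0.20.1")),
        (OPT_DNS, ip_bytes("10.0.0.53") + ip_bytes("10.0.0.54")),
    ))
    return snooper.on_server_message(ack, port=24)
```

`demo()` returns the completed binding; `acl_entry()` on it yields the (IP, MAC, port, VLAN) tuple that the hardware ACL would be programmed with. An ACK arriving on a non-trusted port is ignored, so the pending half-entry stays unbound until a reply from a trusted port completes it.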
Embodiment three
Fig. 4 is a schematic structural diagram of the device contained in the switch provided by the third embodiment of the present invention. As shown in Fig. 4, the device provided by this embodiment comprises an entry judging module 405, a message requesting module 406 and a reply monitoring module 407.
The entry judging module 405 is for issuing an ACL entry according to the DHCP entry of the user device in the Dynamic Host Configuration Protocol (DHCP) binding table and judging whether the ACL table is full. The message requesting module 406 is for broadcasting an Address Resolution Protocol (ARP) request when the ACL table is full, wherein the sender IP address and the target IP address of the ARP request are both the IP address of the user device in the DHCP entry, the sender Media Access Control (MAC) address of the ARP request is the MAC address of the user device in the DHCP entry, and the destination MAC address of the ARP request is the broadcast address. The reply monitoring module 407 is for monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
In this scheme, the entry judging module 405 and the message requesting module 406 broadcast the ARP request and judge whether an ARP reply is received, so as to judge whether the user device corresponding to the DHCP entry is offline, and the reply monitoring module 407 deletes the ACL entry corresponding to the user device of any DHCP entry that is offline. The ACL entries of offline user devices can thus be cleaned up and maintained promptly, which improves the utilization of the switch's access control list. The scheme makes effective use of an existing message mechanism without additional equipment or software, so the technique is easy to deploy and low in cost.
Preferably, the scheme further comprises a message receiving module 402, an entry creating module 403 and an entry generating module 404.
The message receiving module 402 is for receiving, according to the timing cycle of the first timer and before the ARP request is broadcast according to the DHCP entry of the user device in the DHCP binding table, the DHCP request message of the user device and the reply message of the DHCP server, wherein the DHCP request message provides the MAC address, ingress port number and VLAN number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process. The entry creating module 403 is for creating a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server. The entry generating module 404 is for generating the ACL entry according to the DHCP entry.
Preferably, the scheme further comprises a configuration module 401, for enabling the DHCP snooping function of the switch before the DHCP request message of the user device and the reply message of the DHCP server are received, issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message.
Further, the entry creating module 403 is specifically for: saving the MAC address, ingress port and VLAN number carried in the DHCP request message into the user device's entry in the DHCP binding table; and, after the reply message of the DHCP server is received, extracting the IP address and lease from the reply message and adding them to the user device's entry in the DHCP binding table.
In this embodiment, the ACL entry in the reply monitoring module 407 may comprise the IP address, MAC address, ingress port and VLAN number of the user device.
The switch provided by this embodiment is for executing the method for adjusting secure access provided by any embodiment of the present invention; it has the corresponding functional modules and achieves the same technical effect.
Obviously, those skilled in the art should understand that each of the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or they can be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The foregoing are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention may have various changes and variations. Any modification, equivalent replacement, improvement and so on made within the spirit and principle of the present invention shall be included within its scope of protection.

Claims (10)

1. A method for adjusting secure access, characterized in that it comprises:
according to the DHCP entry of a user device in the Dynamic Host Configuration Protocol (DHCP) binding table, issuing an ACL entry based on the DHCP entry, and judging whether the ACL table is full;
when the ACL table is full, broadcasting an Address Resolution Protocol (ARP) request, wherein the sender IP address and the target IP address of the ARP request are both the IP address of the user device in the DHCP entry, the sender Media Access Control (MAC) address of the ARP request is the MAC address of the user device in the DHCP entry, and the destination MAC address of the ARP request is the broadcast address;
monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
2. The method for adjusting secure access according to claim 1, characterized in that, before issuing the ACL entry based on the DHCP entry of the user device in the DHCP binding table and judging whether the ACL table is full, the method further comprises:
receiving the DHCP request message of the user device and the reply message of the DHCP server, wherein the DHCP request message provides the MAC address, ingress port number and virtual LAN (VLAN) number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process;
creating a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server;
generating the ACL entry according to the DHCP entry.
3. The method for adjusting secure access according to claim 2, characterized in that, before receiving the DHCP request message of the user device and the reply message of the DHCP server, the method further comprises:
enabling the DHCP snooping function of the switch;
issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message.
4. The method for adjusting secure access according to claim 2, characterized in that creating the DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server comprises:
saving the MAC address, ingress port and VLAN number carried in the DHCP request message into the user device's entry in the DHCP binding table;
after receiving the reply message of the DHCP server, extracting the IP address and lease from the reply message and adding them to the user device's entry in the DHCP binding table.
5. The method for adjusting secure access according to claim 1, characterized in that the ACL entry comprises the IP address, MAC address, ingress port and VLAN number of the user device.
6. A switch, characterized in that it comprises:
an entry judging module, for issuing an ACL entry according to the DHCP entry of a user device in the Dynamic Host Configuration Protocol (DHCP) binding table and judging whether the ACL table is full;
a message requesting module, for broadcasting an Address Resolution Protocol (ARP) request when the ACL table is full, wherein the sender IP address and the target IP address of the ARP request are both the IP address of the user device in the DHCP entry, the sender Media Access Control (MAC) address of the ARP request is the MAC address of the user device in the DHCP entry, and the destination MAC address of the ARP request is the broadcast address;
a reply monitoring module, for monitoring whether an ARP reply is received and, if no ARP reply is received, deleting from the hardware access control list (ACL) the ACL entry corresponding to the ACL rule of the DHCP entry.
7. The switch according to claim 6, characterized in that it further comprises:
a message receiving module, for receiving, before the ACL entry is issued based on the DHCP entry of the user device in the DHCP binding table and whether the ACL table is full is judged, the DHCP request message of the user device and the reply message of the DHCP server, wherein the DHCP request message provides the MAC address, ingress port number and virtual LAN (VLAN) number to the DHCP snooping process, and the reply message of the DHCP server provides the IP address, lease, gateway and domain name system (DNS) server to the DHCP snooping process;
an entry creating module, for creating a DHCP entry in the DHCP binding table according to the DHCP request message of the user device and the reply message of the DHCP server;
an entry generating module, for generating the ACL entry according to the DHCP entry.
8. The switch according to claim 7, characterized in that it further comprises:
a configuration module, for enabling the DHCP snooping function of the switch before the DHCP request message of the user device and the reply message of the DHCP server are received, issuing an ACL rule that redirects DHCP messages to the switch CPU, and at the same time issuing a default ACL rule that does not forward any message.
9. The switch according to claim 7, characterized in that the entry creating module is specifically for:
saving the MAC address, ingress port and VLAN number carried in the DHCP request message into the user device's entry in the DHCP binding table;
After receiving the back message using of described Dynamic Host Configuration Protocol server, extract IP address and rental period in described back message using, and described IP address and rental period are added in the DHCP list item of binding table of described subscriber equipment.
10. switch according to claim 6, is characterized in that, the ACL list item that described monitoring is replied in module comprises: IP address, MAC Address, access interface and the vlan number of described subscriber equipment.
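An added example, not the patent's or the applicant's code, modelling the scheme of claims 6 to 10: a DHCP binding entry, the ARP probe built exactly as claim 6 specifies (sender IP and target IP both the user's IP, sender MAC the user's MAC, target MAC broadcast), and a fixed-capacity hardware ACL matching on the IP/MAC/port/VLAN tuple of claims 5 and 10. The `arp_probe` callable, the class names and the sample addresses are assumptions of this example; the reclaim condition taken here is the stale-user reading, in which a bound user's entry is deleted when its probe goes unanswered.

```python
# Added example, not the patent's code: a model of the switch behaviour in the claims.
# All data is constructed; arp_probe (an assumption) stands in for sending the ARP probe.
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, Dict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ArpRequest = namedtuple("ArpRequest", "sender_ip sender_mac target_ip target_mac")

@dataclass(frozen=True)
class DhcpEntry:
    """Binding-table entry: MAC, port and VLAN from the DHCP request, IP and
    lease from the server reply (claims 4 and 9)."""
    mac: str
    port: int
    vlan: int
    ip: str
    lease: int

def build_probe(entry: DhcpEntry) -> ArpRequest:
    """ARP request per claim 6: sender IP == target IP == user IP, sender MAC ==
    user MAC, target MAC == broadcast, so only that host would answer."""
    return ArpRequest(entry.ip, entry.mac, entry.ip, BROADCAST_MAC)

class HardwareAcl:
    """Fixed-capacity hardware ACL; traffic not matched by an entry is denied."""
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: Dict[str, DhcpEntry] = {}  # keyed by user MAC

    def is_full(self) -> bool:
        return len(self.entries) >= self.capacity

    def permits(self, ip: str, mac: str, port: int, vlan: int) -> bool:
        # Match on the full tuple of claims 5 and 10, not on the MAC alone.
        e = self.entries.get(mac)
        return e is not None and (e.ip, e.port, e.vlan) == (ip, port, vlan)

def issue_acl_entry(acl: HardwareAcl, entry: DhcpEntry,
                    arp_probe: Callable[[ArpRequest], bool]) -> bool:
    """Install entry. If the ACL is full, probe every bound user and delete the
    entries of users that send no reply, then retry. Returns True if installed."""
    if acl.is_full():
        for mac, bound in list(acl.entries.items()):
            if not arp_probe(build_probe(bound)):  # no reply: user has left
                del acl.entries[mac]
    if acl.is_full():
        return False
    acl.entries[entry.mac] = entry
    return True
```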
CN201310546098.6A 2013-11-06 2013-11-06 Adjusting safety access method and exchanger Pending CN103595711A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310546098.6A CN103595711A (en) 2013-11-06 2013-11-06 Adjusting safety access method and exchanger

Publications (1)

Publication Number Publication Date
CN103595711A true CN103595711A (en) 2014-02-19

Family

ID=50085693

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140219