CN103701784A - Host machine protection method - Google Patents

Host machine protection method

Info

Publication number: CN103701784A
Authority: CN (China)
Prior art keywords: address, port, broadcast request, access, host
Legal status: Granted (active)
Application number: CN201310692812.2A
Other languages: Chinese (zh)
Other versions: CN103701784B (en)
Inventors: 严云龙, 李勇
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: Maipu Communication Technology Co Ltd
Priority date and filing date: 2013-12-17 (application CN201310692812.2A filed by Maipu Communication Technology Co Ltd)
Publication of CN103701784A: 2014-04-02
Grant and publication of CN103701784B: 2017-02-15

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to communication technology. It addresses the lack, in existing port security technology, of any protection method based on IP (Internet Protocol) rules, and provides a host protection method. The main technical scheme is as follows: first, a port security system is enabled on a port, initialized, and given its parameters; then an IP rule comprising at least one admitted IP address is configured on the port; the port security system then sends an ARP (Address Resolution Protocol) broadcast request to the host corresponding to each admitted IP address; after receiving the ARP reply of a valid host, the port security system extracts the corresponding MAC (media access control) address and writes it, together with the corresponding VLAN ID (virtual local area network identifier) and port number, into a static forwarding table entry. From then on, packets arriving on that port that match the static forwarding table entry are forwarded at layer 2 once the table lookup succeeds. The method is convenient for users and is applicable to port security protection.

Description

Host protection method
Technical field
The present invention relates to communication technology, and in particular to secure access control technology for layer-2 devices.
Background
As the network device closest to the access terminals in a network environment, the switch is where secure access control matters most. Port security is the port-based secure access control technology for layer-2 network devices that grew out of this need.
Layer-2 forwarding on a network device is performed by looking up the MAC address table; a packet whose source MAC address has no table entry and cannot be learned is dropped. The most common approach of today's port security modules is to apply security control, on the ingress port, to the host MAC addresses that need protection together with their VLAN ID: specific security policies are realized by defining MAC rules, MAC+VLAN rules and the like on the device.
Current port security technology therefore controls access to a port mainly through port-based MAC rules or MAC+VLAN rules. Concretely, the address-learning state of a port with port security enabled is set to drop (DROP) mode, so that only packets matching the static address entries generated from the defined MAC rules or MAC+VLAN rules are forwarded; this yields secure access control for the port. However, because MAC addresses are written in hexadecimal they are hard to remember, which is a considerable inconvenience in real large-scale network deployments. Moreover, MAC address rules can only control access per terminal, and are significantly limited in scenarios that call for protection based on IP network addresses.
Summary of the invention
The object of the invention is to overcome the shortcoming that current port security technology offers no protection method based on IP rules, by providing a host protection method.
The technical solution adopted to solve this technical problem is a host protection method characterized by the following steps:
Step 1: enable the port security mechanism on the port, initialize the port security mechanism, and set its parameters;
Step 2: configure an IP rule on the port, the IP rule comprising at least one admitted IP address;
Step 3: send an ARP broadcast request to the host corresponding to each admitted IP address;
Step 4: after receiving an ARP reply from a valid host, extract the corresponding MAC address and write the obtained MAC address, together with the corresponding virtual local area network number (VLAN ID) and port number, into a static forwarding table entry.
Specifically, in step 1 the parameters include the ARP broadcast request polling period and the number of ARP broadcast requests sent per round.
Further, step 3 comprises the following concrete steps:
Step 301: the port security system judges whether the number of admitted IP addresses in the IP rule is greater than the configured number of ARP broadcast requests per round; if so, proceed to the next step, otherwise go to step 303;
Step 302: using the configured ARP broadcast request polling period as the time period, the port security system sends ARP broadcast requests in rounds, in the order in which the admitted IP addresses are arranged, each ARP broadcast request corresponding to the host of one admitted IP address, until the number of admitted IP addresses that have not yet been sent an ARP broadcast request is less than or equal to the configured number of requests per round; then proceed to the next step;
Step 303: the port security system sends an ARP broadcast request to the host of every admitted IP address that has not yet been sent one.
Specifically, in step 302 the arrangement order is ascending IP address order.
Further, step 302 comprises the following concrete steps:
Step 302A: the port security system sorts the admitted IP addresses that have not yet been sent an ARP broadcast request in ascending order and, in that order, sends ARP broadcast requests to the hosts of the configured per-round number of admitted IP addresses;
Step 302B: the port security system waits the configured time;
Step 302C: the port security system judges whether the number of admitted IP addresses that have not yet been sent an ARP broadcast request is greater than the configured number of requests per round; if so, return to step 302A, otherwise proceed to the next step.
Specifically, in step 1 the parameters include a keepalive period.
Further, step 3 also comprises: after the port security system has sent ARP broadcast requests to the hosts of all admitted IP addresses, it resets the keepalive timer to 0 and starts timing;
After step 4 the method further comprises:
Step 5: the port security system judges whether the keepalive timer has reached the configured keepalive period; if so, return to step 3, otherwise wait.
Specifically, in step 2, "the IP rule comprises at least one admitted IP address" means that the IP rule comprises a single admitted IP address or a contiguous range of admitted IP addresses.
Further, in step 1, initialization of the port security system means: clear the dynamic forwarding table entries of all MAC addresses under this port, and set the port's address-learning state to drop (DROP) mode.
The beneficial effect of the invention is that the above IP-rule-based host protection method provides port security protection based on IP rules, which enriches the application scenarios of the port security system, greatly streamlines its deployment, and is convenient for users.
Brief description of the drawing
Fig. 1 is the flow chart of the host protection method in the embodiment of the invention.
Detailed description
The technical solution of the invention is described in detail below with reference to the embodiment and the drawing.
In the host protection method of the invention, the port first enables the port security system, which is initialized and given its parameters; an IP rule comprising at least one admitted IP address is then configured on the port; the port security system then sends an ARP broadcast request to the host of each admitted IP address; after receiving an ARP reply from a valid host, the port security system extracts the corresponding MAC address and writes it, together with the corresponding VLAN ID and port number, into a static forwarding table entry. From then on, packets arriving on the port that match this static forwarding table entry are forwarded at layer 2 once the table lookup succeeds.
Embodiment
The flow chart of the host protection method in this embodiment is shown in Fig. 1 and comprises the following steps:
Step 1: enable the port security mechanism on the port, initialize the port security system, and set its parameters.
In this step the parameters include the ARP broadcast request polling period and the number of ARP broadcast requests sent per round, denoted t and n respectively; this example uses n=10. The parameters may also include a keepalive period, denoted S. Initialization of the port security system means: clear all static MAC-address forwarding entries under this port (the summary and claim 9 say dynamic entries), and set the port's address-learning state to drop (DROP) mode.
Step 2: configure an IP rule on the port, the IP rule comprising at least one admitted IP address.
In this step, "the IP rule comprises at least one admitted IP address" means that the IP rule comprises a single admitted IP address or a contiguous admitted IP address range. In this example the number of admitted IP addresses is denoted m, and the admitted range in the IP rule is 10.0.0.1-10.0.0.15, i.e. 15 admitted IP addresses.
Step 3: send an ARP broadcast request to the host corresponding to each admitted IP address.
This step may comprise the following concrete steps:
Step 301: the port security system judges whether the number of admitted IP addresses in the IP rule is greater than the configured per-round count n; if so, proceed to the next step, otherwise go to step 303. In this example the test is whether 15 is greater than 10; since it is, proceed to step 302;
Step 302: with t as the period, the port security system sends n ARP broadcast requests per round (10 per round in this example) in the arranged order of the admitted IP addresses, each ARP broadcast request corresponding to the host of one admitted IP address, until the number of admitted IP addresses not yet sent an ARP broadcast request is less than or equal to n; then proceed to the next step;
Step 303: the port security system sends an ARP broadcast request to the host of every admitted IP address that has not yet been sent one.
In step 302 the arrangement order is ascending IP address order, and its concrete steps are:
Step 302A: the port security system sorts the admitted IP addresses that have not yet been sent an ARP broadcast request in ascending order and, in that order, sends ARP broadcast requests to the hosts of the first n of them. In this example it sends requests to the hosts of the first 10 admitted IP addresses, leaving 5 admitted IP addresses not yet probed. A counter i may be defined here, initially set to i=0;
Step 302B: the port security system waits time t, then sets i=i+1;
Step 302C: the port security system judges whether the number of admitted IP addresses not yet sent an ARP broadcast request is greater than n, which can be understood as judging whether m-n*i is greater than n; if so, return to step 302A, otherwise proceed to the next step. In this example the test is whether the 5 addresses not yet probed exceed 10; since 5 is less than 10, proceed directly to step 303.
If a keepalive period S was set in step 1, then once the port security system has sent ARP broadcast requests to the hosts of all admitted IP addresses, the keepalive timer is reset to 0 and started.
Step 4: after receiving an ARP reply from a valid host, extract the corresponding MAC address and write it, together with the corresponding VLAN ID and port number, into a static forwarding table entry.
In this step, after receiving an ARP reply from a valid host, the port security system extracts the corresponding MAC address and writes the obtained MAC address, the corresponding VLAN ID and the port number into a static forwarding table entry together. If no corresponding ARP reply is received, the host is currently not present under the port; the IP rule temporarily remains in a state with no effective entry, until a later ARP message from that host triggers the writing of a static forwarding table entry.
This example further comprises the following step:
Step 5: the port security system judges whether the keepalive timer has reached S; if so, return to step 3, otherwise continue waiting.
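The five steps above, together with the batched probing of steps 301 to 303, are easiest to check as running code. The following simulation is an added example and is not code from the patent or from Maipu: the names (parse_ip_rule, plan_rounds, PortSecurity, LIVE_HOSTS), the in-memory forwarding tables, the port and VLAN numbers and the constructed set of live hosts are all assumptions for illustration; a real switch would put the ARP requests on the wire and program its hardware forwarding table. It runs the embodiment's own case (n=10, rule 10.0.0.1-10.0.0.15) and also the general case of more than two rounds.

```python
"""Simulation of IP-rule-driven ARP probing and static-entry binding (steps 1-5).
Added example; names, tables and sample hosts below are assumptions, not the patent's code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: hosts actually present behind the port and the MAC
# each answers with. An admitted IP absent from this map gets no ARP reply.
LIVE_HOSTS: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.3": "00:11:22:33:44:03",
    "10.0.0.12": "00:11:22:33:44:0c",
}


def parse_ip_rule(rule: str) -> List[str]:
    """Step 2: an IP rule is a single address or a contiguous range 'a-b'."""
    if "-" in rule:
        lo_s, hi_s = rule.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
        if hi < lo:
            raise ValueError("range end precedes range start")
        return [str(lo + k) for k in range(int(hi) - int(lo) + 1)]
    return [str(ipaddress.IPv4Address(rule.strip()))]


def plan_rounds(admitted: List[str], n: int) -> List[List[str]]:
    """Steps 301-303: while more than n admitted addresses remain unprobed, probe the
    lowest n per polling period (302A-302C); the last round (303) probes the rest."""
    if n <= 0:
        raise ValueError("per-round request count n must be positive")
    pending = sorted(admitted, key=lambda a: int(ipaddress.IPv4Address(a)))
    rounds: List[List[str]] = []
    while len(pending) > n:          # steps 301 / 302C: m - n*i > n ?
        rounds.append(pending[:n])   # step 302A: lowest n unprobed addresses
        pending = pending[n:]        # step 302B: the wait of t sits between rounds
    rounds.append(pending)           # step 303: everything still pending
    return rounds


def arp_request(ip: str) -> Optional[str]:
    """Stand-in for an ARP broadcast request on the port: the MAC from the reply,
    or None when no host answers (lookup in the constructed LIVE_HOSTS map)."""
    return LIVE_HOSTS.get(ip)


class PortSecurity:
    """Port security state for one switch port (assumed structure)."""

    def __init__(self, port: int, vlan_id: int, n: int = 10, t: float = 1.0, s: float = 60.0):
        self.port, self.vlan_id = port, vlan_id
        self.n, self.t, self.s = n, t, s       # per-round count, poll period, keepalive period
        self.learning = "LEARN"
        self.dynamic_fdb: Dict[Tuple[str, int], int] = {}  # (MAC, VLAN) -> port, learned
        self.static_fdb: Dict[Tuple[str, int], int] = {}   # (MAC, VLAN) -> port, bound by rule
        self.admitted: List[str] = []
        self.keepalive = 0.0

    def initialize(self) -> None:
        """Step 1: drop this port's dynamic entries and stop address learning."""
        self.dynamic_fdb = {k: v for k, v in self.dynamic_fdb.items() if v != self.port}
        self.learning = "DROP"

    def configure_rule(self, rule: str) -> None:
        """Step 2."""
        self.admitted = parse_ip_rule(rule)

    def probe(self) -> int:
        """Steps 3 and 4: probe in rounds, bind (MAC, VLAN, port) for every host that
        answers, then restart the keepalive timer. Returns the number of entries bound."""
        bound = 0
        for rnd in plan_rounds(self.admitted, self.n):
            for ip in rnd:
                mac = arp_request(ip)
                if mac is None:
                    continue               # host absent: rule has no effective entry yet
                self.static_fdb[(mac.lower(), self.vlan_id)] = self.port
                bound += 1
            # step 302B: a real implementation sleeps t here before the next round
        self.keepalive = 0.0               # timer reset once the last request is sent
        return bound

    def forwards(self, src_mac: str, vlan_id: int) -> bool:
        """Ingress check: in DROP mode only frames whose (source MAC, VLAN) has a
        static entry on this port are forwarded; everything else is dropped."""
        key = (src_mac.lower(), vlan_id)
        if self.static_fdb.get(key) == self.port:
            return True
        return self.learning != "DROP" and self.dynamic_fdb.get(key) == self.port

    def tick(self, elapsed: float) -> bool:
        """Step 5: advance the keepalive timer; re-run step 3 when it reaches S."""
        self.keepalive += elapsed
        if self.keepalive < self.s:
            return False
        self.probe()
        return True


def demo() -> PortSecurity:
    """The embodiment's case: n=10, rule 10.0.0.1-10.0.0.15 (port 5 / VLAN 100 assumed)."""
    ps = PortSecurity(port=5, vlan_id=100, n=10, t=1.0, s=60.0)
    ps.dynamic_fdb[("00:aa:bb:cc:dd:ee", 100)] = 5    # a previously learned entry
    ps.initialize()
    ps.configure_rule("10.0.0.1-10.0.0.15")
    ps.probe()
    return ps


if __name__ == "__main__":
    p = demo()
    print(plan_rounds(p.admitted, p.n))   # two rounds: 10 addresses, then 5
    print(sorted(p.static_fdb))           # the three hosts that answered
```

Two points worth noticing when reading the simulation. First, the forwarding decision is still keyed on (source MAC, VLAN, port); the IP rule only drives discovery, so a host with an admitted IP but no ARP reply at probe time is not forwarded until the next keepalive round re-probes it. Second, ARP replies carry no authentication, so whichever station behind the port answers for an admitted IP is the one whose MAC gets bound; the admitted set is only as trustworthy as the segment attached to the port.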

Claims (9)

1. A host protection method, characterized by comprising the following steps:
Step 1: enable the port security mechanism on the port, initialize the port security mechanism, and set its parameters;
Step 2: configure an IP rule on the port, the IP rule comprising at least one admitted IP address;
Step 3: send an ARP broadcast request to the host corresponding to each admitted IP address;
Step 4: after receiving an ARP reply from a valid host, extract the corresponding MAC address and write the obtained MAC address, together with the corresponding virtual local area network number (VLAN ID) and port number, into a static forwarding table entry.
2. The host protection method of claim 1, characterized in that in step 1 the parameters comprise an ARP broadcast request polling period and a number of ARP broadcast requests sent per round.
3. The host protection method of claim 2, characterized in that step 3 comprises the following concrete steps:
Step 301: the port security system judges whether the number of admitted IP addresses in the IP rule is greater than the configured number of ARP broadcast requests per round; if so, proceed to the next step, otherwise go to step 303;
Step 302: using the configured ARP broadcast request polling period as the time period, the port security system sends ARP broadcast requests in rounds, in the order in which the admitted IP addresses are arranged, each ARP broadcast request corresponding to the host of one admitted IP address, until the number of admitted IP addresses that have not yet been sent an ARP broadcast request is less than or equal to the configured number of requests per round; then proceed to the next step;
Step 303: the port security system sends an ARP broadcast request to the host of every admitted IP address that has not yet been sent one.
4. The host protection method of claim 3, characterized in that in step 302 the arrangement order is ascending IP address order.
5. The host protection method of claim 4, characterized in that step 302 comprises the following concrete steps:
Step 302A: the port security system sorts the admitted IP addresses that have not yet been sent an ARP broadcast request in ascending order and, in that order, sends ARP broadcast requests to the hosts of the configured per-round number of admitted IP addresses;
Step 302B: the port security system waits the configured time;
Step 302C: the port security system judges whether the number of admitted IP addresses that have not yet been sent an ARP broadcast request is greater than the configured number of requests per round; if so, return to step 302A, otherwise proceed to the next step.
6. The host protection method of claim 1, characterized in that in step 1 the parameters further comprise a keepalive period.
7. The host protection method of claim 6, characterized in that step 3 further comprises: after the port security mechanism has sent ARP broadcast requests to the hosts of all admitted IP addresses, the keepalive timer is reset to 0 and started; and/or
the method further comprises the following step:
Step 5: the port security system judges whether the keepalive timer has reached S; if so, return to step 3, otherwise continue waiting.
8. The host protection method of any one of claims 1-7, characterized in that in step 2 "the IP rule comprises at least one admitted IP address" means: the IP rule comprises a single admitted IP address or a contiguous range of admitted IP addresses.
9. The host protection method of any one of claims 1-7, characterized in that in step 1 initialization of the port security system means: clear the dynamic forwarding table entries of all MAC addresses under this port, and set the port's address-learning state to drop mode.

Priority Applications (1)

Application number: CN201310692812.2A (granted as CN103701784B); priority date: 2013-12-17; filing date: 2013-12-17; title: Host machine protection method


Publications (2)

CN103701784A (application), published 2014-04-02
CN103701784B (grant), published 2017-02-15


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number; priority date; publication date; assignee; title
CN106789282A *; 2016-12-28; 2017-05-31; 青岛海天炜业过程控制技术股份有限公司; Method for low-latency processing of the IEC 60870-5-104 protocol by an industrial firewall
CN107135203A *; 2017-04-05; 2017-09-05; 北京明朝万达科技股份有限公司; Method and system for optimizing terminal access control policy
CN107135203B *; 2017-04-05; 2019-03-08; 北京明朝万达科技股份有限公司; Method and system for optimizing terminal access control policy
CN106911724A *; 2017-04-27; 2017-06-30; 杭州迪普科技股份有限公司; Packet processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number; priority date; publication date; assignee; title
CN1567839A *; 2003-06-24; 2005-01-19; 华为技术有限公司; Port based network access control method
CN101521658A *; 2008-02-29; 2009-09-02; 上海博达数据通信有限公司; Realizing method for Ethernet ARP scanning which is applied in broadband router
CN101741702A *; 2008-11-25; 2010-06-16; 中兴通讯股份有限公司; Method and device for limiting broadcast of ARP request
CN103401706A *; 2013-07-26; 2013-11-20; 迈普通信技术股份有限公司; Method and device for configuring port security



Legal Events

Code; event
C06; Publication
PB01; Publication
C10; Entry into substantive examination
SE01; Entry into force of request for substantive examination
C14; Grant of patent or utility model
GR01; Patent grant