CN103825846A - Method and device for implementing port safety - Google Patents

Method and device for implementing port safety

Info

Publication number: CN103825846A
Authority: CN (China)
Prior art keywords: port, network user, user, mac address, network
Legal status: Granted
Application number: CN201410073440.XA
Other languages: Chinese (zh)
Other versions: CN103825846B (en)
Inventors: 王焕章, 李勇, 陈烈
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201410073440.XA; application granted as CN103825846B
Publication of CN103825846A; publication of CN103825846B
Legal status: Active
Abstract

The invention discloses a method and device for implementing port security, in the technical field of networks. A network user can be bound to one, several or all ports of a switch, so that the user is guaranteed flexible and secure access to the network. The method comprises: while it is not yet determined from which port the network user will access, storing the user's MAC address in the form of a dynamic entry; when a switch port receives a packet from the user, updating the stored dynamic entry, comparing the user's port and VLAN information obtained from the packet with the network administrator's configuration, determining that the user is a legitimate user accessing the network from a legitimate port, and changing the user's MAC entry to a static entry. The method and device are mainly applied to the network access process of a network user.

Description

Method and device for implementing port security
Technical field
The present invention relates to the field of network technology, and in particular to a method and device for implementing port security.
Background technology
Compared with other network equipment, an Ethernet switch is exceptionally easy to use: plugging in an Ethernet cable is enough to reach the network. While this convenience helps network deployment, it also creates a security risk, since unauthorized access to the network can easily occur. To address the access security problem, several technologies have been introduced in Ethernet, of which port security is the most commonly used. Port security binds a network user's MAC address and VLAN (Virtual Local Area Network) ID to a switch port, so that the user can access the network only from the bound port and unbound users cannot access it at all, thereby protecting the security of network data. However, in existing port security implementations, the same user's MAC address and VLAN ID can be bound to only one port of a switch; they cannot be bound to several ports, let alone to all ports of the switch.
Specifically, a switch's port security function has two parts: a software control module, and management of the MAC address table resources of the switch chip. After port security is enabled on a switch interface, the hardware MAC address learning function of that port is first turned off, and the control switch that drops packets whose source MAC lookup fails is turned on. ARP (Address Resolution Protocol) packets are not subject to this control switch; the switch delivers them directly to its internal CPU. On receiving such an ARP packet, the CPU parses the packet's MAC address and VLAN ID and compares them with the network administrator's configuration. If the network user identified by this information is a legitimate user permitted by the administrator's configuration, the CPU writes the user's MAC address into the switch chip's MAC address table, so that the user's next packet is found in the table and forwarded normally; the user can then access the network. If no corresponding information is found in the administrator's configuration, the CPU does not write the MAC address into the switch chip, and the user's subsequent packets are dropped because no MAC information is found in the chip; that is, the user cannot access the network.
Existing port security technology allows a network user to be bound to only one switch port. On the one hand, the network administrator cannot always determine exactly from which port a user will access the network; on the other hand, in real deployments a user's working location often changes, which requires a change of access port. These two factors mean that the switch port an administrator configures for a user very often differs from the port the user actually connects to, with the result that the user cannot access the network. A method is therefore urgently needed for binding a network user to several or all ports of a switch, so that the user can access the network flexibly and securely.
Summary of the invention
Embodiments of the invention provide a method and device for implementing port security, in which a network user is bound to one, several or all ports of a switch, so that the user can access the network flexibly and securely.
To achieve this object, embodiments of the invention adopt the following technical scheme:
A method for implementing port security, comprising:
before receiving a packet from the network user, obtaining the user's MAC address according to the network administrator's configuration, storing it in the form of a dynamic entry to form a MAC address entry of the switch chip, and setting the port of the MAC address entry to the CPU port;
when a packet from the user is received, updating the MAC address entry and obtaining the user's port and VLAN (virtual LAN) information, the port of the updated MAC address entry being the port that actually received the packet;
comparing the user's port and VLAN information with the network administrator's configuration to judge whether the user is a legitimate user;
when the user is determined to be a legitimate user, changing the MAC address entry to a static entry.
A device for implementing port security, comprising:
an acquiring unit, for obtaining, before a packet from the network user is received, the user's MAC address according to the network administrator's configuration and storing it in the form of a dynamic entry to form a MAC address entry of the switch chip, the port of the MAC address entry being set to the CPU port;
an updating unit, for updating, when a packet from the user is received, the MAC address entry formed by the acquiring unit, the port of the updated MAC address entry being the port that actually received the packet;
the acquiring unit being further used, after the updating unit has updated the MAC address entry, for obtaining the user's port and VLAN (virtual LAN) information;
a judging unit, for comparing the user's port and VLAN information obtained by the acquiring unit with the network administrator's configuration to judge whether the user is a legitimate user;
a modifying unit, for changing the MAC address entry to a static entry when the judging unit determines that the user is a legitimate user.
In the method for implementing port security provided by the embodiment, while it cannot yet be determined from which port the network user will access, the user's MAC address is stored in the form of a dynamic entry; when an access port receives the user's packet, the stored dynamic entry is updated, the user is determined to be legitimate according to the obtained port and VLAN information, and the user's MAC address entry is changed to a static entry. In the prior art a user can be bound to only one switch port, and when the port receiving the packet is not the designated access port the user's packets are dropped and network access fails. The technical scheme provided by the embodiment allows a user to be bound to one, several or all ports of a switch, so that the user can access the network flexibly and securely.
Accompanying drawing explanation
To describe the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings needed for their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a port security implementation method provided by one embodiment of the invention;
Fig. 2 is a flow chart of a port security implementation method provided by another embodiment of the invention;
Fig. 3 is a flow chart of another port security implementation method provided by one embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of a port security implementation device provided by one embodiment of the invention;
Fig. 5 is a schematic diagram of the composition of another port security implementation device provided by one embodiment of the invention.
Embodiment
The technical schemes of the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, embodiments of the invention; all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the invention.
One embodiment of the invention provides a method for implementing port security which, as shown in Fig. 1, comprises:
101. Before a packet from the network user is received, store the user's MAC address in the form of a dynamic entry according to the network administrator's configuration, forming a MAC address entry.
The port of this MAC address entry is set to the CPU port.
Because at this point the switch cannot determine from which port the user will access, the user's state is now "unconfirmed".
102. When a packet from the user is received, update the MAC address entry and obtain the user's port and VLAN information.
The port of the updated MAC address entry is the port that actually received the user's packet. The user's port information is obtained in order to determine the user's access port.
103. Compare the obtained port and VLAN information with the network administrator's configuration to judge whether the user is a legitimate user accessing the network from a legitimate port.
When the user is legitimate, this means the switch allows the user to access the network through the port that received the packet.
104. When the user is determined to be legitimate, change the MAC address entry to a static entry.
A static entry cannot move. Changing the MAC address entry to a static entry therefore binds the user to the port that received its packet, and the user then accesses the network through that port.
In the method for implementing port security provided by the embodiment, while it cannot yet be determined from which port the network user will access, the user's MAC address is stored in the form of a dynamic entry; when a switch port receives the user's packet, the stored dynamic entry is updated, the user is determined, according to the obtained port and VLAN information, to be a legitimate user accessing from a legitimate port, and the user's MAC address entry is changed to a static entry. In the prior art a user can be bound to only one switch port, and when the port receiving the packet is not the designated access port the user's packets are dropped and network access fails. The technical scheme provided by the embodiment allows a user to be bound to one, several or all ports of a switch, so that the user can access the network flexibly and securely.
Building on the above embodiment, the following steps are also needed to implement its technical scheme more completely:
First, before judging from the user's port and VLAN information whether the user is legitimate and accessing from a legitimate port, the network administrator's configuration must be obtained.
The administrator's configuration includes at least the correspondence between the network user and switch ports, that is, it specifies the switch ports the user may access. Whereas existing port security allows a user to be bound to only one port, this embodiment allows a user, at configuration time, to access from one, several or all ports. This greatly improves the flexibility of user access without loss of security, improves the availability of the whole network, and reduces deployment difficulty and maintenance cost.
Specifically, judging from the user's port and VLAN information whether the user is legitimate and accessing from a legitimate port comprises:
when the user's port and VLAN information are consistent with the configuration corresponding to that user in the administrator's configuration, determining that the user is legitimate. That is, the user is judged to be legitimate by judging whether the user's MAC address is legal and whether the user is accessing the network from a legal port.
The embodiment also has another implementation that lets the user access the network flexibly, for example when the user must change access port because of a change of location. In that situation the prior art no longer allows the user to access the network, whereas this implementation does.
Specifically, after the user's MAC address entry has been changed to a static entry,
the switch clears the source-hit flag in the static entry at a predetermined period; if within a set time the source-hit flag is not set again by the switch chip, the user's static entry is changed back to a dynamic entry.
It should be noted that in this implementation, because the user may go offline or shut down, the user may for a considerable time not access the network again through the port originally recorded in the static entry, or may switch to another port. To ensure the user can access the network again from that port or from another port, this implementation deletes the source-hit flag from the static entry and returns the user to the unconfirmed state.
The source-hit flag indicates that the user is accessing the network through the designated port.
It should also be noted that the switches mentioned in the embodiments include not only ordinary Ethernet switches but also routing switch boards that support the port security feature.
Another embodiment of the invention provides a method for implementing port security which, as shown in Fig. 2, comprises:
201. On all ports on which the port security feature is enabled, the switch turns off the hardware MAC address learning function.
202. The switch receives the network administrator's configuration.
This configuration is set by the administrator. In it, the same user may be bound to one, several or all ports of the switch. The configuration contains port security rules, each expressing the correspondence between a user's MAC address and ports of the switch.
For example, in this embodiment the port security rules state that the user with MAC address MAC1 may access the network through ports A and B of the switch.
It should be noted that the embodiment does not restrict the order of 201 and 202; 202 may also be performed before 201.
It should further be noted that in the following steps the user whose MAC address is MAC1 is used as the example, and is referred to as user MAC1.
203. The CPU of the switch sets the state of user MAC1 to unconfirmed.
Because the switch cannot determine from which port the user will access while the user has not yet requested network access, the user's state is set to unconfirmed at this point.
204. The CPU writes the MAC address of user MAC1 into the switch chip in advance, in the form of a dynamic entry.
205. The port of this dynamic entry is set to the CPU port, and the source-match-drop attribute of the MAC1 entry is set.
The source-match-drop attribute corresponds to the unconfirmed state of 203: while user MAC1 is unconfirmed, the CPU sets source-match-drop on the MAC1 entry, and an entry with source-match-drop set is not matched to any port of the switch; in other words, user MAC1 cannot yet access the network through any port of the switch.
206. The switch receives a packet sent by user MAC1.
The embodiment is described with the example of a packet from user MAC1 arriving at the switch on port A.
207. The switch chip updates the port in the dynamic entry for user MAC1's MAC address to the port that actually received the packet.
Following 206, because user MAC1 accesses from port A, the port in the dynamic entry for user MAC1 is updated to port A.
Because the dynamic entry for user MAC1 still has source-match-drop set, user MAC1 still cannot access the network through any port of the switch.
208. The CPU detects that the port of the dynamic entry for user MAC1 in the switch chip has changed, and extracts the port and VLAN information.
The change is from the CPU port set earlier to the actual access port A.
209. The CPU compares the extracted port and VLAN information with the administrator's configuration.
Per 202, user MAC1 is permitted to access the network through port A, so the CPU further updates the dynamic entry for user MAC1 in the switch chip to a static entry.
A static entry cannot move; that is, when a user's MAC address entry is static, the user is bound to the port indicated by that entry and cannot move.
In another implementation of the embodiment, since in practice a user may shut down, go offline or move location, the user may not access the network through the previously bound port for a long time, or may instead access through another port. With the prior art, which allows a user to be bound to only one port, the user would then be unable to access the network normally.
To solve this problem, the embodiment provides the following implementation, described with the example of a user changing access port, as shown in Fig. 3: user MAC1 moves from port A of the switch to port B.
301. Port B of the switch receives a packet from user MAC1.
At this moment, per the description above, user MAC1 is still bound to port A.
302. The CPU clears the source-hit flag of MAC1 at a predetermined period; if within the set time the flag has not been set again by the switch chip, meaning the user has not accessed from that port again for a long time, the CPU changes the static entry of user MAC1 in the switch chip to a dynamic entry.
Specifically, the CPU periodically clears the source-hit flag of MAC1; for a user with a static entry, if the entry is not hit for a long time, the static entry in the switch chip is changed to a dynamic entry.
When the CPU clears the source-hit flag of MAC1 and changes the MAC address entry in the switch chip to a dynamic entry, the port of user MAC1 is set back to the CPU port, the CPU sets source-match-drop on the dynamic entry, and the state of user MAC1 is changed to unconfirmed.
303. A packet from user MAC1 arrives at the switch on port B, and the switch chip updates the port in the dynamic entry for MAC1 to port B.
304. The CPU detects that the port of the dynamic entry for user MAC1 in the chip has changed, and extracts the port and VLAN information of MAC1's actual access.
305. The CPU compares the extracted actual access port and VLAN information with the administrator's configuration.
Per the above, the administrator's configuration allows user MAC1 to access the network through port B. The extracted port B and VLAN information of MAC1's actual access are compared with the port and VLAN information configured for MAC1; when they are consistent, the user is determined to be legitimate, that is, MAC1's MAC address is legal and it is accessing the network from the legal port B.
Further, the dynamic entry for user MAC1 in the switch chip is updated to a static entry; when the entry is changed to static, the source-match flag is cleared and the state of user MAC1 is changed from unconfirmed to normal operation. User MAC1 can subsequently access the network normally through port B, having moved successfully from port A to port B.
It should also be noted that if user MAC1 then moves from port B to port C, the steps performed are the same as for the move from port A to port B. However, per the configuration described above, user MAC1 may access only through ports A and B, not through port C, so MAC1's packets continue to be dropped and MAC1 cannot move to port C.
It should be noted that the embodiment addresses the inability of prior-art port security to perform global binding. The prior art does have a technical scheme that can achieve global port security binding, namely ACLs (Access Control Lists).
Specifically, an ACL can globally register a user's MAC address and VLAN ID, allowing the user to access the network without being limited to particular ports, while also restricting illegitimate users' access. But ACL technology must use hardware resources of the switch chip, and ACL resources are scarce: many other functions also need them, a low-end switch typically has only a few hundred to one or two thousand ACL entries, and some low-end switches have no ACL resources at all. The use of ACLs is therefore severely constrained and unsuitable for general deployment. Compared with ACL technology, the scheme provided by the embodiment saves hardware resources and is widely applicable; the scheme is not further described in combination with ACL technology.
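The entry lifecycle described in steps 201 to 209 and 301 to 305 (and in the Fig. 1 method) can be followed end to end in a small simulation. The following is an added example, not code from the patent or from Maipu; the class and attribute names (PortSecuritySwitch, MacEntry, source_match_drop, source_hit, age_tick, run_scenario) are this example's own, the rules dictionary plays the role of the administrator's port security rules, and the MAC address, VLAN and port names are constructed sample data. The example goes slightly beyond the text by also accepting "*" as "all ports", the global binding the embodiment allows.

```python
"""Simulation of the multi-port port-security entry lifecycle (added example)."""
from dataclasses import dataclass

CPU_PORT = "cpu"  # entry port used while the user is still unconfirmed (step 205)


@dataclass
class MacEntry:
    """One switch-chip MAC table entry for a (MAC, VLAN) pair."""
    mac: str
    vlan: int
    port: str = CPU_PORT
    static: bool = False             # dynamic entries may move; static ones are bound
    source_match_drop: bool = True   # unconfirmed: frames from this source are dropped
    source_hit: bool = False         # set when a frame from the bound port hits the entry


class PortSecuritySwitch:
    def __init__(self, rules):
        # rules: constructed admin config {(mac, vlan): set of allowed ports};
        # "*" stands for "all ports".  Hardware learning is assumed off (step 201).
        self.rules = rules
        self.table = {}
        self.state = {}
        for key in rules:                      # steps 203-205: pre-install entries
            self.table[key] = MacEntry(*key)
            self.state[key] = "unconfirmed"

    def allowed(self, mac, vlan, port):
        ports = self.rules.get((mac, vlan), set())
        return "*" in ports or port in ports

    def receive(self, mac, vlan, port):
        """Return 'forward' or 'drop' for a frame with this source MAC/VLAN on port."""
        key = (mac, vlan)
        entry = self.table.get(key)
        if entry is None:
            return "drop"                      # learning off: unknown source fails lookup
        if entry.static:
            if entry.port == port:             # hit on the bound port
                entry.source_hit = True
                return "forward"
            return "drop"                      # static entries never move
        # dynamic entry: the chip moves it to the actual receiving port (step 207)
        previous = entry.port
        entry.port = port
        if previous != port:
            self._cpu_check(key, entry)        # steps 208-209
        # this frame was looked up while source-match-drop was set, so it is dropped
        return "drop"

    def _cpu_check(self, key, entry):
        """CPU compares the new port/VLAN with the admin rules (steps 209 / 305)."""
        if self.allowed(entry.mac, entry.vlan, entry.port):
            entry.static = True
            entry.source_match_drop = False
            self.state[key] = "normal"
        # otherwise the entry stays dynamic with source-match-drop: frames keep dropping

    def age_tick(self):
        """One aging period (step 302): a static entry whose source-hit flag was not
        set again since the last clearing reverts to an unconfirmed dynamic entry."""
        for key, entry in self.table.items():
            if entry.static and not entry.source_hit:
                entry.static = False
                entry.port = CPU_PORT
                entry.source_match_drop = True
                self.state[key] = "unconfirmed"
            entry.source_hit = False


MAC1 = "00:11:22:33:44:55"   # constructed sample MAC playing "user MAC1"


def run_scenario():
    """MAC1 allowed on ports A and B: attach on A, move to B, then try port C."""
    sw = PortSecuritySwitch({(MAC1, 10): {"A", "B"}})
    results = []
    results.append(sw.receive(MAC1, 10, "A"))  # first frame: checked, then dropped
    results.append(sw.receive(MAC1, 10, "A"))  # now static on A: forwarded
    results.append(sw.receive(MAC1, 10, "B"))  # still bound to A: frame on B dropped
    sw.age_tick()
    sw.age_tick()                              # no hits on A since clearing: reverts
    results.append(sw.receive(MAC1, 10, "B"))  # re-confirmed on B, this frame dropped
    results.append(sw.receive(MAC1, 10, "B"))  # forwarded from B
    sw.age_tick()
    sw.age_tick()
    results.append(sw.receive(MAC1, 10, "C"))  # C not in rules: stays dynamic
    results.append(sw.receive(MAC1, 10, "C"))
    return results, sw.state[(MAC1, 10)], sw.table[(MAC1, 10)].static


if __name__ == "__main__":
    print(run_scenario())
```

Two aging ticks are needed for a reversion because the first tick only clears a flag that the last forwarded frame had set; the entry reverts only if no frame from the bound port sets it again before the next tick. Note that the frame which triggers the port change is itself dropped, exactly as the text describes for step 207: only frames after the entry becomes static are forwarded.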
Another embodiment of the invention provides a device for global port security binding which, as shown in Fig. 4, comprises an acquiring unit 41, an updating unit 42, a judging unit 43 and a modifying unit 44.
The acquiring unit 41 is used, before a packet from the network user is received, to obtain the user's MAC address according to the network administrator's configuration and store it in the form of a dynamic entry, forming a MAC address entry of the switch chip.
The port of the MAC address entry is set to the CPU port.
The updating unit 42 is used, when a packet from the user is received, to update the MAC address entry formed by the acquiring unit 41.
It should be noted that the port of the updated MAC address entry is the port that actually received the packet.
The acquiring unit 41 is further used, after the updating unit 42 has updated the MAC address entry, to obtain the user's port and VLAN (virtual LAN) information.
The judging unit 43 is used to compare the user's port and VLAN information obtained by the acquiring unit 41 with the network administrator's configuration, to judge whether the user is a legitimate user.
The modifying unit 44 is used to change the MAC address entry to a static entry when the judging unit 43 determines that the user is legitimate.
Optionally, as shown in Fig. 5, the device further comprises a receiving unit 45 and a clearing unit 46.
The receiving unit 45 is used to receive the network administrator's configuration.
This configuration includes at least the correspondence between the network user and switch ports; the user corresponds to at least one port of the switch.
Further optionally, the judging unit 43 is specifically used to determine that the user is legitimate when the user's port and VLAN information are consistent with the configuration corresponding to that user in the administrator's configuration received by the receiving unit 45.
Specifically, the judging unit 43 determines whether the user is legitimate by judging whether the user's MAC address is legal and whether the user is accessing the network from a legal port.
Only when the user's MAC address is legal and the user is accessing the network from a legal port is the user determined to be legitimate.
The clearing unit 46 is used to clear, at a predetermined period, the source-hit flag in the static entry produced by the modifying unit 44.
The modifying unit 44 is further used, after the clearing unit 46 has cleared the source-hit flag, to change the user's static entry to a dynamic entry if within the set time the source-hit flag has not been set again by the switch chip.
The source-hit flag indicates that the user is accessing the network through the designated port.
In the device for implementing port security provided by the embodiment, while it cannot yet be determined from which port the network user will access, the acquiring unit stores the user's MAC address in the form of a dynamic entry; when a switch port receives the user's packet, the updating unit updates the stored dynamic entry, the judging unit determines, according to the obtained port and VLAN information, that the user is a legitimate user accessing from a legitimate port, and the modifying unit changes the user's MAC address entry to a static entry. In the prior art a user can be bound to only one switch port, and when the port receiving the packet is not the designated access port the user's packets are dropped and network access fails. The technical scheme provided by the embodiment allows a user to be bound to one, several or all ports of a switch, so that the user can access the network flexibly and securely.
The method described above applies not only to Ethernet switches but also to routers with switching functions; the switches mentioned in the embodiments therefore do not limit the invention.
From the above description of the embodiments, those skilled in the art will understand that the invention can be implemented by software plus the necessary general-purpose hardware, or by hardware alone, although in many cases the former is the better implementation. On this understanding, the part of the invention's technical scheme that contributes over the prior art can be embodied in the form of a software product stored on a readable storage medium, such as a computer floppy disk, hard disk or optical disc, containing instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the invention.
The above are only specific embodiments of the invention, and the scope of protection of the invention is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within its scope of protection, which is therefore defined by the scope of the claims.

Claims (10)

1. A method for implementing port security, characterized in that it comprises:
Before receiving a network user's message, obtaining the network user's MAC address according to the configuration of the network manager, and storing the network user's MAC address in the form of a dynamic entry to form a MAC address entry of the exchange chip, the port of the MAC address entry being set to the CPU port;
When the network user's message is received, updating the MAC address entry and obtaining the network user's port and virtual LAN (VLAN) information, the port of the updated MAC address entry being the port that actually received the message;
Comparing the network user's port and VLAN information with the configuration of the network manager to judge whether the network user is a legitimate user;
When the network user is determined to be a legitimate user, modifying the MAC address entry into a static entry.
2. The method according to claim 1, characterized in that the method further comprises:
Receiving the network manager's configuration, which comprises at least the correspondence between the network user and the ports of the switch; the network user corresponds to at least one port of the switch.
3. The method according to claim 2, characterized in that judging whether the network user is a legitimate user according to the network user's port and VLAN information comprises:
When the network user's port and VLAN information are consistent with the configuration corresponding to that network user in the network manager's configuration, determining that the network user is a legitimate user.
4. The method according to claim 3, characterized in that, after modifying the MAC address entry into a static entry, the method further comprises:
Clearing the source hit flag of the static entry according to a predetermined period;
If, within a set time after the source hit flag is cleared, the source hit flag is not set again by the exchange chip, modifying the network user's static entry into a dynamic entry;
The source hit flag indicates that the network user is accessing the network through the designated port.
5. The method according to any one of claims 1-4, characterized in that judging whether the network user is a legitimate user consists of judging whether the network user's MAC address is legal and whether the network user is accessing the network from a legal port.
6. A device for implementing port security, characterized in that it comprises:
An acquiring unit, configured to, before a network user's message is received, obtain the network user's MAC address according to the configuration of the network manager and store the network user's MAC address in the form of a dynamic entry to form a MAC address entry of the exchange chip, the port of the MAC address entry being set to the CPU port;
An updating unit, configured to update the MAC address entry formed by the acquiring unit when the network user's message is received, the port of the updated MAC address entry being the port that actually received the message;
The acquiring unit is further configured to obtain the network user's port and virtual LAN (VLAN) information after the updating unit has updated the MAC address entry;
A judging unit, configured to compare the network user's port and VLAN information obtained by the acquiring unit with the configuration of the network manager and judge whether the network user is a legitimate user;
A modifying unit, configured to modify the MAC address entry into a static entry when the judging unit determines that the network user is a legitimate user.
7. The device according to claim 6, characterized in that the device further comprises:
A receiving unit, configured to receive the network manager's configuration, which comprises at least the correspondence between the network user and the ports of the switch; the network user corresponds to at least one port of the switch.
8. The device according to claim 7, characterized in that the judging unit is specifically configured to determine that the network user is a legitimate user when the network user's port and VLAN information are consistent with the configuration corresponding to that network user in the network manager's configuration.
9. The device according to claim 7, characterized in that the judging unit is specifically configured to determine whether the network user is a legitimate user by judging whether the network user's MAC address is legal and whether the network user is accessing the network from a legal port.
10. The device according to any one of claims 6-8, characterized in that the device further comprises:
A clearing unit, configured to clear, according to a predetermined period, the source hit flag of the static entry modified by the modifying unit;
The modifying unit is further configured to modify the network user's static entry into a dynamic entry if, within a set time after the clearing unit clears the source hit flag, the source hit flag is not set again by the exchange chip;
The source hit flag indicates that the network user is accessing the network through the designated port.
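The procedure of claims 1-5, and the units of claims 6-10 that carry it out, as an added example that is not part of the patent: a small simulation of the MAC table in which a configured user starts as a dynamic entry on the CPU port, is learned on the port that actually receives its frame, becomes static only if that port and VLAN match the manager's binding, and falls back to dynamic when its source hit flag is not refreshed. Port names, VLAN ids and the single-period `age()` tick are constructed assumptions.

```python
# Added example, not the patent's own code: a simulation of the MAC-table state
# machine of claims 1-10; port names, VLAN ids and the age() tick are constructed.
from dataclasses import dataclass
from typing import Optional

CPU_PORT = "cpu"  # claim 1: pre-installed entries point at the CPU port

@dataclass
class MacEntry:
    port: str
    vlan: Optional[int] = None
    static: bool = False
    source_hit: bool = False  # set when a frame arrives on the bound port

class PortSecuritySwitch:
    def __init__(self, allowed: dict):
        # allowed maps a user's MAC to the set of (port, vlan) pairs the
        # network manager bound it to (claim 2: one or more ports).
        self.allowed = allowed
        self.table = {mac: MacEntry(port=CPU_PORT) for mac in allowed}

    def receive(self, mac: str, port: str, vlan: int) -> bool:
        """Process one frame from mac on port/vlan; True if it is forwarded."""
        entry = self.table.get(mac)
        if entry is None:
            return False  # MAC not in the manager's configuration: dropped
        if entry.static:
            # A static entry is never relearned: a frame from another port
            # (a MAC move) is dropped; on the bound port it sets the hit flag.
            if port == entry.port and vlan == entry.vlan:
                entry.source_hit = True
                return True
            return False
        # Dynamic entry: learn the actual receiving port and VLAN, then
        # compare them with the manager's configuration (claims 1, 3, 5).
        entry.port, entry.vlan = port, vlan
        if (port, vlan) in self.allowed[mac]:
            entry.static = entry.source_hit = True
            return True
        entry.port, entry.vlan = CPU_PORT, None  # assumption: reset to initial state
        return False

    def age(self) -> None:
        """Claim 4: clear hit flags each period; a static entry whose flag was not
        set again since the last clear reverts to dynamic (set time == period)."""
        for entry in self.table.values():
            if entry.static and entry.source_hit:
                entry.source_hit = False
            elif entry.static:
                entry.static, entry.port, entry.vlan = False, CPU_PORT, None
```

The fallback in `age()` is what lets a user bound to several ports move between them: the entry only becomes dynamic again once the user has been silent on the current port for a period.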
Application CN201410073440.XA, priority date 2014-02-28, filing date 2014-02-28: Method and device for implementing port safety. Status: Active. Granted as CN103825846B (en).

Publications (2)

Publication Number Publication Date
CN103825846A true CN103825846A (en) 2014-05-28
CN103825846B CN103825846B (en) 2017-02-15

Family

ID=50760682

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant