CN106161457A - Network domains isolating device based on SDN and method - Google Patents


Info

Publication number: CN106161457A
Authority: CN (China)
Prior art keywords: port, network domains, sdn, address, data message
Legal status: Granted
Application number: CN201610597418.4A
Other languages: Chinese (zh)
Other versions: CN106161457B (en)
Inventor: 刘昱
Current Assignee: Individual
Original Assignee: Individual
Events: application filed by Individual; priority to CN201610597418.4A; publication of CN106161457A; application granted; publication of CN106161457B; legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5069 Address allocation for group communication, multicast communication or broadcast communication


Abstract

An SDN-based network domain isolation device is applied to an SDN controller and comprises an isolation domain management unit, a message receiving unit and a data processing unit. The isolation domain management unit establishes a network domain list according to the user's requirements. The message receiving unit receives a data message that an SDN switch has received and forwarded to the controller, and records the destination MAC (Media Access Control) address in the data message and the port on which the SDN switch received the data message. The data processing unit looks up whether the MAC address and port relation table contains a port matching the destination MAC address; if so, it judges whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain of the network domain list; if so, it generates and issues a forwarding flow table according to the port matching the destination MAC address. The invention also provides an SDN-based network domain isolation method. The invention can control the scope of network message broadcasts and improves both the flexibility and the security of the network.

Description

Network domains isolating device based on SDN and method
Technical field
The present invention relates to the field of network communication, and in particular to an SDN-based network domain isolation device and method.
Background technology
Network domain isolation refers to dividing two or more computers or networks into isolated areas, so that networks that are harmful, or that have different security levels, purposes or types, can be kept apart; this ensures that data messages interact securely and share resources only within a trusted network, and controls the broadcast area of broadcast messages. Current methods of partitioning network domains mainly include the following. Access control technology: access control instructions are usually applied on the interfaces of routers or layer-3 switches; these instructions tell the router which packets to accept and which to refuse, and whether a packet is accepted or refused can be decided by specific conditions such as source address, destination address and port number. Virtual Local Area Network (VLAN) technology: a VLAN is a group of devices and users that are grouped logically rather than by physical location; they can be organized according to factors such as function, department and application, and communicate with each other as if they were in the same network segment, hence the name. The current network domain partitioning methods have the disadvantages of complex configuration and insufficient flexibility: if the two technologies above are used to implement general network isolation, they are used together and must be configured separately on the access devices and the aggregation devices (usually layer-3 switches), which is complex and error-prone; and in special scenarios that also require isolation, such as isolating between networks in the same VLAN or within the same network segment, the methods above are difficult to apply.
Summary of the invention
In view of this, an object of the present invention is to provide an SDN (Software Defined Network) based network domain isolation device and method, so that network isolation is more flexible, efficient and secure.
The SDN-based network domain isolation device provided in an embodiment of the present invention is applied to an SDN controller. The SDN controller is connected to SDN switches and holds a MAC address and port relation table. The device comprises an isolation domain management unit, a message receiving unit and a data processing unit. The isolation domain management unit establishes a network domain list according to the user's requirements; the network domain list includes the ports of the SDN switches in the network and divides the ports of the SDN switches into several network domains. The message receiving unit receives the data message that the SDN switch has received and forwarded, and records the destination MAC address in the data message and the port on which the SDN switch received the data message. The data processing unit looks up whether the MAC address and port relation table contains a port matching the destination MAC address; if so, it judges whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain of the network domain list; if so, it generates and issues a forwarding flow table according to the port matching the destination MAC address.
Preferably, when the MAC address and port relation table contains no port matching the destination MAC address, the data processing unit is further used to determine the network domain according to the port on which the data message was received, and then to broadcast to the other ports of the determined network domain, excluding the port on which the data message was received.
Preferably, the data processing unit is further used to judge whether the port matching the destination MAC address and the port on which the data message was received are located on the same SDN switch; if so, it generates and issues the forwarding flow table; if not, it further judges whether a reachable path exists between the port matching the destination MAC address and the port on which the data message was received; if there is a reachable path, it generates and issues the forwarding flow table accordingly; if there is no reachable path, it controls the SDN switch that received the data message to discard the data message.
Preferably, the network domain list may also include the MAC addresses of the associated hosts.
Preferably, the network domain list may also be viewed, updated and deleted according to the user's requirements.
The SDN-based network domain isolation method provided in a further embodiment of the present invention is applied to an SDN controller, the SDN controller being connected to SDN switches and holding a MAC address and port relation table. The method comprises: establishing a network domain list according to the user's requirements, the network domain list including the ports of the SDN switches in the network and dividing the ports of the SDN switches into several network domains; receiving the data message that the SDN switch has received and forwarded, and recording the destination MAC address in the data message and the port on which the SDN switch received the data message; looking up whether the MAC address and port relation table contains a port matching the destination MAC address; if so, judging whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain of the network domain list; and if so, generating and issuing a forwarding flow table according to the port matching the destination MAC address.
Preferably, if the MAC address and port relation table contains no port matching the destination MAC address, the network domain is determined according to the port on which the data message was received, and the message is then broadcast to the other ports of the determined network domain, excluding the port on which the data message was received.
Preferably, the step of generating and issuing a forwarding flow table according to the port matching the destination MAC address further comprises: judging whether the port matching the destination MAC address and the port on which the data message was received are located on the same SDN switch; if so, generating and issuing the forwarding flow table; if not, further judging whether a reachable path exists between the port matching the destination MAC address and the port on which the data message was received; if there is a reachable path, generating and issuing the forwarding flow table accordingly; if there is no reachable path, controlling the SDN switch that received the data message to discard the data message.
Preferably, the network domain list may also include the MAC addresses of the associated hosts.
Preferably, the network domain list may also be viewed, updated and deleted according to the user's requirements.
The SDN-based network domain isolation method above realizes free and flexible isolation of the network, effectively controls the scope of network message broadcasts without relying on traditional VLAN and access control functions, and thereby improves the security of the network to a certain degree.
The present invention is described below with reference to the drawings and specific embodiments, which are not intended as a limitation of the invention.
Brief description of the drawings
Fig. 1 is a diagram of the application environment of an embodiment of the SDN-based network domain isolation device 10 of the present invention.
Fig. 2 is a functional block diagram of an embodiment of the SDN-based network domain isolation device 10 of the present invention.
Fig. 3 is a functional block diagram of another embodiment of the SDN-based network domain isolation device 10 of the present invention.
Fig. 4 is a flow chart of an embodiment of the SDN-based network domain isolation method of the present invention.
Description of the main element symbols
SDN-based network domain isolation device 10
SDN controller 1
SDN switch 2
Isolation domain management unit 100
Message receiving unit 102
Data processing unit 104
Memory 106
Processor 108
The following detailed description further illustrates the present invention with reference to the drawings above.
Detailed description of the invention
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of those embodiments; obviously, the embodiments described are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
Fig. 1 is a diagram of the application environment of an embodiment of the SDN-based network domain isolation device 10 of the present invention. In Fig. 1, the SDN controller 1 is connected to several SDN switches 2, and the SDN switches 2 are connected to several hosts or subnets. In this embodiment, the hosts or subnets can be divided into multiple domains as required by the operator, so that network domain isolation is achieved and each network domain can be managed separately.
Fig. 2 is a functional block diagram of an embodiment of the SDN-based network domain isolation device 10 of the present invention. In Fig. 2, the SDN-based network domain isolation device 10 is applied to the SDN controller 1 and comprises the isolation domain management unit 100, the message receiving unit 102 and the data processing unit 104.
The isolation domain management unit 100 establishes the network domain list according to the user's requirements. A network domain is a region defined for a number of hosts or subnets. In this embodiment, hosts or subnets can be represented by the ports of the SDN switches 2, so the ports of the SDN switches 2 in the network are divided into several network domains, for example as in Table-1 below:
Table-1
Here, ports g0/1, g0/2 and g0/3 of the SDN switches 2 (SW1, SW2, SW3) are divided into domain A; ports g0/4, g0/5 and g0/6 of the SDN switches 2 (SW1, SW2) are divided into domain B; and ports g0/7, g0/8 and g0/9 of the SDN switch 2 (SW1) are divided into domain C. In addition, in this embodiment, the SDN controller 1 stores a MAC address and port relation table (MAC-PORT table). This table stores the correspondence between the MAC addresses of hosts learned by the SDN controller and the ports of the SDN switches 2; the information in the table is updated as messages are received, and the entries in the table can also be aged according to a cycle set by the user, with aged entries deleted immediately.
Of course, in other embodiments, the description of an isolation domain is not limited to switch ports as above; on that basis, the MAC addresses of hosts may also be added as a characterization. Table-2 is an example of adding host MACs for domain A of Table-1; domains B and C of Table-1 would be extended with host MACs in the same way as domain A in Table-2 and are not described again here.
Table-2
As illustrated in Table-2, domain A can be represented not only by "switch+port" as in Table-1, but also by "switch+MAC", "MAC" or "switch+port+MAC". In this way, isolation can be realized without interfering with traditional isolation means; that is, VLAN and access control functions can still be configured alongside this isolation scheme. At the same time, the method can satisfy more complex isolation scenarios, specifically: 1. finer-grained isolation based on "switch+port+MAC"; 2. isolation for special scenarios in a virtualized environment, that is, isolation based on "MAC" allows the isolation configuration to follow a virtual machine automatically when it drifts to another physical location.
In addition, in other embodiments, the isolation domain management unit 100 above can also be deployed as an independent module or application on the SDN controller 1; as long as it meets the functional and performance requirements for exchanging information with the other functional modules of the SDN-based network domain isolation device 10, the technical effect of the embodiment above can still be achieved.
The message receiving unit 102 receives the data message forwarded by the SDN switch 2 and records the destination MAC address in the data message and the port on which the SDN switch 2 received the data message (hereinafter the input port). In this embodiment, when an SDN switch 2 receives a data message sent by a host and has no matching forwarding flow table, it forwards the message to the SDN controller 1, where it is received by the message receiving unit 102, which records the destination MAC address in the data message and the input port of the SDN switch 2.
The data processing unit 104 looks up whether the MAC address and port relation table contains a port matching the destination MAC address (hereinafter the output port); if so, it judges whether the output port and the input port are in the same network domain of the network domain list; if so, it judges whether the output port and the input port are located on the same SDN switch; if so, it generates and issues a forwarding flow table according to the output port.
In this embodiment, if the MAC address and port relation table contains a port matching the destination MAC address, and the network domain list shows that this output port and the input port on which the data message was received are in the same network domain, but the output port and the input port are not on the same switch, the data processing unit 104 needs to judge whether the path between the input port and the output port is reachable. If it is reachable, it generates a forwarding flow table according to the determined output port and issues it to the relevant SDN switches 2; if it is unreachable, it controls the SDN switch 2 that received the data message to discard the data message.
In this embodiment, if the MAC address and port relation table contains a port matching the destination MAC address, but the network domain list shows that this output port and the input port on which the data message was received are not in the same network domain, the data processing unit 104 controls the SDN switch 2 that received the data message to discard the data message.
In other embodiments, if the MAC address and port relation table contains no port matching the destination MAC address, the data processing unit 104 queries the network domain list with the recorded input port to judge which network domain the input port belongs to. Once the network domain is determined, the data processing unit 104 has the data message broadcast to the ports of the determined network domain other than the input port, thereby forwarding the data message; if it cannot be determined which network domain the input port belongs to, the SDN switch 2 that received the data message is controlled to discard the data message. In this embodiment, when a response message from the destination host is received after the broadcast, the data processing unit 104 can also automatically update the MAC address and port relation table (MAC-PORT table) according to the received response message.
In the embodiment above, the data processing unit 104 also controls the SDN switch 2 that receives the forwarding flow table to store and update it, so that when a data message is received again the switch can judge whether a forwarding flow table matching the received data message exists and, if so, forward the data message directly, improving forwarding efficiency.
In the embodiment above, the isolation domain management unit 100 can also view, update and delete isolation domains according to the user's requirements, achieving flexible management of isolation domains.
Fig. 3 is a functional block diagram of another embodiment of the SDN-based network domain isolation device 10 of the present invention. In Fig. 3, the SDN-based network domain isolation device 10 comprises the isolation domain management unit 100, the message receiving unit 102, the data processing unit 104, a memory 106 and a processor 108. The isolation domain management unit 100, the message receiving unit 102 and the data processing unit 104 are stored in the memory 106 in the form of functional modules and executed by the processor 108 to realize the functions of those modules.
Fig. 4 is a flow chart of an embodiment of the SDN-based network domain isolation method of the present invention; the method is applied to the SDN-based network domain isolation device 10 of Fig. 2 or Fig. 3, which may reside in the SDN controller 1.
In step S400, the isolation domain management unit 100 establishes the network domain list according to the user's requirements. A network domain is a region defined for a number of hosts or subnets. In this embodiment, hosts or subnets can be characterized by the ports of the SDN switches 2, so the ports of the SDN switches 2 in the network are divided accordingly, the specific division of the network domain list being as described above for Table-1. In addition, in this embodiment, the SDN controller 1 stores a MAC address and port relation table (MAC-PORT table), which stores the correspondence between the MAC addresses learned by the SDN controller and the ports of the SDN switches 2; the information in the table is updated as messages are received, and the entries in the table can also be aged according to a configured cycle, with aged entries deleted immediately.
Of course, in other embodiments, the description of an isolation domain is not limited to the ports of the SDN switches 2 as above; on that basis, the MAC addresses of hosts may also be added as a characterization, as described above for Table-2.
In addition, in other embodiments, the isolation domain management unit 100 above can also serve as an independent module integrated as an application on the SDN controller 1; as long as it meets the functional and performance requirements for exchanging information with the other functional modules of the SDN-based network domain isolation device 10, the technical effect of the embodiment above can still be achieved.
In step S402, the message receiving unit 102 receives the data message forwarded by the SDN switch 2 and records the destination MAC address in the data message and the port on which the SDN switch 2 received the data message (hereinafter the input port). In this embodiment, when an SDN switch 2 receives a data message sent by a host, it forwards the message to the SDN controller 1, where it is received by the message receiving unit 102, which records the destination MAC address in the data message and the input port of the SDN switch 2 that received the data message.
In step S404, the data processing unit 104 looks up whether the MAC address and port relation table contains a port matching the destination MAC address (hereinafter the output port).
In step S406, when the MAC address and port relation table contains a port matching the destination MAC address, the data processing unit 104 judges whether the output port and the input port on which the SDN switch 2 received the data message are in the same network domain of the network domain list.
In step S408, when the output port and the input port on which the SDN switch 2 received the data message are in the same network domain of the network domain list, the data processing unit 104 judges whether the output port and the input port are located on the same SDN switch.
In step S410, when the output port and the input port are located on the same SDN switch, the data processing unit 104 generates and issues a forwarding flow table according to the output port.
In step S412, when the output port and the input port are not located on the same SDN switch, the data processing unit 104 further judges whether a reachable path exists between the input port on which the data message was received and the determined output port.
In step S414, when the data processing unit 104 judges that no reachable path exists between the input port and the determined output port, it controls the SDN switch 2 to discard the data message. If the data processing unit 104 judges that a reachable path exists between the input port and the determined output port, it returns to step S410 and generates and issues the forwarding flow table according to the output port.
In addition, when the data processing unit 104 judges in step S406 that the output port and the input port on which the SDN switch 2 received the data message are not in the same network domain of the network domain list, it likewise controls the SDN switch 2 that received the data message to discard the data message, as in step S414.
In step S416, if the data processing unit 104 finds no port matching the destination MAC address in the MAC address and port relation table, it queries the network domain list with the recorded input port to judge which network domain the input port belongs to; after determining the network domain, the data processing unit 104 has the data message broadcast to the ports of the determined network domain other than the input port, thereby forwarding the data message.
Of course, in this embodiment, if the data processing unit 104 cannot determine from the network domain list which network domain the input port belongs to, it can, depending on the configuration, either control the SDN switch 2 that received the data message to discard the data message or broadcast it within a public network domain.
In the method of the embodiment above, the data processing unit 104 also controls the SDN switch 2 that receives the forwarding flow table to store and update it, so that when a data message is received again the switch can judge whether a forwarding flow table matching the received data message exists, improving the forwarding efficiency of data messages.
In the method of the embodiment above, the isolation domain management unit 100 can also view, update and delete isolation domains according to the user's requirements, achieving flexible management of isolation domains.
In the method of the embodiment above, the isolation domain management unit 100 can also specify, according to the user's requirements, legitimacy rules for the ownership of MAC addresses and ports, and check the correspondences in the MAC-PORT table and the network domain list (Table-1, Table-2) against these rules, so that both the correspondences learned automatically and those entered by the user have a certain security assurance.
By performing the SDN-based network domain isolation method above, free and flexible network isolation is realized; the scope of network message broadcasts is effectively controlled without relying on traditional VLAN and access control functions, improving the security of the network to a certain degree. At the same time, this method can satisfy more complex isolation scenarios, for example finer-grained isolation based on a specific port+MAC, or isolation for special scenarios in a virtualized environment, that is, isolation based on the host MAC allows the isolation configuration to follow a virtual machine automatically when it migrates to another physical location.
It should be noted that the embodiments described above are not intended to limit the protection scope of the invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention shall be included in the protection scope of the invention.

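The controller-side decision logic of steps S400 to S416 (MAC-PORT lookup, same-domain check, same-switch check, reachability test, in-domain broadcast, drop), together with MAC-PORT aging and the MAC/port ownership legitimacy rule, as an added Python example that is not part of the patent or of any implementation of it. The domain split follows Table-1; the switch links, source-MAC learning on packet-in, the age counter and the per-MAC domain registration (the "MAC" form of Table-2) are constructed assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    INSTALL_FLOW = "generate and issue a forwarding flow table towards the output port"
    BROADCAST_IN_DOMAIN = "broadcast to the other ports of the input port's network domain"
    DROP = "control the ingress SDN switch to discard the data message"


@dataclass(frozen=True)
class Port:
    switch: str   # e.g. "SW1"
    name: str     # e.g. "g0/1"


@dataclass
class Controller:
    # Network domain list (step S400): domain name -> set of switch ports ("switch+port" form).
    domains: Dict[str, Set[Port]]
    # Switch-to-switch links for the reachability test (step S412); an assumed topology, not from the patent.
    links: Dict[str, Set[str]]
    # "MAC" form of Table-2 (assumed): MAC address -> the domain it is registered to (legitimacy rule).
    mac_domains: Dict[str, str] = field(default_factory=dict)
    # MAC-PORT table: learned MAC -> switch port, plus an age counter per entry.
    mac_port: Dict[str, Port] = field(default_factory=dict)
    ages: Dict[str, int] = field(default_factory=dict)
    aging_cycle: int = 3

    def domain_of(self, port: Port) -> Optional[str]:
        return next((name for name, ports in self.domains.items() if port in ports), None)

    def reachable(self, src_switch: str, dst_switch: str) -> bool:
        """Breadth-first search over the switch links."""
        seen, queue = {src_switch}, deque([src_switch])
        while queue:
            cur = queue.popleft()
            if cur == dst_switch:
                return True
            for nxt in self.links.get(cur, set()) - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False

    def learn(self, mac: str, port: Port) -> bool:
        """Update the MAC-PORT table from a received message.

        The entry is rejected when the port belongs to no domain, or when the MAC is
        registered to a domain other than the port's (the MAC/port ownership rule).
        """
        domain = self.domain_of(port)
        if domain is None or self.mac_domains.get(mac, domain) != domain:
            return False
        self.mac_port[mac] = port
        self.ages[mac] = 0
        return True

    def age(self) -> None:
        """One aging cycle: entries that reach the configured age are deleted immediately."""
        for mac in list(self.ages):
            self.ages[mac] += 1
            if self.ages[mac] >= self.aging_cycle:
                del self.ages[mac], self.mac_port[mac]

    def packet_in(self, src_mac: str, dst_mac: str, in_port: Port) -> Tuple[Action, List[Port]]:
        """Decide what the controller tells the switch for a message that matched no flow table."""
        self.learn(src_mac, in_port)                      # assumed: source-MAC learning on packet-in
        in_domain = self.domain_of(in_port)
        out_port = self.mac_port.get(dst_mac)             # step S404
        if out_port is None:                              # step S416: unknown destination
            if in_domain is None:
                return Action.DROP, []
            others = self.domains[in_domain] - {in_port}
            return Action.BROADCAST_IN_DOMAIN, sorted(others, key=lambda p: (p.switch, p.name))
        if in_domain is None or self.domain_of(out_port) != in_domain:
            return Action.DROP, []                        # step S406 failed: cross-domain traffic
        if out_port.switch == in_port.switch:             # steps S408/S410: same switch
            return Action.INSTALL_FLOW, [out_port]
        if self.reachable(in_port.switch, out_port.switch):  # step S412
            return Action.INSTALL_FLOW, [out_port]
        return Action.DROP, []                            # step S414: no reachable path


def build_table1_controller() -> Controller:
    """Controller populated with the domain split of Table-1 (links and MAC registration are constructed)."""
    def ports(switches, numbers):
        return {Port(sw, f"g0/{n}") for sw in switches for n in numbers}
    domains = {
        "A": ports(("SW1", "SW2", "SW3"), (1, 2, 3)),
        "B": ports(("SW1", "SW2"), (4, 5, 6)),
        "C": ports(("SW1",), (7, 8, 9)),
    }
    links = {"SW1": {"SW2"}, "SW2": {"SW1"}, "SW3": set()}   # SW3 has no path to SW1 or SW2
    return Controller(domains=domains, links=links, mac_domains={"00:00:00:00:00:01": "A"})


if __name__ == "__main__":
    ctl = build_table1_controller()
    print(ctl.packet_in("00:00:00:00:00:01", "00:00:00:00:00:02", Port("SW1", "g0/1")))
```
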
Claims (10)

1. a network domains partition method based on SDN, is applied to SDN controller, and described SDN controller connects SDN switch, And include MAC Address and port relation table, it is characterised in that including:
Setting up network domains list according to user's request, described network domains list includes the port of SDN switch described in network, and The port of described SDN switch is divided into several network domains;
Receive the data message that described SDN switch receives and forwards, and record target MAC (Media Access Control) address in described data message with And described SDN switch receives the port of described data message;
Search whether described MAC Address exists the port mating described target MAC (Media Access Control) address with port relation table;
If existing, then judge that the port of the described target MAC (Media Access Control) address of described coupling receives described data message with described SDN switch Port whether be present in the same described network domains in described network domains list;
The most then generate and issue forwarding flow table according to the port of the described target MAC (Media Access Control) address of described coupling.
2. network domains partition method based on SDN as claimed in claim 1, it is characterised in that also include:
If described MAC Address does not exist the described port mating described target MAC (Media Access Control) address with port relation table, then connect described in foundation The port receiving described data message determines described network domains, and then for the described network domains determined is removed the described number of described reception Broadcast according to other ports outside the port of message.
3. The SDN-based network domain isolation method according to claim 1, characterised in that the step of generating and issuing a forwarding flow table according to the port matching the destination MAC address further comprises:
judging whether the port matching the destination MAC address and the port that received the data message are located on the same SDN switch;
if they are, generating and issuing the forwarding flow table;
if they are not, further judging whether a reachable path exists between the port matching the destination MAC address and the port that received the data message;
if a reachable path exists, generating and issuing the forwarding flow table accordingly;
if no reachable path exists, instructing the SDN switch that received the data message to discard the data message.
4. The SDN-based network domain isolation method according to claim 1, characterised in that the network domain list may further include the MAC addresses of associated hosts.
5. The SDN-based network domain isolation method according to claim 1, characterised in that the network domain list may further be viewed, updated and deleted according to user requirements.
6. An SDN-based network domain isolation device, applied to an SDN controller, wherein the SDN controller is connected to SDN switches and includes a MAC address and port relation table, characterised in that the device comprises:
an isolation domain management unit, for establishing a network domain list according to user requirements, the network domain list including the ports of the SDN switches in the network, the ports of the SDN switches being divided into several network domains;
a message receiving unit, for receiving a data message that an SDN switch has received and forwarded, and recording the destination MAC address in the data message and the port on which the SDN switch received the data message; and
a data processing unit, for searching the MAC address and port relation table for a port matching the destination MAC address; if such a port exists, judging whether the port matching the destination MAC address and the port on which the SDN switch received the data message belong to the same network domain in the network domain list; and if they do, generating and issuing a forwarding flow table according to the port matching the destination MAC address.
7. The SDN-based network domain isolation device according to claim 6, characterised in that the data processing unit is further configured, when no port matching the destination MAC address exists in the MAC address and port relation table, to determine the network domain according to the port that received the data message, and then to broadcast the data message to the other ports of the determined network domain, excluding the port that received the data message.
8. The SDN-based network domain isolation device according to claim 6, characterised in that the data processing unit is further configured to judge whether the port matching the destination MAC address and the port that received the data message are located on the same SDN switch; if they are, to generate and issue the forwarding flow table; if they are not, to further judge whether a reachable path exists between the port matching the destination MAC address and the port that received the data message; if a reachable path exists, to generate and issue the forwarding flow table accordingly; and if no reachable path exists, to instruct the SDN switch that received the data message to discard the data message.
9. The SDN-based network domain isolation device according to claim 6, characterised in that the network domain list may further include the MAC addresses of associated hosts.
10. The SDN-based network domain isolation device according to claim 6, characterised in that the network domain list may further be viewed, updated and deleted according to user requirements.
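The decision procedure of method claims 1 to 3, and the same logic split across the units of device claims 6 to 8, can be modelled as a small controller that answers a packet-in with one of three actions: issue a flow to the matched port, flood inside the ingress port's domain, or drop. The following is an added example written for this page; it is not code from the patent or from any product. Switch names, port numbers, the domain names A and B, the `learn()` routine that fills the MAC address and port relation table from source MACs, and the choice to drop traffic whose ports lie in different domains are all assumptions made for the example (the claims say only that a flow is issued when the domains match).

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A switch port is identified by (switch id, port number). The identifiers
# used below are constructed for this example; the patent names none.
Port = Tuple[str, int]


@dataclass
class Decision:
    """What the controller tells the ingress switch to do with one packet-in."""
    action: str                                   # "flow", "flood" or "drop"
    out_port: Optional[Port] = None               # set for "flow"
    flood_ports: List[Port] = field(default_factory=list)  # set for "flood"


class DomainIsolationController:
    def __init__(self, domains: Dict[str, Set[Port]], links: List[Tuple[Port, Port]]):
        # Network domain list (claim 1): domain name -> switch ports in that domain.
        self.domains = domains
        self.port_domain = {p: name for name, ports in domains.items() for p in ports}
        # MAC address and port relation table (claims 1 to 3), filled by learn().
        self.mac_table: Dict[str, Port] = {}
        # Inter-switch links, reduced to a switch-level adjacency for the
        # reachability test of claim 3.
        self.adj: Dict[str, Set[str]] = {}
        for (sw_a, _), (sw_b, _) in links:
            self.adj.setdefault(sw_a, set()).add(sw_b)
            self.adj.setdefault(sw_b, set()).add(sw_a)

    def learn(self, mac: str, port: Port) -> None:
        """Record that `mac` was seen behind `port`. Source-MAC learning is an
        assumption of this example; the claims only state that the table exists."""
        self.mac_table[mac] = port

    def reachable(self, sw_from: str, sw_to: str) -> bool:
        """Breadth-first search over the inter-switch adjacency."""
        seen, queue = {sw_from}, deque([sw_from])
        while queue:
            sw = queue.popleft()
            if sw == sw_to:
                return True
            for nxt in self.adj.get(sw, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def packet_in(self, in_port: Port, src_mac: str, dst_mac: str) -> Decision:
        self.learn(src_mac, in_port)
        domain = self.port_domain.get(in_port)
        match = self.mac_table.get(dst_mac)

        if match is None:
            # Claim 2: unknown destination. Flood only inside the ingress
            # port's domain, excluding the ingress port itself.
            members = self.domains.get(domain, set()) if domain else set()
            return Decision("flood", flood_ports=sorted(p for p in members if p != in_port))

        # Claim 1: both ports must lie in the same network domain. Dropping
        # everything else is the isolating choice assumed here.
        if domain is None or self.port_domain.get(match) != domain:
            return Decision("drop")

        # Claim 3: same switch -> issue the flow directly; otherwise a
        # reachable path between the two switches is required.
        if match[0] == in_port[0] or self.reachable(in_port[0], match[0]):
            return Decision("flow", out_port=match)
        return Decision("drop")


# Constructed sample topology: s1 and s2 are linked, s3 has no uplink.
SAMPLE_DOMAINS = {
    "A": {("s1", 1), ("s1", 2), ("s2", 1), ("s3", 1)},
    "B": {("s1", 3), ("s2", 2)},
}
SAMPLE_LINKS = [(("s1", 10), ("s2", 10))]


def demo() -> List[Decision]:
    """Walk one packet-in per branch of the claims and return the decisions."""
    ctl = DomainIsolationController(SAMPLE_DOMAINS, SAMPLE_LINKS)
    return [
        ctl.packet_in(("s1", 1), "aa:aa", "bb:bb"),  # unknown dst -> flood within A
        ctl.packet_in(("s1", 2), "cc:cc", "aa:aa"),  # same switch, same domain -> flow
        ctl.packet_in(("s2", 1), "dd:dd", "aa:aa"),  # other switch, path exists -> flow
        ctl.packet_in(("s3", 1), "ee:ee", "aa:aa"),  # same domain, no path -> drop
        ctl.packet_in(("s1", 3), "ff:ff", "aa:aa"),  # domain B to domain A -> drop
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The flood in the unknown-destination branch spans every switch in the domain, which is what claim 2 asks for; a real controller would translate each returned port into a packet-out on its switch, and the "flow" action into a flow-mod along the path found by `reachable()`. The separate `learn()` method is where a MAC list per domain (claims 4 and 9) could be consulted before accepting an entry.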
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610597418.4A CN106161457B (en) 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610597418.4A CN106161457B (en) 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN

Publications (2)

Publication Number Publication Date
CN106161457A true CN106161457A (en) 2016-11-23
CN106161457B CN106161457B (en) 2019-09-27

Family

ID=58059915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610597418.4A Active CN106161457B (en) 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN

Country Status (1)

Country Link
CN (1) CN106161457B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166876A (en) * 2011-12-08 2013-06-19 中兴通讯股份有限公司 Transmission method for data among OpenFlow network domains and device
CN103986663A (en) * 2014-05-08 2014-08-13 中国联合网络通信集团有限公司 Data center, method for processing data and network controller
CN105227363A (en) * 2015-10-08 2016-01-06 上海斐讯数据通信技术有限公司 A kind of whole network port separation method based on SDN and device
US20160080505A1 (en) * 2014-09-16 2016-03-17 Telefonaktiebolaget L M Ericsson (Publ) Method and system of session-aware load balancing
CN105703960A (en) * 2016-04-25 2016-06-22 刘昱 Network function management system based on SDN and method thereof
US20160182378A1 (en) * 2014-12-18 2016-06-23 Telefonaktiebolaget L M Ericsson (Publ) Method and system for load balancing in a software-defined networking (sdn) system upon server reconfiguration

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534201A (en) * 2016-12-26 2017-03-22 杭州盈高科技有限公司 Virtual machine risk rapid isolation method under software defined network (SDN) environment
CN106878986A (en) * 2017-01-05 2017-06-20 新华三技术有限公司 A kind of user isolation method and device
CN106878986B (en) * 2017-01-05 2021-03-26 新华三技术有限公司 User isolation method and device
CN106961394A (en) * 2017-03-31 2017-07-18 联想(北京)有限公司 Suppress interchanger to flood the method and apparatus of storm
CN107733718A (en) * 2017-11-03 2018-02-23 中国电子科技网络信息安全有限公司 A kind of security isolation detection method for extensive SDN
CN107733718B (en) * 2017-11-03 2020-11-03 中国电子科技网络信息安全有限公司 Security isolation detection method for large-scale SDN network
CN111835859A (en) * 2020-07-20 2020-10-27 安徽华速达电子科技有限公司 Method for operating local area network equipment controller in cross-network segment mode and intelligent optical network equipment
CN112804131A (en) * 2021-01-08 2021-05-14 上海自恒信息科技有限公司 Access control method based on VLAN structure

Also Published As

Publication number Publication date
CN106161457B (en) 2019-09-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant