CN107071085A - Network device MAC address configuration method and device - Google Patents

Network device MAC address configuration method and device

Info

Publication number: CN107071085A
Application number: CN201710258099.9A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: user, interface, source mac, message, information table
Legal status: Pending (as listed by Google; not a legal conclusion)
Inventors: 李璇, 马臻, 王伟
Current assignee: New H3C Technologies Co Ltd (as listed by Google; may be inaccurate)
Original assignee: New H3C Technologies Co Ltd
Priority date:
Filing date:
Publication date:

Classifications

All three classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication).

    • H04L 2101/00 Indexing scheme associated with group H04L 61/00 > H04L 2101/60 Types of network addresses > H04L 2101/618 Details of network addresses > H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming > H04L 61/50 Address allocation > H04L 61/5084 Providing for device mobility
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 By monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Small-Scale Networks
Abstract

This disclosure relates to a network device MAC address configuration method and device. The method includes: according to a message received on a first interface, obtaining the source MAC address and user feature information of the message; when the source MAC address exists in an information table and the outgoing interface recorded in the information table for that source MAC address differs from the first interface, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and, when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface. With the network device MAC address configuration method and device of the disclosure, user detection is performed before the MAC address of the network device is configured, so that the authenticity and correctness of the user can be effectively detected, illegitimate users are prevented from constructing forged messages to attack the network, and network security is ensured.

Description

Network equipment MAC Address collocation method and device
Technical field
This disclosure relates to the field of communication technology, and in particular to a network device MAC address configuration method and device.
Background technology
A MAC (Media Access Control) address, also called a media access control address, physical address or hardware address, identifies the location of a network device.
A network device can configure the mapping between the MAC addresses of the devices connected to it and its own interfaces through a static table; when a connected device moves, or when a new device is connected to the network device, the static table configuration is changed by hand. Configuring the MAC-address-to-interface mapping through a static table can improve the security and stability of the network, but it is inconvenient to use and modify, and it is easy to misconfigure and thereby cause a network failure.
The content of the invention
In view of this, the present disclosure proposes a network device MAC address configuration method and device that can prevent illegitimate users from attacking the network and ensure network security, while solving the problem that manual static configuration is inconvenient and easy to get wrong, causing network failures.
According to one aspect of the disclosure, a network device MAC address configuration method is provided, including: according to a message received on a first interface, obtaining the source MAC address and user feature information of the message; when the source MAC address exists in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and, when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface.
According to another aspect of the disclosure, a network device MAC address configuration device is provided, including: an acquisition module, for obtaining the source MAC address and user feature information of a message received on a first interface; a detection module, for detecting, when the source MAC address exists in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and a first setting module, for setting the outgoing interface corresponding to the source MAC address in the information table to the first interface when the user is detected to be a legitimate user.
The legitimacy of the user sending the message is judged by detecting the user feature information, and the MAC address of the network device is configured only when the user is detected to be legitimate. The network device MAC address configuration method and device of the above embodiments perform user detection before a MAC address is migrated, so the authenticity and correctness of the user can be effectively detected, illegitimate users are prevented from constructing forged messages to attack the network, and network security and stability are ensured, while the need to modify static MAC configuration by hand, and the network failures caused by manual misconfiguration, are reduced.
Other features and aspects of the disclosure will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate exemplary embodiments, features and aspects of the disclosure together with the specification, and serve to explain the principles of the disclosure.
Fig. 1 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure.
Fig. 2 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure.
Fig. 3 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure.
Fig. 4 shows a flow chart of an example of step S12 of the network device MAC address configuration method according to one embodiment of the disclosure.
Fig. 5 shows an application example diagram of the network device MAC address configuration method according to one example of the disclosure.
Fig. 6 shows an application example diagram of the network device MAC address configuration method according to one example of the disclosure.
Fig. 7 shows a schematic diagram of the process of detecting whether a user is legitimate according to one example of the disclosure.
Fig. 8 shows an application example diagram of the network device MAC address configuration method according to another example of the disclosure.
Fig. 9 shows a block diagram of the network device MAC address configuration device according to one embodiment of the disclosure.
Fig. 10 shows a block diagram of the network device MAC address configuration device according to one embodiment of the disclosure.
Fig. 11 shows a block diagram of the network device MAC address configuration device according to one embodiment of the disclosure.
Embodiment
Various exemplary embodiments, features and aspects of the disclosure are described in detail below with reference to the accompanying drawings. The same reference signs in the drawings denote elements with the same or similar function. Although various aspects of the embodiments are shown in the drawings, the drawings need not be drawn to scale unless specifically indicated.
The word "exemplary" is used herein to mean "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are given in the following embodiments in order to better illustrate the disclosure. Those skilled in the art will understand that the disclosure can equally be implemented without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, in order to highlight the gist of the disclosure.
Fig. 1 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure. The method can be applied to a network device such as a router, hub or switch, and also to a virtual network device, a server, and so on. As shown in Fig. 1, the method includes:
Step S11: according to a message received on a first interface, obtain the source MAC address and user feature information of the message.
A message is the data unit exchanged and transmitted in a network, that is, the block of data a station sends at one time. During transmission it is repeatedly encapsulated into packets, datagrams and data frames; encapsulation adds information segments, and an added segment can be a message header (also called a header), which is data organized in a defined format. Taking an actual IP-based networking application as an example, the header can include information such as the protocol type (e.g. TCP or UDP), source IP address, destination IP address, source MAC address, destination MAC address, source port number and destination port number.
In this example, after receiving the message on the first interface, the network device can parse the header to obtain the information it needs, for example the source MAC address and user feature information of the message. User feature information refers to information that distinguishes different users, such as the application programs a user can load or the characteristics of the services it provides; for example, information representing the service type, which can specifically be a UDP port number, a TCP port number, and so on. The UDP protocol uses the UDP port to distinguish between multiple application programs running on the same device. User features can also be recognized from application-layer information, for example from application file information (file name, suffix), and the disclosure is not limited in this respect.
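The header parsing that step S11 relies on, as an added example that is not part of the patent or of any H3C code: it walks an Ethernet II frame, an optional 802.1Q tag, the IPv4 header and the TCP/UDP port fields, checking every length before slicing so that a truncated or malformed frame is rejected rather than yielding bogus feature information. The frame builder and the sample frame are constructed here for the example; the function and field names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# EtherTypes and IP protocol numbers the parser recognises.
ETH_P_8021Q = 0x8100   # IEEE 802.1Q VLAN tag
ETH_P_IP = 0x0800      # IPv4
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class FrameInfo:
    """Header fields the configuration method needs from one received frame."""
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None        # "TCP", "UDP" or None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> FrameInfo:
    """Parse Ethernet II [+ 802.1Q] [+ IPv4 [+ TCP/UDP]] headers.

    Every length is checked before slicing, so a truncated or malformed
    frame raises ValueError instead of producing garbage fields.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off = 14
    info = FrameInfo(src_mac=_mac(src), dst_mac=_mac(dst))
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.vlan_id = tci & 0x0FFF
        off = 18
    if ethertype != ETH_P_IP:
        return info                     # ARP, IPv6, ...: only L2 fields available
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        raise ValueError("missing or non-IPv4 header")
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        raise ValueError("bad IPv4 header length")
    proto = frame[off + 9]
    info.src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
    info.dst_ip = ".".join(str(b) for b in frame[off + 16:off + 20])
    l4 = off + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(frame) < l4 + 4:
            raise ValueError("truncated transport header")
        info.proto = "TCP" if proto == IPPROTO_TCP else "UDP"
        info.src_port, info.dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def user_feature(info: FrameInfo) -> Optional[Tuple[str, int]]:
    """Service-type feature as the patent describes it: (protocol, port).

    Only the port carried by this one frame is returned; the patent later
    works with a set of ports gathered by scanning, which is a separate step.
    """
    if info.proto is None:
        return None
    return (info.proto, info.src_port)


def build_udp_frame(src_mac: str, dst_mac: str, vlan_id: Optional[int],
                    src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes = b"") -> bytes:
    """Construct a test frame (checksums left zero; the parser does not verify them)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is None:
        eth += struct.pack("!H", ETH_P_IP)
    else:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


if __name__ == "__main__":
    # Constructed sample: tagged frame on VLAN 10 from the patent's example user.
    f = build_udp_frame("00:00:00:00:00:01", "00:00:00:00:00:ff", 10,
                        "10.0.10.1", "10.0.10.254", 101, 5000)
    print(parse_frame(f), user_feature(parse_frame(f)))
```

A real device reads these fields from the forwarding ASIC rather than from Python, but the checks are the same: a frame that is not IPv4 (ARP, for instance) still yields a source MAC and can still be learned, while it carries no service-type feature at all, so any later legitimacy check must treat "no feature" as a distinct case rather than as an empty match.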
Step S12: when the source MAC address exists in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detect whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address.
Fig. 5 and Fig. 6 show application example diagrams of the network device MAC address configuration method according to one example of the disclosure.
As shown in Fig. 5, the network device can include multiple interfaces (for example, interface A and interface B), and an information table is stored in the network device. In one possible embodiment, the information table records MAC addresses, the outgoing interface corresponding to each MAC address, user feature information, and so on.
As shown in Fig. 6, after the network device receives a message on the first interface (interface B) and obtains its source MAC address, it looks up whether that source MAC address has been recorded in the information table. If the source MAC address exists in the information table, the network device may previously have received a message sent by the user corresponding to that source MAC address (the MAC address may have been learned on interface B or on interface A), or the source MAC address may have been statically configured. The network device then checks whether the outgoing interface recorded in the information table for the source MAC address is the same as the first interface (interface B). When the recorded outgoing interface differs from the first interface, network device MAC address configuration is required, and the identity of the user is detected before the configuration to confirm whether it is a legitimate user, so as to prevent an illegitimate user from constructing forged messages to attack the network.
Step S13: when the user is detected to be a legitimate user, set the outgoing interface corresponding to the source MAC address in the information table to the first interface.
As shown in Fig. 5, when the network device detects, according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address, that the user is a legitimate user, it changes the outgoing interface corresponding to the source MAC address in the information table to the first interface (interface B), that is, it sets the outgoing interface corresponding to the source MAC address to the first interface (interface B).
In one possible embodiment, the user feature information recorded in the information table for the source MAC address is also updated, so that user legitimacy can be detected again before the next MAC address configuration.
The legitimacy of the user sending the message is judged by detecting the user feature information, and the MAC address of the network device is configured only when the user is detected to be legitimate. The network device MAC address configuration method of the above embodiment performs user detection before a MAC address is configured, so the authenticity and correctness of the user can be effectively detected, illegitimate users are prevented from constructing forged messages to attack the network, and network security and stability are ensured, while the need to modify static MAC configuration by hand, and the network failures caused by manual misconfiguration, are reduced.
In the related art, the above problem is solved by configuring a static MAC entry that binds the MAC address to a fixed interface and by changing the static MAC entry when the user migrates. For example, when the outgoing interface corresponding to the MAC address in the MAC address entry is changed to interface B, the static MAC entry is changed by hand at the same time so that the MAC address is bound to interface B. Changing static MAC configuration by hand is inconvenient, however, and easily leads to configuration errors that cause network failures. With the network device MAC address configuration method of the above embodiment, MAC address configuration is performed only when the user is detected to be legitimate, which addresses the problem of illegitimate users constructing forged messages to attack the network without any need to change static MAC entries by hand, reducing both the burden of changing static MAC configuration by hand and the network failures caused by manual misconfiguration.
Fig. 2 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure. As shown in Fig. 2, based on the embodiment shown in Fig. 1, the method of this embodiment further includes:
Step S14: when the source MAC address does not exist in the information table, record in the information table the correspondence between the source MAC address, the first interface and the user feature information carried by the message.
As shown in Fig. 6, when the source MAC address does not exist in the information table, this is the first time the network device has received a message sent by the user corresponding to that source MAC address. The network device learns the user's source MAC address through the first interface (interface B) and records in the information table the correspondence between the source MAC address, the first interface (interface B) corresponding to it, the user feature information carried by the message, and so on, so that it can detect whether the user is legitimate before the next MAC address configuration for that user.
The information table can be the MAC address table stored by the network device, or a newly created list that records the correspondence between the above information; the disclosure is not limited in this respect. Table 1 shows an example information table: the correspondence between the source MAC address, the first interface corresponding to the source MAC address and the user feature information carried by the message is recorded in the information table, that is, the first interface is set as the outgoing interface of the source MAC address.
Table 1  Information table

MAC address     Outgoing interface   User feature information
MAC address 1   Interface 1          User feature information 1
MAC address 2   Interface 2          User feature information 2
By learning the user's source MAC address and user feature information and storing them in association, the network device can detect whether a user is legitimate before configuring that user's MAC address. The network device MAC address configuration method of the above embodiment performs user detection before MAC configuration, effectively determining the authenticity and correctness of the user, preventing illegitimate users from constructing forged messages to attack the network, and ensuring network security and stability.
Fig. 3 shows a flow chart of the network device MAC address configuration method according to one embodiment of the disclosure. As shown in Fig. 3, based on the embodiment shown in Fig. 1, the method of this embodiment further includes:
Step S15: when the user is detected to be an illegitimate user, do not set the first interface as the outgoing interface.
For example, as shown in Fig. 6, when the network device detects, according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address, that the user is an illegitimate user, it records the source MAC address and the first interface in association in a blacklist, while the interface and user feature information stored in association with the source MAC address in the information table remain unchanged. The next time the network device receives a message carrying that source MAC address on the first interface it drops the message directly, that is, it rejects messages sent from that MAC address on that interface, preventing illegitimate users from constructing forged messages to attack the network and ensuring network security and stability.
When the source MAC address and the first interface are recorded in association in the blacklist, an ageing timer for the blacklist entry is also started; after the entry ages out, the MAC address and interface information in the entry are removed from the blacklist, and the network device can again accept messages sent by the user corresponding to the source MAC address on the first interface. By not setting the first interface as the outgoing interface, the first interface can be made to refuse messages sent from the source MAC address, preventing illegitimate users from attacking the network; by setting an ageing timer for the entry and removing it from the blacklist after it ages out, the network device can again accept messages from the source MAC address on the first interface, so that a legitimate user is not permanently prevented from migrating. The length of the ageing timer can be set according to actual needs, and the disclosure is not limited in this respect.
Fig. 4 shows a flow chart of an example of step S12 in the network device MAC address configuration method according to one embodiment of the disclosure. As shown in Fig. 4, in step S12, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address includes:
Step S121: obtain the matching result between the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;
Step S122: judge whether the user is a legitimate user according to the matching result.
When the network device determines that the source MAC address exists in the information table and that the outgoing interface recorded in the information table for the source MAC address differs from the first interface, that is, when the network device needs to perform MAC address configuration, it first detects whether the user sending the message is a legitimate user, to prevent an illegitimate user from constructing forged messages to attack the network. As described above, the network device has recorded the user feature information corresponding to the source MAC address; after obtaining the user feature information carried by the message, it matches that information against the user feature information recorded in its information table to obtain a matching result, and judges from the matching result whether the user is a legitimate user.
For example, as shown in Fig. 5, the network device includes interface A and interface B, both of which belong to VLAN 10. As described above, the explanation takes as its example user feature information that represents the service type (for example, a UDP port number or TCP port number). The network device can create an information table as shown in Table 2 below to record the user feature information.
Table 2  Information table

MAC address   Outgoing interface   VLAN ID   Port number type   Port numbers
0-0-1         A                    VLAN 10   UDP                101-110
Taking UDP port numbers as the example, as shown in Fig. 6, assume that the network device first receives on interface A a message sent by the user whose source MAC address is 0-0-1, and that the UDP port numbers for that message are 101-110. The network device learns the MAC address and records the source MAC address (0-0-1), interface A and UDP port numbers 101-110 in association in the information table, as shown in Table 2.
The network device then receives on interface B a message from the user whose source MAC address is 0-0-1. By looking up the information table it determines that source MAC address 0-0-1 exists in the table and that its recorded outgoing interface differs from interface B, so it needs to detect whether the user is legitimate. The network device enables the NQA (Network Quality Analyzer) monitoring service, performs a port scan of the UDP ports of the sender of the message with source MAC address 0-0-1, matches the port numbers obtained by the scan against the port numbers 101-110 recorded in the information table, and judges from the matching result whether the user is legitimate, for example according to the number or proportion of successfully matched port numbers.
By matching the user feature information carried by the received message against the user feature information recorded in the information table for the source MAC address, and judging the user's legitimacy from the matching result, the authenticity and correctness of the user can be effectively detected. This prevents illegitimate users from constructing forged messages to attack the network and ensures network security and stability, while also reducing the need to change static MAC configuration by hand and the network failures caused by manual misconfiguration.
In one possible embodiment, the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address;
and step S122 specifically includes:
Step S1221: when the matching ratio is greater than a preset threshold, judge the user to be a legitimate user.
For example, continuing the above example, the network device port-scans the UDP ports of the sender of the message with source MAC address 0-0-1 and obtains UDP port numbers 101-106 and 109-110. The network device matches the scanned UDP port numbers (101-106, 109-110) one by one against the UDP port numbers (101-110) recorded in the information table for the source MAC address. Taking port 101 as an example, the network device looks up that port number in the information table; if port 101 is found the match succeeds, and the match condition is recorded (for example, a successful match is recorded as 1 and a failed match as 0); then port 102 is looked up and its match condition recorded, and so on until the matching results of all scanned port numbers have been obtained. The matching can of course be done the other way round, for example by matching the UDP port numbers (101-110) recorded in the information table for the source MAC address one by one against the UDP port numbers obtained by the scan (101-106, 109-110) and recording the match condition; the disclosure is not limited in this respect. The matching result, such as the number of successful matches or the matching ratio, is obtained from the recorded match conditions.
In one possible embodiment, the matching result is the ratio of the number of port numbers carried by the message that successfully match the port numbers recorded in the information table for the source MAC address to the total number of port numbers recorded in the information table for the source MAC address. The number of successful matches is the number of port numbers carried by the message that are identical to port numbers recorded in the information table for the source MAC address. Continuing the above example, the matching record shows that 8 of the UDP port numbers carried by the message are identical to UDP port numbers recorded in the information table for the source MAC address, so the matching ratio is the number of successful matches (8) divided by the total number of UDP port numbers recorded in the information table for the source MAC address (10), that is, 80%.
The preset threshold can be set in advance, for example to 50%. In the above example the matching ratio is 80%, greater than 50%, so the network device judges the user to be legitimate. The network device then changes the outgoing interface corresponding to MAC address 0-0-1 in the information table to interface B, that is, sets interface B as the outgoing interface corresponding to MAC address 0-0-1, and at the same time changes the user feature information in the information table to [101, 102, 103, 104, 105, 106, 109, 110], so that user feature information detection can be performed at the next MAC address configuration.
When the scan instead finds that the UDP port numbers of the sender of the message with source MAC address 0-0-1 are 106-109, the matching ratio is 40%, less than 50%, and the network device judges the user to be illegitimate: an illegitimate user may be constructing forged messages to attack the network. Accordingly, the network device adds source MAC address 0-0-1 to the blacklist, and the first interface no longer accepts messages sent by the user with source MAC address 0-0-1.
In one possible embodiment, the network device can also perform the lookup and match each time the scan obtains a port number; once the number of matched port numbers exceeds, for example, 50% of the total number of source port numbers associated with the source MAC address, the user is considered legitimate and the monitoring scan is stopped. The disclosure does not limit the method used for the specific matching process.
Fig. 7 shows a schematic diagram of the process of detecting whether a user is legitimate according to one embodiment of the disclosure. As shown in Fig. 7, the network device enables NQA monitoring and a user-defined port matching ratio threshold (the preset threshold), port-scans the UDP ports of the sender of the message with source MAC address 0-0-1 and obtains UDP port numbers 101-106 and 109-110, matches the scanned UDP port numbers (101-106, 109-110) one by one against the UDP port numbers (101-110) recorded in the information table for the source MAC address, records the match conditions, and determines the matching ratio from the record. It then compares the matching ratio with the preset threshold: when the matching ratio is greater than the preset threshold, the user is judged legitimate and the outgoing interface corresponding to source MAC address 0-0-1 in the information table is updated to interface B (that is, the user with source MAC address 0-0-1 is migrated to interface B); when the matching ratio is less than or equal to the preset threshold, the user is judged illegitimate, source MAC address 0-0-1 and interface B are added to the blacklist, and messages from the user with source MAC address 0-0-1 are no longer accepted on interface B. The preset threshold for the port matching ratio can be defined during network device initialization, or redefined as needed each time; the disclosure is not limited in this respect.
Udp protocol is applicable the multiple application programs differentiated and operated in same equipment according to port numbers, in source MAC In the case of identical, then according to the application program (UDP port number) of operation may determine that whether same equipment, that is, It can decide whether as validated user.TCP port number in ICP/IP protocol is applied to differentiate the service that main frame can be provided, than Such as Web service, FTP service, SMTP services, different network services can be distinguished according to different TCP port numbers, accordingly may be used To judge being same main frame, that is, it can decide whether as validated user.Certainly, the disclosure is not limited to use udp port Number or TCP port number as user's characteristic information, the other specification of application layer can also be used, the disclosure is not construed as limiting to this. It can prevent non-with the authenticity and correctness of effective detection user according to the MAC Address moving method of disclosure above-described embodiment While validated user constructs counterfeit message aggression network, ensures network security and stability, modification by hand can also be reduced quiet State MAC configuration needs, the problems such as reduction artificial interference causes the network failure that configuration error is brought.
In one possible embodiment, the network device MAC address configuration method of the above embodiments can also be applied in a VXLAN network; a virtual machine in a VXLAN network can be regarded as an instance of the user in the above embodiments.
Fig. 8 is an application example diagram of the network device MAC address configuration method according to another example of the disclosure. As shown in Fig. 8, taking VTEP1 as an example, after VTEP1 receives from VXLAN tunnel2 a VXLAN data frame sent by the remote VTEP2, it decapsulates the frame, determines the VXLAN it belongs to from the VXLAN ID, finds that the corresponding VSI is VSI 1, and obtains the source MAC address and user feature information (here, virtual machine feature information) of the remote virtual machine VM2 carried by the data frame. It can then look up whether the source MAC address is recorded in the information table. If the source MAC address is present in the information table, this means that VSI 1 of VTEP1 has previously (via tunnel2 or tunnel1) received a data frame sent by the virtual machine VM2 corresponding to that source MAC address, or that VTEP1 has the MAC address statically configured. VTEP1 can further check the outgoing interface information corresponding to the source MAC address; when the outgoing interface recorded in the information table for the source MAC address differs from tunnel2, MAC address configuration is required, and before configuring it the identity of the user that sent the data frame can be checked to confirm whether it is a legitimate user, preventing an illegitimate user from attacking the network with forged data frames.
When VTEP1, based on the virtual machine feature information carried by the data frame and the virtual machine feature information recorded in the information table for the source MAC address, detects that virtual machine VM2 is a legitimate virtual machine, it can change the outgoing interface corresponding to the source MAC address in the information table to tunnel2, that is, the tunnel (outgoing interface) of the virtual machine VM2 corresponding to the source MAC address has migrated to tunnel2. It can also update the virtual machine feature information corresponding to the source MAC address accordingly, so that virtual machine legitimacy can be detected before the next address migration.
If the source MAC address is not present in the information table, this means VTEP1 is receiving a data frame from the virtual machine VM2 corresponding to the source MAC address for the first time. VTEP1 then learns the source MAC address of virtual machine VM2 and records in the information table the correspondence between the source MAC address, tunnel2 and the virtual machine feature information carried by the data frame.
When VTEP1, based on the virtual machine feature information carried by the data frame and the virtual machine feature information recorded in the information table for the source MAC address, detects that virtual machine VM2 is an illegitimate virtual machine, it does not set tunnel2 as the outgoing interface, and can record the source MAC address and tunnel2 in association in the blacklist. The next time VTEP1 receives on tunnel2 a data frame sent by the virtual machine with that source MAC address, it drops the frame directly, that is, it refuses to accept data frames sent by the virtual machine with that MAC address, preventing an illegitimate virtual machine from attacking the network with forged data frames and ensuring network security and stability.
When the source MAC address and tunnel2 are recorded in association in the blacklist, a blacklist entry aging timer can be started; after the entry ages out, the MAC address and interface information in the entry can be removed from the blacklist, and VTEP1 can again accept data frames sent by the virtual machine corresponding to the source MAC address from the first interface.
By recording the source MAC address and tunnel2 in association in the blacklist and setting tunnel2 not to accept data frames sent by the virtual machine with that source MAC address, attacks by illegitimate virtual machines can be prevented; by removing the MAC address and interface information in the entry from the blacklist after the entry ages out, VTEP1 can accept data frames again, which avoids the problem of a legitimate, correct virtual machine being unable to migrate. The length of the aging timer period can be configured according to actual need; the disclosure does not limit this.
When applied to a VXLAN network, the process of detecting from the virtual machine feature information whether the virtual machine is legitimate is similar to the method described above for a real network, and is not repeated here.
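The procedure described above for the physical-interface case and for the VXLAN case, as an added example that is not code from the patent or from the assignee: an information table keyed by source MAC address, the port-number matching ratio, the predetermined threshold (50%, as in the text), and the blacklist with an aging timer. Names such as `MacTable`, `handle_message` and the aging period are assumptions; the "interface" string is a port (interface A, B) in the first embodiment and a tunnel name (tunnel1, tunnel2) in the VTEP variant, and the logic is the same for both.

```python
"""Model of the MAC address configuration method described above (added example).

Not code from the patent or from the assignee. The information table, the
matching ratio, the threshold and the blacklist follow the text; the class and
function names and the aging period are assumptions made for this example.
"""
from dataclasses import dataclass, field

PRESET_THRESHOLD = 0.5            # predetermined threshold value, 50% as in the text
BLACKLIST_AGING_SECONDS = 300.0   # assumed aging timer length (the text leaves it configurable)


@dataclass
class Entry:
    """One row of the information table: outgoing interface and user feature info."""
    out_interface: str
    ports: set                    # UDP port numbers recorded for this source MAC address


@dataclass
class MacTable:
    entries: dict = field(default_factory=dict)    # source MAC -> Entry
    blacklist: dict = field(default_factory=dict)  # (source MAC, interface) -> expiry time

    def matching_ratio(self, mac, observed_ports):
        """Successful matches divided by total recorded ports, as the text defines it."""
        recorded = self.entries[mac].ports
        if not recorded:
            return 0.0
        matched = len(set(observed_ports) & recorded)
        return matched / len(recorded)

    def _expire_blacklist(self, now):
        # Aged-out entries are removed so the MAC can be accepted from that interface again
        for key in [k for k, expiry in self.blacklist.items() if expiry <= now]:
            del self.blacklist[key]

    def handle_message(self, interface, mac, observed_ports, now):
        """Process one message from `mac` received on `interface`; return the action taken."""
        self._expire_blacklist(now)
        if (mac, interface) in self.blacklist:
            return "dropped"                  # the interface refuses this MAC while blacklisted
        entry = self.entries.get(mac)
        if entry is None:
            # First message from this MAC: learn address, interface and feature info
            self.entries[mac] = Entry(interface, set(observed_ports))
            return "learned"
        if entry.out_interface == interface:
            return "unchanged"                # no migration, nothing to configure
        # Outgoing interface differs: check user legitimacy before migrating
        if self.matching_ratio(mac, observed_ports) > PRESET_THRESHOLD:
            entry.out_interface = interface   # migrate the MAC to the new interface
            entry.ports = set(observed_ports) # refresh feature info for the next check
            return "migrated"
        # Ratio at or below the threshold: do not set the new interface; blacklist with aging
        self.blacklist[(mac, interface)] = now + BLACKLIST_AGING_SECONDS
        return "rejected"


if __name__ == "__main__":
    # Constructed walkthrough of the figures: MAC 0-0-1 learned on A with ports 101-110
    table = MacTable()
    print(table.handle_message("A", "0-0-1", range(101, 111), now=0.0))     # learned
    print(table.handle_message("B", "0-0-1",
                               [101, 102, 103, 104, 105, 106, 109, 110], now=1.0))  # migrated (80%)
    table2 = MacTable()
    table2.handle_message("A", "0-0-1", range(101, 111), now=0.0)
    print(table2.handle_message("B", "0-0-1", [106, 107, 108, 109], now=1.0))  # rejected (40%)
```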
Fig. 9 is a block diagram of a network device MAC address configuration device according to an embodiment of the disclosure. The device can be applied in a network device such as a router, hub or switch, and also in a virtual network device, a server, and so on. As shown in Fig. 9, the device includes an acquisition module 91, a detection module 92 and a first setup module 93.
The acquisition module 91 is configured to obtain, from a message received on a first interface, the source MAC address and user feature information of the message.
The detection module 92 is configured, when the source MAC address is present in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, to detect whether the user is a legitimate user based on the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address.
The first setup module 93 is configured, in the case where the user is detected to be a legitimate user, to set the outgoing interface corresponding to the source MAC address in the information table to the first interface.
The network device judges the legitimacy of the user sending the message by detecting the user feature information, and configures the MAC address in the case where the user is detected to be a legitimate user. The network device MAC address configuration device of the above embodiment of the disclosure can thus perform user detection first when a MAC address migrates, effectively detecting the authenticity and correctness of the user, preventing illegitimate users from attacking the network with forged messages and ensuring network security and stability, while also reducing the need to modify static MAC configuration by hand and reducing network faults caused by configuration errors from manual intervention.
Fig. 10 is a block diagram of a network device MAC address configuration device according to an embodiment of the disclosure. As shown in Fig. 10, in one possible embodiment the device further includes a logging module 94.
The logging module 94 is configured, in the case where the source MAC address is not present in the information table, to record in the information table the correspondence between the source MAC address, the first interface and the user feature information carried by the message.
In one possible embodiment, the device further includes a second setup module 95.
The second setup module 95 is configured, in the case where the user is detected to be an illegitimate user, not to set the first interface as the outgoing interface.
In one possible embodiment, the detection module 92 includes an acquiring unit 921 and a judging unit 922.
The acquiring unit 921 is configured to obtain a matching result between the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address.
The judging unit 922 is configured to judge, according to the matching result, whether the user is a legitimate user.
In one possible embodiment, the user feature information includes information used to represent a service type.
In one possible embodiment, the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address.
The judging unit 922 is specifically configured to judge the user to be a legitimate user when the matching ratio exceeds a predetermined threshold value.
Fig. 11 is a block diagram of a MAC address migration apparatus 1900 according to an exemplary embodiment. For example, the apparatus 1900 may be provided as a server. Referring to Fig. 11, the apparatus 1900 includes a processing component 1922, which further includes one or more processors, and memory resources represented by a memory 1932 for storing instructions executable by the processing component 1922, such as application programs. The application programs stored in the memory 1932 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 1922 is configured to execute the instructions so as to perform the above method.
The apparatus 1900 may also include a power supply component 1926 configured to perform power management of the apparatus 1900, a wired or wireless network interface 1950 configured to connect the apparatus 1900 to a network, and an input/output (I/O) interface 1958. The apparatus 1900 may operate based on an operating system stored in the memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or similar.
In an exemplary embodiment, a non-volatile computer-readable storage medium including instructions is also provided, for example the memory 1932 including instructions, which can be executed by the processing component 1922 of the apparatus 1900 to complete the above method.
The present disclosure may be a system, a method and/or a computer program product. The computer program product may include a computer-readable storage medium carrying computer-readable program instructions for causing a processor to implement aspects of the present disclosure.
The computer-readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (for example, a light pulse passing through a fibre-optic cable), or an electrical signal transmitted through a wire.
The computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fibres, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
Computer program instructions for carrying out operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk or C++, and conventional procedural programming languages such as the "C" language or similar. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry such as a programmable logic device, a field-programmable gate array (FPGA) or a programmable logic array (PLA) may be personalised using state information of the computer-readable program instructions, and the electronic circuitry may execute the computer-readable program instructions so as to implement aspects of the present disclosure.
Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus and/or other devices to function in a particular manner, such that the computer-readable medium having the instructions stored therein comprises an article of manufacture including instructions which implement aspects of the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.
The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, other programmable data processing apparatus or other device so as to produce a computer-implemented process, such that the instructions executed on the computer, other programmable data processing apparatus or other device implement the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowcharts or block diagrams may represent a module, program segment or portion of instructions, which comprises one or more executable instructions for implementing the specified logical functions. In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two consecutive blocks may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by special-purpose hardware-based systems that perform the specified functions or actions, or by combinations of special-purpose hardware and computer instructions.
The embodiments of the present disclosure have been described above; the foregoing description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the illustrated embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, their practical application or technical improvements over technologies in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (12)

1. A network device MAC address configuration method, characterised in that it comprises:
obtaining, from a message received on a first interface, the source MAC address and user feature information of the message;
when the source MAC address is present in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detecting whether the user is a legitimate user based on the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;
in the case where the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface.
2. The network device MAC address configuration method according to claim 1, characterised in that the method further comprises:
in the case where the source MAC address is not present in the information table, recording in the information table the correspondence between the source MAC address, the first interface and the user feature information carried by the message.
3. The network device MAC address configuration method according to claim 1, characterised in that the method further comprises:
in the case where the user is detected to be an illegitimate user, not setting the first interface as the outgoing interface.
4. The network device MAC address configuration method according to claim 1, characterised in that detecting whether the user is a legitimate user based on the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address comprises:
obtaining a matching result between the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;
judging, according to the matching result, whether the user is a legitimate user.
5. The network device MAC address configuration method according to any one of claims 1-4, characterised in that the user feature information includes information used to represent a service type.
6. The network device MAC address configuration method according to claim 5, characterised in that
the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address;
judging, according to the matching result, whether the user is a legitimate user specifically comprises:
when the matching ratio exceeds a predetermined threshold value, judging the user to be a legitimate user.
7. A network device MAC address configuration device, characterised in that it comprises:
an acquisition module, configured to obtain, from a message received on a first interface, the source MAC address and user feature information of the message;
a detection module, configured, when the source MAC address is present in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, to detect whether the user is a legitimate user based on the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;
a first setup module, configured, in the case where the user is detected to be a legitimate user, to set the outgoing interface corresponding to the source MAC address in the information table to the first interface.
8. The network device MAC address configuration device according to claim 7, characterised in that the device further comprises:
a logging module, configured, in the case where the source MAC address is not present in the information table, to record in the information table the correspondence between the source MAC address, the first interface and the user feature information carried by the message.
9. The network device MAC address configuration device according to claim 7, characterised in that the device further comprises:
a second setup module, configured, in the case where the user is detected to be an illegitimate user, not to set the first interface as the outgoing interface.
10. The network device MAC address configuration device according to claim 7, characterised in that the detection module comprises:
an acquiring unit, configured to obtain a matching result between the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;
a judging unit, configured to judge, according to the matching result, whether the user is a legitimate user.
11. The network device MAC address configuration device according to any one of claims 7-10, characterised in that the user feature information includes information used to represent a service type.
12. The network device MAC address configuration device according to claim 11, characterised in that
the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address;
the acquiring unit is specifically configured to judge the user to be a legitimate user when the matching ratio exceeds a predetermined threshold value.
CN201710258099.9A 2017-04-19 2017-04-19 Network equipment MAC Address collocation method and device Pending CN107071085A (en)

Publications (1)

Publication Number Publication Date
CN107071085A (en) 2017-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20170818