CN107071085A - Network device MAC address configuration method and device - Google Patents
Network device MAC address configuration method and device
- Publication number
- CN107071085A (application CN201710258099.9A)
- Authority
- CN
- China
- Prior art keywords
- user
- interface
- source mac
- message
- information table
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5084—Providing for device mobility
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
The present disclosure relates to a method and device for configuring the MAC address of a network device. The method comprises: obtaining, from a message received on a first interface, the source MAC address and the user feature information of the message; when the source MAC address exists in an information table and the outgoing interface recorded for that source MAC address in the information table differs from the first interface, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and, when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface. With the method and device of the disclosure, user detection is performed before the MAC address of the network device is configured, so that the authenticity and correctness of the user can be effectively detected, an illegitimate user can be prevented from attacking the network with forged messages, and network security is ensured.
Description
Technical field
The present disclosure relates to the field of communication technology, and in particular to a method and device for configuring the MAC address of a network device.
Background technology
A MAC (Media Access Control) address, also called a physical address or hardware address, is used to define the position of a network device.

A network device can configure the mapping between the MAC addresses of the devices connected to it and its own interfaces through a static table; when a connected device migrates, or when a new device is connected to the network device, the static table configuration can be modified by hand. Configuring the MAC-to-interface mapping through a static table improves the security and stability of the network, but it is inconvenient to use and to modify, and configuration mistakes that cause network failures are easy to make.
The content of the invention
In view of this, the present disclosure proposes a method and device for configuring the MAC address of a network device, which can prevent an illegitimate user from attacking the network while ensuring network security, and which solve the problems that manual static configuration is inconvenient and that configuration mistakes easily cause network failures.

According to one aspect of the disclosure, a method for configuring the MAC address of a network device is provided, comprising: obtaining, from a message received on a first interface, the source MAC address and the user feature information of the message; when the source MAC address exists in an information table and the outgoing interface recorded for the source MAC address in the information table differs from the first interface, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and, when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface.

According to another aspect of the disclosure, a device for configuring the MAC address of a network device is provided, comprising: an acquisition module, for obtaining the source MAC address and the user feature information of a message received on a first interface; a detection module, for detecting, when the source MAC address exists in an information table and the outgoing interface recorded for the source MAC address in the information table differs from the first interface, whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address; and a first setting module, for setting the outgoing interface corresponding to the source MAC address in the information table to the first interface when the user is detected to be a legitimate user.

The legitimacy of the user sending the message is judged by detecting user feature information, and the MAC address of the network device is configured only when the user is detected to be a legitimate user. The method and device of the above embodiments therefore perform user detection before a MAC address is migrated, so that the authenticity and correctness of the user can be effectively detected; an illegitimate user is prevented from attacking the network with forged messages, network security and stability are ensured, and at the same time the need to modify static MAC configuration by hand is reduced, which reduces network failures caused by configuration errors introduced through manual intervention.

Further features and aspects of the disclosure will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are included in and form part of the specification, illustrate exemplary embodiments, features and aspects of the disclosure together with the specification, and serve to explain the principles of the disclosure.

Fig. 1 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure.
Fig. 2 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure.
Fig. 3 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure.
Fig. 4 shows a flow chart of an example of step S12 of the network device MAC address configuration method according to an embodiment of the disclosure.
Fig. 5 shows an application example of the network device MAC address configuration method according to an example of the disclosure.
Fig. 6 shows an application example of the network device MAC address configuration method according to an example of the disclosure.
Fig. 7 shows a schematic diagram of the process of detecting whether a user is legitimate according to an example of the disclosure.
Fig. 8 shows an application example of the network device MAC address configuration method according to another example of the disclosure.
Fig. 9 shows a block diagram of a network device MAC address configuration device according to an embodiment of the disclosure.
Fig. 10 shows a block diagram of a network device MAC address configuration device according to an embodiment of the disclosure.
Fig. 11 shows a block diagram of a network device MAC address configuration device according to an embodiment of the disclosure.
Embodiment
Various exemplary embodiments, features and aspects of the disclosure are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless specifically stated.

The word "exemplary" is used here to mean "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.

In addition, numerous specific details are given in the embodiments below in order to better illustrate the disclosure. Those skilled in the art will appreciate that the disclosure can equally be practised without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the gist of the disclosure.
Fig. 1 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure. The method can be applied to a network device such as a router, hub or switch, and also to virtual network devices, servers and the like. As shown in Fig. 1, the method comprises:

Step S11: obtaining, from a message received on a first interface, the source MAC address and the user feature information of the message.

A message is the unit of data exchanged and transmitted in a network, that is, the block of data a station sends at one time. During transmission it is repeatedly encapsulated into packets and data frames; encapsulation adds information segments, such as a header, which is data organised in a certain format. Taking an IP-based networking application as an example, the header can carry information such as the protocol type (for example TCP or UDP), source IP address, destination IP address, source MAC address, destination MAC address, source port number and destination port number.

In this example, after receiving a message on the first interface, the network device parses the header to obtain the information it needs, for example the source MAC address and the user feature information of the message. User feature information is information that distinguishes different users, such as the applications a user can load or the features of the type of service offered; information representing the type of service may specifically be a UDP port number, a TCP port number, and so on. The UDP protocol distinguishes multiple applications running on the same device by UDP port. User features can also be recognised from application-layer information, for example application file information (file name, suffix); the disclosure does not limit this.
Step S12: when the source MAC address exists in an information table and the outgoing interface recorded for the source MAC address in the information table differs from the first interface, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address.

Fig. 5 and Fig. 6 each show an application example of the network device MAC address configuration method according to an example of the disclosure. As shown in Fig. 5, the network device can include multiple interfaces (for example interface A and interface B) and stores an information table. In a possible implementation, the information table records MAC addresses together with the outgoing interface information and user feature information corresponding to each MAC address.

As shown in Fig. 6, after receiving a message on the first interface (interface B) and obtaining its source MAC address, the network device can look up the information table to see whether the source MAC address has already been recorded. If the source MAC address exists in the information table, the network device may previously have received a message sent by the user corresponding to that source MAC address (the MAC address may have been learned on interface B or on interface A), or the source MAC address may have been statically configured. The network device then checks whether the outgoing interface recorded for the source MAC address in the information table is the same as the first interface (interface B). If the recorded outgoing interface differs from the first interface, a MAC address configuration of the network device is required; before that configuration, the identity of the user can be checked to confirm whether the user is legitimate, so as to prevent an illegitimate user from attacking the network with forged messages.
Step S13: when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface.

As shown in Fig. 5, when the network device detects, according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address, that the user is a legitimate user, it can change the outgoing interface corresponding to the source MAC address in the information table to the first interface (interface B), that is, set the outgoing interface corresponding to the source MAC address to the first interface (interface B).

In a possible implementation, the user feature information recorded in the information table for the source MAC address can also be updated, so that the user legitimacy check can be carried out before the next MAC address configuration.

The legitimacy of the user sending the message is judged by detecting user feature information, and the MAC address of the network device is configured only when the user is detected to be a legitimate user. The method of the above embodiment therefore performs user detection before a MAC address is configured, so that the authenticity and correctness of the user can be effectively detected; an illegitimate user is prevented from attacking the network with forged messages, network security and stability are ensured, and at the same time the need to modify static MAC configuration by hand is reduced, which reduces network failures caused by configuration errors introduced through manual intervention.

In the related art, the above problem is addressed by configuring a static MAC entry that binds the MAC address to a fixed interface, and by changing the static MAC entry when the MAC address migrates: for example, while the outgoing interface corresponding to the MAC address in the MAC address table entry is changed to interface B, the static MAC entry is changed by hand to bind the MAC address to interface B. However, manually modifying the static MAC configuration is inconvenient and easily leads to configuration errors and thus to network failures. With the method of the above embodiment, the MAC address configuration is performed only when the user is detected to be legitimate, which solves the problem of an illegitimate user attacking the network with forged messages without any manual change to the static MAC entry; this reduces the need to modify static MAC entries by hand and reduces network failures caused by configuration errors introduced through manual intervention.
Fig. 2 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure. As shown in Fig. 2, on the basis of the embodiment shown in Fig. 1, the method of this embodiment further comprises:

Step S14: when the source MAC address does not exist in the information table, recording in the information table the correspondence between the source MAC address, the first interface, and the user feature information carried by the message.

As shown in Fig. 6, if the source MAC address does not exist in the information table, this is the first time the network device has received a message sent by the user corresponding to the source MAC address. The network device then learns the source MAC address of the user on the first interface (interface B) and records in the information table the correspondence between the source MAC address, the first interface (interface B), and the user feature information carried by the message, so that it can detect whether the user is legitimate before the next MAC address configuration for that user.

The information table can be based on the MAC address table stored by the network device, or a new list can be created to record the correspondence between the above information; the disclosure does not limit this. In the example information table shown in Table 1, the correspondence between the source MAC address, the first interface corresponding to the source MAC address, and the user feature information carried by the message is recorded in the information table, that is, the first interface is set as the outgoing interface of the source MAC address.
Table 1: information table

MAC address | Outgoing interface | User feature information |
--- | --- | --- |
MAC address 1 | Interface 1 | User feature information 1 |
MAC address 2 | Interface 2 | User feature information 2 |
… | … | … |
By learning the source MAC address and user feature information of a user and storing them in association, the network device can detect whether the user is legitimate before the MAC address of that user is configured. The method of the above embodiment therefore performs user detection before the MAC address is configured, effectively determining the authenticity and correctness of the user, preventing an illegitimate user from attacking the network with forged messages, and ensuring network security and stability.
Fig. 3 shows a flow chart of a network device MAC address configuration method according to an embodiment of the disclosure. As shown in Fig. 3, on the basis of the embodiment shown in Fig. 1, the method of this embodiment further comprises:

Step S15: when the user is detected to be an illegitimate user, not setting the first interface as the outgoing interface.

For example, as shown in Fig. 6, when the network device detects, according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address, that the user is illegitimate, it can record the source MAC address and the first interface in association in a blacklist, while the first interface and user feature information stored in association with the source MAC address in the information table remain unchanged. The next time the network device receives a message carrying the source MAC address on the first interface, it discards the message directly, that is, it rejects messages sent from that MAC address, which prevents an illegitimate user from attacking the network with forged messages and ensures network security and stability.

When the source MAC address and the first interface are recorded in association in the blacklist, an ageing timer can be started for the blacklist entry; when the entry ages out, the MAC address and interface information in the entry can be removed from the blacklist, and the network device can again receive, on the first interface, messages sent by the user corresponding to the source MAC address. By not setting the first interface as the outgoing interface, the first interface can be made to refuse messages sent from the source MAC address, which prevents an illegitimate user from attacking the network; by setting the entry ageing timer and removing the blacklist entry when it ages out, the network device can again receive messages from the source MAC address on the first interface, which avoids the problem of a legitimate and correct user being unable to migrate. The length of the ageing timer can be set according to actual needs; the disclosure does not limit this.
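The control flow of steps S11 to S15 (learn an unknown MAC, forward on the recorded interface, verify the user on a MAC migration, blacklist with an ageing timer on failure) is shown below as an added example in Python. This is not the patent's code: the table layout, the return labels and the injected `detect` callback (which stands in for the user feature comparison of step S12) are assumptions; the time source is a plain number passed by the caller so the ageing timer can be exercised offline.

```python
"""Added example (not from the patent): MAC migration control table with blacklist ageing."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Tuple


@dataclass
class Entry:
    """One information-table row: outgoing interface plus recorded user feature information."""
    out_iface: str
    features: FrozenSet[int]          # e.g. the UDP port numbers the user was first seen with


@dataclass
class MacTable:
    # detect(carried, recorded) -> True if the user is judged legitimate (step S12; assumed interface)
    detect: Callable[[FrozenSet[int], FrozenSet[int]], bool]
    aging_seconds: float = 300.0      # blacklist entry lifetime; value is an assumption
    entries: Dict[str, Entry] = field(default_factory=dict)
    # blacklist keyed by (source MAC, interface) -> expiry time
    blacklist: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def _expire_blacklist(self, now: float) -> None:
        """Remove blacklist entries whose ageing timer has run out."""
        for key, expiry in list(self.blacklist.items()):
            if expiry <= now:
                del self.blacklist[key]

    def handle(self, iface: str, src_mac: str, features: Iterable[int], now: float) -> str:
        """Process one message received on `iface`; returns the action taken."""
        self._expire_blacklist(now)
        carried = frozenset(features)

        # Step S15 consequence: messages from a blacklisted (MAC, interface) pair are dropped.
        if (src_mac, iface) in self.blacklist:
            return "dropped"

        entry = self.entries.get(src_mac)
        if entry is None:
            # Step S14: first message from this MAC, learn it on the receiving interface.
            self.entries[src_mac] = Entry(iface, carried)
            return "learned"

        if entry.out_iface == iface:
            # Recorded outgoing interface matches, no configuration needed.
            return "forward"

        # Step S12: the MAC appears on a different interface, verify the user first.
        if self.detect(carried, entry.features):
            # Step S13: migrate the outgoing interface and refresh the recorded features.
            self.entries[src_mac] = Entry(iface, carried)
            return "migrated"

        # Step S15: do not adopt the new interface; blacklist the pair with an ageing timer.
        self.blacklist[(src_mac, iface)] = now + self.aging_seconds
        return "rejected"


if __name__ == "__main__":
    # Constructed walkthrough: exact-set comparison as the detector, 60 s ageing timer.
    table = MacTable(detect=lambda carried, recorded: carried == recorded, aging_seconds=60)
    print(table.handle("A", "0-0-1", {101, 102}, now=0))    # learned
    print(table.handle("B", "0-0-1", {999}, now=2))         # rejected
    print(table.handle("B", "0-0-1", {101, 102}, now=3))    # dropped (blacklisted)
    print(table.handle("B", "0-0-1", {101, 102}, now=63))   # migrated (entry aged out)
```

The detector is injected so that the same table can be used with the port-ratio comparison the patent describes or with any other user feature check; the blacklist is keyed by the (MAC, interface) pair, matching the text's statement that the recorded outgoing interface keeps receiving the user's messages while only the disputed interface is refused.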
Fig. 4 shows a flow chart of an example of step S12 of the network device MAC address configuration method according to an embodiment of the disclosure. As shown in Fig. 4, in step S12, detecting whether the user is a legitimate user according to the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address comprises:

Step S121: obtaining the matching result between the user feature information carried by the message and the user feature information recorded in the information table for the source MAC address;

Step S122: judging whether the user is a legitimate user according to the matching result.

When the network device determines that the source MAC address exists in the information table and that the outgoing interface recorded for it differs from the first interface, that is, when a MAC address configuration is required, it first detects whether the user sending the message is legitimate, in order to prevent an illegitimate user from attacking the network with forged messages. As described above, the network device has recorded the user feature information corresponding to the source MAC address; after obtaining the user feature information carried by the message, it matches that information against the user feature information recorded in its information table to obtain a matching result, and judges from the matching result whether the user is legitimate.
For example, as shown in Fig. 5, the network device includes interface A and interface B, both belonging to VLAN 10. As described above, the explanation takes user feature information representing the type of service (for example UDP port numbers or TCP port numbers) as an example. The network device can create an information table such as the example in Table 2 to record the user feature information.

Table 2: information table

MAC address | Outgoing interface | VLAN ID | Port number type | Port numbers |
--- | --- | --- | --- | --- |
0-0-1 | A | VLAN 10 | UDP | 101-110 |
… | … | … | … | … |
Taking UDP port numbers as an example, and as shown in Fig. 6, assume that the network device first receives on interface A a message sent by the user with source MAC address 0-0-1, and that the UDP port numbers in the message are 101-110. The network device learns the MAC address and records in the information table the source MAC address (0-0-1) in association with interface A and UDP port numbers 101-110, as shown in Table 2.

When the network device later receives a message from the user with source MAC address 0-0-1 on interface B, it looks up the information table and finds that source MAC address 0-0-1 exists and that its corresponding outgoing interface differs from interface B, so it must detect whether the user is legitimate. The network device enables the NQA (Network Quality Analyzer) monitoring service, performs a port scan of the UDP ports carried by the message whose source MAC address is 0-0-1, and matches the port numbers obtained by the scan against the port numbers 101-110 recorded in the information table. It can then judge from the matching result whether the user is legitimate, for example according to the number or proportion of successfully matched port numbers.

By matching the user feature information carried by the received message against the user feature information recorded in the information table for the source MAC address and judging the legitimacy of the user from the matching result, the authenticity and correctness of the user can be effectively detected; an illegitimate user is prevented from attacking the network with forged messages and network security and stability are ensured, while at the same time the need to modify static MAC configuration by hand is reduced, which reduces network failures caused by configuration errors introduced through manual intervention.
In a possible implementation, the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address, and step S122 specifically comprises:

Step S1221: when the matching ratio is greater than a preset threshold, judging the user to be a legitimate user.

For example, continuing the above example, the network device performs a port scan of the UDP ports carried by the message with source MAC address 0-0-1 and obtains UDP port numbers 101-106 and 109-110. The network device matches the scanned UDP port numbers (101-106, 109-110) one by one against the UDP port numbers (101-110) recorded in the information table for the source MAC address: taking port 101 as an example, the network device looks up that port number in the information table, and if port 101 is found the match succeeds and the result is recorded (for example, a successful match is recorded as 1 and a failed match as 0); it then looks up port 102 and records the result, and so on until the matching results for all scanned port numbers have been obtained. The matching can of course also be done the other way round, with the network device matching the UDP port numbers (101-110) recorded in the information table for the source MAC address one by one against the scanned UDP port numbers (101-106, 109-110) and recording the results; the disclosure does not limit this. The matching result, such as the number of successful matches or the matching ratio, is obtained from the recorded match results.
In a possible implementation, the matching result is the ratio of the number of port numbers carried by the message that successfully match the port numbers recorded in the information table for the source MAC address to the total number of port numbers recorded in the information table for the source MAC address. The number of successful matches is the number of port numbers carried by the message that are identical to port numbers recorded in the information table for the source MAC address. Continuing the above example, the match records show that 8 of the UDP port numbers carried by the message are identical to UDP port numbers recorded in the information table for the source MAC address; the matching ratio is therefore the number of successful matches (8) divided by the total number of UDP port numbers recorded for the source MAC address (10), that is, 80%.
The preset threshold can be set in advance, for example to 50%. In the above example the matching ratio is 80%, which is greater than 50%, so the network device can judge the user to be legitimate. The network device can then change the outgoing interface corresponding to MAC address 0-0-1 in the information table to interface B, that is, set interface B as the outgoing interface of MAC address 0-0-1, and at the same time update the user feature information in the information table to [101, 102, 103, 104, 105, 106, 109, 110] so that user feature detection can be performed at the next MAC address configuration.

If the scan of the message with source MAC address 0-0-1 instead yields UDP port numbers 106-109, the matching ratio is 40%, which is less than 50%, so the network device can judge the user to be illegitimate: an illegitimate user may be attacking the network with forged messages. Accordingly, the network device can add source MAC address 0-0-1 to the blacklist, and the first interface will no longer receive messages from the user with source MAC address 0-0-1.

In a possible implementation, the network device can also perform the match each time a port number is obtained by the scan; once the number of matching port numbers exceeds, for example, 50% of the total number of source port numbers associated with the source MAC address, the user is considered legitimate and the monitoring scan is stopped. The disclosure does not limit the specific matching process used.
Fig. 7 shows a schematic diagram of the process of detecting whether a user is legitimate according to an embodiment of the disclosure. As shown in Fig. 7, the network device enables NQA monitoring and a user-defined port matching ratio threshold (the predetermined threshold), performs a port scan on the UDP ports carried by messages whose source MAC address is 0-0-1, and obtains UDP port numbers 101-106 and 109-110. The network device matches the scanned UDP port numbers (101-106, 109-110) one by one against the UDP port numbers recorded in the information table for that source MAC address (101-110), records the matching results, and determines the matching ratio from the record. It then compares the matching ratio with the predetermined threshold: when the matching ratio is greater than the predetermined threshold, the user is judged legitimate and the outgoing interface corresponding to source MAC address 0-0-1 in the information table is updated to interface B (that is, the user with source MAC address 0-0-1 is migrated to interface B); when the matching ratio is less than or equal to the predetermined threshold, the user is judged illegitimate, source MAC address 0-0-1 and interface B are added to the blacklist, and messages from the user with source MAC address 0-0-1 are no longer accepted from interface B.
The predetermined threshold for the port matching ratio may be defined during network device initialization, or redefined on demand at any time; the disclosure does not limit this.
The UDP protocol distinguishes, by port number, multiple application programs running on the same device; when the source MAC address is the same, whether the messages come from the same device can therefore be judged from the running applications (UDP port numbers), that is, whether the user is legitimate. TCP port numbers in the TCP/IP protocol suite distinguish the services a host can provide, such as Web, FTP and SMTP services; different network services can be distinguished by their TCP port numbers, and accordingly whether the messages come from the same host, that is, whether the user is legitimate, can be judged. Of course, the disclosure is not limited to using UDP port numbers or TCP port numbers as user characteristic information; other application-layer parameters may also be used, and the disclosure does not limit this.
The MAC address migration method of the above embodiments of the disclosure can effectively detect the authenticity and correctness of a user, prevent an illegitimate user from constructing counterfeit messages to attack the network, and ensure network security and stability, while also reducing the need to modify static MAC configuration by hand and reducing network failures caused by configuration errors introduced by manual intervention.
In a possible embodiment, the network device MAC address configuration method of the above examples may also be applied to VXLAN networks; a virtual machine in a VXLAN network may be regarded as an example of the user in the above embodiments.
Fig. 8 shows an application example diagram of the network device MAC address configuration method according to another example of the disclosure. As shown in Fig. 8, taking VTEP1 as an example: when VTEP1 receives from the VXLAN tunnel tunnel2 a VXLAN data frame sent by the remote VTEP2, it decapsulates the frame, determines the VXLAN it belongs to from the VXLAN ID, finds the corresponding VSI to be VSI 1, and obtains the source MAC address and user characteristic information (here, virtual machine characteristic information) of the remote virtual machine VM2 carried by the data frame. VTEP1 can then look up whether the source MAC address has been recorded in the information table. If the source MAC address exists in the information table, this indicates that VSI 1 of VTEP1 has previously received (via tunnel2 or tunnel1) a data frame sent by the virtual machine VM2 corresponding to that source MAC address, or that VTEP1 has statically configured the MAC address. VTEP1 can further check the outgoing interface information corresponding to the source MAC address; when the outgoing interface recorded in the information table for the source MAC address differs from tunnel2, MAC address configuration is needed, and the identity of the user that sent the data frame can be detected before configuration to confirm whether it is a legitimate user, preventing an illegitimate user from constructing counterfeit data frames to attack the network.
When VTEP1 detects, from the virtual machine characteristic information carried by the data frame and the virtual machine characteristic information recorded in the information table for the source MAC address, that virtual machine VM2 is a legitimate virtual machine, it can change the outgoing interface corresponding to the source MAC address in the information table to tunnel2, that is, the tunnel (outgoing interface) of the virtual machine VM2 corresponding to the source MAC address has migrated to tunnel2. It can also update the virtual machine characteristic information corresponding to the source MAC address, so that virtual machine legitimacy can be detected before the next address migration.
If the source MAC address does not exist in the information table, VTEP1 is receiving a data frame from the virtual machine VM2 corresponding to that source MAC address for the first time. VTEP1 then learns the source MAC address of VM2 and records in the information table the correspondence between the source MAC address, tunnel2, and the virtual machine characteristic information carried by the data frame.
When VTEP1 detects, from the virtual machine characteristic information carried by the data frame and the virtual machine characteristic information recorded in the information table for the source MAC address, that virtual machine VM2 is an illegitimate virtual machine, it does not set tunnel2 as the outgoing interface, and may record the source MAC address and tunnel2 in association in the blacklist. The next time VTEP1 receives on tunnel2 a data frame sent by a virtual machine with that source MAC address, it discards the frame directly, that is, it refuses to accept data frames sent by a virtual machine with that MAC address, preventing an illegitimate virtual machine from constructing counterfeit data frames to attack the network and ensuring network security and stability.
While recording the source MAC address and tunnel2 in association in the blacklist, a blacklist entry ageing timer may be started; after the entry ages out, the MAC address and interface information in the entry can be removed from the blacklist, and VTEP1 can again accept data frames sent by the virtual machine corresponding to the source MAC address from the first interface (here, tunnel2).
By recording the source MAC address and tunnel2 in association in the blacklist and configuring tunnel2 not to accept data frames sent by the virtual machine with that source MAC address, attacks by illegitimate virtual machines can be prevented; by removing the MAC address and interface information from the blacklist after the entry ages out so that VTEP1 can again receive data frames, the problem of a legitimate, correct virtual machine being unable to migrate can be avoided. The duration of the ageing timer may be configured according to actual needs; the disclosure does not limit this.
When applied to VXLAN networks, the process of detecting whether a virtual machine is legitimate from the virtual machine characteristic information is similar to the method in a physical network and is not repeated here.
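As an added example (not code from the patent), the following Python models the detection process of Fig. 7 together with the VXLAN variant just described: an information table keyed by source MAC address, the port matching ratio compared against a predetermined threshold, migration of the outgoing interface on success, and a (MAC, interface) blacklist with an ageing timer on failure. The class names, the 30-second ageing value and the manual clock are assumptions of this example; the port numbers are the ones used in the description.

```python
"""Added example, not code from the patent: a Python model of the MAC mobility
check of Fig. 7 and of its VXLAN variant (a VTEP whose interfaces are tunnels).
Class and function names and the port values are this example's own."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Tuple


@dataclass
class TableEntry:
    """One row of the information table: outgoing interface plus features."""
    out_iface: str
    ports: FrozenSet[int]  # user characteristic information: port numbers seen


class ManualClock:
    """Deterministic clock so blacklist ageing can be exercised offline."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class MacMobilityGuard:
    """Information table and blacklist with the description's decision logic."""
    def __init__(self, threshold: float, blacklist_age: float,
                 clock: Callable[[], float]) -> None:
        self.threshold = threshold          # predetermined threshold, e.g. 0.5
        self.blacklist_age = blacklist_age  # ageing time of a blacklist entry
        self.clock = clock
        self.table: Dict[str, TableEntry] = {}
        self.blacklist: Dict[Tuple[str, str], float] = {}  # (mac, iface) -> expiry

    @staticmethod
    def match_ratio(seen: FrozenSet[int], recorded: FrozenSet[int]) -> float:
        """Share of the recorded port numbers that the new message also carries."""
        if not recorded:
            return 0.0
        return len(seen & recorded) / len(recorded)

    def _is_blacklisted(self, mac: str, iface: str) -> bool:
        expiry = self.blacklist.get((mac, iface))
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.blacklist[(mac, iface)]  # aged out: accept this MAC here again
            return False
        return True

    def receive(self, iface: str, src_mac: str, ports: Iterable[int]) -> Tuple[str, float]:
        """Handle one message; returns (decision, matching ratio used)."""
        seen = frozenset(ports)
        if self._is_blacklisted(src_mac, iface):
            return "drop", 0.0
        entry = self.table.get(src_mac)
        if entry is None:
            self.table[src_mac] = TableEntry(iface, seen)  # first sighting: learn it
            return "learn", 0.0
        if entry.out_iface == iface:
            return "forward", 1.0  # no move, nothing to reconfigure
        # Same MAC on a different interface: validate before reconfiguring.
        ratio = self.match_ratio(seen, entry.ports)
        if ratio > self.threshold:
            self.table[src_mac] = TableEntry(iface, seen)  # migrate, refresh features
            return "migrate", ratio
        # Ratio <= threshold: keep the old outgoing interface, blacklist (MAC, iface).
        self.blacklist[(src_mac, iface)] = self.clock() + self.blacklist_age
        return "blacklist", ratio


def demo() -> Dict[str, object]:
    """Replays the description's numbers: ports 101-110 recorded, two scan results."""
    mac = "0-0-1"
    out: Dict[str, object] = {}

    # Scenario 1: scan yields 101-106,109,110 -> 8 of 10 match (80%) -> legitimate.
    clock = ManualClock()
    g = MacMobilityGuard(threshold=0.5, blacklist_age=30.0, clock=clock.now)
    g.receive("A", mac, range(101, 111))
    out["legit"] = g.receive("B", mac, [101, 102, 103, 104, 105, 106, 109, 110])
    out["legit_iface"] = g.table[mac].out_iface

    # Scenario 2: scan yields 106-109 -> 4 of 10 match (40%) -> blacklist, then age.
    clock = ManualClock()
    g = MacMobilityGuard(threshold=0.5, blacklist_age=30.0, clock=clock.now)
    g.receive("A", mac, range(101, 111))
    out["suspect"] = g.receive("tunnel2", mac, [106, 107, 108, 109])
    out["suspect_iface"] = g.table[mac].out_iface
    out["while_blacklisted"] = g.receive("tunnel2", mac, range(101, 111))
    clock.advance(31.0)  # let the blacklist entry age out
    out["after_ageing"] = g.receive("tunnel2", mac, range(101, 111))
    return out
```

Note that a matching ratio exactly equal to the threshold is treated as illegitimate, as the description states, and that after ageing the MAC is re-evaluated rather than accepted unconditionally.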
Fig. 9 shows a block diagram of a network device MAC address configuration apparatus according to an embodiment of the disclosure. The apparatus may be applied in a network device such as a router, hub or switch, and also in a virtual network device, a server, etc. As shown in Fig. 9, the apparatus includes: an acquisition module 91, a detection module 92 and a first setting module 93.
The acquisition module 91 is configured to obtain, according to a message received on a first interface, the source MAC address and user characteristic information of the message;
The detection module 92 is configured to, when the source MAC address exists in the information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detect whether the user is a legitimate user according to the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
The first setting module 93 is configured to, when the user is detected to be a legitimate user, set the outgoing interface corresponding to the source MAC address in the information table to the first interface.
The network device judges the legitimacy of the user that sent the message by detecting the user characteristic information, and configures the MAC address only when the user is detected to be legitimate. The network device MAC address configuration apparatus of the above embodiments of the disclosure can perform user detection first when a MAC address migrates, effectively detecting the authenticity and correctness of the user, preventing an illegitimate user from constructing counterfeit messages to attack the network and ensuring network security and stability, while also reducing the need to modify static MAC configuration by hand and reducing network failures caused by configuration errors introduced by manual intervention.
Fig. 10 shows a block diagram of a network device MAC address configuration apparatus according to an embodiment of the disclosure. As shown in Fig. 10, in a possible embodiment the apparatus further includes: a recording module 94.
The recording module 94 is configured to, when the source MAC address does not exist in the information table, record in the information table the correspondence between the source MAC address, the first interface, and the user characteristic information carried by the message.
In a possible embodiment, the apparatus further includes: a second setting module 95.
The second setting module 95 is configured to, when the user is detected to be an illegitimate user, not set the first interface as the outgoing interface.
In a possible embodiment, the detection module 92 includes: an acquiring unit 921 and a judging unit 922.
The acquiring unit 921 is configured to obtain the matching result between the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
The judging unit 922 is configured to judge whether the user is a legitimate user according to the matching result.
In a possible embodiment, the user characteristic information includes information representing a service type.
In a possible embodiment, the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address.
The judging unit 922 is specifically configured to judge the user to be a legitimate user when the matching ratio is greater than the predetermined threshold.
Fig. 11 is a block diagram of a MAC address migration apparatus 1900 according to an exemplary embodiment. For example, the apparatus 1900 may be provided as a server. Referring to Fig. 11, the apparatus 1900 includes a processing component 1922, which further includes one or more processors, and memory resources represented by a memory 1932 for storing instructions executable by the processing component 1922, such as application programs. The application programs stored in the memory 1932 may include one or more modules, each corresponding to a set of instructions. The processing component 1922 is configured to execute the instructions so as to perform the above method.
The apparatus 1900 may also include a power supply component 1926 configured to perform power management for the apparatus 1900, a wired or wireless network interface 1950 configured to connect the apparatus 1900 to a network, and an input/output (I/O) interface 1958. The apparatus 1900 may operate on an operating system stored in the memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or similar.
In an exemplary embodiment, a non-volatile computer-readable storage medium including instructions is also provided, for example the memory 1932 including instructions, which can be executed by the processing component 1922 of the apparatus 1900 to complete the above method.
The present disclosure may be a system, a method and/or a computer program product. The computer program product may include a computer-readable storage medium carrying computer-readable program instructions for causing a processor to implement aspects of the disclosure.
The computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction-executing device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (for example, a light pulse passing through a fiber-optic cable), or an electrical signal transmitted through a wire.
Computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
Computer-readable program instructions for carrying out operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.
Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in one or more blocks of the flowchart and/or block diagram. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the functions/acts specified in one or more blocks of the flowchart and/or block diagram.
The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer-implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in one or more blocks of the flowchart and/or block diagram.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
The embodiments of the present disclosure have been described above; the foregoing description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
Claims (12)
1. A network device MAC address configuration method, characterized by comprising:
obtaining, according to a message received on a first interface, the source MAC address and user characteristic information of the message;
when the source MAC address exists in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detecting whether the user is a legitimate user according to the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
when the user is detected to be a legitimate user, setting the outgoing interface corresponding to the source MAC address in the information table to the first interface.
2. The network device MAC address configuration method according to claim 1, characterized in that the method further comprises:
when the source MAC address does not exist in the information table, recording in the information table the correspondence between the source MAC address, the first interface, and the user characteristic information carried by the message.
3. The network device MAC address configuration method according to claim 1, characterized in that the method further comprises:
when the user is detected to be an illegitimate user, not setting the first interface as the outgoing interface.
4. The network device MAC address configuration method according to claim 1, characterized in that detecting whether the user is a legitimate user according to the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address comprises:
obtaining the matching result between the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
judging whether the user is a legitimate user according to the matching result.
5. The network device MAC address configuration method according to any one of claims 1-4, characterized in that the user characteristic information includes information representing a service type.
6. The network device MAC address configuration method according to claim 5, characterized in that
the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address;
judging whether the user is a legitimate user according to the matching result specifically comprises:
judging the user to be a legitimate user when the matching ratio is greater than a predetermined threshold.
7. A network device MAC address configuration apparatus, characterized by comprising:
an acquisition module, configured to obtain, according to a message received on a first interface, the source MAC address and user characteristic information of the message;
a detection module, configured to, when the source MAC address exists in an information table and the outgoing interface recorded in the information table for the source MAC address differs from the first interface, detect whether the user is a legitimate user according to the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
a first setting module, configured to, when the user is detected to be a legitimate user, set the outgoing interface corresponding to the source MAC address in the information table to the first interface.
8. The network device MAC address configuration apparatus according to claim 7, characterized in that the apparatus further comprises:
a recording module, configured to, when the source MAC address does not exist in the information table, record in the information table the correspondence between the source MAC address, the first interface, and the user characteristic information carried by the message.
9. The network device MAC address configuration apparatus according to claim 7, characterized in that the apparatus further comprises:
a second setting module, configured to, when the user is detected to be an illegitimate user, not set the first interface as the outgoing interface.
10. The network device MAC address configuration apparatus according to claim 7, characterized in that the detection module comprises:
an acquiring unit, configured to obtain the matching result between the user characteristic information carried by the message and the user characteristic information recorded in the information table for the source MAC address;
a judging unit, configured to judge whether the user is a legitimate user according to the matching result.
11. The network device MAC address configuration apparatus according to any one of claims 7-10, characterized in that the user characteristic information includes information representing a service type.
12. The network device MAC address configuration apparatus according to claim 11, characterized in that
the matching result is the matching ratio between the service type information carried by the message and the service type information recorded in the information table for the source MAC address;
the acquiring unit is specifically configured to judge the user to be a legitimate user when the matching ratio is greater than a predetermined threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710258099.9A CN107071085A (en) | 2017-04-19 | 2017-04-19 | Network equipment MAC Address collocation method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107071085A true CN107071085A (en) | 2017-08-18 |
Family
ID=59600576
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710258099.9A Pending CN107071085A (en) | 2017-04-19 | 2017-04-19 | Network equipment MAC Address collocation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107071085A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170818 |