CN107547336B - Method and device for adding authorized VLAN into authentication port - Google Patents


Info

Publication number
CN107547336B
Authority
CN
China
Prior art keywords
vlan
port
tag
authenticated
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710340126.7A
Other languages
Chinese (zh)
Other versions
CN107547336A (en)
Inventor
刘勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Information Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201710340126.7A
Publication of CN107547336A
Application granted
Publication of CN107547336B
Legal status: Active
Anticipated expiration

Landscapes

  • Small-Scale Networks (AREA)

Abstract

An embodiment of the invention provides a method and a device for adding an authentication port to an authorized VLAN. The method comprises: receiving a packet sent by a client to a port to be authenticated and triggering Media Access Control (MAC) authentication; when the packet is determined to carry a virtual local area network (VLAN) Tag field, determining that the port to be authenticated joins the authorized VLAN in tagged mode; and when the packet is determined not to carry a VLAN Tag field, determining that the port to be authenticated joins the authorized VLAN in untagged mode. The scheme derives the Tag attribute of the authorized VLAN from the received packet rather than from advance configuration, which improves the adaptability of adding an authentication port to an authorized VLAN.

Description

Method and device for adding authorized VLAN into authentication port
Technical Field
The invention relates to the technical field of networks, and in particular to a method and a device for adding an authentication port to an authorized VLAN.
Background
A VLAN (Virtual Local Area Network) is an end-to-end logical network built by network management software on top of a switched local area network; it can span different network segments and networks. Because VLANs are divided logically rather than physically, nodes in the same VLAN need not be within the same physical area. Broadcast and unicast traffic within one VLAN is not forwarded to other VLANs, which helps control traffic, reduce equipment investment, simplify network management and improve network security; VLAN technology is therefore widely used.
Media Access Control (MAC) authentication controls a user's network access rights based on the port and the user's MAC address. The first time a user's MAC address is detected on a port with MAC authentication enabled, authentication of that user is started; the user does not need to enter a user name or password during authentication. If authentication succeeds, the user is allowed to access network resources through the port.
After the user passes MAC authentication, a remote server, such as a remote AAA (Authentication, Authorization and Accounting) server, may issue an authorized VLAN for the authentication port of the access switch, allowing the user to access network resources in that VLAN. At present, the ways of adding a MAC authentication port to an authorized VLAN are: configuring the Tag attribute of the authorized VLAN on the server, or manually configuring the Tag attribute of the authorized VLAN on the MAC authentication port of the switch. In the first case the mode in which the authentication port joins the authorized VLAN is determined by the Tag attribute configured on the server: if the authorized VLAN issued by the server is configured with the Tag attribute, the authentication port joins the authorized VLAN in tagged mode; if the authorized VLAN issued by the server is not configured with the Tag attribute, the authentication port joins the authorized VLAN in untagged mode.
Because determining the join mode from the Tag attribute of the authorized VLAN configured on the server requires planning and configuring that attribute in advance for each kind of access user, the adaptability of adding an authentication port to an authorized VLAN is poor.
Disclosure of Invention
Embodiments of the invention aim to provide a method and a device for adding an authentication port to an authorized VLAN, so as to improve the adaptability of that operation. The specific technical scheme is as follows:
In a first aspect, an embodiment of the invention provides a method for adding an authentication port to an authorized VLAN, the method comprising:
receiving a packet sent by a client to a port to be authenticated, and triggering Media Access Control (MAC) authentication;
when the packet is determined to carry a VLAN Tag field, determining that the port to be authenticated joins the authorized VLAN in tagged mode;
and when the packet is determined not to carry a VLAN Tag field, determining that the port to be authenticated joins the authorized VLAN in untagged mode.
Optionally, receiving the packet sent by the client to the port to be authenticated and triggering MAC authentication comprises:
receiving a packet sent by a client to a port to be authenticated;
judging whether the packet carries a VLAN Tag field;
if it does, generating a new MAC event carrying a tagged VLAN ID, where the tagged VLAN ID is the VLAN ID carried in the VLAN Tag field of the packet;
if it does not, generating a new MAC event carrying the port VLAN ID (PVID), where the PVID is the VLAN ID of the default VLAN assigned to the packet;
and triggering MAC authentication according to the new MAC event.
Optionally, determining that the packet carries a VLAN Tag field comprises:
determining that the packet carries a VLAN Tag field when the new MAC event is judged to carry a tagged VLAN ID;
and determining that the packet does not carry a VLAN Tag field comprises:
determining that the packet does not carry a VLAN Tag field when the new MAC event is judged to carry the PVID.
Optionally, after receiving the packet sent by the client to the port to be authenticated and triggering MAC authentication, the method further comprises:
acquiring a first VLAN ID, namely the VLAN ID of the default VLAN of the port to be authenticated;
when the VLAN ID information carried in the new MAC event is determined to be a tagged VLAN ID, taking the tagged VLAN ID as a second VLAN ID, namely the VLAN ID of the authorized VLAN;
and when the second VLAN ID is the same as the first VLAN ID, determining that the port to be authenticated joins the authorized VLAN in untagged mode.
Optionally, after receiving the packet sent by the client to the port to be authenticated and triggering MAC authentication, the method further comprises:
when the Tag attribute configured on the authentication port has been set in advance to the highest priority, judging whether a Tag attribute of the authorized VLAN is configured on the port to be authenticated, the Tag attribute being either tagged or untagged;
if so, determining the mode in which the port to be authenticated joins the authorized VLAN according to that Tag attribute;
if not, determining that the port to be authenticated joins the authorized VLAN in tagged mode when the packet is determined to carry a VLAN Tag field, and in untagged mode when the packet is determined not to carry a VLAN Tag field.
In a second aspect, an embodiment of the invention provides a device for adding an authentication port to an authorized VLAN, the device comprising:
a triggering module, configured to receive a packet sent by a client to a port to be authenticated and to trigger MAC authentication;
a determining module, configured to determine that the port to be authenticated joins the authorized VLAN in tagged mode when the packet is determined to carry a VLAN Tag field;
the determining module being further configured to determine that the port to be authenticated joins the authorized VLAN in untagged mode when the packet is determined not to carry a VLAN Tag field.
Optionally, the triggering module comprises:
a receiving unit, configured to receive a packet sent by a client to a port to be authenticated;
a judging unit, configured to judge whether the packet carries a VLAN Tag field;
a generating unit, configured to generate a new MAC event carrying a tagged VLAN ID when the judging unit finds that the packet carries a VLAN Tag field, where the tagged VLAN ID is the VLAN ID carried in the VLAN Tag field of the packet;
the generating unit being further configured to generate a new MAC event carrying the PVID when the judging unit finds that the packet does not carry a VLAN Tag field, where the PVID is the VLAN ID of the default VLAN assigned to the packet;
and a triggering unit, configured to trigger MAC authentication according to the new MAC event.
Optionally, the determining module is specifically configured to:
determine that the packet carries a VLAN Tag field when the new MAC event is judged to carry a tagged VLAN ID;
and the determining module is further specifically configured to:
determine that the packet does not carry a VLAN Tag field when the new MAC event is judged to carry the PVID.
Optionally, the device further comprises:
an acquiring module, configured to acquire a first VLAN ID, namely the VLAN ID of the default VLAN of the port to be authenticated;
the determining module being further configured to take the tagged VLAN ID as a second VLAN ID, namely the VLAN ID of the authorized VLAN, when the VLAN ID carried in the new MAC event is determined to be a tagged VLAN ID;
the determining module being further configured to determine that the port to be authenticated joins the authorized VLAN in untagged mode when the second VLAN ID is the same as the first VLAN ID.
Optionally, the device further comprises:
a judging module, configured to judge, when the Tag attribute configured on the authentication port has been set in advance to the highest priority, whether a Tag attribute of the authorized VLAN is configured on the port to be authenticated, the Tag attribute being either tagged or untagged;
the determining module being further configured to determine, when the result of the judging module is yes, the mode in which the port to be authenticated joins the authorized VLAN according to that Tag attribute;
the determining module being further configured, when the result of the judging module is no, to determine that the port to be authenticated joins the authorized VLAN in tagged mode when the packet is determined to carry a VLAN Tag field, and in untagged mode when the packet is determined not to carry a VLAN Tag field.
In the method and the device for adding an authentication port to an authorized VLAN provided by embodiments of the invention, MAC authentication is triggered when a packet sent by a client is received. Because the packet may or may not carry a VLAN Tag field, the mode in which the port to be authenticated joins the authorized VLAN is determined dynamically during MAC authentication by judging whether the packet carries the VLAN Tag field. The Tag attribute of the authorized VLAN is thus configured automatically, without being configured in advance, which gives stronger adaptability.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a method for adding an authentication port to an authorized VLAN according to an embodiment of the invention;
Fig. 2 is a second flowchart of a method for adding an authentication port to an authorized VLAN according to an embodiment of the invention;
Fig. 3 is a third flowchart of a method for adding an authentication port to an authorized VLAN according to an embodiment of the invention;
Fig. 4 is a schematic diagram of a first structure of a device for adding an authentication port to an authorized VLAN according to an embodiment of the invention;
Fig. 5 is a schematic diagram of a second structure of a device for adding an authentication port to an authorized VLAN according to an embodiment of the invention;
Fig. 6 is a schematic diagram of a third structure of a device for adding an authentication port to an authorized VLAN according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
To improve the adaptability of adding an authentication port to an authorized VLAN, embodiments of the invention provide a method and a device for adding an authentication port to an authorized VLAN.
First, the method for adding an authentication port to an authorized VLAN according to an embodiment of the invention is described.
It should be noted that the entity executing the method may be a device that performs packet switching in a communication system, such as a switch, which at least includes a chip capable of logic processing, such as a DSP (Digital Signal Processor), an ARM (Advanced RISC Machine) processor or an FPGA (Field Programmable Gate Array). The method may be implemented by software, by a hardware circuit and/or by a logic circuit in the executing entity. It should be emphasized that the embodiments apply to different scenarios, including a client connected directly to the port and a client connected indirectly.
As shown in Fig. 1, a method for adding an authentication port to an authorized VLAN according to an embodiment of the invention comprises the following steps:
S101, receiving a packet sent by a client to a port to be authenticated, and triggering Media Access Control (MAC) authentication.
It should be noted that a packet sent from a client to a switch port may or may not already carry a VLAN Tag field when it reaches the port. For a port to be authenticated, in order to issue the authorization Tag attribute of the port automatically through MAC authentication, according to whether the received packet carries the VLAN Tag field, MAC authentication must be triggered when the packet is received.
In general, a trigger instruction may be generated according to a trigger condition, and MAC authentication is then triggered according to the trigger instruction.
Optionally, receiving the packet sent by the client to the port to be authenticated and triggering MAC authentication comprises:
First, a packet sent by a client to a port to be authenticated is received.
It should be noted that, in embodiments of the invention, the state of having received a packet sent by a client may be defined as the trigger condition.
Second, whether the packet carries a VLAN Tag field is judged.
If the packet carries a VLAN Tag field, a new MAC event carrying the tagged VLAN ID is generated.
The tagged VLAN ID is the VLAN ID carried in the VLAN Tag field of the packet. It should be noted that when the port to be authenticated receives a packet with a VLAN Tag field, the port passes that VLAN ID to the processing chip of the switch even if the VLAN ID is not in the list of VLAN IDs permitted on the port: a new MAC event carrying the VLAN ID is generated and sent to the processing chip, where the new MAC event can be understood as the trigger instruction that triggers MAC authentication.
If the packet does not carry a VLAN Tag field, a new MAC event carrying the port VLAN ID (PVID) is generated.
The PVID is the VLAN ID of the default VLAN assigned to the packet. It should be noted that when the port to be authenticated receives a packet without a VLAN Tag field, the switch assigns the PVID of the port to the packet even if the default VLAN of the port is not in the list of VLAN IDs permitted on the port, generates a new MAC event carrying the PVID, and sends it to the processing chip of the switch, where the new MAC event can be understood as the trigger instruction that triggers MAC authentication.
Finally, MAC authentication is triggered according to the new MAC event.
It should be noted that the new MAC event serves as the trigger instruction for MAC authentication: when the processing chip receives the new MAC event, MAC authentication may be started. The MAC authentication process may be performed by the processing chip of the switch.
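The following is an added example, not code from the patent or from H3C, showing step S101 on a raw Ethernet frame: detect the IEEE 802.1Q Tag field, take the tagged VLAN ID from it or fall back to the port's PVID, and build the new MAC event. The names MacEvent, parse_8021q_vid, build_mac_event and make_frame are this example's own, as is the decision to treat a priority-tagged frame (VID 0) as untagged and to reject the reserved VID 4095; the patent does not discuss either case. The sample frames are constructed inside the block, not captured traffic.

```python
# Added example (not from the patent or H3C): building the "new MAC event"
# of step S101 from a raw Ethernet frame received on the port to be
# authenticated. Names and the VID 0 / 4095 handling are assumptions.
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class MacEvent:
    """Trigger instruction handed to the processing chip (S101)."""
    src_mac: str
    port: str
    vlan_id: int    # tagged VLAN ID from the frame, or the port PVID
    tagged: bool    # True: vlan_id is the tagged VLAN ID; False: it is the PVID


def parse_8021q_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of a single 802.1Q tag, or None when the frame is untagged.

    Checks beyond the patent text: a truncated tag is rejected, the reserved
    VID 4095 is rejected, and a priority-tagged frame (VID 0) counts as
    untagged because it names no VLAN. The tag is client-supplied input.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but tag control information is truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == 0x0FFF:
        raise ValueError("reserved VLAN ID 4095 in tag")
    return None if vid == 0 else vid


def build_mac_event(frame: bytes, port: str, pvid: int) -> MacEvent:
    """S101: a tagged frame yields an event carrying its VLAN ID; an untagged
    frame yields an event carrying the port's PVID."""
    src_mac = frame[6:12].hex(":")
    vid = parse_8021q_vid(frame)
    if vid is None:
        return MacEvent(src_mac, port, pvid, tagged=False)
    return MacEvent(src_mac, port, vid, tagged=True)


def make_frame(src: bytes, dst: bytes, vlan: Optional[int],
               payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame (test input for this example, not captured traffic)."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")   # constructed client MAC
    bcast = b"\xff" * 6
    for label, frame in (("tagged VLAN 100", make_frame(client, bcast, 100)),
                         ("untagged", make_frame(client, bcast, None)),
                         ("priority-tagged", make_frame(client, bcast, 0))):
        print(label, "->", build_mac_event(frame, "GE1/0/1", pvid=1))
```

The tagged/untagged flag in the event is what steps S102 and S103 later consult; the VLAN ID itself is forwarded to the processing chip even when it is not permitted on the port, exactly as the text above describes, so any range validation has to happen here.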
S102, when the packet is determined to carry a VLAN Tag field, determining that the port to be authenticated joins the authorized VLAN in tagged mode.
It should be noted that after receiving the new MAC event the processing chip of the switch executes the MAC authentication process. Since a packet either carries or does not carry a VLAN Tag field, and the Tag attribute of the port to be authenticated should correspond to whether the packet carries the VLAN Tag field, it is necessary to determine whether the packet carries the VLAN Tag field before determining the Tag attribute of the port.
Optionally, determining that the packet carries a VLAN Tag field comprises:
determining that the packet carries a VLAN Tag field when the new MAC event is judged to carry a tagged VLAN ID.
It should be noted that the VLAN ID value carried in the new MAC event is generated according to whether the packet carries a VLAN Tag field, and a packet with a VLAN Tag field yields a new MAC event carrying a tagged VLAN ID. Finding that the new MAC event carries a tagged VLAN ID therefore establishes that the packet carries a VLAN Tag field, and hence that the port to be authenticated joins the authorized VLAN in tagged mode; the VLAN ID of the authorized VLAN is the tagged VLAN ID.
S103, when the packet does not carry a VLAN Tag field, determining that the port to be authenticated joins the authorized VLAN in untagged mode.
It should be noted that when the packet does not carry a VLAN Tag field, existing VLAN technology requires the port to be configured untagged in order to forward the packet without a Tag.
Optionally, determining that the packet does not carry a VLAN Tag field comprises:
determining that the packet does not carry a VLAN Tag field when the new MAC event is judged to carry the PVID.
It should be noted that the VLAN ID value carried in the new MAC event is generated according to whether the packet carries a VLAN Tag field, and a packet without a VLAN Tag field yields a new MAC event carrying the PVID. Finding that the new MAC event carries the PVID therefore establishes that the packet does not carry a VLAN Tag field, and hence that the port to be authenticated joins the authorized VLAN in untagged mode. In practice, for a directly connected client the original VLAN of the client is the default VLAN of the port to be authenticated, and when an untagged packet is received the port automatically joins the authorized VLAN in untagged mode after the client passes authentication. For an indirectly connected client, the original VLAN of the client and the authorized VLAN are generally the same VLAN.
It can be seen from the above that the mode in which the port to be authenticated joins the authorized VLAN is determined automatically from the received packet, through MAC authentication in the processing chip of the switch; this process may therefore be called automatic Tag mode. In automatic Tag mode, the Tag attribute of the authorized VLAN configured automatically by the switch takes priority over the conventional Tag attribute of the authorized VLAN configured on the server and the Tag attribute of the authorized VLAN configured manually on the MAC authentication port of the switch.
By applying this embodiment, MAC authentication is triggered when a packet sent by a client is received, and because the packet may or may not carry a VLAN Tag field, the mode in which the port to be authenticated joins the authorized VLAN is determined dynamically during MAC authentication by judging whether the packet carries the VLAN Tag field. The Tag attribute of the authorized VLAN need not be configured in advance; it is configured automatically, which gives strong adaptability.
Based on the embodiment of Fig. 1, as shown in Fig. 2, another method for adding an authentication port to an authorized VLAN is provided in an embodiment of the invention; after S101 the method further comprises the following steps:
S201, acquiring a first VLAN ID, namely the VLAN ID of the default VLAN of the port to be authenticated.
It should be noted that the default VLAN is usually planned in advance, so the VLAN ID of the default VLAN of the port to be authenticated can be read directly.
S202, when the VLAN ID information carried in the new MAC event is determined to be a tagged VLAN ID, taking the tagged VLAN ID as a second VLAN ID, namely the VLAN ID of the authorized VLAN.
S203, when the second VLAN ID is the same as the first VLAN ID, determining that the port to be authenticated joins the authorized VLAN in untagged mode.
It should be noted that for a new MAC event carrying the PVID, the port joins the authorized VLAN in untagged mode according to the VLAN ID of the default VLAN, as described above. For a new MAC event carrying a tagged VLAN ID, that is, a packet with a VLAN Tag field, the port normally joins the authorized VLAN in tagged mode according to the tagged VLAN ID in the VLAN Tag field. If, however, the tagged VLAN ID is the same as the VLAN ID of the default VLAN, it is ambiguous whether the port should join the authorized VLAN tagged or untagged, which can cause false alarms and other misoperation. For this situation the embodiment therefore specifies that the port to be authenticated joins the authorized VLAN in untagged mode, so that misoperation is avoided.
It should be emphasized that S101 to S103 are identical to the embodiment of Fig. 1 and are not described again here.
By applying this embodiment, MAC authentication is triggered when a packet sent by a client is received, and because the packet may or may not carry a VLAN Tag field, the mode in which the port to be authenticated joins the authorized VLAN is determined dynamically during MAC authentication by judging whether the packet carries the VLAN Tag field; the Tag attribute of the authorized VLAN is configured automatically rather than in advance, which gives strong adaptability. In addition, when the packet carries a VLAN Tag field and the tagged VLAN ID is the same as the VLAN ID of the default VLAN, the port to be authenticated joins the authorized VLAN in untagged mode, so that misoperation is avoided.
Based on the embodiment of Fig. 1, as shown in Fig. 3, another method for adding an authentication port to an authorized VLAN is provided in an embodiment of the invention; after S101 the method further comprises the following steps:
S301, when the Tag attribute configured on the authentication port has been set to the highest priority, judging whether a Tag attribute of the authorized VLAN is configured on the port to be authenticated; if so, executing S302, otherwise executing S102.
The Tag attribute is either tagged or untagged. It should be noted that some special clients require special handling, for example a client that first sends a packet without a VLAN Tag field and then sends packets with a VLAN Tag field. Because the packet without the VLAN Tag field is received first and triggers MAC authentication, in automatic Tag mode the port to be authenticated joins the authorized VLAN in untagged mode. When the port later receives packets with a VLAN Tag field from the same client, MAC authentication is not triggered again, the port is not re-added to the authorized VLAN in tagged mode, and the client cannot access the network.
For this situation the Tag attribute configured on the port to be authenticated may be given the highest priority: for example, the port hybrid VLAN-list { tagged | untagged } configuration on the port is given priority over automatic Tag mode, that is, if a Tag attribute of the authorized VLAN is configured on the port, the port configuration prevails. Therefore, when the port-configured Tag attribute has the highest priority, it is first judged whether a Tag attribute of the authorized VLAN is configured on the port to be authenticated. If it is, the mode in which the port to be authenticated joins the authorized VLAN is determined according to that Tag attribute; if it is not, the mode may be determined according to the automatic Tag mode of the embodiment of Fig. 1.
S302, determining the mode in which the port to be authenticated joins the authorized VLAN according to the Tag attribute.
It should be noted that if a Tag attribute of the authorized VLAN is configured on the port to be authenticated, the join mode follows it directly: if the configured Tag attribute is tagged, the port to be authenticated joins the authorized VLAN in tagged mode; if the configured Tag attribute is untagged, the port to be authenticated joins the authorized VLAN in untagged mode.
It should be emphasized that S101 to S103 are identical to the embodiment of Fig. 1 and are not described again here.
By applying this embodiment, MAC authentication is triggered when a packet sent by a client is received, and because the packet may or may not carry a VLAN Tag field, the mode in which the port to be authenticated joins the authorized VLAN is determined dynamically during MAC authentication by judging whether the packet carries the VLAN Tag field; the Tag attribute of the authorized VLAN is configured automatically rather than in advance, which gives strong adaptability. In addition, for a client that sends different kinds of packets in turn, the success rate of the client accessing the network is improved.
It should be noted that another embodiment of the method for adding an authentication port to an authorized VLAN may include S101 to S103 of Fig. 1, S201 to S203 of Fig. 2, and S301 and S302 of Fig. 3 together.
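The following is an added example, not code from the patent or from H3C, of the combined embodiment just mentioned: the tag-mode decision of S102/S103, the default-VLAN check of S201 to S203, and the port-configuration override of S301/S302, together with a per-MAC session table that reproduces the "untagged first, tagged later" failure of Fig. 3 and shows how the override resolves it. The names TagMode, MacEvent, PortState, decide_tag_mode and MacAuthPort are this example's own; the port's manual port hybrid VLAN-list { tagged | untagged } configuration is modelled as a dict; and the authorized VLAN ID is passed in by the caller as the value issued by the AAA server described in the Background, which is an assumption about how the pieces fit together rather than something the patent text states.

```python
# Added example (not from the patent or H3C): the Tag-mode decision of
# S102/S103 with the Fig. 2 (S201-S203) and Fig. 3 (S301/S302) refinements,
# plus a per-MAC session table. Names and the dict-based port configuration
# are assumptions; the authorized VLAN ID is supplied by the caller.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple


class TagMode(Enum):
    TAGGED = "tagged"
    UNTAGGED = "untagged"


@dataclass(frozen=True)
class MacEvent:
    """The new MAC event from S101, reduced to what S102 onwards needs."""
    vlan_id: int    # tagged VLAN ID from the frame, or the port PVID
    tagged: bool    # True: carries a tagged VLAN ID; False: carries the PVID


@dataclass
class PortState:
    pvid: int                                      # first VLAN ID: the default VLAN (S201)
    hybrid_vlan_config: Dict[int, TagMode] = field(default_factory=dict)  # manual Tag attribute per VLAN
    port_config_has_priority: bool = True          # precondition of S301


def decide_tag_mode(event: MacEvent, port: PortState, authorized_vlan: int) -> TagMode:
    """Return the mode in which the port joins authorized_vlan."""
    # S301/S302: a manually configured Tag attribute for the authorized VLAN wins.
    if port.port_config_has_priority:
        configured = port.hybrid_vlan_config.get(authorized_vlan)
        if configured is not None:
            return configured
    # S103: the event carries the PVID (untagged frame) -> join untagged.
    if not event.tagged:
        return TagMode.UNTAGGED
    # S203: the tagged VLAN ID equals the default VLAN -> join untagged.
    if event.vlan_id == port.pvid:
        return TagMode.UNTAGGED
    # S102: any other tagged frame -> join tagged.
    return TagMode.TAGGED


class MacAuthPort:
    """MAC authentication runs once per client MAC, so the first frame from a
    client fixes the Tag mode for that client until its session ends."""

    def __init__(self, state: PortState) -> None:
        self.state = state
        self.sessions: Dict[str, Tuple[int, TagMode]] = {}

    def on_frame(self, src_mac: str, event: MacEvent, authorized_vlan: int) -> Tuple[int, TagMode]:
        if src_mac in self.sessions:
            # Already authenticated: a later frame does not re-trigger MAC
            # authentication, so the mode chosen for the first frame stays.
            return self.sessions[src_mac]
        mode = decide_tag_mode(event, self.state, authorized_vlan)
        self.sessions[src_mac] = (authorized_vlan, mode)
        return self.sessions[src_mac]


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed client MAC
    untagged_first = MacEvent(vlan_id=1, tagged=False)
    tagged_later = MacEvent(vlan_id=100, tagged=True)
    # Automatic Tag mode only: the client is stuck untagged after its first frame.
    auto = MacAuthPort(PortState(pvid=1))
    print("auto  :", auto.on_frame(mac, untagged_first, 100), auto.on_frame(mac, tagged_later, 100))
    # Fig. 3 override: VLAN 100 configured tagged on the port takes priority.
    fixed = MacAuthPort(PortState(pvid=1, hybrid_vlan_config={100: TagMode.TAGGED}))
    print("fixed :", fixed.on_frame(mac, untagged_first, 100), fixed.on_frame(mac, tagged_later, 100))
```

The session table is the part the patent text leaves implicit: S301's override matters only because the decision is taken once per MAC address, so a wrong first decision persists for the whole session.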
Corresponding to the foregoing method embodiments, an embodiment of the invention provides a device for adding an authentication port to an authorized VLAN; as shown in Fig. 4, the device comprises:
a triggering module 410, configured to receive a packet sent by a client to a port to be authenticated and to trigger MAC authentication;
a determining module 420, configured to determine that the port to be authenticated joins the authorized VLAN in tagged mode when the packet is determined to carry a VLAN Tag field;
the determining module 420 being further configured to determine that the port to be authenticated joins the authorized VLAN in untagged mode when the packet is determined not to carry a VLAN Tag field.
By applying this embodiment, MAC authentication is triggered when a packet sent by a client is received, and because the packet may or may not carry a VLAN Tag field, the mode in which the port to be authenticated joins the authorized VLAN is determined dynamically during MAC authentication by judging whether the packet carries the VLAN Tag field; the Tag attribute of the authorized VLAN is configured automatically rather than in advance, which gives strong adaptability.
Optionally, the triggering module 410 includes:
the receiving unit is used for receiving a message sent by a user side to a port to be authenticated;
a judging unit, configured to judge whether the message carries a VLAN Tag field;
a generating unit, configured to generate a new MAC event carrying a marked VLAN ID when the judgment result of the judging unit is that the message carries a VLAN Tag field, where the marked VLAN ID is: the VLAN ID information carried by the VLAN Tag field in the message;
the generating unit is further configured to generate a new MAC event carrying a PVID when the judgment result of the judging unit is that the message does not carry a VLAN Tag field, where the PVID is: the VLAN ID information of the default VLAN allocated to the message;
and the triggering unit is used for triggering the MAC authentication according to the new MAC event.
Optionally, the determining module 420 is specifically configured to:
when the new MAC event is judged to carry the marked VLAN ID, determine that the message carries a VLAN Tag field;
and the determining module 420 is further specifically configured to:
when the new MAC event is judged to carry the PVID, determine that the message does not carry a VLAN Tag field.
It should be noted that the device for adding the authorized VLAN to the authentication port in the embodiment of the present invention is a device that applies the method for adding the authorized VLAN to the authentication port, and all embodiments of the method for adding the authorized VLAN to the authentication port are applicable to the device for adding the authorized VLAN to the authentication port, and can achieve the same or similar beneficial effects.
Further, on the basis of including the triggering module 410 and the determining module 420, as shown in fig. 5, the apparatus for authenticating a port to join an authorized VLAN according to the embodiment of the present invention further includes:
an obtaining module 510, configured to obtain a first VLAN ID of a default VLAN of the port to be authenticated;
the determining module 420 is further configured to, when the VLAN ID carried in the new MAC event is determined to be a marked VLAN ID, determine the marked VLAN ID to be a second VLAN ID of an authorized VLAN;
the determining module 420 is further configured to determine that the port to be authenticated is added to the authorized VLAN in a Tag-free manner when the second VLAN ID is the same as the first VLAN ID.
By applying the embodiment, when a message sent by a user side is received, the MAC authentication is triggered, and since the message may or may not carry the VLAN Tag field, in the MAC authentication process, the way of adding the port to be authenticated to the authorized VLAN is dynamically determined by judging whether the message carries the VLAN Tag field, and the Tag attribute of the authorized VLAN does not need to be configured in advance, so that the automatic configuration of the Tag attribute of the authorized VLAN is realized, and the method has strong adaptability. Moreover, when the message carries a VLAN Tag field but the marked VLAN ID is the same as the VLAN ID of the default VLAN, the port to be authenticated is added to the authorized VLAN in a Tag-free manner, so that misoperation is avoided.
Further, on the basis of including the triggering module 410 and the determining module 420, as shown in fig. 6, the apparatus for authenticating a port to join an authorized VLAN according to the embodiment of the present invention further includes:
a judging module 610, configured to judge, when the priority of the Tag attribute configured on the authentication port is preset to be the highest, whether a Tag attribute of the authorized VLAN is configured on the port to be authenticated, where the Tag attribute is either Tag-carrying or Tag-free;
the determining module 420 is further configured to determine, when the judgment result of the judging module 610 is yes, the manner in which the port to be authenticated is added to the authorized VLAN according to the Tag attribute;
the determining module 420 is further configured to, when the judgment result of the judging module 610 is no, determine that the port to be authenticated is added to the authorized VLAN in a Tag-carrying manner when it is determined that the message carries a VLAN Tag field, and determine that the port to be authenticated is added to the authorized VLAN in a Tag-free manner when it is determined that the message does not carry a VLAN Tag field.
By applying the embodiment, when a message sent by a user side is received, the MAC authentication is triggered, and since the message may or may not carry the VLAN Tag field, in the MAC authentication process, the way of adding the port to be authenticated to the authorized VLAN is dynamically determined by judging whether the message carries the VLAN Tag field, and the Tag attribute of the authorized VLAN does not need to be configured in advance, so that the automatic configuration of the Tag attribute of the authorized VLAN is realized, and the method has strong adaptability. Moreover, for the case where the same user side sends different messages in turn, the success rate of the user side in accessing the network is improved.
It is understood that, in another embodiment of the present invention, the apparatus for authenticating a port to join an authorized VLAN may include: a triggering module 410, a determining module 420, an obtaining module 510, and a judging module 610.
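The flow described by the triggering module 410, determining module 420, obtaining module 510 and judging module 610 (and again by claims 1, 3 and 4 below) is shown here as an added worked example written by the editor in Python; it is not code from the patent or from H3C. The Ethernet and 802.1Q header layout follows the IEEE standards; everything else (the MacEvent structure, the function names make_mac_event, decide_join_mode, authorize_port and build_frame, the "tagged"/"untagged" strings standing for the Tag-carrying and Tag-free manners, treating an 802.1ad S-tag as a carried VLAN Tag, and treating a priority-tagged frame with VID 0 as untagged) is the editor's assumption, and the sample frames are constructed, not captured:

```python
# Added example (editor's code, not the patent's): trigger -> judge -> decide flow for
# adding an authentication port to an authorized VLAN. Names and the handling of
# S-tags and VID 0 are assumptions; only the header layouts come from IEEE 802.1Q.
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100    # C-tag TPID
TPID_8021AD = 0x88A8   # S-tag TPID (QinQ); assumed here to count as "carries a VLAN Tag"
TAGGED = "tagged"      # the patent's "Tag-carrying manner"
UNTAGGED = "untagged"  # the patent's "Tag-free manner"


@dataclass(frozen=True)
class MacEvent:
    """The 'new MAC event' generated by the triggering module (assumed structure)."""
    src_mac: str
    vlan_id: int   # marked VLAN ID when tagged is True, otherwise the port's PVID
    tagged: bool


def make_mac_event(frame: bytes, pvid: int) -> MacEvent:
    """Triggering module: judge whether the frame carries a VLAN Tag field and
    generate a MAC event carrying either the marked VLAN ID or the PVID."""
    if len(frame) < 14:
        raise ValueError("runt frame: no complete Ethernet header")
    src_mac = frame[6:12].hex(":")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated frame: TPID present but TCI missing")
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        # Assumption beyond the patent text: VID 0 is a priority-tagged frame with no
        # VLAN membership, so it is treated like an untagged frame (802.1Q semantics).
        if vid != 0:
            return MacEvent(src_mac, vid, True)
    return MacEvent(src_mac, pvid, False)


def decide_join_mode(event: MacEvent, pvid: int,
                     configured_tag_attr: Optional[str] = None,
                     config_has_highest_priority: bool = True) -> str:
    """Determining module: choose how the port joins the authorized VLAN."""
    # Judging module 610 / claim 4: a Tag attribute already configured on the port
    # wins when its priority is preset highest.
    if config_has_highest_priority and configured_tag_attr in (TAGGED, UNTAGGED):
        return configured_tag_attr
    if not event.tagged:
        return UNTAGGED                 # PVID event -> Tag-free manner
    # Obtaining module 510 / claim 3: a marked VLAN ID equal to the default VLAN's
    # ID means the port joins without a Tag, avoiding a misoperation.
    if event.vlan_id == pvid:
        return UNTAGGED
    return TAGGED                       # marked VLAN ID -> Tag-carrying manner


def authorize_port(frame: bytes, pvid: int,
                   configured_tag_attr: Optional[str] = None) -> Tuple[int, str]:
    """Whole flow for one received frame: returns (authorized VLAN ID, join mode)."""
    event = make_mac_event(frame, pvid)
    return event.vlan_id, decide_join_mode(event, pvid, configured_tag_attr)


def build_frame(src_mac: str, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a minimal broadcast ARP frame (sample input, not a captured packet)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(src_mac.replace(":", ""))
    ethertype = struct.pack("!H", 0x0806)        # ARP
    payload = b"\x00" * 46                       # pad to the 46-byte minimum payload
    if vid is None:
        return dst + src + ethertype + payload
    tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)     # PCP(3) DEI(1) VID(12)
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + ethertype + payload


if __name__ == "__main__":
    pvid = 10
    for label, frame, attr in [
        ("untagged client", build_frame("00:11:22:33:44:55"), None),
        ("tagged VID 20", build_frame("00:11:22:33:44:55", vid=20), None),
        ("tagged VID 10 == PVID", build_frame("00:11:22:33:44:55", vid=10), None),
        ("priority-tagged VID 0", build_frame("00:11:22:33:44:55", vid=0, pcp=5), None),
        ("untagged, port configured tagged", build_frame("00:11:22:33:44:55"), TAGGED),
    ]:
        print(f"{label:34s} -> {authorize_port(frame, pvid, attr)}")
```

One point worth noticing when reading the code against claim 3: in the tagged case the authorized VLAN ID is taken from the client's own 802.1Q header. Which VLAN IDs a given port may actually be authorized into is outside the patent text and is not enforced here; in a deployment that bound would normally come from the authentication server's reply or from the switch's own VLAN configuration.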
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A method for authenticating a port for joining an authorized VLAN, the method comprising:
receiving a message sent by a user side to a port to be authenticated, and triggering Media Access Control (MAC) authentication;
when the message is determined to carry a VLAN Tag field, determining that the port to be authenticated is added into an authorized VLAN in a Tag carrying mode;
when determining that the message does not carry a VLAN Tag field, determining that the port to be authenticated is added into an authorized VLAN in a Tag-free mode;
the receiving of the message sent by the user side to the port to be authenticated triggers MAC authentication, including:
receiving a message sent by a user side to a port to be authenticated;
judging whether the message carries a VLAN Tag field or not;
if so, generating a new MAC event carrying a marked VLAN ID, wherein the marked VLAN ID is: the VLAN ID information carried by the VLAN Tag field in the message;
if not, generating a new MAC event carrying a port VLAN ID (PVID), wherein the PVID is: the VLAN ID information of the default VLAN allocated to the message;
and triggering MAC authentication according to the new MAC event.
2. The method of claim 1, wherein the determining that the packet carries a VLAN Tag field comprises:
when the new MAC event is judged to carry the marked VLAN ID, determining that the message carries a VLAN Tag field;
the determining that the message does not carry a VLAN Tag field includes:
and when the new MAC event is judged to carry the PVID, determining that the message does not carry the VLAN Tag field.
3. The method according to claim 1, wherein after receiving the message sent by the user side to the port to be authenticated and triggering MAC authentication, the method further comprises:
acquiring a first VLAN ID of a default VLAN of the port to be authenticated;
when the VLAN ID information carried in the new MAC event is determined to be a marked VLAN ID, determining the marked VLAN ID to be a second VLAN ID of an authorized VLAN;
and when the second VLAN ID is the same as the first VLAN ID, determining that the port to be authenticated is added into an authorized VLAN in a Tag-free mode.
4. The method according to claim 1, wherein after receiving the message sent by the user side to the port to be authenticated and triggering MAC authentication, the method further comprises:
when the priority of the Tag attribute configured on the authentication port is preset to be the highest, judging whether the Tag attribute of the authorized VLAN is configured on the port to be authenticated, wherein the Tag attribute is either Tag-carrying or Tag-free;
if so, determining a mode of adding the port to be authenticated into the authorized VLAN according to the Tag attribute;
if not, when determining that the message carries a VLAN Tag field, determining that the port to be authenticated is added to an authorized VLAN in a Tag-carrying manner; and when determining that the message does not carry a VLAN Tag field, determining that the port to be authenticated is added into the authorized VLAN in a Tag-free mode.
5. An apparatus for authenticating a port for joining an authorized VLAN, the apparatus comprising:
the trigger module is used for receiving a message sent by a user side to a port to be authenticated and triggering MAC authentication;
the determining module is used for determining that the port to be authenticated is added to the authorized VLAN in a Tag-carrying mode when the VLAN Tag field is determined to be carried in the message;
the determining module is further configured to determine that the port to be authenticated is added to an authorized VLAN in a manner without Tag when it is determined that the VLAN Tag field is not carried in the message;
the trigger module includes:
the receiving unit is used for receiving a message sent by a user side to a port to be authenticated;
a judging unit, configured to judge whether the message carries a VLAN Tag field;
a generating unit, configured to generate a new MAC event carrying a marked VLAN ID when the judgment result of the judging unit is that the message carries a VLAN Tag field, where the marked VLAN ID is: the VLAN ID information carried by the VLAN Tag field in the message;
the generating unit is further configured to generate a new MAC event carrying a PVID when the judgment result of the judging unit is that the message does not carry a VLAN Tag field, where the PVID is: the VLAN ID information of the default VLAN allocated to the message;
and the triggering unit is used for triggering the MAC authentication according to the new MAC event.
6. The apparatus of claim 5, wherein the determining module is specifically configured to:
when the new MAC event is judged to carry the marked VLAN ID, determining that the message carries a VLAN Tag field;
the determining module is specifically further configured to:
and when the new MAC event is judged to carry the PVID, determining that the message does not carry the VLAN Tag field.
7. The apparatus of claim 5, further comprising:
the acquiring module is used for acquiring a first VLAN ID of a default VLAN of the port to be authenticated;
the determining module is further configured to, when the VLAN ID carried in the new MAC event is determined to be a marked VLAN ID, determine the marked VLAN ID to be a second VLAN ID of an authorized VLAN;
the determining module is further configured to determine that the port to be authenticated is added to the authorized VLAN without Tag when the second VLAN ID is the same as the first VLAN ID.
8. The apparatus of claim 5, further comprising:
the device comprises a judging module, a judging module and a judging module, wherein the judging module is used for judging whether the Tag attribute of an authorized VLAN is configured on a port to be authenticated when the priority of the Tag attribute configured on the authentication port is preset to be the highest, and the Tag attribute comprises a Tag and no Tag;
the determining module is further configured to determine, when the determination result of the determining module is yes, a manner in which the port to be authenticated is added to the authorized VLAN according to the Tag attribute;
the determining module is further configured to determine that the port to be authenticated is added to the authorized VLAN in a Tag-carrying manner when the determination result of the determining module is negative and when the VLAN Tag field is determined to be carried in the message; and when determining that the message does not carry a VLAN Tag field, determining that the port to be authenticated is added into the authorized VLAN in a Tag-free mode.
CN201710340126.7A 2017-05-15 2017-05-15 Method and device for adding authorized VLAN into authentication port Active CN107547336B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710340126.7A CN107547336B (en) 2017-05-15 2017-05-15 Method and device for adding authorized VLAN into authentication port

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710340126.7A CN107547336B (en) 2017-05-15 2017-05-15 Method and device for adding authorized VLAN into authentication port

Publications (2)

Publication Number Publication Date
CN107547336A CN107547336A (en) 2018-01-05
CN107547336B true CN107547336B (en) 2020-11-06

Family

ID=60966886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710340126.7A Active CN107547336B (en) 2017-05-15 2017-05-15 Method and device for adding authorized VLAN into authentication port

Country Status (1)

Country Link
CN (1) CN107547336B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109327462B (en) * 2018-11-14 2020-10-27 盛科网络(苏州)有限公司 MAC address authentication method based on L2VPN network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102188A (en) * 2006-07-07 2008-01-09 华为技术有限公司 A method and system for mobile access to VLAN
CN101197785A (en) * 2008-01-04 2008-06-11 杭州华三通信技术有限公司 MAC authentication method and apparatus
CN101702679A (en) * 2009-11-26 2010-05-05 福建星网锐捷网络有限公司 Message processing method and exchange apparatus based on virtual local area network
CN101860551A (en) * 2010-06-25 2010-10-13 神州数码网络(北京)有限公司 Multi-user authentication method and system under single access port
CN104660527A (en) * 2015-03-20 2015-05-27 上海斐讯数据通信技术有限公司 Service switch, virtual local area network (VLAN)-spanning point-to-point protocol over Ethernet (PPPoE) network system and VLAN-spanning PPPoE network method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100238813A1 (en) * 2006-06-29 2010-09-23 Nortel Networks Limited Q-in-Q Ethernet rings

Also Published As

Publication number Publication date
CN107547336A (en) 2018-01-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230629

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right