Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method and an apparatus for determining a terminal access position, which can determine the terminal access position for different terminal devices or different types of terminal devices, improve positioning accuracy, reduce manual workload, and further sense dynamic changes in the connection relationship of the terminal devices, raising an alarm and disabling the port for devices that access the network illegally.
In view of the above object, an aspect of the embodiments of the present invention provides a method for determining a terminal access location, including the following steps:
scanning an IP table, a MAC table and an ARP table of a core switch, and determining an IP-MAC correspondence and a port-MAC correspondence of the core switch;
cyclically acquiring the MAC tables of all access switches, matching them against the ARP tables of the access switches, and determining the connection relationship between all terminal devices and the ports of the access switches;
and determining the real access positions of all terminal devices according to the link states of the ports of the access switches.
In some embodiments, scanning an IP table, a MAC table, and an ARP table of a core switch, and determining an IP-MAC correspondence and a port-MAC correspondence of the core switch comprises:
scanning an IP table of a core switch and determining an IP range;
actively scanning the IP range and updating a MAC table and an ARP table of the core switch;
scanning an ARP table of a core switch and determining an IP-MAC corresponding relation;
and scanning the MAC table of the core switch and determining the port-MAC correspondence.
In some embodiments, cyclically acquiring the MAC tables of all access switches, matching them against the ARP tables of the access switches, and determining the connection relationship between all terminal devices and the ports of the access switches comprises:
cyclically acquiring the MAC tables of all access switches and updating the port-MAC correspondence;
and matching the port-MAC correspondence against the ARP table of the access switch to obtain the IP-port correspondence of all terminal devices, and taking the IP-port correspondence as the connection relationship between all terminal devices and the ports of the access switch.
In some embodiments, determining the true access locations of all end devices from the link states of the ports of the access switch comprises:
determining the link state (port mode) of each port of the access switch as Access or Trunk;
determining a port whose link state is Access as the real access position of the corresponding terminal device;
and determining a port whose link state is Trunk as a suspected access position of the corresponding terminal device, and further scanning the access switch directly connected to that Trunk port to determine the real access position of the corresponding terminal device.
In some embodiments, the core switch and all access switches have the SNMP (Simple Network Management Protocol) service enabled.
In some embodiments, the terminal device is a single device or a hub that is connected to multiple devices simultaneously.
In another aspect of the embodiments of the present invention, an apparatus for determining a terminal access position is also provided, which uses the above method.
In another aspect of the embodiments of the present invention, there is also provided a computer device including a memory, at least one processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to perform the method described above.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, which stores a computer program, and the computer program, when executed by a processor, performs the above-mentioned method.
In another aspect of the embodiments of the present invention, there is also provided a computer program product including a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the above method.
The invention has the following beneficial technical effects: the method and apparatus for determining a terminal access position provided by the embodiments of the invention determine the IP-MAC correspondence and the port-MAC correspondence of the core switch, determine the connection relationship between all terminal devices and the ports of the access switches, and determine the real access positions of all terminal devices. They can therefore determine the terminal access position for different terminal devices or different types of terminal devices, improving positioning accuracy and reducing manual workload, and can further sense dynamic changes in the connection relationship of the terminal devices, raise an alarm for illegally accessed devices and disable the port.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities that have the same name but are not the same entity, or that have different parameters; "first" and "second" are merely for convenience of description and should not be construed as limiting the embodiments of the present invention, and this is not repeated in the following embodiments.
In view of the above object, a first aspect of the embodiments of the present invention proposes a first embodiment of a method for determining a terminal access position for different terminal devices or different types of terminal devices. Fig. 1 is a schematic flow chart illustrating a method for determining an access location of a terminal according to a first embodiment of the present invention.
The method for determining the access position of the terminal comprises the following steps:
step S101, scanning an IP table, a MAC table and an ARP table of a core switch, and determining the IP-MAC correspondence and the port-MAC correspondence of the core switch;
step S103, cyclically acquiring the MAC tables of all access switches, matching them against the ARP tables of the access switches, and determining the connection relationship between all terminal devices and the ports of the access switches;
step S105, determining the real access positions of all terminal devices according to the link states of the ports of the access switches.
Optionally, determining the real access location of a terminal device means determining the link relationship (port) from known terminal device information (for example, its MAC address) according to the correspondence between IP, MAC and port, and reaching the terminal device along that link through its logical address (IP).
In some embodiments, scanning an IP table, a MAC table, and an ARP table of a core switch, and determining an IP-MAC correspondence and a port-MAC correspondence of the core switch comprises:
scanning an IP table of a core switch and determining an IP range;
actively scanning the IP range and updating a MAC table and an ARP table of the core switch;
scanning an ARP table of a core switch and determining an IP-MAC corresponding relation;
and scanning the MAC table of the core switch and determining the port-MAC correspondence.
In some embodiments, cyclically acquiring the MAC tables of all access switches, matching them against the ARP tables of the access switches, and determining the connection relationship between all terminal devices and the ports of the access switches comprises:
cyclically acquiring the MAC tables of all access switches and updating the port-MAC correspondence;
and matching the port-MAC correspondence against the ARP table of the access switch to obtain the IP-port correspondence of all terminal devices, and taking the IP-port correspondence as the connection relationship between all terminal devices and the ports of the access switch.
In some embodiments, determining the true access locations of all end devices from the link states of the ports of the access switch comprises:
determining the link state (port mode) of each port of the access switch as Access or Trunk;
determining a port whose link state is Access as the real access position of the corresponding terminal device;
and determining a port whose link state is Trunk as a suspected access position of the corresponding terminal device, and further scanning the access switch directly connected to that Trunk port to determine the real access position of the corresponding terminal device.
Optionally, further scanning the access switch directly connected to the Trunk port may again yield a Trunk port on which the MAC address is learned; scanning then continues switch by switch until an Access port is obtained. The Access port is the true access position of the device, whereas a Trunk port is only one point on an available link path toward the device. By using the Access port as the effective port for identifying a device, the embodiment of the invention can locate the true position of the device more accurately.
In some embodiments, the SNMP service is turned on by both the core switch and all access switches.
Optionally, the SNMP service is configured to allow other devices to obtain internal information of the local switch through the protocol. In the invention, operations such as acquiring the MAC table of an access switch require the support of the SNMP service on that switch.
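The table scans of steps S101 and S103 are performed over SNMP. The following is an added illustrative example, not part of the embodiments described above, showing how the raw output of an SNMP walk is turned into the IP-MAC correspondence (from the ARP table, IP-MIB ipNetToMediaTable) and the port-MAC correspondence (from the MAC forwarding table, BRIDGE-MIB dot1dTpFdbTable, with bridge port numbers resolved to interface names through dot1dBasePortIfIndex and IF-MIB ifName), and how the two are joined into the IP-port correspondence. The walk output, the addresses and the interface names are constructed for the example.

```python
"""Parse `snmpwalk -On` output into the IP-MAC and port-MAC correspondences
of steps S101 and S103.  Added example for illustration; the walk output
below is constructed, not captured from a real switch.  MIB objects assumed
(standard IP-MIB / BRIDGE-MIB / IF-MIB columns):
  ipNetToMediaPhysAddress  .1.3.6.1.2.1.4.22.1.2.<ifIndex>.<a>.<b>.<c>.<d>
  dot1dTpFdbPort           .1.3.6.1.2.1.17.4.3.1.2.<6 MAC octets, decimal>
  dot1dBasePortIfIndex     .1.3.6.1.2.1.17.1.4.1.2.<bridgePort>
  ifName                   .1.3.6.1.2.1.31.1.1.1.1.<ifIndex>
"""
import re

ARP_OID = ".1.3.6.1.2.1.4.22.1.2."
FDB_OID = ".1.3.6.1.2.1.17.4.3.1.2."
BRIDGE_PORT_OID = ".1.3.6.1.2.1.17.1.4.1.2."
IFNAME_OID = ".1.3.6.1.2.1.31.1.1.1.1."

# Constructed walk of one access switch: three hosts learned behind port
# Eth0/2 (the hub case) plus one FDB entry whose port is not yet learned.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.10.0.0.11 = Hex-STRING: 00 11 22 33 44 01
.1.3.6.1.2.1.4.22.1.2.1.10.0.0.12 = Hex-STRING: 00 11 22 33 44 02
.1.3.6.1.2.1.4.22.1.2.1.10.0.0.13 = Hex-STRING: 00 11 22 33 44 03
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.1 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.2 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.3 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.9 = INTEGER: 0
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10002
.1.3.6.1.2.1.31.1.1.1.1.10001 = STRING: Eth0/1
.1.3.6.1.2.1.31.1.1.1.1.10002 = STRING: Eth0/2
"""

LINE_RE = re.compile(r"^(\S+) = ([A-Za-z-]+): (.*)$")


def _entries(text):
    """Yield (oid, type, value) for every well-formed walk line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def _hex_to_mac(value):
    return ":".join(p.lower() for p in value.split())


def _oid_to_mac(suffix):
    octets = suffix.split(".")
    if len(octets) != 6:
        raise ValueError(f"FDB index must be 6 octets, got {suffix!r}")
    return ":".join(f"{int(o):02x}" for o in octets)


def parse_arp(text):
    """ipNetToMediaTable -> {ip: mac}  (the IP-MAC correspondence)."""
    arp = {}
    for oid, typ, val in _entries(text):
        if oid.startswith(ARP_OID) and typ == "Hex-STRING":
            parts = oid[len(ARP_OID):].split(".")   # ifIndex, a, b, c, d
            arp[".".join(parts[1:5])] = _hex_to_mac(val)
    return arp


def parse_fdb(text):
    """dot1dTpFdbTable with bridge port resolved to ifIndex and ifName:
    {mac: port_name}  (the port-MAC correspondence)."""
    mac_to_bport, bport_to_ifindex, ifnames = {}, {}, {}
    for oid, typ, val in _entries(text):
        if oid.startswith(FDB_OID):
            mac_to_bport[_oid_to_mac(oid[len(FDB_OID):])] = int(val)
        elif oid.startswith(BRIDGE_PORT_OID):
            bport_to_ifindex[int(oid[len(BRIDGE_PORT_OID):])] = int(val)
        elif oid.startswith(IFNAME_OID):
            ifnames[int(oid[len(IFNAME_OID):])] = val
    fdb = {}
    for mac, bport in mac_to_bport.items():
        if bport == 0:          # BRIDGE-MIB: 0 means the port has not been learned
            continue
        ifindex = bport_to_ifindex.get(bport)
        fdb[mac] = ifnames.get(ifindex, f"bridgePort{bport}")
    return fdb


def ip_to_port(arp, fdb):
    """Step S103 join: {ip: port} for every IP whose MAC this switch has learned."""
    return {ip: fdb[mac] for ip, mac in arp.items() if mac in fdb}
```

Two caveats for a deployment. On VLAN-aware switches the dot1dTpFdbTable is often exposed per VLAN (or replaced by the Q-BRIDGE-MIB dot1qTpFdbTable), so the walk must be repeated per VLAN before the join is complete. The NAC's SNMP credentials give it read access to every switch in the network, so they should be SNMPv3 with authentication and privacy and a read-only view rather than an SNMPv1/v2c community string sent in the clear; and because a MAC address can be spoofed, the location obtained this way identifies the port a given MAC was learned on, not who is really behind it.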
In some embodiments, the terminal device is a single device or a hub that is connected to multiple devices simultaneously.
Optionally, the hub does not actively interact with the core switch or the access switches because it cannot be network-managed; hubs are therefore regarded as independent terminal devices in the network. In that case the MAC addresses of all devices behind the hub are learned on the same Access port, which is then the access position of each of them.
It can be seen from the foregoing embodiments that the method for determining a terminal access position provided in the embodiments of the present invention, by determining the IP-MAC correspondence and the port-MAC correspondence of the core switch, determining the connection relationships between all terminal devices and the ports of the access switches, and determining the real access positions of all terminal devices, can determine the terminal access position for different terminal devices or different types of terminal devices, thereby improving positioning accuracy and reducing manual workload, and can further sense dynamic changes in the connection relationship of the terminal devices, raise an alarm for illegally accessed devices and disable the port.
The embodiment of the invention also provides a second embodiment of a method for determining the access position of the terminal aiming at different terminal equipment or different types of terminal equipment. Fig. 2 is a schematic flowchart illustrating a second embodiment of the method for determining the access location of the terminal according to the present invention.
As shown in fig. 2, the boundary of the system is first determined by scanning the IP list of the core switch to obtain all subnets of the core switch. Once the subnets of the whole network are known, all subnet addresses are scanned by Ping to confirm which IP addresses are alive and which do not exist; this also refreshes the ARP and MAC tables of the switches with the latest MAC information. The ARP table of the switch is then scanned to obtain the IP-MAC correspondence, which is stored in the terminal information module of the NAC.
The MAC forwarding table of each access switch is acquired cyclically to update the port-MAC relationship, and the IP address of each terminal is looked up in the terminal information table by its MAC address, which yields the link relationship between the PC and the access switch. The link state of the port is then acquired: only when the port is an Access port can it be confirmed that the MAC address is connected to that port, and only then can the access position of the device be determined accurately. If the port is a Trunk port, only a suspected access position can be marked. Only an explicit Access port determines the real access position of the device; a suspected access position indicates that an access switch exists under that port, and that switch can be scanned to confirm the true access position.
Based on the accurate terminal access position, the method can control and bind the traffic of the port and precisely control the access position.
Fig. 3 shows a schematic diagram of the network system structure of the present embodiment. As shown in fig. 3, the network system includes:
a network access control (NAC) system responsible for device management and switch management;
network-manageable switches, on which the SNMP service is configured;
HUB devices (unmanaged wire connectors) as part of the test;
the terminals, which are connected to the switches and to the HUB device respectively;
the external network, i.e. extranet resources;
and the server area, i.e. the intranet servers.
The NAC is connected to the core switch and scans the devices alive on the whole network. The external network and the server area are each connected to the core switch; access switches A and B are connected to Trunk ports Eth0/1 and Eth0/2 of the core switch respectively; PC1 is connected to port Eth0/2 of access switch A; PC2 and PC3 are connected to the HUB, and the HUB is connected to port Eth0/2 of access switch B.
The NAC scans the VLAN IP table of the core switch through SNMP and determines the IP range of the whole network; it actively scans all discovered IP ranges to ensure the completeness of the ARP tables and MAC tables of the switches of the whole network; and it scans the ARP table entries of the core switch through SNMP to discover all IP-MAC correspondences.
Next, the MAC tables of access switches A and B are scanned separately via SNMP. Scanning access switch A yields (Eth0/2, MAC-PC1), i.e. port Eth0/2 holds the MAC address corresponding to PC1, and by matching the ARP table entry and the port state (Access) of the access switch it is determined that PC1 is connected to port Eth0/2 of access switch A. Since the HUB cannot be network-managed, the MAC addresses corresponding to PC2 and PC3 both appear on port Eth0/2 of access switch B; because Eth0/2 is an Access port, PC2 and PC3 are determined to be connected to port Eth0/2 of access switch B.
Combining the whole topological relationship, it is determined that terminal PC1 is connected to port Eth0/2 of switch A and that PC2 and PC3 are connected to port Eth0/2 of switch B. The access position is added to the NAC as a terminal attribute, and the corresponding action is taken according to policy.
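The following is an added illustrative example, not part of the embodiments above, of the walk described in steps S103 and S105 of the first embodiment and in the fig. 3 walkthrough: starting from the core switch, each terminal's MAC address is followed from Trunk port to the directly connected downstream switch until it is found on an Access port, which is then its real access position; a Trunk port behind which no manageable switch is known yields only a suspected position. A second function compares two successive scans so that a terminal that appeared, moved or disappeared can be reported to the NAC policy engine. The switches, ports and MAC addresses are constructed to match fig. 3; the `downstream` neighbour map (which switch sits behind which Trunk port) is an assumption of this example, since the embodiments do not say how it is obtained (in practice LLDP/CDP neighbour tables or the NAC inventory would supply it), and the additional Trunk port Eth0/3 of the core switch with an unknown device behind it is constructed to show the suspected-position case.

```python
"""Determine each terminal's real access port from per-switch forwarding
tables and port modes, following Trunk ports to the directly attached
downstream switch until an Access port is reached, then diff two scans to
surface new, moved or vanished terminals.  Added example, not the patent's
code.  Topology constructed after Fig. 3; the `downstream` map is an
assumption (LLDP/CDP or inventory in practice), as are all MACs and IPs.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    port_mode: dict                                  # port -> "Access" / "Trunk"
    fdb: dict                                        # port -> set of learned MACs
    downstream: dict = field(default_factory=dict)   # Trunk port -> switch behind it


@dataclass(frozen=True)
class Location:
    switch: str
    port: str
    certain: bool       # True only when the port is an Access port
    path: tuple         # Trunk hops (switch, port) walked to get here


MAC_PC1, MAC_PC2, MAC_PC3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
MAC_UNKNOWN = "de:ad:be:ef:00:01"   # constructed: seen on a Trunk with no known neighbour

SWITCHES = {
    "core": Switch("core",
                   {"Eth0/1": "Trunk", "Eth0/2": "Trunk", "Eth0/3": "Trunk"},
                   {"Eth0/1": {MAC_PC1}, "Eth0/2": {MAC_PC2, MAC_PC3}, "Eth0/3": {MAC_UNKNOWN}},
                   {"Eth0/1": "A", "Eth0/2": "B"}),   # nothing manageable known behind Eth0/3
    "A": Switch("A", {"Eth0/1": "Trunk", "Eth0/2": "Access"}, {"Eth0/2": {MAC_PC1}}),
    "B": Switch("B", {"Eth0/1": "Trunk", "Eth0/2": "Access"},
                {"Eth0/2": {MAC_PC2, MAC_PC3}}),    # PC2 and PC3 share the port via the HUB
}
ARP = {"10.0.0.11": MAC_PC1, "10.0.0.12": MAC_PC2, "10.0.0.13": MAC_PC3, "10.0.0.99": MAC_UNKNOWN}


def locate(mac, switches, start="core", path=(), seen=frozenset()):
    """Walk from `start` toward `mac`.  Returns a Location, or None if this
    switch has not learned the MAC.  `certain` is False when the walk ends on
    a Trunk port, i.e. only a suspected access position is known."""
    if start in seen:                       # loop guard for mis-cabled topologies
        return None
    sw = switches[start]
    for port, macs in sw.fdb.items():
        if mac not in macs:
            continue
        if sw.port_mode.get(port) == "Access":
            return Location(start, port, True, path)
        hop = path + ((start, port),)
        nxt = sw.downstream.get(port)
        if nxt in switches:                 # keep scanning the switch behind the Trunk
            deeper = locate(mac, switches, nxt, hop, seen | {start})
            if deeper is not None:
                return deeper
        return Location(start, port, False, hop)   # Trunk with no manageable neighbour
    return None


def locate_all(arp, switches, start="core"):
    """IP-MAC correspondence joined with the port walk: {ip: Location}."""
    return {ip: loc for ip, mac in arp.items()
            if (loc := locate(mac, switches, start)) is not None}


def diff_locations(previous, current):
    """Events for the NAC policy engine: terminals that are new, that moved
    to another switch/port, or that disappeared since the previous scan."""
    events = []
    for ip, loc in current.items():
        old = previous.get(ip)
        if old is None:
            events.append(("new", ip, loc))
        elif (old.switch, old.port) != (loc.switch, loc.port):
            events.append(("moved", ip, old, loc))
    for ip, old in previous.items():
        if ip not in current:
            events.append(("gone", ip, old))
    return events


if __name__ == "__main__":
    for ip, loc in locate_all(ARP, SWITCHES).items():
        print(ip, loc.switch, loc.port, "real" if loc.certain else "suspected", loc.path)
```

The policy action the embodiments mention (alarm, port disable) belongs downstream of `diff_locations`: a "new" event whose Location is not certain, or whose MAC is not in the NAC's terminal information module, is the case to alarm on, and the port to disable is `loc.port` on `loc.switch`, which is only safe to act on when `loc.certain` is true, since shutting a Trunk port cuts off every device behind it.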
It can be seen from the foregoing embodiments that the method for determining a terminal access position provided in the embodiments of the present invention, by determining the IP-MAC correspondence and the port-MAC correspondence of the core switch, determining the connection relationships between all terminal devices and the ports of the access switches, and determining the actual access positions of all terminal devices, can determine the terminal access position for different terminal devices or different types of terminal devices, so as to improve positioning accuracy and reduce manual workload, and can further sense dynamic changes in the connection relationships of the terminal devices, raise an alarm for illegally accessed devices and disable the port.
It should be particularly noted that the steps in the above embodiments of the method for determining a terminal access position may be interchanged, replaced, added or deleted; therefore, methods for determining a terminal access position based on these reasonable permutations and combinations shall also fall within the scope of the present invention, and the scope of the present invention shall not be limited to the described embodiments.
In view of the above object, a second aspect of the embodiments of the present invention proposes a first embodiment of an apparatus capable of determining a terminal access position for different terminal devices or different types of terminal devices. The device for determining the access position of the terminal uses the method for determining the access position of the terminal.
The apparatus for determining a terminal access position provided by the embodiment of the invention determines the IP-MAC correspondence and the port-MAC correspondence of the core switch, determines the connection relationship between all terminal devices and the ports of the access switches, and determines the real access positions of all terminal devices. It can therefore determine the terminal access position for different terminal devices or different types of terminal devices, improving positioning accuracy and reducing manual workload, and can further sense dynamic changes in the connection relationship of the terminal devices, raise an alarm for illegally accessed devices and disable the port.
It should be particularly noted that the above embodiment of the apparatus for determining a terminal access position uses the embodiments of the method for determining a terminal access position to describe the working process of each module, and those skilled in the art will readily appreciate that these modules can be applied to other embodiments of the method. Of course, since the steps of the method may be interchanged, replaced, added or deleted, apparatuses for determining a terminal access position with these reasonable permutations and combinations shall also fall within the scope of the present invention, and the scope of the present invention shall not be limited to the described embodiment.
In view of the above object, a third aspect of the embodiments of the present invention proposes an embodiment of a computer device executing the method for determining the access location of the terminal.
The computer device for executing the method for determining the access position of the terminal comprises a memory, at least one processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to execute any one of the methods.
Fig. 4 is a schematic hardware structure diagram of an embodiment of a computer device for executing the method for determining the access position of the terminal according to the present invention.
Taking the computer device shown in fig. 4 as an example, the computer device includes a processor 401 and a memory 402, and may further include: an input device 403 and an output device 404.
The processor 401, the memory 402, the input device 403 and the output device 404 may be connected by a bus or other means, and fig. 4 illustrates an example of a connection by a bus.
The memory 402, which is a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the method for determining the access position of the terminal in the embodiment of the present application. The processor 401 executes various functional applications of the server and data processing, namely, a method for determining a terminal access position of the above-described method embodiment, by running the nonvolatile software program, instructions and modules stored in the memory 402.
The memory 402 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the determination device of the terminal access location, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, which may be connected to local modules via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 403 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the determination device of the access position of the terminal. The output device 404 may include a display device such as a display screen.
Program instructions/modules corresponding to the one or more terminal access location determination methods are stored in the memory 402 and, when executed by the processor 401, perform the terminal access location determination methods of any of the method embodiments described above.
Any embodiment of the computer device executing the method for determining the access position of the terminal can achieve the same or similar effects as any corresponding method embodiment.
In view of the above object, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer-executable instructions, where the computer-executable instructions can execute the method for determining the access location of the terminal in any of the above method embodiments and the device/system for determining the access location of the terminal in any of the above device/system embodiments. Embodiments of the computer-readable storage medium may achieve the same or similar effects as any of the aforementioned method and apparatus/system embodiments corresponding thereto.
In view of the above object, a fifth aspect of the embodiments of the present invention proposes a computer program product, which includes a computer program stored on a computer-readable storage medium, the computer program including instructions that, when executed by a computer, cause the computer to execute the method for determining a terminal access position in any of the above method embodiments and the apparatus/system for determining a terminal access position in any of the above apparatus/system embodiments. Embodiments of the computer program product may achieve the same or similar effects as any of the aforementioned method and apparatus/system embodiments corresponding thereto.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be understood that the computer-readable storage media (e.g., memory) described herein may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. By way of example and not limitation, nonvolatile memory may include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory may include Random Access Memory (RAM), which may serve as external cache memory. By way of example and not limitation, RAM may be available in a variety of forms, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. A computer readable medium includes a computer storage medium and a communication medium including any medium that facilitates transfer of a computer program from one location to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.