CN109327462B - MAC address authentication method based on L2VPN network - Google Patents


Info

Publication number
CN109327462B
Authority
CN
China
Prior art keywords
mac address
authentication
enabled
address authentication
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811350331.2A
Other languages
Chinese (zh)
Other versions
CN109327462A (en)
Inventor
顾伟
赵子苍
王文刚
徐海青
赵茂聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Centec Communications Co Ltd
Original Assignee
Centec Networks Suzhou Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The invention discloses a MAC address authentication method based on an L2VPN network. The method comprises: receiving a packet, obtaining its source MAC address, source port number and VLAN ID, and looking up a virtual port control entry by the source port number and VLAN ID to obtain a virtual port number; looking up a data forwarding entry by the MAC address and, if no entry is found, looking up the virtual port control entry by the virtual port number to determine whether virtual-port-based MAC address authentication is enabled, and if it is enabled, reporting the MAC address to the CPU for MAC address authentication; and the CPU authenticating the MAC address and marking it as authenticated when it passes. The invention achieves security control of MAC address learning, aging and port migration on the basis of the virtual link.

Description

MAC address authentication method based on L2VPN network
Technical Field
The invention relates to the technical field of computer network communication, in particular to an MAC address authentication method based on an L2VPN network.
Background
A MAC (Media Access Control) address is an address written into hardware by the network device manufacturer and used to identify a network device. In the prior art, MAC address authentication is an access control method that grants network access based on a port and a MAC address, or on a VLAN and a MAC address, without requiring the user to install any client software. Taking port-based MAC address authentication as an example: when the switching device has MAC address authentication enabled, authentication of a user's MAC address starts as soon as the port first detects that MAC address. During authentication the user does not need to enter a user name or password. If authentication succeeds, the user is allowed to access network resources through the port; otherwise the user's MAC address is added as a quiet (silent) MAC, and during the quiet time the switching device discards packets from that MAC address. However, existing MAC address authentication methods cannot authenticate a MAC address on the basis of a virtual link.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a MAC address authentication method based on an L2VPN network.
To achieve this, the invention provides the following technical scheme: a MAC address authentication method based on an L2VPN network, comprising
receiving a packet, obtaining its source MAC address, source port number and VLAN ID, and looking up a virtual port control entry by the source port number and VLAN ID to obtain a virtual port number;
looking up a data forwarding entry by the MAC address and, when no data forwarding entry is found, looking up the virtual port control entry by the virtual port number to determine whether virtual-port-based MAC address authentication is enabled; when it is enabled, reporting the MAC address to the CPU for MAC address authentication, with the reason for reporting to the CPU recorded as virtual-port-based MAC address authentication;
and the CPU authenticating the MAC address and marking the MAC address as authenticated when it passes authentication.
Preferably, whether to enable MAC address authentication based on the virtual port is determined by a value of an enable MAC address authentication field corresponding to the virtual port number, where the enable MAC address authentication field is provided in a virtual port control entry and is used to identify whether to enable MAC authentication based on the virtual port.
Preferably, when virtual-port-based MAC address authentication is not enabled, the port control entry is further looked up by the source port number to determine whether port-based MAC address authentication is enabled; when it is enabled, the MAC address is reported to the CPU for MAC address authentication, with the reason for reporting recorded as port-based MAC address authentication.
Preferably, whether port-based MAC address authentication is enabled is determined by a value of an enable MAC address authentication field corresponding to the source port number, where the enable MAC address authentication field is set in a port control entry and is used to identify whether port-based MAC authentication is enabled.
Preferably, when port-based MAC address authentication is not enabled, the VLAN control entry is further looked up by the VLAN ID to determine whether VLAN-based MAC address authentication is enabled; when it is enabled, the MAC address is reported to the CPU for MAC address authentication, with the reason for reporting recorded as VLAN-based MAC address authentication.
Preferably, whether VLAN-based MAC address authentication is enabled is determined by a value of an enabled MAC address authentication field corresponding to the VLAN ID, where the enabled MAC address authentication field is provided in a VLAN control entry and is used to identify whether VLAN-based MAC authentication is enabled.
Preferably, the CPU marks whether the MAC address is authenticated by setting a value of a MAC authenticated field in an authenticated MAC entry.
Preferably, the CPU also sets a configurable aging timer for the authenticated MAC address.
The invention has the beneficial effects that:
the MAC address authentication method can realize the safety control of MAC address learning, aging and port drifting based on the virtual link, and is not only suitable for an L2VPN network, but also suitable for a VxLAN network, a Tunnel network and the like.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention;
FIG. 2 is a diagrammatic representation of a switch chip process flow;
fig. 3 is a CPU processing flow diagram.
Detailed Description
The technical solution of the embodiment of the present invention will be clearly and completely described below with reference to the accompanying drawings of the present invention.
As shown in fig. 1, the MAC address authentication method based on L2VPN network disclosed in the present invention includes
S100, receiving a message, acquiring a source MAC address, a source port number and a VLAN number of the message, and further searching a virtual port control table entry according to the source port number and the VLAN number to acquire a virtual port number;
Specifically, the switch chip is the component that processes network packets. In implementation, the switch chip parses a received packet to obtain the source MAC (Media Access Control) address, the source port number and the VLAN ID carried by the packet. The switch chip may be an ASIC (Application Specific Integrated Circuit), but may also be an FPGA (Field-Programmable Gate Array) or an NP (Network Processor) chip.
Further, several tables are configured in the switch chip, including a data forwarding table (FDB), a port control table (Port) and a VLAN control table. The FDB entries are used for forwarding: when the switch chip receives a packet, it looks up the data forwarding table by the MAC address carried in the packet and decides from the result whether the packet is filtered or forwarded.
The port control entry determines whether packets arriving on a given port are subject to port-based MAC address authentication. In implementation, an enable MAC address authentication field (macAuthEn) is added to the port control entry, and port-based MAC address authentication is switched on or off by setting its value. For example, if the macAuthEn value for port 1 (Port1) is configured as 1 and the value for port 2 (Port2) as 0, then when the switch chip receives packets from Port1 and Port2, port-based MAC address authentication is enabled for packets from Port1, so the switch chip reports them to the CPU for MAC address authentication, while it is not enabled for packets from Port2, so those packets need not be reported to the CPU.
The VLAN control entry determines whether packets from a given VLAN are subject to VLAN-based MAC address authentication. In implementation, an enable MAC address authentication field is added to the VLAN control entry, and VLAN-based MAC address authentication is switched on or off by setting its value. For example, if the enable field for VLAN 100 is configured as 1, VLAN-based MAC address authentication is enabled for packets from VLAN 100, so the switch chip reports them to the CPU for MAC address authentication.
Furthermore, a virtual port control entry is configured in the switch chip. It contains a source port number field, a VLAN ID field and a virtual port number (Virtual Port) field, and maps the packet's source port number and VLAN ID to a virtual port number; for example, a packet arriving on source port 1 with VLAN ID 100 can be configured to map to virtual port 20. An enable MAC address authentication field (macAuthEn) can also be added to the virtual port control entry, and virtual-port-based MAC address authentication is switched on or off by setting its value. In implementation, the switch chip parses the received packet to obtain the source port number and VLAN ID, looks up the virtual port control entry by these two values to obtain the virtual port number for the packet, then determines whether virtual-port-based MAC address authentication is enabled, and if it is, reports the MAC address to the CPU for MAC address authentication.
S200, searching a data forwarding table according to the MAC address, searching a virtual port control table item according to the virtual port number when the data forwarding table is not searched, determining whether to enable MAC address authentication based on the virtual port, and reporting the MAC address to a CPU for MAC address authentication when the MAC address authentication is enabled.
Specifically, as shown in fig. 1 and fig. 2, after the switch chip parses the packet to obtain the source MAC address, it looks up the data forwarding table by the source MAC address. If no entry is found, it proceeds as follows:
looking up the virtual port control entry by the virtual port number and determining from the result whether virtual-port-based MAC address authentication is enabled; if it is enabled, reporting the source MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as virtual-port-based MAC address authentication;
if virtual-port-based MAC address authentication is not enabled, looking up the port control entry by the source port number and determining from the result whether port-based MAC address authentication is enabled; if it is enabled, reporting the source MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as port-based MAC address authentication;
if port-based MAC address authentication is not enabled, looking up the VLAN control entry by the VLAN ID and determining from the result whether VLAN-based MAC address authentication is enabled; if it is enabled, reporting the source MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as VLAN-based MAC address authentication;
if VLAN-based MAC address authentication is not enabled either, processing the packet in another manner.
In implementation, if port-based MAC address authentication and VLAN-based MAC address authentication are both enabled, port-based MAC address authentication takes precedence, and the reason recorded when the source MAC address is reported to the CPU is port-based MAC address authentication.
As shown in fig. 2, when the data forwarding table is looked up by the packet's source MAC address and an entry is found, the switch chip further determines whether port migration has occurred and whether the MAC address has been authenticated. Specifically, an authenticated MAC table (DsMAC table) corresponding to the data forwarding table is also configured in the switch chip and stores authenticated MAC address information; in implementation, a MAC authenticated field (macAuth field) is set in the DsMAC entry, and the value of the macAuth field marks whether the MAC address is authenticated. To judge whether the address is authenticated, the DsMAC table is looked up by the source MAC address; if an entry is found, the MAC address is authenticated. To judge whether port migration has occurred, the source port number or virtual port number of the packet is compared with the source port number or virtual port number in the data forwarding entry; if they differ, port migration has occurred. For a packet whose MAC address is authenticated and has migrated port, there are generally four processing modes: discard, forward without learning, forward and learn, and report to the CPU. For a packet reported to the CPU, the reason for reporting is configured as authenticated MAC port migration (MacAuthStaMove); for a discarded packet, the reason for discarding is configured as authenticated MAC packet discard (MacAuthDiscard).
S300, the CPU authenticates the MAC address and marks the MAC address as authenticated when the authentication is passed.
Specifically, as shown in fig. 3, the CPU authenticates the MAC address reported to it. When the MAC address passes authentication, the CPU adds the MAC address to the data forwarding table and sets the value of the macAuth field corresponding to that MAC address in the DsMAC entry to mark it as authenticated. Further, the CPU configures a settable aging timer (timeIdx) for the authenticated MAC address, so that its aging time can differ from that of an ordinary MAC address. A MAC address that fails authentication is processed in another manner.
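The following Python model, added here as an illustration and not code from the patent or its assignee, walks through steps S100 to S300 as described above: the (source port, VLAN ID) to virtual port mapping, the FDB miss path with its virtual port > port > VLAN precedence, the FDB hit path with the port migration and macAuth checks, and the CPU side that installs the FDB entry, the macAuth flag and the timeIdx aging timer. All table layouts, the configuration values (port 1 + VLAN 100 mapped to virtual port 20, as in the worked example above, plus a second virtual port 21 on port 3) and the `allowed_macs` stand-in for a real authentication backend are constructed assumptions; the Action names other than MacAuthStaMove and MacAuthDiscard are also invented for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Action(Enum):
    """Outcome of the switch-chip pipeline for one received packet (names constructed)."""
    REPORT_VPORT_AUTH = "report to CPU: virtual-port-based MAC auth"
    REPORT_PORT_AUTH = "report to CPU: port-based MAC auth"
    REPORT_VLAN_AUTH = "report to CPU: VLAN-based MAC auth"
    REPORT_STA_MOVE = "report to CPU: MacAuthStaMove"
    DISCARD_STA_MOVE = "discard: MacAuthDiscard"
    FORWARD = "forward"
    FORWARD_NO_LEARN = "forward without learning"
    OTHER = "other processing (left unspecified by the patent)"


@dataclass
class FdbEntry:
    port: int                 # source port the MAC was learned on
    vport: Optional[int]      # virtual port it was learned on, if any


@dataclass
class SwitchChip:
    port_ctl: Dict[int, int]                               # port control: port -> macAuthEn
    vlan_ctl: Dict[int, int]                               # VLAN control: VLAN ID -> macAuthEn
    vport_ctl: Dict[Tuple[int, int], Tuple[int, int]]      # (port, VLAN) -> (virtual port, macAuthEn)
    fdb: Dict[str, FdbEntry] = field(default_factory=dict)  # data forwarding table
    ds_mac: Dict[str, int] = field(default_factory=dict)    # DsMAC: MAC -> macAuth flag
    age_timer: Dict[str, int] = field(default_factory=dict) # timeIdx per MAC (constructed, seconds)
    move_policy: Action = Action.REPORT_STA_MOVE            # one of the four port-migration modes

    def lookup_vport(self, port: int, vlan: int) -> Tuple[Optional[int], int]:
        """S100: map (source port, VLAN ID) to (virtual port, macAuthEn); (None, 0) if unmapped."""
        return self.vport_ctl.get((port, vlan), (None, 0))

    def process(self, mac: str, port: int, vlan: int) -> Action:
        """S200: FDB lookup, then either the enable cascade or the port-migration check."""
        vport, vport_auth_en = self.lookup_vport(port, vlan)
        entry = self.fdb.get(mac)
        if entry is None:
            # FDB miss: virtual port takes precedence over port, port over VLAN.
            if vport is not None and vport_auth_en:
                return Action.REPORT_VPORT_AUTH
            if self.port_ctl.get(port, 0):
                return Action.REPORT_PORT_AUTH
            if self.vlan_ctl.get(vlan, 0):
                return Action.REPORT_VLAN_AUTH
            return Action.OTHER
        # FDB hit: port migration if either the physical or the virtual port differs.
        moved = entry.port != port or entry.vport != vport
        authenticated = self.ds_mac.get(mac, 0) == 1
        if moved and authenticated:
            return self.move_policy
        if moved:
            return Action.OTHER   # unauthenticated MAC moving port: not covered by the patent text
        return Action.FORWARD


@dataclass
class Cpu:
    """S300, CPU side. allowed_macs is a constructed stand-in for a real authentication backend."""
    allowed_macs: Set[str]
    auth_age: int = 3600      # timeIdx value for authenticated MACs (constructed)

    def authenticate(self, chip: SwitchChip, mac: str, port: int, vlan: int) -> bool:
        if mac not in self.allowed_macs:
            return False                          # failed: left to "other processing"
        vport, _ = chip.lookup_vport(port, vlan)
        chip.fdb[mac] = FdbEntry(port, vport)     # add the MAC to the data forwarding table
        chip.ds_mac[mac] = 1                      # set macAuth in the DsMAC entry
        chip.age_timer[mac] = self.auth_age       # configurable aging timer
        return True


def build_demo_chip() -> SwitchChip:
    """Constructed configuration: port 1 + VLAN 100 -> virtual port 20 (auth on); port 3 + VLAN 100 -> 21 (off)."""
    return SwitchChip(
        port_ctl={1: 1, 2: 0, 3: 0},
        vlan_ctl={100: 1, 200: 0},
        vport_ctl={(1, 100): (20, 1), (3, 100): (21, 0)},
    )


if __name__ == "__main__":
    chip = build_demo_chip()
    mac = "00:11:22:33:44:01"                    # constructed sample MAC
    cpu = Cpu(allowed_macs={mac})
    print(chip.process(mac, 1, 100))             # FDB miss, virtual-port-based auth enabled
    cpu.authenticate(chip, mac, 1, 100)
    print(chip.process(mac, 1, 100))             # FDB hit at the learned location: forward
    print(chip.process(mac, 3, 100))             # authenticated MAC from another port: MacAuthStaMove
```

Setting `move_policy` selects which of the four port-migration modes the chip applies to an authenticated MAC; the example defaults to reporting so the CPU can decide, which is the mode that leaves an audit trail.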
The MAC address authentication method can realize the safety control of MAC address learning, aging and port drifting based on the virtual link, and is not only suitable for an L2VPN network, but also suitable for a VxLAN network, a Tunnel network and the like.
Therefore, the scope of the present invention should not be limited to the disclosure of the embodiments, but includes various alternatives and modifications without departing from the scope of the present invention, which is defined by the claims of the present patent application.

Claims (6)

1. A MAC address authentication method based on L2VPN network is characterized by comprising
Receiving a message, acquiring a source MAC address, a source port number and a VLAN ID of the message, and further searching a virtual port control table entry according to the source port number and the VLAN ID to acquire a virtual port number;
looking up a data forwarding entry by the MAC address and, when no data forwarding entry is found, looking up the virtual port control entry by the virtual port number to determine whether virtual-port-based MAC address authentication is enabled; when it is enabled, reporting the MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as virtual-port-based MAC address authentication; when virtual-port-based MAC address authentication is not enabled, looking up the port control entry by the source port number to determine whether port-based MAC address authentication is enabled; when it is enabled, reporting the MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as port-based MAC address authentication; and when port-based MAC address authentication is not enabled, looking up the VLAN control entry by the VLAN ID to determine whether VLAN-based MAC address authentication is enabled; when it is enabled, reporting the MAC address to the CPU for MAC address authentication, with the reason for reporting recorded as VLAN-based MAC address authentication;
and the CPU authenticates the MAC address and marks the MAC address as authenticated when the MAC address passes the authentication.
2. The method of claim 1, wherein whether the virtual port-based MAC address authentication is enabled is determined by a value of an enabled MAC address authentication field corresponding to a virtual port number, and the enabled MAC address authentication field is provided in a virtual port control entry for identifying whether the virtual port-based MAC authentication is enabled.
3. The method of claim 1, wherein whether port-based MAC address authentication is enabled is determined by a value of an enable MAC address authentication field corresponding to the source port number, the enable MAC address authentication field being provided in a port control entry for identifying whether port-based MAC authentication is enabled.
4. The method of claim 1, wherein whether VLAN based MAC address authentication is enabled is determined by a value of an enabled MAC address authentication field corresponding to a VLAN ID, the enabled MAC address authentication field being provided in a VLAN control entry for identifying whether VLAN based MAC authentication is enabled.
5. The method of claim 1, wherein the CPU marks whether the MAC address is authenticated by setting a value of a MAC authenticated field in an authenticated MAC entry.
6. The method of claim 1 wherein the CPU also sets a configurable aging timer for authenticated MAC addresses.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811350331.2A CN109327462B (en) 2018-11-14 2018-11-14 MAC address authentication method based on L2VPN network


Publications (2)

Publication Number Publication Date
CN109327462A CN109327462A (en) 2019-02-12
CN109327462B true CN109327462B (en) 2020-10-27

Family

ID=65260957


Country Status (1)

Country Link
CN (1) CN109327462B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113727222B (en) * 2021-08-16 2023-11-03 烽火通信科技股份有限公司 Method and device for detecting MAC address drift in PON system

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007074209A (en) * 2005-09-06 2007-03-22 Ntt Data Corp Authentication vlan system, authentication server, and program
JP4814641B2 (en) * 2006-01-30 2011-11-16 富士通株式会社 Authentication VLAN switch
CN1889430A (en) * 2006-06-21 2007-01-03 南京联创网络科技有限公司 Safety identification control method based on 802.1 X terminal wideband switching-in
CN101197785A (en) * 2008-01-04 2008-06-11 杭州华三通信技术有限公司 MAC authentication method and apparatus
CN101860551B (en) * 2010-06-25 2014-11-26 神州数码网络(北京)有限公司 Multi-user authentication method and system under single access port
CN103929461B (en) * 2013-08-12 2018-03-20 新华三技术有限公司 Mac address information synchronous method and device in pile system
CN103441932B (en) * 2013-08-30 2016-08-17 福建星网锐捷网络有限公司 A kind of Host routes list item generates method and apparatus
CN103731355B (en) * 2013-12-31 2017-01-25 迈普通信技术股份有限公司 Method and system for avoiding Hash collision during MAC address learning
CN104144095B (en) * 2014-08-08 2018-03-06 福建星网锐捷网络有限公司 Terminal authentication method and interchanger
CN104333552B (en) * 2014-11-04 2017-11-24 福建星网锐捷网络有限公司 A kind of certification determines method and access device
CN106131066B (en) * 2016-08-26 2019-09-17 新华三技术有限公司 A kind of authentication method and device
CN107547336B (en) * 2017-05-15 2020-11-06 新华三技术有限公司 Method and device for adding authorized VLAN into authentication port
CN107294711B (en) * 2017-07-11 2021-03-30 国网辽宁省电力有限公司 Power information intranet message encryption issuing method based on VXLAN technology
CN108683660B (en) * 2018-05-14 2020-09-08 杭州迪普科技股份有限公司 MAC address authentication processing method and device

Also Published As

Publication number Publication date
CN109327462A (en) 2019-02-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 215101 unit 13 / 16, 4th floor, building B, No. 5, Xinghan street, Suzhou Industrial Park, Jiangsu Province

Patentee after: Suzhou Shengke Communication Co.,Ltd.

Address before: Unit 13 / 16, 4th floor, building B, No.5 Xinghan street, Suzhou Industrial Park, 215000 Jiangsu Province

Patentee before: CENTEC NETWORKS (SU ZHOU) Co.,Ltd.
