CN111953599B - Terminal authority control method and device, electronic equipment and storage medium - Google Patents

Terminal authority control method and device, electronic equipment and storage medium

Info

Publication number: CN111953599B
Application number: CN202010672161.0A
Authority: CN (China)
Prior art keywords: table entry, host, terminal, identifier, vrf
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111953599A (en)
Inventor: 张起强
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd

Classifications

    • H04L45/586 Association of virtual routers (H04L45/00 Routing or path finding of packets in data switching networks; H04L45/58 Association of routers)
    • G06F21/44 Program or device authentication (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • H04L45/745 Address table lookup; Address filtering (H04L45/74 Address processing for routing)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention provides a terminal authority control method and device, electronic equipment and a storage medium. The method comprises the following steps: receiving a data message sent by a source terminal to access a destination terminal, and searching the Virtual Routing Forwarding (VRF) table entry of the source terminal for a host table entry corresponding to the destination terminal; if the VRF table entry has no such host table entry, installing a host table entry for the destination terminal in the VRF table entry and marking its host identifier as a first identifier; according to the first identifier, sending an access authority query request for the source terminal to the Central Processing Unit (CPU); if the source terminal has authority to access the destination terminal, adding the address information of the destination terminal to the host table entry and updating its host identifier to a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal. The invention solves the ACL expansion problem caused by the same terminal belonging to a plurality of temporary groups.

Description

Terminal authority control method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a terminal authority control method and device, electronic equipment and a storage medium.
Background
In a campus network scenario, most terminal access control is implemented with Access Control Lists (ACLs) based on Internet Protocol (IP) addresses, but in some industry scenarios using ACLs leads to ACL expansion. For example, the campus networks of financial and internet companies have group-authority and temporary-group scenarios. Fig. 1 is a schematic diagram of a temporary group scenario in the prior art; as shown in fig. 1:
User1-1 and User1-2 are in user group 1; User2-1 and User2-2 are in user group 2; User1-1 and User2-1 form temporary group 3.
The effects produced by the above user groups are as follows:
1. Users in the same group can access each other:
(1) User1-1 and User1-2 can access each other; (2) User2-1 and User2-2 can access each other; (3) User1-1 and User2-1 can access each other.
2. Users in different groups cannot access each other:
(1) User1-1 and User2-2 cannot access each other; (2) User2-2 and User1-2 cannot access each other.
In this scenario, an IP-based ACL is used to manage the temporary groups. With a default deny-any rule, permit entries must be issued for the IP addresses of the same network segment, and every pair of users in a temporary group additionally needs its own permit entry, so the number of ACL entries grows exponentially as temporary groups are added, and the ACL expands.
Disclosure of Invention
Aiming at the defects in the prior art, the embodiment of the invention provides a terminal authority control method and device, electronic equipment and a storage medium.
In a first aspect, an embodiment of the present invention provides a terminal authority control method, including:
receiving a data message which is sent by a source terminal and used for accessing a target terminal, and searching a host table entry corresponding to the target terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal;
if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the destination terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier;
sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier;
if the source terminal has the authority of accessing the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry into a second identifier;
and forwarding the data message according to the second identifier and the address information of the destination terminal.
The method as described above, optionally, further includes:
if the source terminal has no authority to access the destination terminal, directly marking the host identifier of the host table entry as a third identifier;
and discarding the data message according to the third identifier.
The method as described above, optionally, further includes:
and if the VRF table entry comprises a host table entry corresponding to the destination terminal, processing the data message according to the host table entry.
As above, optionally, the processing the data packet according to the host table entry includes:
if the host identifier of the host table entry is a second identifier, forwarding the data message according to the address information corresponding to the host table entry in the VRF table entry;
and if the host identifier of the host table entry is the third identifier, discarding the data message.
As above, optionally, after adding the address information of the destination terminal in the host table entry, the method further includes:
recording the update time of the host table entry corresponding to the target terminal in the VRF table entry;
and if the difference value between the current time and the updating time is greater than a preset threshold value, deleting the host table entry corresponding to the target terminal from the VRF table entry of the source terminal.
As above, optionally, before receiving the data packet of the access destination terminal sent by the source terminal, the method further includes:
and distributing a VRF table entry for each network access terminal, wherein the initial value of the VRF table entry is null.
In a second aspect, an embodiment of the present invention provides a terminal authority control apparatus, including:
the query module is used for receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal;
a new creation module, configured to install a host table entry corresponding to the destination terminal in the VRF table entry if the host table entry does not exist in the VRF table entry, and mark a host identifier of the host table entry as a first identifier;
the uploading module is used for sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier;
the installation module is used for adding the address information of the destination terminal in the host table entry and updating the host identifier of the host table entry into a second identifier if the source terminal has the authority of accessing the destination terminal;
and the forwarding module is used for forwarding the data message according to the second identifier and the address information of the destination terminal.
The above apparatus, optionally, further comprises:
the updating module is used for directly marking the host identifier of the host table entry as a third identifier if the source terminal has no authority of accessing the destination terminal;
and the discarding module is used for discarding the data message according to the third identifier.
The above apparatus, optionally, further comprises:
and the processing module is used for processing the data message according to the host table entry if the VRF table entry comprises the host table entry corresponding to the target terminal.
As with the apparatus described above, optionally, the processing module is specifically configured to:
if the host identifier of the host table entry is a second identifier, forwarding the data message according to the address information corresponding to the host table entry in the VRF table entry;
and if the host identifier of the host table entry is the third identifier, discarding the data message.
The above apparatus, optionally, further comprises:
the recording module is used for recording the updating time of the host table entry corresponding to the target terminal in the VRF table entry;
and the aging module is used for deleting the host table entry corresponding to the destination terminal from the VRF table entry of the source terminal if the difference value between the current time and the updating time is greater than a preset threshold value.
The above apparatus, optionally, further comprises:
and the initialization module is used for distributing VRF table entries for each network access terminal, and the initial values of the VRF table entries are null.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
the processor and the memory are communicated with each other through a bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform a method comprising: receiving a data message which is sent by a source terminal and used for accessing a target terminal, and searching a host table entry corresponding to the target terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal; if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the target terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier; sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier; if the source terminal has the authority of accessing the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry into a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal.
In a fourth aspect, an embodiment of the present invention provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the following method: receiving a data message which is sent by a source terminal and used for accessing a target terminal, and searching a host table entry corresponding to the target terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal; if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the target terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier; sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier; if the source terminal has the authority of accessing the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry into a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal.
The terminal access control method provided by the embodiment of the invention uses the terminal as the partition granularity, partitions an independent VRF for each terminal, installs VRF table entries dynamically, loads the host resources required by each terminal on demand, and achieves network resource access control by combining access control with the per-terminal VRF configuration.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a diagram of a temporary group scene in the prior art;
fig. 2 is a schematic flow chart of a terminal permission control method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a terminal permission control apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 2 is a schematic flow chart of a terminal right control method provided in an embodiment of the present invention, and as shown in fig. 2, the method includes:
step S21, receiving a data message sent by a source terminal for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal;
Specifically, to solve the ACL expansion problem that arises in the temporary group scenario when authority control is performed conventionally by IP, an embodiment of the present invention provides a terminal authority control method based on Virtual Routing Forwarding (VRF) table entries. The method is applied to a switch chip and can be implemented by the Field Processors (FPs) of the switch chip. A separate VRF is divided for each network access terminal, the host table entry information corresponding to the terminal's access authority is configured in that terminal's VRF, and the FP matches the terminal VRF to achieve network resource access control.
First, a VRF table entry is allocated to each network access terminal; the initial value of the VRF table entry is null.
In practical application, the port of the network device connected to a terminal needs to be configured as an independent layer-3 interface, which may be a routed interface or a Switch Virtual Interface (SVI). When the terminal accesses the switching device, VRF resources are allocated to the terminal and the correspondence between the VRF and the terminal is maintained. For example, after the terminal accesses the switching device, its SVI identifier is obtained, a new VRF with an initially null table is created, and the new VRF is marked with the terminal's SVI identifier.
For example, table 1 is a table of the logical groups and authority relationships into which users divide the terminals. As shown in table 1, two user groups, group1 and group2, and one temporary group, group3, are created: User1-1 and User1-2 belong to group1, User2-1 and User2-2 belong to group2, and User1-1 and User2-1 form the temporary group. The same user may belong to several user groups, which solves the problem of temporary mutual access to resources within a group.
TABLE 1 Logical groups and authority relationships of the user-to-terminal division (table provided as an image in the original)
Table 2 associates VRFs with terminals. The terminal information may be represented by the terminal's IP address or MAC address, and the terminal's VRF may be marked by an SVI or a routed interface; the embodiment of the present invention does not limit this.
Table 2 VRF and terminal association table

User      Terminal IP   SVI   VRF
User1-1   1.1.1.1       10    10
User1-2   1.1.1.2       11    11
User2-1   2.2.2.1       20    20
User2-2   2.2.2.2       21    21
After the VRF of each network access terminal has been established, when a source terminal sends a data message to access a destination terminal, the FP looks up the VRF of the source terminal to check whether a host table entry corresponding to the destination terminal exists.
Step S22, if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the destination terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier;
Specifically, when the source terminal sends a data packet to the destination terminal for the first time, the VRF of the source terminal is empty, so no host table entry for the destination terminal is found in the VRF table entry. A host table entry corresponding to the destination terminal is then installed in the VRF table entry of the source terminal and its host identifier is marked as the first identifier, for example by setting the clsid of the host table entry to 0.
Step S23, according to the first identification, sending an access authority inquiry request of the source terminal to a Central Processing Unit (CPU);
Specifically, the system issues three FP chip table entries by default:
FP entry FP-1: by looking up the VRF, determines that a data message whose destination terminal's host table entry carries the second identifier as host identifier can be put through, for example a message whose clsid is 1 is permitted;
FP entry FP-2: by looking up the VRF, determines that a data message whose destination terminal's host table entry carries the third identifier as host identifier must not be put through, for example a message whose clsid is 2 is not permitted;
FP entry FP-3: by looking up the VRF, determines that the host identifier of the destination terminal's host table entry is the first identifier and sends the message to the CPU to query authority, for example a message whose clsid is 0 is sent to the CPU.
When the FP of the switching chip recognizes that the host identifier of the destination terminal's host table entry in the source terminal's VRF is the first identifier, the message is sent to the CPU through the FP, and the CPU queries the access authority of the source terminal and determines whether it has authority to access the destination terminal. In other words, when the lookup of the destination terminal in the VRF fails, the FP initiates a VRF table entry installation request. The CPU may maintain the terminal VRF table shown in table 3 according to user settings and determine, by looking up this table, whether the source terminal has authority to access the destination terminal.
TABLE 3 Terminal VRF table (table provided as an image in the original)
Step S24, if the source terminal has the authority to access the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry to a second identifier;
specifically, if the source terminal has the right to access the destination terminal, for example, the source terminal and the destination terminal in table 1 are in the same user group, the address information of the destination terminal, for example, the IP address of the destination terminal, is added to the host table entry corresponding to the destination terminal, and the host identifier of the host table entry of the destination terminal is updated to the second identifier, for example, the clsid is updated to 1.
And step S25, forwarding the data message according to the second identifier and the address information of the destination terminal.
Specifically, because the FP entries are issued in advance, when the FP identifies that the host identifier of the destination terminal's host table entry is the second identifier, the data packet is forwarded according to the address information of the destination terminal in that host table entry. At this point the address information of the destination terminal is already in the VRF of the source terminal, so the data message can be forwarded directly according to the VRF. In practical application, different VLANs can be assigned to terminals in combination with terminal authentication, for example by dot1x VLAN assignment (VLAN jump) or MAC VLAN, so that different layer-3 SVIs are generated and bound to the VRFs of different terminals. In addition, authority can be set per group, and the correspondence between users and groups can be associated through a system such as RADIUS.
The terminal access control method provided by the embodiment of the invention uses the terminal as the partition granularity, partitions an independent VRF for each terminal, installs VRF table entries dynamically, loads the host resources required by each terminal on demand, and achieves network resource access control by combining access control with the per-terminal VRF configuration.
On the basis of the above embodiment, further, the method further comprises:
if the source terminal has no authority to access the destination terminal, directly marking the host identifier of the host table entry as a third identifier;
and discarding the data message according to the third identifier.
Specifically, if the CPU queries the access authority of the source terminal and finds that it has no authority to access the destination terminal, the host identifier of the destination terminal's host table entry in the source terminal's VRF table entry is marked directly as the third identifier, for example the clsid is marked as 2. The FP then discards the data message directly according to the third identifier. When the source terminal later sends another data message to the destination terminal, the FP finds that the host identifier of the destination terminal is the third identifier and discards the message directly, so the access authority for the same destination terminal is not queried repeatedly and system efficiency is improved.
On the basis of the above embodiments, the method further includes:
and if the VRF table entry comprises a host table entry corresponding to the destination terminal, processing the data message according to the host table entry.
Specifically, if the host table entry of the destination terminal has already been installed in the VRF of the source terminal, the FP can process the data packet directly according to that host table entry.
For example, if the host identifier of the host table entry is the second identifier, the data packet is forwarded according to the address information of the host table entry in the VRF table entry; that is, according to the second identifier the egress route of the data packet is found directly from the VRF and the packet is forwarded directly, without passing through an ACL;
if the host identifier of the host table entry is the third identifier, the data message is discarded directly, so the authority only needs to be queried once for access requests to the same destination terminal.
On the basis of the foregoing embodiments, further, after adding the address information of the destination terminal in the host table entry, the method further includes:
recording the update time of the host table entry corresponding to the target terminal in the VRF table entry;
and if the difference value between the current time and the updating time is greater than a preset threshold value, deleting the host table entry corresponding to the target terminal from the VRF table entry of the source terminal.
Specifically, after the address information of the destination terminal is added to the host table entry, the update time of the host table entry corresponding to the destination terminal in the VRF table entry may also be recorded. If the difference between the current time and the update time is greater than a preset threshold, that is, if no traffic has accessed the destination terminal for a period of time, the host table entry corresponding to the destination terminal is deleted from the VRF table entry of the source terminal. This maintains aging and reclamation of the VRF table entries and saves table entry resources.
For example, taking the temporary group scenario in the background art, two cases are distinguished: access is permitted and access is not permitted.
(1) Permitted case: User1-1 accesses User2-1.
When User1-1 accesses the network, VRF10 is allocated to the User1-1 terminal according to its access port or SVI port, and the initial VRF10 table entry is empty. When the terminal User1-1 sends a data message to access User2-1, the terminal's VRF table is empty at this moment, so the FP-3 table entry is hit and the FP sends the message to the CPU to query the access authority of User1-1. The CPU looks up in the VRF table it maintains whether User1-1 has authority to access User2-1, and returns permit. A host table entry for User2-1 is installed in VRF10 and its clsid is set to 1. Subsequent messages from User1-1 to User2-1 look up VRF10 and the chip finds the egress route; in the FP lookup stage FP-1 is hit and the message is sent out normally.
(2) Not permitted case: User1-1 accesses User2-2.
When User1-1 accesses the network, VRF10 is allocated to the User1-1 terminal according to its access port or SVI port, and the initial VRF10 table entry is empty. When the terminal User1-1 sends a data message to access User2-2, the terminal's VRF table is empty at this moment, so the FP-3 table entry is hit and the FP sends the message to the CPU to query the access authority of User1-1. The CPU looks up in the VRF table it maintains whether User1-1 has authority to access User2-2, and returns deny. A host table entry for User2-2 is installed in VRF10 and its clsid is set to 2. Subsequent messages from User1-1 to User2-2 hit FP-2 in the FP lookup stage and are discarded directly.
The terminal authority control method provided by the embodiment of the invention uses a dynamic VRF table entry installation technique, loads the host resources required by each terminal on demand, ages out host routing resources that have not been used for a long time at regular intervals, and can greatly save VRF resources.
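The pipeline of steps S21 to S25, the deny path and the aging rule, replayed in software as an added illustration (this is not code from the patent or from Ruijie; the clsid values 0/1/2, the group membership and the table 2 addresses come from the description, while the 300-second aging threshold, the "traffic refreshes the update time" rule and all class and function names are assumptions):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Host identifiers (clsid values) matched by the three default FP entries.
CLSID_PENDING = 0  # first identifier: FP-3 punts the packet to the CPU
CLSID_ALLOW = 1    # second identifier: FP-1 forwards via the installed host route
CLSID_DENY = 2     # third identifier: FP-2 discards the packet

AGE_THRESHOLD = 300  # constructed aging threshold in seconds (the page gives no value)


@dataclass
class HostEntry:
    clsid: int
    address: Optional[str] = None       # destination IP, filled in only when allowed
    update_time: Optional[float] = None


@dataclass
class Terminal:
    name: str
    ip: str
    svi: int
    vrf: int


class ControlPlane:
    """CPU side: holds group membership and answers access authority queries."""

    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups

    def may_access(self, src: str, dst: str) -> bool:
        # Two users may access each other iff they share at least one group,
        # regular or temporary (the relationship of table 1).
        return any(src in m and dst in m for m in self.groups.values())


class SwitchChip:
    """Data plane: one VRF per terminal, host entries installed on demand."""

    def __init__(self, terminals: List[Terminal], cpu: ControlPlane):
        self.by_ip = {t.ip: t for t in terminals}
        self.cpu = cpu
        # One VRF table per terminal; its initial value is empty.
        self.vrf: Dict[int, Dict[str, HostEntry]] = {t.vrf: {} for t in terminals}
        self.cpu_queries = 0  # how often FP-3 fired

    def handle_packet(self, src_ip: str, dst_ip: str, now: float) -> str:
        src, dst = self.by_ip[src_ip], self.by_ip[dst_ip]
        table = self.vrf[src.vrf]
        entry = table.get(dst.name)
        if entry is None:
            # S22/S23: install the host entry with clsid 0 and punt to the CPU.
            entry = HostEntry(clsid=CLSID_PENDING)
            table[dst.name] = entry
            self.cpu_queries += 1
            if self.cpu.may_access(src.name, dst.name):
                # S24: permitted, record the address and switch to clsid 1.
                entry.address, entry.clsid, entry.update_time = dst.ip, CLSID_ALLOW, now
            else:
                # Denied: switch straight to clsid 2; later packets never reach the CPU.
                entry.clsid = CLSID_DENY
        # S25 / FP-1 and FP-2: act on the installed entry.
        if entry.clsid == CLSID_ALLOW:
            entry.update_time = now  # assumption: traffic refreshes the update time
            return f"forward to {entry.address}"
        return "drop"

    def age(self, now: float) -> int:
        """Delete allowed host entries idle longer than AGE_THRESHOLD; return the count."""
        removed = 0
        for table in self.vrf.values():
            stale = [n for n, e in table.items()
                     if e.clsid == CLSID_ALLOW and now - e.update_time > AGE_THRESHOLD]
            for n in stale:
                del table[n]
                removed += 1
        return removed


def run_scenario():
    """Replays the two scenarios of the description with the table 2 addresses."""
    groups = {"group1": {"User1-1", "User1-2"},
              "group2": {"User2-1", "User2-2"},
              "group3": {"User1-1", "User2-1"}}  # temporary group
    terminals = [Terminal("User1-1", "1.1.1.1", 10, 10), Terminal("User1-2", "1.1.1.2", 11, 11),
                 Terminal("User2-1", "2.2.2.1", 20, 20), Terminal("User2-2", "2.2.2.2", 21, 21)]
    chip = SwitchChip(terminals, ControlPlane(groups))
    r1 = chip.handle_packet("1.1.1.1", "2.2.2.1", now=0)  # first packet: FP-3, CPU says permit
    r2 = chip.handle_packet("1.1.1.1", "2.2.2.1", now=1)  # cached: FP-1, no CPU query
    r3 = chip.handle_packet("1.1.1.1", "2.2.2.2", now=2)  # first packet: FP-3, CPU says deny
    r4 = chip.handle_packet("1.1.1.1", "2.2.2.2", now=3)  # cached: FP-2 drop
    aged = chip.age(now=1000)                             # idle permit entry is reclaimed
    return r1, r2, r3, r4, chip.cpu_queries, aged, chip.vrf[10]


if __name__ == "__main__":
    print(run_scenario())
```

Deny entries are not aged here because the description only records an update time for entries that received address information, so a change of group membership needs the affected entries flushed explicitly.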
Based on the same inventive concept, an embodiment of the present invention further provides a terminal authority control apparatus, as shown in fig. 3, including: a query module 31, a new creation module 32, an uploading module 33, an installation module 34 and a forwarding module 35, wherein
the query module 31 is configured to receive a data packet sent by a source terminal to access a destination terminal, and to search the Virtual Routing Forwarding (VRF) table entry of the source terminal for a host table entry corresponding to the destination terminal; the new creation module 32 is configured to install a host table entry corresponding to the destination terminal in the VRF table entry if no such host table entry exists in the VRF table entry, and to mark the host identifier of the host table entry as a first identifier; the uploading module 33 is configured to send an access authority query request for the source terminal to the Central Processing Unit (CPU) according to the first identifier; the installation module 34 is configured to add the address information of the destination terminal to the host table entry if the source terminal has authority to access the destination terminal, and to update the host identifier of the host table entry to a second identifier; the forwarding module 35 is configured to forward the data packet according to the second identifier and the address information of the destination terminal.
The above apparatus, optionally, further comprises:
the updating module is used for directly marking the host identifier of the host table entry as a third identifier if the source terminal has no authority of accessing the destination terminal;
and the discarding module is used for discarding the data message according to the third identifier.
The above apparatus, optionally, further comprises:
and the processing module is used for processing the data message according to the host table entry if the VRF table entry already comprises the host table entry corresponding to the destination terminal.
As with the apparatus described above, optionally, the processing module is specifically configured to:
if the host identifier of the host table entry is a second identifier, forwarding the data message according to the address information corresponding to the host table entry in the VRF table entry;
and if the host identifier of the host table entry is the third identifier, discarding the data message.
The above apparatus, optionally, further comprises:
the recording module is used for recording the update time of the host table entry corresponding to the destination terminal in the VRF table entry;
and the aging module is used for deleting the host table entry corresponding to the destination terminal from the VRF table entry of the source terminal if the difference value between the current moment and the updating moment is greater than a preset threshold value.
The above apparatus, optionally, further comprises:
and the initialization module is used for allocating a VRF table entry to each network access terminal, the initial value of each VRF table entry being null.
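The module pipeline described above, as an added Python simulation that is not code from the patent: one VRF table per source terminal, the three host identifiers, a stand-in for the CPU access right query, and the aging pass. The names `VrfForwarder`, `cpu_query`, the constructed `CPU_POLICY` and address strings, and the choice to refresh the update time on every hit are assumptions, not taken from the page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple
import time


class HostId(Enum):
    """The three host identifiers the patent describes."""
    FIRST = 1    # entry installed, access right query sent to the CPU
    SECOND = 2   # source may access destination; address information present
    THIRD = 3    # source may not access destination; packets are discarded


@dataclass
class HostEntry:
    ident: HostId
    address: Optional[str] = None   # address information of the destination terminal
    updated_at: float = 0.0         # update time consulted by the aging module


# Constructed, hypothetical stand-in for the CPU's access right lookup: maps
# (source, destination) to the destination's address information when allowed.
CPU_POLICY: Dict[Tuple[str, str], str] = {("A", "B"): "10.0.0.2 via port 2"}


def cpu_query(src: str, dst: str) -> Optional[str]:
    """Return the destination address information if src may access dst, else None."""
    return CPU_POLICY.get((src, dst))


class VrfForwarder:
    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 aging_threshold: float = 300.0) -> None:
        self.clock = clock                  # injectable so aging can be tested offline
        self.aging_threshold = aging_threshold
        self.vrf: Dict[str, Dict[str, HostEntry]] = {}   # per-source-terminal VRF
        self.cpu_queries = 0                # counts how often the CPU is involved

    def register_terminal(self, term: str) -> None:
        """Initialization module: allocate an empty VRF table entry per terminal."""
        self.vrf.setdefault(term, {})

    def handle_packet(self, src: str, dst: str) -> Tuple[str, Optional[str]]:
        table = self.vrf[src]
        entry = table.get(dst)
        if entry is None:
            # New creation module: install the host entry marked with the first identifier.
            entry = HostEntry(HostId.FIRST)
            table[dst] = entry
            # Uploading module: the first identifier triggers the query to the CPU.
            self.cpu_queries += 1
            address = cpu_query(src, dst)
            # Recording module. Claim 5 records the time only after address info is
            # added; this example also stamps denied entries so they age out too.
            entry.updated_at = self.clock()
            if address is not None:
                # Installation module: add address info, update to the second identifier.
                entry.address = address
                entry.ident = HostId.SECOND
                return ("forward", address)
            # Updating module: no right, mark the third identifier and discard.
            entry.ident = HostId.THIRD
            return ("drop", None)
        # Processing module: an entry exists, act on its identifier with no CPU query.
        entry.updated_at = self.clock()   # assumption: a hit refreshes the update time
        if entry.ident is HostId.SECOND:
            return ("forward", entry.address)
        return ("drop", None)             # THIRD, or FIRST while a query is still pending

    def age(self) -> List[Tuple[str, str]]:
        """Aging module: delete entries idle longer than the threshold."""
        now = self.clock()
        removed: List[Tuple[str, str]] = []
        for src, table in self.vrf.items():
            for dst in [d for d, e in table.items()
                        if now - e.updated_at > self.aging_threshold]:
                del table[dst]
                removed.append((src, dst))
        return removed
```

Only the first packet of each (source, destination) pair reaches the CPU; every later packet is decided from the installed identifier until the entry ages out.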
The apparatus provided in the embodiment of the present invention is configured to implement the method; for details of its functions, refer to the method embodiment, which are not repeated here.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 4, the electronic device includes: a processor 41, a memory 42, and a bus 43;
wherein the processor 41 and the memory 42 communicate with each other via the bus 43;
processor 41 is configured to call program instructions in memory 42 to perform the methods provided by the above-described method embodiments, including, for example: receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal; if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the target terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier; sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier; if the source terminal has the authority of accessing the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry into a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal.
An embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to execute the methods provided by the above method embodiments, for example: receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal; if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the destination terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier; sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier; if the source terminal has the authority to access the destination terminal, adding the address information of the destination terminal to the host table entry, and updating the host identifier of the host table entry to a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal.
Embodiments of the present invention provide a non-transitory computer-readable storage medium storing computer instructions which cause a computer to perform the methods provided by the above method embodiments, for example: receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal; if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the destination terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier; sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier; if the source terminal has the authority to access the destination terminal, adding the address information of the destination terminal to the host table entry, and updating the host identifier of the host table entry to a second identifier; and forwarding the data message according to the second identifier and the address information of the destination terminal.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be completed by hardware under the control of program instructions; the program may be stored in a computer readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
The above-described embodiments of the apparatuses and the like are merely illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. A terminal authority control method is characterized by comprising the following steps:
receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal;
if the VRF table entry does not have the host table entry, installing the host table entry corresponding to the destination terminal in the VRF table entry, and marking the host identifier of the host table entry as a first identifier;
sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier;
if the source terminal has the authority of accessing the destination terminal, adding the address information of the destination terminal in the host table entry, and updating the host identifier of the host table entry into a second identifier;
and forwarding the data message according to the second identifier and the address information of the destination terminal.
2. The method of claim 1, further comprising:
if the source terminal has no authority to access the destination terminal, directly marking the host identifier of the host table entry as a third identifier;
and discarding the data message according to the third identifier.
3. The method of claim 1, further comprising:
and if the VRF table entry comprises a host table entry corresponding to the destination terminal, processing the data message according to the host table entry.
4. The method of claim 3, wherein the processing the data packet according to the host table entry comprises:
if the host identifier of the host table entry is a second identifier, forwarding the data message according to the address information corresponding to the host table entry in the VRF table entry;
and if the host identifier of the host table entry is the third identifier, discarding the data message.
5. The method according to claim 1, further comprising, after adding the address information of the destination terminal in the host table entry:
recording the update time of the host table entry corresponding to the destination terminal in the VRF table entry;
and if the difference between the current time and the update time is larger than a preset threshold value, deleting the host table entry corresponding to the destination terminal from the VRF table entry of the source terminal.
6. The method according to claim 1, wherein before receiving the data packet which is sent by the source terminal and used for accessing the destination terminal, the method further comprises:
allocating a VRF table entry to each network access terminal, wherein the initial value of the VRF table entry is null.
7. A terminal authority control device, comprising:
the query module is used for receiving a data message which is sent by a source terminal and used for accessing a destination terminal, and searching a host table entry corresponding to the destination terminal from a Virtual Routing Forwarding (VRF) table entry of the source terminal;
a new creation module, configured to install a host table entry corresponding to the destination terminal in the VRF table entry if the host table entry does not exist in the VRF table entry, and mark a host identifier of the host table entry as a first identifier;
the uploading module is used for sending an access authority query request of the source terminal to a Central Processing Unit (CPU) according to the first identifier;
the installation module is used for adding the address information of the destination terminal to the host table entry and updating the host identifier of the host table entry to a second identifier if the source terminal has the authority to access the destination terminal;
and the forwarding module is used for forwarding the data message according to the second identifier and the address information of the destination terminal.
8. The apparatus of claim 7, further comprising:
the updating module is used for directly marking the host identifier of the host table entry as a third identifier if the source terminal has no authority to access the destination terminal;
and the discarding module is used for discarding the data message according to the third identifier.
9. The apparatus of claim 7, further comprising:
and the processing module is used for processing the data message according to the host table entry if the VRF table entry comprises the host table entry corresponding to the destination terminal.
10. The apparatus of claim 9, wherein the processing module is specifically configured to:
if the host identifier of the host table entry is a second identifier, forwarding the data message according to the address information corresponding to the host table entry in the VRF table entry;
and if the host identifier of the host table entry is the third identifier, discarding the data message.
11. The apparatus of claim 7, further comprising:
the recording module is used for recording the update time of the host table entry corresponding to the destination terminal in the VRF table entry;
and the aging module is used for deleting the host table entry corresponding to the destination terminal from the VRF table entry of the source terminal if the difference between the current time and the update time is greater than a preset threshold value.
12. The apparatus of claim 7, further comprising:
and the initialization module is used for allocating a VRF table entry to each network access terminal, the initial value of each VRF table entry being null.
13. An electronic device, comprising:
the processor and the memory are communicated with each other through a bus; the memory stores program instructions executable by the processor, the program instructions being invoked by the processor to perform the method of any of claims 1 to 6.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 6.
CN202010672161.0A 2020-07-14 2020-07-14 Terminal authority control method and device, electronic equipment and storage medium Active CN111953599B (en)
Publications (2)

Publication Number Publication Date
CN111953599A CN111953599A (en) 2020-11-17
CN111953599B true CN111953599B (en) 2022-06-21

Family

ID=73341535
Also Published As

Publication number Publication date
CN111953599A (en) 2020-11-17
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant