CN112187740A - Network access control method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN112187740A
Authority: CN (China)
Prior art keywords: mac address, terminal, source, address, identifier
Legal status: Granted
Application number: CN202010959086.6A
Other languages: Chinese (zh)
Other versions: CN112187740B (en)
Inventor: 张灵峰
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN202010959086.6A
Publication of CN112187740A
Application granted
Publication of CN112187740B
Current legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5007 Internet protocol [IP] addresses > H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 for authentication of entities > H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

An embodiment of the invention provides a network access control method and apparatus, an electronic device and a storage medium. The method comprises: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet; looking up the source MAC address in the installed MAC address entries and obtaining a first terminal identifier corresponding to the source MAC address; looking up the source IP address in the installed static ARP entries and obtaining a second terminal identifier corresponding to the source IP address; and judging, according to the installed ACL entry, whether the first terminal identifier is the same as the second terminal identifier, and if so, forwarding the packet. In this embodiment, whether a packet is legitimate is decided by comparing the terminal identifier bound to its source MAC address with the terminal identifier bound to its source IP address, which avoids the device performance loss caused by adding and deleting ACL entries whenever terminal behaviour changes, and improves the concurrent online capacity of terminals.

Description

Network access control method and device, electronic equipment and storage medium
Technical Field
Embodiments of the invention relate to the field of communication technology, and in particular to a network access control method and apparatus, an electronic device and a storage medium.
Background
Network Access Control (NAC) is an initiative in which many vendors participate; its aim is to prevent emerging attack techniques such as viruses and worms from harming enterprise security. With NAC, only legitimate, trusted endpoint devices, such as personal computers (PCs), servers and handheld devices (PDAs), are allowed onto the network, and all other devices are denied access.
Currently, conventional NAC implementations on switch systems include DHCP Snooping (a Dynamic Host Configuration Protocol security feature), global IP + MAC binding, port security, 802.1x authentication, secure channel, IP Source Guard and ARP Check. In office networks, deploying DHCP Snooping together with IP Source Guard is common: the user entries recorded by DHCP Snooping supply a trusted data source for IP Source Guard, giving a simple and practical terminal onboarding scheme.
DHCP Snooping: by snooping the DHCP exchange between client and server, the switch records and monitors which IP address each user is using; it can also filter illegitimate DHCP packets, both client requests and server replies.
IP Source Guard: with the IP Source Guard binding function, IP packets are filtered in hardware so that only a user with a matching record in the hardware packet-filtering database can use the network normally, which prevents users from setting an IP address themselves or forging IP packets.
In a switch, DHCP Snooping and IP Source Guard work together as follows. DHCP Snooping monitors the protocol exchange in which a terminal requests an IP address from the DHCP server; once the terminal has obtained a legitimate IP address, a DHCP Snooping Table record is created, containing the IP address, MAC address, lease time, port, Virtual Local Area Network (VLAN), type and similar information. IP Source Guard uses this DHCP source binding table as its source of user security information and installs Access Control List (ACL) entries into the hardware switching chip to filter illegitimate packets. Each ACL entry uses the IP and MAC as its match keys, and an IP packet is forwarded only if its MAC address and IP address both match, which prevents users from setting private IP addresses, forging IP packets and similar illegitimate behaviour.
In this terminal onboarding scheme, the hardware entries associated with a terminal are the dynamic MAC address, the dynamic ARP entry and the ACL entry. Two main problems arise:
1. Entries are written to hardware after a terminal comes online. The lease time of a DHCP Snooping entry is long (typically configured to 4 hours), the aging time of an ARP entry is typically 1 hour, and the aging time of a MAC address is typically 5 minutes. If a large number of terminals go online and offline within a short time, many stale entries remain, which hinders new terminals from coming online.
2. Because of hardware limitations, frequent ACL entry operations on the switch cause performance degradation. If terminal behaviour changes frequently, ACL entries are operated on frequently, which hurts device performance and prevents large-scale concurrent onboarding or migration of terminals.
Disclosure of Invention
To overcome the deficiencies of the prior art, embodiments of the invention provide a network access control method and apparatus, an electronic device and a storage medium.
In a first aspect, an embodiment of the invention provides a network access control method applied in a switching device, comprising:
receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet;
looking up the MAC address entries installed in the switching device by the source MAC address, and if the source MAC address exists there, obtaining a first terminal identifier corresponding to the source MAC address;
looking up the static ARP entries installed in the switching device by the source IP address, and if the source IP address exists there, obtaining a second terminal identifier corresponding to the source IP address;
and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and if so, forwarding the packet.
Optionally, in the method above, before receiving the packet sent by the terminal, the method further comprises:
after the terminal comes online, obtaining the terminal's MAC address and querying the DHCP snooping entries to check whether the terminal is legitimate;
if the terminal is legitimate, allocating a first user identifier to it, installing in the switching device a MAC address entry for the terminal MAC address taken from the DHCP snooping entry, and marking the terminal identifier of the terminal MAC address as the first user identifier;
installing in the switching device a static ARP entry containing the terminal's IP address taken from the DHCP snooping entry, and marking the terminal identifier of that IP address as the first user identifier;
installing in the switching device an ACL entry whose ACL rule is: if the terminal identifier corresponding to the packet's source MAC address is the same as the terminal identifier corresponding to its source IP address, forward the packet.
Optionally, in the method above, after looking up the MAC address entries installed in the switching device by the source MAC address, the method further comprises:
if the source MAC address exists in the MAC address entries, marking the hit identifier of that terminal MAC address as a first preset mark.
Optionally, the method above further comprises:
if the source MAC address does not exist in the installed MAC address entries, installing a MAC address entry for the source MAC address, setting its first terminal identifier to a second user identifier, and setting its hit identifier to the first preset mark.
Optionally, the method above further comprises:
every preset period, traversing all MAC address entries installed in the switching device, and if the hit identifier of a first MAC address is a second preset mark, deleting from the switching device the MAC address entry and the static ARP entry corresponding to the first MAC address;
and if the hit identifier of the first MAC address is the first preset mark, changing it to the second preset mark.
In a second aspect, an embodiment of the invention provides a network access control apparatus applied in a switching device, comprising:
a receiving module, configured to receive a packet to be processed sent by a terminal and determine the source MAC address and source IP address of the packet;
a first obtaining module, configured to look up the MAC address entries installed in the switching device by the source MAC address, and if the source MAC address exists there, obtain a first terminal identifier corresponding to the source MAC address;
a second obtaining module, configured to look up the static ARP entries installed in the switching device by the source IP address, and if the source IP address exists there, obtain a second terminal identifier corresponding to the source IP address;
and a matching module, configured to judge, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and if so, forward the packet.
Optionally, the apparatus above further comprises:
a judging module, configured to obtain the terminal's MAC address after the terminal comes online and query the DHCP snooping entries to check whether the terminal is legitimate;
a first installation module, configured to allocate a first user identifier to the terminal if it is legitimate, install in the switching device a MAC address entry for the terminal MAC address taken from the DHCP snooping entry, and mark the terminal identifier of the terminal MAC address as the first user identifier;
a second installation module, configured to install in the switching device a static ARP entry containing the terminal's IP address taken from the DHCP snooping entry, and mark the terminal identifier of that IP address as the first user identifier;
a third installation module, configured to install in the switching device an ACL entry whose ACL rule is: if the terminal identifier corresponding to the packet's source MAC address is the same as the terminal identifier corresponding to its source IP address, forward the packet.
Optionally, in the apparatus above, the first obtaining module is further configured to:
if the source MAC address exists in the MAC address entries, mark the hit identifier of that terminal MAC address as a first preset mark.
Optionally, the apparatus above further comprises:
a marking module, configured to install a MAC address entry for the source MAC address if the source MAC address does not exist in the installed MAC address entries, set its first terminal identifier to a second user identifier, and set its hit identifier to the first preset mark.
Optionally, the apparatus above further comprises:
a deleting module, configured to traverse all MAC address entries installed in the switching device every preset period, and if the hit identifier of a first MAC address is the second preset mark, delete from the switching device the MAC address entry and the static ARP entry corresponding to the first MAC address;
and accordingly the marking module is further configured to:
if the hit identifier of the first MAC address is the first preset mark, change it to the second preset mark.
In a third aspect, an embodiment of the invention provides an electronic device, comprising:
a processor and a memory that communicate with each other over a bus, where the memory stores program instructions executable by the processor, and the processor invokes those instructions to perform a method comprising: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet; looking up the MAC address entries installed in the switching device by the source MAC address, and if the source MAC address exists there, obtaining a first terminal identifier corresponding to the source MAC address; looking up the static ARP entries installed in the switching device by the source IP address, and if the source IP address exists there, obtaining a second terminal identifier corresponding to the source IP address; and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and if so, forwarding the packet.
In a fourth aspect, an embodiment of the invention provides a storage medium on which a computer program is stored; when executed by a processor, the program implements the following method: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet; looking up the MAC address entries installed in the switching device by the source MAC address, and if the source MAC address exists there, obtaining a first terminal identifier corresponding to the source MAC address; looking up the static ARP entries installed in the switching device by the source IP address, and if the source IP address exists there, obtaining a second terminal identifier corresponding to the source IP address; and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and if so, forwarding the packet.
In the network access control method provided by this embodiment, whether a packet is legitimate is decided by comparing the terminal identifier bound to its source MAC address with the terminal identifier bound to its source IP address, which avoids the device performance loss caused by adding and deleting ACL entries whenever terminal behaviour changes, and improves the concurrent online capacity of terminals.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below show some embodiments of the invention, and a person skilled in the art could derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a network access control method according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a network access control apparatus according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art could derive from them without creative effort fall within the protection scope of the invention.
Fig. 1 is a schematic flow chart of a network access control method provided in an embodiment of the invention. The method is applied to a switching device, for example a switch, and as shown in Fig. 1 it comprises:
step S11, receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet;
step S12, looking up the MAC address entries installed in the switching device by the source MAC address, and if the source MAC address exists there, obtaining a first terminal identifier corresponding to the source MAC address;
step S13, looking up the static ARP entries installed in the switching device by the source IP address, and if the source IP address exists there, obtaining a second terminal identifier corresponding to the source IP address;
step S14, judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and if so, forwarding the packet.
Specifically, after a terminal accesses the network through a Wireless Access Point (AP), it sends a DHCP request to apply for an IP address from a DHCP server. The switching device wired to a port of the AP performs MAC address learning, so the terminal's MAC address is obtained in hardware, and the DHCP request is forwarded to the DHCP server. The DHCP server decides whether the terminal is legitimate (the decision method is existing technology and is not described further here); if it is, the server returns the IP address allocated to the terminal, and the terminal MAC address and IP address are stored in the DHCP Snooping Table. The terminal can then access the network with the assigned IP address.
When the switching device detects that the terminal is online, it obtains the terminal's MAC address, for example 00-16-EA-AE-3C-40, and monitors the DHCP process. It queries the DHCP snooping entries to check whether the terminal is legitimate, that is, whether the MAC address of the current terminal exists in the DHCP snooping entries. If so, the terminal is considered legitimate and a user identifier (the first user identifier, abbreviated user ID) is allocated to it; specifically, the user ID is allocated from a first preset range, for example an unused value such as 005 is chosen from 001-999. The switching device then installs a MAC address entry for the terminal MAC address taken from the DHCP snooping entry and marks the terminal identifier of that MAC address as the first user identifier, so that, for example, the terminal identifier of MAC address 00-16-EA-AE-3C-40 is 005. Note that the MAC address entry here is a static MAC address entry.
In addition, the switching device installs a static ARP entry; note that before doing so the switching device must turn off dynamic ARP learning. The static ARP entry contains the terminal's IP address taken from the DHCP snooping entry, for example 192.168.0.0, and the terminal identifier of that IP address is marked as the user ID, so that, for example, the terminal identifier of IP address 192.168.0.0 is 005.
Finally, the switching device installs the ACL entry, whose ACL rule is: if the terminal identifier corresponding to the packet's source MAC address is the same as the terminal identifier corresponding to its source IP address, the packet is forwarded; otherwise it is discarded. In other words, in this embodiment the ACL entry does not match the IP address and MAC address themselves; it matches the terminal identifier obtained through the MAC address against the terminal identifier obtained through the IP address, and forwards the packet if the two identifiers agree.
Once these entries are installed on the switching device, when an IP packet from a terminal is received, the source MAC address and source IP address of the packet are determined first. The switching device looks up its installed MAC address entries by the source MAC address; if the source MAC address is found, the terminal identifier of that MAC address is obtained and recorded as the first terminal identifier. It then looks up the installed static ARP entries by the source IP address; if the source IP address exists there, its terminal identifier is obtained and recorded as the second terminal identifier. Finally the switching device judges, according to the installed ACL entry, whether the first and second terminal identifiers are the same: if they are, the packet is forwarded, otherwise it is discarded.
Because the ACL rule is "forward the packet if the terminal identifier of the source MAC address equals the terminal identifier of the source IP address", when a terminal's MAC address or IP address changes frequently only the MAC address entry and the static ARP entry need to be changed; the ACL entry need not be added and deleted repeatedly, and frequent operations on those two tables do not degrade the switch's performance. In this embodiment the ACL filtering is aimed mainly at IP packets: hardware forwarding is permitted only when the source MAC address and source IP address of the IP packet are as expected, which prevents users from setting private IP addresses, forging IP packets and similar illegitimate behaviour. Furthermore, since the user IDs are derived from the actual capacity of the switching device and can be allocated in advance, the ACL entry can be written to hardware while the switching device initializes. While terminal behaviour changes frequently, the ACL entries do not change, so performance overhead is reduced and the concurrent capacity of terminals is improved.
In the network access control method provided by this embodiment, whether a packet is legitimate is decided by comparing the terminal identifier bound to its source MAC address with the terminal identifier bound to its source IP address, which avoids the device performance loss caused by adding and deleting ACL entries whenever terminal behaviour changes, and improves the concurrent online capacity of terminals.
On the basis of the foregoing embodiment, after looking up the MAC address entries installed in the switching device by the source MAC address, the method further comprises:
if the source MAC address exists in the MAC address entries, marking the hit identifier of that terminal MAC address as a first preset mark.
Specifically, after finding the packet's source MAC address in the installed MAC address entries, the switching device may also set a hit identifier (denoted hit) for that MAC address to a first preset mark, for example 1. That is, once the switching device finds the terminal MAC address locally, it marks the hit of that MAC address as 1, indicating that the terminal MAC is valid.
On the basis of the above embodiments, the method further comprises:
if the source MAC address does not exist in the installed MAC address entries, installing a MAC address entry for the source MAC address, setting its first terminal identifier to a second user identifier, and setting its hit identifier to the first preset mark.
Specifically, if the source MAC address does not exist in the installed MAC address entries of the switching device, a MAC address entry for the source MAC address is installed directly, its first terminal identifier is set to a second user identifier, for example 000, and its hit identifier is set to the first preset mark, for example 1. That is, as soon as the switching device learns a terminal's MAC address, the MAC address itself is treated as legitimate. Note that the second user identifier differs from the first user identifier (the user ID). Therefore, when a user sets an IP address themselves or forges an IP packet, the first terminal identifier obtained necessarily differs from the second terminal identifier, and the switching device discards the packet directly.
On the basis of the above embodiments, the method further includes:
traversing all MAC address table entries installed in the switching equipment at intervals of a preset period, and if the hit identifier of a first MAC address is a second preset mark, deleting the MAC address table entry corresponding to the first MAC address and a static ARP table entry corresponding to the first MAC address from the switching equipment;
and if the hit identifier of the first MAC address is the first preset mark, changing the hit identifier into a second preset mark.
Specifically, lease time of a DHCP snooping entry is usually 4 hours, if a large number of terminals are online for less than 4 hours, the terminals are offline, a switching device does not clean static MAC addresses and static ARP entries, and hardware has a large number of entries remaining to occupy entry resources, so that a new terminal cannot be online. Therefore, in the embodiment of the present invention, the switching device adds a timing thread, monitors the hit identifier of the hardware MAC address table, specifically, the thread may configure a preset period according to an actual scene, for example, the thread is awakened for 5 minutes, and traverses the hardware MAC address table entries of the switching device, if the hit identifier of a certain MAC address is a second preset identifier, for example, hit is 0, it indicates that the terminal is offline, and deletes the MAC address table entry corresponding to the first MAC address and the static ARP table entry corresponding to the first MAC address from the switching device, but the DHCP snooping table entry continues to be retained, so as to prevent the terminal from going online again and not initiating the DHCP request again.
If the hit of the first MAC address is 1, changing the hit from 1 to 0, namely assuming that the terminal is offline, then directly waiting for the next preset period for judgment, if the terminal is not offline actually, sending the message again, and then setting the hit of the MAC address to 1 as long as the exchange equipment learns the MAC address of the terminal, no matter the MAC address table entry is installed locally or installed again, the information that the hit of the MAC address is 1 can be obtained when the thread is monitored next time, and then continuing to set the hit to 0. And circulating the steps, namely trying to assume that the terminal has no message every preset period, if the terminal has the message, the hit of the MAC address is updated to 1 by the switching equipment, if the message does not exist, the hit is 0, the message is still not sent by the terminal after the preset period is described, the terminal is judged to be offline, and the MAC address table entry corresponding to the first MAC address and the static ARP table entry corresponding to the first MAC address are deleted from the switching equipment.
In addition, in this embodiment of the present invention, the MAC address table entry may include: a MAC address, a virtual local area network identifier (VID), port information, a terminal identifier, and a hit identifier, where the port information is egress information, that is, the egress port of the MAC address. The static ARP entry may include: an IP address, a virtual routing and forwarding instance identifier (VRF), port information, and a terminal identifier, where the port information is the ARP egress information, that is, the port of the switching device through which the terminal (or the AP it is associated with) accesses the switch.
The embodiment of the present invention ensures that legal terminal users can connect to network resources normally by controlling terminal behaviour. The different behaviours of a terminal therefore need to be handled, where terminal behaviour includes terminal on-line behaviour, terminal migration behaviour, and terminal off-line behaviour.
Terminal migration can be divided into two cases. In the first, the terminal sends a DHCP request on its own after migrating and re-applies for an IP address; such a terminal can migrate directly and quickly. In the second, the terminal does not re-apply for an IP address, and the MAC address migration of the switching device has to be triggered, that is, the egress of the MAC address is updated: once the MAC address is learned on the new port, the port information of the MAC address table entry is updated automatically. The switching device then queries the DHCP snooping entry and, if the terminal is legal, also updates the port information of the ARP entry according to the learned port information.
According to the network access control method provided by the embodiment of the present invention, whether a packet is legal is judged by comparing the terminal identifier corresponding to the packet's source MAC address with the terminal identifier corresponding to its source IP address. This avoids the performance degradation caused by adding and deleting ACL entries whenever terminal behaviour changes, because the entries are delivered to hardware once, after the terminal comes online. And because the lease time of DHCP snooping entries is long, the MAC address entries are monitored periodically so that the hardware entries of terminals that have gone offline are deleted in time, which improves the concurrent on-line capacity of terminals.
Based on the same inventive concept, an embodiment of the present invention further provides a network access control apparatus, applied in a switching device, which, as shown in Fig. 2, includes a receiving module 21, a first obtaining module 22, a second obtaining module 23, and a matching module 24, where:
the receiving module 21 is configured to receive a packet to be processed sent by a terminal, and determine the source MAC address and source IP address of the packet to be processed;
the first obtaining module 22 is configured to search the MAC address table entries installed in the switching device according to the source MAC address, and, if the source MAC address exists in a MAC address table entry, obtain the first terminal identifier corresponding to the source MAC address;
the second obtaining module 23 is configured to search the static ARP table entries installed in the switching device according to the source IP address, and, if the source IP address exists in a static ARP table entry, obtain the second terminal identifier corresponding to the source IP address;
the matching module 24 is configured to judge, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and, if so, pass the packet to be processed.
Optionally, the above apparatus further includes:
a judging module, configured to obtain the terminal MAC address of a terminal after the terminal comes online, and query the DHCP snooping entries to determine whether the terminal is legal;
a first installation module, configured to, if the terminal is legal, allocate a first user identifier to the terminal, install in the switching device a MAC address table entry corresponding to the terminal MAC address in the DHCP snooping entry, and mark the terminal identifier corresponding to the terminal MAC address as the first user identifier;
a second installation module, configured to install a static ARP entry in the switching device, where the static ARP entry includes the IP address of the terminal obtained from the DHCP snooping entry, and mark the terminal identifier corresponding to that IP address as the first user identifier;
a third installation module, configured to install an ACL entry in the switching device, where the ACL rule corresponding to the ACL entry is: if the terminal identifier corresponding to the source MAC address of the packet to be processed is the same as the terminal identifier corresponding to its source IP address, pass the packet to be processed.
In the above apparatus, optionally, the first obtaining module is further configured to:
if the source MAC address exists in a MAC address table entry, mark the hit identifier corresponding to that MAC address as the first preset mark.
Optionally, the above apparatus further includes:
a marking module, configured to, if the source MAC address does not exist in the installed MAC address table entries, install a MAC address table entry corresponding to the source MAC address, set the first terminal identifier corresponding to the source MAC address to a second user identifier, and set its hit identifier to the first preset mark.
Optionally, the above apparatus further includes:
a deleting module, configured to traverse all MAC address table entries installed in the switching device once every preset period and, if the hit identifier of a first MAC address is the second preset mark, delete the MAC address table entry corresponding to the first MAC address and the static ARP table entry corresponding to the first MAC address from the switching device;
correspondingly, the marking module is further configured to:
if the hit identifier of the first MAC address is the first preset mark, change the hit identifier to the second preset mark.
The apparatus provided in this embodiment of the present invention is configured to implement the above method; for its specific functions, refer to the method embodiment, which is not repeated here.
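The on-line processing, the per-packet identifier comparison, the timer-driven aging of entries by their hit identifier (described above) and the port update on migration, as an added Python simulation. This is not code from the patent or from Ruijie Networks. It assumes a unique terminal identifier per legal terminal, a reserved identifier 0 as the "second user identifier" that no static ARP entry ever carries, and a constructed DHCP snooping table in place of one learned from DHCP ACKs; the ACL entry is modelled directly as the comparison, and the class, function and table names are this example's own.

```python
"""Switch-side simulation of the tables and checks described on this page (added
example, not code from the patent or Ruijie). The DHCP snooping table is a
constructed sample; the identifiers are assumed unique per legal terminal."""
from dataclasses import dataclass

UNKNOWN_ID = 0        # assumed "second user identifier": no static ARP entry ever carries it
HIT, NO_HIT = 1, 0    # "first preset mark" / "second preset mark" of the hit identifier

@dataclass
class MacEntry:       # MAC address table entry: MAC, VID, egress port, terminal id, hit
    mac: str
    vid: int
    port: str
    terminal_id: int
    hit: int = HIT

@dataclass
class ArpEntry:       # static ARP entry: IP, VRF, port, terminal id (MAC kept for the sweep)
    ip: str
    vrf: int
    port: str
    mac: str
    terminal_id: int

class Switch:
    def __init__(self, snooping):
        self.snooping = dict(snooping)   # (mac, vid) -> (ip, port); never aged by the sweep
        self.mac_table = {}              # (mac, vid) -> MacEntry
        self.arp_table = {}              # ip -> ArpEntry
        self._next_id = 1

    def terminal_online(self, mac, vid):
        """Claim 2: a terminal with a DHCP snooping binding gets a fresh id on its MAC and ARP entries."""
        binding = self.snooping.get((mac, vid))
        if binding is None:
            return False
        ip, port = binding
        tid, self._next_id = self._next_id, self._next_id + 1
        self.mac_table[(mac, vid)] = MacEntry(mac, vid, port, tid)
        self.arp_table[ip] = ArpEntry(ip, 0, port, mac, tid)
        return True

    def check_packet(self, src_mac, src_ip, vid, in_port):
        """Claims 1, 3, 4: pass only if the id behind the source MAC equals the id behind the source IP."""
        entry = self.mac_table.get((src_mac, vid))
        if entry is None:   # claim 4: unknown MAC learned with the reserved id, so it never matches
            entry = MacEntry(src_mac, vid, in_port, UNKNOWN_ID)
            self.mac_table[(src_mac, vid)] = entry
        entry.hit = HIT     # claim 3: seen during this period
        arp = self.arp_table.get(src_ip)
        if arp is None:     # no second identifier to compare with
            return False
        return entry.terminal_id == arp.terminal_id

    def age_sweep(self):
        """Claim 5, once per period: entries still NO_HIT are offline and go with their ARP entries; the rest are re-armed."""
        removed = []
        for key, entry in list(self.mac_table.items()):
            if entry.hit == NO_HIT:
                del self.mac_table[key]
                for ip in [ip for ip, a in self.arp_table.items() if a.mac == entry.mac]:
                    del self.arp_table[ip]
                removed.append(entry.mac)
            else:
                entry.hit = NO_HIT
        return removed

    def mac_moved(self, mac, vid, new_port):
        """Migration without a new DHCP request: the relearned MAC updates its port; a legal terminal's ARP entry follows."""
        entry = self.mac_table.get((mac, vid))
        if entry is None:
            return False
        entry.port, entry.hit = new_port, HIT
        if (mac, vid) in self.snooping:
            for arp in self.arp_table.values():
                if arp.mac == mac:
                    arp.port = new_port
        return True

# Constructed sample: two legal terminals in VLAN 10 and one MAC that has no DHCP binding.
MAC1, IP1 = "00:11:22:33:44:01", "10.0.10.11"
MAC2, IP2 = "00:11:22:33:44:02", "10.0.10.12"
ROGUE = "de:ad:be:ef:00:99"

def build_demo_switch():
    sw = Switch({(MAC1, 10): (IP1, "Gi0/1"), (MAC2, 10): (IP2, "Gi0/2")})
    sw.terminal_online(MAC1, 10)
    sw.terminal_online(MAC2, 10)
    return sw

if __name__ == "__main__":
    sw = build_demo_switch()
    print("own IP:", sw.check_packet(MAC1, IP1, 10, "Gi0/1"))      # legal terminal, passed
    print("spoofed IP:", sw.check_packet(MAC1, IP2, 10, "Gi0/1"))  # identifiers differ, dropped
    print("rogue MAC:", sw.check_packet(ROGUE, IP1, 10, "Gi0/3"))  # reserved id, dropped
    sw.age_sweep()                                                 # first sweep re-arms everything
    sw.check_packet(MAC1, IP1, 10, "Gi0/1")                        # only MAC1 keeps sending
    print("aged out:", sw.age_sweep())                             # MAC2 and ROGUE are removed
```

Two properties of the scheme are visible in this simulation. First, a legal terminal that borrows another legal terminal's IP address is dropped even though both of its addresses are individually known to the switch, because the comparison is between identifiers, not between table hits. Second, the hit identifier is a one-period grace window: a legal terminal that sends nothing for two consecutive sweeps is removed exactly like an offline one, and on its next packet its MAC is relearned with the reserved identifier and dropped until the on-line processing of claim 2 runs again, which is why the DHCP snooping binding is kept rather than deleted.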
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 3, the electronic device includes: a processor 31, a memory 32, and a bus 33;
where the processor 31 and the memory 32 communicate with each other through the bus 33;
the processor 31 is configured to call program instructions in the memory 32 to perform the methods provided by the above method embodiments, which include, for example: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet to be processed; searching the MAC address table entries installed in the switching device according to the source MAC address and, if the source MAC address exists in a MAC address table entry, obtaining the first terminal identifier corresponding to the source MAC address; searching the static ARP table entries installed in the switching device according to the source IP address and, if the source IP address exists in a static ARP table entry, obtaining the second terminal identifier corresponding to the source IP address; and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier and, if so, passing the packet to be processed.
An embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above method embodiments, for example: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet to be processed; searching the MAC address table entries installed in the switching device according to the source MAC address and, if the source MAC address exists in a MAC address table entry, obtaining the first terminal identifier corresponding to the source MAC address; searching the static ARP table entries installed in the switching device according to the source IP address and, if the source IP address exists in a static ARP table entry, obtaining the second terminal identifier corresponding to the source IP address; and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier and, if so, passing the packet to be processed.
An embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to perform the methods provided by the above method embodiments, for example: receiving a packet to be processed sent by a terminal, and determining the source MAC address and source IP address of the packet to be processed; searching the MAC address table entries installed in the switching device according to the source MAC address and, if the source MAC address exists in a MAC address table entry, obtaining the first terminal identifier corresponding to the source MAC address; searching the static ARP table entries installed in the switching device according to the source IP address and, if the source IP address exists in a static ARP table entry, obtaining the second terminal identifier corresponding to the source IP address; and judging, according to the ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier and, if so, passing the packet to be processed.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; and the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks, or optical disks.
The above-described apparatus embodiments are merely illustrative. The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, or by hardware alone. On this understanding, the above technical solutions may be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, or an optical disk, which includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments or in parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the embodiments of the present invention and not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A network access control method, applied to a switching device, comprising:
receiving a packet to be processed sent by a terminal, and determining a source MAC address and a source IP address corresponding to the packet to be processed;
searching MAC address table entries installed in the switching device according to the source MAC address, and, if the source MAC address exists in a MAC address table entry, obtaining a first terminal identifier corresponding to the source MAC address;
searching static ARP table entries installed in the switching device according to the source IP address, and, if the source IP address exists in a static ARP table entry, obtaining a second terminal identifier corresponding to the source IP address;
and judging, according to an ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and, if so, passing the packet to be processed.
2. The method according to claim 1, wherein, before receiving the packet to be processed sent by the terminal, the method further comprises:
after the terminal comes online, obtaining the terminal MAC address of the terminal, and querying a DHCP snooping entry to determine whether the terminal is legal;
if the terminal is legal, allocating a first user identifier to the terminal, installing in the switching device a MAC address table entry corresponding to the terminal MAC address in the DHCP snooping entry, and marking the terminal identifier corresponding to the terminal MAC address as the first user identifier;
installing a static ARP table entry in the switching device, wherein the static ARP table entry comprises the IP address of the terminal obtained from the DHCP snooping entry, and marking the terminal identifier corresponding to the IP address as the first user identifier;
installing an ACL entry in the switching device, wherein the ACL rule corresponding to the ACL entry is: if the terminal identifier corresponding to the source MAC address of the packet to be processed is the same as the terminal identifier corresponding to the source IP address, passing the packet to be processed.
3. The method according to claim 1, wherein, after searching the MAC address table entries installed in the switching device according to the source MAC address, the method further comprises:
if the source MAC address exists in a MAC address table entry, marking a hit identifier corresponding to the terminal MAC address as a first preset mark.
4. The method according to claim 3, further comprising:
if the source MAC address does not exist in the installed MAC address table entries, installing a MAC address table entry corresponding to the source MAC address, setting the first terminal identifier corresponding to the source MAC address to a second user identifier, and setting the hit identifier to the first preset mark.
5. The method according to claim 4, further comprising:
traversing all MAC address table entries installed in the switching device once every preset period, and, if the hit identifier of a first MAC address is a second preset mark, deleting the MAC address table entry corresponding to the first MAC address and the static ARP table entry corresponding to the first MAC address from the switching device;
and, if the hit identifier of the first MAC address is the first preset mark, changing the hit identifier to the second preset mark.
6. A network access control apparatus, applied to a switching device, comprising:
a receiving module, configured to receive a packet to be processed sent by a terminal, and determine a source MAC address and a source IP address corresponding to the packet to be processed;
a first obtaining module, configured to search MAC address table entries installed in the switching device according to the source MAC address, and, if the source MAC address exists in a MAC address table entry, obtain a first terminal identifier corresponding to the source MAC address;
a second obtaining module, configured to search static ARP table entries installed in the switching device according to the source IP address, and, if the source IP address exists in a static ARP table entry, obtain a second terminal identifier corresponding to the source IP address;
and a matching module, configured to judge, according to an ACL entry installed in the switching device, whether the first terminal identifier is the same as the second terminal identifier, and, if so, pass the packet to be processed.
7. The apparatus according to claim 6, further comprising:
a judging module, configured to obtain the terminal MAC address of the terminal after the terminal comes online, and query a DHCP snooping entry to determine whether the terminal is legal;
a first installation module, configured to, if the terminal is legal, allocate a first user identifier to the terminal, install in the switching device a MAC address table entry corresponding to the terminal MAC address in the DHCP snooping entry, and mark the terminal identifier corresponding to the terminal MAC address as the first user identifier;
a second installation module, configured to install a static ARP table entry in the switching device, wherein the static ARP table entry comprises the IP address of the terminal obtained from the DHCP snooping entry, and mark the terminal identifier corresponding to the IP address as the first user identifier;
a third installation module, configured to install an ACL entry in the switching device, wherein the ACL rule corresponding to the ACL entry is: if the terminal identifier corresponding to the source MAC address of the packet to be processed is the same as the terminal identifier corresponding to the source IP address, pass the packet to be processed.
8. The apparatus according to claim 7, wherein the first obtaining module is further configured to:
if the source MAC address exists in a MAC address table entry, mark a hit identifier corresponding to the terminal MAC address as a first preset mark.
9. The apparatus according to claim 8, further comprising:
a marking module, configured to, if the source MAC address does not exist in the installed MAC address table entries, install a MAC address table entry corresponding to the source MAC address, set the first terminal identifier corresponding to the source MAC address to a second user identifier, and set the hit identifier to the first preset mark.
10. The apparatus according to claim 9, further comprising:
a deleting module, configured to traverse all MAC address table entries installed in the switching device once every preset period, and, if the hit identifier of a first MAC address is a second preset mark, delete the MAC address table entry corresponding to the first MAC address and the static ARP table entry corresponding to the first MAC address from the switching device;
correspondingly, the marking module is further configured to:
if the hit identifier of the first MAC address is the first preset mark, change the hit identifier to the second preset mark.
11. An electronic device, comprising a processor and a memory, wherein:
the processor and the memory communicate with each other through a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the method according to any one of claims 1 to 5.
12. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010959086.6A CN112187740B (en) 2020-09-14 2020-09-14 Network access control method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112187740A true CN112187740A (en) 2021-01-05
CN112187740B CN112187740B (en) 2022-09-16

Family

ID=73920747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010959086.6A Active CN112187740B (en) 2020-09-14 2020-09-14 Network access control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112187740B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100293250A1 (en) * 2009-05-14 2010-11-18 Avaya Inc. Method to allow seamless connectivity for wireless devices in dhcp snooping/dynamic arp inspection/ip source guard enabled unified network
CN101895587A (en) * 2010-07-06 2010-11-24 中兴通讯股份有限公司 Method, device and system for preventing users from modifying IP addresses privately
CN101984693A (en) * 2010-11-16 2011-03-09 中兴通讯股份有限公司 Monitoring method and monitoring device for access of terminal to local area network (LAN)
WO2012088934A1 (en) * 2010-12-27 2012-07-05 中兴通讯股份有限公司 Method and switching device for filtering messages
CN104144095A (en) * 2014-08-08 2014-11-12 福建星网锐捷网络有限公司 Terminal authentication method and interchanger
CN109347784A (en) * 2018-08-10 2019-02-15 锐捷网络股份有限公司 Terminal admittance control method, controller, management and control devices and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曾梦良 et al.: "基于接入层的网络安全解决方案研究" (Research on an access-layer-based network security solution), 《微计算机信息》 (Microcomputer Information) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285918A (en) * 2021-04-08 2021-08-20 锐捷网络股份有限公司 ACL (access control list) filtering table item establishing method and device for network attack
CN113285918B (en) * 2021-04-08 2023-10-24 锐捷网络股份有限公司 ACL filtering table item establishing method and device for network attack
CN113438245A (en) * 2021-06-29 2021-09-24 新华三信息安全技术有限公司 Information updating and message security detection method and device
CN114500175A (en) * 2022-02-21 2022-05-13 北京至周科技有限公司 Communication method for reversely dividing home VLAN based on IP address of user equipment
CN115714676A (en) * 2022-11-09 2023-02-24 四川天邑康和通信股份有限公司 Method for identifying and managing client by home router
CN115865839A (en) * 2023-01-20 2023-03-28 苏州浪潮智能科技有限公司 ACL management method, device, communication equipment and storage medium
CN115865839B (en) * 2023-01-20 2023-05-23 苏州浪潮智能科技有限公司 ACL management method, ACL management device, communication equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant