CN112383646A - Security entry configuration method and device, SDN controller and medium - Google Patents


Info

Publication number: CN112383646A
Authority: CN (China)
Application number: CN202011273111.1A
Other languages: Chinese (zh)
Other versions: CN112383646B (granted publication)
Inventor: 霍晓宇 (Huo Xiaoyu)
Current assignee: New H3C Big Data Technologies Co Ltd
Original assignee: New H3C Big Data Technologies Co Ltd
Legal status: Granted, active (status as listed by Google Patents, not a legal conclusion)

Classifications

    • H04L61/103: H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/10 Mapping addresses of different types > H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/5014: H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/50 Address allocation > H04L61/5007 Internet protocol [IP] addresses > H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

Embodiments of the invention provide a method and apparatus for configuring security entries, an SDN controller and a storage medium, in the field of communications technology. The method comprises: collecting the DHCP Snooping entries and ARP Snooping entries of each switch, and the WLAN Snooping entries of each AP, in the controlled network topology; generating security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries; and receiving the information of the terminals to be bound and statically binding the security entry of each such terminal to the switch or AP that the terminal accesses, so that the switches and APs in the topology filter packets against the statically bound security entries. Configuration workload is reduced and configuration efficiency improved while terminal access security is preserved.

Description

Security entry configuration method and device, SDN controller and medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for configuring a security entry, an SDN controller, and a medium.
Background
Network security matters to every enterprise network. There are currently many small branch sites, such as small business outlets in the financial industry and retail sites, which have small networks and few access users; each such site also needs to communicate with headquarters, which is responsible for its deployment and management.
Large numbers of small branch networks are well suited to management by a Software Defined Network (SDN) controller: the network administrator need not know the configuration method of every network device, and the SDN controller can push network configuration to the devices in batches according to the network topology, device models, service characteristics and so on, completing automatic deployment.
In such networks, packets can be filtered with the IP Source Guard function. When IP addresses are assigned by the Dynamic Host Configuration Protocol (DHCP), DHCP Snooping binding entries are available and packets can be filtered effectively. However, some terminals in a network inevitably use static IP addresses, and packets carrying a static IP address cannot be filtered effectively by IP Source Guard, because no DHCP Snooping entry exists for them.
If binding entries for terminals using static IP addresses are configured manually on each interface, the interfaces in the branch network must be configured one by one, which is laborious and inefficient. If the SDN controller is used for branch network deployment instead, the administrator still has to collect every static IP address and Media Access Control (MAC) address, and a single mistyped IP or MAC address means either that the terminal cannot access the network or that its packets are not filtered effectively, so terminal access security cannot be guaranteed.
Disclosure of Invention
Embodiments of the present invention provide a method and apparatus for configuring security entries, an SDN controller and a medium, which reduce configuration workload and improve configuration efficiency while ensuring terminal access security. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for configuring security entries, applied to a software defined network (SDN) controller, the method comprising:
collecting the Dynamic Host Configuration Protocol (DHCP) Snooping entries and Address Resolution Protocol (ARP) Snooping entries of each switch, and the Wireless Local Area Network (WLAN) Snooping entries of each wireless access point (AP), in the controlled network topology;
generating security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries;
and receiving information on the terminals to be bound, and statically binding the security entry of each terminal to be bound to the switch or AP that the terminal accesses, so that the switches and APs in the network topology filter packets against the statically bound security entries.
In one possible implementation, generating security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries comprises:
according to the network topology, deleting from the collected DHCP Snooping and ARP Snooping entries those whose access interface is an interface connected to a neighboring switch, and those whose access interface is an interface connected to an AP;
modifying the entries among the remaining DHCP Snooping and ARP Snooping entries that share the same MAC address;
and generating security entries using the terminal MAC address in the WLAN Snooping entries and in the modified DHCP Snooping and ARP Snooping entries as the unique terminal identifier, where a security entry comprises the MAC address, IP address, VLAN identifier, access position, source information and a binding flag, the binding flag indicating whether the security entry has been bound to an interface of a network device.
In one possible implementation, modifying the entries among the remaining DHCP Snooping and ARP Snooping entries that share the same MAC address comprises:
searching the remaining DHCP Snooping and ARP Snooping entries for entries with the same MAC address;
and, where a DHCP Snooping entry and an ARP Snooping entry share a MAC address, deleting the ARP Snooping entry, so that the DHCP Snooping entry of the terminal that obtained its address by DHCP is retained.
In one possible implementation, before collecting the DHCP Snooping and ARP Snooping entries of each switch and the WLAN Snooping entries of each AP in the controlled network topology, the method further comprises:
querying whether the switch interfaces and APs in the network topology are configured with static binding entries;
if an AP in the network topology is configured with a static binding entry, adding the AP's static binding entry to the security entry list, setting its source information to null and its binding flag to bound;
if a switch interface in the network topology is configured with a static binding entry, determining whether the switch interface is connected to another switch;
if the switch interface is connected to another switch, issuing a first alarm message prompting the user to choose whether to keep the static binding entry of that switch interface;
if the user is identified as choosing to keep the static binding entry of the switch interface, adding it to the security entry list with source information null and binding flag bound; if the user is identified as choosing not to keep it, deleting the static binding entry of the switch interface;
and if the switch interface is not connected to another switch, adding its static binding entry to the security entry list with source information null and binding flag bound.
In one possible implementation, after generating security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries, the method further comprises:
for the MAC address of each generated security entry, determining whether a target static binding entry with that MAC address exists in the security entry list;
if no such target static binding entry exists, adding the security entry to the security entry list;
if it exists and its source information is null, updating the source information of the target static binding entry to the source information of the security entry;
determining whether the IP address, VLAN identifier and access position of the target static binding entry are consistent with those of the security entry;
if all are consistent, keeping the target static binding entry;
if any item is inconsistent, issuing a second alarm message prompting the user to choose whether to keep the target static binding entry or the security entry;
if the user chooses to keep the target static binding entry, keeping it; if the user chooses to keep the security entry, deleting the target static binding entry and adding the security entry to the security entry list.
In one possible implementation, after receiving information on the terminals to be bound and statically binding the security entry of each terminal to be bound to the switch or AP that it accesses, the method further comprises:
synchronizing, for each security entry of a terminal to be bound whose source information is DHCP, the correspondence between its MAC address and IP address to the DHCP server, so that the DHCP server assigns the terminal its IP address according to that correspondence.
In one possible implementation, the method further comprises:
receiving information on a terminal to be unbound, and deleting the security entry of that terminal from the switch or AP to which it was bound.
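The two reconciliation procedures above (importing static bindings already present on switch interfaces and APs before collection, and merging each generated entry against a static binding with the same MAC afterwards) are easiest to follow as code. The following is an added example written for this page, not code from the patent or from H3C; the device IDs, interface names, addresses, the set of inter-switch links and the two user answers are constructed, and the user's choices at the first and second alarms are modelled as callbacks.

```python
# Added example, not the patent's own code: how the pre-collection import of
# existing static bindings and the post-generation merge could be realised.
# Device IDs, interface names, addresses and the user choices are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]   # (switch_id, interface)


@dataclass
class SecurityEntry:
    mac: str
    ip: str
    vlan: int
    device_id: str
    access_position: str    # switch interface or SSID
    source: Optional[str]   # "DHCP", "ARP", "WLAN"; None for a binding that was already on the device
    bound: bool = False     # binding flag


def import_static_bindings(bindings: List[SecurityEntry], ap_ids: Set[str],
                           inter_switch_links: Set[Link],
                           keep_uplink_binding: Callable[[SecurityEntry], bool],
                           alarms: List[str]) -> Tuple[List[SecurityEntry], List[SecurityEntry]]:
    """Before collection: existing static bindings enter the list with source null and
    binding flag bound. One found on a switch interface facing another switch raises the
    first alarm; keep_uplink_binding stands in for the user's answer. Returns (list, to_delete)."""
    security_list: List[SecurityEntry] = []
    to_delete: List[SecurityEntry] = []
    for b in bindings:
        entry = SecurityEntry(b.mac.lower(), b.ip, b.vlan, b.device_id, b.access_position, None, True)
        if b.device_id not in ap_ids and (b.device_id, b.access_position) in inter_switch_links:
            alarms.append(f"first alarm: {entry.mac} bound on inter-switch link {b.device_id}/{b.access_position}")
            if not keep_uplink_binding(b):
                to_delete.append(entry)     # user dropped it: remove from the device, keep out of the list
                continue
        security_list.append(entry)
    return security_list, to_delete


def merge_generated(security_list: List[SecurityEntry], generated: List[SecurityEntry],
                    keep_static_on_conflict: Callable[[SecurityEntry, SecurityEntry], bool],
                    alarms: List[str]) -> List[SecurityEntry]:
    """After generation: reconcile each generated entry with the static binding of the same MAC."""
    by_mac: Dict[str, SecurityEntry] = {e.mac: e for e in security_list}
    for g in generated:
        target = by_mac.get(g.mac)
        if target is None:
            by_mac[g.mac] = g                       # no static binding for this MAC: add as-is
            continue
        if target.source is None:
            target.source = g.source                # record where the bound terminal was actually observed
        same = (target.ip, target.vlan, target.device_id, target.access_position) == \
               (g.ip, g.vlan, g.device_id, g.access_position)
        if same:
            continue                                # consistent: the static binding stays
        alarms.append(f"second alarm: {g.mac} static {target.ip}@{target.device_id}/{target.access_position} "
                      f"vs observed {g.ip}@{g.device_id}/{g.access_position}")
        if not keep_static_on_conflict(target, g):
            by_mac[g.mac] = g                       # static binding deleted, observed entry added (still unbound)
    return list(by_mac.values())


def run_example() -> Tuple[List[SecurityEntry], List[str], List[SecurityEntry]]:
    alarms: List[str] = []
    existing = [   # constructed static bindings found on the devices
        SecurityEntry("00:11:22:33:44:01", "10.1.1.11", 10, "sw1", "GE1/0/1", None, True),   # matches what DHCP reports
        SecurityEntry("00:11:22:33:44:05", "10.1.1.99", 10, "sw1", "GE1/0/2", None, True),   # IP differs from what ARP sees
        SecurityEntry("00:11:22:33:44:06", "10.1.1.66", 10, "sw2", "GE1/0/2", None, True),   # sits on the sw2-sw3 link
        SecurityEntry("00:11:22:33:44:AA", "10.1.1.50", 20, "ap1", "corp-wifi", None, True), # AP binding: always kept
    ]
    security_list, to_delete = import_static_bindings(
        existing, ap_ids={"ap1"}, inter_switch_links={("sw2", "GE1/0/2")},
        keep_uplink_binding=lambda b: False, alarms=alarms)          # user answers "do not keep"
    generated = [   # constructed output of the generation step
        SecurityEntry("00:11:22:33:44:01", "10.1.1.11", 10, "sw1", "GE1/0/1", "DHCP"),
        SecurityEntry("00:11:22:33:44:05", "10.1.1.98", 10, "sw1", "GE1/0/2", "ARP"),
        SecurityEntry("00:11:22:33:44:04", "10.1.1.200", 10, "sw2", "GE1/0/1", "ARP"),
    ]
    merged = merge_generated(security_list, generated,
                             keep_static_on_conflict=lambda s, g: False, alarms=alarms)  # user keeps observed entry
    return merged, alarms, to_delete


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The conflict branch is where the security value lies: a static binding whose IP no longer matches what the switch observes is either a stale configuration or a terminal that changed address, and silently keeping it would leave that terminal's traffic dropped (or, worse, leave a stale IP/MAC pair permitted on the port). Surfacing it as an alarm and requiring an explicit choice is the right default.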
In a second aspect, an embodiment of the present application provides an apparatus for configuring security entries, applied to a software defined network (SDN) controller, the apparatus comprising:
a collection module, configured to collect the Dynamic Host Configuration Protocol (DHCP) Snooping entries and Address Resolution Protocol (ARP) Snooping entries of each switch, and the Wireless Local Area Network (WLAN) Snooping entries of each wireless access point (AP), in the controlled network topology;
a generation module, configured to generate security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries;
a receiving module, configured to receive information on the terminals to be bound;
and a binding module, configured to statically bind the security entry of each terminal to be bound to the switch or AP that the terminal accesses, so that the switches and APs in the network topology filter packets against the statically bound security entries.
In one possible implementation, the generation module is specifically configured to:
according to the network topology, delete from the collected DHCP Snooping and ARP Snooping entries those whose access interface is an interface connected to a neighboring switch, and those whose access interface is an interface connected to an AP;
modify the entries among the remaining DHCP Snooping and ARP Snooping entries that share the same MAC address;
and generate security entries using the terminal MAC address in the WLAN Snooping entries and in the modified DHCP Snooping and ARP Snooping entries as the unique terminal identifier, where a security entry comprises the MAC address, IP address, VLAN identifier, access position, source information and a binding flag, the binding flag indicating whether the security entry has been bound to an interface of a network device.
In one possible implementation, the generation module is specifically configured to:
search the remaining DHCP Snooping and ARP Snooping entries for entries with the same MAC address;
and, where a DHCP Snooping entry and an ARP Snooping entry share a MAC address, delete the ARP Snooping entry so that the DHCP Snooping entry is retained.
In one possible implementation, the apparatus further comprises:
a query module, configured to query whether the switch interfaces and APs in the network topology are configured with static binding entries;
an adding module, configured to add, if an AP in the network topology is configured with a static binding entry, that static binding entry to the security entry list with source information null and binding flag bound;
a determining module, configured to determine, if a switch interface in the network topology is configured with a static binding entry, whether that switch interface is connected to another switch;
an alarm module, configured to issue a first alarm message prompting the user to choose whether to keep the static binding entry of the switch interface, if the switch interface is connected to another switch;
the adding module being further configured to add the static binding entry of the switch interface to the security entry list with source information null and binding flag bound if the user is identified as choosing to keep it, and to delete the static binding entry of the switch interface if the user is identified as choosing not to keep it;
the adding module being further configured to add the static binding entry of the switch interface to the security entry list with source information null and binding flag bound if the switch interface is not connected to another switch.
In one possible implementation, the determining module is further configured to determine, for the MAC address of each generated security entry, whether a target static binding entry with that MAC address exists in the security entry list;
the adding module is configured to add the security entry to the security entry list if the determining module finds no target static binding entry with the MAC address of the security entry;
an updating module is configured to update the source information of the target static binding entry to that of the security entry if the determining module finds such a target static binding entry and its source information is null;
the determining module is further configured to determine whether the IP address, VLAN identifier and access position of the target static binding entry are consistent with those of the security entry;
a retaining module is configured to keep the target static binding entry if the determining module finds them consistent;
the alarm module is further configured to issue a second alarm message prompting the user to choose whether to keep the target static binding entry or the security entry if the determining module finds any item inconsistent;
the retaining module is further configured to keep the target static binding entry if the user chooses to keep it;
and the adding module is further configured to delete the target static binding entry and add the security entry to the security entry list if the user chooses to keep the security entry.
In one possible implementation, the apparatus further comprises:
a synchronization module, configured to synchronize, for each security entry of a terminal to be bound whose source information is DHCP, the correspondence between its MAC address and IP address to the DHCP server, so that the DHCP server assigns the terminal its IP address according to that correspondence.
In one possible implementation, the apparatus further comprises a deletion module;
the receiving module is further configured to receive information on a terminal to be unbound;
and the deletion module is configured to delete the security entry of the terminal to be unbound from the switch or AP to which it was bound.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
and the processor is configured to carry out the steps of any of the above methods for configuring security entries when executing the program stored in the memory.
In a fourth aspect, the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for configuring security entries of the first aspect.
In a fifth aspect, an embodiment of the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method for configuring security entries of the first aspect.
With this technical scheme, the SDN controller obtains the information of terminals using dynamic IP addresses in the network topology by collecting DHCP Snooping and WLAN Snooping entries, and the information of terminals using static IP addresses by collecting ARP Snooping entries. After generating the security entry list from the collected information, the SDN controller receives the information of the terminals to be bound and statically binds their security entries to the switches or APs they access, so that packet filtering can be carried out. The static IP and MAC addresses of terminals therefore no longer need to be collected by hand: the SDN controller collects the information of terminals using static and dynamic IP addresses alike and binds the corresponding security entries in batches, reducing configuration workload and improving configuration efficiency while preserving terminal security.
Of course, not every advantage described above need be achieved simultaneously by any one product or method of the invention.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings needed for describing them are briefly introduced below. Evidently the drawings described are only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a network system according to an embodiment of the present application;
fig. 2 is a flowchart of a method for configuring a security entry according to an embodiment of the present application;
fig. 3 is an exemplary diagram of a network topology provided by an embodiment of the present application;
fig. 4 is a flowchart of another configuration method for a security entry according to an embodiment of the present application;
fig. 5 is a flowchart of another configuration method for a security entry according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a configuration apparatus for a security entry according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an SDN controller according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Evidently the embodiments described are only some of the embodiments of the invention and not all of them; all other embodiments obtained by a person skilled in the art from these embodiments without creative effort fall within the protection scope of the invention.
To reduce configuration workload and improve configuration efficiency while ensuring terminal access security, embodiments of the present application provide a method for configuring security entries, applicable to the scenario in which an SDN controller manages a large number of small branch networks. By way of example, the embodiment may be applied to the network system shown in Fig. 1. The headquarters of the network system comprises an SDN controller, a DHCP server and an Authentication, Authorization and Accounting (AAA) server, and the headquarters network is connected to each branch network over the Internet; Fig. 1 shows two branch networks as an example, and the number of branch networks in an actual deployment is not limited to this.
A branch network may comprise a gateway, switches connected to the gateway, APs connected to the switches, and terminals. A terminal may access a switch over a wired connection or an AP over a wireless connection. The switches may specifically be Layer 2 switches.
The number of devices in the branch network of Fig. 1 is merely an example; the number of devices in an actual deployment is not limited to this.
On the basis of Fig. 1, as shown in Fig. 2, an embodiment of the present application provides a method for configuring security entries, applied to an SDN controller, comprising:
S201: collecting the DHCP Snooping entries and ARP Snooping entries of each switch, and the WLAN Snooping entries of each wireless access point (AP), in the controlled network topology.
After the branch networks under the SDN controller come online, the SDN controller may compute the network topology of each branch network, where each branch network is a site, each site has a unique ID and each device in the site has a unique ID.
Optionally, the SDN controller may compute the network topology of each branch network using the Link Layer Discovery Protocol (LLDP), or by any other topology discovery method in the related art; this is not limited in the embodiments of the present application.
DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries all contain the terminal's IP address, MAC address, VLAN identifier and access interface information.
S202: generating security entries from the collected DHCP Snooping, ARP Snooping and WLAN Snooping entries.
S203: receiving information on the terminals to be bound, and statically binding the security entry of each terminal to be bound to the switch or AP that it accesses, so that the switches and APs in the network topology filter packets against the statically bound security entries.
If the access position in the security entry of a terminal to be bound is a switch interface, the security entry is bound to that switch interface; if the access position is a Service Set Identifier (SSID), the security entry is bound to the AP that serves that SSID.
Thereafter, a switch in the network topology filters packets according to the security entries bound to each interface: if a received packet matches a security entry it is forwarded; if it matches no security entry it is dropped.
An AP in the network topology likewise filters packets according to the security entries bound to it.
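The per-interface check that the switch or AP performs once entries are bound to it, as an added example written for this page (not code from the patent or from any H3C product). It models one device's binding table in the IP Source Guard style the background section refers to: a packet is forwarded only when its source MAC, source IP and VLAN match an entry bound to the exact interface or SSID it arrived on. Interface names, SSIDs, addresses and the sample packets are constructed, and the treatment of an interface with nothing bound (permit by default, deny when `deny_on_unbound` is set) is an assumption of the example rather than something the patent specifies.

```python
# Added example, not the patent's own code: the per-interface check a switch or AP
# applies once security entries are statically bound to it (IP Source Guard style).
# Interface names, SSIDs, addresses and the packets are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    ingress: str   # switch interface or SSID the packet arrived on
    src_mac: str
    src_ip: str
    vlan: int


class SourceGuard:
    """Binding table of one switch or AP, keyed by access position (interface or SSID)."""

    def __init__(self, deny_on_unbound: bool = False) -> None:
        # Assumption: a position with no bindings forwards everything unless deny_on_unbound is set.
        self._bindings: Dict[str, Set[Binding]] = {}
        self._deny_on_unbound = deny_on_unbound

    def bind(self, position: str, b: Binding) -> None:
        self._bindings.setdefault(position, set()).add(Binding(b.mac.lower(), b.ip, b.vlan))

    def unbind(self, position: str, b: Binding) -> None:
        bound = self._bindings.get(position)
        if bound is not None:
            bound.discard(Binding(b.mac.lower(), b.ip, b.vlan))
            if not bound:
                del self._bindings[position]   # last entry gone: the position is unbound again

    def allows(self, pkt: Packet) -> bool:
        bound = self._bindings.get(pkt.ingress)
        if bound is None:
            return not self._deny_on_unbound
        # MAC, IP and VLAN must all match an entry bound to this very position:
        # a correct IP/MAC pair arriving on another port is dropped.
        return Binding(pkt.src_mac.lower(), pkt.src_ip, pkt.vlan) in bound


def run_example() -> Dict[str, bool]:
    sw = SourceGuard()
    sw.bind("GE1/0/1", Binding("00:11:22:33:44:01", "10.1.1.11", 10))
    sw.bind("GE1/0/2", Binding("00:11:22:33:44:05", "10.1.1.98", 10))
    ap = SourceGuard()
    ap.bind("corp-wifi", Binding("00:11:22:33:44:AA", "10.1.1.50", 20))
    ap.bind("guest-wifi", Binding("00:11:22:33:44:BB", "10.1.2.7", 30))
    strict = SourceGuard(deny_on_unbound=True)
    results = {
        "legit_wired":        sw.allows(Packet("GE1/0/1", "00:11:22:33:44:01", "10.1.1.11", 10)),
        "spoofed_ip":         sw.allows(Packet("GE1/0/1", "00:11:22:33:44:01", "10.1.1.12", 10)),
        "spoofed_mac":        sw.allows(Packet("GE1/0/1", "00:11:22:33:44:99", "10.1.1.11", 10)),
        "wrong_vlan":         sw.allows(Packet("GE1/0/1", "00:11:22:33:44:01", "10.1.1.11", 20)),
        "moved_port":         sw.allows(Packet("GE1/0/2", "00:11:22:33:44:01", "10.1.1.11", 10)),
        "unbound_port":       sw.allows(Packet("GE1/0/4", "00:11:22:33:44:01", "10.1.1.11", 10)),
        "unbound_port_strict": strict.allows(Packet("GE1/0/4", "00:11:22:33:44:01", "10.1.1.11", 10)),
        "legit_wireless":     ap.allows(Packet("corp-wifi", "00:11:22:33:44:aa", "10.1.1.50", 20)),
        "wrong_ssid":         ap.allows(Packet("guest-wifi", "00:11:22:33:44:aa", "10.1.1.50", 20)),
    }
    sw.unbind("GE1/0/1", Binding("00:11:22:33:44:01", "10.1.1.11", 10))
    results["after_unbind"] = sw.allows(Packet("GE1/0/1", "00:11:22:33:44:01", "10.1.1.11", 10))
    return results


if __name__ == "__main__":
    for name, allowed in run_example().items():
        print(f"{name:20s} {'forward' if allowed else 'drop'}")
```

Two caveats a practitioner would want. First, the `unbound_port` and `after_unbind` cases show the weak spot of binding only selected terminals (S203 binds the entries the user chose): an access port with nothing bound passes everything under the permissive default, so the guard should run in deny mode on every access port, leaving the permissive behaviour for uplinks only. Second, this model checks every packet; IP Source Guard implementations typically exempt DHCP client traffic so that a new terminal can still obtain a lease, which is also what lets the DHCP Snooping entries this page relies on come into existence.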
In one embodiment, after generating the security entries, the SDN controller may display the generated security entry list, either on the controller itself or on a terminal device that can communicate with it, so that the user selects the terminals to be bound from the list; the SDN controller then statically binds the security entry of each selected terminal to the switch or AP that the terminal accesses.
In the embodiment of the present application, after computing the network topology, the SDN controller may instruct each switch that can connect wired terminals to enable DHCP Snooping and ARP Snooping, and instruct the APs to enable WLAN Snooping. Taking the network topology of one branch network as an example, as shown in Fig. 3, one interface of the router connects to one interface of switch 1, and one interface of switch 1 connects to an AP; two interfaces of the router connect to two interfaces of switch 2 through Layer 2 link aggregation, one interface of switch 2 connects to one interface of switch 3, and each remaining interface of switch 3 connects to an AP. All interfaces referred to in Fig. 3 are Layer 2 Ethernet interfaces.
Switch 1 has two idle interfaces, so it is a switch that can connect wired terminals, and DHCP Snooping and ARP Snooping are enabled on switch 1.
Switch 2 has one idle interface, so it is also a switch that can connect wired terminals, and DHCP Snooping and ARP Snooping are enabled on switch 2.
Switch 3 has no idle interface, so DHCP Snooping and ARP Snooping are not enabled on switch 3.
Each AP in Fig. 3 can provide wireless access to terminals, so WLAN Snooping is enabled on all APs in Fig. 3.
In the embodiment of the present application, the SDN controller, or a terminal device able to communicate with it, has a page for switching on a "dynamic binding switch", through which the user can select the branch networks that are to be security-controlled by the method of this embodiment. The following takes a display page on the SDN controller as the example; the display functions attributed to the SDN controller below may equally be implemented by a terminal device in communication with it.
After the terminals in each branch network come online, the SDN controller may display a function button for synchronizing terminal information; when it is triggered, the SDN controller collects the DHCP Snooping and ARP Snooping entries of each switch and the WLAN Snooping entries of each wireless access point (AP) in the controlled network topology.
In another embodiment, the SDN controller may instead collect the DHCP Snooping and ARP Snooping entries of each switch and the WLAN Snooping entries of each AP in the topology in real time.
After collecting the DHCP Snooping and ARP Snooping entries of each switch and the WLAN Snooping entries of each AP in the controlled topology, the SDN controller may, according to the source of each collected entry, add a site ID and switch ID to each DHCP Snooping and ARP Snooping entry, and a site ID and SSID to each WLAN Snooping entry.
In one embodiment, if the network topology computed by the SDN controller contains no wireless AP, the SDN controller collects only the DHCP Snooping and ARP Snooping entries of each switch in the controlled topology and generates security entries from them; it then receives the information of the terminals to be bound and statically binds the security entry of each to the switch that it accesses, so that the switch filters packets against the statically bound security entries.
In an embodiment of the present application, as shown in fig. 4, step S202, generating the security entries according to the collected DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries, may be implemented as follows:
S2021: according to the network topology, delete the DHCP Snooping entries and ARP Snooping entries whose access interface is a neighbor switch interface, and delete the DHCP Snooping entries and ARP Snooping entries whose access interface is an AP interface.
For example, if the access interface of a DHCP Snooping entry collected from switch 2 is the interface connected to switch 3, switch 3 will also have collected this DHCP Snooping entry. To avoid both switch 2 and switch 3 controlling the terminal corresponding to the entry, the DHCP Snooping entry collected from switch 2 may be deleted, which avoids unnecessary processing overhead.
S2022: correct the entries with the same MAC address among the remaining DHCP Snooping entries and ARP Snooping entries.
This step may be implemented as follows: search the remaining DHCP Snooping entries and ARP Snooping entries for entries with the same MAC address, and delete, from the ARP Snooping entries, those whose MAC address also appears in a DHCP Snooping entry.
In an embodiment, for the MAC address contained in each ARP Snooping entry, it may be checked whether a DHCP Snooping entry with the same MAC address exists;
if a DHCP Snooping entry with that MAC address is found, and the IP address, VLAN identifier and access location information contained in the ARP Snooping entry and the DHCP Snooping entry are all consistent, it is determined that the actual source of the entry corresponding to the MAC address is DHCP, and only the DHCP Snooping entry may be kept; alternatively, a security entry may be generated directly from the ARP Snooping entry and the DHCP Snooping entry, with its source information recorded as DHCP.
If a DHCP Snooping entry with that MAC address is found, and the IP address, VLAN identifier and access location information contained in the ARP Snooping entry and the DHCP Snooping entry are consistent, the DHCP Snooping entry may be taken as the reference and the ARP Snooping entry deleted; alternatively, a security entry may be generated directly from the DHCP Snooping entry.
S2023: generate the security entries, taking the MAC address of the terminal in each WLAN Snooping entry, corrected DHCP Snooping entry and ARP Snooping entry as the unique terminal identifier.
A security entry contains the MAC address, IP address, VLAN identifier, access location, source information and binding flag of a terminal, where the binding flag indicates whether the security entry has been bound to an interface of a network device.
It can be understood that, if only one of the DHCP Snooping entry and ARP Snooping entry sharing a MAC address is kept in S2022, then in this step one security entry may be generated for each entry among the WLAN Snooping entries, the corrected DHCP Snooping entries and the ARP Snooping entries.
As an example, the generated security entries are shown in Table 1.
TABLE 1
| MAC address | IP address | VLAN identifier | Access location             | Source information | Binding flag |
|-------------|------------|-----------------|-----------------------------|--------------------|--------------|
| MAC1        | IP1        | Vlan2           | Site 1/Switch 1/Interface 1 | DHCP               | No           |
| MAC2        | IP2        | Vlan2           | Site 1/Switch 1/Interface 2 | ARP                | No           |
| MAC3        | IP3        | Vlan3           | Site 2/AP1/SSID1            | DHCP               | No           |
| MACN        | IPN        | Vlan3           | Site 2/Switch 3/Interface 1 | ARP                | No           |
With this method, before the security entries are generated, the entries whose access interface is a neighbor switch interface and those whose access interface is an AP interface are deleted, which avoids double control of the same MAC address. Correcting the remaining DHCP Snooping entries and ARP Snooping entries improves the accuracy of the entries and avoids generating security entries with duplicate MAC addresses.
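The following Python is an added example written for this page; it is not code from the patent or from the assignee. It covers two passages together: the fig. 3 rule for deciding which devices enable which snooping (a switch with at least one idle interface gets DHCP and ARP Snooping, every AP gets WLAN Snooping), and steps S2021 to S2023 above. The topology model, the entry field names (mac, ip, vlan, site, device, port, ap, ssid) and all sample entries are constructed assumptions of the example. Where the page leaves the behaviour open (an ARP entry whose MAC matches a DHCP entry but whose other fields differ), the example keeps the DHCP entry and reports the mismatch for review rather than inventing a rule.

```python
"""Added example (not the patent's code): snooping plan from a topology and
security entry generation per S2021-S2023. Data model is constructed:
  devices: {id: {"type": "router"|"switch"|"ap", "ports": [...]}}
  links:   [((device, port), (device, port)), ...]   Layer 2 links
  DHCP/ARP entries: {"mac","ip","vlan","site","device","port"}
  WLAN entries:     {"mac","ip","vlan","site","ap","ssid"}
"""

# Constructed topology mirroring fig. 3: router-switch1-ap1, router=(LAG)=switch2-switch3-ap2/ap3.
DEVICES = {
    "router":  {"type": "router", "ports": ["g1", "g2", "g3"]},
    "switch1": {"type": "switch", "ports": ["g1", "g2", "g3", "g4"]},   # two idle ports
    "switch2": {"type": "switch", "ports": ["g1", "g2", "g3", "g4"]},   # one idle port
    "switch3": {"type": "switch", "ports": ["g1", "g2", "g3"]},         # no idle port
    "ap1": {"type": "ap", "ports": ["eth0"]},
    "ap2": {"type": "ap", "ports": ["eth0"]},
    "ap3": {"type": "ap", "ports": ["eth0"]},
}
LINKS = [
    (("router", "g1"), ("switch1", "g1")), (("switch1", "g2"), ("ap1", "eth0")),
    (("router", "g2"), ("switch2", "g1")), (("router", "g3"), ("switch2", "g2")),
    (("switch2", "g3"), ("switch3", "g1")),
    (("switch3", "g2"), ("ap2", "eth0")), (("switch3", "g3"), ("ap3", "eth0")),
]


def port_peers(links):
    """Map every cabled (device, port) to the device at the other end."""
    peers = {}
    for a, b in links:
        peers[a], peers[b] = b[0], a[0]
    return peers


def snooping_plan(devices, links):
    """Switches with an idle interface can receive a wired terminal, so they get DHCP
    and ARP Snooping; every AP gets WLAN Snooping; other devices get nothing."""
    peers = port_peers(links)
    plan = {}
    for dev, info in devices.items():
        if info["type"] == "ap":
            plan[dev] = {"wlan_snooping"}
        elif info["type"] == "switch":
            idle = [p for p in info["ports"] if (dev, p) not in peers]
            plan[dev] = {"dhcp_snooping", "arp_snooping"} if idle else set()
        else:
            plan[dev] = set()
    return plan


def non_terminal_ports(devices, links):
    """Switch ports facing a neighbor switch or an AP. An entry learned on such a
    port belongs to the downstream device, so S2021 discards it here."""
    return {(dev, port) for (dev, port), peer in port_peers(links).items()
            if devices[dev]["type"] == "switch" and devices[peer]["type"] in ("switch", "ap")}


def generate_security_entries(devices, links, dhcp, arp, wlan):
    """Return ({mac: security_entry}, mismatched_macs). Source information follows
    Table 1: DHCP for DHCP and WLAN entries, ARP for the surviving ARP entries."""
    drop = non_terminal_ports(devices, links)
    # S2021: keep only entries learned on terminal-facing switch ports.
    dhcp = [e for e in dhcp if (e["device"], e["port"]) not in drop]
    arp = [e for e in arp if (e["device"], e["port"]) not in drop]
    # S2022: a MAC present in both tables is a DHCP terminal; its ARP entry is redundant.
    # Assumption: when the other fields disagree, still keep DHCP but report the MAC.
    dhcp_by_mac = {e["mac"]: e for e in dhcp}
    fields = ("ip", "vlan", "site", "device", "port")
    mismatches, kept_arp = [], []
    for e in arp:
        d = dhcp_by_mac.get(e["mac"])
        if d is None:
            kept_arp.append(e)
        elif any(d[k] != e[k] for k in fields):
            mismatches.append(e["mac"])
    # S2023: the MAC address is the unique terminal identifier of each security entry.
    entries = {}
    for source, items in (("DHCP", dhcp), ("ARP", kept_arp)):
        for e in items:
            entries[e["mac"]] = {"mac": e["mac"], "ip": e["ip"], "vlan": e["vlan"],
                                 "location": f"{e['site']}/{e['device']}/{e['port']}",
                                 "source": source, "bound": False}
    for e in wlan:
        entries[e["mac"]] = {"mac": e["mac"], "ip": e["ip"], "vlan": e["vlan"],
                             "location": f"{e['site']}/{e['ap']}/{e['ssid']}",
                             "source": "DHCP", "bound": False}
    return entries, mismatches


# Constructed snooping tables as the controller might collect them from fig. 3.
DHCP_ENTRIES = [
    {"mac": "00:11:22:33:44:aa", "ip": "10.0.2.11", "vlan": 2, "site": "site1", "device": "switch1", "port": "g3"},
    {"mac": "00:11:22:33:44:cc", "ip": "10.0.2.30", "vlan": 2, "site": "site1", "device": "switch2", "port": "g3"},  # on uplink to switch3
    {"mac": "00:11:22:33:44:dd", "ip": "10.0.2.40", "vlan": 2, "site": "site1", "device": "switch2", "port": "g4"},
]
ARP_ENTRIES = [
    {"mac": "00:11:22:33:44:aa", "ip": "10.0.2.11", "vlan": 2, "site": "site1", "device": "switch1", "port": "g3"},  # duplicate of DHCP
    {"mac": "00:11:22:33:44:bb", "ip": "10.0.2.12", "vlan": 2, "site": "site1", "device": "switch1", "port": "g4"},  # static-IP terminal
    {"mac": "00:11:22:33:44:dd", "ip": "10.0.2.41", "vlan": 2, "site": "site1", "device": "switch2", "port": "g4"},  # IP differs from DHCP
]
WLAN_ENTRIES = [
    {"mac": "00:11:22:33:44:ee", "ip": "10.0.3.20", "vlan": 3, "site": "site1", "ap": "ap1", "ssid": "office"},
]

if __name__ == "__main__":
    print(snooping_plan(DEVICES, LINKS))
    result, bad = generate_security_entries(DEVICES, LINKS, DHCP_ENTRIES, ARP_ENTRIES, WLAN_ENTRIES)
    for entry in result.values():
        print(entry)
    print("ARP/DHCP mismatches:", bad)
```

On the constructed input the entry learned on switch 2's uplink is dropped, the ARP duplicate of a DHCP terminal disappears, the static-IP terminal survives with source ARP, and the terminal whose ARP and DHCP entries disagree is kept as DHCP but flagged, which is the case an operator would want surfaced before anything is bound to a port.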
Some switch interfaces or APs may already have been configured with static binding entries before the SDN controller generates the security entries. In order to control these switch interfaces and APs uniformly, in this embodiment of the application, before step S201 of collecting the DHCP Snooping entries and ARP Snooping entries of each switch and the WLAN Snooping entries of each AP in the controlled network topology, the method further includes:
querying whether the switch interfaces and APs in the network topology are configured with static binding entries.
A static binding entry is an entry that has already been bound and is used for forwarding control of packets.
If an AP in the network topology is configured with a static binding entry, the static binding entry of the AP is added to the security entry list, its source information is set to null, and its binding flag is set to bound.
An AP being configured with a static binding entry means that a wireless service under a radio interface of the AP has been configured with a static binding entry.
If a switch interface in the network topology is configured with a static binding entry, the following processing is carried out:
judging whether the switch interface is connected to another switch;
if the switch interface is connected to another switch, sending a first alarm message to remind the user to choose whether to retain the static binding entry of the switch interface.
A switch interface configured with a static binding entry indicates that a terminal using a static IP address accesses that interface; if the interface is at the same time connected to another switch, there may be a configuration error, so the first alarm message is sent. For example, the first alarm message may be "A static binding entry exists on switch interface 1; retain it?", and two buttons, Yes and No, may be presented on the display page for the user to choose.
If it is identified that the user chooses to retain the static binding entry of the switch interface, the static binding entry of the switch interface is added to the security entry list, its source information is set to null, and its binding flag is set to bound; if it is identified that the user chooses not to retain it, the static binding entry of the switch interface is deleted.
If the switch interface is not connected to another switch, the static binding entry of the switch interface is added to the security entry list, its source information is set to null, and its binding flag is set to bound.
Because static binding entries may already exist in the security entry list, in order to avoid duplication between the static binding entries and the security entries generated in S202, the SDN controller needs to check each security entry by MAC address. Accordingly, as shown in fig. 5, after S202 generates the security entries according to the collected DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries, the method further includes:
S501: for the MAC address of each generated security entry, judge whether a target static binding entry corresponding to that MAC address exists in the security entry list.
If not, execute S502; if yes, execute S503.
S502: add the security entry to the security entry list.
S503: if the source information of the target static binding entry is null, update it to the source information of the security entry.
S504: judge whether the IP address, VLAN identifier and access location of the target static binding entry are consistent with those of the security entry.
If yes, execute S505; if not, that is, if any item is inconsistent, execute S506.
S505: retain the target static binding entry.
If the IP address, VLAN identifier and access location of the target static binding entry are consistent with those of the security entry, the security entry need not be added to the security entry list again.
S506: send a second alarm message prompting the user to choose whether to retain the target static binding entry or the security entry.
For example, the second alarm message may be "The terminal information accessed on interface XX does not match the bound terminal information; please check."
S507: if the user chooses to retain the target static binding entry, retain it.
S508: if the user chooses to retain the security entry, delete the target static binding entry and add the security entry to the security entry list.
With this method, if switch interfaces and APs are configured with static binding entries, the SDN controller adds the static binding entries to the security entry list, so that it can manage the switches and APs uniformly; and by looking up the MAC address of each security entry it generates against the static binding entries, it prevents duplicate security entries from being added to the list. Comparing a static binding entry with the security entry having the same MAC address can reveal configuration errors, so that the user can check in time based on the alarm message, which further ensures terminal access security.
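The following Python is an added example for this page, not code from the patent or the assignee. It covers both the pre-S201 handling of existing static binding entries (first alarm message) and the S501 to S508 reconciliation (second alarm message). The entry field names, the `ask(message) -> bool` callback standing in for the display page (True means "retain the static binding entry"), the sample bindings and the generated entries are all constructed assumptions of the example.

```python
"""Added example (not the patent's code): take over pre-existing static binding
entries, then reconcile generated security entries with them (S501-S508).
Entries are dicts with keys mac, ip, vlan, location, source, bound (constructed model).
"""


def entry(mac, ip, vlan, location, source=None, bound=False):
    return {"mac": mac, "ip": ip, "vlan": vlan, "location": location,
            "source": source, "bound": bound}


def collect_static_bindings(static_bindings, switch_facing_ports, ask):
    """Steps before S201. static_bindings: (kind, device, port, entry) with kind
    "ap" or "switch"; switch_facing_ports: set of (device, port) cabled to another
    switch. Returns (security_entry_list, alarms)."""
    security_list, alarms = [], []
    for kind, device, port, e in static_bindings:
        e = dict(e, source=None, bound=True)   # static binding: source null, flag bound
        if kind == "switch" and (device, port) in switch_facing_ports:
            # First alarm message: a static binding on an inter-switch link may be a misconfiguration.
            msg = f"A static binding entry exists on {device}/{port}, which is connected to another switch; retain it?"
            alarms.append(msg)
            if not ask(msg):
                continue                       # user chose not to retain it: the entry is dropped
        security_list.append(e)
    return security_list, alarms


def reconcile(security_list, generated, ask):
    """S501-S508: fold generated entries into a list that may hold static bindings.
    Mutates and returns security_list, together with the alarms raised."""
    static_by_mac = {e["mac"]: e for e in security_list if e["bound"]}
    alarms = []
    for g in generated:
        target = static_by_mac.get(g["mac"])            # S501
        if target is None:
            security_list.append(g)                     # S502
            continue
        if target["source"] is None:
            target["source"] = g["source"]              # S503
        if all(target[k] == g[k] for k in ("ip", "vlan", "location")):
            continue                                    # S504 consistent -> S505, nothing to add
        # S506: second alarm message; the user decides which entry survives.
        msg = (f"The terminal information accessed on {g['location']} does not match "
               f"the bound terminal information; please check.")
        alarms.append(msg)
        if ask(msg):
            continue                                    # S507: keep the static binding entry
        security_list.remove(target)                    # S508: replace it with the generated entry
        del static_by_mac[g["mac"]]
        security_list.append(g)
    return security_list, alarms


# Constructed sample: three pre-existing static bindings and three generated entries.
STATIC = [
    ("ap", "ap1", "office", entry("00:11:22:33:44:ee", "10.0.3.20", 3, "site1/ap1/office")),
    ("switch", "switch1", "g4", entry("00:11:22:33:44:bb", "10.0.2.12", 2, "site1/switch1/g4")),
    ("switch", "switch2", "g3", entry("00:11:22:33:44:ff", "10.0.2.99", 2, "site1/switch2/g3")),  # on link to switch3
]
SWITCH_FACING = {("switch2", "g3")}
GENERATED = [
    entry("00:11:22:33:44:aa", "10.0.2.11", 2, "site1/switch1/g3", source="DHCP"),
    entry("00:11:22:33:44:bb", "10.0.2.12", 2, "site1/switch1/g4", source="ARP"),
    entry("00:11:22:33:44:ee", "10.0.3.21", 3, "site1/ap1/office", source="DHCP"),  # IP differs from static binding
]


def run_demo(ask=lambda msg: False):
    """Run both stages under one answer policy. The default answers No to every alarm:
    the suspicious static binding is dropped and the mismatching one is replaced."""
    security_list, alarms1 = collect_static_bindings(STATIC, SWITCH_FACING, ask)
    security_list, alarms2 = reconcile(security_list, GENERATED, ask)
    return security_list, alarms1 + alarms2


if __name__ == "__main__":
    final, alarms = run_demo()
    for e in final:
        print(e)
    print(alarms)
```

Running the demo with the other policy (`run_demo(ask=lambda msg: True)`) keeps every static binding; note that S503 has already filled in the source information of the retained static entry by the time the user answers, exactly as the step order above implies.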
In another embodiment of the present application, after receiving the information of the terminals to be bound and statically binding the security entry of each terminal to be bound to the switch or AP that the terminal accesses, the SDN controller synchronizes, for those security entries of the terminals to be bound whose source information is DHCP, the correspondence between MAC address and IP address to the DHCP server, so that the DHCP server allocates IP addresses to the terminals according to this correspondence.
In this way, when the same terminal comes online again, the DHCP server allocates it the same IP address, so the IP address corresponding to the terminal in its security entry does not change and maintenance of the security entries becomes simpler.
In another embodiment of the present application, the SDN controller may further receive information of a terminal to be unbound, and delete the security entry of the terminal to be unbound from the switch or AP corresponding to that terminal.
Optionally, the SDN controller may display the generated security entry list so that the user can select the terminal to be unbound from it; in response to the user's selection, the SDN controller deletes the security entry of the terminal to be unbound from the corresponding switch or AP.
The SDN controller may also provide a function page for binding terminals. The page is hidden by default and becomes visible to the user only after the dynamic binding terminal switch is turned on.
The page displays the security entry list and may provide "Start binding" and "Unbind" buttons so that the user can select terminals to be bound and terminals to be unbound from the list.
The page may display the complete security entry list, or, as needed, only the security entries of unbound terminals or only those of bound terminals, or it may filter the security entries by branch network.
In this embodiment of the present application, if a new terminal accesses the network, the user may select synchronizing terminal information again, so that the SDN controller generates a security entry for the new terminal according to the method provided in the above embodiment.
If a terminal leaves the network, its access location changes, or its IP address acquisition mode changes, the user may choose to unbind the terminal, so that the SDN controller automatically deletes the security entry corresponding to the terminal from the switch interface or AP that the terminal accessed.
Based on the same technical concept, an embodiment of the present application further provides an apparatus for configuring security entries, applied to an SDN controller. As shown in fig. 6, the apparatus includes:
a collecting module 601, configured to collect the Dynamic Host Configuration Protocol (DHCP) Snooping entries and Address Resolution Protocol (ARP) Snooping entries of each switch, and the Wireless Local Area Network (WLAN) Snooping entries of each wireless access point (AP), in a controlled network topology;
a generating module 602, configured to generate security entries according to the collected DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries;
a receiving module 603, configured to receive information of the terminals to be bound;
a binding module 604, configured to statically bind the security entry of each terminal to be bound to the switch or AP that the terminal to be bound accesses, so that the switches and APs in the network topology perform packet filtering based on the statically bound security entries.
Optionally, the generating module 602 is specifically configured to:
according to the network topology, delete, from the collected DHCP Snooping entries and ARP Snooping entries, those whose access interface is a neighbor switch interface and those whose access interface is an AP interface;
correct the entries with the same MAC address among the remaining DHCP Snooping entries and ARP Snooping entries;
generate the security entries, taking the MAC address of the terminal in each WLAN Snooping entry, corrected DHCP Snooping entry and ARP Snooping entry as the unique terminal identifier, where a security entry includes the MAC address, IP address, VLAN identifier, access location, source information and binding flag, and the binding flag indicates whether the security entry has been bound to an interface of a network device.
Optionally, the generating module 602 is specifically configured to:
search the remaining DHCP Snooping entries and ARP Snooping entries for entries with the same MAC address;
delete, from the ARP Snooping entries, those whose MAC address also appears in a DHCP Snooping entry.
Optionally, the apparatus further comprises:
a query module, configured to query whether the switch interfaces and APs in the network topology are configured with static binding entries;
an adding module, configured to, if an AP in the network topology is configured with a static binding entry, add the static binding entry of the AP to the security entry list, set its source information to null and set its binding flag to bound;
a judging module, configured to, if a switch interface in the network topology is configured with a static binding entry, judge whether the switch interface is connected to another switch;
an alarm module, configured to, if the switch interface is connected to another switch, send a first alarm message reminding the user to choose whether to retain the static binding entry of the switch interface;
the adding module is further configured to, if it is identified that the user chooses to retain the static binding entry of the switch interface, add the static binding entry of the switch interface to the security entry list, set its source information to null and set its binding flag to bound; and, if it is identified that the user chooses not to retain it, delete the static binding entry of the switch interface;
the adding module is further configured to, if the switch interface is not connected to another switch, add the static binding entry of the switch interface to the security entry list, set its source information to null and set its binding flag to bound.
Optionally, the judging module is further configured to judge, for the MAC address of each generated security entry, whether a target static binding entry corresponding to that MAC address exists in the security entry list;
the adding module is configured to add the security entry to the security entry list if the judging module determines that no target static binding entry corresponding to the MAC address of the security entry exists in the list;
an updating module is configured to update the source information of the target static binding entry to the source information of the security entry if the judging module determines that such a target static binding entry exists and its source information is null;
the judging module is further configured to judge whether the IP address, VLAN identifier and access location of the target static binding entry are consistent with those of the security entry;
a retaining module is configured to retain the target static binding entry if the judging module finds them consistent;
the alarm module is further configured to send a second alarm message prompting the user to choose whether to retain the target static binding entry or the security entry if the judging module finds any item inconsistent;
the retaining module is further configured to retain the target static binding entry if the user chooses to retain it;
the adding module is further configured to delete the target static binding entry and add the security entry to the security entry list if the user chooses to retain the security entry.
Optionally, the apparatus further comprises:
a synchronization module, configured to synchronize, for those security entries of the terminals to be bound whose source information is DHCP, the correspondence between MAC address and IP address to the DHCP server, so that the DHCP server allocates IP addresses to the terminals according to this correspondence.
Optionally, the apparatus further comprises: a deletion module;
the receiving module 603 is further configured to receive information of the terminal to be unbound;
the deleting module is configured to delete the security entry of the terminal to be unbound from the switch or AP corresponding to that terminal.
With this technical solution, the SDN controller obtains the information of terminals using dynamic IP addresses in the network topology by collecting DHCP Snooping entries and WLAN Snooping entries, and the information of terminals using static IP addresses by collecting ARP Snooping entries. After generating the security entry list from the collected information, the SDN controller receives the information of the terminals to be bound and statically binds their security entries to the switches or APs they access, so that packet filtering can be performed. Therefore, with this method the static IP addresses and MAC addresses of terminals need not be collected manually; the SDN controller collects the information of terminals using static IP addresses and of terminals using dynamic IP addresses comprehensively, the security entries of the terminals can be bound in batches, the configuration workload is reduced while terminal security is ensured, and configuration efficiency is improved.
An embodiment of the present application further provides an SDN controller. As shown in fig. 7, it includes a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with each other through the communication bus 704;
the memory 703 is configured to store a computer program;
the processor 701 is configured to implement the method steps of the above method embodiments when executing the program stored in the memory 703.
The communication bus mentioned in the SDN controller may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the SDN controller and other devices.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; or it may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored; when executed by a processor, the computer program implements the steps of any one of the above security entry configuration methods.
In another embodiment, a computer program product is provided, which includes instructions that, when executed on a computer, cause the computer to perform the security entry configuration method of any of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the device, SDN controller and media embodiments, since they are substantially similar to the method embodiments, the description is simple, and it is sufficient to refer to the partial description of the method embodiments for relevant points.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (16)

1. A method for configuring security table entries, the method being applied to a Software Defined Network (SDN) controller, the method comprising:
collecting a Dynamic Host Configuration Protocol (DHCP) Snooping table entry, an Address Resolution Protocol (ARP) Snooping table entry and a Wireless Local Area Network (WLAN) Snooping table entry of each wireless Access Point (AP) of each switch in a controlled network topology;
generating a safety table entry according to the collected DHCP Snooping table entry, ARP Snooping table entry and WLAN Snooping table entry;
and receiving information of the terminals to be bound, and statically binding the security table entry of each terminal to be bound to the switch or the AP accessed by the terminal to be bound, so that the switch and the AP in the network topology perform packet filtering based on the statically bound security table entry.
2. The method of claim 1, wherein generating the security entry according to the collected DHCP Snooping entry, ARP Snooping entry, and WLAN Snooping entry comprises:
according to the network topology, deleting DHCP Snooping table items and ARP Snooping table items which take a neighbor switch interface as an access interface from the collected DHCP Snooping table items and ARP Snooping table items, and deleting DHCP Snooping table items and ARP Snooping table items which take an AP interface as an access interface;
modifying the entries with the same MAC address in the rest DHCP Snooping entries and ARP Snooping entries;
and generating a security entry by taking the MAC address of the terminal in the WLAN Snooping entry, the modified DHCP Snooping entry and the ARP Snooping entry as a terminal unique identifier, wherein the security entry comprises the MAC address, the IP address, the VLAN identifier, the access position, the source information and a binding mark, and the binding mark is used for indicating whether the security entry is bound with an interface of the network equipment.
3. The method of claim 2, wherein the modifying the entries with the same MAC address in the remaining DHCP Snooping entries and ARP Snooping entries comprises:
searching the entries with the same MAC address in the rest DHCP Snooping entries and ARP Snooping entries;
and deleting, from the ARP Snooping table entries, the ARP Snooping table entries whose MAC addresses are the same as those of DHCP Snooping table entries.
4. The method of claim 2 or 3, wherein before the collecting DHCP Snooping entries and ARP Snooping entries for each switch and WLAN Snooping entries for each AP in the controlled network topology, the method further comprises:
inquiring whether a switch interface and an AP in the network topology are configured with a static binding table item;
if the AP in the network topology is configured with the static binding table entry, adding the static binding table entry of the AP to the safety table entry list, setting the source information to be null, and setting the binding mark to be bound;
if the switch interface in the network topology is configured with a static binding table item, judging whether the switch interface is connected with other switches;
if the switch interface is connected with other switches, sending a first warning message to remind a user of selecting whether to reserve a static binding table item of the switch interface;
if the static binding table item of the switch interface is identified to be selected and reserved by the user, the static binding table item of the switch interface is added to the safety table item list, source information is set to be null, and a binding mark is set to be bound; if the static binding table entry of the switch interface is identified to be not reserved by the user selection, deleting the static binding table entry of the switch interface;
and if the switch interface is not connected with other switches, adding the static binding table entry of the switch interface to the safety table entry list, setting the source information to be null, and setting the binding mark to be bound.
5. The method of claim 4, wherein after generating the security entries according to the collected DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries, the method further comprises:
for the MAC address of each generated security entry, judging whether a target static binding entry corresponding to the MAC address of the security entry exists in the security entry list;
if no such target static binding entry exists, adding the security entry to the security entry list;
if the target static binding entry exists and its source information is null, updating the source information of the target static binding entry to the source information of the security entry;
judging whether the IP address, VLAN identifier and access position of the target static binding entry are consistent with those of the security entry;
if all of them are consistent, retaining the target static binding entry;
if any of them is inconsistent, sending a second alarm message to prompt the user to choose between retaining the target static binding entry and retaining the security entry;
if the user chooses to retain the target static binding entry, retaining the target static binding entry; if the user chooses to retain the security entry, deleting the target static binding entry and adding the security entry to the security entry list.
6. The method according to claim 1, wherein after receiving the information of the terminals to be bound and statically binding the security entry of each terminal to be bound to the switch or AP that the terminal to be bound accesses, the method further comprises:
for each security entry of a terminal to be bound whose source information is DHCP, synchronizing the correspondence between the MAC address and the IP address in that security entry to a DHCP server, so that the DHCP server allocates the IP address to the terminal according to the correspondence.
7. The method of claim 1, further comprising:
receiving the information of a terminal to be unbound, and deleting the security entry of the terminal to be unbound from the switch or AP corresponding to that terminal.
8. An apparatus for configuring security entries, the apparatus being applied to a Software Defined Network (SDN) controller, the apparatus comprising:
an acquisition module, configured to collect the Dynamic Host Configuration Protocol (DHCP) Snooping entries and Address Resolution Protocol (ARP) Snooping entries of each switch and the Wireless Local Area Network (WLAN) Snooping entries of each wireless Access Point (AP) in the controlled network topology;
a generating module, configured to generate security entries according to the collected DHCP Snooping entries, ARP Snooping entries and WLAN Snooping entries;
a receiving module, configured to receive the information of the terminals to be bound;
and a binding module, configured to statically bind the security entry of each terminal to be bound to the switch or AP that the terminal to be bound accesses, so that the switches and APs in the network topology perform packet filtering based on the statically bound security entries.
9. The apparatus of claim 8, wherein the generating module is specifically configured to:
according to the network topology, delete from the collected DHCP Snooping entries and ARP Snooping entries those DHCP Snooping entries and ARP Snooping entries whose access interface is a neighbor switch interface, and delete those DHCP Snooping entries and ARP Snooping entries whose access interface is an AP interface;
modify the entries having the same MAC address among the remaining DHCP Snooping entries and ARP Snooping entries;
and generate the security entries by taking the MAC address of the terminal in the WLAN Snooping entries and in the modified DHCP Snooping entries and ARP Snooping entries as the unique identifier of the terminal, wherein each security entry comprises the MAC address, the IP address, the VLAN identifier, the access position, the source information and a binding flag, the binding flag indicating whether the security entry is bound to an interface of a network device.
10. The apparatus of claim 9, wherein the generating module is specifically configured to:
search for entries having the same MAC address among the remaining DHCP Snooping entries and ARP Snooping entries;
and delete, among the DHCP Snooping entries and ARP Snooping entries having the same MAC address, the ARP Snooping entries.
11. The apparatus of claim 9 or 10, further comprising:
a query module, configured to query whether the switch interfaces and the APs in the network topology are configured with static binding entries;
an adding module, configured to add, if an AP in the network topology is configured with a static binding entry, the static binding entry of the AP to the security entry list, set its source information to null, and set its binding flag to bound;
a judging module, configured to judge, if a switch interface in the network topology is configured with a static binding entry, whether the switch interface is connected to another switch;
an alarm module, configured to send a first alarm message to prompt the user to choose whether to retain the static binding entry of the switch interface if the switch interface is connected to another switch;
the adding module being further configured to add the static binding entry of the switch interface to the security entry list, set its source information to null, and set its binding flag to bound if it is identified that the user chooses to retain the static binding entry of the switch interface, and to delete the static binding entry of the switch interface if it is identified that the user chooses not to retain it;
the adding module being further configured to add the static binding entry of the switch interface to the security entry list, set its source information to null, and set its binding flag to bound if the switch interface is not connected to another switch.
12. The apparatus of claim 11, wherein:
the judging module is further configured to judge, for the MAC address of each generated security entry, whether a target static binding entry corresponding to the MAC address of the security entry exists in the security entry list;
the adding module is configured to add the security entry to the security entry list if the judging module determines that no target static binding entry corresponding to the MAC address of the security entry exists in the security entry list;
an updating module is configured to update the source information of the target static binding entry to the source information of the security entry if the judging module determines that the target static binding entry corresponding to the MAC address of the security entry exists in the security entry list and its source information is null;
the judging module is further configured to judge whether the IP address, VLAN identifier and access position of the target static binding entry are consistent with those of the security entry;
a retaining module is configured to retain the target static binding entry if the judging module determines that all of them are consistent;
the alarm module is further configured to send a second alarm message to prompt the user to choose between retaining the target static binding entry and retaining the security entry if the judging module determines that any of them is inconsistent;
the retaining module is further configured to retain the target static binding entry if the user chooses to retain the target static binding entry;
and the adding module is further configured to delete the target static binding entry and add the security entry to the security entry list if the user chooses to retain the security entry.
13. The apparatus of claim 8, further comprising:
a synchronization module, configured to synchronize, for each security entry of a terminal to be bound whose source information is DHCP, the correspondence between the MAC address and the IP address in that security entry to a DHCP server, so that the DHCP server allocates the IP address to the terminal according to the correspondence.
14. The apparatus of claim 8, further comprising a deletion module, wherein:
the receiving module is further configured to receive the information of a terminal to be unbound;
and the deletion module is configured to delete the security entry of the terminal to be unbound from the switch or AP corresponding to that terminal.
15. An SDN controller, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface communicate with each other through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the method steps of any one of claims 1 to 7 when executing the program stored in the memory.
16. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1 to 7.
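An added example, not code from the patent or its assignee, that models the security-entry generation of claims 9 and 10 and the static-binding reconciliation of claim 12 in Python. The `Entry` layout, the uplink and AP-facing interface sets, the sample entries, and the reading of claim 10 as keeping the DHCP entry of a duplicated MAC and deleting the ARP one are assumptions; conflicts are returned to the caller instead of raising the second alarm message interactively.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Entry:
    """A snooping, security or static-binding entry (fields of claim 9)."""
    mac: str
    ip: str
    vlan: int
    access: str             # access position: "switch:port" or "ap:name"
    source: Optional[str]   # "DHCP", "ARP", "WLAN"; None for a static entry
    bound: bool = False     # binding flag

# Constructed topology: sw1 port g0/24 faces a neighbour switch, g0/1 faces an
# AP. Entries learned there are not directly attached terminals (claim 9).
NEIGHBOR_IFS, AP_IFS = {"sw1:g0/24"}, {"sw1:g0/1"}

def generate(dhcp, arp, wlan):
    """Claims 9-10: drop uplink/AP-facing entries, prefer DHCP over ARP per MAC."""
    keep = [e for e in dhcp + arp if e.access not in NEIGHBOR_IFS | AP_IFS]
    dhcp_macs = {e.mac for e in keep if e.source == "DHCP"}
    # Of two entries sharing a MAC, the ARP one is the duplicate to delete.
    keep = [e for e in keep if not (e.source == "ARP" and e.mac in dhcp_macs)]
    return {e.mac: e for e in keep + wlan}  # MAC is the terminal's unique id

def reconcile(generated, static_list):
    """Claim 12: merge generated entries into the static-binding list.
    Returns (merged list, conflicts that need the user's choice)."""
    by_mac = {s.mac: s for s in static_list}
    conflicts = []
    for mac, sec in generated.items():
        target = by_mac.get(mac)
        if target is None:
            by_mac[mac] = sec           # no static entry: add the security entry
            continue
        if target.source is None:      # static entry with null source: fill it
            target = by_mac[mac] = replace(target, source=sec.source)
        if (target.ip, target.vlan, target.access) != (sec.ip, sec.vlan, sec.access):
            conflicts.append((target, sec))  # "second alarm": user keeps one
    return list(by_mac.values()), conflicts

# Constructed sample input: aa:3 was learned on the uplink, aa:1 appears in
# both DHCP and ARP, and the static entry for aa:4 disagrees on the IP.
DHCP = [Entry("aa:1", "10.0.0.11", 10, "sw1:g0/2", "DHCP"),
        Entry("aa:3", "10.0.0.13", 10, "sw1:g0/24", "DHCP")]
ARP = [Entry("aa:1", "10.0.0.11", 10, "sw1:g0/2", "ARP"),
       Entry("aa:2", "10.0.0.12", 10, "sw1:g0/3", "ARP")]
WLAN = [Entry("aa:4", "10.0.0.14", 20, "ap:ap1", "WLAN")]
STATIC = [Entry("aa:2", "10.0.0.12", 10, "sw1:g0/3", None, True),
          Entry("aa:4", "10.0.0.99", 20, "ap:ap1", None, True)]
```

Running `reconcile(generate(DHCP, ARP, WLAN), STATIC)` yields three merged entries and one conflict for aa:4, which is the case where the claims prompt the user to choose.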
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011273111.1A CN112383646B (en) 2020-11-13 2020-11-13 Security entry configuration method and device, SDN controller and medium

Publications (2)

Publication Number Publication Date
CN112383646A true CN112383646A (en) 2021-02-19
CN112383646B CN112383646B (en) 2022-04-22

Family

ID=74583974

Country Status (1)

Country Link
CN (1) CN112383646B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070121617A1 (en) * 2005-11-29 2007-05-31 Cisco Technology, Inc. Extending sso for DHCP snooping to two box redundancy
CN101060495A (en) * 2007-05-22 2007-10-24 华为技术有限公司 Message processing method, system and equipment
CN101141304A (en) * 2007-09-18 2008-03-12 杭州华三通信技术有限公司 Management method and equipment of ACL regulation
CN102316101A (en) * 2011-08-09 2012-01-11 神州数码网络(北京)有限公司 Safe access method based on dynamic host configuration protocol (DHCP) SNOOPING
CN102413044A (en) * 2011-11-16 2012-04-11 华为技术有限公司 Method, device, equipment and system for generating DHCP (Dynamic Host Configuration Protocol) Snooping binding table
CN103248720A (en) * 2012-02-13 2013-08-14 中兴通讯股份有限公司 Method and device for inquiring physical address
KR101489178B1 (en) * 2013-09-12 2015-02-03 숭실대학교산학협력단 Device and method for arp spoofing detection
CN105430113A (en) * 2015-11-03 2016-03-23 上海斐讯数据通信技术有限公司 SDN APR message processing method and device, SDN controller and SDN switch

Also Published As

Publication number Publication date
CN112383646B (en) 2022-04-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant