CN112468384A

CN112468384A - Communication method, device, switch, AP and AC

Info

Publication number: CN112468384A
Application number: CN202011328793.1A
Authority: CN
Inventors: 赵海峰
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Information Technologies Co Ltd
Priority date: 2020-11-24
Filing date: 2020-11-24
Publication date: 2021-03-09
Anticipated expiration: 2040-11-24
Also published as: CN112468384B

Abstract

The application provides a communication method, a device, a switch, an AP and an AC, which are applied to the technical field of communication. And the communication based on the Overlay technology can be realized without supporting the Overlay protocol by the AP, the requirement on the AP is reduced, the network access of various types of APs can be realized through the AC, the applicability is strong, and the compatibility is high.

Description

Communication method, device, switch, AP and AC

Technical Field

The present application relates to the field of communications technologies, and in particular, to a communication method, an apparatus, a switch, an AP, and an AC.

Background

With the rapid development of wireless networks, wireless networks have become a necessary means for improving the level of informatization as an extension of wired networks. How to reasonably plan and fuse the wired network and the wireless network, ensure the safety of network information and ensure the consistency of network safety strategies is an urgent problem to be solved.

An Overlay Network is a Virtual Network superimposed on an existing physical Network, generally, the Virtual Network herein refers to a Virtual 2-layer Network, and the model can bring many advantages such as configuration simplification and terminal migration, and typical 2-layer Overlay technologies include VXLAN (Virtual Extensible Local Area Network ), NVGRE (Network Virtualization using general Routing Encapsulation), STT (Stateless Transport Tunneling, Stateless Transport tunnel), and the like. The micro-segmentation scheme is based on an Ovelay network, can support more detailed user service division capacity, can decouple the user role from the network, enables the network to have more flexible space, and simplifies the difficulty of network reconstruction.

In one example, when a terminal accesses an AP (Wireless Access Point), a Network Attached Storage (NAS) of the terminal is often located at an AC (Wireless Access Point Controller), an identity is also obtained at the AC, and data forwarding is performed at a wired Leaf (aggregation switch), so that local forwarding is implemented, and AC load is reduced.

Taking the VXLAN technology as an example, based on the above communication process, since the identity is obtained on the AC, in the prior art, the VXLAN identity is allocated to the terminal through the AC, and a VXLAN tunnel is passed between the AP and the Leaf (aggregation switch), so that the AP is required to support VXLAN tunnel encapsulation, the requirement on the AP performance is high, and for an AP network that cannot support the VXLAN technology, the VXLAN technology cannot be applied, so that network communication based on the Overlay technologies such as VXLAN cannot be realized. Therefore, how to realize communication based on the Overlay technology on the basis that the AP does not support the Overlay protocol becomes an urgent problem to be solved.

Disclosure of Invention

The application aims to provide a communication method, a communication device, a switch, an AP and an AC, so that communication based on an Overlay technology is realized on the basis that the AP does not support an Overlay protocol. The specific technical scheme is as follows:

in a first aspect, the present application provides a communication method applied to a wired switch in a communication system, where the communication system further includes a wireless controller AC and at least two wireless access points AP, and the method includes:

receiving a first message which is sent by a target AP and carries a VLAN identity;

under the condition that the first message is a Dynamic Host Configuration Protocol (DHCP) request message and the combination of the VLAN identity and the target port is not bound to an Overlay virtual network, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy, wherein the target port is a port for receiving the first message in the wired switch;

applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP so that the target AP forwards the applied IP address to a target wireless terminal, wherein the target wireless terminal is a terminal for sending the first message;

under the condition that the first message needs to be forwarded, acquiring a security group tag SGT corresponding to the first message to obtain a first SGT corresponding to the target wireless terminal;

and correspondingly processing the first message according to the first SGT.

In an example, the obtaining the SGT corresponding to the first packet and obtaining the first SGT corresponding to the target wireless terminal when the first packet needs to be forwarded includes:

and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port to obtain the first SGT corresponding to the target wireless terminal.

and when the first message needs to be forwarded, acquiring the SGT corresponding to the IP address of the target wireless terminal, and acquiring the first SGT corresponding to the target wireless terminal.

In one example, the performing, according to the first SGT, the corresponding processing on the first packet includes:

obtaining an SGT corresponding to the target IP address according to the target IP address of the first message to obtain a second SGT;

and forwarding the first message under the condition that a preset security policy indicates that a terminal with the role of the first SGT is allowed to access a terminal with the role of the second SGT.

In one example, the determining, according to the destination IP address of the first packet, an SGT corresponding to the destination IP address to obtain a second SGT includes:

and inquiring a local ARP table according to the destination IP address of the first message, determining the SGT corresponding to the destination IP address, and obtaining a second SGT.

adding the first SGT into the first message, and forwarding the first message added with the first SGT according to the destination IP address of the first message;

the method further comprises the following steps:

after receiving a second message aiming at the IP address of the target wireless terminal, acquiring a third SGT of a source terminal carried by the second message, wherein the source terminal is a terminal generating the second message;

and forwarding the second message to the target wireless terminal under the condition that a preset security policy indicates that the terminal with the third SGT role is allowed to access the terminal with the first SGT role.

In one example, the method further comprises:

after a first SGT corresponding to the target wireless terminal is obtained for the first time, recording the corresponding relation between the IP address of the target wireless terminal and the first SGT into a local ARP table;

and announcing the corresponding relation between the IP address of the target wired switch and the first SGT to other wired switches in the communication system according to a preset announcing period so that the other wired switches maintain own ARP tables.

In a second aspect, the present application provides a communication method, which is applied to an AC in a communication system, where the communication system further includes at least two wired switches and at least two APs, and the method includes:

acquiring an authentication request of a target wireless terminal sent by a target AP, wherein the authentication request comprises an MAC address of the target wireless terminal;

determining a VLAN identity of the target wireless terminal according to the authentication request of the target wireless terminal, wherein the VLAN identity of the target wireless terminal corresponds to the grouping strategy of the target wireless terminal;

and sending the VLAN identity of the target wireless terminal to the target AP.

In one example, the communication system further includes an authentication server, and the determining the VLAN id of the target wireless terminal according to the authentication request of the target wireless terminal includes:

sending an authentication request of the target wireless terminal to the authentication server so that the authentication server allocates a VLAN identity to the target wireless terminal according to the authentication request and a preset grouping strategy;

and acquiring the VLAN identity of the target wireless terminal sent by the authentication server.

In a third aspect, the present application provides a communication method applied to an AP in a communication system, where the communication system further includes at least two wired switches and an AC, and the method includes:

after receiving an authentication request of a target wireless terminal, sending the authentication request to the AC, wherein the authentication request comprises an MAC address of the target wireless terminal;

acquiring a VLAN identity of the target wireless terminal sent by the AC, and recording the corresponding relation between the VLAN identity of the target wireless terminal and the MAC address of the target wireless terminal, wherein the VLAN identity of the target wireless terminal corresponds to a grouping strategy of the target wireless terminal;

and after receiving the first message of the target wireless terminal, adding the VLAN identity of the target wireless terminal into the first message, and sending the first message added with the VLAN identity to a wired switch.

In a fourth aspect, the present application provides a communication apparatus applied to a wired switch in a communication system, where the communication system further includes an AC and at least two APs, and the apparatus includes:

the first message receiving module is used for receiving a first message which is sent by a target AP and carries a VLAN identity;

the virtual network binding module is used for binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy under the condition that the first message is a DHCP request message and the combination of the VLAN identity and the target port is not bound to the Overlay virtual network, wherein the target port is a port for receiving the first message in the wired switch;

an IP address application module, configured to apply for an IP address in the specified Overlay virtual network, and send the applied IP address to the target AP, so that the target AP forwards the applied IP address to a target wireless terminal, where the target wireless terminal is a terminal that sends the first packet;

an SGT obtaining module, configured to obtain an SGT corresponding to the first packet when the first packet needs to be forwarded, to obtain a first SGT corresponding to the target wireless terminal;

and the first message processing module is used for correspondingly processing the first message according to the first SGT.

In an example, the SGT obtaining module is specifically configured to: and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port to obtain the first SGT corresponding to the target wireless terminal.

In an example, the SGT obtaining module is specifically configured to: and when the first message needs to be forwarded, acquiring the SGT corresponding to the IP address of the target wireless terminal, and acquiring the first SGT corresponding to the target wireless terminal.

In one example, the first packet processing module includes:

the SGT determining submodule is used for acquiring an SGT corresponding to the destination IP address according to the destination IP address of the first message to obtain a second SGT;

and the first message forwarding sub-module is used for forwarding the first message under the condition that a preset security policy indicates that the terminal with the first SGT is allowed to access the terminal with the second SGT.

In one example, the SGT determination submodule is specifically configured to: and inquiring a local ARP table according to the destination IP address of the first message, determining the SGT corresponding to the destination IP address, and obtaining a second SGT.

In one example, the first packet processing module is specifically configured to: adding the first SGT to the first message; forwarding the first message added with the first SGT according to the destination IP address of the first message;

the device further comprises: a second message processing module, configured to obtain a third SGT of a source terminal carried by a second message after receiving the second message for the IP address of the target wireless terminal, where the source terminal is a terminal that generates the second message; and forwarding the second message to the target wireless terminal under the condition that a preset security policy indicates that the terminal with the third SGT role is allowed to access the terminal with the first SGT role.

In one example, the apparatus further comprises:

the local ARP table updating module is used for recording the corresponding relation between the IP address of the target wireless terminal and the first SGT into a local ARP table after the first SGT corresponding to the target wireless terminal is obtained for the first time;

and the identity information issuing module is used for notifying the corresponding relation between the IP address of the target wired switch and the first SGT to other wired switches in the communication system according to a preset notification period so as to enable the other wired switches to maintain the ARP tables of the other wired switches.

In a fifth aspect, the present application provides a communication apparatus applied to an AC in a communication system, where the communication system further includes at least two wired switches and at least two APs, the apparatus includes:

the authentication request acquisition module is used for acquiring an authentication request of a target wireless terminal sent by a target AP, wherein the authentication request comprises an MAC address of the target wireless terminal;

a VLAN identity acquisition module, configured to determine a VLAN identity of the target wireless terminal according to the authentication request of the target wireless terminal, where the VLAN identity of the target wireless terminal corresponds to a grouping policy of the target wireless terminal;

and the VLAN identity forwarding module is used for sending the VLAN identity of the target wireless terminal to the target AP.

In one example, the VLAN id obtaining module is specifically configured to: sending an authentication request of the target wireless terminal to the authentication server so that the authentication server allocates a VLAN identity to the target wireless terminal according to the authentication request and a preset grouping strategy; and acquiring the VLAN identity of the target wireless terminal sent by the authentication server.

In a sixth aspect, the present application provides a communication apparatus, applied to an AP in a communication system, where the communication system further includes at least two wired switches and an AC, and the apparatus includes:

the authentication request forwarding module is used for sending an authentication request to the AC after receiving the authentication request of a target wireless terminal, wherein the authentication request comprises the MAC address of the target wireless terminal;

a VLAN id receiving module, configured to obtain a VLAN id of the target wireless terminal sent by the AC, and record a correspondence between the VLAN id of the target wireless terminal and an MAC address of the target wireless terminal, where the VLAN id of the target wireless terminal corresponds to a grouping policy of the target wireless terminal;

and the VLAN identity adding module is used for adding the VLAN identity of the target wireless terminal into the first message after receiving the first message of the target wireless terminal and sending the first message added with the VLAN identity to the wired switch.

In a seventh aspect, the present application provides a wired switch, including a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement any one of the communication methods applied to the wired switch in the present application when executing the program stored in the memory.

In an eighth aspect, the present application provides an AC comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement any one of the communication methods applied to the AC in the present application when executing the program stored in the memory.

In a ninth aspect, the present application provides an AP comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement any one of the communication methods applied to the AP in the present application when executing the program stored in the memory.

In a tenth aspect, the present application provides a computer-readable storage medium having a computer program stored therein, the computer program, when executed by a processor, implementing the communication method of any of the present applications.

According to the communication method, the communication device, the switch, the AP and the AC, the wireless AC is used as an authentication NAS point of the wireless terminal, the wired switch is used for a differential section scheme of data forwarding, the VLAN identity is used for representing a micro section, the VLAN identity is converted into an SGT form on the wired switch, and wired and wireless integrated communication is achieved on the basis of an Overlay network and the differential section scheme. And on the basis that the AP does not support the Overlay protocol, the communication based on the Overlay technology is realized, the requirement on the AP is reduced, the network access of various types of APs can be realized through the AC, the applicability is strong, and the compatibility is high. Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.

Drawings

In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

Fig. 1a is a first schematic diagram of a communication method applied to a communication system according to the present application;

fig. 1b is a second schematic diagram of a communication method applied to a communication system according to the present application;

fig. 1c is a third schematic diagram of a communication method applied to a communication system according to the present application;

fig. 1d is a fourth schematic diagram of the communication method applied to the communication system according to the present application;

fig. 2 is a first schematic diagram of a communication method applied to a wired switch according to the present application;

fig. 3 is a second schematic diagram of the communication method applied to the wired switch of the present application;

fig. 4 is a third schematic diagram of a communication method applied to a wired switch according to the present application;

fig. 5 is a fourth schematic diagram of the communication method applied to the wired switch of the present application;

fig. 6 is a first schematic diagram of the communication method applied to AC according to the present application;

fig. 7 is a second schematic diagram of the communication method applied to AC according to the present application;

fig. 8 is a schematic diagram of a communication method applied to an AP according to the present application

Fig. 9 is a first schematic diagram of a communication system of the present application;

fig. 10 is a second schematic diagram of a communication system of the present application;

fig. 11 is a third schematic diagram of the communication system of the present application;

FIG. 12 is a fourth schematic diagram of the communication system of the present application;

fig. 13 is a schematic view of a communication device applied to a wired switch according to the present application;

fig. 14 is a schematic diagram of a communication device of the present application applied to an AC;

fig. 15 is a schematic diagram of a communication device applied to an AP according to the present application;

fig. 16 is a schematic diagram of a wired switch of the present application.

Detailed Description

The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.

First, terms in the present application are explained:

VXLAN (Virtual Extensible Local Area Network): the Network is a two-layer VPN (Local Area Network) technology based on an IP Network and adopting a "MAC (Media Access Control) in UDP (User Datagram Protocol)" encapsulation form.

Service accompanying: the range of information or assets which can be accessed by different kinds of users is limited, namely, the service, and the condition that the access authority is not changed, namely, the service is accompanied can be met when the users work in any position of a campus network in a mobile mode.

SGT (Security Group Tags): and the user acquires the SGT through authentication, and determines the user access right according to the SGT.

Leaf: an aggregation switch.

Spine: a core switch.

AAA (Authentication, Authorization, Accounting, Authentication, Authorization, Accounting): the server program can process the user access request, provides authentication authorization and account service, and mainly aims to manage the user access to the network server and provide service for the user with access right.

Micro-segmentation: micro-segmentation is a fine grouping strategy, can realize more fine endpoint service division based on user grouping, and is marked by SGT in a campus network. The strategy implemented by the micro-segmentation scheme is based on the SGT.

In the prior art, for example, VXLAN technology is taken as an example, a VXLAN tunnel is formed between an AP and a Leaf, and the VXLAN technology cannot be applied to an AP network which cannot support the VXLAN technology, so that network communication based on the Overlay technology such as VXLAN cannot be realized. Therefore, how to realize communication based on the Overlay technology on the basis that the AP does not support the Overlay protocol becomes an urgent problem to be solved.

In view of the above, the present application provides a communication method applied to a communication system including an AC, at least two APs and at least two wired switches, and referring to fig. 1a, the method includes:

s101, an AC acquires an authentication request of a target wireless terminal sent by a target AP, wherein the authentication request comprises an MAC address of the target wireless terminal; according to the authentication request of the target wireless terminal, determining a Virtual Local Area Network (VLAN) identity of the target wireless terminal, and sending the VLAN identity of the target wireless terminal to the target AP.

The target wireless terminal may be any wireless terminal; the target AP is an AP accessed by the target wireless terminal. And the target wireless terminal sends an access request to the target AP, and the target AP sends an authentication request indicating that the target wireless terminal requests to access to the AC after receiving the access request, wherein the authentication request comprises the MAC address of the target wireless terminal. The VLAN id of the target wireless terminal corresponds to the grouping policy of the target wireless terminal, in one example, the VLAN id of the target wireless terminal corresponds to the differentiated segment of the target wireless terminal.

The VLAN identification can be allocated to the target wireless terminal by the AC, and after the AC receives the authentication request of the target wireless terminal, the AC confirms the VLAN identification of the target wireless terminal according to the MAC address of the target wireless terminal. In one example, the AC determines a differential segment of the target wireless terminal according to the MAC address of the target wireless terminal, and selects a VLAN id corresponding to the differential segment as the VLAN id allocated to the target wireless terminal. In one example, one micro-segment corresponds to one VLAN id, and different micro-segments have different authoritative identities.

The VLAN id may be assigned by an authentication server, and in one example, the determining the VLAN id of the target wireless terminal according to the authentication request of the target wireless terminal includes: the AC sends an authentication request of the target wireless terminal to the authentication server, so that the authentication server allocates a VLAN identity identifier for the target wireless terminal according to the authentication request and a preset grouping strategy; and acquiring the VLAN identity of the target wireless terminal sent by the authentication server.

After receiving the message indicating that the target wireless terminal requests access, the AC may send an authentication request of the target wireless terminal to the authentication server, where the authentication request may carry the MAC address of the target wireless terminal. The authentication server may be an AAA capable server. The authentication server authenticates the target wireless terminal after receiving an authentication request of the target wireless terminal sent by the AC, and after the authentication is passed, the authentication server determines a differential section corresponding to the target wireless terminal and selects a VLAN identity corresponding to the differential section as the VLAN identity allocated to the target wireless terminal. The authentication server may authenticate the target wireless terminal based on a globally unique identifier of the target wireless terminal, or based on an account and a password transmitted by the target wireless terminal. And the authentication server sends a message carrying the VLAN identification allocated to the target wireless terminal to the AC. The authentication server authorizes the wireless terminal, can support a third-party authentication system, and can meet various requirements of users.

And S102, the target AP acquires the VLAN identity of the target wireless terminal sent by the AC, records the corresponding relation between the VLAN identity of the target wireless terminal and the MAC address of the target wireless terminal, and after receiving the first message of the target wireless terminal, the target AP adds the VLAN identity to the first message of the target wireless terminal and sends the first message added with the VLAN identity to the wired switch.

After receiving the VLAN id of the target wireless terminal, the target AP binds the MAC address (hereinafter referred to as the target MAC address) of the target wireless terminal and the VLAN id thereof, that is, records the correspondence between the VLAN id of the target wireless terminal and the MAC address of the target wireless terminal.

The first message is a message generated by the target wireless terminal, and for the target AP, the first message is an uplink message, that is, the target AP needs to forward the first message to the wired switch. After receiving the first message from the target wireless terminal, the VLAN id bound by the target wireless terminal is added to the first message, for example, in a process of encapsulating the first message based on a VLAN protocol, the VLAN id is encapsulated in a header of the message. The target AP sends the first packet carrying the VLAN id to the wired switch, and the wired switch that receives the first packet is hereinafter referred to as a target wired switch. The target wired switch may be specifically a wired Leaf switch, taking an Overlay virtual network as a VXLAN network as an example, and may be a VTEP (VXLAN Tunnel End Point).

In one example, the first packet carrying the VLAN id may also carry uplink data of the target wireless terminal. The target wireless terminal sends a first message carrying uplink data to the target AP, and after the target AP receives the first message of the target wireless terminal each time, the VLAN identity corresponding to the target wireless terminal is packaged into a designated field of a message header of the first message based on a VLAN protocol, and the first message with the VLAN identity added is sent to the target wired switch.

And S103, the target wired switch receives a first message which is sent by a target AP and carries the VLAN identity.

And S104, when the first message is a DHCP (Dynamic Host Configuration Protocol) request message and the combination of the VLAN identity and the target port is not bound to an Overlay virtual network, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy, wherein the target port is a port for receiving the first message in a target wired switch.

The port of the target wired switch, which receives the first packet carrying the VLAN id, is called a target port. In one example, the target wired switch determines whether the combination of the VLAN id and the target port is bound to the Overlay Virtual Network according to the VLAN id + the target port in the first message, that is, determines whether the VLAN id + the target port is bound to an Overlay Virtual Network VNI (Virtual Network Identifier). Taking the example that the Overlay virtual Network is a VXLAN virtual Network, it is determined whether the VLAN id + target port is already bound to a VNI (VXLAN Network Identifier) of VXLAN.

In one example, a VLAN in a port corresponds to an Overlay virtual network, and the VLAN id corresponds to an SGT. In this case, when a port of the target wired switch receives a new VLAN id for the first time, the combination of the VLAN id and the target port may be bound to the specified Overlay virtual network according to the policy, including: judging whether a corresponding appointed Overlay virtual network is established; under the condition that the corresponding appointed Overlay virtual network is not established, establishing the appointed Overlay virtual network; and binding the combination of the VLAN identification and the target port to the specified Overlay virtual network. In this case, the Overlay virtual network is designated as the Overlay virtual network corresponding to the combination of the VLAN id + the target port. In another example, multiple VLAN ids in a port may correspond to an Overlay virtual network, and each VLAN id corresponds to a different SGT.

And S105, the target wired switch applies for an IP address in the specified Overlay virtual network, sends the applied IP address to the target AP, and forwards the applied IP address to a target wireless terminal by the target AP, wherein the target wireless terminal is a terminal for sending the first message.

The Overlay virtual network supports a 3-layer IP network, under the condition that the first message is a DHCP request message, the target wired switch applies for an IP address for the target wireless terminal in the appointed Overlay virtual network, after the IP address is applied from the appointed Overlay virtual network, the target wired switch sends the applied IP address to the target AP, and the target AP forwards the applied IP address to the target wireless terminal.

And S106, when the first message needs to be forwarded, the target wired switch acquires the SGT corresponding to the first message to acquire the first SGT corresponding to the target wireless terminal.

For a first message to be forwarded, the target wired switch acquires an SGT corresponding to the first message, that is, an SGT corresponding to the target wireless terminal, which is hereinafter referred to as a first SGT.

In an example, when the first packet needs to be forwarded, the obtaining, by the target wired switch, the SGT corresponding to the first packet to obtain the first SGT corresponding to the target wireless terminal includes: when the first message needs to be forwarded, the target wired switch acquires the SGT corresponding to the combination of the VLAN id and the target port to obtain the first SGT corresponding to the target wireless terminal, that is, the corresponding SGT, that is, the identity of the target wireless terminal in the grouping policy, that is, the first SGT, is determined by the combination of the VLAN id and the target port.

The first SGT may represent a micro segment corresponding to the target ue. The Overlay virtual network supports a 3-layer IP network and supports a security group label, and the target wired switch converts the VLAN identity into an SGT (service gateway T), namely a first SGT, in the specified Overlay virtual network. In one example, the target wired switch includes a preset mapping table, where the preset mapping table records a correspondence between a VLAN id and an SGT, where the SGT represents a micro-segment. The VLAN id may be converted to an SGT according to a preset mapping table.

In an example, when the first packet needs to be forwarded, the obtaining, by the target wired switch, the SGT corresponding to the first packet to obtain the first SGT corresponding to the target wireless terminal includes: and when the first message needs to be forwarded, the target wired switch acquires the SGT corresponding to the IP address of the target wireless terminal to obtain a first SGT corresponding to the target wireless terminal.

The target wired switch may perform forced ARP (Address Resolution Protocol) Resolution according to a Session Initiation Protocol (SIP), and obtain an SGT corresponding to the IP Address of the target wireless terminal, that is, a first SGT. The target wired switch may record the correspondence of the IP address and the SGT in a local ARP table.

The correspondence between the IP address and the SGT in the ARP may be obtained in various ways, and in one example, after applying for the IP address for the target wireless terminal, the correspondence between the IP address and the first SGT is recorded in the ARP table. In one example, the target wired switch queries a local ARP table according to the IP address of the wireless terminal, and if the IP table entry is not recorded in the local ARP table, the target wired switch sends an ARP request message to the communication system to obtain the MAC and the SGT corresponding to the IP address, and records the MAC and the SGT in the local ARP table.

In one example, the method further comprises: after the target wired switch acquires a first SGT corresponding to the target wireless terminal for the first time, recording the corresponding relation between the IP address of the target wireless terminal and the first SGT into a local ARP table; and the target wired switch informs other wired switches in the communication system of the corresponding relation between the IP address of the target wired switch and the first SGT according to a preset informing period so that the other wired switches maintain own ARP tables.

The target wired switch locally stores an ARP table, and after the target wired switch first obtains the first SGT corresponding to the target wireless terminal, for example, after the target wired switch first converts the VLAN id into the first SGT in the specified Overlay virtual network, the target wired switch records the correspondence between the IP address of the target wireless terminal and the first SGT in the local ARP table. The preset notification period can be set by self according to actual conditions. In one example, the target wired switch may issue a corresponding relationship between an IP Address and an SGT in its ARP table to each wired switch in the communication system along with a route advertisement, and each wired switch may maintain its ARP (Address Resolution Protocol) table according to the received corresponding relationship between the IP Address and the SGT. In one example, the target wired switch may issue the identity information of the target wireless terminal to each wired switch using an EVPN (Ethernet Virtual Private Network). Similarly, the current wired switch also receives the correspondence between the IP addresses advertised by other wired switches in the communication system and the SGTs, and maintains the ARP table local to the current wired switch according to the received correspondence between the IP addresses and the SGTs.

And S107, the target wired switch correspondingly processes the first message according to the first SGT.

Each SGT corresponds to a corresponding security policy, and the corresponding relation between the SGT and the security policy can be set by user according to actual conditions. And the target wired switch correspondingly processes the first message according to a preset execution strategy and the first SGT.

In one example, the enforcement policy is to enforce a security policy locally at the target wired switch for the first packet. In this case, the target wired switch performs corresponding processing on the first packet of the target wireless terminal based on the security policy corresponding to the first SGT, where the processing may include operations of immediate sending, delayed sending, discarding, and the like. In one example, referring to fig. 1b, the step S107 includes:

s1071, the target wired switch acquires the SGT corresponding to the target IP address according to the target IP address of the first message to obtain a second SGT.

In one example, the target wired switch may query a local ARP table according to the destination IP address of the first packet, determine the SGT corresponding to the destination IP address, and obtain the second SGT.

If the target wired switch does not include the target IP address in the local ARP table, the target wired switch may send an ARP request packet to other wired switches in the communication system, where the ARP request packet carries the target IP address, and when the other wired switches need to respond to the ARP request packet, the other wired switches respond, and return a second SGT packet corresponding to the IP address to the target wired switch, so that the target wired switch obtains the second SGT corresponding to the target IP address.

S1072, when the preset security policy indicates that the terminal with the first SGT is allowed to access the terminal with the second SGT, forwarding the first packet.

The preset security policy indicates that a terminal with a first SGT role is allowed to access a terminal with a second SGT role, that is, the security policy allows a target wireless terminal to access a terminal to be accessed, and at this time, the target wired switch forwards the first packet to the terminal to be accessed according to a specified routing policy. In an example, when a preset security policy does not allow a terminal with a role of a first SGT to access a terminal with a role of a second SGT, that is, when the target wireless terminal is not allowed to access the terminal to be accessed, the target wired switch discards the first packet.

For example, the target wired switch acquires a first message of a target user terminal, determines a corresponding SGT1 through the VLAN id + the target port, determines a role SGT2 corresponding to a target IP address according to the target IP address of the first message, determines to forward the first message according to a security policy, that is, if the policy allows the SGT1 to access the SGT2, then forwards the first message; if the policy does not allow the SGT1 to access the SGT2, the first message is discarded.

The access rights and security policies may be stored in the local storage of the target wired switch, or may be stored centrally in one device, for example, in an authentication server. The target wired switch can obtain the access authority of the target wireless terminal aiming at the terminal to be accessed based on the SGT of the target wireless terminal and the SGT of the terminal to be accessed, so that the security policy corresponding to the access authority is obtained. And the target wired switch executes a corresponding security policy aiming at the message of the target wireless terminal in the process that the target wireless terminal accesses the terminal to be accessed.

In the application, the target wired switch distinguishes roles according to the message of the target wireless terminal through the VLAN in the process that the target wireless terminal accesses the terminal to be accessed, and realizes the security policy according to the roles, so that the micro-segmented security policy management can be realized even if the AP does not support the Overlay protocol.

In one example, the enforcement policy is to enforce a security policy on the first packet at a remote location from the target wired switch. In this case, the security policy such as the access right of the first packet may be implemented at a remote end, and in an example, referring to fig. 1c, the step S107 includes:

s1073, adding the first SGT to the first message; and forwarding the first message added with the first SGT according to the destination IP address of the first message.

The execution policy in the target wired switch may be to add the first SGT to a header of the first packet based on the IP protocol, and after receiving the first packet added with the first SGT, the remote end may execute the corresponding execution policy based on the first SGT. In one example, the remote end is a wired switch to which the terminal to be accessed accesses, and the IP address of the terminal to be accessed is the destination IP address of the first message. After receiving a first message added with a first SGT, a remote end acquires a second SGT of a terminal to be accessed based on a destination IP address of the first message, and forwards the first message to the terminal to be accessed under the condition that a preset security policy indicates that the terminal with the role of the first SGT is allowed to access the terminal with the role of the second SGT.

In a case where a remote end of a target wireless terminal executes a security policy for a first packet, the target wired switch may also serve as a remote end of another packet, in an example, referring to fig. 1d, the method further includes:

and S108, after receiving a second message aiming at the IP address of the target wireless terminal, acquiring a third SGT of a source terminal carried by the second message, wherein the source terminal is a terminal generating the second message.

And S109, forwarding the second message to the target wireless terminal when the preset security policy indicates that the terminal with the third SGT is allowed to access the terminal with the first SGT.

The source IP address of the second packet is the IP address of the source terminal, and the destination IP address of the second packet is the IP address of the destination wireless terminal. The second message carries a third SGT of the source terminal, and the third SGT represents a differential segment allocated to the source terminal. And under the condition that the security policy indicates that the terminal with the third SGT role is not allowed to access the terminal with the first SGT role, discarding the second message. And forwarding the second message to the target wireless terminal under the condition that the security policy indicates that the terminal with the third SGT is allowed to access the terminal with the first SGT. The target wired switch may perform Portal authentication based on a destination IP address of the second packet, that is, an IP address of the target wireless terminal, determine a target port, send the second packet to the target AP using the target port, and forward the second packet to the target wireless terminal after the target AP receives the second packet.

In the application, a wireless AC is used as an authentication NAS point of a wireless terminal, a wired switch is used for a data forwarding differential section scheme, a VLAN identity is used for representing a micro-section, the VLAN identity is converted into an SGT form on the wired switch, and management of the wireless terminal is realized on the basis of an Overlay network and the differential section scheme. And the AP does not need to support an Overlay protocol, the requirement on the AP is reduced, network access of various types of APs can be realized through the AC, the applicability is strong, and the compatibility is high.

The present application further provides a communication method applied to a wired switch in a communication system, where the communication system further includes an AC and at least two APs, and referring to fig. 2, the method includes:

s201, receiving a first message carrying a VLAN identity sent by a target AP.

And S202, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy under the condition that the first message is a DHCP request message and the combination of the VLAN identity and the target port is not bound to the Overlay virtual network, wherein the target port is a port for receiving the first message in the wired switch.

S203, applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP, so that the target AP forwards the applied IP address to a target wireless terminal, where the target wireless terminal is a terminal that sends the first packet.

And S204, acquiring the SGT corresponding to the first message under the condition that the first message needs to be forwarded, and acquiring the first SGT corresponding to the target wireless terminal.

And S205, performing corresponding processing on the first message according to the first SGT.

The communication method applied to the wired switch in the communication system of the present application may further include, as shown in fig. 3:

s301, receiving a first message carrying a VLAN identity sent by a target AP.

And S302, when the first message is a DHCP request message and the combination of the VLAN identity and the target port is not bound to an Overlay virtual network, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy, wherein the target port is a port of the wired switch for receiving the first message.

And S303, applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP so that the target AP forwards the applied IP address to a target wireless terminal, wherein the target wireless terminal is a terminal for sending the first message.

S304, when the first packet needs to be forwarded, obtaining an SGT corresponding to the first packet, and obtaining a first SGT corresponding to the target wireless terminal.

S305, obtaining the SGT corresponding to the target IP address according to the target IP address of the first message, and obtaining a second SGT.

S306, under the condition that the preset security policy indicates that the terminal with the role of the first SGT is allowed to access the terminal with the role of the second SGT, the first message is forwarded.

The communication method applied to the wired switch in the communication system of the present application may further include, as shown in fig. 4:

s401, receiving a first message carrying a VLAN identity sent by a target AP.

S402, when the first message is a DHCP request message and the combination of the VLAN id and the target port is not bound to an Overlay virtual network, binding the combination of the VLAN id and the target port to a specified Overlay virtual network according to a policy, where the target port is a port in the wired switch that receives the first message.

And S403, applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP so that the target AP forwards the applied IP address to a target wireless terminal, wherein the target wireless terminal is a terminal for sending the first message.

S404, acquiring the SGT corresponding to the first packet when the first packet needs to be forwarded, and acquiring the first SGT corresponding to the target wireless terminal.

S405, adding the first SGT to the first message.

S406, forwarding the first message added with the first SGT according to the destination IP address of the first message.

The communication method applied to the wired switch in the communication system of the present application may further include, as shown in fig. 5:

s501, receiving a first message which is sent by a target AP and carries a VLAN identity.

And S502, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy under the condition that the first message is a DHCP request message and the combination of the VLAN identity and the target port is not bound to the Overlay virtual network, wherein the target port is a port for receiving the first message in the wired switch.

S503, applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP, so that the target AP forwards the applied IP address to a target wireless terminal, where the target wireless terminal is a terminal that sends the first packet.

S504, when the first packet needs to be forwarded, obtaining an SGT corresponding to the first packet, and obtaining a first SGT corresponding to the target wireless terminal.

S505, add the first SGT to the first message.

S506, forwarding the first message added with the first SGT according to the destination IP address of the first message.

S507, after receiving a second packet for the IP address of the target wireless terminal, acquiring a third SGT of the source terminal carried in the second packet, where the source terminal is a terminal that generates the second packet.

And S508, under the condition that the preset security policy indicates that the terminal with the third SGT is allowed to access the terminal with the first SGT, forwarding the second message to the target wireless terminal.

In an example, the obtaining the SGT corresponding to the first packet and obtaining the first SGT corresponding to the target wireless terminal when the first packet needs to be forwarded includes: and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port, and acquiring the first SGT corresponding to the target wireless terminal.

In an example, the obtaining the SGT corresponding to the first packet and obtaining the first SGT corresponding to the target wireless terminal when the first packet needs to be forwarded includes: and when the first message needs to be forwarded, acquiring the SGT corresponding to the IP address of the target wireless terminal, and acquiring the first SGT corresponding to the target wireless terminal.

In one example, the binding the VLAN id and the target port combination to a specified Overlay virtual network according to a policy includes: judging whether a corresponding appointed Overlay virtual network is established; under the condition that the appointed Overlay virtual network is not established, establishing the appointed Overlay virtual network; and binding the combination of the VLAN identification and the target port to the specified Overlay virtual network.

In one example, the determining, according to the destination IP address of the first packet, an SGT corresponding to the destination IP address to obtain a second SGT includes: and inquiring a local ARP table according to the target IP address of the first message, determining the SGT corresponding to the target IP address, and obtaining a second SGT.

In one example, the method further comprises: after a first SGT corresponding to the target wireless terminal is obtained for the first time, recording the corresponding relation between the IP address of the target wireless terminal and the first SGT into a local ARP table; and announcing the corresponding relation between the IP address of the target wired switch and the first SGT to other wired switches in the communication system according to a preset announcing period so that the other wired switches maintain own ARP tables.

The above-mentioned communication method applied to the wired switch in the communication system can be implemented by the wired switch, and specifically, the wired switch is a Leaf switch. For a specific implementation process of the communication method applied to the wired switch in the communication system, reference may be made to the method steps executed by the wired switch in the communication method applied to the communication system, which are not described herein again.

The present application further provides a communication method applied to an AC in a communication system, where the communication system further includes at least two wired switches and at least two APs, and referring to fig. 6, the method includes:

s601, acquiring an authentication request of a target wireless terminal sent by a target AP, where the authentication request includes a MAC address of the target wireless terminal.

S602, determining the VLAN identity of the target wireless terminal according to the authentication request of the target wireless terminal, wherein the VLAN identity of the target wireless terminal corresponds to the grouping strategy of the target wireless terminal.

S603, the VLAN ID of the target wireless terminal is sent to the target AP.

In an example, the communication system further includes an authentication server, and as shown in fig. 7, the communication method applied to the AC in the communication system may further include:

s701, obtaining an authentication request of a target wireless terminal sent by a target AP, where the authentication request includes a MAC address of the target wireless terminal.

S702, sending an authentication request of the target wireless terminal to the authentication server, so that the authentication server allocates a VLAN identity to the target wireless terminal according to the authentication request and a preset grouping policy.

S703, obtaining the VLAN id of the target wireless terminal sent by the authentication server, where the VLAN id of the target wireless terminal corresponds to the grouping policy of the target wireless terminal.

S704, sending the VLAN id of the target wireless terminal to the target AP.

The communication method applied to the AC in the communication system described above may be implemented by an AC. For a specific implementation process of the communication method applied to the AC in the communication system, reference may be made to the method steps executed by the AC in the communication method applied to the communication system, which are not described herein again.

The present application further provides a communication method applied to an AP in a communication system, where the communication system further includes at least two wired switches and an AC, and referring to fig. 8, the method includes:

s801, upon receiving an authentication request from a target wireless terminal, transmits the authentication request to the AC, wherein the authentication request includes a MAC address of the target wireless terminal.

S802, obtaining the VLAN identity of the target wireless terminal sent by the AC, and recording the corresponding relation between the VLAN identity of the target wireless terminal and the MAC address of the target wireless terminal, wherein the VLAN identity of the target wireless terminal corresponds to the grouping strategy of the target wireless terminal.

And S803, after receiving the first message of the target wireless terminal, adding the VLAN identity of the target wireless terminal into the first message, and sending the first message added with the VLAN identity to the wired switch.

The above-described communication method applied to the AP in the communication system may be implemented by the AP. For a specific implementation process of the AP communication method applied in the communication system, reference may be made to the method steps executed by the AP in the communication method applied in the communication system, which are not described herein again.

The present application provides how to access a wireless terminal to a wired network, and the specific architecture of the wired network may refer to the architecture of the wired network in the related art, for example, the wired network may be a wired network architecture composed of a plurality of wired aggregation switches and at least one wired core switch, where the wired aggregation switches are used to access an AP and a wired terminal, and the wired core switch is used to implement communication between the wired aggregation switches.

The present application also provides a communication system, see fig. 9, comprising:

AC 11, at least two APs 12, and at least two wired switches 13;

the AC is configured to obtain an authentication request of a target wireless terminal sent by a target AP, where the authentication request includes an MAC address of the target wireless terminal; determining a VLAN identity of the target wireless terminal according to the authentication request of the target wireless terminal, wherein the VLAN identity of the target wireless terminal corresponds to the grouping strategy of the target wireless terminal; sending the VLAN identity of the target wireless terminal to the target AP;

the AP is configured to acquire the VLAN id of the target wireless terminal sent by the AC, and record a correspondence between the VLAN id of the target wireless terminal and the MAC address of the target wireless terminal; after receiving the first message of the target wireless terminal, adding the VLAN identity of the target wireless terminal into the first message, and sending the first message added with the VLAN identity to a wired switch;

the wired switch is used for receiving a first message carrying the VLAN identity; under the condition that the first message is a DHCP request message and the combination of the VLAN identity and the target port is not bound to an Overlay virtual network, binding the combination of the VLAN identity and the target port to a specified Overlay virtual network according to a strategy, wherein the target port is a port for receiving the first message in the wired switch; applying for an IP address in the specified Overlay virtual network, and sending the applied IP address to the target AP so that the target AP forwards the applied IP address to a target wireless terminal, wherein the target wireless terminal is a terminal for sending the first message; under the condition that the first message needs to be forwarded, acquiring an SGT corresponding to the first message to obtain a first SGT of the target wireless terminal; and correspondingly processing the first message according to the first SGT.

In one example, referring to fig. 10, the system further comprises:

the authentication server 14 is configured to, after receiving an authentication request of the target wireless terminal sent by an AC, allocate a VLAN id to the target wireless terminal according to a preset grouping policy;

the AC is specifically configured to send an authentication request of the target wireless terminal to the authentication server; and receiving the VLAN identity of the target wireless terminal sent by the authentication server.

In an example, the wired switch is specifically configured to: and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port, and acquiring the first SGT corresponding to the target wireless terminal.

In an example, the wired switch is specifically configured to: and when the first message needs to be forwarded, acquiring the SGT corresponding to the IP address of the target wireless terminal, and acquiring the first SGT corresponding to the target wireless terminal.

In an example, the wired switch is specifically configured to obtain, according to a destination IP address of the first packet, an SGT corresponding to the destination IP address to obtain a second SGT; and under the condition that a preset security policy indicates that the terminal with the role of the first SGT is allowed to access the terminal with the role of the second SGT, forwarding the first message.

In an example, the wired switch is specifically configured to: and inquiring a local ARP table according to the target IP address of the first message, determining the SGT corresponding to the target IP address, and obtaining a second SGT.

In an example, the wired switch is specifically configured to: adding the first SGT to the first message; and forwarding the first message added with the first SGT according to the destination IP address of the first message.

In one example, the wired switch is further configured to: after receiving a second message aiming at the IP address of the target wireless terminal, acquiring a third SGT of a source terminal carried by the second message, wherein the source terminal is a terminal generating the second message; and forwarding the second message to the target wireless terminal under the condition that a preset security policy indicates that the terminal with the third SGT is allowed to access the terminal with the first SGT.

In an example, the wired switch is specifically configured to: judging whether a corresponding appointed Overlay virtual network is established; under the condition that the appointed Overlay virtual network is not established, establishing the appointed Overlay virtual network; and binding the combination of the VLAN identification and the target port to the specified Overlay virtual network.

In one example, the wired switch is further configured to: after a first SGT corresponding to the target wireless terminal is obtained for the first time, recording the corresponding relation between the IP address of the target wireless terminal and the first SGT into a local ARP table; and announcing the corresponding relation between the IP address of the target wired switch and the first SGT to other wired switches in the communication system according to a preset announcing period so that the other wired switches maintain own ARP tables.

In one example, referring to fig. 11 and 12, the wired switch 13 is embodied as a wired aggregation switch 131, and the system further includes a wired core switch 15. The wired core switch 15 is used to enable communication between the wired aggregation switches 131.

The present application further provides a communication device, applied to a wired switch in a communication system, where the communication system further includes an AC and at least two APs, and referring to fig. 13, the communication device includes:

a first message receiving module 21, configured to receive a first message that carries a VLAN identity and is sent by a target AP;

a virtual network binding module 22, configured to bind, according to a policy, the combination of the VLAN id and the target port to a specified Overlay virtual network when the first message is a DHCP request message and the combination of the VLAN id and the target port is not bound to the Overlay virtual network, where the target port is a port in the wired switch that receives the first message;

an IP address application module 23, configured to apply for an IP address in the specified Overlay virtual network, and send the applied IP address to the target AP, so that the target AP forwards the applied IP address to a target wireless terminal, where the target wireless terminal is a terminal that sends the first packet;

an SGT obtaining module 24, configured to obtain an SGT corresponding to the first packet when the first packet needs to be forwarded, to obtain a first SGT corresponding to the target wireless terminal;

and a first packet processing module 25, configured to perform corresponding processing on the first packet according to the first SGT.

In an example, the SGT obtaining module is specifically configured to: and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port, and acquiring the first SGT corresponding to the target wireless terminal.

In an example, the first packet processing module includes:

the SGT determining submodule is used for acquiring an SGT corresponding to the target IP address according to the target IP address of the first message to obtain a second SGT;

In an example, the SGT determining submodule is specifically configured to: and inquiring a local ARP table according to the target IP address of the first message, determining the SGT corresponding to the target IP address, and obtaining a second SGT.

In an example, the first packet processing module is specifically configured to: adding the first SGT to the first message; and forwarding the first message added with the first SGT according to the destination IP address of the first message.

In one example, the apparatus further comprises: a second message processing module, configured to obtain a third SGT of a source terminal carried by a second message after receiving the second message for the IP address of the target wireless terminal, where the source terminal is a terminal that generates the second message; and forwarding the second message to the target wireless terminal under the condition that a preset security policy indicates that the terminal with the third SGT is allowed to access the terminal with the first SGT.

In an example, the virtual network binding module is specifically configured to: judging whether a corresponding appointed Overlay virtual network is established; under the condition that the appointed Overlay virtual network is not established, establishing the appointed Overlay virtual network; and binding the combination of the VLAN identification and the target port to the specified Overlay virtual network.

In one example, the apparatus further comprises: a local ARP table updating module, configured to record, after a first SGT corresponding to the target wireless terminal is obtained for the first time, a correspondence between an IP address of the target wireless terminal and the first SGT in a local ARP table;

The present application further provides a communication apparatus applied to an AC in a communication system, where the communication system further includes at least two wired switches and at least two APs, and referring to fig. 14, the apparatus includes:

an authentication request obtaining module 31, configured to obtain an authentication request of a target wireless terminal sent by a target AP, where the authentication request includes an MAC address of the target wireless terminal;

a VLAN id obtaining module 32, configured to determine, according to the authentication request of the target wireless terminal, a VLAN id of the target wireless terminal, where the VLAN id of the target wireless terminal corresponds to a grouping policy of the target wireless terminal;

a VLAN id forwarding module 33, configured to send the VLAN id of the target wireless terminal to the target AP.

In an example, the VLAN id obtaining module is specifically configured to: sending an authentication request of the target wireless terminal to the authentication server, so that the authentication server allocates a VLAN identity to the target wireless terminal according to the authentication request and a preset grouping strategy; and acquiring the VLAN identity of the target wireless terminal sent by the authentication server.

The present application further provides a communication apparatus applied to an AP in a communication system, where the communication system further includes at least two wired switches and an AC, and referring to fig. 15, the apparatus includes:

an authentication request forwarding module 41, configured to send an authentication request to the AC after receiving an authentication request of a target wireless terminal, where the authentication request includes a MAC address of the target wireless terminal;

a VLAN id receiving module 42, configured to obtain a VLAN id of the target wireless terminal sent by the AC, and record a correspondence between the VLAN id of the target wireless terminal and the MAC address of the target wireless terminal, where the VLAN id of the target wireless terminal corresponds to a grouping policy of the target wireless terminal;

the VLAN id adding module 43 is configured to, after receiving the first message of the target wireless terminal, add the VLAN id of the target wireless terminal to the first message, and send the first message with the VLAN id added to the wired switch.

The application also provides an AC comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement any of the above communication methods applied to the AC when executing the program stored in the memory.

The application also provides an AP, which comprises a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement any of the above-described communication methods applied to the AP when executing the program stored in the memory.

The present application also provides a wired switch, see fig. 16, comprising: a processor 51, a communication interface 52, a memory 53 and a communication bus 54;

the processor 51, the communication interface 52 and the memory 53 complete mutual communication through the communication bus 54;

the memory 53 for storing a computer program;

the processor 51 is configured to implement the method steps executed by any of the wired switches when executing the computer program stored in the memory 53.

The communication bus mentioned in the wired switch may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the wired switch and other devices.

The Memory may include a RAM (Random Access Memory) or an NVM (Non-Volatile Memory), such as at least one disk Memory. In one example, the memory may also be at least one memory device located remotely from the processor.

The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also a DSP (Digital Signal Processing), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component.

The present application also provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any of the above-described communication methods applied to a wired switch.

The present application also provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any of the above-described communication methods applied to the AP.

The present application also provides a computer-readable storage medium having a computer program stored therein, where the computer program, when executed by a processor, implements any of the above-mentioned communication methods applied to an AC.

The present application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described communication methods applied to a wired switch.

The present application also provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described communication methods applied to an AP.

The present application also provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described communication methods applied to an AC.

In the above examples, this may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the present application are generated, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

It should be noted that, in this document, the technical features in the various alternatives can be combined to form the scheme as long as the technical features are not contradictory, and the scheme is within the scope of the disclosure of the present application. Relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The embodiments in the present specification are described in a related manner, each embodiment focuses on differences from other embodiments, and the same and similar parts in the embodiments are referred to each other.

The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims

1. A communication method applied to a wired switch in a communication system, the communication system further including a wireless controller AC and at least two wireless access points AP, the method comprising:

and correspondingly processing the first message according to the first SGT.

2. The method according to claim 1, wherein the obtaining the SGT corresponding to the first packet and obtaining the first SGT corresponding to the target wireless terminal when the first packet needs to be forwarded includes:

3. The method according to claim 1, wherein the obtaining the SGT corresponding to the first packet and obtaining the first SGT corresponding to the target wireless terminal when the first packet needs to be forwarded includes:

4. The method according to any of claims 1-3, wherein the performing, according to the first SGT, the corresponding processing on the first packet includes:

5. The method according to claim 4, wherein the determining, according to the destination IP address of the first packet, the SGT corresponding to the destination IP address to obtain a second SGT includes:

6. The method according to any of claims 1-3, wherein the performing, according to the first SGT, the corresponding processing on the first packet includes:

the method further comprises the following steps:

7. The method of claim 1, further comprising:

8. A communication method applied to an AC in a communication system, the communication system further including at least two wired switches and at least two APs, the method comprising:

and sending the VLAN identity of the target wireless terminal to the target AP.

9. The method of claim 8, wherein the communication system further comprises an authentication server, and wherein determining the VLAN identity of the target wireless terminal based on the authentication request of the target wireless terminal comprises:

10. A communication method applied to an AP in a communication system, the communication system further including at least two wired switches and an AC, the method comprising:

11. A communication apparatus, applied to a wired switch in a communication system, the communication system further including an AC and at least two APs, the apparatus comprising:

12. The apparatus according to claim 11, wherein the SGT obtaining module is specifically configured to: and under the condition that the first message needs to be forwarded, acquiring the SGT corresponding to the combination of the VLAN identity and the target port to obtain the first SGT corresponding to the target wireless terminal.

13. The apparatus according to claim 11, wherein the SGT obtaining module is specifically configured to: and when the first message needs to be forwarded, acquiring the SGT corresponding to the IP address of the target wireless terminal, and acquiring the first SGT corresponding to the target wireless terminal.

14. The apparatus according to any of claims 11-13, wherein the first packet processing module comprises:

15. The apparatus according to claim 14, wherein the SGT determination submodule is specifically configured to: and inquiring a local ARP table according to the destination IP address of the first message, determining the SGT corresponding to the destination IP address, and obtaining a second SGT.

16. The apparatus according to any one of claims 11 to 13, wherein the first packet processing module is specifically configured to: adding the first SGT to the first message; forwarding the first message added with the first SGT according to the destination IP address of the first message;

17. The apparatus of claim 11, further comprising:

18. A communication apparatus, applied to an AC in a communication system, the communication system further including at least two wired switches and at least two APs, the apparatus comprising:

19. The apparatus of claim 18, wherein the VLAN id obtaining module is specifically configured to: sending an authentication request of the target wireless terminal to the authentication server so that the authentication server allocates a VLAN identity to the target wireless terminal according to the authentication request and a preset grouping strategy; and acquiring the VLAN identity of the target wireless terminal sent by the authentication server.

20. A communication apparatus, applied to an AP in a communication system, the communication system further including at least two wired switches and an AC, the apparatus comprising:

21. A wired switch, comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement the communication method according to any one of claims 1 to 7 when executing the program stored in the memory.

22. An AC comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement the communication method according to any one of claims 8 to 9 when executing the program stored in the memory.

23. An AP comprising a processor and a memory;

the memory is used for storing a computer program;

the processor is configured to implement the communication method according to claim 10 when executing the program stored in the memory.