CN114244695B - Terminal online configuration method and device of isolated network and network management system - Google Patents


Info

Publication number: CN114244695B
Authority: CN (China)
Prior art keywords: terminal, online, online terminal, information, interface
Legal status: Active
Application number: CN202111679750.2A
Other languages: Chinese (zh)
Other versions: CN114244695A (en)
Inventors: 张斌伟, 洪振钦, 饶耿生, 刘润
Current assignee: TP Link Technologies Co Ltd
Original assignee: TP Link Technologies Co Ltd
Events: application filed by TP Link Technologies Co Ltd; priority to CN202111679750.2A; publication of CN114244695A; application granted; publication of CN114244695B; legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/08 Configuration management of networks or network elements > H04L 41/0876 Aspects of the degree of configuration automation > H04L 41/0886 Fully automatic configuration
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The application belongs to the field of communication and provides a terminal online configuration method and device for an isolated network, and a network management system. The method comprises: allocating a temporary IP address to the online terminal; receiving reporting information from the online terminal based on the allocated temporary IP address, and determining from the reporting information the network device through which the online terminal is accessed; acquiring authentication information of the online terminal and determining from it the VLAN ID to which the online terminal belongs; and applying isolation configuration to the network device accessing the online terminal according to that VLAN ID and the network device information. The whole process is completed automatically by the network management system, so no professional staff are needed to configure the network devices, labour is reduced, and the efficiency of bringing terminals online in an isolated network is effectively improved.

Description

Terminal online configuration method and device of isolated network and network management system
Technical Field
The application belongs to the field of communication, and particularly relates to a terminal online configuration method and device of an isolated network and a network management system.
Background
A VLAN (virtual local area network) is a logical grouping of the network users attached to switch ports. A VLAN is not bound to the physical location of its users, and the network can be segmented according to user needs. Switch-based VLANs effectively address the collision-domain, broadcast-domain and bandwidth problems of a local area network.
A switch using VLAN technology can isolate data exchange between network devices in different groups and thereby improve network security. However, when a new device is added to the network, or when the interface connected to a terminal changes and the terminal comes online again, professional staff must configure the port of the network device that the newly online device is connected to. This configuration process is cumbersome and does not help to improve the efficiency of bringing terminals online in an isolated network.
Disclosure of Invention
In view of this, embodiments of the present application provide a terminal online configuration method, device and network management system for an isolated network, to solve the problem in the prior art that professional staff are needed to configure a terminal when it comes online, which makes the configuration process cumbersome and does not help to improve the efficiency of bringing terminals online in an isolated network.
A first aspect of an embodiment of the present application provides a method for configuring an online terminal in an isolated network, where the method includes:
allocating a temporary IP address to the online terminal;
receiving reporting information from the online terminal based on the allocated temporary IP address, and determining from the reporting information the network device information of the device accessing the online terminal;
acquiring authentication information of the online terminal, and determining from the authentication information the VLAN ID to which the online terminal belongs;
and applying isolation configuration to the network device accessing the online terminal according to the VLAN ID to which the online terminal belongs and the network device information.
With reference to the first aspect, in a first possible implementation of the first aspect, receiving reporting information from the online terminal based on the allocated temporary IP address and determining from it the network device information of the device accessing the online terminal includes:
receiving, via a core switching device, reporting information sent by the online terminal using the allocated temporary IP address, where the reporting information comprises the interface of the core switching device through which the online terminal's network is attached and the MAC address of the online terminal;
and determining from the reported information the network device information of the device accessing the online terminal.
With reference to the first possible implementation of the first aspect, in a second possible implementation, when the online terminal is a wired terminal, determining the network device information from the reported information includes:
calling the interface of the core switching device identified in the reported information, acquiring the MAC address table of the core switching device, and obtaining from that MAC address table and the MAC address of the wired terminal the interface of the core switching device associated with the wired terminal;
if that interface of the core switching device is connected to an aggregation switch, acquiring the MAC address table of the aggregation switch and, combined with the MAC address of the wired terminal, obtaining the interface of the aggregation switch associated with the wired terminal;
if the interface associated with the wired terminal on the core switching device or on the aggregation switch is connected to an access switch, acquiring the MAC address table of the access switch and determining, from that table and the MAC address of the wired terminal, the interface of the access switch to which the wired terminal is connected.
With reference to the first possible implementation of the first aspect, in a third possible implementation, when the online terminal is a wireless terminal, determining the network device information from the reported information includes:
receiving access point information associated with the online terminal;
and determining from the access point information the access point through which the online terminal is accessed.
With reference to the first aspect, in a fourth possible implementation of the first aspect, acquiring authentication information of the online terminal includes:
when the online terminal is a wired terminal, acquiring the authentication information through 802.1X authentication, where the authentication information comprises one or more of the IP address, access interface, access service set identifier (SSID) and login account of the online terminal.
With reference to the first aspect, in a fifth possible implementation of the first aspect, acquiring authentication information of the online terminal includes:
when the online terminal is a wireless terminal, acquiring the authentication information through Portal (captive portal) authentication, where the authentication information comprises one or more of the IP address, access interface, access service set identifier (SSID) and login account of the online terminal.
With reference to the first aspect, in a sixth possible implementation of the first aspect, applying isolation configuration to the network device accessing the online terminal according to the VLAN ID to which the online terminal belongs and the network device information includes:
when the online terminal is a wired terminal, setting the PVID and VLAN ID of the interface of the network device to which the online terminal is connected according to the VLAN ID to which the online terminal belongs;
when the online terminal is a wireless terminal, setting the VLAN ID on the access point through which the online terminal is accessed according to the VLAN ID to which the online terminal belongs.
A second aspect of an embodiment of the present application provides a terminal online configuration apparatus for an isolated network, where the apparatus includes:
an IP address allocation unit for allocating a temporary IP address to an online terminal;
an interface determining unit for receiving reporting information from the online terminal based on the allocated temporary IP address and determining from it the network device information of the device accessing the online terminal;
an ID determining unit configured to acquire authentication information of the online terminal and determine from it the VLAN ID to which the online terminal belongs;
and a configuration unit for applying isolation configuration to the network device accessing the online terminal according to the VLAN ID to which the online terminal belongs and the network device information.
A third aspect of the embodiments of the present application provides a network management system comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to any one of the first aspects.
Compared with the prior art, the embodiments of the present application have the following beneficial effects: an IP address is allocated to the online terminal through the Dynamic Host Configuration Protocol (DHCP), the reporting information of the online terminal is obtained based on the allocated temporary IP address, the network device accessing the online terminal is determined from the reporting information, the VLAN ID to which the online terminal belongs is determined from its authentication information, and the network device accessing the online terminal is isolation-configured according to the determined VLAN ID. The whole process can be completed automatically by the network management system, so the network devices can be configured without professional staff, labour is reduced, and the efficiency of bringing terminals online in an isolated network is effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required for the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
fig. 1 is a schematic diagram of a network for isolation configuration provided in an embodiment of the present application;
fig. 2 is a schematic implementation flow diagram of a terminal online configuration method of an isolated network according to an embodiment of the present application;
fig. 3 is a schematic diagram of a wired terminal online interaction flow provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a wireless terminal online interaction flow provided in an embodiment of the present application;
fig. 5 is a schematic implementation flow diagram of an interface determining method for accessing a wired terminal according to an embodiment of the present application;
fig. 6 is a schematic implementation flow chart of an interface determining method for accessing a wireless terminal according to an embodiment of the present application;
fig. 7 is a schematic diagram of a terminal online configuration device of an isolated network according to an embodiment of the present application;
fig. 8 is a schematic diagram of a network management system according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
In order to illustrate the technical solutions described in the present application, the following description is made by specific examples.
The isolated network in the embodiments of the present application includes a virtual local area network built with VLAN technology. Isolation is achieved by configuring the interface of the access network device with parameters such as the PVID (Port VLAN ID, the VLAN assigned to untagged frames arriving on the port) and the VLAN ID. The interface to which an online terminal is connected may change with the user's usage environment. For example, in the network topology shown in fig. 1, an online terminal may be connected to any switch, including the core switching device, an aggregation switch or an access switch. A wireless terminal may be connected to any of these switches through an access point.
In the network topology shown in fig. 1, the core switching device connects to a router, and the interfaces of the core switching device are connected to an access controller (AC), an aggregation switch and the network management system. An interface of the aggregation switch may be connected to an access switch. An interface of the access switch may be connected to a wired terminal or to an access point. A wireless terminal connects wirelessly under the access point. Any switch, including the core switching device, the aggregation switch and the access switch, may be connected directly to a terminal or to a terminal through an access point.
A user may change location while using a terminal. For example, a smartphone, tablet or notebook computer may be used in different office settings, and the topology through which the terminal is accessed changes with the setting. Likewise, when new equipment is put into use, professional staff are required to perform isolation configuration for the online terminal so that it meets the expected data-communication and security requirements.
Fig. 2 is a schematic implementation flow chart of the terminal online configuration method of an isolated network according to an embodiment of the present application, described in detail below:
In S201, a temporary IP address is allocated to the online terminal.
In this embodiment, the online terminal is a terminal that needs to come online, and it may be a wired terminal or a wireless terminal. It may be a terminal coming online again or a terminal coming online for the first time, and may be a smartphone, tablet, notebook, desktop or other intelligent device.
To meet the communication and isolation-configuration requirements of the online terminal, an IP address must be allocated to it when it comes online. The embodiment allocates the IP address using the Dynamic Host Configuration Protocol (DHCP). As shown in fig. 3 or fig. 4, the online interaction flow may include:
1.1 The online terminal sends a DHCP Discover to the core switching device.
When the online terminal (the user PC in figs. 3 and 4) sends the DHCP Discover, it has no IP address yet. It broadcasts the Discover (destination IP address 255.255.255.255, source address 0.0.0.0) to look for a DHCP server; every TCP/IP host on the segment receives the broadcast.
1.2 The core switching device relays or broadcasts the DHCP Discover to the network management system (NMS).
The NMS receives the DHCP Discover relayed or broadcast by the core switching device and answers it.
1.3 The NMS allocates a temporary IP address from the unknown group to the online terminal.
The NMS selects an address that has not yet been allocated, assigns it to the online terminal and replies with a DHCP Offer. This address is temporary, and the VLAN to which it belongs is the VLAN ID of the unknown group.
1.4 After receiving the temporary IP address offered by the NMS, the online terminal sends a DHCP Request accepting the address to the NMS.
If several DHCP servers in the network offer addresses to the online terminal, the terminal normally accepts the first offer it receives as its temporary IP address.
1.5 The NMS confirms the temporary IP address allocated to the online terminal.
After receiving the DHCP Request from the online terminal, the NMS sends a DHCP ACK containing the offered IP address and the other settings, telling the online terminal that it may use the address.
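The five steps above are ordinary DHCP (RFC 2131): Discover, Offer, Request, ACK, with the NMS acting as the server and every address in its pool belonging to the unknown-group VLAN. The following Python is an added example, not code from the patent or from TP-Link: it builds and parses real DHCP messages, runs both sides of the exchange in memory (no sockets and no relay), and records the unknown-group VLAN next to each lease so that the VLAN carried in the ARP report of S202 can later be checked against it. The pool addresses, the VLAN number 4094, the lease time, the transaction ID and the MAC addresses are constructed for illustration; re-use of an existing lease for a re-online terminal is an assumption of this example.

```python
"""In-memory DHCP exchange between an online terminal and the NMS (added example,
constructed data). The NMS hands out temporary addresses from an unknown-group pool."""
import ipaddress
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
LEASE_SECONDS = 600  # assumed short lease for a temporary address

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HEADER = "!BBBBIHHIIII16s64s128s"
HEADER_LEN = struct.calcsize(HEADER)  # 236 bytes


def build(op, xid, msg_type, chaddr, yiaddr="0.0.0.0", opts=()):
    """Serialise one DHCP message: fixed header, magic cookie, options, END."""
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, 0,
                      int(ipaddress.IPv4Address(yiaddr)), 0, 0,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, val in opts:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Parse a DHCP message into a dict; rejects non-DHCP or truncated input."""
    if len(pkt) < HEADER_LEN + 4 or pkt[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, pkt[:HEADER_LEN])
    msg = {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "chaddr": f[11][:f[2]], "opts": {}}
    i = HEADER_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad octet
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        msg["opts"][pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    if OPT_MSG_TYPE not in msg["opts"]:
        raise ValueError("missing DHCP message type")
    return msg


@dataclass
class NmsDhcpServer:
    """NMS side (steps 1.2, 1.3, 1.5): one pool, all addresses in the unknown-group VLAN."""
    server_ip: str
    unknown_vlan: int
    pool: list                                   # free addresses, constructed
    offered: dict = field(default_factory=dict)  # xid -> address offered
    leases: dict = field(default_factory=dict)   # chaddr -> (address, vlan)

    def handle(self, pkt):
        m = parse(pkt)
        kind, mac = m["opts"][OPT_MSG_TYPE][0], m["chaddr"]
        sid = (OPT_SERVER_ID, ipaddress.IPv4Address(self.server_ip).packed)
        lease = (OPT_LEASE_TIME, struct.pack("!I", LEASE_SECONDS))
        if kind == DISCOVER:
            if mac in self.leases:          # re-online terminal keeps its address (assumption)
                ip = self.leases[mac][0]
            elif not self.pool:
                return None                 # pool exhausted: no Offer
            else:
                ip = self.pool.pop(0)
            self.offered[m["xid"]] = ip
            return build(BOOTREPLY, m["xid"], OFFER, mac, ip, [sid, lease])
        if kind == REQUEST:
            if m["opts"].get(OPT_SERVER_ID) != sid[1]:   # step 1.4: terminal chose another server
                ip = self.offered.pop(m["xid"], None)
                if ip and mac not in self.leases:
                    self.pool.insert(0, ip)
                return None
            want = m["opts"].get(OPT_REQUESTED_IP)
            if want is None or self.offered.get(m["xid"]) != str(ipaddress.IPv4Address(want)):
                return build(BOOTREPLY, m["xid"], NAK, mac, opts=[sid])
            ip = self.offered.pop(m["xid"])
            self.leases[mac] = (ip, self.unknown_vlan)  # VLAN kept for the S202 consistency check
            return build(BOOTREPLY, m["xid"], ACK, mac, ip, [sid, lease])
        return None


def terminal_online(server, mac, xid=0x1234):
    """Terminal side (steps 1.1, 1.4). Returns (address, unknown-group VLAN) or None."""
    offer = server.handle(build(BOOTREQUEST, xid, DISCOVER, mac))
    if offer is None:
        return None
    o = parse(offer)
    req = build(BOOTREQUEST, xid, REQUEST, mac, opts=[
        (OPT_REQUESTED_IP, ipaddress.IPv4Address(o["yiaddr"]).packed),
        (OPT_SERVER_ID, o["opts"][OPT_SERVER_ID])])
    ack = parse(server.handle(req))
    if ack["opts"][OPT_MSG_TYPE][0] != ACK:
        return None
    return ack["yiaddr"], server.leases[mac][1]
```

The Offer and ACK carry no VLAN; the server keeps the unknown-group VLAN beside the lease because the ARP report in S202 later echoes the VLAN of the temporary address, and the NMS compares it with the VLAN decided from authentication before configuring the port.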
In S202, the reporting information of the online terminal is received based on the allocated temporary IP address, and the network device accessing the online terminal is determined from the reporting information.
The reported information may concern an online wired terminal or an online wireless terminal. When the core switching device receives an ARP message from the new terminal it is triggered to report to the NMS; the access controller may also report. The reported information may include the IP address and MAC address of the online terminal, the interface of the core switching device through which the online terminal's network is attached, and the VLAN ID to which the allocated temporary IP address belongs. If the reported information includes the VLAN ID of the temporary IP address, it is compared with the VLAN ID determined in S203; if the two differ, the group of the online terminal is configured according to the VLAN ID determined in S203.
As shown in figs. 3 and 4, the process of determining the interface accessing the online terminal by means of ARP reporting may include:
2.1 The online terminal sends an ARP request to the core switching device.
2.2 The core switching device reports the ARP request to the NMS.
The report comprises the IP address of the online terminal, its MAC address, the interface of the core switching device through which the online terminal's network is attached, and the VLAN ID to which the online terminal's temporary IP address belongs.
2.3 The NMS determines the network device accessing the online terminal.
The NMS can determine the network device accessing the online terminal from the reported interface of the core switching device together with the predetermined network topology. For a wired terminal, the determination and configuration process may be as shown in fig. 5, including:
In S501, the interface of the core switching device is called, the MAC address table of the core switching device is obtained, and the interface of the core switching device associated with the online terminal is determined.
The interface of the core switching device through which the online terminal's network is attached is known from the ARP report. Calling that interface gives access to the MAC address table of the core switching device, which records, for every device exchanging data through the core switching device, the mapping between the device's MAC address and the interface of the core switching device on which it was learned. Using the MAC address of the online terminal from the reported information and this mapping, the interface of the core switching device associated with the online terminal is determined.
In S502, the aggregation switch associated with the online terminal is determined from the predetermined topology.
From the interface of the core switching device associated with the online terminal and the device recorded as connected to that interface in the predetermined topology, the aggregation switch associated with the online terminal can be determined if the terminal reaches the core switching device through an aggregation switch. If there is no aggregation switch, the access switch associated with the terminal can be determined from the topology instead.
The topology of the network can be discovered through the LLDP protocol, or it can be determined from data collected by staff.
In S503, the interface of the aggregation switch is called, the MAC address table of the aggregation switch is obtained, and the interface of the aggregation switch associated with the online terminal is determined.
The MAC address table of the aggregation switch records the mapping between the MAC addresses of the devices exchanging data through it and its interfaces; combining this mapping with the MAC address of the online terminal gives the interface of the aggregation switch associated with the online terminal.
In S504, the access switch associated with the online terminal is determined from the predetermined topology.
Once the interface of the core switching device or of the aggregation switch associated with the online terminal is known, the topology shows whether the device connected to that interface is an access switch. Through the determined access switch interface, the data in the access switch, including its MAC address table, can be accessed.
In S505, the interface of the access switch is called, the MAC address table of the access switch is obtained, and the interface of the access switch to which the online terminal is connected is determined.
From the mapping between device MAC addresses and access-switch interfaces stored in the access switch, combined with the MAC address of the online terminal, the interface of the access switch connected to the online terminal is determined; isolation configuration can then be applied to that interface.
In S506, the interface of the access switch is called, and the interface of the access switch to which the online terminal is connected is isolation-configured.
After the interface of the access switch that connects the online terminal has been determined, isolation configuration is applied to that interface to set the VLAN ID to which the online terminal belongs.
For a wireless terminal, the specific determination and configuration process may be as shown in fig. 6, including:
in S601, it is determined whether the access controller reports access point information associated with the online terminal.
After the online terminal is associated with the access point, the access controller can receive information reported by the access point, including the MAC address of the online terminal associated with the access point, the access service set identifier, and the like. And the access controller is further reported to the network control system according to the received reporting information and the access point information.
In S602, an access point interface is invoked according to access point information, and the online terminal is configured in isolation.
After receiving the access point information reported by the access controller, the network control system can perform isolation configuration on the access point based on the MAC address of the online terminal. For example, the access point interface may be invoked based on the MAC address of the online terminal to perform isolation configuration on the online terminal. Or, the interface of the access point may be called based on the IP address allocated by the online terminal and corresponding to the packet, so as to perform isolation configuration on the online terminal.
In S603, if the access controller does not report the access point information associated with the online terminal, the access controller acquires the MAC address table in the core switching device according to the interface of the core switching device of the network where the online terminal is located, and determines the interface of the core switching device associated with the online terminal.
The interface of the core switching equipment of the network where the online terminal is located can be determined according to the information reported by the ARP request. Invoking the interface may access the MAC address table of the core switching device. And the MAC address table stores the MAC address of the equipment which performs data interaction through the core switching equipment and the corresponding relation of the MAC address of the equipment in the interface of the core switching equipment. According to the MAC address of the online terminal included in the reporting information, the interface associated with the online terminal in the core switching equipment can be determined by combining the corresponding relation in the MAC address table.
In S604, according to a predetermined topology structure, a convergence switch associated with the online terminal is determined.
According to the interface of the core switching equipment associated with the online terminal, combining the equipment information connected with the interface of the core switching equipment in the preset topological structure, if the online equipment in the network is connected with the core switching equipment through the aggregation switch, the aggregation switch associated with the online terminal can be determined. If the associated interface in the core switching device is not connected to the aggregation switch, an access switch associated with the access terminal may be determined based on the topology.
In S605, an interface of the aggregation switch is called, a MAC address table in the aggregation switch is obtained, and an interface of the aggregation switch associated with the online terminal is determined.
And the corresponding relation between the MAC address of the equipment for carrying out data interaction through the convergent switch and the interfaces of the convergent switch is stored in the MAC address table in the convergent switch, and according to the corresponding relation, the interfaces of the convergent switch associated with the online terminal can be determined by combining the MAC address of the online terminal.
In S606, according to a predetermined topology, an access switch associated with the online terminal is determined.
After determining the interface of the core switching equipment associated with the online terminal or the interface of the aggregation switch associated with the online terminal, according to the topology structure, the determined interface of the core switching equipment or the equipment connected with the interface of the aggregation switch can be an access switch. Based on the determined interface of the access switch, data in the access switch may be accessed, including, for example, accessing a MAC address table in the access switch.
In S607, an interface of the access switch is invoked, a MAC address table in the access switch is obtained, and an interface of the access switch associated with the online terminal is determined.
The MAC address table of the access switch stores the correspondence between the MAC addresses of the devices exchanging data through the access switch and the interfaces of the access switch. Looking up the MAC address of the online terminal in this correspondence yields the access switch interface associated with the online terminal.
In S608, access point information associated with the online terminal is determined according to a predetermined topology structure.
According to the correspondence between the MAC address of the device stored in the access switch and the interface of the access switch, in combination with the predetermined topology structure, the device information connected to the interface associated with the online terminal in the access switch, that is, the access point information, including, for example, the access point IP address, may be determined, and the process goes to S602.
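The S604 to S608 walk above, as an added example that is not code from the patent: starting at the core switch, the NMS reads the MAC table of each downstream device and consults the topology to decide whether the next hop is another switch, an access point, or an edge port. All device names, interface names, MAC addresses and the dictionary layouts are constructed assumptions.

```python
"""Added example (not the patent's code): walk the topology to find the
terminal's access interface, as in S604-S608.  Device names, interface names,
MAC addresses and the dict layouts below are constructed assumptions."""

from typing import Optional

# Constructed topology: (device, interface) -> downstream device connected to it.
# Interfaces absent from this map are edge ports with no known network device behind them.
TOPOLOGY = {
    ("core", "Gi1/0/1"): "agg1",   # core -> aggregation switch
    ("agg1", "Gi1/0/5"): "acc1",   # aggregation -> access switch
    ("core", "Gi1/0/2"): "acc2",   # core -> access switch directly
    ("acc1", "Gi1/0/3"): "ap1",    # access switch -> wireless access point
}

# Constructed MAC address tables as the NMS would read them: device -> {MAC: learned interface}.
MAC_TABLES = {
    "core": {
        "aa:bb:cc:00:00:01": "Gi1/0/1",
        "aa:bb:cc:00:00:02": "Gi1/0/2",
        "aa:bb:cc:00:00:03": "Gi1/0/1",
    },
    "agg1": {"aa:bb:cc:00:00:01": "Gi1/0/5", "aa:bb:cc:00:00:03": "Gi1/0/5"},
    "acc1": {"aa:bb:cc:00:00:01": "Gi1/0/7", "aa:bb:cc:00:00:03": "Gi1/0/3"},
    "acc2": {"aa:bb:cc:00:00:02": "Gi1/0/12"},
}

# Constructed access point inventory: AP name -> AP IP address.
ACCESS_POINTS = {"ap1": "10.0.0.50"}


def locate_terminal(mac: str, core_interface: Optional[str] = None, *,
                    topology=TOPOLOGY, mac_tables=MAC_TABLES,
                    access_points=ACCESS_POINTS, max_hops: int = 8) -> dict:
    """Return where the terminal with `mac` attaches to the network.

    Starts at the core switch interface taken from the report (S602); if it is
    not given, it is looked up in the core MAC table.  At each hop the MAC
    table of the downstream device is read and the topology decides whether
    the next device is another switch, an access point, or nothing (edge port).
    """
    mac = mac.lower()
    device = "core"
    interface = core_interface or mac_tables["core"].get(mac)
    for _ in range(max_hops):
        if interface is None:
            # The MAC is not learned on this device: stale report or a MAC that never sent traffic here.
            return {"status": "not_found", "last_device": device}
        downstream = topology.get((device, interface))
        if downstream is None:
            # No known network device behind this port: the terminal is wired here (S602/S603).
            return {"status": "ok", "kind": "wired", "device": device, "interface": interface}
        if downstream in access_points:
            # The port leads to an AP: the terminal is a wireless client of that AP (S608).
            return {"status": "ok", "kind": "wireless", "device": downstream,
                    "ap_ip": access_points[downstream],
                    "uplink_device": device, "uplink_interface": interface}
        # Another switch (aggregation or access): read its MAC table and continue (S605/S607).
        device = downstream
        interface = mac_tables.get(device, {}).get(mac)
    # A loop in the topology data or an unreasonably deep tree: refuse to guess.
    return {"status": "too_deep", "last_device": device}
```

The `max_hops` guard matters in practice: a stale or inconsistent topology record can make the walk revisit devices, and the NMS should report that rather than configure the wrong port.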
2.4, the NMS records the network equipment information accessed to the online terminal and the IP address of the online terminal.
The network device information recorded for the online terminal may include the interface of the network device to which a wired online terminal is connected, or, for a wireless online terminal, information such as the IP address and access interface of the access point.
2.5, the core switching device receives and records the correspondence between the VLAN ID and the MAC address of the online terminal, or the correspondence between the user group and the MAC address of the online terminal.
For the wireless terminal, the wireless access point reports the association information of the wireless terminal to an Access Controller (AC), and the access controller reports the association information to a Network Management System (NMS). The reporting information reported by the access point to the access controller may include the MAC address of the online terminal and the access service set identifier of the online terminal. The reported information reported by the access point to the network management system may include information such as the MAC address of the online terminal, the access service set identifier of the online terminal, and the access point associated with the online terminal.
In S203, the authentication information of the online terminal is acquired, and the VLAN ID to which the online terminal belongs is determined according to the authentication information.
After determining the network equipment information of the online terminal (including, for example, an access interface of the network equipment of the online terminal or an access point of the online terminal, etc.), the network management system needs to determine the configuration information of the network equipment, including the VLAN ID to which the online terminal belongs, etc.
When determining the VLAN ID to which the online terminal belongs, the VLAN ID to which the online terminal belongs may be determined based on the authentication manner.
As shown in fig. 3, the VLAN ID to which the online terminal belongs may be determined based on 802.1X authentication, and the authentication process includes:
3.1, the online terminal sends an 802.1X authentication request to the core switching device.
3.2, the core switching device sends a Radius authentication request to the network management system.
3.3, the network management system determines the user group to which the network device belongs from the user group matched by the account number.
3.4, the network management system sets the interface VLAN and PVID of the switch S.
3.5, the network management system returns the Radius authentication result to the core switching device.
3.6, the core switching device returns the 802.1X authentication result to the network device.
For a wireless terminal, Portal authentication may be used to determine the interface through which the online terminal is connected. As shown in fig. 4, the process includes:
1. the online terminal sends a Portal authentication request to the AC.
2. The AC forwards the Portal authentication request to the network management system.
3. A Network Management System (NMS) matches a user group according to an account number, and places a user online terminal into the user group.
4. The network management system configures the access point according to the determined user group.
5. The network management system returns a Portal authentication result to the AC.
6. The AC returns the Portal authentication result to the online terminal.
Matching the user group by the account number carried in the authentication message is only one optional implementation. The user group matched to the online terminal may also be determined from information such as the access service set identifier, the IP address or the access interface of the online terminal.
In S204, according to the VLAN ID to which the online terminal belongs and the network device information of the online terminal, the network device accessing the online terminal is configured in an isolated manner.
After determining the VLAN ID to which the online terminal belongs and accessing the network equipment information of the online terminal, the network management system can automatically set the interface, including setting the PVID of the port to be the same as the VLAN ID to which the online terminal belongs. For the wireless access point, the VLAN ID corresponding to the IP addresses of the wireless access point and the online terminal, or the VLAN ID corresponding to the MAC addresses of the wireless access point and the online terminal, may be set as the VLAN ID to which the online terminal belongs.
In this embodiment of the present application, after isolation configuration is performed on the network device connected to the online terminal, the IP address of the online terminal may be determined according to the VLAN to which the online terminal belongs in a DHCP renewing stage, so that the IP address of the online terminal meets a preset requirement of a corresponding relationship between a packet and an IP address. For example, as shown in fig. 3 and fig. 4, after the online terminal sends a DHCP request to the core switching device, the core switching device relays the DHCP request to the network management system, and the network management system reassigns the IP address of the online terminal. And the online terminal accesses network data according to the access strategy of the virtual local area network and the reassigned IP address.
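The S203/S204 logic together with the DHCP re-assignment described above, as an added example that is not code from the patent: authentication information is matched to a user group, the group gives the VLAN ID, the attachment point found earlier decides whether a port PVID/VLAN or an AP client VLAN is set, and the temporary IP is replaced when it does not belong to the VLAN's subnet. Group names, VLAN IDs, subnets, accounts, SSIDs and the gateway convention are constructed assumptions.

```python
"""Added example (not the patent's code): map authentication info to a user
group and VLAN (S203), emit the isolation configuration for the located device
(S204), and re-assign the terminal's IP inside that VLAN's subnet at DHCP
renewal.  Groups, VLAN IDs, subnets, accounts and SSIDs are constructed."""

import ipaddress
from typing import Optional

# Constructed policy: user group -> VLAN and the address range that VLAN must use.
GROUP_POLICY = {
    "staff": {"vlan_id": 10, "subnet": "10.10.0.0/24"},
    "guest": {"vlan_id": 20, "subnet": "10.20.0.0/24"},
}
# Constructed account and SSID mappings (account match first, SSID as a fallback).
ACCOUNT_GROUPS = {"alice": "staff", "visitor01": "guest"}
SSID_GROUPS = {"corp-guest": "guest"}


def match_user_group(auth_info: dict) -> Optional[str]:
    """Pick the user group from the authentication message: login account, then SSID."""
    account = auth_info.get("account")
    if account in ACCOUNT_GROUPS:
        return ACCOUNT_GROUPS[account]
    ssid = auth_info.get("ssid")
    if ssid in SSID_GROUPS:
        return SSID_GROUPS[ssid]
    return None  # unknown terminal: it stays on the temporary network and nothing is pushed


def build_isolation_config(location: dict, vlan_id: int) -> dict:
    """Translate the located attachment point plus VLAN ID into one config action.

    Wired: the access port's PVID and VLAN are set to the terminal's VLAN.
    Wireless: the AP carries the terminal MAC -> VLAN mapping instead.
    """
    if location["kind"] == "wired":
        return {"target": location["device"], "interface": location["interface"],
                "pvid": vlan_id, "vlan": vlan_id}
    if location["kind"] == "wireless":
        return {"target": location["device"], "terminal_mac": location["mac"], "vlan": vlan_id}
    raise ValueError(f"unknown attachment kind: {location['kind']!r}")


def _subnet_for_vlan(vlan_id: int) -> ipaddress.IPv4Network:
    for policy in GROUP_POLICY.values():
        if policy["vlan_id"] == vlan_id:
            return ipaddress.ip_network(policy["subnet"])
    raise KeyError(f"no subnet for VLAN {vlan_id}")


def ip_in_vlan(ip: str, vlan_id: int) -> bool:
    """The correspondence between VLAN and IP address that the configuration must satisfy."""
    try:
        return ipaddress.ip_address(ip) in _subnet_for_vlan(vlan_id)
    except KeyError:
        return False


def reassign_ip(vlan_id: int, leased: set) -> str:
    """Hand out the first unused host address of the VLAN's subnet at DHCP renewal."""
    net = _subnet_for_vlan(vlan_id)
    hosts = list(net.hosts())[1:]  # first host reserved for the gateway (assumption)
    for host in hosts:
        if str(host) not in leased:
            leased.add(str(host))
            return str(host)
    raise RuntimeError(f"subnet {net} exhausted")


def onboard(auth_info: dict, location: dict, temp_ip: str, leased: set) -> Optional[dict]:
    """Run S203-S204 plus the DHCP re-assignment for one terminal."""
    group = match_user_group(auth_info)
    if group is None:
        return None
    vlan_id = GROUP_POLICY[group]["vlan_id"]
    config = build_isolation_config(location, vlan_id)
    # The temporary address was issued before the VLAN was known; replace it if it does not fit.
    new_ip = temp_ip if ip_in_vlan(temp_ip, vlan_id) else reassign_ip(vlan_id, leased)
    return {"group": group, "vlan_id": vlan_id, "config": config, "ip": new_ip}
```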
It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an execution order; the execution order of each process should be determined by its function and internal logic, and does not limit the implementation of the embodiments of the present application in any way.
Fig. 7 is a schematic diagram of a terminal online configuration device of an isolated network according to an embodiment of the present application, where the device includes:
an IP address allocation unit 701, configured to allocate a temporary IP address to an online terminal;
an interface determining unit 702, configured to receive reporting information of the online terminal based on the allocated temporary IP address, and determine network device information accessing the online terminal according to the reporting information;
an ID determining unit 703, configured to obtain authentication information of the online terminal, and determine a VLAN ID to which the online terminal belongs according to the authentication information;
and a configuration unit 704, configured to perform isolation configuration on the network device accessed to the online terminal according to the VLAN ID to which the online terminal belongs and the network device information accessed to the online terminal.
The terminal on-line configuration device of the isolated network shown in fig. 7 corresponds to the terminal on-line configuration method of the isolated network shown in fig. 2.
Fig. 8 is a schematic diagram of a network management system according to an embodiment of the present application. As shown in fig. 8, the network management system 8 of this embodiment includes: a processor 80, a memory 81 and a computer program 82 stored in said memory 81 and executable on said processor 80, for example a terminal on-line configuration program of an isolated network. The processor 80, when executing the computer program 82, implements the steps in the terminal on-line configuration method embodiments of the respective isolated networks described above. Alternatively, the processor 80, when executing the computer program 82, performs the functions of the modules/units of the apparatus embodiments described above.
By way of example, the computer program 82 may be partitioned into one or more modules/units that are stored in the memory 81 and executed by the processor 80 to complete the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions for describing the execution of the computer program 82 in the network management system 8.
The network management system may include, but is not limited to, a processor 80, a memory 81. It will be appreciated by those skilled in the art that fig. 8 is merely an example of network management system 8 and is not limiting of network management system 8, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., the network management system may also include input and output devices, network access devices, buses, etc.
The processor 80 may be a central processing unit (Central Processing Unit, CPU), other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 81 may be an internal storage unit of the network management system 8, such as a hard disk or a memory of the network management system 8. The memory 81 may be an external storage device of the network management system 8, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided in the network management system 8. Further, the memory 81 may also include both an internal storage unit and an external storage device of the network management system 8. The memory 81 is used for storing the computer program and other programs and data required by the network management system. The memory 81 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Each of the foregoing embodiments emphasizes different aspects; for parts not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. With this understanding, all or part of the flow of the method in the above embodiments may also be implemented by instructing related hardware through a computer program, where the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content contained in the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions the computer readable medium does not include electrical carrier signals and telecommunications signals.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A method for configuring a terminal of an isolated network on-line, the method comprising:
a temporary IP address is allocated for the online terminal;
receiving reporting information sent by the online terminal through a core switching device according to the allocated temporary IP address, wherein the reporting information comprises an interface of the core switching device of a network accessed by the online terminal and a MAC address of the online terminal;
determining network equipment information accessed to the online terminal according to the reported information;
acquiring authentication information of the online terminal, and determining a VLAN ID to which the online terminal belongs according to the authentication information;
according to VLAN ID of the online terminal and network equipment information accessed to the online terminal, performing isolation configuration on the network equipment accessed to the online terminal;
when the online terminal is a wireless terminal, before receiving the report information sent by the online terminal via the core switching device according to the allocated temporary IP address, the method further includes:
judging whether the wireless terminal reported by the wireless access point is a wireless terminal associated with the wireless access point or not;
when the wireless terminal reported by the wireless access point is a wireless terminal pre-associated with the wireless access point, determining the associated access point information as network equipment information for accessing the wireless terminal.
2. The method of claim 1, wherein when the online terminal is a wired terminal, determining network device information accessing the online terminal according to the report information, comprises:
determining a first interface associated with the wired terminal in the core switching equipment according to the reported information;
acquiring a MAC address table of the network equipment when the first interface is connected with the network equipment, acquiring a second interface associated with the wired terminal in the network equipment by combining the MAC address of the wired terminal, and acquiring a third interface associated with the wired terminal in the network equipment when the second interface is connected with the network equipment until the interface associated with the wired terminal is connected with the wired terminal;
when the interface associated with the wired terminal in the core switching equipment or the network equipment is connected with the wired terminal, determining network equipment information accessed to the wired terminal according to the interface.
3. The method according to claim 1, wherein when the wireless terminal reported by the wireless access point is not a wireless terminal associated with the wireless access point in advance, determining network equipment information of accessing the online terminal according to the reported information includes:
determining a first interface associated with a wired terminal in the core switching equipment according to the reported information;
acquiring a MAC address table of the network equipment when the first interface is connected with the network equipment and is not an access point of the wireless terminal, acquiring a second interface associated with the wired terminal in the network equipment by combining the MAC address of the wired terminal, and acquiring a third interface associated with the wired terminal in the network equipment when the second interface is connected with the network equipment and is not the access point of the wireless terminal until the network equipment connected with the interface associated with the wired terminal is the access point;
when the network equipment connected with the interface associated with the wired terminal in the core switching equipment or the network equipment is an access point, determining the access point information accessed to the wired terminal as the network equipment information accessed to the wireless terminal.
4. The method of claim 1, wherein obtaining authentication information of the online terminal comprises:
when the online terminal is a wired terminal, the authentication information is acquired in an 802.1X authentication mode, wherein the authentication information comprises one or more of an IP address, an access interface and a login account of the online terminal.
5. The method of claim 1, wherein obtaining authentication information of the online terminal comprises:
when the online terminal is a wireless terminal, acquiring the authentication information in a Portal authentication mode.
6. The method of claim 5, wherein the authentication information comprises one or more of an IP address, an access interface, an access service set identification, a login account number of the online terminal.
7. The method according to claim 1, wherein the isolating configuration of the network device accessing the online terminal according to the VLAN ID to which the online terminal belongs and the network device information accessing the online terminal includes:
when the online terminal is a wired terminal, setting PVID and VLAN ID of an interface of network equipment accessed to the online terminal according to VLAN ID to which the online terminal belongs;
when the online terminal is a wireless terminal, setting a VLAN ID of an access point accessed to the online terminal according to the VLAN ID of the online terminal.
8. A terminal on-line configuration device of an isolated network, the device comprising:
an IP address allocation unit for allocating a temporary IP address to an online terminal;
an interface determining unit, configured to receive a report message sent by the online terminal via a core switching device according to the allocated temporary IP address, where the report message includes an interface of the core switching device of the network to which the online terminal is connected and a MAC address of the online terminal; determining network equipment information accessed to the online terminal according to the reported information;
an ID determining unit, configured to obtain authentication information of the online terminal, and determine, according to the authentication information, a VLAN ID to which the online terminal belongs;
the configuration unit is used for carrying out isolation configuration on the network equipment accessed to the online terminal according to the VLAN ID to which the online terminal belongs and the network equipment information accessed to the online terminal;
when the online terminal is a wireless terminal, before executing the interface determining unit, the device is further configured to determine whether the wireless terminal reported by the wireless access point is a wireless terminal associated with the wireless access point; when the wireless terminal reported by the wireless access point is a wireless terminal pre-associated with the wireless access point, determining the associated access point information as network equipment information for accessing the wireless terminal.
9. A network management system comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method according to any one of claims 1 to 7 when the computer program is executed by the processor.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 7.
CN202111679750.2A 2021-12-31 2021-12-31 Terminal online configuration method and device of isolated network and network management system Active CN114244695B (en)
Publications (2)

Publication Number Publication Date
CN114244695A CN114244695A (en) 2022-03-25
CN114244695B true CN114244695B (en) 2024-03-19