CN115499167A - Control method for realizing remote access admission management to local area network IP terminal - Google Patents
- Publication number
- CN115499167A (application CN202211007959.9A)
- Authority
- CN
- China
- Prior art keywords
- local area
- area network
- terminal
- network
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
- H04L41/0213—Standardised network management protocols, e.g. simple network management protocol [SNMP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention provides a control method for realizing remote access admission management of IP terminals in a local area network, comprising the following steps: step 1, design the network in a partitioned mode; step 2, divide the IP terminals into different partition networks according to device type, functional service role or access characteristics; step 3, configure the gateway VLANIF addresses of all partition networks; step 4, enable the SNMP service, configure read-write authority, and point the SNMP target host address to the address of the interface program server; step 5, bind every IP address planned for IP terminals to a virtual MAC address; and step 6, when a new IP terminal needs to be admitted to the local area network, report the MAC information table of the IP terminal device to the network administrator for approval. The method is particularly suitable for enterprises with many branch network nodes and can effectively improve network security.
Description
Technical Field
The invention relates to the technical field of IP networks, in particular to a control method for realizing remote access admission management of a local area network IP terminal.
Background
When an enterprise has many branch network nodes, or a branch is so remote that no network administrator can be stationed on site, the admission of IP terminal devices to the branch's internal local area network generally lacks effective control: unapproved IP terminal devices can be added without the network administrator's knowledge, which poses a potential security risk to the enterprise network. Technical means are therefore needed to implement admission management of the IP terminals connected to each branch local area network. Existing terminal admission schemes on the market, for example those based on RADIUS, handle only a single type of managed terminal, mainly users' PCs. Schemes that deploy probes to scan the network and implement admission management by after-the-fact comparison have poor timeliness, require software or hardware probe devices to be deployed, and need considerable investment when many branch local area networks must be covered.
Disclosure of Invention
The invention aims to solve the following technical problem: to overcome the defects of the prior art by providing a control method, based on the SNMP protocol, for remote access admission management of local area network IP terminals, so that network admission management can be applied to all kinds of IP terminal devices (whether private-network IP devices whose services are confined to the local area network, or external-network or enterprise-intranet IP devices that must provide services outside the local area network) and network security is guaranteed. The method specifically comprises the following steps:
step 1, the local area network is designed in a partitioned mode: there is no service data access requirement between IP terminals within a single partition, and service data access traffic inside the local area network must be forwarded between partitions;
step 2, the IP terminals are divided into different partition networks, namely Virtual Local Area Networks (VLANs), according to device type, functional service role or access characteristics, and a different IP network segment is planned for each partition;
step 3, the gateway VLANIF (VLAN interface, a logical interface) addresses of all partition networks are configured on the local area network egress switch; for IP network segments that are not yet enabled, no gateway address may be configured on the egress switch in advance;
step 4, the SNMP service is enabled on the local area network egress switch, read-write authority is configured, and the SNMP target host address is pointed to the address of the interface program server;
step 5, every IP address planned for IP terminals is bound to a virtual MAC address (for example the virtual MAC address 1111-2222-3333) through the SNMP protocol, and the interface program writes these IP-to-virtual-MAC bindings into the ARP table of the local area network switch as static ARP entries;
step 6, when a new IP terminal needs to be admitted to the local area network, the MAC information table of the IP terminal device must be reported to the network administrator for examination and approval; after approval, a corresponding IP address is allocated, and the interface program writes the IP-MAC mapping into a static ARP entry of the local area network egress switch using the SNMP protocol as the carrier.
In step 1, the general principle of network partitioning is that the access traffic of service data must be forced to be forwarded between different partitions. In general, a local area network can be divided into at least two network partitions: devices whose service data access traffic needs to leave the local area network are placed in one partition, and devices whose service data access traffic does not need to leave the local area network are placed in one partition or in two or more partitions. When the number and types of devices are large, the devices whose service data access traffic does not leave the local area network can be divided into several partitions, and the partitions can be drawn according to device type, functional role or access characteristics.
In step 2, if the local area network contains a database server, a WEB server and an application server, the general access requirements are as follows: the WEB server accesses the application server, and the application server accesses the database server. Devices of the same kind are placed in one VLAN; that is, the database server, the WEB server and the application server must be divided into different VLANs and allocated different network segment addresses.
In step 6, once the IP-MAC mapping has been approved by the network administrator and written by the interface program, using the SNMP protocol as the carrier, into a static ARP entry of the local area network egress switch, the IP terminal can communicate normally inside and outside the local area network. If an IP terminal is connected without authorization, it cannot communicate, either because of an ARP entry conflict or because no gateway address exists:
(1) If it directly uses an address in the planned IP address segment: when the new IP terminal sends data and the return traffic resolves the terminal's address through ARP, the switch already has that IP address statically bound to the virtual MAC address, so the entries conflict and communication fails.
(2) If it uses an address in an IP address segment that is not yet enabled, communication is impossible because the local area network egress switch has no gateway address for that segment.
By combining the partitioned network design with the features of the standard SNMP protocol, the MAC-IP mappings issued by the interface program deployed at the remote site are written into static ARP entries on the local area network egress switch, thereby achieving admission management of IP terminals in the local area network.
Beneficial effects: the method is simple to implement. The local area network only needs to adjust its structure, and the remote end only needs to develop an interface program to standardize IP terminal access admission management. The method suits all kinds of IP terminals, not only conventional IT equipment such as servers and IP storage but also intelligent terminal devices such as IP cameras and NVRs. Because it builds on standardized protocols, existing network environments already meet the conditions for deploying admission management, and the implementation threshold is low. The method is particularly suitable for enterprises with many branch network nodes; it can achieve admission management of the IP terminals in every node network under a limited project budget and improve the security of the enterprise network.
Drawings
The foregoing and/or other advantages of the invention will become further apparent from the following detailed description of the invention when taken in conjunction with the accompanying drawings.
Fig. 1 is a diagram of a local area network architecture.
Fig. 2 is a local area network data flow diagram.
Detailed Description
The invention provides a control method for realizing remote access admission management of an IP terminal of a local area network, which comprises the following steps:
step 1, the local area network is designed in a partitioned mode: there is no service data access requirement between IP terminals within a single partition, and service data access traffic inside the local area network must be forwarded between partitions;
step 2, the IP terminals are divided into different partition networks, namely Virtual Local Area Networks (VLANs), according to device type, functional service role or access characteristics, and a different IP network segment is planned for each partition;
step 3, the gateway VLANIF (VLAN interface, a logical interface) addresses of all partition networks are configured on the local area network egress switch; for IP network segments that are not yet enabled, no gateway address may be configured on the egress switch in advance;
step 4, the SNMP service is enabled on the local area network egress switch, read-write authority is configured, and the SNMP target host address is pointed to the address of the interface program server;
step 5, every IP address planned for IP terminals is bound to a virtual MAC address (for example the virtual MAC address 1111-2222-3333) through the SNMP protocol, and the interface program writes these IP-to-virtual-MAC bindings into the ARP table of the local area network switch as static ARP entries;
step 6, when a new IP terminal needs to be admitted to the local area network, the MAC information table of the IP terminal device must be reported to the network administrator for examination and approval; after approval, a corresponding IP address is allocated, and the interface program writes the IP-MAC mapping into a static ARP entry of the local area network egress switch using the SNMP protocol as the carrier.
In step 1, the general principle of network partitioning is that the access traffic of service data must be forced to be forwarded between different partitions. In general, a local area network can be divided into at least two network partitions: devices whose service data access traffic needs to leave the local area network are placed in one partition, and devices whose service data access traffic does not need to leave the local area network are placed in one partition or in two or more partitions. When the number and types of devices are large, the devices whose service data access traffic does not leave the local area network can be divided into several partitions, and the partitions can be drawn according to device type, functional role or access characteristics.
In step 2, if the local area network contains a database server, a WEB server and an application server, the general access requirements are as follows: the WEB server accesses the application server, and the application server accesses the database server. Devices of the same kind are placed in one VLAN; that is, the database server, the WEB server and the application server must be divided into different VLANs and allocated different network segment addresses.
In step 6, once the IP-MAC mapping has been approved by the network administrator and written by the interface program, using the SNMP protocol as the carrier, into a static ARP entry of the local area network egress switch, the IP terminal can communicate normally inside and outside the local area network. If an IP terminal is connected without authorization, it cannot communicate, either because of an ARP entry conflict or because no gateway address exists:
(1) If it directly uses an address in the planned IP address segment: when the new IP terminal sends data and the return traffic resolves the terminal's address through ARP, the switch already has that IP address statically bound to the virtual MAC address, so the entries conflict and communication fails.
(2) If it uses an address in an IP address segment that is not enabled, communication is impossible because the local area network egress switch has no gateway address for that segment.
Examples
As shown in Fig. 1 and Fig. 2, the local area network is divided into three network partitions, and the devices in each partition are allocated IP addresses from different network segments. At the remote end of the network, an interface program should be developed to provide the IP terminal admission management service; it is responsible for IP address allocation management and for writing the IP-MAC mapping into the static ARP entries of the local area network switch or gateway switch through the SNMP protocol. Simple Network Management Protocol (SNMP) is a standard protocol designed specifically for managing network nodes (servers, workstations, routers, switches, hubs, etc.) in an IP network. ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical address from an IP address.
The interface address or management address configured on the local area network egress switch can be reached by routing from the remote end, whether over the intranet or the extranet; that is, it is remotely connectable.
The ARP table entries are read or modified through SNMP, which gets or sets object information. SNMP command requests and responses are expressed in terms of the MIB (Management Information Base); Table 1 below is the MIB ipNetToMedia table entry:
TABLE 1
ARP entries can be added, modified or deleted by editing the ARP table entry through the EditEntry function.
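As an added example (not code from the patent), the following Python models the interface program and the egress switch state described in steps 3, 5 and 6 and in the ipNetToMedia passage above: it builds the SNMP SET varbinds for static ipNetToMediaTable rows, pre-binds every planned IP to the virtual MAC, replaces one binding after approval, and shows why a terminal that picks its own address fails in cases (1) and (2). The `EgressSwitch` model, the `AdmissionController` class and the 10.1.1.0/29 sample partition are constructed assumptions; a real deployment would send the same varbinds with an SNMP library instead of the in-memory `snmp_set`.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# RFC 1213 ipNetToMediaTable, the ARP table the page reads and writes over SNMP.
# Rows are indexed by <ifIndex>.<dotted IP>; column 2 is the MAC, column 4 the type.
IP_NET_TO_MEDIA = "1.3.6.1.2.1.4.22.1"
COL_PHYS_ADDRESS = 2
COL_TYPE = 4
TYPE_STATIC = 4
# Placeholder MAC from the page: every planned but unassigned IP is bound to it (step 5).
VIRTUAL_MAC = "1111-2222-3333"


def mac_to_octets(mac: str) -> bytes:
    """Accept 1111-2222-3333 or aa:bb:cc:dd:ee:ff and return the six raw octets."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def arp_set_varbinds(if_index: int, ip: str, mac: str) -> list:
    """SNMP SET varbinds that create one static ARP entry on the egress switch."""
    row = f"{IP_NET_TO_MEDIA}.{{col}}.{if_index}.{ip}"
    return [(row.format(col=COL_PHYS_ADDRESS), mac_to_octets(mac)),
            (row.format(col=COL_TYPE), TYPE_STATIC)]


@dataclass
class EgressSwitch:
    """Constructed model of the LAN egress switch: the gateway VLANIFs that are
    configured (enabled segments only, step 3) and its static ARP table."""
    vlanif: dict                                  # ifIndex -> IPv4Network
    arp: dict = field(default_factory=dict)       # (ifIndex, ip) -> MAC as hex

    def snmp_set(self, varbinds) -> None:
        """Apply a SET to ipNetToMediaTable (only the two columns used here)."""
        for oid, value in varbinds:
            col, if_index, *ip = oid[len(IP_NET_TO_MEDIA) + 1:].split(".")
            if int(col) == COL_PHYS_ADDRESS:
                self.arp[(int(if_index), ".".join(ip))] = value.hex()
            elif int(col) == COL_TYPE and value != TYPE_STATIC:
                raise ValueError("admission entries must be static(4)")


@dataclass
class AdmissionController:
    """The remote 'interface program': owns IP allocation and writes mappings via SNMP."""
    switch: EgressSwitch
    planned: dict                                 # ifIndex -> planned IPv4Network
    approved: dict = field(default_factory=dict)  # allocated ip -> MAC as hex

    def _hosts(self, if_index: int):
        net = self.planned[if_index]
        return [str(h) for h in net.hosts() if h != net[1]]  # net[1] is the gateway VLANIF

    def bind_planned_to_virtual_mac(self) -> int:
        """Step 5: pre-bind every planned host IP to the virtual MAC; returns entries written."""
        count = 0
        for if_index in self.planned:
            for ip in self._hosts(if_index):
                self.switch.snmp_set(arp_set_varbinds(if_index, ip, VIRTUAL_MAC))
                count += 1
        return count

    def approve(self, mac: str, if_index: int, approver_ok: bool):
        """Step 6: after administrator approval, allocate a free IP in the requested
        partition and replace its virtual-MAC entry with the real mapping."""
        if not approver_ok:
            return None
        for ip in self._hosts(if_index):
            if ip not in self.approved:
                self.approved[ip] = mac_to_octets(mac).hex()
                self.switch.snmp_set(arp_set_varbinds(if_index, ip, mac))
                return ip
        return None  # partition exhausted


def can_communicate(switch: EgressSwitch, ip: str, mac: str):
    """Why a terminal that picks its own address fails: the page's cases (1) and (2)."""
    addr = IPv4Address(ip)
    hit = [i for i, net in switch.vlanif.items() if addr in net]
    if not hit:
        return False, "no gateway VLANIF for this segment on the egress switch"
    bound = switch.arp.get((hit[0], ip))
    # A missing static entry would let dynamic ARP succeed, which is why step 5 binds every planned IP.
    if bound is not None and bound != mac_to_octets(mac).hex():
        return False, "static ARP entry binds this IP to another MAC; replies are misdirected"
    return True, "approved mapping present"
```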
In a specific implementation, the present application provides a computer storage medium and a corresponding data processing unit, where the computer storage medium is capable of storing a computer program, and the computer program, when executed by the data processing unit, may execute the inventive content of the control method for implementing remote access admission management to an IP terminal in a local area network and some or all of the steps in each embodiment provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
It is clear to those skilled in the art that the technical solutions in the embodiments of the present invention can be implemented by means of a computer program and its corresponding general-purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention or portions thereof that contribute to the prior art may be embodied in the form of a computer program, that is, a software product, which may be stored in a storage medium and include several instructions for enabling a device (which may be a personal computer, a server, a single chip microcomputer, an MUU, or a network device, etc.) including a data processing unit to execute the method according to each embodiment or some portions of the embodiments of the present invention.
The present invention provides a control method for implementing remote access admission management to an IP terminal in a local area network, and a plurality of methods and approaches for implementing the technical solution are provided, and the above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, a plurality of improvements and modifications may be made without departing from the principle of the present invention, and these improvements and modifications should also be regarded as the protection scope of the present invention. All the components not specified in the present embodiment can be realized by the prior art.
Claims (7)
1. A control method for realizing remote access admission management to a local area network IP terminal is characterized by comprising the following steps:
step 1, a local area network designs the network according to a partition mode, and service data access requirements do not exist between IP terminals in a single partition; service data access flow in the local area network needs to be forwarded between the partitions;
step 2, the IP terminal is divided into different subarea networks, namely Virtual Local Area Networks (VLANs) according to the equipment type, the functional service positioning or the access characteristics, and different IP network segments are planned for different subareas;
step 3, configuring gateway VLANIF addresses of all the partition networks on the local area network egress switch, wherein no gateway address is configured in advance on the egress switch for IP network segments that are not enabled;
step 4, on the local area network outlet switch, starting the SNMP service, configuring read-write authority, and pointing the target host address connected with the SNMP to the address of the interface program server;
step 5, binding all IP addresses planned for IP terminals and virtual MAC addresses through an SNMP protocol, and writing the IP addresses and the virtual MAC addresses into ARP static entries of a local area network switch through an interface program in a static ARP entry mode;
step 6, when a new IP terminal needs to be admitted to the local area network, reporting the MAC information table of the IP terminal device to the network administrator for examination and approval, allocating a corresponding IP address after approval, and writing the IP-MAC mapping into a static ARP entry of the local area network egress switch through the interface program using the SNMP protocol as the carrier.
2. The method according to claim 1, wherein in step 1, the local area network is divided into at least two network partitions, wherein the device whose service data access traffic needs to go out of the local area network is divided into one partition, and the device whose service data access traffic does not need to go out of the local area network is divided into one partition or more than two partitions.
3. The method according to claim 2, wherein in step 2, if the local area network includes a database server, a WEB server, and an application server, the access requirement is: the WEB server accesses the application server, the application server accesses the database server, the similar equipment is divided into one VLAN, namely the database server, the WEB server and the application server need to be divided into different VLANs, and different network segment addresses are allocated.
4. The method according to claim 3, wherein in step 6, after approval by the network administrator, the IP-MAC mapping is written into a static ARP entry of the LAN egress switch by the interface program using the SNMP protocol as the carrier, whereupon the IP terminal can communicate normally inside or outside the LAN.
5. The method of claim 4, wherein in step 6, if the IP terminal is connected without authorization, communication cannot take place because of an ARP entry conflict or a missing gateway address.
6. The method of claim 5, wherein in step 6, if an address in the planned IP address segment is used directly, then when the new IP terminal performs data access and the return traffic issues an ARP request for it, communication fails because the currently allocated IP address is bound to the virtual MAC address.
7. The method of claim 6, wherein in step 6, if an address in an IP address segment that is not enabled is used, communication is impossible because the local area network egress switch has no gateway address for that segment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211007959.9A CN115499167A (en) | 2022-08-22 | 2022-08-22 | Control method for realizing remote access admission management to local area network IP terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211007959.9A CN115499167A (en) | 2022-08-22 | 2022-08-22 | Control method for realizing remote access admission management to local area network IP terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115499167A true CN115499167A (en) | 2022-12-20 |
Family
ID=84466606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211007959.9A Pending CN115499167A (en) | 2022-08-22 | 2022-08-22 | Control method for realizing remote access admission management to local area network IP terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115499167A (en) |
- 2022-08-22: CN CN202211007959.9A patent/CN115499167A/en, active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |