CN115499167A - Control method for realizing remote access admission management to local area network IP terminal


Info

Publication number
CN115499167A
Authority
CN
China
Prior art keywords
local area
area network
terminal
network
address
Prior art date
Legal status
Pending
Application number
CN202211007959.9A
Other languages
Chinese (zh)
Inventor
杨基明
严正侃
马燕茹
周玥丹
吴平
朱建
Current Assignee
China Information Consulting and Designing Institute Co Ltd
Original Assignee
China Information Consulting and Designing Institute Co Ltd
Priority date
2022-08-22
Filing date
2022-08-22
Publication date
2022-12-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention provides a control method for realizing remote access admission management of IP terminals in a local area network, comprising the following steps: step 1, designing the network in a partitioned mode; step 2, dividing the IP terminals into different partition networks according to equipment type, functional service positioning or access characteristics; step 3, configuring the gateway VLANIF addresses of all partition networks; step 4, starting the SNMP service, configuring read-write authority, and pointing the SNMP target host address to the address of the interface program server; step 5, binding all IP addresses planned for IP terminals to a virtual MAC address; and step 6, when a new IP terminal needs to access the local area network, reporting the MAC information table of the terminal equipment to the network administrator for approval. The method is particularly suitable for enterprises with many branch network nodes and can effectively improve network security.

Description

Control method for realizing remote access admission management to local area network IP terminal
Technical Field
The invention relates to the technical field of IP networks, in particular to a control method for realizing remote access admission management of a local area network IP terminal.
Background
When an enterprise branch has many network nodes, or the branch is far away and a network manager cannot be stationed on site, the access of IP terminal equipment to the local area network inside the branch generally lacks effective admission management: unapproved IP terminal equipment can be connected without the network manager's knowledge, which brings potential security risks to the enterprise network. Technical means are therefore needed to realize admission management of the IP terminals connected in each branch local area network. Schemes for terminal access admission already exist on the market, for example a RADIUS-based mode, but the type of terminal managed is limited, mainly users' PC terminals. Alternatively, probes are deployed in the network for scanning and admission management is realized by after-the-fact comparison, but timeliness is poor, software or hardware probe equipment has to be deployed, and covering many branch office local area networks requires a larger investment.
Disclosure of Invention
Object of the invention: against the defects of the prior art, the technical problem solved by the invention is to provide a control method for realizing remote admission management of local area network IP terminal access based on the SNMP protocol, so as to realize network access admission management for all kinds of IP terminal devices (whether private-network IP devices whose services are limited to the local area network, or external-network or enterprise-intranet IP devices that must provide services outside the local area network) and guarantee network security. The method specifically comprises the following steps:
step 1, the local area network is designed in a partitioned mode, so that no service data access requirement exists between IP terminals within a single partition and all service data access traffic within the local area network is forwarded between partitions;
step 2, the IP terminals are divided into different partition networks, namely virtual local area networks (VLANs), according to equipment type, functional service positioning or access characteristics, and different IP network segments are planned for the different partitions;
step 3, the gateway VLANIF (VLAN interface, a logical interface) addresses of all partition networks are configured on the local area network egress switch; for IP network segments not yet in use, the gateway addresses are not to be configured on the egress switch in advance;
step 4, the SNMP service is started on the local area network egress switch, read-write authority is configured, and the SNMP target host address is pointed to the address of the interface program server;
step 5, all IP addresses planned for IP terminals are bound to a virtual MAC address (for example the virtual MAC address 1111-2222-3333) through the SNMP protocol, and the interface program writes these IP-to-virtual-MAC bindings into the ARP table of the local area network switch as static ARP entries;
step 6, when a new IP terminal needs to access the local area network, the MAC information table of the IP terminal equipment must be reported to the network administrator for examination and approval; after approval a corresponding IP address is allocated, and the interface program writes the IP-to-MAC mapping into a static ARP entry of the local area network egress switch, using the SNMP protocol as the bearer;
In step 1, the general principle of network partitioning is that service data access traffic must be forced to be forwarded between different partitions. Generally a local area network is divided into at least two network partitions: devices whose service data access traffic needs to leave the local area network are placed in one partition, and devices whose service data access traffic does not need to leave the local area network are placed in one partition or in two or more partitions. When there are many devices and device types, the devices whose service data access traffic does not need to leave the local area network can be divided into several partitions, and the partitions can be divided according to equipment type, functional positioning or access characteristics.
In step 2, if the local area network includes a database server, a WEB server and an application server, the typical access requirements are: the WEB server accesses the application server and the application server accesses the database server. Devices of the same kind are placed in one VLAN, that is, the database server, the WEB server and the application server are placed in different VLANs and are allocated different network segment addresses.
In step 6, once the IP-MAC mapping has been approved by the network administrator and written by the interface program, with SNMP as the bearer, into a static ARP entry of the local area network egress switch, the IP terminal can communicate normally inside or outside the local area network. If an IP terminal is connected without approval, it cannot communicate, either because of an ARP entry conflict or because a gateway address is missing:
(1) If an address within a planned IP address segment is used directly, then when the new IP terminal accesses data and the return traffic resolves the new terminal's address through ARP, the allocated IP address is found to be bound to the virtual MAC address, so there is a conflict and communication is impossible.
(2) If an address within an IP address segment that has not been enabled is used, communication is impossible because the local area network egress switch has no gateway address for that segment.
By combining the partitioned network design with the characteristics of the standard SNMP protocol, the MAC-IP mappings issued by the interface program deployed at the remote end are written into static ARP entries on the local area network egress switch, thereby realizing admission management of IP terminals in the local area network.
Beneficial effects: the implementation is simple; the local area network only needs a structural adjustment and the remote end only needs to develop an interface program to achieve standardized, normalized IP terminal access admission management. The method suits many kinds of IP terminal, not only conventional IT equipment such as servers and IP storage but also intelligent terminal equipment such as IP cameras and NVRs. Because it is built on a standard protocol, existing network environments already meet the conditions for implementing admission management, and the implementation threshold is low. The method is particularly suitable for enterprises with many branch network nodes: with a limited project budget it realizes admission management of the IP terminals of every node network and improves enterprise network security.
Drawings
The foregoing and other advantages of the invention will become further apparent from the following detailed description when read together with the accompanying drawings.
Fig. 1 is a diagram of a local area network architecture.
Fig. 2 is a local area network data flow diagram.
Detailed Description
The invention provides a control method for realizing remote access admission management of IP terminals in a local area network, comprising the following steps:
step 1, the local area network is designed in a partitioned mode, so that no service data access requirement exists between IP terminals within a single partition and all service data access traffic within the local area network is forwarded between partitions;
step 2, the IP terminals are divided into different partition networks, namely virtual local area networks (VLANs), according to equipment type, functional service positioning or access characteristics, and different IP network segments are planned for the different partitions;
step 3, the gateway VLANIF (VLAN interface, a logical interface) addresses of all partition networks are configured on the local area network egress switch; for IP network segments not yet in use, the gateway addresses are not to be configured on the egress switch in advance;
step 4, the SNMP service is started on the local area network egress switch, read-write authority is configured, and the SNMP target host address is pointed to the address of the interface program server;
step 5, all IP addresses planned for IP terminals are bound to a virtual MAC address (for example the virtual MAC address 1111-2222-3333) through the SNMP protocol, and the interface program writes these IP-to-virtual-MAC bindings into the ARP table of the local area network switch as static ARP entries;
step 6, when a new IP terminal needs to access the local area network, the MAC information table of the IP terminal equipment must be reported to the network administrator for examination and approval; after approval a corresponding IP address is allocated, and the interface program writes the IP-to-MAC mapping into a static ARP entry of the local area network egress switch, using the SNMP protocol as the bearer;
In step 1, the general principle of network partitioning is that service data access traffic must be forced to be forwarded between different partitions. Generally a local area network is divided into at least two network partitions: devices whose service data access traffic needs to leave the local area network are placed in one partition, and devices whose service data access traffic does not need to leave the local area network are placed in one partition or in two or more partitions. When there are many devices and device types, the devices whose service data access traffic does not need to leave the local area network can be divided into several partitions, and the partitions can be divided according to equipment type, functional positioning or access characteristics.
In step 2, if the local area network includes a database server, a WEB server and an application server, the typical access requirements are: the WEB server accesses the application server and the application server accesses the database server. Devices of the same kind are placed in one VLAN, that is, the database server, the WEB server and the application server are placed in different VLANs and are allocated different network segment addresses.
In step 6, once the IP-MAC mapping has been approved by the network administrator and written by the interface program, with SNMP as the bearer, into a static ARP entry of the local area network egress switch, the IP terminal can communicate normally inside or outside the local area network. If an IP terminal is connected without approval, it cannot communicate, either because of an ARP entry conflict or because a gateway address is missing:
(1) If an address within a planned IP address segment is used directly, then when the new IP terminal accesses data and the return traffic resolves the new terminal's address through ARP, the allocated IP address is found to be bound to the virtual MAC address, so there is a conflict and communication is impossible.
(2) If an address within an IP address segment that has not been enabled is used, communication is impossible because the local area network egress switch has no gateway address for that segment.
Examples
As shown in Fig. 1 and Fig. 2, the local area network is divided into three network partitions, and the devices in each partition network are allocated IP addresses from different network segments. At the remote end of the network an interface program is developed to provide the IP terminal access management service; it is responsible for the allocation and management of IP addresses and for writing the IP-MAC mapping into the static ARP entries of the local area network switch or gateway switch through the SNMP protocol. Simple Network Management Protocol (SNMP) is a standard protocol designed specifically for managing network nodes (servers, workstations, routers, switches, hubs, etc.) in an IP network. ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical address from an IP address.
The interface address or management address configured on the local area network egress switch is routable from the remote end, whether over the intranet or the extranet, so it is reachable for remote connection.
The ARP entries are read or modified through SNMP, which gets or sets object information. SNMP command requests and responses work through the MIB (management information base); Table 1 below lists the entries of the MIB ipNetToMedia table:
TABLE 1
(Table 1, the MIB ipNetToMedia table entries, is rendered as an image in the original and is not reproduced here.)
ARP entries can be added, modified or deleted by editing the ARP table entry (the EditEntry function).
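As an added example (not code from the patent or the applicant), the following Python models the interface program of steps 5 and 6 together with the MIB table just described: it pre-binds every planned address to the virtual MAC, swaps in the real MAC only after approval, emits the matching SNMP SET varbinds on the standard MIB-II ipNetToMediaTable (RFC 1213), and reports why an unapproved terminal cannot communicate. The partition names, ifIndex values, /29 segments and the assumption that the first host address is the VLANIF gateway are constructed for the example; actually sending the SET to the switch is not included.

```python
# Added example, not code from the patent: a model of the "interface program" for
# steps 5 and 6. Planned IPs are pre-bound to the virtual MAC, the real MAC replaces
# it only after approval, and each binding is rendered as SNMP SET varbinds on the
# standard MIB-II ipNetToMediaTable (RFC 1213, OID 1.3.6.1.2.1.4.22). Sending the
# SET to the switch (the SNMP transport) is out of scope here.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

IP_NET_TO_MEDIA = "1.3.6.1.2.1.4.22.1"           # ipNetToMediaEntry
COL_PHYS_ADDR, COL_NET_ADDR, COL_TYPE = 2, 3, 4  # PhysAddress / NetAddress / Type columns
TYPE_STATIC = 4                                  # ipNetToMediaType static(4)
VIRTUAL_MAC = "11:11:22:22:33:33"                # placeholder MAC from the patent (1111-2222-3333)


def normalize_mac(mac: str) -> str:
    """Accept '1111-2222-3333', '11:11:22:22:33:33' or '111122223333'; return colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def arp_varbinds(if_index: int, ip: str, mac: str) -> list:
    """SNMP SET varbinds for one static ARP row; the row index is <ifIndex>.<a.b.c.d>."""
    row = f"{if_index}.{ip}"
    phys = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    return [
        (f"{IP_NET_TO_MEDIA}.{COL_PHYS_ADDR}.{row}", phys),
        (f"{IP_NET_TO_MEDIA}.{COL_NET_ADDR}.{row}", ip),
        (f"{IP_NET_TO_MEDIA}.{COL_TYPE}.{row}", TYPE_STATIC),
    ]


@dataclass
class Partition:
    name: str
    vlan_if_index: int      # ifIndex of the partition's VLANIF on the egress switch
    network: IPv4Network    # planned IP segment; a CIDR string is accepted too
    gateway_enabled: bool   # step 3: segments not yet in use get no gateway address

    def __post_init__(self):
        self.network = IPv4Network(self.network)


@dataclass
class AdmissionManager:
    partitions: dict = field(default_factory=dict)  # name -> Partition
    bindings: dict = field(default_factory=dict)    # ip -> MAC currently in the switch ARP table
    pending: dict = field(default_factory=dict)     # request id -> (partition name, MAC)

    def plan(self, p: Partition) -> list:
        """Step 5: bind every host address of an enabled segment to the virtual MAC."""
        self.partitions[p.name] = p
        varbinds = []
        if p.gateway_enabled:
            for host in p.network.hosts():
                if host == p.network[1]:        # assumption: first host is the VLANIF gateway
                    continue
                self.bindings[str(host)] = VIRTUAL_MAC
                varbinds += arp_varbinds(p.vlan_if_index, str(host), VIRTUAL_MAC)
        return varbinds

    def request(self, req_id: str, partition: str, mac: str) -> None:
        """Step 6a: the branch reports the terminal's MAC for administrator approval."""
        self.pending[req_id] = (partition, normalize_mac(mac))

    def approve(self, req_id: str) -> tuple:
        """Step 6b: allocate a free planned IP and overwrite its virtual-MAC binding."""
        partition, mac = self.pending.pop(req_id)
        p = self.partitions[partition]
        for ip, bound in self.bindings.items():
            if bound == VIRTUAL_MAC and IPv4Address(ip) in p.network:
                self.bindings[ip] = mac
                return ip, arp_varbinds(p.vlan_if_index, ip, mac)
        raise RuntimeError(f"no free address left in partition {partition}")

    def can_communicate(self, ip: str, mac: str) -> tuple:
        """Outcome for a terminal using ip/mac, covering the two failure cases of step 6."""
        mac = normalize_mac(mac)
        for p in self.partitions.values():
            if IPv4Address(ip) in p.network:
                if not p.gateway_enabled:
                    return False, "segment not enabled: no gateway on the egress switch"
                bound = self.bindings.get(ip)
                if bound == mac:
                    return True, "approved static ARP entry"
                return False, f"static ARP entry conflict: {ip} is bound to {bound}"
        return False, "address outside every planned segment"
```

The varbind tuples are abstract (OID, value) pairs meant to be handed to an SNMP library; on a real switch the PhysAddress column is an OCTET STRING, NetAddress an IpAddress and Type an INTEGER, which the library encodes.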
In a specific implementation, the present application provides a computer storage medium and a corresponding data processing unit, where the computer storage medium is capable of storing a computer program, and the computer program, when executed by the data processing unit, may execute the inventive content of the control method for implementing remote access admission management to an IP terminal in a local area network and some or all of the steps in each embodiment provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
It is clear to those skilled in the art that the technical solutions in the embodiments of the present invention can be implemented by means of a computer program and its corresponding general-purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention or portions thereof that contribute to the prior art may be embodied in the form of a computer program, that is, a software product, which may be stored in a storage medium and include several instructions for enabling a device (which may be a personal computer, a server, a single chip microcomputer, an MUU, or a network device, etc.) including a data processing unit to execute the method according to each embodiment or some portions of the embodiments of the present invention.
The present invention provides a control method for implementing remote access admission management to an IP terminal in a local area network, and a plurality of methods and approaches for implementing the technical solution are provided, and the above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, a plurality of improvements and modifications may be made without departing from the principle of the present invention, and these improvements and modifications should also be regarded as the protection scope of the present invention. All the components not specified in the present embodiment can be realized by the prior art.

Claims (7)

1. A control method for realizing remote access admission management to a local area network IP terminal is characterized by comprising the following steps:
step 1, a local area network designs the network according to a partition mode, and service data access requirements do not exist between IP terminals in a single partition; service data access flow in the local area network needs to be forwarded between the partitions;
step 2, the IP terminal is divided into different subarea networks, namely Virtual Local Area Networks (VLANs) according to the equipment type, the functional service positioning or the access characteristics, and different IP network segments are planned for different subareas;
step 3, configuring gateway VLANIF addresses of all the subarea networks on the local area network outlet switch, wherein the gateway addresses cannot be configured on the local area network outlet switch in advance for IP network segments which are not started;
step 4, on the local area network outlet switch, starting the SNMP service, configuring read-write authority, and pointing the target host address connected with the SNMP to the address of the interface program server;
step 5, binding all IP addresses planned for IP terminals and virtual MAC addresses through an SNMP protocol, and writing the IP addresses and the virtual MAC addresses into ARP static entries of a local area network switch through an interface program in a static ARP entry mode;
step 6, when an IP terminal needs to be newly accessed in the local area network, reporting the MAC information table of the IP terminal equipment needing to be accessed to a network manager for examination and approval, allocating a corresponding IP address after the examination and approval are passed, and writing the mapping relation between the IP and the MAC into an ARP static table entry of an egress switch of the local area network through an interface program using the SNMP protocol as a bearer.
2. The method according to claim 1, wherein in step 1, the local area network is divided into at least two network partitions, wherein the device whose service data access traffic needs to go out of the local area network is divided into one partition, and the device whose service data access traffic does not need to go out of the local area network is divided into one partition or more than two partitions.
3. The method according to claim 2, wherein in step 2, if the local area network includes a database server, a WEB server, and an application server, the access requirement is: the WEB server accesses the application server, the application server accesses the database server, the similar equipment is divided into one VLAN, namely the database server, the WEB server and the application server need to be divided into different VLANs, and different network segment addresses are allocated.
4. The method according to claim 3, wherein in step 6, after the approval by the network administrator, the IP-MAC mapping relationship is written into the ARP static entry of the LAN egress switch via the interface program using the SNMP protocol as a bearer, and the IP terminal can then perform normal communication in or out of the LAN.
5. The method of claim 4, wherein in step 6, if the IP terminal is accessed privately, the communication cannot be performed because of ARP table entry conflict or lack of gateway address.
6. The method of claim 5, wherein in step 6, if the address in the planned IP address segment is directly used, when the new IP terminal performs data access, and when the new IP terminal performs ARP request, the backhaul access is unable to communicate because the currently allocated IP address is bound with the virtual MAC address.
7. The method of claim 6, wherein in step 6, if an address in an IP address segment that is not enabled is used, communication is impossible due to the lack of a gateway address on the local area network egress switch.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211007959.9A CN115499167A (en) 2022-08-22 2022-08-22 Control method for realizing remote access admission management to local area network IP terminal


Publications (1)

Publication Number Publication Date
CN115499167A true CN115499167A (en) 2022-12-20

Family

ID=84466606



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination