CN115694850A - VLAN switching-based terminal access control method - Google Patents
Publication number: CN115694850A (application CN202110833900.4A)
Authority: CN (China)
Prior art keywords: vlan, server, switch, port, data packet
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes: Small-Scale Networks (AREA)
Abstract
The invention provides a terminal admission control method based on VLAN switching, comprising the following steps. Step one: connecting the server to the managed network requires two connections, a service management port and a trunk port to the switch. Step two: add the switch's connection information on the server. Step three: the server connects to the switch with the configured connection information and configures it. Step four: when the switch detects that a MAC address has come online, the server immediately switches the port on which that MAC address appeared to the isolation VLAN, blocking normal network access. Step five: the server receives the terminal's packets; it forwards ARP requests and DNS requests into the normal VLAN, and redirects HTTP requests to the server's address to guide the user to network authentication. Step six: after the user in the isolation zone downloads and installs the software from the server, and the system has been repaired and passes the security check, the server switches the switch port to the legal VLAN and the terminal can subsequently access the network normally.
Description
Technical Field
The invention relates to a terminal admission control method based on VLAN switching and belongs to the technical field of network security.
Background
With the comprehensive development of information-based construction, more and more enterprises, public institutions and government departments apply information technology to office work and business processing, and after years of network construction a complete network has gradually taken shape, so the demands on the flexibility of a secure admission system, and on the complexity it must handle, have grown. Networks are increasingly complex, terminals connect in more and more ways, and a network contains a mix of new and old equipment and many different structures: terminals of many kinds, switches of many brands, and so on. How to achieve flexible control and secure admission, and how to cope with the complexity of a customer's network in an environment with many access modes, is therefore a difficult problem that admission research must solve.
VLAN security gateway technology is a method of building a dynamic switching mechanism between multiple virtual gateways on an IP network. Its working principle overcomes the limitation that devices on the same subnet cannot communicate once they are placed in different VLANs: devices on the same subnet can still reach each other even though they sit in different VLANs, without a layer-3 route between them. At the same time, the multiple-virtual-gateway technique can guide the terminal to an authentication page while its VLAN is being switched, which overcomes the shortcoming that a client without a desktop management agent cannot perform web authentication. From a deployment point of view, it reduces the heavy workload of the network administrator.
Existing layer-2 admission schemes also include admission based on 802.1X, a mode in which the switch authenticates a device before letting it onto the network: the client sends EAP authentication packets, the switch relays the authentication information to an AAA server, and the device can access the network once authentication succeeds. However, 802.1X admission requires the switch to support 802.1X, which makes it hard to apply to low-end or older equipment in practice; every switch must be configured by hand, the configuration differs greatly between manufacturers, and the operation and maintenance workload is heavy. 802.1X admission also relies on a client (supplicant) being installed on the terminal, which further limits its scope of application.
A VLAN-based admission scheme solves the above problems of 802.1X, but has implementation difficulties of its own:
1. Management is difficult because it is keyed on the terminal's MAC address, which is not a readable identifier for administrators.
2. The switch must be configured, which requires a certain level of operation and maintenance capability.
3. After a terminal joins the network, the system's response time for isolating it is long.
Disclosure of Invention
To solve the above problems, the present invention provides a terminal admission control method based on VLAN switching. The specific technical scheme is as follows.
A terminal admission control method based on VLAN switching comprises the following steps:
Step one: connecting the server to the managed network requires two connections: a service management port, which provides a normally reachable IP address, and a trunk port connected to the switch.
Step two: add the switch's connection information on the server.
Step three: the server connects to the switch using the configured connection information and configures the switch.
Step four: when the switch detects that a MAC address has come online, the server immediately switches the port on which that MAC address appeared to the isolation VLAN, blocking normal access to the network.
Step five: when a terminal in the isolation zone accesses the network, it sits in the isolation VLAN and has no connectivity to the normal network, so its packets travel along the trunk links to the trunk port connected to the server, where the server receives them. The server forwards ARP requests and DNS requests into the normal VLAN; HTTP requests are redirected to the server's address, guiding the user of the isolated terminal to network authentication.
Step six: after the user in the isolation zone downloads the software from the server and installs it, and the system has been repaired and passes the security check, the server switches the switch port on which the terminal sits to the legal VLAN, and the terminal can subsequently access the network normally.
Preferably, the connection information in step two is telnet or ssh connection information.
Preferably, the information for configuring the switch in step three includes the switch's manufacturer, login mode, IP address, port number, user name, password and privileged (high-level) password; using this information the server connects to the switch with the corresponding connection mode and issues control commands.
Preferably, in step four the switch discovers that a MAC address is online by way of a mac-trap and by timed polling.
Further, after the switch in step four finds that the MAC address is online, it sends mac-trap information to the server; the server looks up the configured switch by the source IP address of the trap, connects to it with the configured information, and performs the VLAN switch on the corresponding switch port according to the port and MAC address information in the trap message, moving the port into the isolation VLAN.
Preferably, in step five the packet the server obtains through the trunk port is an 802.1Q frame, whose tag contains a 12-bit VLAN identifier (VID) that marks the VLAN the frame belongs to. The isolation VLAN and the normal VLAN are associated in the admission system through the MAC address: if the source MAC address of the frame is an isolated MAC and the VID is the isolation VLAN, the frame is a request sent from the isolation VLAN; if the destination MAC address is an isolated MAC and the VID is the normal VLAN, the frame is a response to the isolation VLAN. For a request that is to be released, the server rewrites the VID field to the ID of the normal VLAN and sends the modified frame out through the trunk port; for a response that is to be released, it rewrites the VID field to the ID of the isolation VLAN and sends the modified frame out through the trunk port. Limited communication between the isolation VLAN and the normal VLAN is thus realized through forwarding by the server.
The invention places low requirements on the switch: it only needs to support VLAN configuration and switching. The operation and maintenance workload is small, since configuration is issued through a back-end connection; no client has to be installed, so the range of application scenarios is wider.
Drawings
Fig. 1 is a working flow chart of the VLAN switching-based terminal admission control method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
VLAN: virtual Local Area Network, i.e. Virtual Local Area Network. A Virtual Local Area Network (VLAN) is a group of logical devices and users, which are not limited by physical location, and can be organized according to functions, departments, applications, and other factors, and communicate with each other as if they are in the same network segment, thereby obtaining a virtual local area network.
802.1Q: namely, virtual Bridge Local Area Networks, IEEE 802.1q and VLAN Tagging belong to the standard specification of IEEE 802.1 under the internet, allowing multiple bridges (bridges) to publicly share the same physical network without information leakage.
As shown in fig. 1, a VLAN switching based terminal admission control method includes the following steps:
Step one: connecting the server to the managed network requires two connections: a service management port, which provides a normally reachable IP address, and a trunk port connected to the switch; the switches themselves are connected to one another by trunk links.
Step two: add the switch's telnet or ssh connection information on the server.
Step three: the server connects to the switch using the configured connection information and configures the switch.
Step four: the switch detects that a MAC address has come online by way of a mac-trap and timed polling; the server immediately switches the port on which that MAC address appeared to the isolation VLAN, blocking the terminal's normal access to the network.
Step five: when a terminal in the isolation zone accesses the network, it sits in the isolation VLAN and has no connectivity to the normal network, so its packets travel along the trunk links to the trunk port connected to the server, where the server receives them. The server forwards ARP requests and DNS requests into the normal VLAN; HTTP requests are redirected to the server's address, guiding the user of the isolated terminal to network authentication.
Step six: after the user in the isolation zone downloads the software from the server and installs it, and the system has been repaired and passes the security check, the server switches the switch port on which the terminal sits to the legal VLAN, and the terminal can subsequently access the network normally. When the switch's mac-trap or the timed polling reports that the MAC address has gone offline, the terminal user's connection record is cleared, which keeps the amount of system data to maintain small.
The information for configuring the switch in step three includes the switch's manufacturer, login mode, IP address, port number, user name, password and privileged (high-level) password; with this information the server connects to the switch using the corresponding connection mode and issues control commands. Control commands differ between manufacturers, so each switch must be sent the command set of the matching vendor and version. Note that telnet transmits the login credentials in clear text; ssh should be used wherever the switch supports it. For example, the Huawei command sequence that switches the port GigabitEthernet 0/0/1 to VLAN 10 is as follows (on Huawei VRP, port default vlan applies to an access-mode port, not to a port left in trunk mode):
interface GigabitEthernet 0/0/1
port default vlan 10
quit
When a device connects to the switch, the switch detects the MAC address coming online and sends mac-trap information to the server. The server looks up the configured switch by the source IP address of the trap, connects to it with the configured information, and then performs the VLAN switch on the corresponding port according to the port and MAC address carried in the trap message, moving the port into the isolation VLAN.
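As an added example (not code from the patent), the following Python sketch implements the step-four and step-six control loop described above: a constructed mac-trap record is matched against the switches configured in step three by the trap's source IP, the port named in the trap is moved to the isolation VLAN, the port is restored to the normal VLAN once the security check passes, and a timed-polling pass over the switch's MAC table synthesizes the same online and offline events when a trap is missed (the offline clean-up is the one described in step six of the detailed description). The RecordingTransport class, the trap dictionary layout, the SwitchConfig field names and the Cisco IOS command variant are assumptions made here; the Huawei VRP lines are the ones quoted on the page, and VLAN numbers 999 and 10 come from the page's worked example.

```python
from dataclasses import dataclass, field

ISOLATION_VLAN = 999   # isolation VLAN in the page's worked example
NORMAL_VLAN = 10       # normal ("legal") VLAN in the page's worked example


@dataclass
class SwitchConfig:
    """Step-three record: vendor, login mode, address, port and credentials (names assumed)."""
    ip: str
    vendor: str            # "huawei" (commands from the page) or "cisco" (added assumption)
    login: str             # "ssh" or "telnet"; telnet sends these credentials in clear text
    port: int
    user: str
    password: str
    enable_password: str   # the page's "high-level password"


class RecordingTransport:
    """Hypothetical stand-in for the telnet/ssh session: records what would be sent."""

    def __init__(self) -> None:
        self.sent: dict[str, list[str]] = {}

    def send(self, sw: SwitchConfig, cmds: list[str]) -> None:
        # a real transport would open sw.login to sw.ip:sw.port, log in as sw.user and
        # enter privileged mode with sw.enable_password before sending cmds
        self.sent.setdefault(sw.ip, []).extend(cmds)


def vlan_switch_commands(vendor: str, iface: str, vlan: int) -> list[str]:
    """CLI lines that move an access port into `vlan` for one vendor."""
    if vendor == "huawei":          # the three lines quoted on the page
        return [f"interface {iface}", f"port default vlan {vlan}", "quit"]
    if vendor == "cisco":           # IOS equivalent, added here as an assumption
        return [f"interface {iface}", f"switchport access vlan {vlan}", "exit"]
    raise ValueError(f"unsupported vendor {vendor!r}")


@dataclass
class AdmissionServer:
    switches: dict[str, SwitchConfig]          # keyed by switch IP, the trap's source address
    transport: RecordingTransport
    # mac -> {"switch": ip, "iface": port name, "state": "isolated" | "admitted"}
    terminals: dict[str, dict] = field(default_factory=dict)

    def _move_port(self, sw: SwitchConfig, iface: str, vlan: int) -> None:
        self.transport.send(sw, vlan_switch_commands(sw.vendor, iface, vlan))

    def on_mac_trap(self, trap: dict) -> str:
        """Step four: the trap names the switch (by source IP), the port and the MAC."""
        sw = self.switches.get(trap["agent_ip"])
        if sw is None:
            return "ignored-unknown-switch"   # never act on traps from unconfigured devices
        mac, iface = trap["mac"].lower(), trap["iface"]
        if trap["event"] == "online":
            if mac in self.terminals:          # duplicate trap or trap/poll overlap: idempotent
                return self.terminals[mac]["state"]
            self._move_port(sw, iface, ISOLATION_VLAN)
            self.terminals[mac] = {"switch": sw.ip, "iface": iface, "state": "isolated"}
            return "isolated"
        if trap["event"] == "offline":
            self.terminals.pop(mac, None)      # page: clear the record when the MAC goes offline
            return "cleared"
        return "ignored-unknown-event"

    def on_security_check_passed(self, mac: str) -> str:
        """Step six: after repair and a passed check, restore the port to the normal VLAN."""
        rec = self.terminals.get(mac.lower())
        if rec is None or rec["state"] != "isolated":
            return "no-op"
        self._move_port(self.switches[rec["switch"]], rec["iface"], NORMAL_VLAN)
        rec["state"] = "admitted"
        return "admitted"

    def reconcile_mac_table(self, switch_ip: str, table: dict[str, str]) -> list[str]:
        """Timed-polling fallback for missed traps. `table` is {mac: iface} as read from
        the switch's MAC table; returns the online/offline events that were synthesized."""
        seen = {m.lower(): i for m, i in table.items()}
        known = {m for m, r in self.terminals.items() if r["switch"] == switch_ip}
        events = []
        for mac, iface in seen.items():
            if mac not in known:
                self.on_mac_trap({"agent_ip": switch_ip, "event": "online", "mac": mac, "iface": iface})
                events.append(f"online {mac}")
        for mac in sorted(known - set(seen)):
            iface = self.terminals[mac]["iface"]
            self.on_mac_trap({"agent_ip": switch_ip, "event": "offline", "mac": mac, "iface": iface})
            events.append(f"offline {mac}")
        return events


# constructed demo data, not a capture from a real network
SWITCHES = {"10.0.0.2": SwitchConfig("10.0.0.2", "huawei", "ssh", 22, "admin", "secret", "super-secret")}
TRAP_ONLINE = {"agent_ip": "10.0.0.2", "event": "online",
               "mac": "00:11:22:33:44:55", "iface": "GigabitEthernet 0/0/1"}

if __name__ == "__main__":
    srv = AdmissionServer(SWITCHES, RecordingTransport())
    print(srv.on_mac_trap(TRAP_ONLINE), srv.transport.sent)
    print(srv.on_security_check_passed("00:11:22:33:44:55"), srv.transport.sent)
    print(srv.reconcile_mac_table("10.0.0.2", {}), srv.terminals)
```

The source-IP lookup doubles as the only input check the server has: if the mac-trap is delivered as an SNMPv1/v2c trap it is unauthenticated UDP, so the trap receiver should only be reachable from the management network, and traps from addresses that are not configured switches are ignored rather than acted on.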
Because a device in the isolation VLAN cannot communicate with the normal network, the packets it sends propagate only within the isolation VLAN. Through the trunk links between the nodes those packets reach the trunk port connected to the server, and the server receives them as 802.1Q frames. 802.1Q does not encapsulate the original frame; instead it inserts a 32-bit tag into the Ethernet frame between the source MAC address and the EtherType/length field. The VLAN tag has the following format:
TPID (16 bits) | PCP (3 bits) | CFI (1 bit) | VID (12 bits)
Tag Protocol Identifier (TPID): a 16-bit field set to 0x8100 that identifies the frame as an IEEE 802.1Q tagged frame. It occupies the same position as the EtherType/length field of an untagged frame, which is how a receiver tells tagged and untagged frames apart.
Priority Code Point (PCP): a 3-bit field carrying the IEEE 802.1p priority, from 0 (lowest) to 7 (highest), used to prioritize traffic classes (voice, video, file transfer and so on).
Canonical Format Indicator (CFI): a 1-bit field, renamed Drop Eligible Indicator (DEI) in IEEE 802.1Q-2011. A value of 0 means the MAC addresses are in canonical format and 1 means non-canonical; on Ethernet switches it is normally 0. It was defined for compatibility between Ethernet and Token Ring: a frame received on an Ethernet port with CFI set to 1 should not be forwarded unchanged to an untagged port.
VLAN Identifier (VID): a 12-bit field specifying the VLAN the frame belongs to. The value 0 means the frame carries no VLAN membership and the tag only conveys priority; 0x000 and 0xFFF are reserved, leaving 4094 usable VLAN identifiers. VID 1 is the default VLAN on most switches and is commonly reserved for management.
The server is mainly concerned with the VID field of the VLAN tag, which marks the VLAN the frame is on. The isolation VLAN and the normal VLAN are associated in the admission system through the MAC address. If the source MAC address of a frame is an isolated MAC and the VID is the isolation VLAN, the frame is a request sent from the isolation VLAN. If the destination MAC address is an isolated MAC and the VID is the normal VLAN, the frame is a response back to the isolation VLAN. For a request that is to be released, the server rewrites the VID field to the ID of the normal VLAN and sends the modified frame out through the trunk port; for a response that is to be released, it rewrites the VID field to the ID of the isolation VLAN and sends it out through the trunk port. Limited communication between the isolation VLAN and the normal VLAN is thus realized through forwarding by the server: only ARP and DNS requests (and their replies) are released in this way, HTTP is captured for redirection, and other traffic from the isolation VLAN is not forwarded.
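As an added example (not the patent's own code), here is a Python implementation of the step-five forwarding rule together with the 802.1Q tag parsing it depends on, written against the tag layout described above: the server classifies each frame arriving on its trunk port by source/destination MAC and VID, releases ARP and DNS requests into the normal VLAN (and their replies back) by rewriting only the 12-bit VID, marks HTTP for redirection to the portal, and ignores everything that is not admission traffic. The sample frames are constructed inline; the helper names, the minimal IPv4 builder and the decision to drop unlisted traffic are assumptions made here, and VLAN IDs 999 and 10 are from the page's worked example.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
ISOLATION_VLAN = 999        # VID of the isolation VLAN in the page's worked example
NORMAL_VLAN = 10            # VID of the normal VLAN in the page's worked example


def parse_tagged_frame(frame: bytes) -> dict:
    """Split an 802.1Q-tagged Ethernet frame into its header fields.
    The 4-byte tag (TPID + TCI) sits after the two MAC addresses, before the EtherType."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tagged frame (TPID 0x%04x)" % tpid)
    return {"dst": dst, "src": src, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}


def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Replace only the 12-bit VID; PCP, DEI and the rest of the frame are untouched."""
    if not 1 <= new_vid <= 4094:            # 0 and 4095 are reserved
        raise ValueError("VID out of range")
    (tci,) = struct.unpack("!H", frame[14:16])
    return frame[:14] + struct.pack("!H", (tci & 0xF000) | new_vid) + frame[16:]


def l4_summary(ethertype: int, payload: bytes) -> tuple:
    """Return (kind, proto, sport, dport); kind is "arp", "ipv4" or "other"."""
    if ethertype == ETHERTYPE_ARP:
        return ("arp", None, None, None)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return ("other", None, None, None)
    ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
    ports = payload[ihl:ihl + 4]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ports) < 4:
        return ("other", proto, None, None)
    sport, dport = struct.unpack("!HH", ports)
    return ("ipv4", proto, sport, dport)


def handle_trunk_frame(frame: bytes, isolated_macs: set) -> tuple:
    """Step five, as seen on the server's trunk port: returns (action, frame_to_send)."""
    f = parse_tagged_frame(frame)
    kind, proto, sport, dport = l4_summary(f["ethertype"], f["payload"])
    if f["src"] in isolated_macs and f["vid"] == ISOLATION_VLAN:
        # request from an isolated terminal: release only ARP and DNS, capture HTTP
        if kind == "arp" or (proto == PROTO_UDP and dport == 53):
            return ("forward", rewrite_vid(frame, NORMAL_VLAN))
        if proto == PROTO_TCP and dport == 80:
            return ("redirect-to-portal", None)
        return ("drop", None)
    if f["dst"] in isolated_macs and f["vid"] == NORMAL_VLAN:
        # response heading back to an isolated terminal: mirror of the request rule
        if kind == "arp" or (proto == PROTO_UDP and sport == 53):
            return ("forward", rewrite_vid(frame, ISOLATION_VLAN))
        return ("drop", None)
    return ("ignore", None)                # not admission traffic; leave it to the switches


# ---- constructed sample frames (not captured traffic) ----
def tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, (pcp << 13) | vid, ethertype) + payload


def ipv4_packet(proto: int, sport: int, dport: int, data: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero) plus a 4-byte port pair, enough for l4_summary."""
    l4 = struct.pack("!HH", sport, dport) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 50]), bytes([10, 1, 1, 53]))
    return hdr + l4


TERMINAL = bytes.fromhex("001122334455")   # isolated terminal's MAC (constructed)
RESOLVER = bytes.fromhex("aabbccddeeff")   # DNS resolver's MAC in the normal VLAN (constructed)

if __name__ == "__main__":
    isolated = {TERMINAL}
    query = tagged_frame(RESOLVER, TERMINAL, ISOLATION_VLAN, ETHERTYPE_IPV4, ipv4_packet(PROTO_UDP, 40000, 53))
    action, out = handle_trunk_frame(query, isolated)
    print(action, parse_tagged_frame(out)["vid"])          # forward 10
    web = tagged_frame(RESOLVER, TERMINAL, ISOLATION_VLAN, ETHERTYPE_IPV4, ipv4_packet(PROTO_TCP, 40001, 80))
    print(handle_trunk_frame(web, isolated)[0])            # redirect-to-portal
```

Only the VID bits of the TCI change, so the priority bits and the payload pass through untouched; a real forwarder retransmitting the modified frame leaves the frame check sequence to the NIC. The response path is deliberately the mirror image of the request path (DNS answers are recognized by source port 53), so nothing reaches the isolation VLAN that was not solicited by a released request.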
For example, suppose an access switch in the intranet uses VLAN 10 for normal access. The VLAN server is connected to the core switch, and the server's service address can communicate with VLAN 10 normally. When a device connects to the access switch, the switch sends mac-trap information to the server; by parsing it the server learns that a MAC address has appeared on port A of the switch. The server connects to the switch with the configured connection information and switches port A to the configured isolation VLAN 999, so the newly connected device is isolated and cannot communicate with the legitimate devices on the network.
Once connected, the device starts to access the network. The server obtains its packets through the trunk port, forwards basic requests such as ARP and DNS into the normal VLAN, and redirects HTTP requests to the server's page address to guide the user through authentication. After the user has authenticated normally under the server's guidance, the server switches the switch port on which the device sits back to the normal VLAN, and the device can access the network normally.
The invention matches IP addresses to MAC addresses using the terminal information and the switch's ARP cache, so that management can be carried out in terms of the more readable IP address (both values are learned from the terminal's own traffic, so this mapping is an aid to administration rather than an authentication of the device). On the operation and maintenance side, the telnet or ssh connection details of each switch are configured in the system and the switch is configured automatically by the server, which greatly reduces the difficulty of operation and maintenance. The mac-trap function can be enabled on the switch so that MAC address online and offline events are sent to the server, speeding up the system's response.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described in the foregoing embodiments, or equivalents may be substituted for elements thereof.
Claims (6)
1. A terminal admission control method based on VLAN switching, characterized in that the method comprises the following steps:
Step one: connecting the server to the managed network requires two connections: a service management port, which provides a normally reachable IP address, and a trunk port connected to the switch;
Step two: adding the switch's connection information on the server;
Step three: the server connects to the switch using the configured connection information and configures the switch;
Step four: after the switch finds that a MAC address is online, the server immediately switches the port on which that MAC address appeared to the isolation VLAN, and the port's normal access to the network is blocked;
Step five: when a terminal in the isolation zone accesses the network, it sits in the isolation VLAN and has no connectivity to the normal network, so its packets travel along the trunk links to the trunk port connected to the server, where the server receives them; the server forwards ARP requests and DNS requests into the normal VLAN, and redirects HTTP requests to the server's address, guiding the user of the isolated terminal to network authentication;
Step six: after the user in the isolation zone downloads the software from the server and installs it, and the system has been repaired and passes the security check, the server switches the switch port on which the terminal sits to the legal VLAN, and the terminal can subsequently access the network normally.
2. The VLAN switching-based terminal admission control method according to claim 1, wherein the connection information in step two is telnet or ssh connection information.
3. The VLAN switching-based terminal admission control method according to claim 1, wherein the information for configuring the switch in step three includes the switch's manufacturer, login mode, IP address, port number, user name, password and privileged (high-level) password, and the server connects to the switch with the corresponding connection mode using this configured information to issue control commands.
4. The VLAN switching-based terminal admission control method according to claim 1, wherein in step four the switch discovers that the MAC address is online by way of a mac-trap and timed polling.
5. The VLAN switching-based terminal admission control method according to claim 4, wherein after the switch in step four finds that the MAC address is online it sends mac-trap information to the server; the server looks up the configured switch by the source IP address of the trap, connects to it with the configured information, then performs the VLAN switch on the corresponding switch port according to the port and MAC address information in the trap message, switching the port to the isolation VLAN.
6. The VLAN switching-based terminal admission control method according to claim 1, wherein in step five the packet the server obtains through the trunk port is an 802.1Q frame whose tag contains a 12-bit VLAN identifier (VID) marking the VLAN the frame belongs to; the isolation VLAN and the normal VLAN are associated in the admission system through the MAC address: if the source MAC address of the frame is an isolated MAC and the VID is the isolation VLAN, the frame is a request sent from the isolation VLAN; if the destination MAC address is an isolated MAC and the VID is the normal VLAN, the frame is a response to the isolation VLAN; for a request that is to be released, the VID field is rewritten to the ID of the normal VLAN and the modified frame is sent out through the trunk port; for a response that is to be released, the VID field is rewritten to the ID of the isolation VLAN and the modified frame is sent out through the trunk port; limited communication between the isolation VLAN and the normal VLAN is thus realized through forwarding by the server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110833900.4A CN115694850A (en) | 2021-07-23 | 2021-07-23 | VLAN switching-based terminal access control method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115694850A (en) | 2023-02-03 |
Family ID: 85043967
Country Status (1)
Country | Link | Status |
---|---|---|
CN (1) | CN115694850A (en), filed 2021-07-23 as CN202110833900.4A | Pending |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||