CN115694850A - VLAN switching-based terminal access control method - Google Patents

VLAN switching-based terminal access control method Download PDF

Info

Publication number
CN115694850A
CN115694850A CN202110833900.4A CN202110833900A CN115694850A CN 115694850 A CN115694850 A CN 115694850A CN 202110833900 A CN202110833900 A CN 202110833900A CN 115694850 A CN115694850 A CN 115694850A
Authority
CN
China
Prior art keywords
vlan
switch
server
port
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110833900.4A
Other languages
Chinese (zh)
Inventor
朱凤刚
杨黎明
张强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Chinasoft Goldencis Software Co ltd
Original Assignee
Shandong Chinasoft Goldencis Software Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Chinasoft Goldencis Software Co ltd filed Critical Shandong Chinasoft Goldencis Software Co ltd
Priority to CN202110833900.4A priority Critical patent/CN115694850A/en
Publication of CN115694850A publication Critical patent/CN115694850A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention provides a terminal access control method based on VLAN switching, which comprises the following steps: connecting a server to a governing network requires two portal connections: a service management port; trunk port of the exchanger; II, secondly: adding connection information of the switch at the server; thirdly, the method comprises the following steps: the server is connected with the switch through the configured connection information and configures the switch; fourthly, the method comprises the following steps: after the switch finds that the mac address is online, the server immediately switches the port where the mac address is located to the isolation VLAN, and normal access is blocked; fifthly: the server receives the data packet; forwarding the arp request and the dns request to a normal VLAN; for the http network request, redirecting the access address to a server, and guiding to perform network authentication; sixthly: and after the terminal user in the isolation area downloads software from the server for installation and the system is repaired and passes the security check, the server switches the port of the switch to a legal VLAN, and the switch can normally access the network subsequently.

Description

一种基于VLAN切换的终端准入控制方法A Terminal Admission Control Method Based on VLAN Switching

技术领域technical field

本发明涉及一种基于VLAN切换的终端准入控制方法,属于网络安全技术领域。The invention relates to a terminal admission control method based on VLAN switching, and belongs to the technical field of network security.

背景技术Background technique

在信息化建设全面展开的今天,越来越多的企事业单位和政务部门将信息技术应用于现代化办公和业务处理,经过多年的网络建设,已逐步形成了一个完整的网络,对于安全准入系统的灵活性、复杂度的要求随之变高。网络越来越复杂,终端接入方式也越来越多,网络中存在着各种各样的新老网络设备,存在各种复杂的网络结构,像各类终端、多种品牌的交换机等。因此,如何做到灵活控制、安全接入,在多种接入方式并存的环境下,如何很好的满足及适应客户网络的复杂性是准入研究必须解决的难题。Today, with the informatization construction in full swing, more and more enterprises, institutions and government departments are applying information technology to modern office and business processing. After years of network construction, a complete network has gradually formed. For security access The requirements for flexibility and complexity of the system become higher accordingly. The network is becoming more and more complex, and there are more and more terminal access methods. There are various new and old network devices in the network, and there are various complex network structures, such as various terminals and switches of various brands. Therefore, how to achieve flexible control and secure access, and how to satisfy and adapt to the complexity of customer networks in an environment where multiple access methods coexist are difficult problems that must be solved in access research.

VLAN安全网关技术是在基于IP的网络上建立多种虚拟网关动态切换机制的方法。VLAN安全网关技术的工作原理,克服了相同子网VLAN不能通信的难题,使得相同子网段设备虽然处于不同VLAN中,同样可以实现不在三层路由基础上仍能相互通讯的功能。与此同时,在多虚拟网关技术切换VLAN的过程中系统可以引导进入认证页面解决了非桌管客户端无法进行WEB认证的弊端。从安装的角度来看,减少了网络管理员巨大的工作量。VLAN security gateway technology is a method to establish a variety of virtual gateway dynamic switching mechanisms on an IP-based network. The working principle of VLAN security gateway technology overcomes the problem that VLANs in the same subnet cannot communicate, so that although devices in the same subnet are in different VLANs, they can still communicate with each other without layer-3 routing. At the same time, in the process of switching VLANs with multi-virtual gateway technology, the system can guide to enter the authentication page, which solves the disadvantage that non-desktop management clients cannot perform WEB authentication. From the perspective of installation, it reduces the huge workload of network administrators.

网络二层准入现有的方案还有基于802.1x技术的准入,这是交换机提供的一种接入设备认证入网的方式,通过客户端发送EAP协议的认证数据包,交换机将认证信息发送给AAA服务器进行认证,认证通过后的设备可以入网。但基于802.1x的准入方式需要交换机对802.1x支持,因而对低端老旧的设备难以实际应用,而且需要对所有交换机进行手动配置且各厂商的配置方式差异巨大,运维工作量巨大。802.1x准入依赖终端设备安装客户端,也限制了其应用范围。The existing solution for network layer 2 access is also access based on 802.1x technology. This is a method provided by the switch to authenticate access devices to the network. The client sends an authentication packet of the EAP protocol, and the switch sends the authentication information to the network. Authenticate to the AAA server, and devices that pass the authentication can access the network. However, the 802.1x-based access method requires the switch to support 802.1x, so it is difficult to apply to low-end and old equipment, and all switches need to be manually configured, and the configuration methods of each manufacturer vary greatly, resulting in a huge workload for operation and maintenance. 802.1x access depends on the terminal equipment to install the client, which also limits its application range.

基于VLAN的准入方式解决了802.1x的上述问题,但也存在一些实现难题:The VLAN-based admission method solves the above-mentioned problems of 802.1x, but there are still some implementation difficulties:

1.由于基于终端mac地址进行管理,造成了管理方面的困难。1. Due to the management based on the terminal mac address, it causes difficulties in management.

2.需要对交换机进行配置,需要有一定的运维能力。2. The switch needs to be configured, and certain operation and maintenance capabilities are required.

3.终端接入网络后,系统对其进行隔离的反应时间较长。3. After the terminal is connected to the network, the system takes a long time to isolate it.

发明内容Contents of the invention

为解决上述问题,本发明提出一种基于VLAN切换的终端准入控制方法,具体技术方案如下,In order to solve the above problems, the present invention proposes a terminal admission control method based on VLAN switching, and the specific technical scheme is as follows,

一种基于VLAN切换的终端准入控制方法,包括如下步骤:A terminal admission control method based on VLAN switching, comprising the steps of:

步骤一:将服务器连接到管控网络,需要两个网口连接:一个业务管理口,提供可以正常访问的ip地址;一个连接到交换机的trunk口;Step 1: To connect the server to the management and control network, two network ports are required to connect: one business management port, which provides an ip address that can be accessed normally; one is connected to the trunk port of the switch;

步骤二:在服务器添加交换机的连接信息;Step 2: Add the connection information of the switch to the server;

步骤三:服务器通过配置的连接信息连接交换机,并对交换机进行配置;Step 3: The server connects to the switch through the configured connection information, and configures the switch;

步骤四:交换机发现mac地址上线后,服务器立即将mac地址所在的端口切换至隔离VLAN,阻断其对网络的正常访问;Step 4: After the switch discovers that the mac address is online, the server immediately switches the port where the mac address is located to the isolated VLAN to block its normal access to the network;

步骤五:隔离区的终端用户进行网络访问时,由于处于隔离VLAN,与正常网络相互不通,数据包会通过trunk口一路传输到服务器连接的trunk口上,服务器可以接收到该数据包;对于arp请求、dns请求转发至正常VLAN;对于http的网络请求,将访问地址重定向到服务器,引导隔离区终端用户进行网络认证;Step 5: When the end users in the isolated area access the network, because they are in the isolated VLAN and cannot communicate with the normal network, the data packets will be transmitted all the way to the trunk port connected to the server through the trunk port, and the server can receive the data packet; for the arp request , dns requests are forwarded to the normal VLAN; for http network requests, the access address is redirected to the server, and the terminal users in the isolated area are guided to perform network authentication;

步骤六:隔离区终端用户从服务器下载软件安装并进行系统修复通过安全检查后,服务器将该终端用户所在的交换机端口切换至合法VLAN,后续该终端用户可以正常访问网络。Step 6: The terminal user in the isolated area downloads software from the server to install and perform system repair. After passing the security check, the server switches the switch port where the terminal user is located to a legal VLAN, and then the terminal user can access the network normally.

优选的,所述步骤二中的连接信息具体是指telnet或ssh连接信息。Preferably, the connection information in the step 2 specifically refers to telnet or ssh connection information.

优选的,所述步骤三中对交换机进行配置的信息包括交换机厂商、登录方式、ip地址、端口号、用户名、密码、高级密码,通过配置的信息,服务器可以采用对应的连接方式连接交换机下发控制命令。Preferably, the information configured on the switch in the step 3 includes the switch manufacturer, login method, ip address, port number, user name, password, and advanced password. Through the configured information, the server can use the corresponding connection method to connect to the switch. Send a control command.

优选的,所述步骤四中交换机通过mac-trap和定时轮询的方式发现mac地址上线。Preferably, in step 4, the switch discovers that the mac address is online through mac-trap and regular polling.

进一步的,所述步骤四中交换机发现mac地址上线后,交换机向服务器发送mac-trap信息,服务器通过发送trap的ip地址查找配置连接的交换机,通过该配置的信息连接交换机,然后依据trap消息中的端口和mac地址信息对交换机的对应端口进行VLAN切换,将该端口切换至隔离VLAN。Further, after the switch discovers that the mac address is online in the step 4, the switch sends mac-trap information to the server, and the server searches for the switch configured to connect by sending the ip address of the trap, connects the switch through the information of the configuration, and then according to the information in the trap message The corresponding port and mac address information of the switch is used to perform VLAN switching on the corresponding port of the switch, and the port is switched to the isolated VLAN.

优选的,所述步骤五中服务器通过trunk口获取到的数据包为802.1Q数据包,802.1Q数据包中包括12位的虚拟局域网识别符VID,虚拟局域网识别符VID标记了该数据包所在的VLAN,准入系统中通过mac地址关联了隔离VLAN和正常VLAN,如果数据包中源mac地址为隔离mac且VID为隔离VLAN,说明该数据包为隔离VLAN发出的请求数据包;如果数据包的目的mac地址为隔离mac且VID为正常VLAN,说明该数据包为到隔离VLAN的响应数据包;对于需要放行的请求包,将数据包中的VID字段修改为正常VLAN的id,然后将修改后的数据包通过trunk口发出;对于需要放行的响应包,将数据包中的VID字段修改为隔离VLAN的id,然后将修改后的数据包通过trunk口发出;通过服务器的转发,实现了隔离VLAN和正常VLAN之间有限的数据通信。Preferably, the data packet obtained by the server through the trunk port in the step 5 is an 802.1Q data packet, and the 802.1Q data packet includes a 12-bit virtual local area network identifier VID, and the virtual local area network identifier VID marks the location where the data packet is located. VLAN, the mac address in the admission system associates the isolated VLAN with the normal VLAN. If the source mac address in the data packet is the isolated mac and the VID is the isolated VLAN, it means that the data packet is a request packet sent by the isolated VLAN; The destination mac address is the isolated mac and the VID is the normal VLAN, indicating that the data packet is a response data packet to the isolated VLAN; for the request packet that needs to be released, modify the VID field in the data packet to the id of the normal VLAN, and then modify the The data packet is sent through the trunk port; for the response packet that needs to be released, the VID field in the data packet is modified to the id of the isolated VLAN, and then the modified data packet is sent through the trunk port; through the forwarding of the server, the isolated VLAN is realized Limited data communication with normal VLANs.

本发明对交换机要求比较低,交换机只需要支持VLAN配置与切换功能即可。运维量小,通过后台连接配置的方式,大大简化了运维工作量。不强制要求安装客户端,应用场景比较广泛。The present invention has relatively low requirements on the switch, and the switch only needs to support VLAN configuration and switching functions. The amount of operation and maintenance is small, and the workload of operation and maintenance is greatly simplified through the background connection configuration. It is not mandatory to install the client, and the application scenarios are relatively wide.

附图说明Description of drawings

图1是本发明一种基于VLAN切换的终端准入控制方法的工作流程图。Fig. 1 is a working flowchart of a terminal admission control method based on VLAN switching in the present invention.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

VLAN:Virtual Local Area Network,即虚拟局域网。虚拟局域网(VLAN)是一组逻辑上的设备和用户,这些设备和用户并不受物理位置的限制,可以根据功能、部门及应用等因素将它们组织起来,相互之间的通信就好像它们在同一个网段中一样,由此得名虚拟局域网。VLAN: Virtual Local Area Network, that is, a virtual local area network. A virtual local area network (VLAN) is a group of logical devices and users. These devices and users are not limited by physical locations. They can be organized according to factors such as functions, departments, and applications. They communicate with each other as if they are in It is the same in the same network segment, hence the name virtual local area network.

802.1Q:即Virtual Bridged Local Area Networks,IEEE 802.1q以及VLANTagging属于互联网下IEEE 802.1的标准规范,允许多个网桥(Bridge)在信息不被外泄的情况下公开的共享同一个实体网上。802.1Q: Virtual Bridged Local Area Networks, IEEE 802.1q and VLANTagging belong to the standard specification of IEEE 802.1 under the Internet, allowing multiple bridges (Bridge) to share the same physical network publicly without information being leaked.

如图1所示,一种基于VLAN切换的终端准入控制方法,包括如下步骤:As shown in Figure 1, a terminal admission control method based on VLAN switching includes the following steps:

步骤一:将服务器连接到管控网络,需要两个网口连接:一个业务管理口,提供可以正常访问的ip地址;一个连接到交换机的trunk口,交换机与交换机之间均通过trunk相连;Step 1: To connect the server to the management and control network, two network ports are required to connect: a business management port, which provides an ip address that can be accessed normally; a trunk port connected to the switch, and the switch is connected to the switch through the trunk;

步骤二:在服务器添加交换机的telnet或ssh连接信息;Step 2: Add the telnet or ssh connection information of the switch to the server;

步骤三:服务器通过配置的连接信息连接交换机,并对交换机进行配置;Step 3: The server connects to the switch through the configured connection information, and configures the switch;

步骤四:交换机通过mac-trap和定时轮询的方式,发现mac地址上线后,服务器立即将mac地址所在的端口切换至隔离VLAN,阻断其对网络的正常访问;Step 4: After the switch discovers that the mac address is online through mac-trap and regular polling, the server immediately switches the port where the mac address is located to an isolated VLAN to block its normal access to the network;

步骤五:隔离区的终端用户进行网络访问时,由于处于隔离VLAN,与正常网络相互不通,数据包会通过trunk口一路传输到服务器连接的trunk口上,服务器可以接收到该数据包;对于arp请求、dns请求转发至正常VLAN;对于http的网络请求,将访问地址重定向到服务器,引导隔离区终端用户进行网络认证;Step 5: When the end users in the isolated area access the network, because they are in the isolated VLAN and cannot communicate with the normal network, the data packets will be transmitted all the way to the trunk port connected to the server through the trunk port, and the server can receive the data packet; for arp requests , dns requests are forwarded to the normal VLAN; for http network requests, the access address is redirected to the server, and the terminal users in the isolated area are guided to perform network authentication;

步骤六:隔离区终端用户从服务器下载软件安装并进行系统修复通过安全检查后,服务器将该终端用户所在的交换机端口切换至合法VLAN,后续该终端用户可以正常访问网络。通过交换机mac-trap和定时轮询的方式,发现mac地址离线后,清除该终端用户的连接信息,减少系统数据维护量。Step 6: The terminal user in the isolated area downloads software from the server to install and perform system repair. After passing the security check, the server switches the switch port where the terminal user is located to a legal VLAN, and then the terminal user can access the network normally. Through switch mac-trap and regular polling, after the mac address is found to be offline, the connection information of the terminal user is cleared to reduce the amount of system data maintenance.

所述步骤三中对交换机进行配置的信息包括交换机厂商、登录方式、ip地址、端口号、用户名、密码、高级密码,通过配置的信息,服务器可以采用对应的连接方式连接交换机下发控制命令。不同厂商的交换机控制指令不同,因而需要给交换机下发对应版本的控制指令。如华为交换机将端口GigabitEthernet 0/0/1切换至VLAN 10指令为:The information configured on the switch in the step 3 includes the switch manufacturer, login method, ip address, port number, user name, password, and advanced password. Through the configured information, the server can use the corresponding connection method to connect to the switch to issue control commands . The switch control commands of different manufacturers are different, so it is necessary to deliver the corresponding version of the control command to the switch. For example, the command to switch port GigabitEthernet 0/0/1 to VLAN 10 on a Huawei switch is:

interface GigabitEthernet 0/0/1interface GigabitEthernet 0/0/1

port default VLAN 10port default VLAN 10

quitquit

当设备连接到交换机,交换机发现mac地址上线后,交换机向服务器发送mac-trap信息,服务器通过发送trap的ip地址查找配置连接的交换机,通过该配置的信息连接交换机,然后依据trap消息中的端口和mac地址信息对交换机的对应端口进行VLAN切换,将该端口切换至隔离VLAN。When the device is connected to the switch and the switch finds that the mac address is online, the switch sends mac-trap information to the server, and the server searches for the configured switch by sending the ip address of the trap, connects to the switch through the configured information, and then uses the port in the trap message and mac address information to perform VLAN switching on the corresponding port of the switch, and switch the port to the isolated VLAN.

处于隔离VLAN的设备,由于无法跟正常网络通信,因而设备发送的数据包会在隔离VLAN中进行传播。通过各节点的trunk链路,这些数据包可以一路传输到服务器连接的trunk口上,服务器可以接收到该数据包。服务器通过trunk口获取到的数据包为802.1Q数据包。802.1Q并非实际封入原始帧中,相反,在以太网帧格式里,在mac地址源与以太网类型/长度的原始帧里添加一32位的域(field)。VLAN标签领域必须遵守下列格式:The device in the isolated VLAN cannot communicate with the normal network, so the data packets sent by the device will be propagated in the isolated VLAN. Through the trunk links of each node, these data packets can be transmitted all the way to the trunk port connected to the server, and the server can receive the data packets. The data packets obtained by the server through the trunk port are 802.1Q data packets. 802.1Q is not actually encapsulated in the original frame, instead, in the Ethernet frame format, a 32-bit field (field) is added to the original frame of the mac address source and the Ethernet type/length. The VLAN tag field must adhere to the following format:

16bits16bits 3bits3bits 1bit1 bit 12bits12bits TPIDTPID PCPPCP CFICFI VIDVID

标签协议识别符(Tag Protocol Identifier,TPID):一组16位的域其数值被设置在0x8100,以用来辨别某个IEEE 802.1q的帧成为“已被标注的”,而这个域所被标定位置与以太形式/长度与未标签帧的域相同,这是为了用来区别未标签的帧。Tag Protocol Identifier (TPID): A set of 16-bit fields whose value is set at 0x8100 to identify an IEEE 802.1q frame as "marked", and this field is marked The position is the same as the field of the ether form/length and the untagged frame, which is used to distinguish the untagged frame.

优先权代码点(Priority Code Point,PCP):以一组3比特的域当作IEEE 802.1q优先权的参考,从0(最低)到7(最高),用来对数据流(音频、视频、文件等等)作传输的优先级。Priority Code Point (Priority Code Point, PCP): A set of 3-bit domains is used as a reference for IEEE 802.1q priority, from 0 (lowest) to 7 (highest), used for data streams (audio, video, files, etc.) as the transfer priority.

标准格式指示(Canonical Format Indicator,CFI):1比特的域。若是这个域的值为1,则mac地址则为非标准格式;若为0,则为标准格式;在以太交换器中他通常默认为0。在以太和令牌环中,CFI用来做为两者的兼容。若帧在以太端中接收数据则CFI的值须设为1,且这个端口不能与未标签的其他端口桥接。Canonical Format Indicator (Canonical Format Indicator, CFI): a 1-bit field. If the value of this field is 1, the mac address is in non-standard format; if it is 0, it is in standard format; it usually defaults to 0 in Ethernet switches. In Ethernet and Token Ring, CFI is used as a compatibility between the two. The value of CFI must be set to 1 if the frame is receiving data on the Ethernet port, and this port cannot be bridged with other untagged ports.

虚拟局域网识别符(VLAN Identifier,VID):12位的域,用来具体指出帧是属于哪个特定VLAN。值为0时,表示帧不属于任何一个VLAN;此时,802.1Q标签代表优先权。12位的值0x000和0xFFF为保留值,其他的值都可用来做为共4094个VLAN的识别符。在桥接器上,VLAN1在管理上做为保留值。这个12位的域可分为两个6比特的域以延伸目的(Destination)与源(Source)之48位地址,18位的三重标记(Triple-Tagging)可和原本的48位相加成为66比特的地址。Virtual Local Area Network Identifier (VLAN Identifier, VID): a 12-bit field, used to specifically indicate which specific VLAN the frame belongs to. When the value is 0, it means that the frame does not belong to any VLAN; at this time, the 802.1Q tag represents the priority. The 12-bit values 0x000 and 0xFFF are reserved values, and other values can be used as identifiers for a total of 4094 VLANs. On the bridge, VLAN1 is administratively reserved. This 12-bit field can be divided into two 6-bit fields to extend the 48-bit address of the destination (Destination) and the source (Source), and the 18-bit triple-tagging (Triple-Tagging) can be added to the original 48 bits to become 66 bit address.

服务器主要关注VLAN标签中的VID字段,该字段标记了该数据包所在的VLAN。准入系统中通过mac地址关联了隔离VLAN和正常VLAN。如果数据包中源mac地址为隔离mac且VID为隔离VLAN,说明该数据包为隔离VLAN发出的请求数据包。如果数据包的目的mac地址为隔离mac且VID为正常VLAN,说明该数据包为到隔离VLAN的响应数据包。对于需要放行的请求包,将数据包中的VID字段修改为正常VLAN的id,然后将修改后的数据包通过trunk口发出。对于需要放行的响应包,将数据包中的VID字段修改为隔离VLAN的id,然后将修改后的数据包通过trunk口发出。通过服务器的转发,实现了隔离VLAN和正常VLAN之间有限的数据通信。The server mainly pays attention to the VID field in the VLAN tag, which marks the VLAN in which the data packet is located. In the admission system, the isolation VLAN and the normal VLAN are associated through the mac address. If the source mac address in the data packet is the isolated mac and the VID is the isolated VLAN, it means that the data packet is a request packet sent by the isolated VLAN. If the destination mac address of the data packet is an isolated mac and the VID is a normal VLAN, it means that the data packet is a response data packet to the isolated VLAN. For the request packet that needs to be released, modify the VID field in the data packet to the id of the normal VLAN, and then send the modified data packet through the trunk port. For the response packet that needs to be released, modify the VID field in the data packet to the id of the isolated VLAN, and then send the modified data packet through the trunk port. Through the forwarding of the server, the limited data communication between the isolated VLAN and the normal VLAN is realized.

如,内网中有一台接入交换机,正常访问的VLAN为10。将VLAN服务器连接到核心交换机,服务器的业务地址与VLAN10可以正常通信。设备连接到交换机时,交换机发送mac-trap信息到服务器,服务器通过解析,识别到该交换机的A端口有mac地址接入。服务器通过配置的连接信息连接交换机,将A端口切换至配置的隔离VLAN 999,从而将接入设备隔离,无法与网络内的合法设备通信。For example, there is an access switch in the intranet, and VLAN 10 is normally accessed. Connect the VLAN server to the core switch, and the service address of the server can communicate with VLAN10 normally. When the device is connected to the switch, the switch sends mac-trap information to the server, and the server recognizes that the A port of the switch has a mac address through analysis. The server connects to the switch through the configured connection information, and switches the A port to the configured isolation VLAN 999, so that the access device is isolated and cannot communicate with legitimate devices in the network.

设备接入之后对网络发起访问,服务器通过trunk口获取到访问数据包,并对arp、dns等基础请求转发到正常VLAN,同时将http请求重定向到服务器的页面地址,引导用户进行认证。用户在服务器的引导下正常认证放行之后,服务器将设备所在交换机的端口切换回正常VLAN,该设备可以正常入网。After the device is connected, it initiates access to the network, and the server obtains the access data packet through the trunk port, and forwards basic requests such as arp and dns to the normal VLAN, and at the same time redirects the http request to the page address of the server to guide the user to authenticate. After the user passes the normal authentication under the guidance of the server, the server switches the port of the switch where the device is located back to the normal VLAN, and the device can access the network normally.

本发明通过终端信息、交换机arp缓存信息对IP和MAC地址进行匹配,从而可以通过可读性更高的IP地址的形式进行管理;运维方面,通过在系统中对交换机telnet或ssh连接进行配置,可以通过服务器自动对交换机进行配置,大大简化了运维的难度。可以通过在交换机上开启mac-trap功能,向服务器发送mac地址上线和离线信息,从而加速系统的反应速度。The present invention matches the IP and MAC addresses through the terminal information and the arp cache information of the switch, so that it can be managed in the form of a more readable IP address; in terms of operation and maintenance, the telnet or ssh connection of the switch is configured in the system , the switch can be automatically configured through the server, which greatly simplifies the difficulty of operation and maintenance. You can enable the mac-trap function on the switch to send the mac address online and offline information to the server, thereby speeding up the response speed of the system.

尽管参照前述实施例对本发明进行了详细的说明,对于本领域的技术人员来说,其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。Although the present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art can still modify the technical solutions described in the aforementioned embodiments, or perform equivalent replacements for some of the technical features. Within the spirit and principles of the present invention, any modifications, equivalent replacements, improvements, etc., shall be included in the protection scope of the present invention.

Claims (6)

1. A terminal access control method based on VLAN switching is characterized in that: the method comprises the following steps:
the method comprises the following steps: connecting a server to a management and control network requires two portal connections: a service management port for providing ip address which can be accessed normally; a trunk port connected to the switch;
step two: adding connection information of the switch at the server;
step three: the server is connected with the switch through the configured connection information and configures the switch;
step four: after the switch finds that the mac address is online, the server immediately switches the port where the mac address is located to the isolation VLAN, and normal access of the port to the network is blocked;
step five: when the terminal user in the isolation area accesses the network, because the terminal user is in the isolation VLAN and is not communicated with the normal network, the data packet can be transmitted to a trunk port connected with the server through the trunk port, and the server can receive the data packet; forwarding the arp request and the dns request to a normal VLAN; for the http network request, redirecting the access address to a server, and guiding the terminal user in the isolation area to perform network authentication;
step six: after the terminal user in the isolation area downloads software from the server for installation and the system is repaired and passes the security check, the server switches the port of the switch where the terminal user is located to a legal VLAN, and the subsequent terminal user can normally access the network.
2. A VLAN switching based terminal admission control method according to claim 1, wherein: the connection information in the second step specifically refers to telnet or ssh connection information.
3. The VLAN switching-based terminal admission control method according to claim 1, wherein: the information configuring the switch in the third step includes a manufacturer of the switch, a login mode, an ip address, a port number, a user name, a password and a high-level password, and the server can be connected with the switch by adopting a corresponding connection mode to issue a control command through the configured information.
4. The VLAN switching-based terminal admission control method according to claim 1, wherein: and the switch in the fourth step discovers the mac address online through a mac-trap and a timed polling mode.
5. A VLAN switch based terminal admission control method according to claim 4, characterised in that: and after finding that the mac address is online, the switch in the fourth step sends mac-trap information to the server, the server searches for the switch configured and connected through sending the ip address of the trap, connects the switch through the configured information, and then performs VLAN switching on the corresponding port of the switch according to the port and the mac address information in the trap message, and switches the port to the isolation VLAN.
6. The VLAN switching-based terminal admission control method according to claim 1, wherein: in the fifth step, the data packet obtained by the server through the trunk port is an 802.1Q data packet, the 802.1Q data packet includes a 12-bit virtual local area network identifier VID, the virtual local area network identifier VID marks the VLAN where the data packet is located, the isolated VLAN and the normal VLAN are associated in the admission system through the mac address, and if the source mac address in the data packet is the isolated mac and the VID is the isolated VLAN, it indicates that the data packet is a request data packet sent by the isolated VLAN; if the destination mac address of the data packet is the isolation mac and the VID is the normal VLAN, the data packet is a response data packet to the isolation VLAN; for a request packet needing to be released, modifying a VID field in a data packet into an id of a normal VLAN, and then sending out the modified data packet through a trunk port; for response packets needing to be released, modifying VID fields in the data packets into id of an isolation VLAN, and then sending out the modified data packets through trunk ports; limited data communication between the isolated VLAN and the normal VLAN is realized through the forwarding of the server.
CN202110833900.4A 2021-07-23 2021-07-23 VLAN switching-based terminal access control method Pending CN115694850A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110833900.4A CN115694850A (en) 2021-07-23 2021-07-23 VLAN switching-based terminal access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110833900.4A CN115694850A (en) 2021-07-23 2021-07-23 VLAN switching-based terminal access control method

Publications (1)

Publication Number Publication Date
CN115694850A true CN115694850A (en) 2023-02-03

Family

ID=85043967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110833900.4A Pending CN115694850A (en) 2021-07-23 2021-07-23 VLAN switching-based terminal access control method

Country Status (1)

Country Link
CN (1) CN115694850A (en)

Similar Documents

Publication Publication Date Title
US7469298B2 (en) Method and system for enabling layer 2 transmission of IP data frame between user terminal and service provider
US6167052A (en) Establishing connectivity in networks
CN102106122B (en) System and method for DSL subcriber identification over Ethernet network
CN107959654B (en) A data transmission method, device and hybrid cloud system
CN103747499B (en) For for the wired and public control protocol of radio node method and apparatus
US9001829B2 (en) Techniques for routing data between network areas
CN101006707B (en) Method for switching Ip packets between client networks and Ip provider networks by means of an access network
JP5053376B2 (en) Point-to-multipoint capability in bridged networks
AU2003243064B2 (en) An arrangement and a method relating to ethernet access systems
US9300604B2 (en) Multiple prefix connections with translated virtual local area network
JP2009530973A (en) Logical group endpoint discovery for data communication networks
KR20120100927A (en) Implementation method and system of virtual private network
WO2004107671A1 (en) Communication device
WO2007124679A1 (en) Method and system of network communication
CN103327137A (en) Router domain name access method
WO2008037210A1 (en) Method and device for transferring message in virtual private lan
WO2006108344A1 (en) Method for realizing vpn
CN1266887C (en) Virtual switch for supplying virtual LAN service and method
CN109391517B (en) Method for monitoring data traffic in an overlay network
EP1940085B1 (en) Method and device for service binding
WO2007104201A1 (en) A method for forwarding message in the service tunnel of the ethernet application and a system thereof
KR20060059877A (en) Apparatus and method for Ethernet access system
KR20170001655A (en) Method for user authentication, and method for controlling service function chain by using the same
CN115694850A (en) VLAN switching-based terminal access control method
CN115348238A (en) DHCP relay method, VTEP gateway, electronic device and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20230203