CN117792751A - Learning limiting method and device for source MAC address, computing equipment and storage medium - Google Patents

Publication number: CN117792751A
Application number: CN202311835248.5A
Authority: CN (China)
Legal status: Pending (the listed legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 李文军, 张永
Current Assignee: Beijing Wuxin Technology Co ltd (the listed assignees may be inaccurate)
Original Assignee: Beijing Wuxin Technology Co ltd
Prior art keywords: vlan, learning, source mac, mac address, learned
Classification: Small-Scale Networks (AREA)

Abstract

The application relates to a learning restriction method, a learning restriction device, a computing device and a storage medium for a source MAC address. The method comprises the following steps: receiving a message sent by a terminal, and determining a source MAC address and a VLAN ID in the message; querying the MAC table entry for data corresponding to the VLAN ID and the source MAC address, and, when the query misses, acquiring the learned number and the maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table; and, when the learned number is less than the maximum allowed learning number, learning the source MAC address and updating the learned number. By limiting the maximum allowed learning number in the VLAN learning restriction table, a hacker is prevented from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be processed normally once the MAC table entry resources are exhausted, and ensures the normal use of the switch device.

Description

Learning limiting method and device for source MAC address, computing equipment and storage medium
Technical Field
The present disclosure relates to the field of MAC address learning technologies, and in particular, to a method, an apparatus, a computing device, and a storage medium for limiting learning of a source MAC address.
Background
An Ethernet switch is a switch that transmits data over Ethernet; it is a network device that forwards Ethernet data frames based on MAC (Media Access Control) address identification.
A MAC address table is kept in the Ethernet switch, recording the correspondence between all MAC addresses in the network and the ports of the switch.
Because the capacity of the MAC address table of the Ethernet switch is limited, if an attacker forges a large number of unknown MAC addresses to communicate, the Ethernet switch keeps learning them until the MAC address table reaches its storage limit and no new MAC address can be added to it. Data is then broadcast, forming a MAC flooding attack: the attacker can capture data frames, network security is poor, and network bandwidth resources are exhausted, which affects the normal use of the Ethernet switch.
Disclosure of Invention
In view of the above problems in the prior art, the present application provides a method, an apparatus, a computing device, and a storage medium for restricting learning of a source MAC address. They prevent a hacker from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be handled normally once the MAC table entry resources are exhausted, and ensure normal use of the switch device.
To achieve the above object, a first aspect of the present application provides a method for restricting learning of a source MAC address, which is applied to a switch device, where the switch device is configured with a MAC table entry, a VLAN table, and a VLAN learning restriction table, and includes:
receiving a message sent by a terminal, and determining a source MAC address and a VLAN ID in the message;
querying the MAC table entry for data corresponding to the VLAN ID and the source MAC address, and, when the query misses, acquiring the learned number and the maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table;
when the learned number is less than the maximum allowed learning number, learning the source MAC address and updating the learned number.
By limiting the maximum allowed learning number in the VLAN learning restriction table, the method prevents a hacker from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be processed normally once the MAC table entry resources are exhausted, and ensures the normal use of the switch device. While the number of learned source MAC addresses has not reached the maximum allowed learning number, new source MAC addresses can still be learned, so the space of the MAC table entry is fully used and subsequent data transmission and routing are facilitated.
As a possible implementation manner of the first aspect, the MAC entry includes a source MAC address and an FID corresponding to the VLAN ID;
the querying the data corresponding to the VLAN ID and the source MAC address in the MAC entry includes:
acquiring an FID corresponding to the VLAN ID in the message;
and according to the obtained FID and the source MAC address, inquiring data corresponding to the FID and the source MAC address in the MAC table entry.
From the above, the MAC entry is queried based on the FID and the source MAC address, so as to determine whether there is data corresponding to the FID and the source MAC address in the MAC entry.
As a possible implementation manner of the first aspect, the MAC entry further includes an ingress port of a switch device;
the method further comprises the steps of:
when data corresponding to the FID and the source MAC address is found in the MAC table entry, querying the MAC table entry for the ingress port of the switch device corresponding to the source MAC address;
determining the ingress port of the switch device on which the message was received;
and determining that the query misses when the queried ingress port is inconsistent with the determined ingress port.
From the above, the queried ingress port is compared with the determined ingress port to determine whether the query hits, enabling the switch device to dynamically adjust its subsequent execution policy. Specifically, when the query hit is determined, the switch device forwards the received message to the corresponding port according to the queried ingress port, so that the data frame can be ensured to be transmitted according to the expected path; when a query miss is determined, a subsequent procedure of learning the source MAC address is performed.
As one possible implementation manner of the first aspect, the obtaining the learned number and the maximum allowed learned number of the source MAC addresses corresponding to the VLAN IDs in the VLAN learning restriction table includes:
calculating an index value according to the FID corresponding to the VLAN ID and a preset offset value;
and reading the content corresponding to the index value in the MAC table item according to the index value, wherein the content comprises the learned number and the maximum allowed learning number of the source MAC address.
From the above, the index into the VLAN learning restriction table can be determined from the FID and the offset value. The index locates the position, in the VLAN learning restriction table, of the VLAN ID corresponding to the FID, so that the learned number and the maximum allowable learning number of source MAC addresses corresponding to that VLAN ID can be acquired.
As a possible implementation manner of the first aspect, the learning the source MAC address includes:
writing the source MAC address, the ingress port of the switch device that received the message, and the FID corresponding to the VLAN ID into the MAC table entry.
In this way the MAC table entry is updated, which improves lookup efficiency and accuracy when the switch device subsequently queries the MAC table entry for data corresponding to the VLAN ID and the source MAC address.
As a possible implementation manner of the first aspect, the updating the learned number includes:
the learned number in the VLAN learning restriction table is increased by 1.
From the above, each time the switch device learns a new source MAC address, the learned number is increased by 1 so that it reflects the number of source MAC addresses the switch device has learned. Once the number of learned source MAC addresses is equal to or greater than the maximum allowable learning number, the learned number is no longer updated, which prevents data overflow.
As a possible implementation manner of the first aspect, the method further includes:
inquiring the VLAN table to obtain the state of a VLAN learning switch corresponding to the VLAN ID;
and when the state of the VLAN learning switch is enabled, acquiring the learned number and the maximum allowed learned number of the source MAC address corresponding to the VLAN ID in the VLAN learning restriction table.
Thus, when the state of the VLAN learning switch is enabled, the acquired learned number and maximum allowed learning number of source MAC addresses corresponding to the VLAN ID provide an accurate basis for the subsequent learning of the source MAC address.
To achieve the above object, a second aspect of the present application provides a learning restriction device for a source MAC address, the learning restriction device being configured with a MAC table entry, a VLAN table, and a VLAN learning restriction table, comprising:
the receiving unit is used for receiving the message sent by the terminal and determining a source MAC address and VLAN ID in the message;
an obtaining unit, configured to query the MAC entry for data corresponding to the VLAN ID and the source MAC address, and obtain a learned number and a maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table when the query is missed;
a learning unit configured to learn the source MAC address and update the learned number when the learned number is smaller than the maximum allowable learning number.
By limiting the maximum allowable learning number in the VLAN learning restriction table, the learning restriction device prevents a hacker from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be processed normally once the MAC table entry resources are exhausted, and ensures normal use of the switch device. While the number of learned source MAC addresses has not reached the maximum allowable learning number, new source MAC addresses can still be learned, so the space of the MAC table entry is fully used and subsequent data transmission and routing are facilitated.
To achieve the above object, a third aspect of the present application provides a computing device, including:
a processor; and
a memory having stored thereon program instructions that, when executed by the processor, cause the processor to perform any of the learning restriction methods of the first aspect.
To achieve the above object, a fourth aspect of the present application provides a storage medium having stored thereon program instructions that, when executed by a computer, cause the computer to perform any one of the learning restriction methods of the first aspect.
Drawings
Fig. 1 is a schematic flow chart of main steps of a learning restriction method for a source MAC address provided in the present application;
FIG. 2 is a flow chart of steps of a method for learning restriction of source MAC addresses according to one embodiment provided herein;
FIG. 3 is a schematic diagram of a source MAC address learning restriction device provided in the present application;
FIG. 4 is a schematic structural diagram of a computing device provided herein;
It should be understood that in the foregoing structural schematic diagrams, the sizes and forms of the respective block diagrams are for reference only and should not constitute an exclusive interpretation of the embodiments of the present invention. The relative positions and inclusion relationships between the blocks presented by the structural diagrams are merely illustrative of structural relationships between the blocks, and are not limiting of the physical connection of embodiments of the present invention.
Detailed Description
The technical scheme provided by the application is further described below by referring to the accompanying drawings and examples. It should be understood that the system structures and service scenarios provided in the embodiments of the present application are mainly for illustrating possible implementations of the technical solutions of the present application, and should not be construed as the only limitation of the technical solutions of the present application. As one of ordinary skill in the art can know, with the evolution of the system structure and the appearance of new service scenarios, the technical scheme provided in the application is applicable to similar technical problems.
It should be understood that the technical solution provided in the embodiments of the present application includes a learning restriction method, apparatus, switch, computing device and storage medium for a source MAC address. Because the principles of solving the problems in these technical solutions are the same or similar, in the following description of the specific embodiments, some repetition is not described in detail, but it should be considered that these specific embodiments have mutual references and can be combined with each other.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. If there is a discrepancy, the meaning described in the present specification or the meaning obtained from the content described in the present specification is used. In addition, the terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
The embodiment of the application provides a learning restriction method for a source MAC address, which is applied to a switch device, wherein the switch device is configured with a MAC table entry, a VLAN table and a VLAN learning restriction table. As shown in fig. 1, the method comprises the following steps:
S101, receiving a message sent by a terminal, and determining a source MAC address and VLAN ID in the message;
S102, querying the MAC table entry for data corresponding to the VLAN ID and the source MAC address, and, when the query misses, acquiring the learned number and the maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table;
It should be noted that, in step S102, the VLAN ID may be obtained from the message, or may be configured by the switch device. In practical applications this can be set according to actual conditions and is not particularly limited, which meets the requirements of different scenarios and improves the flexibility of the design.
S103, when the learned number is smaller than the maximum allowed learning number, learning the source MAC address and updating the learned number.
Therefore, the application provides a learning restriction method for the source MAC address. By limiting the maximum allowable learning number in the VLAN learning restriction table, it prevents a hacker from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be processed normally once the MAC table entry resources are exhausted, and ensures the normal use of the switch device. While the number of learned source MAC addresses has not reached the maximum allowable learning number, new source MAC addresses can still be learned, so the space of the MAC table entry is fully used and subsequent data transmission and routing are facilitated.
In some embodiments, the MAC entry includes a FID corresponding to a source MAC address and a VLAN ID;
the querying the data corresponding to the VLAN ID and the source MAC address in the MAC entry includes:
acquiring an FID corresponding to the VLAN ID in the message;
and according to the obtained FID and the source MAC address, inquiring data corresponding to the FID and the source MAC address in the MAC table entry.
How to acquire the FID corresponding to the VLAN ID in the message will be explained as follows.
Specifically, a VLAN mapping table is configured on the switch device, and the VLAN mapping table records the correspondence between each VLAN ID and FID. When the switch device receives a message sent by a terminal, the message carries a VLAN ID that identifies the VLAN to which the message belongs, and the switch device looks up the FID corresponding to that VLAN ID in the VLAN mapping table.
Illustratively, the VLAN mapping table may contain the following entries:
VLAN ID 10 corresponds to FID 0x100
VLAN ID 20 corresponds to FID 0x200
VLAN ID 30 corresponds to FID 0x300
For example, if the VLAN ID in the packet received by the switch device is 20, the switch device may find the FID corresponding to the VLAN ID in the VLAN mapping table to be 0x200.
In summary, the FID corresponding to the VLAN ID can be obtained. Of course, other methods known to those skilled in the art may be used, and are not particularly limited herein.
In addition, the following method may be adopted to query the MAC table entry for data corresponding to the obtained FID and the source MAC address: combine the source MAC address and the FID to form a unique identifier, perform a HASH operation on the identifier to generate a unique HASH value, and use the HASH value to search the MAC table entry for the data corresponding to the FID and the source MAC address.
Thus, the MAC table entry is queried based on the FID and the source MAC address to determine whether the data corresponding to the FID and the source MAC address exists in the MAC table entry.
In some embodiments, the MAC entry further includes an ingress port of a switch device;
the method further comprises the steps of:
when data corresponding to the FID and the source MAC address is found in the MAC table entry, querying the MAC table entry for the ingress port of the switch device corresponding to the source MAC address;
determining the ingress port of the switch device on which the message was received;
and determining that the query misses when the queried ingress port is inconsistent with the determined ingress port.
The following is a specific description by way of two examples.
In example 1, if it is determined that the ingress port of the switch device receiving the packet is port 1, the ingress port of the switch device corresponding to the source MAC address queried from the MAC entry is port 1, that is, the queried ingress port is consistent with the determined ingress port, then it is determined as a query hit.
In example 2, if it is determined that the ingress port of the switch device receiving the packet is port 1, the ingress port of the switch device corresponding to the source MAC address queried from the MAC entry is port 2, that is, the queried ingress port is inconsistent with the determined ingress port, it is determined as a query miss.
In this way, the queried ingress port is compared with the determined ingress port to determine whether the query hits, enabling the switch device to dynamically adjust its subsequent execution policy. Specifically, when the query hit is determined, the switch device forwards the received message to the corresponding port according to the queried ingress port, so that the data frame can be ensured to be transmitted according to the expected path; when a query miss is determined, a subsequent procedure of learning the source MAC address is performed.
In some embodiments, the obtaining the learned number and the maximum allowed learned number of the source MAC addresses corresponding to the VLAN IDs in the VLAN learning restriction table includes:
calculating an index value according to the FID corresponding to the VLAN ID and a preset offset value;
and reading the content corresponding to the index value in the MAC table item according to the index value, wherein the content comprises the learned number and the maximum allowed learning number of the source MAC address.
It is noted that the maximum allowable learning number in the VLAN learning restriction table is 4095, that is, the range of the VLAN learning restriction table is 1 to 4095, which is specified by the international standard.
Setting the maximum allowable learning number in the VLAN learning restriction table to 4095 means that every VLAN must be allocated logic resources to record its data, so a large amount of logic resources is occupied. In practical applications, however, not all of the data in the VLAN learning restriction table may be used, so the user may set the maximum allowable learning number of the VLAN learning restriction table (a number smaller than 4095) according to actual requirements. The resources required for 4095 then do not have to be allocated, and the VLAN learning restriction table is compressed. For example, the maximum allowable learning number in the VLAN learning restriction table can be configured directly from the number of VLANs that may be used, such as 512 or 256, which directly compresses the VLAN learning restriction table.
In addition, suppose the maximum allowable learning number is configured as 512 but the starting VLAN number is not 0. The offset value can then be set according to the starting value (i.e., the minimum number) of the VLAN numbers; that is, the offset value determines the starting VLAN number in the VLAN learning restriction table. In the following examples the maximum allowable learning number in the VLAN learning restriction table is configured as 512:
If the offset is set to 0, the VLAN numbers range from 1 to 512; that is, the switch device can learn and manage the data of VLANs numbered 1 to 512. Entry 1 of the VLAN learning restriction table records the information corresponding to VLAN 1, and entry 512 records the information corresponding to VLAN 512.
If the offset is set to 1, the VLAN numbers range from 2 to 513; that is, the switch device can learn and manage the data of VLANs numbered 2 to 513. Entry 1 of the VLAN learning restriction table records the information corresponding to VLAN 2, and entry 512 records the information corresponding to VLAN 513.
If the offset is set to 512, the VLAN numbers range from 513 to 1024; that is, the switch device can learn and manage the data of VLANs numbered 513 to 1024. Entry 1 of the VLAN learning restriction table records the information corresponding to VLAN 513, and entry 512 records the information corresponding to VLAN 1024.
In the prior art, when the largest VLAN ID is VLAN 1024, the information corresponding to VLAN 1024 has to be recorded in the 1024th table entry; that is, even if the starting VLAN ID is VLAN 513, the VLAN learning restriction table needs 1024 entries, and entries 1 to 512 are left blank. When the offset is used, a VLAN learning restriction table containing 512 entries can record VLAN 513 to VLAN 1024, thereby compressing the VLAN learning restriction table.
From the above, the offset establishes the relationship between a VLAN ID and the table entry that stores it. Note that the description above uses the VLAN ID only for ease of understanding; this application actually uses the FID corresponding to the VLAN ID, so it is the FID and the table entry storing the VLAN ID that are related by the offset. In other words, the index into the VLAN learning restriction table can be determined from the FID and the offset value. The index locates the position of the VLAN ID corresponding to the FID in the VLAN learning restriction table (that is, the table entry storing that VLAN ID), so that the learned number and the maximum allowable learning number of source MAC addresses corresponding to the VLAN ID can be obtained.
The value of the index may be obtained by subtracting the offset value from the FID value.
For example, the FID value is 513 and the offset value is 1, then the index value is 513-1=512. Based on this index value, a corresponding entry may be queried in the VLAN learning restriction table, which may contain the learned number and the maximum allowed learned number of source MAC addresses corresponding to the VLAN ID.
In some embodiments, the learning the source MAC address includes:
writing the source MAC address, the ingress port of the switch device currently corresponding to the source MAC address, and the FID corresponding to the VLAN ID into the MAC table entry.
In this way the MAC table entry is updated, which improves lookup efficiency and accuracy when the switch device subsequently queries the MAC table entry for data corresponding to the VLAN ID and the source MAC address.
In some embodiments, the updating the learned number includes:
the learned number in the VLAN learning restriction table is increased by 1.
Thus, each time the switch device learns a new source MAC address, the learned number is increased by 1 so that it reflects the number of source MAC addresses the switch device has learned. Once the number of learned source MAC addresses is equal to or greater than the maximum allowable learning number, the learned number is no longer updated, which prevents data overflow.
In some embodiments, the method further comprises:
inquiring the VLAN table to obtain the state of a VLAN learning switch corresponding to the VLAN ID;
and when the state of the VLAN learning switch is enabled, acquiring the learned number and the maximum allowed learned number of the source MAC address corresponding to the VLAN ID in the VLAN learning restriction table.
Thus, when the state of the VLAN learning switch is enabled, the acquired learned number and maximum allowed learning number of source MAC addresses corresponding to the VLAN ID provide an accurate basis for the subsequent learning of the source MAC address.
To illustrate the above method, the present application provides an embodiment; refer to fig. 2.
The method is applied to the switch device, and the switch device is configured with a MAC table entry, a VLAN table and a VLAN learning restriction table, as shown in fig. 2.
The MAC table entry includes: the source MAC address, the FID corresponding to the VLAN ID, and the ingress port of the switch device.
The VLAN table includes: the VLAN ID and the state of the VLAN learning switch corresponding to the VLAN ID. Specifically, the state of the VLAN learning switch is either VLAN learning switch enabled or VLAN learning switch disabled.
The VLAN learning restriction table includes: the learned number and the maximum allowed learning number of source MAC addresses corresponding to VLAN IDs.
The method specifically comprises the following steps:
S201, receiving a message sent by a terminal, and determining the source MAC address and VLAN ID in the message;
S202, acquiring the FID in one-to-one correspondence with the VLAN ID;
S203, judging, according to the acquired FID and the source MAC address, whether data corresponding to the FID and the source MAC address can be found in the MAC table entry; if yes, executing step S204; if not, executing step S208;
S204, querying the MAC table entry for the ingress port of the switch device corresponding to the source MAC address;
S205, determining the ingress port of the switch device on which the message was received;
S206, judging whether the queried ingress port is consistent with the determined ingress port; if yes, executing step S207; if not, executing step S208;
S207, sending the received message to the corresponding port;
S208, querying and judging whether the state of the VLAN learning switch corresponding to the VLAN ID is enabled; if yes, executing step S209; if not, executing step S212;
S209, acquiring the learned number and the maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table;
S210, judging whether the learned number is smaller than the maximum allowable learning number; if yes, executing step S211; if not, executing step S212;
S211, writing the source MAC address, the ingress port of the switch device that received the message, and the FID corresponding to the VLAN ID into the MAC table entry;
S212, discarding the received message.
Therefore, the application provides a learning restriction method for the source MAC address. By limiting the maximum allowable learning number in the VLAN learning restriction table, it prevents a hacker from consuming the resources of the MAC table entry by forging a large number of source MAC addresses in the same VLAN, which avoids the problem that network traffic cannot be processed normally once the MAC table entry resources are exhausted, and ensures the normal use of the switch device. While the number of learned source MAC addresses has not reached the maximum allowable learning number, new source MAC addresses can still be learned, so the space of the MAC table entry is fully used and subsequent data transmission and routing are facilitated.
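The flow of steps S201 to S212, together with the index = FID - offset lookup described earlier, as an added C model that is not the applicant's code. Table sizes, the FNV-1a hash, FID equal to VLAN ID, the drop on an FID outside the limit table, and counting a port move without consuming a new slot are assumptions of this example.

```c
/* Added example, not the patent's code: software model of steps S201-S212. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_TABLE_SIZE 64 /* assumption: small table for illustration */
#define LIMIT_ENTRIES  8  /* assumption: compressed limit table, entries 1..8 */

enum verdict { FORWARD, LEARNED, DROPPED };

struct mac_entry  { uint8_t used, mac[6]; uint16_t fid, port; };
struct vlan_cfg   { uint16_t fid; uint8_t learn_enable; };
struct vlan_limit { uint16_t learned, max_learn; };

struct sw {
    struct mac_entry  mac_table[MAC_TABLE_SIZE];
    struct vlan_cfg   vlan[4096];               /* VLAN table plus VLAN->FID map */
    struct vlan_limit limit[LIMIT_ENTRIES + 1]; /* VLAN learning restriction table */
    uint16_t          offset;                   /* preset offset value */
};

/* FNV-1a over FID||MAC (assumption: the page only says "a HASH operation"). */
static uint32_t hash_key(uint16_t fid, const uint8_t mac[6]) {
    uint8_t key[8] = { (uint8_t)(fid >> 8), (uint8_t)fid };
    uint32_t h = 2166136261u;
    memcpy(key + 2, mac, 6);
    for (int i = 0; i < 8; i++) { h ^= key[i]; h *= 16777619u; }
    return h;
}

/* Linear probing; with want_free set, returns the first empty slot instead. */
static struct mac_entry *mac_find(struct sw *s, uint16_t fid,
                                  const uint8_t mac[6], int want_free) {
    uint32_t h = hash_key(fid, mac);
    for (uint32_t i = 0; i < MAC_TABLE_SIZE; i++) {
        struct mac_entry *e = &s->mac_table[(h + i) % MAC_TABLE_SIZE];
        if (!e->used) return want_free ? e : NULL;
        if (!want_free && e->fid == fid && memcmp(e->mac, mac, 6) == 0) return e;
    }
    return NULL;
}

/* index = FID - offset; NULL when the FID is outside the compressed table. */
static struct vlan_limit *limit_entry(struct sw *s, uint16_t fid) {
    int idx = (int)fid - (int)s->offset;
    return (idx >= 1 && idx <= LIMIT_ENTRIES) ? &s->limit[idx] : NULL;
}

void sw_init(struct sw *s, uint16_t offset) {
    memset(s, 0, sizeof *s);
    s->offset = offset;
}

void vlan_setup(struct sw *s, uint16_t vlan_id, uint16_t fid,
                int learn_enable, uint16_t max_learn) {
    struct vlan_limit *l = limit_entry(s, fid);
    s->vlan[vlan_id & 0x0fff].fid = fid;
    s->vlan[vlan_id & 0x0fff].learn_enable = (uint8_t)learn_enable;
    if (l) l->max_learn = max_learn;
}

enum verdict process_frame(struct sw *s, const uint8_t src[6],
                           uint16_t vlan_id, uint16_t in_port) {
    const struct vlan_cfg *v = &s->vlan[vlan_id & 0x0fff];
    struct mac_entry *e = mac_find(s, v->fid, src, 0);      /* S202-S203 */
    if (e && e->port == in_port) return FORWARD;            /* S204-S207 */
    if (!v->learn_enable) return DROPPED;                   /* S208 -> S212 */
    struct vlan_limit *l = limit_entry(s, v->fid);          /* S209 */
    if (!l || l->learned >= l->max_learn) return DROPPED;   /* S210 -> S212 */
    if (e) { e->port = in_port; return LEARNED; } /* port move reuses the slot */
    e = mac_find(s, v->fid, src, 1);
    if (!e) return DROPPED;             /* assumption: table physically full */
    e->used = 1; e->fid = v->fid; e->port = in_port;        /* S211 */
    memcpy(e->mac, src, 6);
    l->learned++;                       /* counted only when a slot is consumed */
    return LEARNED;
}

/* Offers n frames with distinct constructed source MACs; returns how many were learned. */
int learn_burst(struct sw *s, uint16_t vlan_id, uint16_t port, int n) {
    int learned = 0;
    for (int i = 0; i < n; i++) {
        uint8_t mac[6] = { 0x02, 0, 0, (uint8_t)vlan_id, (uint8_t)(i >> 8), (uint8_t)i };
        if (process_frame(s, mac, vlan_id, port) == LEARNED) learned++;
    }
    return learned;
}

int main(void) {
    static struct sw s;
    sw_init(&s, 512);               /* offset 512: entry 1 holds VLAN 513 */
    vlan_setup(&s, 513, 513, 1, 4); /* constructed limit of 4 addresses */
    return learn_burst(&s, 513, 1, 1000) == 4 ? 0 : 1;
}
```

With the limit set to 4, a burst of 1000 distinct source addresses on VLAN 513 occupies only four slots, and other VLANs keep learning from the remaining table space.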
Fig. 3 is a schematic structural diagram of a source MAC address learning restriction device provided in an embodiment of the present application, and an embodiment of the present application provides a source MAC address learning restriction device 300, including:
a receiving unit 301, configured to receive a packet sent by a terminal, and determine a source MAC address and a VLAN ID in the packet;
an obtaining unit 302, configured to query the MAC entry for data corresponding to the VLAN ID and the source MAC address, and obtain, when the query is missed, a learned number and a maximum allowed learned number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table;
a learning unit 303 for learning the source MAC address and updating the learned number when the learned number is smaller than the maximum allowable learning number.
In this way, the present application proposes a learning limiting device for source MAC addresses. By limiting the maximum allowed learning number in the VLAN learning limiting table, it prevents a hacker from consuming the resources of the MAC table entries by forging a large number of source MAC addresses in the same VLAN, which would otherwise exhaust those resources and leave network traffic unable to be processed normally, and so ensures the normal use of the switch device. While the number of learned source MAC addresses has not reached the maximum allowed learning number, new source MAC addresses can still be learned, so the space of the MAC table entries is fully used and subsequent data transmission and routing are facilitated.
Fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present application. The computing device executes the abnormality detection recovery method of the switch port. As shown in fig. 4, the computing device 400 includes: processor 410, memory 420, and communication interface 430.
It should be appreciated that the communication interface 430 in the computing device 400 shown in fig. 4 may be used to communicate with other devices, and may include, in particular, one or more transceiver circuits or interface circuits.
Wherein the processor 410 may be coupled to a memory 420. The memory 420 may be used to store the program codes and data. Accordingly, the memory 420 may be a storage unit internal to the processor 410, an external storage unit independent of the processor 410, or a component including a storage unit internal to the processor 410 and an external storage unit independent of the processor 410.
Optionally, computing device 400 may also include a bus. The memory 420 and the communication interface 430 may be connected to the processor 410 through the bus. The bus may be a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one line is shown in FIG. 4, but this does not mean that there is only one bus or one type of bus.
It should be appreciated that in embodiments of the present application, the processor 410 may employ a central processing unit (central processing unit, CPU). The processor may also be another general purpose processor, a digital signal processor (digital signal processor, DSP), an application specific integrated circuit (application specific integrated circuit, ASIC), a field-programmable gate array (field programmable gate array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. Alternatively, the processor 410 may employ one or more integrated circuits for executing associated programs to carry out the techniques provided in embodiments of the present application.
The memory 420 may include read only memory and random access memory and provides instructions and data to the processor 410. A portion of the processor 410 may also include non-volatile random access memory. For example, the processor 410 may also store information of the device type.
When the computing device 400 is running, the processor 410 executes computer-executable instructions in the memory 420 to perform any of the operational steps of the methods described above, as well as any of the alternative embodiments.
It should be understood that the computing device 400 according to the embodiments of the present application may correspond to a respective subject performing the methods according to the embodiments of the present application, and that the above and other operations and/or functions of the respective modules in the computing device 400 are respectively for implementing the respective flows of the methods of the embodiments, and are not described herein for brevity.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program for performing the above-described method when executed by a processor, the method comprising at least one of the aspects described in the above-described embodiments.
Any combination of one or more computer readable media may be employed as the computer storage media of the embodiments herein. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including object oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
In addition, the terms "first, second, third, etc." or module A, module B, module C, etc. in the description and the claims are used solely for distinguishing between similar objects and do not imply a specific ordering of the objects; it is to be understood that, where allowed, a specific order or sequence may be interchanged so that the embodiments of the application described herein can be practiced in an order other than that illustrated or described herein.
In the above description, reference numerals indicating steps such as S110, S120, … …, etc. do not necessarily indicate that the steps are performed in this order, and the order of the steps may be interchanged or performed simultaneously as the case may be.
The term "comprising" as used in the description and claims should not be interpreted as being limited to what is listed thereafter; it does not exclude other elements or steps. Thus, it should be interpreted as specifying the presence of the stated features, integers, steps or components as referred to, but does not preclude the presence or addition of one or more other features, integers, steps or components, or groups thereof. Thus, the expression "a device comprising components A and B" should not be limited to a device consisting of only components A and B.
Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the application. Thus, appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment, but may. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments as would be apparent to one of ordinary skill in the art from this disclosure.
Note that the above is only a preferred embodiment of the present application and the technical principle applied. Those skilled in the art will appreciate that the present application is not limited to the particular embodiments described herein, but is capable of numerous obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the present application. Thus, while the present application has been described in terms of the foregoing embodiments, the present application is not limited to the foregoing embodiments, but may include many other equivalent embodiments without departing from the spirit of the present application, all of which fall within the scope of the present application.

Claims (10)

1. The learning limiting method of the source MAC address is applied to the switch equipment, and is characterized in that the switch equipment is configured with a MAC table item, a VLAN table and a VLAN learning limiting table, and the method comprises the following steps:
receiving a message sent by a terminal, and determining a source MAC address and a VLAN ID in the message;
inquiring data corresponding to the VLAN ID and the source MAC address in the MAC table item, and acquiring the learned number and the maximum allowed learned number of the source MAC address corresponding to the VLAN ID in the VLAN learning restriction table when inquiring the miss;
when the learned number is less than the maximum allowed number of learns, learn the source MAC address and update the learned number.
2. The learning restriction method according to claim 1, wherein the MAC entry includes a FID corresponding to a source MAC address and a VLAN ID;
the querying the data corresponding to the VLAN ID and the source MAC address in the MAC entry includes:
acquiring the FID corresponding to the VLAN ID;
and according to the obtained FID and the source MAC address, inquiring data corresponding to the FID and the source MAC address in the MAC table entry.
3. The learning restriction method according to claim 2, wherein the MAC entry further includes an ingress port of a switch device;
the method further comprises the steps of:
querying, from the MAC table entry, the ingress port of the switch device corresponding to the source MAC address when the data corresponding to the FID and the source MAC address is found in the MAC table entry;
determining the ingress port of the switch device on which the message was received;
and determining that the query is not hit when the queried ingress port is inconsistent with the determined ingress port.
4. The learning restriction method according to claim 1, wherein the obtaining the learned number and the maximum allowable learned number of the source MAC addresses corresponding to the VLAN IDs in the VLAN learning restriction table includes:
calculating an index value according to the FID corresponding to the VLAN ID and a preset offset value;
and reading the content corresponding to the index value in the MAC table item according to the index value, wherein the content comprises the learned number and the maximum allowed learning number of the source MAC address.
5. A learning restriction method according to claim 3, wherein said learning said source MAC address comprises:
and writing the source MAC address, the ingress port of the switch device that received the message, and the FID corresponding to the VLAN ID into the MAC table entry.
6. The learning restriction method according to claim 1, characterized in that the updating the learned number includes:
the learned number in the VLAN learning restriction table is increased by 1.
7. The learning restriction method according to claim 1, characterized in that the method further comprises:
inquiring the VLAN table to obtain the state of a VLAN learning switch corresponding to the VLAN ID;
and when the state of the VLAN learning switch is enabled, acquiring the learned number and the maximum allowed learned number of the source MAC address corresponding to the VLAN ID in the VLAN learning restriction table.
8. A learning restriction device for a source MAC address, the learning restriction device being configured with a MAC table entry, a VLAN table, and a VLAN learning restriction table, comprising:
the receiving unit is used for receiving the message sent by the terminal and determining a source MAC address and VLAN ID in the message;
an obtaining unit, configured to query the MAC entry for data corresponding to the VLAN ID and the source MAC address, and obtain a learned number and a maximum allowed learning number of source MAC addresses corresponding to the VLAN ID in the VLAN learning restriction table when the query is not hit;
a learning unit configured to learn the source MAC address and update the learned number when the learned number is smaller than the maximum allowable learning number.
9. A computing device, comprising:
a processor; and
a memory having stored thereon program instructions that, when executed by the processor, cause the processor to perform the learning restriction method of any of claims 1 to 7.
10. A storage medium having stored thereon program instructions which, when executed by a computer, cause the computer to perform the learning restriction method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311835248.5A CN117792751A (en) 2023-12-28 2023-12-28 Learning limiting method and device for source MAC address, computing equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117792751A 2024-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination