CN118075235A - Address allocation method, device, equipment and storage medium - Google Patents

Publication number
CN118075235A
Authority
CN
China
Prior art keywords
terminal
address
switch
access
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311314651.3A
Other languages
Chinese (zh)
Inventor
朱宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN202311314651.3A
Publication of CN118075235A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides an address allocation method, apparatus, device and storage medium. The method comprises: determining an identity of a first terminal accessing a first access switch, wherein the first access switch accesses a core switch; determining a first port label corresponding to the first terminal when the identity comprises a first IP address of the first terminal and that first IP address conflicts with the IP address of a second terminal that has already accessed the core switch; and allocating a second IP address to the first terminal according to the first port label of the first terminal, wherein the first port label comprises a first access port label corresponding to the access port of the first access switch to which the first terminal is connected. The method solves the problem that a terminal cannot access the ad hoc network because of an IP conflict, and improves the compatibility of the ad hoc network.

Description

Address allocation method, device, equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an address allocation method, apparatus, device, and storage medium.
Background
A campus ad hoc network is a campus network that has been optimized along the lines of a wireless ad hoc network. It can connect a plurality of terminals, the terminals can exchange data with one another, and the terminals can access data in the campus ad hoc network.
When several terminals with the same Internet Protocol (IP) address each access the campus ad hoc network, the IP address conflict means that one of the terminals cannot access the network, or that its connection is unstable after it does.
Disclosure of Invention
The application provides an address allocation method, an address allocation device, address allocation equipment and a storage medium, which are used for solving the technical problems that one terminal cannot access an ad hoc network or the connection is unstable after the terminal accesses the ad hoc network due to the problem of IP address conflict when the terminals with the same IP address access the ad hoc network.
In a first aspect, the present application provides an address allocation method, the method being applied to a core switch, the method comprising:
determining an identity of a first terminal accessing a first access switch, wherein the first access switch accesses the core switch;
determining a first port label corresponding to the first terminal when the identity comprises a first IP address of the first terminal and the first IP address conflicts with an IP address of a second terminal that has already accessed the core switch; and
allocating a second IP address to the first terminal according to the first port label of the first terminal, wherein the first port label comprises a first access port label corresponding to the access port of the first access switch to which the first terminal is connected.
Allocating a second IP address to the first terminal according to the first port label of the first terminal comprises:
if the first port label of the first terminal is different from the second port label of the second terminal, allocating a second IP address to the first terminal;
wherein the second port label comprises a second access port label corresponding to the access port of a second access switch to which the second terminal is connected, and the second access switch accesses the core switch.
An aggregation switch is arranged between the core switch and the first access switch, and each port of the aggregation switch is configured with an aggregation port label.
Determining the first port label corresponding to the first terminal comprises:
determining the first port label according to the aggregation port label of the aggregation switch and the first access port label.
In one possible implementation, the method further comprises:
Determining the authority of the first terminal according to the identity of the first terminal;
and controlling the first terminal according to the authority of the first terminal.
Determining the authority of the first terminal comprises:
when the first terminal is not accessing the core switch for the first time, allocating to the first terminal the authority it had when it previously accessed the core switch.
After determining the authority of the first terminal, the method further comprises:
performing security detection on the first terminal according to the behavior profile of the first terminal to obtain a security detection result;
and updating the authority of the first terminal according to the security detection result.
The method further comprises:
acquiring the service traffic of the first terminal within a first duration;
and obtaining the behavior profile of the first terminal from the service traffic.
The security detection result is either normal or abnormal, and updating the authority of the first terminal according to the security detection result comprises:
when the security detection result is abnormal, interrupting data interaction between the first terminal and the other terminals in the ad hoc network.
In one possible implementation, the method further comprises:
when the identity does not include the first IP address, allocating an IP address to the terminal.
In a second aspect, the present application provides an address allocation apparatus applied to a core switch, the core switch corresponding to at least one access switch, the apparatus comprising:
an identity acquisition module, configured to determine the identity of a first terminal accessing a first access switch, wherein the first access switch accesses the core switch;
a label acquisition module, configured to determine a first port label corresponding to the first terminal when the identity comprises a first IP address of the first terminal and the first IP address conflicts with an IP address of a second terminal that has already accessed the core switch;
an address allocation module, configured to allocate a second IP address to the first terminal according to the first port label of the first terminal, wherein the first port label comprises a first access port label corresponding to the access port of the first access switch to which the first terminal is connected.
In a third aspect, the present application provides a core switch comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
The processor executes computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for performing the method of any of the first aspects when executed by a processor.
The address allocation method provided by the application determines the identity of a first terminal accessed into a first access switch, and determines a first port label corresponding to the first terminal under the condition that the identity comprises a first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of a second terminal accessed into a core switch, and allocates a second IP address for the first terminal according to the first port label of the first terminal. The core switch can configure a second IP address for the first terminal with the IP address conflict through the first port label, so that the problem that the first terminal cannot access the core switch due to the IP conflict is solved, and the compatibility of the core switch is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic illustration of a campus ad hoc network model in accordance with an exemplary embodiment of the present application;
FIG. 2 is a flow chart of an address assignment method in an exemplary embodiment of the application;
FIG. 3 is a flowchart of another address assignment method in an exemplary embodiment of the present application;
FIG. 4 is a block diagram of a port configuration in an exemplary embodiment of the application;
FIG. 5 is a flowchart of controlling a first terminal according to an exemplary embodiment of the present application;
FIG. 6 is a flowchart of a method for updating a first terminal according to an exemplary embodiment of the present application;
FIG. 7 is a flowchart of yet another address assignment method in an exemplary embodiment of the present application;
FIG. 8 is a schematic diagram showing the composition of an address assignment device in an exemplary embodiment of the present application;
FIG. 9 is a schematic diagram of a core switch to which embodiments of the present application may be applied.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
A mobile ad hoc network is a network combining mobile communication and computer networking: a multi-hop, mobile, peer-to-peer network composed of several to tens of nodes that are dynamically networked over wireless links. Information is exchanged using the packet switching mechanism of computer networks, and the user terminals are portable terminals that can move freely within the network while staying in communication. Each user terminal in a mobile ad hoc network acts as both a router and a host. As a host, the terminal runs user-oriented applications such as an editor or a browser; as a router, it runs the corresponding routing protocol and forwards packets and maintains routes according to the routing policy and routing table, so each node must implement a suitable routing protocol.
A mobile ad hoc network can quickly find accurate, usable routing information, adapt to rapid changes in network topology, reduce the extra delay incurred when a terminal is introduced, maintain routing control information, and adapt to topology changes and to devices joining or leaving.
These advantages can be applied to a campus network by building it as a campus ad hoc network. The devices in a campus network may be connected by wire or wirelessly, so the resulting campus ad hoc network includes a wired ad hoc network as well as a wireless one. In the wired ad hoc network the cabling is relatively fixed and no port isolation is configured between the ports of each switch, so ports on the same switch can exchange data directly; loops can then form between the wired lines and make data interaction abnormal. In addition, if terminals access the network with static IP addresses, two terminals with the same IP address may both access the network, resulting in an Internet Protocol (IP) address conflict. If devices with the same Media Access Control (MAC) address connect through different access switches, problems such as MAC address conflicts may arise, so that some terminals cannot access the ad hoc network normally. A loop between wired lines means that several lines form a closed circuit.
Ad hoc network solutions in the related art are concentrated in two fields: wireless ad hoc networks (i.e. mobile ad hoc networks) and Internet of Things ad hoc networks. Unlike in a wired network, a wireless terminal can freely choose what it connects to in order to complete the wireless ad hoc network. In addition, the IP addresses of devices accessing a wireless network are dynamically allocated, so loops and IP address conflicts are avoided. A wireless network, however, can only form a wireless ad hoc network; it cannot be applied directly to a wired ad hoc network to solve IP address conflicts and wired loops. Devices in an Internet of Things ad hoc network mostly have a single function, such as controlling the temperature of a refrigerator or switching a television on and off; there are no complex, large-scale service requirements, and the software is not difficult to implement. Terminals in the Internet of Things are usually connected wirelessly, the connected terminals do not exchange data with one another, and their IP addresses are dynamically allocated, so IP address conflicts and wired loops do not arise. The Internet of Things ad hoc network scheme therefore cannot be applied directly to an entire campus network ad hoc network.
For this reason, ad hoc network virtualization is adopted, meaning that SDN technology is used so that all service deployment and maintenance in the ad hoc network is carried out under software control. With ad hoc network virtualization, one core device centrally controls the other devices in the ad hoc network: data transmission is controlled by the core device, the other devices cannot exchange data directly, and the path that data takes over the wired lines can be controlled, which avoids wired loops. It still does not solve the problem that arises when terminals access the network with static IP addresses and two terminals with the same IP address both access the network, resulting in an IP address conflict.
Fig. 1 is a schematic diagram of the campus network ad hoc network model of the present application. As shown in fig. 1, the model is generally built as a three-layer network: the first layer consists of access switches, the second layer of aggregation switches, and the third layer is the core switch. The campus network ad hoc network includes a wired ad hoc network portion and a wireless ad hoc network portion. In the wired portion, the first layer is the access switch, which provides terminal access ports; a terminal is connected to the access switch by wire. The second layer may be an aggregation switch, to which a plurality of access switches are connected and which serves to aggregate their lines. The third layer may be a core switch, which connects a plurality of aggregation switches. Service configuration in the wired ad hoc network is tightly coupled to the line connections, so the wiring has to be changed when the service configuration is changed.
In the wireless ad hoc network, the first layer may be an access switch, typically a wireless Access Point (AP) to which terminals connect wirelessly. The second layer may be an aggregation switch, commonly an Access Controller (AC) that connects a plurality of wireless access points. The third layer may be a core switch, which connects a plurality of such access controllers. The core switch of the wireless ad hoc network and the core switch of the wired ad hoc network are the same core switch, which provides a local area network for the devices accessing the ad hoc network.
In the related art, when two terminals with the same IP address access a network, the two terminals conflict because the core switch cannot tell the two IP addresses apart. The conflict means either that the two terminals with identical IP addresses cannot both access the core switch, or that the network connection is unstable after both have accessed it.
In the present application, when two terminals with the same IP address access the network at the same time, they do so through two different access ports. As long as the access ports are distinguished, the core switch can therefore recognize that two terminals with the same IP address are different terminals and configure different IP addresses for them, avoiding the IP conflict.
The technical scheme of the application is described in detail below through specific examples. It should be noted that different embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
As shown in fig. 1, the ad hoc network in the present application is the above-mentioned campus network ad hoc network, and the following ad hoc networks all represent the above-mentioned campus network ad hoc network, where the ad hoc network includes a core switch and at least one access switch, and the access switch includes at least one access port. In one possible implementation, at least one aggregation switch may also be included between the access switch and the core switch. The specific structure of the ad hoc network has been described in detail above, and thus, will not be described in detail herein.
The address allocation method of the present application is applied to a core switch, and fig. 2 is a flowchart of an address allocation method in an exemplary embodiment of the present application. As shown in fig. 2, the method includes:
S210, determining an identity of a first terminal accessing a first access switch, wherein the first access switch accesses a core switch.
In this example embodiment, the identity of the first terminal may be customized according to the user requirement. For example, the identity may include at least one of an IP address of the first terminal, a MAC address of the first terminal, an administrator identity, a general user identity, and the like. The identity may also include other information, not specifically limited in this example embodiment.
S220, determining a first port label corresponding to the first terminal under the condition that the identity comprises the first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of the second terminal which is accessed into the core switch.
In an exemplary embodiment of the present disclosure, fig. 3 is a flowchart of another address allocation method in an exemplary embodiment of the present application. As shown in fig. 3, the above steps may include steps S310 to S330.
S310, judging whether the identity mark comprises a first IP address of the first terminal.
In this example embodiment, after receiving the identity of the first terminal, the core switch may parse the identity information to determine whether the first IP address of the first terminal is included therein. The first IP address is a static IP address carried by the first terminal before the first terminal accesses the access switch. If the first IP address is included, step S320 is performed.
S320, it is determined whether the first IP address of the first terminal conflicts with the IP address of the second terminal that has been accessed in the core switch.
In this exemplary embodiment, after the first IP address of the above-mentioned terminal is acquired, the core switch first acquires the IP addresses of all the terminals that have been accessed, and then detects whether there is the same IP address as the first IP address, that is, whether there is a second terminal having the same IP address as the first terminal, and if so, performs step S330.
S330, a first port label corresponding to the first terminal is obtained.
In this example embodiment, the core switch may obtain the first port label corresponding to the terminal, where the first port label includes at least a first access port label corresponding to an access port of the first access switch.
For example, if the ad hoc network includes a core switch and a first access switch, the first port label is the first access port label of the first access switch. If the ad hoc network includes a core switch, an aggregation switch and an access switch, the first port label may include the first access port label of the first access switch together with the aggregation port label corresponding to the port of the aggregation switch to which the first access switch is connected.
S230, allocating a second IP address to the first terminal according to the first port label of the first terminal.
In this example embodiment, when the first port label of the first terminal is different from the second port label of the second terminal, a second IP address is allocated to the first terminal. The second port label includes a second access port label corresponding to the access port of the second access switch to which the second terminal is connected, and the second access switch accesses the core switch.
Note that the first access switch and the second access switch may be the same access switch or different access switches; this example embodiment places no specific limit on them.
Because the access port labels of the two terminals with identical IP addresses are different, a second IP address can be configured for the terminal that accesses later, which solves the IP conflict.
The method comprises the steps of determining an identity of a first terminal accessed into a first access switch, determining a first port label corresponding to the first terminal under the condition that the identity comprises a first IP address of the first terminal and the first IP address of the first terminal conflicts with an IP address of a second terminal accessed into a core switch, and distributing a second IP address for the first terminal according to the first port label of the first terminal. The core switch can configure a second IP address for the first terminal with the IP address conflict through the first port label, so that the problem that the first terminal cannot access the core switch due to the IP conflict is solved, and the compatibility of the core switch is improved.
In an example embodiment of the present disclosure, when two terminals with the same MAC address access the access switch, there is no IP conflict, so the corresponding terminal can be found directly through its IP address; that is, the label corresponding to the MAC address is found, which solves the MAC conflict.
In one example embodiment, the access port label of the access switch and the aggregation port label of the aggregation switch may be configured by the core switch described above. The access port label of the access switch and the aggregation port label of the aggregation switch may be labels used for distinguishing different ports, or may be port isolation labels for isolating ports on the switch. The port isolation labels are not only used for distinguishing ports, but also can isolate all ports on the switch, namely, all ports of the switch cannot directly carry out data interaction. The port label is described in detail below as an example of the port isolation label.
It should be noted that, port isolation labels are set for the aggregation switch and the access switch, so that the accessed terminals are controlled by the core switch directly, which is equivalent to the connection of the terminals with the core switch, i.e. the core switch directly controls the terminals, thereby avoiding the problem of loop occurrence of the wired circuit.
In an example embodiment, the ad hoc network may include only a core switch and an access switch, where the core switch needs to configure a different port isolation tag for the access switch, and the port isolation tag of the access switch may be used as the first port tag.
In another exemplary embodiment, the ad hoc network further includes at least one layer of aggregation switches, and the present application describes the above steps in the case that the ad hoc network includes an aggregation switch.
In this example embodiment, port isolation may be configured on the aggregation switch. Port isolation may be implemented with VLAN (Virtual Local Area Network), QinQ (802.1Q-in-802.1Q), VXLAN (Virtual eXtensible Local Area Network) or another mechanism, which this example embodiment does not specifically limit, and the ports of the aggregation switch are configured with different aggregation port labels.
Port isolation is likewise configured on the ports of the access switch, in the same way as for the aggregation switch, which is not repeated here. For example, suppose the ad hoc network includes two access switches, access switch A and access switch B. Different port isolation labels may be set for the ports of each access switch; the port isolation labels of access switch A may be VLAN10-VLAN20. The port isolation labels of access switch B may differ from those of access switch A, for example VLAN21-VLAN31, or they may be the same, i.e. also VLAN10-VLAN20. Because the two access switches are connected to different ports of the same aggregation switch, the first port label corresponding to each terminal is different from the core switch's point of view, the first port label being the port isolation label of the access switch together with the port isolation label of the aggregation switch.
The configuration process of the port labels is described in detail with reference to fig. 4, which is a structural diagram of the port configuration of the present application. The core switch first discovers the aggregation switch and then discovers the access switches connected beneath it, and configures a different port isolation label for each port. For example, taking VLAN labels as the port isolation labels, CVLAN10-CVLAN33 (the port isolation labels of the aggregation switch, i.e. the aggregation port labels) are configured for the 24 ports of the aggregation switch, and PVLAN10-PVLAN33 (the port isolation labels of the access switch, i.e. the access port labels) are configured for the 24 ports of the access switch. For the core switch, the first port label corresponding to a terminal accessing the first port of the access switch is PVLAN10, CVLAN10. Suppose the terminal accesses from the first port of the access switch and reaches the core switch through the first port of the aggregation switch, and the terminal identity comprises an IP address, say IPA, and a MAC address, say MACA. The identity and first port label received by the core switch are then (IPA, MACA, PVLAN10, CVLAN10).
In an example embodiment of the present application, if the identity of the first terminal does not carry the first IP address, the core switch may allocate an IP address that is not duplicated by other terminals accessing the ad hoc network to the first terminal.
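The decision flow of steps S210 to S230, together with the no-IP case above, can be modelled in a few lines of Python. This is an added example, not part of the patent text: the class and field names, the address pool and the sample addresses are assumptions, and treating a repeat announcement from the same port label as a re-registration is also an assumption, since the description does not cover that case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortLabel:
    """First port label as seen by the core switch."""
    access: str             # access port label, e.g. "PVLAN10"
    aggregation: str = ""   # aggregation port label, e.g. "CVLAN10"; empty without an aggregation layer


@dataclass
class Binding:
    mac: str
    first_ip: Optional[str]  # static address carried in the identity, if any
    assigned_ip: str         # address the core switch uses for this terminal
    label: PortLabel


class CoreSwitch:
    """Hypothetical model of the allocation decision; not vendor code."""

    def __init__(self, pool_cidr: str):
        self.pool = ipaddress.ip_network(pool_cidr)   # assumed pool for second IPs
        self.bindings: Dict[PortLabel, Binding] = {}  # one terminal per port label

    def _holder_of(self, ip: str) -> Optional[Binding]:
        # S320: look for an already-admitted terminal using this address.
        for binding in self.bindings.values():
            if binding.assigned_ip == ip:
                return binding
        return None

    def _next_free(self, label: PortLabel) -> str:
        # Addresses in use by every other port label are off limits.
        used = {b.assigned_ip for l, b in self.bindings.items() if l != label}
        for host in self.pool.hosts():
            if str(host) not in used:
                return str(host)
        raise RuntimeError("address pool exhausted")

    def admit(self, label: PortLabel, mac: str,
              first_ip: Optional[str] = None) -> Binding:
        if first_ip is None:
            # S310 "no": the identity carries no IP, allocate an unused one.
            assigned = self._next_free(label)
        else:
            first_ip = str(ipaddress.ip_address(first_ip))  # validate and normalise
            holder = self._holder_of(first_ip)
            if holder is None or holder.label == label:
                # No conflict, or the same port re-registering (assumption).
                assigned = first_ip
            else:
                # S330/S230: conflict on a different port label, so the
                # terminal that arrived later receives a second IP address.
                assigned = self._next_free(label)
        binding = Binding(mac, first_ip, assigned, label)
        self.bindings[label] = binding
        return binding


def demo() -> List[str]:
    """Constructed sample: two terminals claim the same static IP, a third has none."""
    sw = CoreSwitch("10.200.0.0/29")
    a = sw.admit(PortLabel("PVLAN10", "CVLAN10"), "aa:aa:aa:aa:aa:01", "192.168.1.10")
    b = sw.admit(PortLabel("PVLAN11", "CVLAN10"), "aa:aa:aa:aa:aa:02", "192.168.1.10")
    # Same access label and same MAC as terminal a, but a different aggregation port.
    c = sw.admit(PortLabel("PVLAN10", "CVLAN11"), "aa:aa:aa:aa:aa:01")
    return [a.assigned_ip, b.assigned_ip, c.assigned_ip]


if __name__ == "__main__":
    print(demo())
```

Because bindings are keyed by the combined access and aggregation label, two terminals that share a MAC address still resolve to distinct entries with distinct addresses, which is the property the MAC-conflict embodiment relies on.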
In an exemplary embodiment of the present application, fig. 5 is a flowchart of the present application for controlling a terminal, and referring to fig. 5, the method further includes steps S510 to S520.
S510, determining the authority of the first terminal according to the identity of the first terminal.
In this example embodiment, the core switch may store the permission settings corresponding to multiple types of identity and configure different permissions for the identities of different terminals. The specific configuration may be customized according to user requirements and is not specifically limited in this example embodiment. For example, an ordinary user is configured with first-level authority, an administrator with second-level authority and a super administrator with third-level authority, and the core switch may configure the corresponding authority for a terminal according to the terminal's identity.
The specific setting of the authority can be customized according to the user requirement. For example, the rights may include, but are not limited to, access rights, data interaction rights, and the like. The access authority is the authority of the terminal to access the data or the equipment in the ad hoc network. For example, access rights may include access to a warehouse system, access to a door access system, connection to a printer, and the like. The data interaction authority is the authority of the terminal to perform data interaction with the equipment in the ad hoc network. For example, the interaction right may include whether data interaction with other terminals is possible, how many terminals may be interacted with at the same time, and the like, and is not particularly limited in this example embodiment. After determining the identity of the first terminal, the authority of the first terminal can be determined.
S520, controlling the first terminal according to the authority of the first terminal.
In an example embodiment of the present disclosure, after the authority is obtained, the first terminal may be controlled based on the authority. Specifically, the first terminal may be controlled in acquiring data, sending data, connecting with other devices, and so on, which is not particularly limited in the present exemplary embodiment. The first terminal is controlled directly by the core switch: the aggregation switch and the access switch cannot interfere with the authority of the first terminal, and the first terminal cannot be directly controlled by the aggregation switch or the access switch, which prevents the wired loop problem. Because the core switch both sets the authority of the first terminal and controls it, the security of the data in the ad hoc network can be ensured.
In an exemplary embodiment of the present application, after the first terminal accesses the ad hoc network, the core switch may determine whether the first terminal is connected to the ad hoc network for the first time (i.e., accesses the core switch) according to the identity of the first terminal. Specifically, whether the terminal is connected to the ad hoc network for the first time may be determined by the unique identifier of the first terminal. For example, the unique identifier of the first terminal may be a MAC address of the terminal, a device code, or the like, which is not specifically limited in this exemplary embodiment.
If the first terminal is connecting to the ad hoc network for the first time, steps S220 to S250 are executed. If the first terminal is not accessing the ad hoc network for the first time, the core switch obtains the authority that the first terminal had when it last accessed the ad hoc network, and allocates that authority to the first terminal.
After the authority is assigned to the first terminal, whether the identity of the first terminal has changed can be detected in real time. After a change in the identity of the first terminal is detected, the authority corresponding to the first terminal is updated according to the changed identity, so that the data security in the ad hoc network is further improved.
In an example embodiment of the present disclosure, Fig. 6 is a flowchart of performing an authority update on a first terminal according to the present application, which may specifically include steps S610 to S620.
S610, performing security detection on the first terminal according to the behavior portrait of the first terminal to obtain a security detection result.
In this example embodiment, the memory of the core switch may store a behavior portrait of the first terminal's use of the ad hoc network. The behavior portrait may be obtained according to the traffic flow of the first terminal in the ad hoc network over a first duration, and may be re-acquired at intervals of a preset time. The preset time may be customized according to the user requirement and is not specifically limited in this example embodiment.
It should be noted that the first duration may be 10 days, 15 days, or longer, or may be one month or longer, or may be customized according to the user requirement. The traffic flow is a flow generated when the first terminal processes the traffic in the ad hoc network, for example, a flow of the first terminal accessing data, a flow of the first terminal performing data interaction, and the like, which are not specifically limited in this exemplary embodiment.
After the service flow of the first terminal in the first duration is obtained, a behavior portrait of the first terminal's use of the ad hoc network can be established based on the service flow. The specific form of the behavior portrait can be customized according to the requirements of users. For example, a behavior portrait may include time periods and the traffic type and traffic characteristics corresponding to each period. Specifically, a day may be divided into 12 periods, and the traffic type and traffic characteristics of the first terminal in each period may be determined. The service types may be, for example: the first terminal accesses the database in a first period; the first terminal performs data transmission in a second period; the first terminal is connected to an external device in a third period; and so on. Traffic characteristics may include traffic rank, transmission address in traffic, traffic transmission port, data transmission time interval, etc., and are not specifically limited in this example embodiment.
The specific manner of acquiring the behavior portrait can be customized according to the requirements of users. For example, the behavior portrait may be obtained from a behavior portrait determination model. Specifically, the traffic flow is input to a pre-trained behavior portrait determination model to obtain the behavior portrait. Alternatively, a lookup table of periods, traffic types and traffic characteristics may be built directly in the storage area of the core switch to serve as the behavior portrait, which is not particularly limited in this exemplary embodiment.
The above-described security detection result may be set to different levels according to the user's needs, or may be set to be abnormal and normal, and is not particularly limited in this example embodiment.
In the following, the case where the security detection result is either normal or abnormal is taken as an example. The manner of judging normal and abnormal can be customized according to the user's requirement. For example, a safety coefficient may be used to determine whether the security detection result is abnormal or normal. The manner of determining the safety coefficient may also be customized according to the user requirement, which is not specifically limited in this exemplary embodiment.
In an exemplary embodiment, the safety coefficient may be determined by way of similarity. Specifically, the behavior portrait may include a service type and/or a traffic characteristic corresponding to each period of the first terminal.
Specifically, after the first terminal accesses the ad hoc network, the core switch may first determine the current period, and determine a target service type of the first terminal in the current period based on the current period and the behavior portrait. The target service type of the first terminal in the current period is then compared with the service type of the current period in the behavior portrait to obtain a first similarity between the two. The manner of obtaining the first similarity may refer to the related art, and is not particularly limited in the present exemplary embodiment.
Furthermore, characteristic information of abnormal traffic is built into the core switch. After the first terminal accesses the ad hoc network, the core switch may first determine the current period, determine a target traffic characteristic of the first terminal in the current period based on the current period and the behavior portrait, and then compare the target traffic characteristic with the characteristic information to obtain a second similarity. The more similar the target traffic characteristic is to the characteristic information of the abnormal traffic, the higher the probability that the service flow corresponding to the target traffic characteristic is abnormal traffic. The second similarity may be obtained by referring to the related art, which is not described herein.
It should be noted that the traffic characteristics can be used to determine whether the traffic is abnormal. For example, if the IP address corresponding to the first terminal sends packets to a large number of destination IP addresses, meaning that the first terminal is trying to establish connections with devices in the ad hoc network, but gets no response, and the time interval between the packets is very short, on the order of milliseconds, it can be determined that the packets are not sent manually and that the traffic is abnormal. The traffic characteristics may be obtained by referring to the prior art, and will not be described in detail herein. The specific form of the abnormal traffic may be customized according to the user requirement. For example, the abnormal traffic may include, but is not limited to, Trojan attack traffic, illegal access traffic, and the like, which is not specifically limited in this example embodiment.
In this exemplary embodiment, the first similarity may be used as the safety coefficient; alternatively, the target value obtained by subtracting the second similarity from 1 may be used as the safety coefficient; alternatively, the weighted average of the first similarity and the target value may be used as the safety coefficient. The manner of determining the safety coefficient may be customized according to the user requirement, which is not specifically limited in this exemplary embodiment.
In this example embodiment, when the safety coefficient is greater than or equal to a preset threshold, the safety detection result is determined to be normal, and when the safety coefficient is less than the preset threshold, the safety detection result is determined to be abnormal.
S620, updating the authority of the first terminal by using the security detection result.
In this example embodiment, the authority of the first terminal in the ad hoc network may be updated according to the security detection result. The security detection result may include multiple types, or may correspond to different authorities, and a specific setting manner may be customized according to a user requirement, which is not specifically limited in this example embodiment.
In the following, the case where the security detection result includes normal and abnormal is taken as an example. If the security detection result is abnormal, the data interaction between the first terminal and the other terminals in the ad hoc network is interrupted. In this way, the security of the data in the ad hoc network is ensured while the first terminal remains connected to the ad hoc network, the transmission of abnormal traffic is blocked, and the security inside the ad hoc network is improved. If the security detection result is normal, authority is set for the first terminal according to the identity of the first terminal.
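The following Python sketch is an added example, not code from the patent: it walks through S610 to S620 using the weighted-average form of the safety coefficient and falls back to the target value alone when a period has no portrait entry. The similarity measures (Jaccard for service types, one minus root-mean-square distance for traffic characteristics), the three-value feature vector, the weight, the threshold and all sample data are assumptions, since the description leaves them to the related art or to user configuration.

```python
import math
from dataclasses import dataclass, field

PERIODS_PER_DAY = 12   # the description divides a day into 12 periods
THRESHOLD = 0.6        # assumed preset threshold
WEIGHT_FIRST = 0.5     # assumed weight of the first similarity

# Assumed traffic characteristics, each normalised to [0, 1]:
# (share of packets sent to distinct destination IPs,
#  share of packets that got no response,
#  share of inter-packet gaps in the millisecond range)
ABNORMAL_SIGNATURES = {
    "address_sweep": (1.0, 1.0, 1.0),   # constructed signature
}


@dataclass
class Terminal:
    mac: str
    identity_level: int                           # 1 user, 2 admin, 3 super admin
    portrait: dict = field(default_factory=dict)  # period index -> set of service types
    authority_level: int = 0
    data_interaction: bool = True
    connected: bool = True


def period_of(hour):
    """Map an hour of the day (0-23) to one of the 12 two-hour periods."""
    return hour * PERIODS_PER_DAY // 24


def jaccard(a, b):
    """First similarity: overlap of observed and expected service types."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def feature_similarity(u, v):
    """One minus the root-mean-square distance; 1.0 means identical vectors."""
    mse = sum((x - y) ** 2 for x, y in zip(u, v)) / len(u)
    return 1.0 - math.sqrt(mse)


def safety_coefficient(term, hour, service_types, features):
    # Second similarity: closeness to the nearest abnormal-traffic signature.
    second = max(feature_similarity(features, sig)
                 for sig in ABNORMAL_SIGNATURES.values())
    target = 1.0 - second
    expected = term.portrait.get(period_of(hour))
    if expected is None:
        # No portrait entry for this period yet: use the target value alone,
        # which the description lists as one way to form the coefficient.
        return target
    first = jaccard(service_types, expected)
    return WEIGHT_FIRST * first + (1.0 - WEIGHT_FIRST) * target


def detect(term, hour, service_types, features):
    """S610: 'normal' when the coefficient reaches the threshold."""
    coeff = safety_coefficient(term, hour, service_types, features)
    return "normal" if coeff >= THRESHOLD else "abnormal"


def update_authority(term, result):
    """S620: cut data interaction on 'abnormal' but keep the terminal connected."""
    if result == "abnormal":
        term.data_interaction = False
    else:
        term.data_interaction = True
        term.authority_level = term.identity_level
    return term


def build_terminal():
    """Constructed terminal whose portrait covers only period 4 (08:00-10:00)."""
    return Terminal(mac="02:00:00:00:00:01", identity_level=1,
                    portrait={4: {"database_access", "data_transfer"}})


# Constructed observations: (hour, service types, traffic characteristics)
NORMAL_OBS = (9, {"database_access", "data_transfer"}, (0.05, 0.02, 0.10))
SWEEP_OBS = (9, {"device_connect"}, (0.90, 0.95, 0.98))

if __name__ == "__main__":
    for name, obs in (("normal", NORMAL_OBS), ("sweep", SWEEP_OBS)):
        term = build_terminal()
        result = detect(term, *obs)
        update_authority(term, result)
        print(name, round(safety_coefficient(term, *obs), 3), result,
              "data_interaction=%s" % term.data_interaction)
```

With a single weight and threshold, a terminal that matches its usual service types can offset a partial match to an abnormal signature, so the weight deserves tuning against recorded traffic before the result is used to cut data interaction.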
Fig. 7 is a flowchart of still another address allocation method according to an exemplary embodiment of the present application, and the address allocation method according to the present application will be described in detail with reference to fig. 7. The method specifically comprises the following steps:
S710, obtaining the identity of the first terminal accessing the ad hoc network.
The specific process of obtaining the identity is described in detail above, and therefore, will not be described in detail here.
S720, judging whether the identity mark comprises a first IP address of the first terminal.
In this example embodiment, if the identity does not include the first IP address of the first terminal, step S730 is performed.
S730, allocating an IP address to the first terminal.
In this example embodiment, the core switch may assign to the first terminal an IP address different from those of the other terminals.
If the identity includes the first IP address of the first terminal, step S740 is executed.
S740, determining whether the first IP address of the first terminal conflicts with the IP address of the accessed second terminal in the ad hoc network.
If so, step S750 is performed. If not, step S770 is performed.
S750, obtaining a first port label corresponding to an access port of an access switch connected with the first terminal, and distributing a second IP address to the first terminal according to the first IP address and the first port label of the first terminal, and updating the identity of the first terminal.
In the present exemplary embodiment, the detailed process of step S750 may refer to step S230, which is not described herein.
After S750 is performed, step S770 may be performed.
S760, determining the authority of the first terminal in the ad hoc network according to the identity of the first terminal.
In this exemplary embodiment, the detailed process of step S760 may refer to step S510, which is not described herein.
S770, the first terminal is controlled according to the authority of the first terminal in the ad hoc network.
In the present exemplary embodiment, the detailed process of step S770 may refer to step S520, which is not described herein.
The address allocation method in the application determines the identity of a first terminal accessed into a first access switch, and determines a first port label corresponding to the first terminal under the condition that the identity comprises a first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of a second terminal accessed into a core switch, and allocates a second IP address for the first terminal according to the first port label of the first terminal. The core switch can configure a second IP address for the first terminal with the IP address conflict through the first port label, so that the problem that the first terminal cannot access the core switch due to the IP conflict is solved, and the compatibility of the core switch is improved. Furthermore, after the first terminal is accessed to the ad hoc network, the first terminal is subjected to authority allocation, and the first terminal is controlled according to the authority, so that the security of the ad hoc network is enhanced. Still further, after the two first terminals with the same MAC address are accessed, since there is no IP conflict, the corresponding first terminal can be found directly through the IP address, that is, the tag corresponding to the MAC is found, so that the problem of MAC conflict can be solved. Furthermore, the port isolation is configured between each port of the aggregation switch and each port of the access switch, so that the problem of a wired loop can be effectively prevented.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are alternative embodiments, and that the acts and modules referred to are not necessarily required for the present application.
It should be further noted that, although the steps in the flowchart are sequentially shown as indicated by arrows, the steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least a portion of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order in which the sub-steps or stages are performed is not necessarily sequential, and may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
Fig. 8 shows an address allocation apparatus 800 according to the present application. The address allocation apparatus 800 is applied to a core switch and includes an identity acquisition module 810, a tag acquisition module 820, and an address allocation module 830, wherein:
The identity acquisition module 810 may be configured to determine an identity of a first terminal accessing a first access switch, where the first access switch accesses a core switch.
The tag obtaining module 820 may be configured to determine a first port tag corresponding to the first terminal when the identity includes a first IP address of the first terminal and the first IP address of the first terminal conflicts with an IP address of a second terminal that has been accessed into the core switch.
The address allocation module 830 may be configured to allocate a second IP address to the first terminal according to a first port tag of the first terminal; wherein the first port label comprises: the first terminal is connected with a first access port label corresponding to the access port of the first access switch.
In an exemplary embodiment, the address allocation module 830 may be further configured to allocate a second IP address to the first terminal if the first port label of the first terminal is different from the second port label of the second terminal; wherein the second port label comprises: the second terminal is connected with a second access port label corresponding to the access port of the second access switch, and the second access switch is accessed to the core switch.
In an example embodiment, the tag acquisition module 820 may be further configured to determine the first port tag from the aggregation port tag and the first access port tag of the aggregation switch.
In an exemplary embodiment, the address allocation apparatus 800 may be further configured to determine the authority of the first terminal according to the identity of the first terminal, and control the first terminal according to the authority of the first terminal.
In an exemplary embodiment, the address allocation apparatus 800 may be further configured to allocate, in a case where the first terminal is not the first access to the core switch, a right corresponding to the first terminal when the first terminal previously accessed to the core switch.
In an exemplary embodiment, the address allocation apparatus 800 may be further configured to perform security detection on the first terminal according to the behavior portrait of the first terminal, so as to obtain a security detection result, and update the authority of the first terminal according to the security detection result.
In an exemplary embodiment, the address allocation apparatus 800 may be further configured to obtain the traffic flow of the first terminal in a first duration, and obtain the behavior portrait of the first terminal according to the traffic flow.
In an example embodiment, the security detection result includes normal and abnormal, and the address allocation apparatus 800 may be further configured to interrupt the data interaction between the first terminal and the other terminals in the ad hoc network if the security detection result is abnormal.
In one possible implementation, the conflict determination module 830 may be configured to assign an IP address to the terminal when the identity does not include the first IP address.
It will be appreciated that the device embodiments described above are merely illustrative and that the device of the application may be implemented in other ways. For example, the division of the units/modules in the above embodiments is merely a logic function division, and there may be another division manner in actual implementation. For example, multiple units, modules, or components may be combined, or may be integrated into another system, or some features may be omitted or not performed.
In addition, each functional unit/module in each embodiment of the present application may be integrated into one unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated together, unless otherwise specified. The integrated units/modules described above may be implemented either in hardware or in software program modules.
The integrated units/modules, if implemented in hardware, may be digital circuits, analog circuits, etc. Physical implementations of hardware structures include, but are not limited to, transistors, memristors, and the like. The processor may be any suitable hardware processor, such as a CPU, GPU, FPGA, DSP or ASIC, unless otherwise specified. Unless otherwise indicated, the storage elements may be any suitable magnetic or magneto-optical storage medium, such as resistive random access memory (RRAM), dynamic random access memory (DRAM), static random access memory (SRAM), enhanced dynamic random access memory (EDRAM), high-bandwidth memory (HBM), hybrid memory cube (HMC), etc.
The integrated units/modules may be stored in a computer-readable memory if implemented in the form of software program modules and sold or used as a stand-alone product. Based on this understanding, the technical solution of the present application, in essence, or the part of it contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. The aforementioned memory includes: a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other various media capable of storing program code.
Fig. 9 is a schematic diagram of a core switch 900 according to the present application. As shown in fig. 9, the core switch 900 may include: at least one processor 910, a memory 920, and a communication interface 930.
A memory 920 for storing programs. In particular, the program may include program code including computer-operating instructions.
Memory 920 may include high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The processor 910 is configured to execute computer-executable instructions stored in the memory 920 to implement the monitoring method described in the foregoing method embodiment. The processor 910 may be a central processing unit (Central Processing Unit, abbreviated as CPU), or an application-specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
The core switch 900 may also include a communication interface 930 such that communication interactions with external devices may be performed through the communication interface 930. In a specific implementation, if the communication interface 930, the memory 920 and the processor 910 are implemented independently, the communication interface 930, the memory 920 and the processor 910 may be connected to each other and communicate with each other through a bus. The bus may be an industry standard architecture (Industry Standard Architecture, abbreviated ISA) bus, a peripheral component interconnect (Peripheral Component Interconnect, abbreviated PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, abbreviated EISA) bus, among others. Buses may be divided into address buses, data buses, control buses, etc., but this does not mean that there is only one bus or one type of bus.
In a practical implementation, if the communication interface 930, the memory 920 and the processor 910 are integrated on a chip, the communication interface 930, the memory 920 and the processor 910 may complete communication through internal interfaces.
The present application also provides a computer-readable storage medium, which may include various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disk. Specifically, the computer-readable storage medium stores program instructions, and the program instructions are used for the monitoring method in the above embodiment.
In the foregoing embodiments, the description of each embodiment has its own emphasis, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments. The technical features of the above embodiments may be combined in any way. For brevity, not all possible combinations of the technical features of the above embodiments are described, but they should be considered as falling within the scope of the description.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (12)

1. An address allocation method applied to a core switch, the method comprising:
Determining an identity of a first terminal accessing a first access switch, wherein the first access switch accesses the core switch;
Determining a first port label corresponding to the first terminal when the identity comprises a first IP address of the first terminal and the first IP address of the first terminal conflicts with an IP address of a second terminal which is accessed into the core switch;
Distributing a second IP address to the first terminal according to the first port label of the first terminal; wherein the first port tag comprises: the first terminal is connected with a first access port label corresponding to the access port of the first access switch.
2. The method of claim 1, wherein the assigning a second IP address to the first terminal based on the first port tag of the first terminal comprises:
if the first port label of the first terminal is different from the second port label of the second terminal, a second IP address is allocated to the first terminal;
Wherein the second port label includes: the second terminal is connected with a second access port label corresponding to an access port of a second access switch, and the second access switch is accessed to the core switch.
3. The method of claim 1, comprising an aggregation switch between the core switch and the first access switch, each port of the aggregation switch configured with an aggregation port label;
The determining the first port label corresponding to the first terminal includes:
And determining the first port label according to the aggregation port label of the aggregation switch and the first access port label.
4. A method according to any of claims 1-3, characterized in that after said assigning a second IP address to said first terminal, the method further comprises:
Determining the authority of the first terminal according to the identity of the first terminal;
and controlling the first terminal according to the authority of the first terminal.
5. The method of claim 4, wherein the determining the rights of the first terminal comprises:
And under the condition that the first terminal is not accessed to the core switch for the first time, the corresponding authority when the first terminal is accessed to the core switch for the previous time is allocated to the first terminal.
6. The method of claim 4, wherein after said determining the rights of the first terminal, the method further comprises:
Performing security detection on the first terminal according to the behavior portrait of the first terminal to obtain a security detection result;
and updating the authority of the first terminal according to the security detection result.
7. The method of claim 6, wherein prior to the security detection of the first terminal according to the behavior portrait of the first terminal, the method further comprises:
Acquiring the service flow of the first terminal in a first duration;
and obtaining the behavior portrait of the first terminal according to the service flow.
8. The method of claim 6, wherein updating the rights of the first terminal based on the security detection result comprises:
and under the condition that the security detection result is abnormal, interrupting the data interaction between the first terminal and the second terminal.
9. The method according to claim 1, wherein the method further comprises:
And under the condition that the first IP address is not included in the identity, the IP address is allocated to the terminal.
10. An address allocation apparatus for use in a core switch, said core switch corresponding to at least one access switch, said apparatus comprising:
The identity acquisition module is used for determining the identity of a first terminal accessed into a first access switch, wherein the first access switch is accessed into the core switch;
The tag acquisition module is used for determining a first port tag corresponding to the first terminal when the identity comprises a first IP address of the first terminal and the first IP address of the first terminal conflicts with an IP address of a second terminal which is accessed into the core switch;
The address allocation module is used for allocating a second IP address to the first terminal according to the first port label of the first terminal; wherein the first port tag comprises: the first terminal is connected with a first access port label corresponding to the access port of the first access switch.
11. A switch, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
The processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 9.
12. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 9.
CN202311314651.3A 2023-10-11 2023-10-11 Address allocation method, device, equipment and storage medium Pending CN118075235A (en)


Publications (1)

Publication Number Publication Date
CN118075235A true CN118075235A (en) 2024-05-24

Family

ID=91099845

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311314651.3A Pending CN118075235A (en) 2023-10-11 2023-10-11 Address allocation method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN118075235A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination