WO2012013042A1 - Configuration method and system for implementing the port address binding - Google Patents


Info

Publication number
WO2012013042A1
Authority
WO
WIPO (PCT)
Prior art keywords
binding
management entity
address
configuration
port
Application number
PCT/CN2011/071834
Other languages
French (fr)
Chinese (zh)
Inventor
支新军
陈琦
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting

Definitions

  • the present invention relates to a Gigabit-Capable Passive Optical Network (GPON) technology in the field of communications, and in particular to a configuration method and system for implementing port address binding.
  • GPON Gigabit-Capable Passive Optical Network
  • GPON is a point-to-multipoint optical access technology.
  • Figure 1 shows the GPON system architecture.
  • the GPON system includes an optical line terminal (OLT), an optical distribution network (ODN) consisting of passive optical splitting devices, and an optical network unit (ONU) or optical network terminal (ONT).
  • OLT optical line terminal
  • ODN Optical Distribution Network
  • ONU Optical Network Unit
  • ONT Optical Network Terminal
  • the OLT is the central office device of the GPON system, usually placed in the operator's central office; the ONU or ONT is the terminal device of the GPON system, the ONU being generally used for Fiber To The Curb (FTTC) and the ONT for Fiber To The Home (FTTH); the OLT and the ONU or ONT are connected through the ODN; the OLT configures the ONU or ONT through the ONT Management and Control Channel (OMCC); in the figure, the dotted line represents the OMCC and the solid line represents the physical link.
  • FTTC Fiber To The Curb
  • FTTH Fiber To The Home
  • OLT and ONU or ONT are connected by ODN
  • OLT configures ONU or ONT through ONT Management and Control Channel (OMCC);
  • OMCC ONT Management and Control Channel
  • the GPON standard is the G.984 series, in which G.984.4 specifically defines the ONT Management and Control Interface (OMCI), which provides a standard management and control protocol and related managed entities (Managed Entity, ME).
  • OMCI ONT Management and Control Interface
  • ME Managed Entity
  • the OLT configures the related MEs through OMCI to implement remote configuration and management of ONUs or ONTs.
  • the MAC bridge port filter table management entity defined in G.984.4 can be used for destination MAC address filtering on Ethernet user ports.
  • the MAC bridge port filter table management entity defines a data relationship, a management entity identifier, and a MAC filter table; each filter entry in the MAC filter table includes an entry number, a filter byte (containing filter/forward, add/delete and similar bit information), and a destination MAC address.
  • the management entity controls the user's permission to receive services by filtering the destination MAC address of the MAC bridge port.
  • for multicast services, filtering the multicast MAC address on the user bridge port can prevent unauthorized users from acquiring multicast services.
  • the MAC bridge port filter table management entity in G.984.4 only covers traffic leaving the MAC bridge port and not traffic entering it; in order to further strengthen control of user rights and increase security, the prior art extends the filter byte of that management entity.
  • the filter direction is defined by the reserved bits in the extended filter byte, so that the destination MAC address of data leaving the MAC bridge port can be filtered.
  • the destination MAC address of data entering the MAC bridge port can also be filtered, further enhancing control of user rights and improving security.
  • in the prior art, the MAC bridge port filter table management entity defines destination MAC address filtering for Ethernet services entering and leaving the MAC bridge port, and thereby controls user rights.
  • because the filtering is on the destination MAC address, it cannot control the hosts inside the user network.
  • for example, a MAC address flooding attack launched by a host in the user network cannot be prevented, which can easily overflow the MAC address table in the ONU/ONT and cause network security problems.
  • security problems such as IP address theft cannot be prevented either, which easily leads to the rights of legitimate users in the user network being stolen and legitimate users suffering losses.
  • therefore, the MAC bridge port filter table management entity does not actually have complete control of user rights, and its security is low.
  • the object of the present invention is to provide a method and system for implementing port address binding, which can better solve the problem in the prior art that the MAC bridge port filter table management entity does not completely control user rights in the user network and has low security.
  • a configuration method for implementing port address binding includes:
  • the management unit sets a binding message including the user host IP address and MAC address, the Ethernet user port identifier, and sends the binding message to the optical line terminal OLT;
  • the OLT generates, according to the binding message, a configuration message including the IP address, the MAC address, and the management entity identifier, and sends the configuration message to the optical network unit ONU or the optical network terminal ONT, where the management entity identifier corresponds to the Ethernet user port identifier;
  • the ONU or the ONT writes the IP address and the MAC address into the binding table specified by the management entity identifier of the MAC bridge port binding table management entity according to the received configuration message.
  • the method further includes: the MAC bridge port binding table management entity corresponds to the MAC bridge port configuration management entity that points to the Ethernet user port by using the same management entity identifier as that MAC bridge port configuration management entity.
  • the configuration message includes a configuration message for adding a binding entry obtained by using the binding message, a configuration message for deleting a binding entry, and a configuration message for configuring a binding mode and a binding table size.
  • the method further includes:
  • when the source IP address and source MAC address of a data frame received on the Ethernet user port exist in the binding table, the data frame is forwarded if the binding mode of that port is forward binding and discarded if the binding mode is reverse binding.
  • the method further includes:
  • when the source IP address and source MAC address of a data frame received on the Ethernet user port do not exist in the binding table, the data frame is forwarded if the binding mode of that port is reverse binding and discarded if the binding mode is forward binding.
  • when the configuration message received by the ONU or the ONT is a configuration message for adding a binding entry, the ONU or the ONT adds to the MAC bridge port binding table management entity a binding entry including the entry number, an entry binding property indicating addition, the IP address, and the MAC address.
  • when the configuration message received by the ONU or the ONT is a configuration message for deleting a binding entry, the ONU or the ONT deletes from the MAC bridge port binding table management entity the binding entry including the entry number, an entry binding property indicating deletion, the IP address, and the MAC address.
  • when the configuration message received by the ONU or the ONT is a configuration message for configuring the binding mode and the binding table size, the ONU or the ONT configures the binding mode information and the binding table size information in the MAC bridge port binding table management entity.
  • a system for implementing port address binding includes: a management unit, configured to set a binding message including a user host IP address and MAC address and an Ethernet user port identifier, and to send the binding message to the optical line terminal OLT;
  • the OLT is configured to generate, according to the binding message, a configuration message that includes the IP address, the MAC address, and the management entity identifier, and to send the configuration message to the optical network unit ONU or the optical network terminal ONT, where the management entity identifier corresponds to the Ethernet user port identifier;
  • the ONU or ONT is used to write the IP address and the MAC address into the binding table specified by the management entity identifier of the MAC bridge port binding table management entity according to the received configuration message.
  • the MAC bridge port binding table management entity corresponds to a MAC bridge port configuration management entity that points to an Ethernet user port by using the same management entity identifier as the MAC bridge port configuration management entity.
  • the present invention defines and uses the MAC bridge port binding table management entity to bind the IP address and MAC address of a host in the user network to the Ethernet user port, thereby achieving full control of user rights and further improving the security of the user network.
  • FIG. 1 is a schematic diagram of a GPON system architecture;
  • FIG. 2 is a relationship diagram of the MAC bridge port binding table management entity defined by the present invention, the MAC bridge port configuration management entity, and the physical channel endpoint Ethernet user network interface management entity;
  • FIG. 3 is a flowchart of setting a binding table size and a binding mode according to an embodiment of the present invention
  • FIG. 4 is a flowchart of adding a binding table entry according to an embodiment of the present invention
  • FIG. 5 is a flowchart of deleting a binding table entry according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of processing a service flow according to an embodiment of the present invention.
  • FIG. 7 is a block diagram of a system according to an embodiment of the present invention.
  • FIG. 2 is a relationship diagram of a MAC bridge port binding table management entity defined by the present invention, a MAC bridge port configuration management entity, and a physical channel endpoint Ethernet user network interface management entity.
  • an ONU or an ONT creates a MAC bridge.
  • the MAC bridge port binding table management entity is associated with the MAC bridge port configuration management entity through the same management entity identifier; the MAC bridge port configuration management entity is associated with the Ethernet user port through a pointer to the physical channel endpoint Ethernet user network interface management entity, thereby establishing the correspondence between the MAC bridge port binding table management entity and the Ethernet user port.
  • the MAC bridge port binding table management entity and related attributes of the present invention are newly added management entities for binding an IP address, a MAC address, and an Ethernet user port, and the MAC bridge port binding table management entity Each instance includes a management entity identifier, a binding mode, a binding table size, and a binding table.
  • the management entity identifier is the unique identifier of each instance of the MAC bridge port binding table management entity and is read-only; it is the same as the management entity identifier in the MAC bridge port configuration management entity, and indicates the MAC bridge port configuration management entity with which the instance is associated.
  • the binding mode is a readable and writable port address binding mode, including forward binding, set to "1", and reverse binding, set to "0"; forward binding means that the port only allows data frames whose source IP address and source MAC address exist in the binding table to pass.
  • reverse binding means that the port only allows data frames whose source IP address and source MAC address do not exist in the binding table to pass; in addition, reserved bits may be set.
  • the binding table size is used to define a maximum number of entries in the binding table that can store an IP address and a MAC address, and the binding table size is readable and writable.
  • the binding table is configured to save the IP address and MAC address of the user host associated with the MAC bridge port, and whether a data frame entering the MAC bridge port is forwarded is determined according to the binding mode. After the configuration is complete, if the source IP address and source MAC address of a data frame received by the ONU or ONT through the Ethernet user port exist in the binding table, the data frame is forwarded when the binding mode is forward binding and discarded when the binding mode is reverse binding; if the source IP address and source MAC address of the data frame received by the ONU or ONT through the Ethernet user port do not exist in the binding table, the data frame is discarded when the binding mode is forward binding and forwarded when the binding mode is reverse binding.
  • the binding entry in the binding table contains the IP address and MAC address of the user host, and also includes the entry number and the binding nature of the entry.
  • the entry number is an index identifier of a binding entry in a MAC bridge port binding table management entity.
  • the entry binding property is set to "1" to indicate addition and to "0" to indicate deletion.
  • the ONU or ONT sets the binding table to null.
  • FIG. 3 is a flowchart of setting a binding table size and a binding mode according to an embodiment of the present invention. As shown in FIG. 3, the steps include:
  • Step 301 The management unit sets a binding message indicating the binding table size and the binding mode, where the binding message includes ONU or ONT identifier information, Ethernet user port identifier information, binding table size information, and binding mode information, and sends the binding message to the OLT.
  • Step 302 The OLT generates a configuration message from the received binding message, and sends the configuration message to the ONU or the ONT through the OMCC channel.
  • the configuration message includes management entity identification information, binding table size information, and binding mode information.
  • the management entity identifier information is derived from the Ethernet user port identifier information set by the management unit, and is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to the Ethernet user port.
  • Step 303 The ONU or the ONT sets the binding table size information and the binding mode information of the instance specified by the management entity identifier information in the MAC bridge port binding table management entity according to the configuration message, and returns a configuration response message after the setting is completed.
  • FIG. 4 is a flowchart of adding a binding table entry according to an embodiment of the present invention. As shown in FIG. 4, the steps include:
  • Step 401 The management unit sets a binding message for adding a binding entry, and sends the binding message to the OLT.
  • the binding message includes ONU or ONT identification information, Ethernet user port identification information, binding entry number information, information indicating the binding nature of the added entry, and IP address and MAC address information to be bound.
  • Step 402 The OLT generates a configuration message according to the received binding message, and sends the configuration message to the ONU or the ONT through the OMCC channel.
  • the configuration message includes management entity identifier information and adding binding entry information.
  • the management entity identifier information is derived from the Ethernet user port identifier information set by the management unit, and is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to the Ethernet user port;
  • the adding binding entry information includes an item number, an item binding property, an IP address, and a MAC address.
  • Step 403 The ONU or the ONT sets, according to the received configuration message, the binding table of the instance specified by the management entity identifier information in the MAC bridge port binding table management entity, adds to the binding table the binding entry information including the entry number, the entry binding property indicating addition, the IP address, and the MAC address, and returns a configuration response message after the setting is completed.
  • FIG. 5 is a flowchart of deleting a binding table entry according to an embodiment of the present invention. As shown in FIG. 5, the steps are as follows:
  • Step 501 The management unit sets a binding message for deleting the binding entry, and sends the binding message to the OLT.
  • the binding message includes ONU or ONT identification information, Ethernet user port identification information, binding entry number information, entry binding property information indicating deletion, and the IP address and MAC address information to be deleted.
  • Step 502 The OLT generates a configuration message according to the received binding message, and sends the configuration message to the ONU or the ONT through the OMCC channel.
  • the configuration message includes management entity identifier information, and deletion binding entry information.
  • the management entity identifier information is derived from the Ethernet user port identifier information set by the management unit, and is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to the Ethernet user port;
  • the delete binding entry information includes an entry number, an entry binding property, an IP address, and a MAC address.
  • Step 503 The ONU or the ONT sets, according to the received configuration message, the binding table of the instance specified by the management entity identifier information in the MAC bridge port binding table management entity, deletes from the binding table the binding entry information including the entry number, the entry binding property indicating deletion, the IP address, and the MAC address, and returns a configuration response message after the setting is completed.
  • FIG. 6 is a flowchart of processing a data frame according to an embodiment of the present invention. As shown in FIG. 6, the steps include:
  • Step 601 The ONU or the ONT receives the data frame.
  • Step 602 The ONT or the ONU receives the data frame through the Ethernet user port and parses it to obtain the source IP address and source MAC address of the data frame, then looks up, in the MAC bridge port binding table management entity, the binding table corresponding to the Ethernet user port that received the data frame, to determine whether a binding entry exists whose IP address and MAC address are the same as those of the received data frame; if so, proceed to step 603, otherwise proceed to step 606.
  • Step 603 The ONT or the ONU determines whether the binding mode of the Ethernet user port that receives the data frame is forward binding. If it is forward binding, proceed to step 604. If it is reverse binding, proceed to step 605.
  • Step 604 The ONT or the ONU forwards the data frame.
  • Step 605 The ONT or ONU discards the data frame.
  • Step 606 The ONT or the ONU determines whether the binding mode of the Ethernet user port that receives the data frame is forward binding. If it is forward binding, proceed to step 607. If it is reverse binding, proceed to step 608.
  • Step 607 The ONT or the ONU discards the data frame.
  • Step 608 The ONT or the ONU forwards the data frame.
  • FIG. 7 is a block diagram of a system according to an embodiment of the present invention. As shown in FIG. 7, the system includes a management unit (701), an OLT (702), and an ONU or ONT (703), wherein:
  • a management unit (701) configured to set a binding message of the binding port address, and send the binding message to the OLT (702);
  • the OLT (702) is configured to receive a binding message sent by the management unit, generate a configuration message according to the binding message, and send the configuration message to the ONU or the ONT through the OMCC channel;
  • the configuration message includes a configuration message for adding a binding entry obtained by the binding message, a configuration message for deleting a binding entry, and a configuration message for configuring a binding mode and a binding table size.
  • the configuration message for adding a binding entry includes management entity identifier information derived from the Ethernet user port identification information set by the management unit, and adding binding entry information;
  • the adding binding entry information includes the entry number, the entry binding property indicating addition, the IP address, and the MAC address.
  • the configuration message for deleting a binding entry includes management entity identifier information derived from the Ethernet user port identification information set by the management unit, and deleting binding entry information; the deleting binding entry information includes the entry number, the entry binding property indicating deletion, the IP address, and the MAC address.
  • the configuration message used to configure the binding mode and binding table size contains management entity identifier information, binding table size information, and binding mode information derived from the Ethernet user port identification information set by the management unit.
  • the ONU or the ONT (703) is configured to set, according to the configuration message, the instance specified by the management entity identifier information in the MAC bridge port binding table management entity, and to forward or discard received data frames according to the binding table and the binding mode of the MAC bridge port binding table management entity.
  • the management unit (701) sends the binding message for the port address binding to the OLT (702) through a Simple Network Management Protocol (SNMP) message, and the OLT (702) receives the binding message sent by the management unit (701) and generates a configuration message from it.
  • SNMP simple network management protocol
  • the OLT sends the configuration message to the ONU or ONT (703) through the OMCC channel, and the ONU or ONT (703) sets the MAC bridge port binding table management entity according to the configuration message.
  • if the configuration message is a configuration message for configuring the binding mode and the binding table size, the binding mode information and the binding table size information in the MAC bridge port binding table management entity are modified; if the configuration message is a configuration message for adding a binding entry, the binding entry number information, the entry binding property indicating addition, the IP address to be added, and the MAC address information are added in the instance of the MAC bridge port binding table management entity; if the configuration message is a configuration message for deleting a binding entry, the binding entry with the corresponding binding entry number is deleted from the instance of the MAC bridge port binding table management entity.
  • the present invention uses the MAC bridge port binding table management entity to bind the IP address and MAC address of the user host to the Ethernet user port, thereby achieving complete control of user rights in the network and solving the problems of MAC address flooding attacks and IP address theft in the user network.
  • this enhances the security of the user network; in addition, the IP address and MAC address entries of the user host bound to the Ethernet user port in the MAC bridge port binding table management entity can be freely configured, including freely adding and deleting binding entries and optionally setting the binding mode, which is very convenient and flexible.
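The binding table management entity, the add/delete/configure messages of FIG. 3 to FIG. 5 and the forwarding decision of FIG. 6 (steps 601 to 608), as an added illustrative model that is not the patent's or G.984.4's own definition; the class and message field names, the OLT deriving the ME identifier directly from the port identifier, and the "reject when full" policy are assumptions of this example.

```python
"""Model of the MAC bridge port binding table managed entity (ME) and the
frame-forwarding decision described in WO2012013042A1. Illustrative
reimplementation; class layout and message fields are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address

FORWARD_BINDING = 1   # binding mode "1": only bound (IP, MAC) pairs may pass
REVERSE_BINDING = 0   # binding mode "0": only unbound (IP, MAC) pairs may pass
ENTRY_ADD, ENTRY_DELETE = 1, 0   # entry binding property: "1" add, "0" delete


@dataclass
class BindingEntry:
    number: int          # index of the entry within the ME instance
    ip: str
    mac: str


@dataclass
class MacBridgePortBindingTableME:
    """One ME instance; me_id equals the MAC bridge port configuration ME id
    that points at the Ethernet user port, which ties the table to that port."""
    me_id: int
    binding_mode: int = FORWARD_BINDING
    table_size: int = 8
    table: dict = field(default_factory=dict)   # entry number -> BindingEntry

    def configure(self, binding_mode: int, table_size: int) -> None:
        # FIG. 3: configuration message carrying binding mode and table size
        if binding_mode not in (FORWARD_BINDING, REVERSE_BINDING):
            raise ValueError("binding mode must be 1 (forward) or 0 (reverse)")
        if table_size < len(self.table):
            raise ValueError("table size smaller than current entry count")
        self.binding_mode, self.table_size = binding_mode, table_size

    def apply_entry(self, number: int, prop: int, ip: str, mac: str) -> bool:
        # FIG. 4 / FIG. 5: entry message with number, property, IP and MAC
        ip, mac = str(ip_address(ip)), mac.lower()   # normalise before storing
        if prop == ENTRY_ADD:
            if number not in self.table and len(self.table) >= self.table_size:
                return False                 # table full: reject, never evict
            self.table[number] = BindingEntry(number, ip, mac)
            return True
        if prop == ENTRY_DELETE:
            entry = self.table.get(number)
            if entry is None or (entry.ip, entry.mac) != (ip, mac):
                return False                 # no matching entry to delete
            del self.table[number]
            return True
        raise ValueError("entry binding property must be 1 (add) or 0 (delete)")

    def is_bound(self, ip: str, mac: str) -> bool:
        ip, mac = str(ip_address(ip)), mac.lower()
        return any(e.ip == ip and e.mac == mac for e in self.table.values())

    def decide(self, src_ip: str, src_mac: str) -> str:
        """Steps 602-608: look up the frame's source pair, then combine the
        lookup result with the port's binding mode."""
        bound = self.is_bound(src_ip, src_mac)
        if self.binding_mode == FORWARD_BINDING:
            return "forward" if bound else "discard"   # steps 604 / 607
        return "discard" if bound else "forward"       # steps 605 / 608


def olt_translate(binding_msg: dict) -> dict:
    """OLT step (302/402/502): derive the ME identifier from the Ethernet user
    port identifier (assumed equal here) and drop the fields the ONU does not
    need. Field names are constructed for this example."""
    return {"me_id": binding_msg["port_id"],
            **{k: v for k, v in binding_msg.items() if k not in ("onu_id", "port_id")}}


def demo() -> list:
    """Constructed scenario: one port in forward-binding mode with one bound
    host; a frame carrying the bound IP with a different MAC is discarded,
    which is the IP-address-theft case the binding table is meant to stop."""
    me = MacBridgePortBindingTableME(me_id=1)
    me.configure(FORWARD_BINDING, table_size=2)
    cfg = olt_translate({"onu_id": 7, "port_id": 1, "number": 1, "prop": ENTRY_ADD,
                         "ip": "192.0.2.10", "mac": "00:11:22:33:44:55"})
    assert cfg["me_id"] == me.me_id
    me.apply_entry(cfg["number"], cfg["prop"], cfg["ip"], cfg["mac"])
    return [me.decide("192.0.2.10", "00:11:22:33:44:55"),   # bound host
            me.decide("192.0.2.10", "00:aa:bb:cc:dd:ee")]   # same IP, other MAC
```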

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A configuration method and system for binding and configuring port addresses are provided in the present invention. The method includes the following steps: setting a binding message which contains the Internet protocol (IP) address and the media access control (MAC) address of the user host and the Ethernet user port identification, and transmitting the binding message to the optical line terminal (OLT); the OLT generates a configuration message which contains the IP address, the MAC address and the management entity identification according to the binding message, and transmits the configuration message to the optical network unit (ONU) or the optical network terminal (ONT), wherein the management entity identification corresponds to the Ethernet user port identification; the ONU or ONT writes the IP address and the MAC address into a binding table designated by the management entity identification of the MAC bridge port binding table management entity according to the received configuration message. The invention is flexible to configure and enables complete control of user authority, so the safety of the user network is improved.

Description

Configuration method and system for implementing port address binding
Technical Field
The present invention relates to Gigabit-Capable Passive Optical Network (GPON) technology in the field of communications, and in particular to a configuration method and system for implementing port address binding.
Background
GPON is a point-to-multipoint optical access technology. Figure 1 shows the GPON system architecture. As shown in Figure 1, the GPON system includes an optical line terminal (OLT), an optical distribution network (ODN) consisting of passive optical splitting devices, and an optical network unit (ONU) or optical network terminal (ONT). The OLT is the central office device of the GPON system and is usually placed in the operator's central office; the ONU or ONT is the terminal device of the GPON system, the ONU being generally used for Fiber To The Curb (FTTC) and the ONT for Fiber To The Home (FTTH); the OLT and the ONU or ONT are connected through the ODN; the OLT configures and manages the ONU or ONT through the ONT Management and Control Channel (OMCC). In the figure, the dotted line represents the OMCC and the solid line represents the physical link.
The GPON standard is the G.984 series, in which G.984.4 specifically defines the ONT Management and Control Interface (OMCI), which provides a standard management and control protocol and related managed entities (Managed Entity, ME); the OLT configures the related MEs through OMCI to implement remote configuration and management of the ONU or ONT.
As the terminal device of the GPON access network, the ONU or ONT needs to solve security problems for the user. The MAC bridge port filter table management entity defined in G.984.4 can be used for destination MAC address filtering on Ethernet user ports. This management entity defines a data relationship, a management entity identifier and a MAC filter table; each filter entry in the MAC filter table includes an entry number, a filter byte (containing filter/forward, add/delete and similar bit information) and a destination MAC address. By filtering on the destination MAC address of the MAC bridge port, the management entity controls the user's permission to receive services. For example, for multicast services, filtering the multicast MAC address on the user bridge port can prevent unauthorized users from obtaining multicast services. Since the MAC bridge port filter table management entity in G.984.4 only covers traffic leaving the MAC bridge port and not traffic entering it, the prior art extends the filter byte of that management entity in order to further strengthen control of user rights and increase security: the reserved bits in the filter byte define the filter direction, so that the destination MAC address can be filtered both for data leaving the MAC bridge port and for data entering it, further enhancing control of user rights and improving security.
现有技术中 MAC桥端口过滤表管理实体定义从 MAC桥端口出入的以 太网业务的目的 MAC 地址过滤, 对用户权限进行控制, 但由于是对目的 MAC地址的过滤, 因此无法对用户网络内的主机进行控制, 譬如对于用户 网络内主机发起的 MAC地址洪水攻击, 无法防范,极易造成 ONU/ONT中 MAC地址表溢出导致网络安全问题, 对 IP地址盗用等安全问题也无法防 范, 极易造成用户网络内的合法用户的权限被盗用, 合法用户的权益蒙受 损失。因此, MAC桥端口过滤表管理实体实际上并没有完全控制用户权限, 安全性较低。 发明内容  In the prior art, the MAC bridge port filtering table management entity defines the destination MAC address filtering of the Ethernet service that is in and out of the MAC bridge port, and controls the user rights. However, because the destination MAC address is filtered, it cannot be used in the user network. The host performs control, for example, the MAC address flood attack initiated by the host in the user network cannot be prevented. It is easy to cause the network security problem caused by the overflow of the MAC address table in the ONU/ONT. The security problem such as IP address theft cannot be prevented, which is easy to cause. The rights of legitimate users in the user network are stolen, and the rights of legitimate users suffer losses. Therefore, the MAC bridge port filter table management entity does not actually have full control of user rights, and the security is low. Summary of the invention
The object of the present invention is to provide a configuration method and system for implementing port address binding, which better solve the problem in the prior art that the MAC bridge port filter table management entity does not fully control user rights in the user network and therefore provides low security.
According to one aspect of the present invention, a configuration method for implementing port address binding includes:
a management unit sets a binding message containing the IP address and MAC address of a user host and an Ethernet user port identifier, and sends the binding message to the optical line terminal (OLT);
the OLT generates, according to the binding message, a configuration message containing the IP address, the MAC address and a management entity identifier, and sends the configuration message to the optical network unit (ONU) or optical network terminal (ONT), where the management entity identifier corresponds to the Ethernet user port identifier;
the ONU or ONT, according to the received configuration message, writes the IP address and MAC address into the binding table specified by the management entity identifier of a MAC bridge port binding table management entity.
The method further includes: the MAC bridge port binding table management entity corresponds to the MAC bridge port configuration management entity that points to the Ethernet user port by sharing the same management entity identifier as that MAC bridge port configuration management entity.
The configuration message includes, derived from the binding message, a configuration message for adding a binding entry, a configuration message for deleting a binding entry, and a configuration message for configuring the binding mode and the binding table size.
Further, the method also includes: after configuration is complete, if the IP address and MAC address of a data frame received by the ONU or ONT through an Ethernet user port exist in the binding table of the MAC bridge port binding table management entity, the data frame is forwarded when the binding mode of the Ethernet user port that received it is forward binding, and discarded when that binding mode is reverse binding.
Further, the method also includes: after configuration is complete, if the IP address and MAC address of a data frame received by the ONU or ONT through an Ethernet user port do not exist in the binding table of the MAC bridge port binding table management entity, the data frame is forwarded when the binding mode of the Ethernet user port that received it is reverse binding, and discarded when that binding mode is forward binding.
When the configuration message received by the ONU or ONT is a configuration message for adding a binding entry, the ONU or ONT adds to the MAC bridge port binding table management entity a binding entry including an entry number, an entry binding property indicating addition, the IP address and the MAC address.
When the configuration message received by the ONU or ONT is a configuration message for deleting a binding entry, the ONU or ONT deletes from the MAC bridge port binding table management entity the binding entry including the entry number, an entry binding property indicating deletion, the IP address and the MAC address.
When the configuration message received by the ONU or ONT is a configuration message for configuring the binding mode and binding table size, the ONU or ONT configures the binding mode information and binding table size information in the MAC bridge port binding table management entity.
According to another aspect of the present invention, a system for implementing port address binding includes:
a management unit, used to set a binding message containing the IP address and MAC address of a user host and an Ethernet user port identifier, and to send the binding message to the optical line terminal (OLT);
the OLT, used to generate, according to the binding message, a configuration message containing the IP address, the MAC address and a management entity identifier, and to send the configuration message to the optical network unit (ONU) or optical network terminal (ONT), where the management entity identifier corresponds to the Ethernet user port identifier;
the ONU or ONT, used to write, according to the received configuration message, the IP address and MAC address into the binding table specified by the management entity identifier of a MAC bridge port binding table management entity.
The MAC bridge port binding table management entity corresponds to the MAC bridge port configuration management entity that points to the Ethernet user port by sharing the same management entity identifier as that MAC bridge port configuration management entity.
Compared with the prior art, the present invention defines and uses a MAC bridge port binding table management entity to bind the IP address and MAC address of a host in the user network to the Ethernet user port, achieving full control of user rights and further improving the security of the user network.
Brief description of the drawings
Figure 1 is a schematic diagram of the GPON system architecture;
Figure 2 is a relationship diagram of the MAC bridge port binding table management entity defined by the present invention, the MAC bridge port configuration management entity and the physical path termination point Ethernet user network interface management entity;
Figure 3 is a flowchart of setting the binding table size and binding mode according to an embodiment of the present invention;
Figure 4 is a flowchart of adding a binding table entry according to an embodiment of the present invention;
Figure 5 is a flowchart of deleting a binding table entry according to an embodiment of the present invention;
Figure 6 is a flowchart of processing a service flow according to an embodiment of the present invention;
Figure 7 is a block diagram of a system according to an embodiment of the present invention.
Detailed description
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only intended to illustrate and explain the present invention and are not intended to limit it.
Figure 2 shows the relationship between the MAC bridge port binding table management entity defined by the present invention, the MAC bridge port configuration management entity and the physical path termination point Ethernet user network interface management entity. As shown in Figure 2, when the ONU or ONT creates an instance of the MAC bridge port configuration management entity, it automatically creates an instance of the MAC bridge port binding table management entity defined in the present invention. The MAC bridge port binding table management entity is associated with the MAC bridge port configuration management entity by sharing the same management entity identifier; the MAC bridge port configuration management entity is associated with the Ethernet user port through a pointer to the physical path termination point Ethernet user network interface management entity, so that the MAC bridge port binding table management entity corresponds to the Ethernet user port. The MAC bridge port binding table management entity and its attributes described in the present invention are a newly added management entity that binds the IP address, the MAC address and the Ethernet user port together. Each instance of the MAC bridge port binding table management entity includes a management entity identifier, a binding mode, a binding table size and a binding table.
The management entity identifier is the unique, read-only identifier of each instance of the MAC bridge port binding table management entity. It is the same as the management entity identifier of the MAC bridge port configuration management entity, which indicates the association with that entity.
The binding mode is a readable and writable port address binding mode, including forward binding, set to "1", and reverse binding, set to "0". Forward binding means the port passes only data frames whose source IP address and source MAC address exist in the binding table; reverse binding means the port passes only data frames whose source IP address and source MAC address do not exist in the binding table. Reserved bits may also be set.
The binding table size defines the maximum number of IP address and MAC address entries the binding table can hold; it is readable and writable.
The binding table stores the IP addresses and MAC addresses of the user hosts associated with the MAC bridge port and is used together with the binding mode to decide whether a data frame entering the MAC bridge port is forwarded. After configuration is complete, if the source IP address and source MAC address of a data frame received by the ONU or ONT through an Ethernet user port exist in the binding table, the frame is forwarded when the binding mode is forward binding and discarded when the binding mode is reverse binding; if the source IP address and source MAC address do not exist in the binding table, the frame is discarded when the binding mode is forward binding and forwarded when the binding mode is reverse binding. Besides the IP address and MAC address of the user host, each binding entry in the binding table also contains an entry number and an entry binding property.
The entry number is the index of a binding entry in the MAC bridge port binding table management entity. The entry binding property is set to "1" to indicate an added entry and to "0" to indicate a deleted entry.
When the MAC bridge port binding table management entity is initialized, the ONU or ONT sets the binding table to empty.
Figure 3 is a flowchart of setting the binding table size and binding mode according to an embodiment of the present invention. As shown in Figure 3, the steps are:
Step 301: the management unit sets a binding message indicating the binding table size and binding mode. The binding message contains ONT or ONU identification information, Ethernet user port identification information, binding table size information and binding mode information. The management unit sends the binding message to the OLT.
Step 302: the OLT generates a configuration message from the received binding message and sends the configuration message to the ONU or ONT through the OMCC channel.
The configuration message includes management entity identification information, binding table size information and binding mode information. The management entity identification information is derived from the Ethernet user port identification information set by the management unit; it is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to that Ethernet user port.
Step 303: according to the configuration message, the ONU or ONT sets the binding table size information and binding mode information of the instance specified by the management entity identification information in the MAC bridge port binding table management entity, and returns a configuration response message when the setting is complete.
Figure 4 is a flowchart of adding a binding table entry according to an embodiment of the present invention. As shown in Figure 4, the steps are:
Step 401: the management unit sets a binding message for adding a binding entry and sends the binding message to the OLT.
The binding message contains ONU or ONT identification information, Ethernet user port identification information, binding entry number information, entry binding property information indicating addition, and the IP address and MAC address information to be bound.
Step 402: the OLT generates a configuration message from the received binding message and sends the configuration message to the ONU or ONT through the OMCC channel.
The configuration message contains management entity identifier information and add-binding-entry information. The management entity identifier information is derived from the Ethernet user port identification information set by the management unit; it is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to that Ethernet user port. The add-binding-entry information includes the entry number, the entry binding property, the IP address and the MAC address.
Step 403: according to the received configuration message, the ONU or ONT selects in the MAC bridge port binding table management entity the binding table of the instance specified by the management entity identification information, adds to it a binding entry including the entry number, the entry binding property indicating addition, the IP address and the MAC address, and returns a configuration response message when the setting is complete.
Figure 5 is a flowchart of deleting a binding table entry according to an embodiment of the present invention. As shown in Figure 5, the steps are as follows:
Step 501: the management unit sets a binding message for deleting a binding entry and sends the binding message to the OLT.
The binding message contains ONU or ONT identification information, Ethernet user port identification information, binding entry number information, entry binding property information indicating deletion, and the IP address and MAC address information to be deleted.
Step 502: the OLT generates a configuration message from the received binding message and sends the configuration message to the ONU or ONT through the OMCC channel.
The configuration message includes management entity identifier information and delete-binding-entry information. The management entity identifier information is derived from the Ethernet user port identification information set by the management unit; it is the same as the identifier of the MAC bridge port configuration management entity instance that points to the Ethernet user port, and is used to correspond to that Ethernet user port. The delete-binding-entry information includes the entry number, the entry binding property, the IP address and the MAC address.
Step 503: according to the received configuration message, the ONU or ONT selects in the MAC bridge port binding table management entity the binding table of the instance specified by the management entity identification information, deletes from it the binding entry including the entry number, the entry binding property indicating deletion, the IP address and the MAC address, and returns a configuration response message when the setting is complete.
Figure 6 is a flowchart of processing a data frame according to an embodiment of the present invention. As shown in Figure 6, the steps are as follows:
Step 601: the ONU or ONT receives a data frame.
Step 602: having received the data frame through an Ethernet user port, the ONT or ONU parses it to obtain the IP address and MAC address of the frame, then looks up the binding table corresponding to the receiving Ethernet user port in the MAC bridge port binding table management entity for a binding entry whose IP address and MAC address are the same as those of the received frame. If such an entry exists, go to step 603; if not, go to step 606.
Step 603: the ONT or ONU checks whether the binding mode of the Ethernet user port that received the frame is forward binding. If it is forward binding, go to step 604; if it is reverse binding, go to step 605.
Step 604: the ONT or ONU forwards the data frame.
Step 605: the ONT or ONU discards the data frame.
Step 606: the ONT or ONU checks whether the binding mode of the Ethernet user port that received the frame is forward binding. If it is forward binding, go to step 607; if it is reverse binding, go to step 608.
Step 607: the ONT or ONU discards the data frame.
Step 608: the ONT or ONU forwards the data frame.
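The management entity of Figure 2 and the procedures of Figures 3 to 6 (set size and mode, add entry, delete entry, decide per received frame), as an added Python simulation that is not code from the patent or from ZTE. The patent specifies only the attributes (management entity identifier, binding mode, binding table size, binding table with numbered entries) and the forward/discard decision; the class and method names, the rejection of malformed addresses, the refusal to add beyond the configured table size, the requirement that a delete name the same addresses as the stored entry, and the sample addresses and management entity id are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Attribute values as the description defines them
FORWARD_BINDING = 1   # binding mode "1": only bound (IP, MAC) pairs pass
REVERSE_BINDING = 0   # binding mode "0": only unbound (IP, MAC) pairs pass
ENTRY_ADDED = 1       # entry binding property "1"
ENTRY_DELETED = 0     # entry binding property "0"


def normalize_pair(ip: str, mac: str) -> Tuple[str, str]:
    """Canonical (ip, mac) strings. Raises ValueError on malformed input so a
    bad configuration message is rejected instead of being silently stored."""
    digits = re.sub(r"[:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return str(ip_address(ip.strip())), ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class BindingEntry:
    entry_number: int
    binding_property: int   # ENTRY_ADDED or ENTRY_DELETED
    ip: str
    mac: str


@dataclass
class MacBridgePortBindingTableME:
    """One instance per MAC bridge port. me_id is read-only and equals the id
    of the MAC bridge port configuration entity of the same Ethernet user port."""
    me_id: int
    binding_mode: int = FORWARD_BINDING
    table_size: int = 0
    table: Dict[int, BindingEntry] = field(default_factory=dict)  # empty at init

    # Figure 3, step 303: set the writable attributes binding mode and table size
    def configure(self, binding_mode: int, table_size: int) -> bool:
        if binding_mode not in (FORWARD_BINDING, REVERSE_BINDING) or table_size < 0:
            return False
        if table_size < len(self.table):
            return False   # shrinking below the entries present would orphan them (assumption)
        self.binding_mode, self.table_size = binding_mode, table_size
        return True

    # Figure 4, step 403: add an entry (entry number, property "added", IP, MAC)
    def add_entry(self, entry_number: int, ip: str, mac: str) -> bool:
        try:
            ip_n, mac_n = normalize_pair(ip, mac)
        except ValueError:
            return False
        if entry_number in self.table or len(self.table) >= self.table_size:
            return False   # the table size caps how many hosts one user port may bind
        self.table[entry_number] = BindingEntry(entry_number, ENTRY_ADDED, ip_n, mac_n)
        return True

    # Figure 5, step 503: delete the entry; number and addresses must all agree
    def delete_entry(self, entry_number: int, ip: str, mac: str) -> bool:
        try:
            ip_n, mac_n = normalize_pair(ip, mac)
        except ValueError:
            return False
        entry = self.table.get(entry_number)
        if entry is None or (entry.ip, entry.mac) != (ip_n, mac_n):
            return False
        del self.table[entry_number]
        return True

    def is_bound(self, ip: str, mac: str) -> bool:
        """Step 602: is there an added entry with exactly this (IP, MAC) pair?"""
        try:
            ip_n, mac_n = normalize_pair(ip, mac)
        except ValueError:
            return False
        return any(e.ip == ip_n and e.mac == mac_n and e.binding_property == ENTRY_ADDED
                   for e in self.table.values())

    # Figure 6, steps 602 to 608, for one frame received on this port
    def decide(self, src_ip: str, src_mac: str) -> str:
        if self.is_bound(src_ip, src_mac):                       # steps 603 to 605
            return "forward" if self.binding_mode == FORWARD_BINDING else "discard"
        return "discard" if self.binding_mode == FORWARD_BINDING else "forward"  # 606 to 608


def demo() -> List[str]:
    """Constructed scenario: a port allowed two hosts, then frames from a bound
    host, a host reusing a bound IP with a different MAC, and an unknown host."""
    port = MacBridgePortBindingTableME(me_id=0x0101)   # constructed management entity id
    port.configure(FORWARD_BINDING, table_size=2)
    port.add_entry(1, "192.168.1.10", "00-11-22-33-44-55")
    port.add_entry(2, "192.168.1.11", "00:11:22:33:44:66")
    frames = [("192.168.1.10", "00:11:22:33:44:55"),   # bound host
              ("192.168.1.10", "00:11:22:33:44:99"),   # bound IP, foreign MAC
              ("10.0.0.7", "aa:bb:cc:dd:ee:ff")]       # unknown host
    return [port.decide(ip, mac) for ip, mac in frames]


if __name__ == "__main__":
    print(demo())   # ['forward', 'discard', 'discard']
```

In forward binding mode the table is an allow-list for the user port: a frame whose source IP belongs to a bound host but whose source MAC differs is discarded, which is the IP-theft case the description mentions, and the table size bounds how many source addresses a single port can introduce. Reverse binding turns the same table into a deny-list, which is why `decide` inverts the outcome rather than consulting a second table.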
Figure 7 shows a block diagram of the system according to an embodiment of the present invention. As shown in Figure 7, the system includes a management unit (701), an OLT (702) and an ONU or ONT (703), where:
the management unit (701) is used to set a binding message for binding a port address and to send the binding message to the OLT (702);
the OLT (702) is used to receive the binding message sent by the management unit, generate a configuration message from the binding message, and send the configuration message to the ONU or ONT through the OMCC channel;
the configuration message includes, derived from the binding message, a configuration message for adding a binding entry, a configuration message for deleting a binding entry, and a configuration message for configuring the binding mode and the binding table size.
The configuration message for adding a binding entry contains management entity identifier information derived from the Ethernet user port identification information set by the management unit, and add-binding-entry information, which includes the entry number, the entry binding property indicating addition, the IP address and the MAC address. The configuration message for deleting a binding entry contains management entity identifier information derived from the Ethernet user port identification information set by the management unit, and delete-binding-entry information, which includes the entry number, the entry binding property indicating deletion, the IP address and the MAC address.
The configuration message for configuring the binding mode and binding table size contains management entity identifier information derived from the Ethernet user port identification information set by the management unit, binding table size information and binding mode information.
The ONU or ONT (703) is used to set, according to the configuration message, the information of the instance specified by the management entity identification information in the MAC bridge port binding table management entity, and to forward or discard received data frames according to the address binding table and binding mode in the MAC bridge port binding table management entity.
The management unit (701) sends the binding message it sets for port address binding to the OLT (702) as Simple Network Management Protocol (SNMP) messages. The OLT (702) receives the binding message from the management unit (701), generates a configuration message from it, and sends the configuration message through the OMCC channel to the ONU or ONT (703), which sets the MAC bridge port binding table management entity according to the configuration message. If the configuration message configures the binding mode and binding table size, the binding mode information and binding table size information are modified in the MAC bridge port binding table management entity; if it adds a binding entry, the binding entry number information, the entry binding property indicating addition, and the IP address and MAC address information to be added are added to the MAC bridge port binding table management entity instance; if it deletes a binding entry, the binding entry with the corresponding binding entry number is deleted from the MAC bridge port binding table management entity instance.
In summary, by using the MAC bridge port binding table management entity, the present invention binds the IP address and MAC address of the user host to the Ethernet user port, achieves full control of user rights in the network, solves problems such as MAC address flooding attacks and IP address theft in the user network, and so strengthens the security of the user network. In addition, the number of user host IP address and MAC address entries that the MAC bridge port binding table management entity binds to an Ethernet user port can be configured freely, binding entries can be freely added and deleted, and the binding mode of the entries can be selected, which is convenient and flexible.
Although the present invention has been described in detail above, the present invention is not limited thereto, and those skilled in the art may make various modifications according to the principles of the present invention. Therefore, all modifications made according to the principles of the present invention should be understood as falling within the scope of protection of the present invention.

Claims

1、 一种实现端口地址绑定的配置方法, 其特征在于, 所述方法包括: 设置包含用户主机 IP地址和 MAC地址、 以太网用户端口标识的绑定 消息, 并将绑定消息发送到光线路终端 OLT;  A method for configuring port address binding, the method includes: setting a binding message including a user host IP address, a MAC address, and an Ethernet user port identifier, and sending the binding message to the light Line terminal OLT;
OLT根据绑定消息生成包含所述 IP地址和所述 MAC地址、 管理实体 标识的配置消息, 并将配置消息发送至光网络单元 ONU 或光网络终端 ONT, 其中, 所述管理实体标识与所述以太网用户端口标识对应;  The OLT generates a configuration message including the IP address, the MAC address, and the management entity identifier according to the binding message, and sends the configuration message to the optical network unit ONU or the optical network terminal ONT, where the management entity identifier is The Ethernet user port identifier corresponds to
ONU或 ONT根据收到的配置消息, 将所述 IP地址和 MAC地址写入 MAC桥端口绑定表管理实体的管理实体标识符指定的绑定表中。  The ONU or the ONT writes the IP address and the MAC address into the binding table specified by the management entity identifier of the MAC bridge port binding table management entity according to the received configuration message.
2、 根据权利要求 1所述的配置方法, 其特征在于, 所述方法还包括: 所述 MAC桥端口绑定表管理实体通过与 MAC桥端口配置管理实体相同的 管理实体标识符, 与指向以太网用户端口的 MAC桥端口配置管理实体对 应。  2. The configuration method according to claim 1, wherein the method further comprises: the MAC bridge port binding table management entity, by using the same management entity identifier as the MAC bridge port configuration management entity, and pointing to the Ethernet The MAC bridge port configuration management entity of the network user port corresponds.
3 、 根据权利要求 1或 2所述的配置方法, 其特征在于, 所述配置消 息包括通过所述绑定消息得到的用于添加绑定条目的配置消息、 用于删除 绑定条目的配置消息和用于配置绑定模式和绑定表大小的配置消息。  The configuration method according to claim 1 or 2, wherein the configuration message includes a configuration message for adding a binding entry obtained by using the binding message, and a configuration message for deleting a binding entry. And configuration messages for configuring the binding mode and binding table size.
4、 根据权利要求 3所述的配置方法, 其特征在于, 所述方法还包括: 配置完成后, 若 ONU或 ONT通过以太网用户端口接收的数据帧的 IP 地址和 MAC地址存在于 MAC桥端口绑定表管理实体的绑定表中, 则接收 所述数据帧的以太网用户端口的绑定模式为正向绑定时转发数据帧, 所述 绑定模式为反向绑定时丟弃数据帧。  The configuration method according to claim 3, wherein the method further comprises: after the configuration is completed, if an IP address and a MAC address of the data frame received by the ONU or the ONT through the Ethernet user port are present in the MAC bridge port In the binding table of the binding table management entity, the binding mode of the Ethernet user port that receives the data frame is forwarded when the binding is forwarded, and the binding mode is the data binding in the reverse binding. frame.
5、 根据权利要求 4所述的配置方法, 其特征在于, 所述方法还包括: 配置完成后, 若 ONU或 ONT通过以太网用户端口接收的数据帧的 IP 地址和 MAC地址不存在于 MAC桥端口绑定表管理实体的绑定表中, 则接 收所述数据帧的以太网用户端口的绑定模式为反向绑定时转发数据帧, 所 述绑定模式为正向绑定时丟弃数据帧。 The configuration method according to claim 4, wherein the method further comprises: after the configuration is completed, if the IP address and MAC address of the data frame received by the ONU or the ONT through the Ethernet user port do not exist in the MAC bridge In the binding table of the port binding table management entity, the binding mode of the Ethernet user port that receives the data frame is a data frame that is forwarded when the binding is reversed. The binding mode is to discard data frames when forward binding.
6、根据权利要求 3所述的配置方法,其特征在于,当所述 ONU或 ONT 收到的配置消息为用于添加绑定条目的配置消息时, 所述 ONU或 ONT在 MAC桥端口绑定表管理实体中添加包括条目编号、表示添加的条目绑定性 质、 IP地址、 MAC地址的绑定条目。  The configuration method according to claim 3, wherein when the configuration message received by the ONU or the ONT is a configuration message for adding a binding entry, the ONU or the ONT is bound on the MAC bridge port. A binding entry including an entry number, an added entry binding property, an IP address, and a MAC address is added to the table management entity.
7、根据权利要求 3所述的配置方法,其特征在于,当所述 ONU或 ONT 收到的配置消息为用于删除绑定条目的配置消息时, 所述 ONU或 ONT在 MAC桥端口绑定表管理实体中删除包括条目编号、表示删除的条目绑定性 质、 IP地址、 MAC地址的绑定条目。  The configuration method according to claim 3, wherein when the configuration message received by the ONU or the ONT is a configuration message for deleting a binding entry, the ONU or the ONT is bound on the MAC bridge port. The table management entity deletes the binding entry including the entry number, the binding binding property indicating the deletion, the IP address, and the MAC address.
8、根据权利要求 3所述的配置方法,其特征在于,当所述 ONU或 ONT 收到的配置消息为用于配置绑定模式和绑定表大小的配置消息时, 所述 ONU或 ONT在 MAC桥端口绑定表管理实体中配置绑定模式信息和绑定表 大小信息。  The configuration method according to claim 3, wherein when the configuration message received by the ONU or the ONT is a configuration message for configuring a binding mode and a binding table size, the ONU or the ONT is Binding mode information and binding table size information are configured in the MAC bridge port binding table management entity.
9. A system for implementing port address binding, wherein the system comprises: a management unit, configured to set a binding message comprising a user host IP address and MAC address and an Ethernet user port identifier, and to send the binding message to an optical line terminal (OLT);
the OLT, configured to generate, according to the binding message, a configuration message comprising the IP address, the MAC address and a management entity identifier, and to send the configuration message to an optical network unit (ONU) or optical network terminal (ONT), wherein the management entity identifier corresponds to the Ethernet user port identifier;
the ONU or ONT, configured to write, according to the received configuration message, the IP address and the MAC address into the binding table designated by the management entity identifier of the MAC bridge port binding table management entity.
10. The system according to claim 9, wherein the MAC bridge port binding table management entity corresponds to the MAC bridge port configuration management entity that points to the Ethernet user port by sharing the same management entity identifier as that MAC bridge port configuration management entity.
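The following Python model is added here to illustrate claims 5 to 10 end to end; it is not code from the patent or from the applicant. It assumes its own message field names (`op`, `port`, `number`, `ip`, `mac`, `mode`, `size`), assumed management entity identifiers (0x0101, 0x0102) shared between the MAC bridge port configuration ME and the binding table ME of each user port, and a constructed host binding. Claim 5 only fixes the decision for address pairs that are absent from the binding table; the behaviour for listed pairs (forwarded under forward binding, discarded under reverse binding) is an assumption marked in the code. Addresses are canonicalised before comparison so that a MAC written with dashes or upper-case hex still matches its entry.

```python
"""Model of the port address binding flow of claims 5-10 (added example, not the
patent's or the applicant's code).  Message field names, the ME identifier values
and the handling of a *listed* pair are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address
from typing import Dict, Tuple


class BindingMode(Enum):
    FORWARD = "forward"   # pairs absent from the table are discarded
    REVERSE = "reverse"   # pairs absent from the table are forwarded


def normalise(ip: str, mac: str) -> Tuple[str, str]:
    """Canonical (IP, MAC) key: 'AA-BB-CC-DD-EE-01' and 'aa:bb:cc:dd:ee:01' must hit
    the same entry; a check on raw strings would miss one of them."""
    mac_hex = mac.replace("-", "").replace(":", "").lower()
    if len(mac_hex) != 12 or any(c not in "0123456789abcdef" for c in mac_hex):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return str(ip_address(ip)), ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))


@dataclass
class BindingTableME:
    """MAC bridge port binding table ME, one per Ethernet user port; its me_id equals
    that of the port's MAC bridge port configuration ME (claim 10)."""
    me_id: int
    mode: BindingMode = BindingMode.FORWARD
    size: int = 8
    entries: Dict[int, Tuple[str, str]] = field(default_factory=dict)

    def set_mode_and_size(self, mode: BindingMode, size: int) -> None:
        """Claim 8: configure binding mode and binding table size."""
        if size < len(self.entries):
            raise ValueError("new table size is below the current entry count")
        self.mode, self.size = mode, size

    def add_entry(self, number: int, ip: str, mac: str) -> bool:
        """Claim 6: add an entry; refused (False) when the table is full."""
        if number not in self.entries and len(self.entries) >= self.size:
            return False
        self.entries[number] = normalise(ip, mac)
        return True

    def delete_entry(self, number: int, ip: str, mac: str) -> bool:
        """Claim 7: delete the entry, only when number, IP and MAC all match."""
        if self.entries.get(number) != normalise(ip, mac):
            return False
        del self.entries[number]
        return True

    def forward(self, ip: str, mac: str) -> bool:
        """Claim 5 decision for a frame received on this user port."""
        if normalise(ip, mac) not in self.entries.values():
            return self.mode is BindingMode.REVERSE
        return self.mode is BindingMode.FORWARD   # assumed complement for listed pairs


class OLT:
    """Rewrites the binding message's port identifier into the ME identifier of the
    configuration message (claim 9); the port-to-ME map is an assumption."""
    def __init__(self, port_to_me: Dict[str, int]):
        self.port_to_me = port_to_me

    def to_config_message(self, binding_msg: dict) -> dict:
        cfg = dict(binding_msg)
        cfg["me_id"] = self.port_to_me[cfg.pop("port")]
        return cfg


class ONU:
    """Holds one binding table ME per user port and applies configuration messages."""
    def __init__(self, me_ids):
        self.tables = {me: BindingTableME(me) for me in me_ids}

    def apply(self, cfg: dict) -> bool:
        t = self.tables[cfg["me_id"]]
        if cfg["op"] == "add":
            return t.add_entry(cfg["number"], cfg["ip"], cfg["mac"])
        if cfg["op"] == "delete":
            return t.delete_entry(cfg["number"], cfg["ip"], cfg["mac"])
        if cfg["op"] == "mode":
            t.set_mode_and_size(BindingMode(cfg["mode"]), cfg["size"])
            return True
        raise ValueError(f"unknown operation {cfg['op']!r}")

    def receive(self, me_id: int, ip: str, mac: str) -> str:
        return "forward" if self.tables[me_id].forward(ip, mac) else "drop"


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: bind one host to user port eth1, then test frames."""
    olt = OLT({"eth1": 0x0101, "eth2": 0x0102})          # assumed ME identifiers
    onu = ONU(olt.port_to_me.values())

    def send(msg: dict) -> bool:                         # management unit -> OLT -> ONU
        return onu.apply(olt.to_config_message(msg))

    host = {"ip": "192.168.1.10", "mac": "AA-BB-CC-DD-EE-01"}   # constructed host
    other = {"ip": "192.168.1.11", "mac": "aa:bb:cc:dd:ee:02"}  # constructed host
    out: Dict[str, object] = {}
    send({"op": "mode", "port": "eth1", "mode": "forward", "size": 1})
    send({"op": "add", "port": "eth1", "number": 1, **host})
    out["table_full"] = not send({"op": "add", "port": "eth1", "number": 2, **other})
    out["listed_forward_mode"] = onu.receive(0x0101, "192.168.1.10", "aa:bb:cc:dd:ee:01")
    out["unlisted_forward_mode"] = onu.receive(0x0101, "192.168.1.11", "aa:bb:cc:dd:ee:01")
    send({"op": "mode", "port": "eth1", "mode": "reverse", "size": 1})
    out["unlisted_reverse_mode"] = onu.receive(0x0101, "192.168.1.11", "aa:bb:cc:dd:ee:01")
    send({"op": "mode", "port": "eth1", "mode": "forward", "size": 1})
    send({"op": "delete", "port": "eth1", "number": 1, **host})
    out["after_delete_forward_mode"] = onu.receive(0x0101, "192.168.1.10", "aa:bb:cc:dd:ee:01")
    return out
```

Running `run_scenario()` shows the forward-binding port acting as an allow list (an unlisted pair is dropped, and the bound host is dropped again once its entry is deleted), the reverse-binding mode letting unlisted pairs through, and the table size from claim 8 refusing a second entry once the table holds one.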
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201010238888.4A (published as CN101888575B) | 2010-07-28 | 2010-07-28 | Configuration method and system for realizing port address binding
CN201010238888.4 | 2010-07-28 | |

Publications (1)

Publication Number | Publication Date
WO2012013042A1 | 2012-02-02

Family

ID=43074253

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2011/071834 (WO2012013042A1) | Configuration method and system for implementing the port address binding | 2010-07-28 | 2011-03-15

Country Status (2)

Country | Link
CN | CN101888575B
WO | WO2012013042A1

Also Published As

Publication number Publication date
CN101888575B (en) 2015-04-01
CN101888575A (en) 2010-11-17

Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11811744; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 11811744; Country of ref document: EP; Kind code of ref document: A1