WO2017107871A1 - Access control method and network device - Google Patents


Info

Publication number: WO2017107871A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2016/110471
Prior art keywords: host, vlan, network device, access, address
Other languages: French (fr), Chinese (zh)
Inventor: 谢莹
Original Assignee: 华为技术有限公司

Classifications

    • All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/4641 Interconnection of networks; virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L 63/0876 Network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/20 Network security, for managing network security; network security policies in general

Definitions

  • The present invention relates to the field of communications and, more particularly, to an access control method and a network device.
  • Virtual local area network aggregation (VLAN aggregation), also known as super VLAN technology, is a technology in which multiple VLANs share one IP address segment.
  • A gateway created in a super VLAN can be shared by multiple sub-VLANs, and broadcast traffic between different sub-VLANs is isolated. If traffic needs to be exchanged between different sub-VLANs, proxy address resolution protocol (proxy ARP) is enabled in the super VLAN or in the sub-VLANs so that the gateway answers ARP requests on behalf of hosts in other sub-VLANs (a proxy ARP reply, rendered "ARP pickup" in the machine translation of the original).
  • To do so, the gateway on the super VLAN responds to the ARP request with its own media access control (MAC) address in place of the MAC address of the second host.
  • However, the proxy ARP of the super VLAN can only switch proxy replies on or off: either all sub-VLANs in the super VLAN receive proxy ARP replies or none do, and no policy-based access control between sub-VLANs is possible.
  • Embodiments of the present invention provide an access control method and a network device, which are capable of controlling access between hosts.
  • In a first aspect, an access control method is provided: the network device receives a first address resolution protocol (ARP) request sent by a first host, where the first ARP request requests the media access control (MAC) address of a second host and carries the identifier of the first virtual local area network (VLAN) to which the first host belongs and the IP address of the second host; the network device determines, according to the IP address of the second host, that the second host belongs to a second VLAN; and the network device determines, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  • For example, host A wants to access host B, whose IP address is known, and first sends a first ARP request for host B to request its MAC address.
  • The first ARP request carries the identifier of the first VLAN to which host A belongs.
  • The network device can determine the second VLAN to which host B belongs.
  • The network device may have a preset access control relationship between the first VLAN and the second VLAN, for example allowing the first VLAN to access the second VLAN, or prohibiting the first VLAN from accessing the second VLAN.
  • After the ARP proxy function between the sub-VLANs is enabled on the network device, the network device receives the first ARP request, checks the preset access control relationship between the first VLAN and the second VLAN, and thereby determines whether to send the MAC address of the network device to the first host.
  • In this way the network device receives an ARP request that is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; it determines from the IP address of the second host that the second host belongs to the second VLAN; and it decides, according to the preset access policy between the first VLAN and the second VLAN, whether to send its own MAC address to the first host. The network device can thus send proxy ARP replies selectively for hosts in different VLANs according to the preset access policy, implementing policy-based control of host access.
  • In a possible implementation, determining that the second host belongs to the second VLAN includes: the network device sends a second ARP request according to the IP address of the second host; the network device receives an ARP response sent by the second host to the second ARP request, where the ARP response includes the identifier of the second VLAN to which the second host belongs; and the network device thereby determines that the second host belongs to the second VLAN.
  • When the network device receives the first ARP request carrying the IP address of the second host, it may be able to learn the second VLAN of the second host directly from that IP address; for example, the second VLAN of the second host may already be recorded in the ARP forwarding table of the network device.
  • If the network device cannot directly learn the second VLAN to which the second host belongs, it sends a second ARP request for the IP address of the second host to all sub-VLANs in the super VLAN except the first VLAN.
  • The second host in the second VLAN replies to the gateway of the network device with an ARP response to the second ARP request, and the ARP response carries the identifier of the second VLAN.
  • The network device can thereby determine the second VLAN to which the second host belongs.
  • In a possible implementation, determining whether to send the MAC address of the network device to the first host includes: if the preset access policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send the MAC address of the network device to the first host.
  • The network device presets an access policy between the first VLAN and the second VLAN; for example, it allows the first VLAN to access the second VLAN, or it prohibits the first VLAN from accessing the second VLAN. According to that policy, the network device decides whether to send its own MAC address to the first host in place of the MAC address of the second host. If the policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send its MAC address to the first host; the first host then receives no MAC address and cannot access the second host.
  • In a possible implementation, determining whether to send the MAC address of the network device to the first host includes: if the preset access policy allows the first VLAN to access the second VLAN, the network device determines to send the MAC address of the network device to the first host.
  • The network device presets an access policy for the first VLAN accessing the second VLAN; for example, it allows the first VLAN to access the second VLAN, or it prohibits the first VLAN from accessing the second VLAN. According to that policy, the network device decides whether to send its own MAC address to the first host in place of the MAC address of the second host. If the policy allows the first VLAN to access the second VLAN, the network device sends its MAC address to the first host; the first host receives it, treats it as the MAC address of the second host, and can then access the second host through forwarding by the network device.
  • In a possible implementation, the access control method further includes: the network device receives an access message sent by the first host and sends the access message to the second host.
  • The first host receives the MAC address sent by the network device. Because the network device sent its own MAC address in place of the MAC address of the second host, the first host treats it as the MAC address of the second host and begins to access the second host.
  • The first host sends an access message to that MAC address; the access message first arrives at the network device and is forwarded by the network device to the second host, thereby implementing access by the first host to the second host.
  • The present application further provides a network device including modules for performing the access control method of the first aspect.
  • The present application further provides a network device including a processor and a memory, where the memory stores a program and the processor executes the program to perform the access control method of the first aspect or any of its possible implementations.
  • In each case the network device receives an ARP request that is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; determines, according to the IP address of the second host, that the second host belongs to the second VLAN; and determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  • The network device can thus send proxy ARP replies selectively for hosts in different VLANs according to the preset access policy, implementing policy-based control of host access.
  • FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of an access control method according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a specific embodiment of an access control method according to an embodiment of the present invention.
  • FIG. 4 is a schematic block diagram of a network device in accordance with an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present invention.
  • In an application scenario, a super VLAN is configured on a network, and users are assigned to different sub-VLANs.
  • The principle of VLAN aggregation is that a super VLAN contains multiple sub-VLANs, each sub-VLAN is a broadcast domain, and different sub-VLANs are isolated from each other.
  • A super VLAN can be configured with a Layer 3 interface; a sub-VLAN cannot.
  • The Internet Protocol (IP) address of the Layer 3 interface of the super VLAN is used as the gateway address.
  • ARP is a protocol of the Transmission Control Protocol (TCP)/IP suite for obtaining physical addresses. A node broadcasts an ARP request for an IP address to the network, and the node owning that IP address returns a response confirming its MAC address; packets can then be transmitted to it.
  • For two hosts on a LAN to communicate, the IP address of the destination host must be known, but the physical network card that transmits data cannot identify an IP address; it only identifies MAC addresses. A MAC address is a globally unique serial number composed of 12 hexadecimal digits.
  • Communication between hosts is in practice communication between network cards, which is based on the MAC address of the other party, and ARP is the network protocol that converts the IP address in a data packet into a MAC address.
  • Proxy ARP means that one device responds to an ARP request on behalf of another device. For example, device 1 and device 2 belong to different broadcast domains but are in the same network segment. Device 1 sends an ARP request broadcast for device 2 to obtain its MAC address; because the router does not forward broadcast packets, the ARP request reaches only the router and cannot reach device 2.
  • The router inspects the ARP request and finds that the destination IP address belongs to another network it is connected to, so it substitutes its own interface MAC address for the MAC address of device 2 and sends an ARP response to device 1.
  • After receiving the ARP reply, device 1 takes the interface MAC address of the router to be the MAC address of device 2 and does not perceive the ARP proxy. In subsequent data communication, device 1 first sends the data to the router, which forwards it to device 2.
  • In the scenario of FIG. 1, host A compares the IP address of host B (10.1.1.12) with its own network segment 10.1.1.2-10.1.1.11 and finds that host B is on the same subnet as itself, but the ARP table of host A has no entry for host B, so host A sends an ARP request broadcast for the MAC address of host B. Host B cannot receive this ARP request because it is not in the broadcast domain of VLAN 2. However, the ARP proxy function between sub-VLANs is enabled on the gateway, and the gateway is in the super VLAN and is allowed to receive packets from the sub-VLANs, so the gateway starts processing when it receives the first ARP request from host A.
  • The gateway sends an ARP request broadcast to all other sub-VLAN interfaces to request the MAC address of host B.
  • After receiving the ARP broadcast sent by the gateway, host B sends an ARP reply. After the gateway receives the response from host B, it responds to host A with its own MAC address as the MAC address of host B. Host A then takes the MAC address of the gateway to be the MAC address of host B, so packets that host A sends to host B go to the gateway first, and the gateway performs Layer 3 forwarding.
  • The proxy ARP function of VLAN aggregation can only turn proxy replies on or off for a given VLAN, without policy-based control: for a given VLAN, either the MAC address of the peer can be obtained or it cannot.
  • For example, if VLAN 2 supports proxy ARP replies in FIG. 1, then every other VLAN that VLAN 2 wants to access is answered by the super VLAN proxy.
  • VLAN 2 can then access both VLAN 3 and VLAN 4; it is impossible to allow VLAN 2 to access VLAN 3 while preventing VLAN 2 from accessing VLAN 4.
  • FIG. 2 shows a schematic diagram of an access control method 100 according to an embodiment of the present invention.
  • The access control method 100 can be performed by a network device and includes the following steps:
  • The network device receives a first address resolution protocol (ARP) request sent by the first host, where the first ARP request requests the media access control (MAC) address of the second host and carries the identifier of the first VLAN to which the first host belongs and the IP address of the second host.
  • The network device determines, according to the IP address of the second host, that the second host belongs to the second VLAN.
  • The network device determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  • Consider again the example in which host A needs to access host B, whose IP address is known, and first sends a first ARP request for host B to request the MAC address of host B.
  • The first ARP request carries the identifier of the first VLAN to which host A belongs.
  • The network device can determine the second VLAN to which host B belongs.
  • The network device may have a preset access control relationship between the first VLAN and the second VLAN, for example allowing the first VLAN to access the second VLAN, or prohibiting the first VLAN from accessing the second VLAN.
  • After the ARP proxy function between the sub-VLANs is enabled on the network device, the network device receives the first ARP request, checks the preset access control relationship between the first VLAN and the second VLAN, and thereby determines whether to send the MAC address of the network device to the first host.
  • The network device may be a Layer 3 switch or a router; the present invention does not limit this.
  • In practice the gateway, the super VLAN and the Layer 3 switch are on the same device, and the gateway and the super VLAN can be regarded as functional modules of the Layer 3 switch.
  • The following embodiments take a Layer 3 switch as an example, but the present invention is not limited thereto.
  • In the first step, the network device receives a first ARP request sent by the first host, where the first ARP request requests access to the second host and carries the identifier of the first VLAN to which the first host belongs and the IP address of the second host.
  • When the first host wants to access a second host in a different broadcast domain, only the IP address of the second host is known; the MAC address of the second host is not.
  • The first host therefore sends the first ARP request as a packet in order to obtain the MAC address of the second host; the source MAC address in the packet header is the MAC address of the first host. Because the first host and the second host are in different VLANs, the second host cannot receive the first ARP request, so the ARP proxy function between sub-VLANs is enabled on the network device.
  • The first host can deliver the first ARP request to the network device because the network device is in the super VLAN and is allowed to receive packets sent by the sub-VLANs.
  • In the second step, the network device determines, according to the IP address of the second host, that the second host belongs to the second VLAN.
  • On receiving the first ARP request from host A, the network device can search its ARP forwarding table and may directly find the second VLAN to which the second host named in the first ARP request belongs.
  • If the second VLAN is not found in the ARP forwarding table, determining that the second host belongs to the second VLAN includes:
  • the network device sends a second ARP request according to the IP address of the second host;
  • the network device receives an ARP response sent by the second host to the second ARP request, where the ARP response includes the identifier of the second VLAN to which the second host belongs;
  • the network device determines that the second host belongs to the second VLAN.
  • That is, when the network device receives the first ARP request carrying the IP address of the second host, it may be able to learn the second VLAN directly from that IP address; for example, the second VLAN of the second host may already be recorded in the ARP forwarding table of the network device.
  • If the network device cannot directly learn the second VLAN to which the second host belongs, it sends a second ARP request for the IP address of the second host to all sub-VLANs in the super VLAN except the first VLAN.
  • The second host in the second VLAN replies to the gateway of the network device with an ARP response to the second ARP request, and the ARP response carries the identifier of the second VLAN.
  • The network device can thereby determine the second VLAN to which the second host belongs.
  • In the third step, the network device determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  • The network device may preset the access policy between the VLANs according to user requirements or according to access statistics between the networks. For example, VLAN 2 can access VLAN 3, VLAN 3 can access VLAN 4, and VLAN 2 cannot access VLAN 4.
  • From the access policy between the VLANs it can be determined whether the MAC address of the network device is sent to the first host. If the first host receives the MAC address of the network device, it sends its access message using that MAC address as the MAC address of the second host, and the access of the first host to the second host is completed by forwarding the access message through the network device.
  • The access policy can also be configured directly to allow the first VLAN and the second VLAN to access each other, so that it is not necessary to set separately whether the first VLAN is allowed to access the second VLAN and whether the second VLAN is allowed to access the first VLAN; the present invention does not limit this.
  • Determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host includes: if the preset access policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send its MAC address to the first host.
  • The network device presets an access policy between the first VLAN and the second VLAN; for example, it allows the first VLAN to access the second VLAN, or it prohibits the first VLAN from accessing the second VLAN.
  • According to that policy, the network device decides whether to send its own MAC address to the first host in place of the MAC address of the second host. If the policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send its MAC address to the first host; the first host then receives no MAC address and cannot access the second host.
  • Determining whether to send the MAC address of the network device to the first host also includes: if the preset access policy allows the first VLAN to access the second VLAN, the network device sends its MAC address to the first host.
  • The network device presets an access policy for the first VLAN accessing the second VLAN; for example, it allows the first VLAN to access the second VLAN, or it prohibits the first VLAN from accessing the second VLAN.
  • According to that policy, the network device decides whether to send its own MAC address to the first host in place of the MAC address of the second host. If the policy allows the first VLAN to access the second VLAN, the network device sends its MAC address to the first host; the first host receives it and treats it as the MAC address of the second host, so that the access of the first host to the second host is completed by forwarding through the network device.
  • The packet header of the first ARP request sent by the first host includes the MAC address of the first host, so the network device can send its own MAC address to the first host using the MAC address of the first host as the destination.
  • The access control method further includes: the network device receives an access message sent by the first host and sends the access message to the second host.
  • The first host receives the MAC address sent by the network device; because the network device sent its own MAC address in place of the MAC address of the second host, the first host treats it as the MAC address of the second host and accesses the second host with it.
  • The first host sends an access message to that MAC address; the access message first arrives at the network device and is forwarded by the network device to the second host, thereby implementing access by the first host to the second host.
  • The network device can learn the MAC address of the second host from the ARP forwarding table, or obtain it through the second ARP request. It can therefore forward the access message sent by the first host according to the MAC address of the second host.
  • In summary, the network device receives the first ARP request sent by the first host, where the first ARP request requests the MAC address of the second host and carries the identifier of the first VLAN to which the first host belongs and the IP address of the second host; it determines from the IP address of the second host the second VLAN to which the second host belongs, and decides according to the preset access policy between the first VLAN and the second VLAN whether to send the MAC address of the network device to the first host.
  • If the preset access policy allows the first VLAN to access the second VLAN, the network device sends its MAC address to the first host, and the first host uses the MAC address of the network device as the MAC address of the second host to communicate with the second host; that communication is still forwarded through the network device. If the preset access policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send its MAC address to the first host, so that the first host cannot access the second host.
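As an added illustration (not code from the patent or its assignee), the following Python model simulates the decision flow of the network device described above: the ARP forwarding-table lookup, the second ARP request to the other sub-VLANs, the policy check on the (first VLAN, second VLAN) pair, and Layer 3 forwarding of the access message. The hosts, MAC addresses and the `SuperVlanGateway` class are constructed assumptions; the policy (VLAN 2 to VLAN 3 and VLAN 3 to VLAN 4 allowed, VLAN 2 to VLAN 4 not) is the one the text gives.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed MAC address for the super VLAN gateway interface (not taken from the patent).
GATEWAY_MAC = "00:00:5e:00:01:01"


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mac: str
    vlan: int           # sub-VLAN the host belongs to


@dataclass(frozen=True)
class ArpRequest:
    sender_mac: str
    sender_ip: str
    sender_vlan: int    # identifier of the first VLAN, carried with the request
    target_ip: str      # IP address of the second host


@dataclass(frozen=True)
class ArpReply:
    target_ip: str
    target_mac: str     # what the requester will use as the target's MAC
    vlan: int           # VLAN the reply is delivered to


class SuperVlanGateway:
    """Network device with proxy ARP between sub-VLANs and a per-VLAN-pair access policy."""

    def __init__(self, sub_vlans: Dict[int, List[Host]], policy: Set[Tuple[int, int]]):
        self.sub_vlans = sub_vlans        # sub-VLAN id -> hosts in that broadcast domain
        self.policy = set(policy)         # allowed (first_vlan, second_vlan) directions
        self.arp_table: Dict[str, Tuple[str, int]] = {}   # ip -> (real MAC, VLAN)
        self.decisions: List[str] = []    # audit trail of allow/deny decisions

    def _second_vlan(self, target_ip: str, first_vlan: int) -> Optional[int]:
        """Find the target's VLAN: ARP forwarding table first, second ARP request otherwise."""
        if target_ip in self.arp_table:
            return self.arp_table[target_ip][1]
        # The second ARP request goes to every sub-VLAN except the first VLAN; the
        # response from the owning host carries its MAC and its VLAN identifier.
        for vlan_id, hosts in self.sub_vlans.items():
            if vlan_id == first_vlan:
                continue
            for host in hosts:
                if host.ip == target_ip:
                    self.arp_table[host.ip] = (host.mac, host.vlan)
                    return host.vlan
        return None

    def handle_arp_request(self, req: ArpRequest) -> Optional[ArpReply]:
        """Return a proxy reply carrying the gateway MAC, or None to refuse."""
        second_vlan = self._second_vlan(req.target_ip, req.sender_vlan)
        if second_vlan is None:
            self.decisions.append(f"{req.target_ip}: unknown host, no reply")
            return None
        if (req.sender_vlan, second_vlan) not in self.policy:
            self.decisions.append(f"VLAN {req.sender_vlan} -> VLAN {second_vlan}: denied")
            return None   # policy prohibits access: the gateway MAC is withheld
        self.decisions.append(f"VLAN {req.sender_vlan} -> VLAN {second_vlan}: allowed")
        return ArpReply(req.target_ip, GATEWAY_MAC, req.sender_vlan)

    def forward(self, dst_mac: str, dst_ip: str) -> Optional[Host]:
        """Layer 3 forwarding of an access message addressed to the gateway MAC."""
        if dst_mac != GATEWAY_MAC or dst_ip not in self.arp_table:
            return None
        real_mac, vlan = self.arp_table[dst_ip]
        return next((h for h in self.sub_vlans.get(vlan, []) if h.mac == real_mac), None)


def host_access(gw: SuperVlanGateway, src: Host, dst_ip: str) -> Optional[Host]:
    """Full exchange: first ARP request, policy decision, then the access message."""
    reply = gw.handle_arp_request(ArpRequest(src.mac, src.ip, src.vlan, dst_ip))
    if reply is None:
        return None   # no MAC learned, so the host cannot send the access message
    # The host takes the gateway MAC to be the second host's MAC and sends to it.
    return gw.forward(reply.target_mac, dst_ip)


def demo() -> Dict[str, Optional[str]]:
    """Constructed topology with the policy from the text: 2->3 and 3->4 allowed, 2->4 not."""
    a = Host("A", "10.1.1.2", "aa:aa:aa:aa:aa:02", 2)
    b = Host("B", "10.1.1.12", "bb:bb:bb:bb:bb:12", 3)
    c = Host("C", "10.1.1.22", "cc:cc:cc:cc:cc:22", 4)
    gw = SuperVlanGateway({2: [a], 3: [b], 4: [c]}, {(2, 3), (3, 4)})
    results: Dict[str, Optional[str]] = {}
    for src, dst in ((a, b), (a, c), (b, c), (c, b)):
        reached = host_access(gw, src, dst.ip)
        results[f"{src.name}->{dst.name}"] = reached.name if reached else None
    return results
```

`demo()` returns which host each attempt reached (`None` where the gateway withheld its MAC), and `gw.decisions` keeps the allow/deny record an operator would want to log.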
  • FIG. 3 is a schematic flowchart diagram of a specific embodiment of an access control method according to an embodiment of the present invention.
  • the meanings of the various terms in the embodiments of the present invention are the same as those of the foregoing embodiments.
  • the network device receives, by the first host, a first ARP request that carries an identifier of the first virtual local area network VLAN to which the first host belongs and an IP address of the second host, where the first ARP request is used to request to access the second host. .
  • the network device determines, according to the IP address of the second host, a second VLAN to which the second host belongs.
  • the network device cannot directly learn the second VLAN to which the second host belongs, send a second ARP request to all the sub VLANs in the super VLAN except the first VLAN to determine the second host according to the IP address of the second host.
  • the second host in the second VLAN replies to the gateway device of the network device with an ARP response for responding to the second ARP request, where the ARP response carries the second VLAN.
  • the network device can determine the second VLAN to which the second host belongs.
  • the network device determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  • the network device presets an access policy for the first VLAN accessing the second VLAN; the access policy is either that the network device allows the first VLAN to access the second VLAN or that it prohibits the first VLAN from accessing the second VLAN. If the network device allows the first VLAN to access the second VLAN, it sends the MAC address of the network device to the first host so that the first host can access the second host, and step S304 is performed.
  • otherwise, step S305 is performed.
  • the first host is capable of accessing the second host.
  • access by the first host to the second host is achieved through forwarding by the network device.
  • the first host cannot access the second host.
  • the network device receives the access message that is sent by the first host to the second host.
  • the network device determines, according to the access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host, so that the network device can selectively answer, with its own MAC address, the ARP requests of hosts in different VLANs according to a preset access policy, which enables policy-based control of host access.
  • the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
  • FIG. 4 shows a schematic block diagram of a network device 500 in accordance with an embodiment of the present invention.
  • the network device 500 includes:
  • the first receiving module 510 is configured to receive a first address resolution protocol ARP request sent by the first host, where the first ARP request is used to request a media access control MAC address of the second host, and the first ARP request includes the identifier of the first virtual local area network VLAN to which the first host belongs and the internet protocol IP address of the second host;
  • the first determining module 520 is configured to determine, according to the IP address of the second host, that the second host belongs to the second VLAN;
  • the second determining module 530 is configured to determine whether to send the MAC address of the network device to the first host according to the preset access policy between the first VLAN and the second VLAN.
  • the network device in the embodiment of the present invention receives the first ARP request, which is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; determines, according to the IP address of the second host, that the second host belongs to the second VLAN; and determines, according to a preset access policy, whether to send the MAC address of the network device to the first host instead of the MAC address of the second host, so that the network device can selectively answer the ARP requests of hosts in different VLANs according to the preset access policy, thereby implementing policy-based control of host access.
  • the first determining module 520 is specifically configured to:
  • the second determining module 530 is specifically configured to:
  • sending the MAC address of the network device to the first host is refused.
  • the second determining module 530 is specifically configured to:
  • the network device 500 further includes:
  • a second receiving module configured to receive an access message sent by the first host
  • a sending module configured to send the access message to the second host.
  • the network device of the embodiment of the present invention receives the ARP request, which is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; determines, according to the IP address of the second host, that the second host belongs to the second VLAN; and determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host, so that the network device can selectively answer, with its own MAC address, the ARP requests of hosts in different VLANs according to the preset access policy, thereby implementing policy-based control of host access.
  • FIG. 5 shows a structure of a network device according to an embodiment of the present invention, including at least one processor 702 (for example, a CPU), at least one network interface 705 or other communication interface, a memory 706, and at least one communication bus 703 for implementing connection and communication between these components.
  • the processor 702 is configured to execute executable instructions, such as a computer program, stored in the memory 706.
  • the memory 706 may include a high speed random access memory (RAM), and may also include a non-volatile memory, such as at least one disk memory.
  • a communication connection with at least one other network element is achieved by at least one network interface 705 (which may be wired or wireless).
  • the memory 706 stores a program 7061, and the processor 702 executes the program 7061 to perform the following operations:
  • the first ARP request is used to request a media access control MAC address of the second host, and the first ARP request includes the identifier of the first virtual local area network VLAN to which the first host belongs and the internet protocol IP address of the second host;
  • processor 702 is specifically configured to:
  • processor 702 is specifically configured to:
  • sending the MAC address of the network device to the first host is refused.
  • processor 702 is specifically configured to:
  • processor 702 is further configured to:
  • the access message is sent to the second host.
  • in the foregoing technical solution provided by the embodiment of the present invention, the network device receives an ARP request that is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host.
  • the network device can selectively answer, with the MAC address of the network device, the ARP requests of hosts in different VLANs according to the preset access policy, thereby implementing policy-based control of host access.
  • the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • in actual implementation there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, or the part of it that is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention.

Abstract

Provided are an access control method and a network device. The access control method comprises: a network device receiving a first address resolution protocol (ARP) request sent by a first host, wherein the first ARP request is used to request a media access control (MAC) address of a second host, and the first ARP request comprises an Internet protocol (IP) address of the second host and an identifier of a first virtual local area network (VLAN) to which the first host belongs; the network device determining, according to the IP address of the second host, that the second host belongs to a second VLAN; and the network device determining, according to a pre-set access policy between the first VLAN and the second VLAN, whether to send a MAC address of the network device to the first host. In the embodiments of the present invention, a network device can selectively respond with the MAC address of the network device to hosts in different VLANs according to a pre-set access policy, thereby achieving policy control over host access.

Description

Access control method and network device
The present application claims priority to Chinese Patent Application No. 201510989373.0, entitled "Access control method and network device", filed with the Chinese Patent Office on December 25, 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications and, more particularly, to an access control method and a network device.
Background
Virtual local area network aggregation (VLAN aggregation), also known as super VLAN technology, is a technology in which multiple VLANs share one IP address segment. For example, a gateway created on the super VLAN can be shared by multiple sub VLANs, while broadcast traffic between different sub VLANs remains isolated. If traffic needs to flow between different sub VLANs, proxy Address Resolution Protocol (proxy ARP) is enabled on the super VLAN or on the sub VLANs so that ARP requests are answered on the hosts' behalf. For example, when a first host in a first sub VLAN wants to access a second host in a second sub VLAN, the gateway on the super VLAN must reply with the gateway's media access control (MAC) address as the MAC address of the second host, and the access between the hosts is then completed through forwarding by the gateway.
In the prior art, proxy ARP on a super VLAN can only be switched on or off as a whole: either all the sub VLANs in the super VLAN have their ARP requests answered by proxy or none of them do, so policy-based access control cannot be implemented.
Summary of the invention
Embodiments of the present invention provide an access control method and a network device that are capable of controlling access between hosts.
In a first aspect, an access control method is provided. A network device receives a first Address Resolution Protocol (ARP) request sent by a first host, where the first ARP request is used to request a media access control (MAC) address of a second host and includes an identifier of a first virtual local area network (VLAN) to which the first host belongs and an IP address of the second host; the network device determines, according to the IP address of the second host, that the second host belongs to a second VLAN; and the network device determines, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
Host A wants to access host B, whose IP address is known, and first sends a first ARP request to host B to request the MAC address of host B; the first ARP request carries the first VLAN to which host A belongs. According to the IP address of host B, the network device can determine the second VLAN to which host B belongs. The network device may preset an access control relationship between the first VLAN and the second VLAN, for example, allowing the first VLAN to access the second VLAN or prohibiting the first VLAN from accessing the second VLAN. In this way, after the network device has enabled the ARP proxy function between sub VLANs, on receiving the first ARP request it can look up the preset access control relationship between the first VLAN and the second VLAN and thereby determine whether to send the MAC address of the network device to the first host.
Therefore, in the access control method of the embodiment of the present invention, the network device receives an ARP request that is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; determines, according to the IP address of the second host, that the second host belongs to the second VLAN; and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host, so that the network device can selectively answer, with its own MAC address, the ARP requests of hosts in different VLANs according to the preset access policy, thereby implementing policy-based control of host access.
With reference to the first aspect, in a first implementation of the first aspect, the network device determining, according to the IP address of the second host, that the second host belongs to the second VLAN includes: the network device sending a second ARP request according to the IP address of the second host; the network device receiving an ARP reply sent by the second host in response to the second ARP request, where the ARP reply includes the identifier of the second VLAN to which the second host belongs; and the network device determining that the second host belongs to the second VLAN.
The network device receives the first ARP request sent by the first host, which carries the IP address of the second host. The network device may directly learn the second VLAN to which the second host belongs from the IP address of the second host; for example, the second VLAN of the second host may already be recorded in the ARP forwarding table of the network device.
If the network device cannot directly learn the second VLAN to which the second host belongs, it sends, according to the IP address of the second host, a second ARP request to all sub VLANs in the super VLAN except the first VLAN, in order to determine the second VLAN to which the second host belongs. When the second host in the second VLAN receives the second ARP request, it replies to the gateway of the network device with an ARP reply in response to the second ARP request, and the ARP reply carries the second VLAN to which the second host belongs. The network device can thus determine the second VLAN to which the second host belongs.
With reference to the first aspect or the first possible implementation of the first aspect, in a second implementation of the first aspect, the network device determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host includes: if the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, the network device refusing to send the MAC address of the network device to the first host.
The network device presets an access policy between the first VLAN and the second VLAN; for example, the network device allows the first VLAN to access the second VLAN, or the network device prohibits the first VLAN from accessing the second VLAN. According to the access policy, the network device can determine whether to send its own MAC address to the first host in place of the MAC address of the second host. If, as required, the network device has preset that the first VLAN is prohibited from accessing the second VLAN, it decides to refuse to send its MAC address to the first host, so that the first host cannot receive the MAC address of the network device and therefore cannot access the second host.
With reference to the first aspect or the first possible implementation of the first aspect, in a third possible implementation of the first aspect, the network device determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host includes:
if the access policy preset by the network device allows the first VLAN to access the second VLAN, the network device determining to send the MAC address of the network device to the first host.
The network device presets an access policy for the first VLAN accessing the second VLAN; for example, the network device allows the first VLAN to access the second VLAN, or the network device prohibits the first VLAN from accessing the second VLAN. According to the access policy, the network device can determine whether to send its own MAC address to the first host in place of the MAC address of the second host. If, as required, the network device has preset that the first VLAN is allowed to access the second VLAN, it decides to send its MAC address to the first host, so that the first host, on receiving the MAC address of the network device, treats it as the MAC address of the second host, and access by the first host to the second host can then be completed through forwarding by the network device.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the access control method further includes: the network device receiving an access message sent by the first host; and the network device sending the access message to the second host.
The first host receives the MAC address sent by the network device. Because the network device sends this MAC address in place of the MAC address of the second host, the first host takes it to be the MAC address of the second host and begins to access the second host. The first host sends an access message to that MAC address; the access message first reaches the network device and is then forwarded by the network device to the second host, thereby implementing access by the first host to the second host.
In a second aspect, the present application provides a network device that includes modules for performing the access control method of the first aspect.
In a third aspect, a network device is provided, including a processor and a memory;
the memory stores a program, and the processor executes the program to perform the access control method of the first aspect or of any possible implementation of the first aspect.
Based on the foregoing technical solution, in the embodiment of the present invention the network device receives an ARP request that is sent by the first host, carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs, and requests the MAC address of the second host; determines, according to the IP address of the second host, that the second host belongs to the second VLAN; and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host, so that the network device can selectively answer, with its own MAC address, the ARP requests of hosts in different VLANs according to the preset access policy, thereby implementing policy-based control of host access.
Brief description of the drawings
In order to describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed in the embodiments of the present invention are briefly introduced below.
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present invention.
FIG. 2 is a schematic flowchart of an access control method according to an embodiment of the present invention.
FIG. 3 is a schematic flowchart of a specific embodiment of an access control method according to an embodiment of the present invention.
FIG. 4 is a schematic block diagram of a network device according to an embodiment of the present invention.
FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings in the embodiments of the present invention.
FIG. 1 shows an application scenario of an embodiment of the present invention: the network deploys a super VLAN on which the gateway is configured, and multiple users are divided into different VLANs. The principle of VLAN aggregation is that one super VLAN contains multiple sub VLANs, each sub VLAN is a broadcast domain, and different sub VLANs are isolated from each other at Layer 2. A Layer 3 interface can be configured on the super VLAN but not on a sub VLAN. When a host in a sub VLAN needs to perform Layer 3 communication, it uses the IP address of the super VLAN's Layer 3 interface as its gateway address, so that multiple sub VLANs share one Internet Protocol (IP) network segment, which saves IP address resources. The first VLAN and the second VLAN in the embodiments of the present invention are both sub VLANs.
ARP is a protocol of the Transmission Control Protocol (TCP)/IP suite for obtaining physical addresses. After a first ARP request for the IP address of a node is broadcast on the network, the node receives a reply confirming its MAC address, and only then can the data packet be transmitted. In a local area network, communication between two hosts requires knowing the IP address of the destination host, but the network interface card, the physical device that actually transmits data, cannot recognise IP addresses directly and only recognises MAC addresses. A MAC address is a globally unique serial number consisting of 12 hexadecimal digits. Communication between hosts is generally communication between network interface cards, which is carried out according to the MAC address of the other party, and ARP is the network protocol that translates the IP address in a data packet into a MAC address.
Proxy ARP means that one host, acting as a designated device, answers the ARP requests addressed to another device. For example, although device 1 and device 2 belong to different broadcast domains, they are in the same network segment, so device 1 broadcasts an ARP request for the MAC address of device 2; because routers do not forward broadcasts, the ARP request reaches only the router and not device 2. When proxy ARP is enabled on the router, the router inspects the ARP request, finds that the destination IP address belongs to another network to which it is connected, and therefore sends device 1 an ARP reply with its own interface MAC address in place of the MAC address of device 2. After receiving the ARP reply, device 1 takes the router's interface MAC address to be the MAC address of device 2 and is unaware that proxy ARP exists. In the subsequent data communication, device 1 first sends data to the router, which forwards it to device 2.
For example, in FIG. 1, host A compares the IP address of host B (10.1.1.12) with its own network segment 10.1.1.2-10.1.1.11 and finds that host B is in the same subnet as itself, but the ARP table of host A has no entry for host B, so host A broadcasts an ARP request for the MAC address of host B. Because host B is not in the broadcast domain of VLAN 2, it cannot receive this ARP request from host A. However, because the ARP proxy function between sub VLANs is enabled on the gateway, and the gateway is in the super VLAN and is allowed to receive packets from each sub VLAN below it, when the gateway receives the first ARP request from host A it looks up its ARP forwarding table and finds that the IP address of host B (10.1.1.12) in the first ARP request is reached via a directly connected interface route; the gateway then broadcasts an ARP request to all other sub VLAN interfaces, requesting the MAC address of host B. When host B receives the ARP broadcast sent by the gateway, it sends an ARP reply. After the gateway receives the reply from host B, it answers host A with its own MAC address as the MAC address of host B. After receiving the gateway's response, host A takes the MAC address of the gateway to be the MAC address of host B, so all packets that host A subsequently sends to host B go to the gateway first, and the gateway performs Layer 3 forwarding.
In the prior art, the proxy ARP function of VLAN aggregation can only switch on or off whether a given VLAN has its ARP requests answered by proxy, and does not support policy-based control; therefore, for a given VLAN, either the MAC address of the peer can always be obtained or it can never be obtained.
For example, in FIG. 1, if VLAN 2 has proxy ARP enabled, then all other VLANs that VLAN 2 wants to access are answered by the super VLAN on their behalf. VLAN 2 can then access both VLAN 3 and VLAN 4; it is impossible to allow VLAN 2 to access VLAN 3 while prohibiting VLAN 2 from accessing VLAN 4.
FIG. 2 is a schematic diagram of an access control method 100 according to an embodiment of the present invention. As shown in FIG. 2, the access control method 100 may be performed by a network device and includes:
S110. The network device receives a first Address Resolution Protocol (ARP) request sent by a first host, where the first ARP request is used to request the media access control (MAC) address of a second host and includes the identifier of the first virtual local area network (VLAN) to which the first host belongs and the Internet Protocol (IP) address of the second host;
S120. The network device determines, according to the IP address of the second host, that the second host belongs to a second VLAN;
S130. The network device determines, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
Specifically, when host A wants to access host B, whose IP address is known, it first sends a first ARP request to obtain host B's MAC address; the first ARP request carries the first VLAN to which host A belongs. From host B's IP address the network device can determine the second VLAN to which host B belongs. The network device may preset the access control relationship between the first VLAN and the second VLAN, for example allowing the first VLAN to access the second VLAN or prohibiting it. In this way, once the ARP proxy function between sub VLANs is enabled on the network device, on receiving the first ARP request it can look up the preset access control relationship between the first VLAN and the second VLAN and thereby determine whether to send its own MAC address to the first host.
It should be understood that the network device may be a Layer 3 switch or a router; the present invention does not limit this. It should also be understood that the gateway, the super VLAN and the Layer 3 switch reside on the same device, the gateway and the super VLAN being functional modules of the Layer 3 switch. For convenience of description, the following embodiments take a Layer 3 switch as an example, but the present invention is not limited thereto.
Therefore, in the access control method of this embodiment of the present invention, the network device receives from the first host an ARP request that carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs and that requests the MAC address of the second host; it determines from the IP address of the second host that the second host belongs to the second VLAN, and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host. The network device can thus selectively proxy-reply with its own MAC address to hosts in different VLANs according to the preset access policy, achieving policy-based control of host access.
In S110, the network device receives a first ARP request sent by the first host, where the first ARP request is used to request access to the second host and includes the identifier of the first VLAN to which the first host belongs and the IP address of the second host.
Specifically, when the first host wants to access a second host in a different broadcast domain, it knows only the second host's IP address and cannot learn its MAC address. The first host therefore sends the first ARP request as a packet to obtain the second host's MAC address; the MAC address in that packet's header is the first host's MAC address. Because the first host and the second host are in different VLANs, the second host cannot receive the first host's first ARP request. The ARP proxy function between sub VLANs is therefore enabled on the network device; because the network device is in the super VLAN and is allowed to receive packets sent by the sub VLANs beneath it, host A can send the first ARP request to the network device.
In S120, the network device determines, according to the IP address of the second host, that the second host belongs to the second VLAN.
Specifically, after the ARP proxy function between sub VLANs is enabled on the network device, the network device, on receiving host A's first ARP request, can look up its ARP forwarding table in the hope of directly finding the second VLAN to which the second host's IP address in the first ARP request belongs, together with the second host's MAC address. If the second VLAN of the second host and the second host's MAC address are not found in the ARP forwarding table, the network device can broadcast a second ARP request to all other sub VLAN interfaces to request the second host's MAC address and the second VLAN to which it belongs.
Optionally, the network device determining, according to the IP address of the second host, that the second host belongs to the second VLAN includes:
the network device sends a second ARP request according to the IP address of the second host;
the network device receives an ARP reply sent by the second host in response to the second ARP request, where the ARP reply includes the identifier of the second VLAN to which the second host belongs;
the network device determines that the second host belongs to the second VLAN.
Specifically, the network device receives the first ARP request sent by the first host, which carries the IP address of the second host; the network device may directly learn the second VLAN of the second host from that IP address, for example because the second host's VLAN has been recorded in the network device's ARP forwarding table.
If the network device cannot directly learn the second VLAN to which the second host belongs, it sends, according to the IP address of the second host, a second ARP request to all sub VLANs in the super VLAN except the first VLAN, in order to determine the second VLAN. When the second host in the second VLAN receives the second ARP request, it replies to the gateway of the network device with an ARP reply responding to the second ARP request, which carries the second VLAN to which the second host belongs. The network device can thereby determine the second VLAN to which the second host belongs.
In S130, the network device determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
Specifically, the network device can preset the access policies between VLANs according to user requirements or from access statistics between the networks. For example, VLAN 2 may access VLAN 3, VLAN 3 may access VLAN 4, and VLAN 2 may not access VLAN 4. According to the access policy between the VLANs, it is determined whether the MAC address of the network device is sent to the first host. If the first host receives the network device's MAC address, it uses that MAC address as the second host's MAC address and sends its access message; the network device forwards the access message, completing the first host's access to the second host.
It should be noted that the access policy may also be set directly so that the first VLAN and the second VLAN can access each other; it is then unnecessary to set separately whether the first VLAN may access the second VLAN and then whether the second VLAN may access the first VLAN. The present invention does not limit this.
Optionally, the network device determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host includes:
if the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, refusing to send the MAC address of the network device to the first host.
Specifically, the network device presets the access policy between the first VLAN and the second VLAN: for example, the network device allows the first VLAN to access the second VLAN, or prohibits the first VLAN from accessing the second VLAN. According to the access policy, the network device can determine whether to send its own MAC address to the first host in place of the second host's MAC address. If the network device has preset, according to requirements, that the first VLAN is prohibited from accessing the second VLAN, it decides to refuse to send its MAC address to the first host, so the first host cannot obtain the network device's MAC address and therefore cannot access the second host.
Optionally, the network device determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host includes:
if the access policy preset by the network device allows the first VLAN to access the second VLAN, determining to send the MAC address of the network device to the first host.
Specifically, the network device presets the access policy for the first VLAN accessing the second VLAN: for example, the network device allows the first VLAN to access the second VLAN, or prohibits the first VLAN from accessing the second VLAN. According to the access policy, the network device can determine whether to send its own MAC address to the first host in place of the second host's MAC address. If the network device has preset, according to requirements, that the first VLAN is allowed to access the second VLAN, it decides to send its MAC address to the first host; after the first host receives the network device's MAC address, it treats that address as the second host's MAC address, and the first host's access to the second host is then completed through forwarding by the network device.
It should be understood that, as described above, the header of the first ARP request packet sent by the first host contains the first host's MAC address; the network device can therefore send its own MAC address to the first host according to the first host's MAC address.
Optionally, the access control method further includes:
the network device receives an access message sent by the first host;
the network device sends the access message to the second host.
Specifically, the first host receives the MAC address sent by the network device, which the network device sent in place of the second host's MAC address; the first host therefore regards it as the second host's MAC address and can access the second host. The first host sends an access message to that MAC address; the access message first reaches the network device and is forwarded by it to the second host, achieving the first host's access to the second host.
It should be understood that, as described above, the network device can learn the second host's MAC address from the ARP forwarding table or by sending the second ARP request; the network device can therefore forward the access message sent by the first host according to the second host's MAC address.
Therefore, in the access control method of this embodiment of the present invention, the network device receives from the first host an ARP request that carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs and that requests the MAC address of the second host; it determines from the IP address of the second host that the second host belongs to the second VLAN, and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host. The network device can thus selectively proxy-reply with its own MAC address to hosts in different VLANs according to the preset access policy, achieving policy-based control of host access.
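The gateway-side decision of steps S110 to S130, together with the optional second ARP request and the forwarding of the access message, as an added Python simulation that is not code from the patent or from any Huawei product. The class and function names, the 10.1.1.0/24 super VLAN, the MAC addresses, host B's placement in VLAN 3, the default deny for VLAN pairs without a rule, and the policy re-check on the forwarding path are all this example's assumptions; the VLAN 2/3/4 policy is the one quoted in the text.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional, Tuple

# Constructed addresses (IANA documentation MAC range). Figure 1 gives only
# host B's IP (10.1.1.12); placing it in VLAN 3 is an assumption.
GATEWAY_MAC = "00:00:5e:00:53:01"
HOST_A_MAC = "00:00:5e:00:53:a2"   # host A, VLAN 2, 10.1.1.2
HOST_B_MAC = "00:00:5e:00:53:b3"   # host B, VLAN 3 (assumed), 10.1.1.12
HOST_C_MAC = "00:00:5e:00:53:c4"   # host C, VLAN 4, 10.1.1.22 (constructed)


@dataclass(frozen=True)
class ArpRequest:
    """The first ARP request as the gateway receives it (S110)."""
    sender_mac: str      # MAC in the frame header, used to address the reply
    sender_vlan: int     # VLAN tag of the first host's port
    target_ip: str       # IP address of the second host


class PolicyProxyArpGateway:
    """Simulated Layer 3 switch that hosts the super VLAN, proxies ARP between
    its sub VLANs, and answers only when the preset VLAN-pair policy allows."""

    def __init__(self, gateway_mac: str, super_subnet: str, sub_vlans: Iterable[int]) -> None:
        self.gateway_mac = gateway_mac
        self.super_subnet = IPv4Network(super_subnet)    # directly connected route
        self.sub_vlans = set(sub_vlans)
        self.arp_table: Dict[str, Tuple[str, int]] = {}   # IP -> (MAC, VLAN)
        self.policy: Dict[Tuple[int, int], bool] = {}     # (src VLAN, dst VLAN) -> allow
        # Stand-in for the wire: which MAC answers for an IP on each sub VLAN
        self._hosts: Dict[int, Dict[str, str]] = {v: {} for v in self.sub_vlans}

    def attach_host(self, vlan: int, ip: str, mac: str) -> None:
        self._hosts[vlan][ip] = mac

    def set_policy(self, src: int, dst: int, allow: bool, mutual: bool = False) -> None:
        """One-directional rule, or both directions at once when mutual=True."""
        self.policy[(src, dst)] = allow
        if mutual:
            self.policy[(dst, src)] = allow

    def _second_arp_request(self, target_ip: str, exclude: int) -> Optional[Tuple[str, int]]:
        """Broadcast the second ARP request on every sub VLAN except the
        requester's own; the reply carries the responder's MAC and VLAN."""
        for vlan in sorted(self.sub_vlans - {exclude}):
            mac = self._hosts[vlan].get(target_ip)
            if mac is not None:
                return mac, vlan
        return None

    def resolve_target(self, target_ip: str, sender_vlan: int) -> Optional[Tuple[str, int]]:
        """S120: ARP forwarding table first, second ARP request as the fallback."""
        entry = self.arp_table.get(target_ip)
        if entry is None:
            entry = self._second_arp_request(target_ip, sender_vlan)
            if entry is not None:
                self.arp_table[target_ip] = entry   # learn from the reply
        return entry

    def handle_arp_request(self, req: ArpRequest) -> Optional[str]:
        """S110-S130: the MAC returned to the first host (always the gateway's
        own), or None when the proxy reply is withheld."""
        if req.sender_vlan not in self.sub_vlans or IPv4Address(req.target_ip) not in self.super_subnet:
            return None                 # not a sub VLAN we proxy for / not directly connected
        entry = self.resolve_target(req.target_ip, req.sender_vlan)
        if entry is None:
            return None                 # no host answered, nothing to proxy
        _, target_vlan = entry
        # S130: pairs with no explicit rule are denied here. That default is this
        # example's assumption; the patent only speaks of preset rules.
        if not self.policy.get((req.sender_vlan, target_vlan), False):
            return None
        return self.gateway_mac

    def forward(self, sender_vlan: int, dst_mac: str, dst_ip: str) -> Optional[Tuple[str, int]]:
        """Layer 3 forwarding of the access message that follows a proxy reply.
        Re-checking the policy here is an added hardening assumption, not the patent's."""
        if dst_mac != self.gateway_mac:
            return None                 # frame was not addressed to the gateway
        entry = self.arp_table.get(dst_ip)
        if entry is None or not self.policy.get((sender_vlan, entry[1]), False):
            return None
        return entry


def build_figure1_gateway() -> PolicyProxyArpGateway:
    """Constructed topology in the spirit of Figure 1: super VLAN 10.1.1.0/24
    with sub VLANs 2, 3, 4 and the policy quoted in the text (VLAN 2 -> 3 and
    3 -> 4 allowed, 2 -> 4 denied)."""
    gw = PolicyProxyArpGateway(GATEWAY_MAC, "10.1.1.0/24", [2, 3, 4])
    gw.attach_host(2, "10.1.1.2", HOST_A_MAC)
    gw.attach_host(3, "10.1.1.12", HOST_B_MAC)
    gw.attach_host(4, "10.1.1.22", HOST_C_MAC)
    gw.set_policy(2, 3, allow=True)
    gw.set_policy(3, 4, allow=True)
    gw.set_policy(2, 4, allow=False)
    return gw
```

Note that the target is resolved (and cached in the ARP table) before the policy check, as in step S120 preceding S130; the denied pair therefore leaves a table entry but no reply, which the forwarding re-check also refuses to use.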
An embodiment of the present invention is described in detail below with reference to FIG. 3. It should be noted that this is only intended to help a person skilled in the art better understand the embodiments of the present invention, not to limit their scope.
In one embodiment of the present invention, the network device receives a first ARP request sent by the first host, which requests the MAC address of the second host and carries the identifier of the first VLAN to which the first host belongs and the IP address of the second host. From the IP address of the second host, the second VLAN to which the second host belongs can be determined, and then, according to the predetermined access policy between the first VLAN and the second VLAN, it can be determined whether to send the MAC address of the network device to the first host. If the preset access policy allows the first VLAN to access the second VLAN, the network device sends its MAC address to the first host, and the first host treats the network device's MAC address as the second host's MAC address when communicating with the second host; that communication still has to be forwarded by the network device. If the preset access policy prohibits the first VLAN from accessing the second VLAN, the network device refuses to send its MAC address to the first host, so the first host cannot access the second host.
FIG. 3 is a schematic flowchart of a specific embodiment of the access control method according to an embodiment of the present invention. The terms used in this embodiment have the same meanings as in the foregoing embodiments.
S301. The network device receives a first ARP request sent by the first host that carries the identifier of the first VLAN to which the first host belongs and the IP address of the second host, where the first ARP request is used to request access to the second host.
S302. The network device can determine, according to the IP address of the second host, the second VLAN to which the second host belongs.
If the network device cannot directly learn the second VLAN to which the second host belongs, it sends, according to the IP address of the second host, a second ARP request to all sub VLANs in the super VLAN except the first VLAN, in order to determine the second VLAN. When the second host in the second VLAN receives the second ARP request, it replies to the gateway of the network device with an ARP reply responding to the second ARP request, which carries the second VLAN to which the second host belongs. The network device can thereby determine the second VLAN to which the second host belongs.
S303. The network device determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
The network device presets the access policy for the first VLAN accessing the second VLAN; the policy either allows the first VLAN to access the second VLAN or prohibits it. If the network device allows the first VLAN to access the second VLAN, it sends its MAC address to the first host, so the first host can access the second host; that is, step S304 is performed.
If the network device prohibits the first VLAN from accessing the second VLAN, it refuses to send its MAC address to the first host, so the first host cannot access the second host; that is, step S305 is performed.
S304. The first host can access the second host.
The first host's access to the second host is achieved through forwarding by the network device.
S305. The first host cannot access the second host.
It should be understood that for the specific manner of indicating the above information, reference may be made to the foregoing embodiments; details are not repeated here for brevity.
Therefore, in the access control method of this embodiment of the present invention, the network device receives from the first host an ARP request that carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs and that requests the MAC address of the second host; it determines from the IP address of the second host that the second host belongs to the second VLAN, and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host. The network device can thus selectively proxy-reply with its own MAC address to hosts in different VLANs according to the preset access policy, achieving policy-based control of host access.
It should be understood that, in the various embodiments of the present invention, the numbering of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments of the present invention.
The access control method according to embodiments of the present invention has been described in detail above; a network device according to embodiments of the present invention is described below.
FIG. 4 is a schematic block diagram of a network device 500 according to an embodiment of the present invention. As shown in FIG. 4, the network device 500 includes:
a first receiving module 510, configured to receive a first Address Resolution Protocol (ARP) request sent by a first host, where the first ARP request is used to request the media access control (MAC) address of a second host and includes the identifier of the first virtual local area network (VLAN) to which the first host belongs and the Internet Protocol (IP) address of the second host;
a first determining module 520, configured to determine, according to the IP address of the second host, that the second host belongs to a second VLAN;
a second determining module 530, configured to determine, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
Therefore, the network device of this embodiment of the present invention receives from the first host a first ARP request that carries the IP address of the second host and the first VLAN to which the first host belongs and that requests the MAC address of the second host, determines from the IP address of the second host that the second host belongs to the second VLAN, and then determines, according to the preset access policy, whether to send its own MAC address to the first host in place of the second host's MAC address. The network device can thus selectively send proxy ARP replies to hosts in different VLANs according to the preset access policy, achieving policy-based control of host access.
In this embodiment of the present invention, optionally, the first determining module 520 is specifically configured to:
send a second ARP request according to the IP address of the second host;
receive an ARP reply sent by the second host in response to the second ARP request, where the ARP reply includes the identifier of the second VLAN to which the second host belongs;
determine that the second host belongs to the second VLAN.
Optionally, in this embodiment of the present invention, the second determining module 530 is specifically configured to:
if the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, refuse to send the MAC address of the network device to the first host.
In this embodiment of the present invention, optionally, the second determining module 530 is specifically configured to:
if the access policy preset by the network device allows the first VLAN to access the second VLAN, determine to send the MAC address of the network device to the first host.
Optionally, in this embodiment of the present invention, the network device 500 further includes:
a second receiving module, configured to receive an access message sent by the first host;
a sending module, configured to send the access message to the second host.
Therefore, the network device of this embodiment of the present invention receives from the first host an ARP request that carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs and that requests the MAC address of the second host, determines from the IP address of the second host that the second host belongs to the second VLAN, and then determines, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host. The network device can thus selectively proxy-reply with its own MAC address to hosts in different VLANs according to the preset access policy, achieving policy-based control of host access.
图5示出了本发明的实施例提供的网络设备的结构,包括至少一个处理器702(例如CPU),至少一个网络接口705或者其他通信接口,存储器706,和至少一个通信总线703,用于实现这些装置之间的连接通信。处理器702用于执行存储器706中存储的可执行指令,例如计算机程序。存储器706可能包含高速随机存取存储器(英文:random access memory,RAM),也可能还包括非不稳定的存储器(英文:non-volatile memory),例如至少一个磁盘存储器。通过至少一个网络接口705(可以是有线或者无线)实现与至少一个其他网元之间的通信连接。FIG. 5 shows a structure of a network device according to an embodiment of the present invention, including at least one processor 702 (for example, a CPU), at least one network interface 705 or other communication interface, a memory 706, and at least one communication bus 703 for Achieve connection communication between these devices. The processor 702 is configured to execute executable instructions, such as a computer program, stored in the memory 706. The memory 706 may include a high speed random access memory (RAM), and may also include a non-volatile memory (English: non-volatile memory), such as at least one disk memory. A communication connection with at least one other network element is achieved by at least one network interface 705 (which may be wired or wireless).
在一些实施方式中,存储器706存储了程序7061,处理器702执行程序7061,用于执行一些操作:In some embodiments, the memory 706 stores a program 7061, and the processor 702 executes the program 7061 for performing some operations:
接收第一主机发送的第一地址解析协议ARP请求,该第一ARP请求用于请求第二主机的媒体访问控制MAC地址,且该第一ARP请求包括该第一主机所属的第一虚拟局域网VLAN的标识和该第二主机的网际协议IP地址;Receiving a first address resolution protocol ARP request sent by the first host, where the first ARP request is used to request a media access control MAC address of the second host, and the first ARP request includes the first virtual local area network VLAN to which the first host belongs The identifier and the internet protocol IP address of the second host;
根据该第二主机的IP地址,确定该第二主机属于第二VLAN;Determining that the second host belongs to the second VLAN according to the IP address of the second host;
根据预先设定的该第一VLAN与该第二VLAN间的访问策略,确定是否向该第一主机发送该网络设备的MAC地址。 And determining, according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
可选地,处理器702具体用于,Optionally, the processor 702 is specifically configured to:
根据该第二主机的IP地址,发送第二ARP请求;Sending a second ARP request according to the IP address of the second host;
接收该第二主机用于响应该第二ARP请求的ARP应答,该ARP应答包括该第二主机所属的该第二VLAN的标识;Receiving, by the second host, an ARP response in response to the second ARP request, where the ARP response includes an identifier of the second VLAN to which the second host belongs;
确定该第二主机属于该第二VLAN。It is determined that the second host belongs to the second VLAN.
可选地,处理器702具体用于,Optionally, the processor 702 is specifically configured to:
若该网络设备预先设定的该访问策略为禁止该第一VLAN访问该第二VLAN,拒绝向该第一主机发送该网络设备的MAC地址。If the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, the network address of the network device is refused to be sent to the first host.
可选地,处理器702具体用于,Optionally, the processor 702 is specifically configured to:
若该网络设备预先设定的该访问策略为允许该第一VLAN访问该第二VLAN,确定向该第一主机发送该网络设备的MAC地址。If the access policy preset by the network device is to allow the first VLAN to access the second VLAN, determine to send the MAC address of the network device to the first host.
可选地,处理器702还用于,Optionally, the processor 702 is further configured to:
接收该第一主机发送的访问消息;Receiving an access message sent by the first host;
向该第二主机发送该访问消息。The access message is sent to the second host.
从本发明实施例提供的以上技术方案可以看出,通过接收第一主机发送的携带第二主机的IP地址和第一主机所属的第一VLAN的标识的ARP请求,以请求第二主机的MAC地址,并根据该第二主机的IP地址确定该第二主机属于第二VLAN,进而根据预先设定的第一VLAN与第二VLAN间的访问策略确定是否向第一主机发送网络设备的MAC地址,使得网络设备能够根据预先设定的访问策略对不同VLAN下的主机选择性代答网络设备的MAC地址,从而实现主机访问的策略化控制。The foregoing technical solution provided by the embodiment of the present invention can be used to request the MAC address of the second host by receiving an ARP request that is sent by the first host and carries the IP address of the second host and the identifier of the first VLAN to which the first host belongs. An address, and determining, according to the IP address of the second host, that the second host belongs to the second VLAN, and determining whether to send the MAC address of the network device to the first host according to the preset access policy between the first VLAN and the second VLAN. The network device can selectively select the MAC address of the network device for the host in different VLANs according to the preset access policy, thereby implementing the strategic control of the host access.
It should be understood that the term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such an implementation should not be considered beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention.
The foregoing are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

  1. An access control method, comprising:
    receiving, by a network device, a first Address Resolution Protocol (ARP) request sent by a first host, where the first ARP request requests the Media Access Control (MAC) address of a second host and includes the Internet Protocol (IP) address of the second host and the identifier of the first virtual local area network (VLAN) to which the first host belongs;
    determining, by the network device, according to the IP address of the second host, that the second host belongs to a second VLAN;
    determining, by the network device, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  2. The access control method according to claim 1, wherein the determining, by the network device according to the IP address of the second host, that the second host belongs to a second VLAN comprises:
    sending, by the network device, a second ARP request according to the IP address of the second host;
    receiving, by the network device, an ARP reply sent by the second host in response to the second ARP request, where the ARP reply includes the identifier of the second VLAN to which the second host belongs;
    determining, by the network device, that the second host belongs to the second VLAN.
  3. The access control method according to claim 1 or 2, wherein the determining, by the network device according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host comprises:
    if the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, refusing, by the network device, to send the MAC address of the network device to the first host.
  4. The access control method according to claim 1 or 2, wherein the determining, by the network device according to the preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host comprises:
    if the access policy preset by the network device allows the first VLAN to access the second VLAN, determining, by the network device, to send the MAC address of the network device to the first host.
  5. The access control method according to claim 4, further comprising:
    receiving, by the network device, an access message sent by the first host;
    sending, by the network device, the access message to the second host.
  6. A network device, comprising:
    a first receiving module, configured to receive a first Address Resolution Protocol (ARP) request sent by a first host, where the first ARP request requests the Media Access Control (MAC) address of a second host and includes the Internet Protocol (IP) address of the second host and the identifier of the first virtual local area network (VLAN) to which the first host belongs;
    a first determining module, configured to determine, according to the IP address of the second host, that the second host belongs to a second VLAN;
    a second determining module, configured to determine, according to a preset access policy between the first VLAN and the second VLAN, whether to send the MAC address of the network device to the first host.
  7. The network device according to claim 6, wherein the first determining module is specifically configured to:
    send a second ARP request according to the IP address of the second host;
    receive an ARP reply sent by the second host in response to the second ARP request, where the ARP reply includes the identifier of the second VLAN to which the second host belongs;
    determine that the second host belongs to the second VLAN.
  8. The network device according to claim 6 or 7, wherein the second determining module is specifically configured to:
    if the access policy preset by the network device prohibits the first VLAN from accessing the second VLAN, refuse to send the MAC address of the network device to the first host.
  9. The network device according to claim 6 or 7, wherein the second determining module is specifically configured to:
    if the access policy preset by the network device allows the first VLAN to access the second VLAN, determine to send the MAC address of the network device to the first host.
  10. The network device according to claim 9, further comprising:
    a second receiving module, configured to receive an access message sent by the first host;
    a sending module, configured to send the access message to the second host.
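The policy-controlled proxy-ARP behaviour summarised in the description and claimed in claims 1 to 5, as an added simulation that is not the patent's own code or any vendor implementation: the device receives a VLAN-tagged ARP request, determines the target host's VLAN, consults a preset inter-VLAN access policy, and either answers with its own MAC address or withholds it. The host table, addresses, VLAN identifiers, policy pairs and the `NetworkDevice` class with its method names are constructed assumptions; the host table stands in for the second ARP exchange of claim 2, and the policy re-check at forwarding time is an added hardening the patent does not specify.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ArpRequest:
    sender_ip: str
    sender_vlan: int   # identifier of the first VLAN, carried in the request
    target_ip: str     # IP address of the second host whose MAC is wanted

@dataclass(frozen=True)
class ArpReply:
    target_ip: str
    mac: str           # MAC address answered to the first host
    vlan: int          # VLAN in which the reply is delivered

# Constructed sample host table, ip -> (mac, vlan). In the patent the device
# learns the target's VLAN by sending a second ARP request and reading the
# VLAN identifier from the reply (claim 2); this table stands in for that.
HOSTS: Dict[str, Tuple[str, int]] = {
    "10.0.10.5": ("02:00:00:00:10:05", 10),
    "10.0.20.7": ("02:00:00:00:20:07", 20),
    "10.0.30.9": ("02:00:00:00:30:09", 30),
}
# Preset inter-VLAN access policy: allowed (source VLAN, destination VLAN)
# pairs; any pair not listed is denied.
POLICY: Set[Tuple[int, int]] = {(10, 20), (20, 10)}
DEVICE_MAC = "02:00:00:00:00:01"   # constructed MAC of the network device

class NetworkDevice:
    def __init__(self, mac: str, hosts: Dict[str, Tuple[str, int]], policy: Set[Tuple[int, int]]) -> None:
        self.mac, self.hosts, self.policy = mac, hosts, policy
        self.log: List[str] = []   # decisions, for auditing

    def resolve_vlan(self, ip: str) -> Optional[int]:
        entry = self.hosts.get(ip)
        return None if entry is None else entry[1]

    def allowed(self, src_vlan: int, dst_vlan: int) -> bool:
        # same-VLAN hosts resolve each other directly; policy governs cross-VLAN
        return src_vlan == dst_vlan or (src_vlan, dst_vlan) in self.policy

    def handle_arp(self, req: ArpRequest) -> Optional[ArpReply]:
        """Claims 1, 3, 4: answer with the device MAC only if policy allows."""
        dst_vlan = self.resolve_vlan(req.target_ip)
        if dst_vlan is None:
            self.log.append(f"unknown target {req.target_ip}: no reply")
            return None
        if not self.allowed(req.sender_vlan, dst_vlan):
            self.log.append(f"deny vlan {req.sender_vlan}->{dst_vlan}: MAC withheld")
            return None
        self.log.append(f"allow vlan {req.sender_vlan}->{dst_vlan}: proxy reply")
        return ArpReply(req.target_ip, self.mac, req.sender_vlan)

    def forward(self, src_vlan: int, dst_ip: str, payload: bytes) -> Optional[Tuple[str, int, bytes]]:
        """Claim 5: relay the first host's access message to the second host.
        Re-checking the policy here is an added hardening, not in the patent."""
        dst = self.hosts.get(dst_ip)
        if dst is None or not self.allowed(src_vlan, dst[1]):
            return None
        return (dst[0], dst[1], payload)
```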
Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201510989373.0 | 2015-12-25 | | 
CN201510989373.0A (CN106921610A) | 2015-12-25 | 2015-12-25 | Access control method and the network equipment

Publications (1)

Publication Number | Publication Date
WO2017107871A1 | 2017-06-29

Family

ID=59089094

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2016/110471 (WO2017107871A1) | 2015-12-25 | 2016-12-16 | Access control method and network device

Country Status (2)

Country | Link
CN | CN106921610A
WO | WO2017107871A1

Also Published As

Publication number Publication date
CN106921610A (en) 2017-07-04

Legal Events

Code | Title | Description
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 16877682; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | EP: PCT application non-entry in European phase | Ref document number: 16877682; Country of ref document: EP; Kind code of ref document: A1