WO2017186181A1 - Network access control - Google Patents
Network access control
- Publication number
- WO2017186181A1 (PCT/CN2017/082690)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- user
- network segment
- packet
- destination
- Prior art date
Classifications (CPC; all under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/101—Access control lists [ACL]
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    - H04L63/0227—Filtering policies
      - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
    - H04L63/0272—Virtual private networks
- H04L12/00—Data switching networks
  - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    - H04L12/46—Interconnection of networks
      - H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
      - H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
  - H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L61/00—Network arrangements, protocols or services for addressing or naming
  - H04L61/09—Mapping addresses
    - H04L61/10—Mapping addresses of different types
      - H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
- H04L47/00—Traffic control in data switching networks
  - H04L47/10—Flow control; Congestion control
    - H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
Definitions
- users are usually classified, and all users can be divided into multiple user groups. Users in the same user group can have the same network access rights, and users in different user groups can have different network access rights.
- VLAN: Virtual Local Area Network
- ACL: Access Control List
- Different ACL rules are used to limit the network access rights of different VLANs.
- FIG. 1 is a schematic diagram of a network architecture of an enterprise network shown by an exemplary example of the present disclosure.
- FIG. 2 is a flowchart of processing of an ARP request message by an aggregation switch according to an exemplary example of the present disclosure.
- FIG. 3 is a flowchart of a process in which an aggregation switch performs network access control on a user message according to an exemplary example of the present disclosure.
- FIG. 4 is a schematic diagram of a hardware architecture of a network access control apparatus according to an exemplary example of the present disclosure.
- FIG. 5 is a schematic structural diagram of a network access control apparatus according to an exemplary example of the present disclosure.
- FIG. 6 is another schematic structural diagram of a network access control apparatus according to an exemplary example of the present disclosure.
- FIG. 7 is still another schematic structural diagram of a network access control apparatus according to an exemplary example of the present disclosure.
- the following examples of the present disclosure propose a network access control method, and an apparatus to which the method can be applied.
- an enterprise network can include the following types of devices: an access switch, an aggregation switch, and a core switch.
- the core switch can be connected to aggregation switches, an aggregation switch can be connected to access switches, and the access switches provide user access; overlay (network virtualization) technology can be applied on the aggregation switches and core switches.
- the enterprise network may include a headquarters network and a branch network.
- the headquarters network includes access switches 101a to 101e, aggregation switches 102a to 102c, and core switches 103a and 103b.
- the branch network includes access switches 201a to 201e, aggregation switches 202a to 202c, and core switches 203a to 203b.
- the overlay technology may be applied to the aggregation switch and the core switch.
- the aggregation switch and the core switch may belong to the same subnet or belong to different subnetworks.
- the term access switch here refers to any network device with a packet-switching function, and may be an Ethernet switch, a wireless access controller (AC), or the like.
- the corporate network provides access to the data center.
- the data center can include data center servers 104a through 104c and data center switch 105a.
- the overlay technology refers to superimposing a virtual network on an existing physical network.
- the virtual network is generally a virtual Layer 2 network, which can bring about many advantages such as configuration simplification and user migration.
- Typical overlay technologies include VXLAN (Virtual eXtensible LAN), NVGRE (Network Virtualization using Generic Routing Encapsulation), and STT (Stateless Transport Tunneling).
- the entire network can be constructed into a virtual Layer 2 network.
- the virtual Layer 2 network can cover not only the enterprise network, including the headquarters network and the branch network, but also the WAN (Wide Area Network), so the headquarters network and the branch network can be interconnected across the WAN to form an end-to-end large Layer 2 network.
- Taking VXLAN as an example, in the enterprise network shown in Figure 1 a VXLAN tunnel can be established between aggregation switches in the same subnet, between aggregation switches in different subnets, between an aggregation switch and a core switch in the same subnet, and between an aggregation switch and a core switch in different subnets.
- EVPN: Ethernet Virtual Private Network
- MAC: Media Access Control
- the network access control method of the example of the present disclosure may include the following:
- the software defined network (SDN) controller can receive and save configuration information, where the configuration information includes: user group information, resource group information, and various access control policies.
- the above configuration information can be configured on the SDN controller through static configuration.
- the user group information can be as shown in Table 1, and the resource group information can be as shown in Table 2:
- the user group information may include a user group identifier and its corresponding VLAN (virtual local area network) identifier, VXLAN identifier, and network segment. One user group thus corresponds to one VLAN, one VXLAN, and one network segment.
- all users can be grouped according to user identity. Alternatively, the grouping may be performed according to the user's age, the area to which the user belongs, and the like; this is not limited by the examples in the disclosure. Users in the same user group can have the same network access rights, and users in different user groups can have different network access rights.
- the resource group information may include: a resource group identifier and an IP (Internet Protocol) address of the data center server included in the resource group.
- the resource group identifier may correspond to an IP address of at least one data center server.
- the IP addresses may be all IP addresses in one network segment. For example, suppose there are three servers a, b, and c in the data center, resource group 1 may include server a, and resource group 2 may include servers b and c, wherein the IP addresses of servers b and c belong to the same network segment.
- various access control policies may include: access control policies within the same user group, and/or access control policies between different user groups, and/or user group access control policies for resource groups.
- in the access control policy table (Table 3), the rows and columns are the user groups and resource groups. A deny marked at row m, column n means that users in the user group of row m are prohibited from communicating with users in the user group of column n, or that users in the user group of row m are prohibited from accessing the data center servers in the resource group of column n.
- for example, the deny at row 4, column 2 indicates that users in user group 3 and user group 1 are prohibited from accessing each other; the deny at row 3, column 3 indicates that users in user group 2 are prohibited from accessing each other; and the deny at row 2, column 6 prohibits users in user group 1 from accessing the data center servers in resource group 2, that is, per Table 2, the data center servers whose IP addresses belong to the network segment 10.200.0.0/24.
- the SDN controller can send the user group information, the resource group information, and the relevant parts of the access control policies to the devices in the network, such as the access switches, aggregation switches, core switches, and DHCP (Dynamic Host Configuration Protocol) servers, so that these devices can be configured accordingly.
- the configuration process can be as follows:
- the SDN controller can send the identifiers of the VLANs corresponding to all user groups to all access switches. After receiving a VLAN identifier, an access switch configures that VLAN locally and configures its uplink port connected to the aggregation switch to permit packets of that VLAN, so that the port sends packets tagged with the VLAN identifier.
- the SDN controller can send the identifiers of the VLANs corresponding to all user groups to all aggregation switches. Each aggregation switch configures the VLANs locally and configures its downlink ports connected to access switches to permit packets of those VLANs, so that the aggregation switch can receive packets tagged with the VLAN identifier on its downlink ports.
- the VXLANs corresponding to all user groups can be configured on the aggregation switch, establishing the mapping between VLAN, VXLAN, and network segment.
- the IP address and MAC address of the VXLAN gateway can be configured on the aggregation switch.
- the VXLAN virtual interface corresponding to each VXLAN can be configured as the gateway of the corresponding network segment, so every aggregation switch is configured with a gateway for every network segment. In this way, wherever a user moves, the aggregation switch above the access switch the user connects to has the gateway of the network segment to which the user's IP address belongs.
- the SDN controller can send the identifiers of the VXLANs corresponding to all user groups to all core switches. After receiving a VXLAN identifier, each core switch configures the VXLAN and its Layer 3 gateway address locally. The core switch can also be configured with a routing protocol to connect to external devices such as data center switches.
- the SDN controller can also send the access control policies shown in Table 3 to all aggregation switches. After receiving them, each aggregation switch configures the corresponding ACL rules locally.
- an ACL rule includes a first network segment and a second network segment, where the first and second network segments correspond to the same user group, or to different user groups, or the first network segment corresponds to a user group and the second network segment corresponds to a resource group.
- when both segments correspond to the same user group, the ACL rule prevents users in that user group from accessing each other.
- when the segments correspond to different user groups, the ACL rule prevents users in one user group from accessing users in the other.
- when the second segment corresponds to a resource group, the ACL rule prohibits users in the user group from accessing the data center servers in that resource group.
- the ACL rules configured according to the access control policy shown in Table 3 are as follows:
- ACL1 deny source 10.10.1.1/24 destination 10.200.0.0/24
- ACL2 deny source 10.20.1.1/24 destination 10.20.1.1/24
- ACL3 deny source 10.20.1.1/24 destination 10.30.1.1/24
- ACL4 deny source 10.30.1.1/24 destination 10.20.1.1/24
- ACL5 deny source 10.30.1.1/24 destination 10.10.1.1/24
- ACL6 deny source 10.10.1.1/24 destination 10.30.1.1/24
- ACL7 deny source 10.30.1.1/24 destination 10.100.0.0/24
- ACL1 can be used to prohibit users in user group 1 from accessing data center servers in resource group 2;
- ACL2 can be used to prevent users in user group 2 from accessing each other;
- ACL3 and ACL4 can be used to prohibit users in user group 2 and user group 3 from accessing each other;
- ACL5 and ACL6 can be used to prevent users in user group 1 and user group 3 from accessing each other;
- ACL7 can be used to prohibit users in user group 3 from accessing data center servers in resource group 1.
- the SDN controller can configure the correspondence between the user group and the VLAN.
- the authentication server may also be configured with a correspondence between the user and the user group, so that the correspondence between the user, the user group, and the VLAN may be stored on the authentication server.
- the SDN controller can send all the network segments to the DHCP server and configure the mapping between each VLAN and an address pool: the IP addresses of each network segment are saved in an address pool, establishing the mapping between VLANs and address pools.
- the user can perform access authentication and access the network after the authentication is passed.
- the authentication server may determine the user group to which the user belongs, further determine the VLAN corresponding to that user group, and send the VLAN identifier to the access switch. After receiving the VLAN identifier, the access switch adds the user port through which the user accesses the device to that VLAN. The user then requests an IP address.
- the aggregation switch can determine the VLAN to which the port that received the address request belongs, encapsulate the VLAN identifier in the address request packet, and send the address request packet to the DHCP server.
- the DHCP server can find the network segment corresponding to the identifier of the VLAN encapsulated in the application packet, and select an unoccupied IP address from the network segment and carry it in the response packet.
- the response packet is sent to the aggregation switch, and the response packet is forwarded to the user by the aggregation switch, so that the user can obtain the IP address in the network segment corresponding to the user group.
- the user thus obtains an IP address in the network segment corresponding to the user group regardless of where the user accesses the network; that is, the user's IP address is always in the same network segment, so packets sent by the user can always hit the ACL rule that contains that network segment.
- before sending a user packet to a data center server or to another user whose IP address is IP1 (IP1 being the target IP address), the user terminal must obtain the MAC address corresponding to IP1.
- the user terminal determines whether IP1 and its own IP address belong to the same network segment. If so, it sends an ARP request packet whose source IP address is its own IP address and whose destination IP address is IP1. If not, it sends an ARP request packet whose source IP address is its own IP address and whose destination IP address is the IP address of the gateway of its network segment.
- after receiving the ARP request packet, the access switch determines the VLAN to which the user port that received it belongs and encapsulates the VLAN identifier in the ARP request packet. Because port isolation is enabled on the access switch, the access switch sends the ARP request packet to the aggregation switch rather than to other user ports.
- Step S101: after receiving the ARP request packet sent by the access switch, the aggregation switch finds the gateway of the network segment corresponding to the VLAN according to the VLAN identifier encapsulated in the ARP request packet.
- Step S102: the aggregation switch determines whether the destination IP address of the ARP request packet is the IP address of the gateway determined in step S101. If so, step S103 is performed; otherwise, step S104 is performed.
- Step S103: the MAC address of the gateway is carried in an ARP reply packet sent to the access switch and forwarded to the user through the access switch.
- Step S104: if the ARP proxy function is configured on the gateway, the MAC address of the gateway is carried in an ARP reply packet sent to the access switch and forwarded to the user through the access switch. If the gateway is not configured with the ARP proxy function, no reply is sent.
- after receiving the ARP reply packet, the user terminal establishes the correspondence between IP1 and the MAC address of the gateway. It can then send a user packet whose destination IP address is IP1 and whose destination MAC address is the MAC address of the gateway.
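The ARP exchange just described (the user terminal's choice of destination IP, and steps S101 to S104 on the aggregation switch), written in Python as an added example; this is not code from the patent. The VLAN identifiers and segments follow Table 1, while the gateway IP addresses, gateway MAC addresses and the per-gateway proxy-ARP flags are assumptions made for the example (VLAN 20 deliberately has proxy ARP disabled to show the unanswered case).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    segment: ipaddress.IPv4Network
    ip: ipaddress.IPv4Address
    mac: str
    proxy_arp: bool


# Constructed, hypothetical gateway table: one VXLAN virtual interface per user-group VLAN.
# VLAN ids and segments follow Table 1; IPs, MACs and proxy-ARP flags are assumptions.
GATEWAYS = {
    10: Gateway(ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_address("10.10.1.254"), "00:00:5e:00:01:0a", True),
    20: Gateway(ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_address("10.20.1.254"), "00:00:5e:00:01:14", False),
    30: Gateway(ipaddress.ip_network("10.30.1.0/24"), ipaddress.ip_address("10.30.1.254"), "00:00:5e:00:01:1e", True),
}


@dataclass(frozen=True)
class ArpRequest:
    vlan_id: int                      # tag the access switch adds from the ingress user port
    sender_ip: ipaddress.IPv4Address
    target_ip: ipaddress.IPv4Address  # the "destination IP address" of the ARP request


def user_arp_request(vlan_id: int, user_ip: str, prefixlen: int, gateway_ip: str, target_ip: str) -> ArpRequest:
    """User-terminal side: ARP for the target itself if it is on-link, otherwise for the gateway."""
    user = ipaddress.ip_interface(f"{user_ip}/{prefixlen}")
    target = ipaddress.ip_address(target_ip)
    asked = target if target in user.network else ipaddress.ip_address(gateway_ip)
    return ArpRequest(vlan_id, user.ip, asked)


def aggregation_switch_arp(req: ArpRequest) -> Optional[Tuple[ipaddress.IPv4Address, str]]:
    """Steps S101-S104 on the aggregation switch: (ip, mac) carried in the reply, or None for no reply."""
    gw = GATEWAYS.get(req.vlan_id)     # S101: gateway of the segment mapped to this VLAN
    if gw is None:
        return None                    # VLAN without a configured gateway: nothing to answer with
    if req.target_ip == gw.ip:         # S102 -> S103: request for the gateway address itself
        return req.target_ip, gw.mac
    if gw.proxy_arp:                   # S104: proxy ARP answers with the gateway MAC for any other IP
        return req.target_ip, gw.mac
    return None                        # S104 without proxy ARP: the request goes unanswered


def resolve_next_hop_mac(vlan_id: int, user_ip: str, prefixlen: int, gateway_ip: str, target_ip: str) -> Optional[str]:
    """Whole exchange: the MAC the user binds to the address it asked for, or None if resolution fails."""
    req = user_arp_request(vlan_id, user_ip, prefixlen, gateway_ip, target_ip)
    reply = aggregation_switch_arp(req)
    if reply is None:
        return None
    resolved_ip, mac = reply
    return mac if resolved_ip == req.target_ip else None


if __name__ == "__main__":
    # Same-segment peer (proxy ARP on), off-link server, and same-segment peer with proxy ARP off.
    print(resolve_next_hop_mac(10, "10.10.1.5", 24, "10.10.1.254", "10.10.1.9"))
    print(resolve_next_hop_mac(10, "10.10.1.5", 24, "10.10.1.254", "10.200.0.9"))
    print(resolve_next_hop_mac(20, "10.20.1.5", 24, "10.20.1.254", "10.20.1.6"))
```

Whatever the user asks for, the only MAC it ever learns is the gateway's, so even traffic between two users of the same segment is carried to the aggregation switch, where the two-segment ACL is evaluated. That property holds only because port isolation on the access switch keeps the ARP request from reaching other user ports; if same-segment frames were switched locally at the access switch, they would never reach the ACL.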
- the access switch can determine the VLAN to which the user port that receives the user packet belongs, encapsulate the identifier of the VLAN in the user packet, and then forward the packet to the aggregation switch.
- after receiving the user packet, the aggregation switch performs the following steps:
- Step S201: compare the source IP address of the user packet with the first network segment in the ACL rule, and compare the destination IP address of the user packet with the second network segment in the ACL rule. If both match, the user packet hits the ACL rule. Otherwise, that is, if the source IP address does not match the first network segment and/or the destination IP address does not match the second network segment, the user packet does not hit the ACL rule.
- Step S202: determine whether the user packet hits the ACL rule. If so, step S203 is performed; otherwise, step S204 is performed.
- Step S203: the user packet is discarded.
- Step S204: the user packet is forwarded.
- to forward, the aggregation switch looks up the outbound interface in the routing table according to the destination IP address of the user packet. If the outbound interface is a downlink port of the device, the user packet is forwarded through that downlink port. If the outbound interface is a VXLAN tunnel interface, the aggregation switch looks up the VXLAN identifier corresponding to the VLAN identifier encapsulated in the user packet, VXLAN-encapsulates the user packet, and forwards it.
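One way to turn Tables 1 to 3 into the two-segment ACL rules ACL1 to ACL7 listed above and then apply steps S201 to S204 to sample packets, written in Python as an added example (not code from the patent). The user-group, resource-group and policy tables are constructed here from the page's tables; the rule numbering order and the normalisation of a segment written as `10.10.1.1/24` to the network `10.10.1.0/24` are choices made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data reproducing Tables 1-3 of the page (hypothetical values).
USER_GROUPS = {
    "user group 1": "10.10.1.1/24",
    "user group 2": "10.20.1.1/24",
    "user group 3": "10.30.1.1/24",
}
RESOURCE_GROUPS = {
    "resource group 1": "10.100.0.0/24",
    "resource group 2": "10.200.0.0/24",
}
# Table 3 as an adjacency map: for each row (a user group), the columns marked "deny".
POLICY = {
    "user group 1": ["resource group 2"],
    "user group 2": ["user group 2", "user group 3"],
    "user group 3": ["user group 1", "resource group 1"],
}


@dataclass(frozen=True)
class AclRule:
    name: str
    first_segment: ipaddress.IPv4Network   # compared with the packet's source IP
    second_segment: ipaddress.IPv4Network  # compared with the packet's destination IP

    def render(self) -> str:
        return f"{self.name} deny source {self.first_segment} destination {self.second_segment}"


def segment(cidr: str) -> ipaddress.IPv4Network:
    # The page writes segments as "10.10.1.1/24" (a host address plus prefix);
    # strict=False normalises that to the network 10.10.1.0/24.
    return ipaddress.ip_network(cidr, strict=False)


def compile_acl(user_groups=USER_GROUPS, resource_groups=RESOURCE_GROUPS, policy=POLICY):
    """Turn the deny matrix into two-segment ACL rules, numbered in the order the page lists them."""
    rules = []

    def add(src, dst):
        rules.append(AclRule(f"ACL{len(rules) + 1}", src, dst))

    for row, denied_columns in policy.items():
        src = segment(user_groups[row])
        for col in denied_columns:
            if col in user_groups:
                dst = segment(user_groups[col])
                add(src, dst)
                if col != row:
                    # "prohibited from accessing each other" needs the reverse direction too
                    add(dst, src)
            else:
                # user group -> resource group: one direction only
                add(src, segment(resource_groups[col]))
    return rules


def hits(rule: AclRule, src_ip, dst_ip) -> bool:
    """Step S201: the packet hits the rule only when both comparisons match."""
    return src_ip in rule.first_segment and dst_ip in rule.second_segment


def aggregation_switch_decision(rules, src: str, dst: str):
    """Steps S202-S204: discard on the first hit, otherwise forward."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if hits(rule, src_ip, dst_ip):
            return "discard", rule.name
    return "forward", None


if __name__ == "__main__":
    acl = compile_acl()
    for rule in acl:
        print(rule.render())
    for s, d in [("10.10.1.5", "10.200.0.9"), ("10.20.1.5", "10.20.1.6"), ("10.10.1.5", "10.20.1.6")]:
        print(s, "->", d, aggregation_switch_decision(acl, s, d))
```

The rules key on the source IP address alone, so enforcement rests on the premise the page states rather than checks: that the user's source address really is the one the DHCP server assigned from its group's segment. A mutual deny between two different groups always compiles to a pair of rules (ACL3/ACL4, ACL5/ACL6), while a deny within one group or toward a resource group needs only one.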
- VLANs in the above examples of the present disclosure refer to VLANs corresponding to user groups.
- the overlay technology is applied to the aggregation switches and the core switches, constructing an overlay network architecture, that is, a virtual large Layer 2 network with the benefit of user migration.
- An ACL rule is configured on the aggregation switch.
- the ACL rule includes: a first network segment and a second network segment, where the first network segment and the second network segment may be the network segment corresponding to the same user group or different user groups. Or, the first network segment is a network segment corresponding to the user group, and the second network segment is a network segment corresponding to the resource group.
- the user can be assigned a VLAN corresponding to the user group to which the user belongs, and the user can be assigned an IP address in the network segment corresponding to the VLAN.
- the aggregation switch matches the user packet against the ACL rules and discards it on a hit, which implements network access control toward the data center servers in a resource group, within the same user group, and between different user groups.
- because the ACL rules are configured on the aggregation switches rather than on the far more numerous access switches, the number of ACL rules to be configured is reduced, which reduces the configuration workload.
- the VLAN assigned to the user does not change, and the network segment to which the user's assigned IP address belongs does not change. Therefore, wherever the user moves, the user packets sent by the user can always hit the ACL rule containing that network segment.
- the ACL rules are thus unaffected by changes in the user's access location, avoiding reconfiguration when the user's access location changes.
- access control within a user group can be implemented with a single ACL rule, in which the first network segment and the second network segment are both the network segment corresponding to that user group. The number of ACL rules to be configured is therefore greatly reduced, and ACL resources are saved.
- because an overlay network architecture is built, the method can be applied to very large-scale networks and to networks spanning WANs.
- the present disclosure also provides an example of a network access control device.
- An example of the disclosed network access control device can be applied to an aggregation switch.
- the device example can be implemented by software, or can be implemented by hardware or a combination of hardware and software.
- a hardware configuration diagram of the disclosed network access control apparatus includes a processor 10 and a machine readable storage medium 20.
- the machine readable storage medium 20 stores machine readable instructions corresponding to network access control logic.
- the processor 10 is in communication with a machine readable storage medium 20, reads and executes machine readable instructions stored in the machine readable storage medium 20, and implements the network access control method as described above with reference to FIG.
- a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and so forth.
- the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid state drive, any type of storage disk (such as a CD or DVD), a similar storage medium, or a combination thereof.
- the network access control device 50 includes the following modules.
- the configuration module 501 is configured to configure an ACL rule on the aggregation switch, where the ACL rule includes a first network segment and a second network segment, and the first and second network segments correspond to the same user group, or to different user groups, or the first network segment corresponds to a user group and the second network segment corresponds to a resource group.
- the receiving module 502 is configured to receive a user packet from a user terminal, sent by the access switch.
- the matching module 503 is configured to, after the receiving module 502 receives the user packet sent by the access switch, compare the source IP address of the user packet with the first network segment in the ACL rule, and compare the destination IP address of the user packet with the second network segment in the ACL rule.
- the source IP address of the user packet is an IP address in the network segment corresponding to the virtual local area network (VLAN) bound to the user group to which the user belongs.
- the processing module 504 is configured to discard the user packet if the matching module 503 determines that the source IP address of the user packet matches the first network segment and the destination IP address of the user packet matches the second network segment.
- the receiving module 502 is further configured to receive an identifier of a VLAN corresponding to the user group sent by the SDN controller.
- the configuration module 501 is further configured to, after the receiving module 502 receives the VLAN identifier, configure on the aggregation switch the VLAN and the VXLAN corresponding to the user group, and configure the gateway IP address and MAC address of the VXLAN.
- the network access control device 50 further includes a relationship establishing module 505, configured to establish a correspondence between a VLAN, a VXLAN, and a network segment.
- the processing module 504 is further configured to, if the matching module 503 determines that the source IP address of the user packet does not match the first network segment and/or the destination IP address does not match the second network segment, look up the corresponding outbound interface in the routing table according to the destination IP address. If the outbound interface is a downlink port of the device, the user packet is forwarded through that downlink port. If the outbound interface is a VXLAN tunnel interface, the processing module looks up the VXLAN identifier corresponding to the VLAN identifier encapsulated in the user packet, VXLAN-encapsulates the user packet, and forwards it.
- the network access control device 50 further includes a gateway determining module 506 and a sending module 507.
- the receiving module 502 is further configured to receive an ARP request packet sent by the access switch for the target IP address.
- the gateway determining module 506 is configured to determine, according to the identifier of the VLAN encapsulated in the ARP request packet, the gateway of the network segment corresponding to the VLAN, after the receiving module 502 receives the ARP request packet.
- the sending module 507 is configured to send the MAC address of the determined gateway in an ARP reply packet to the access switch if the destination IP address of the ARP request packet is the IP address of the determined gateway; if the destination IP address of the ARP request packet is not the IP address of the determined gateway, the MAC address of the determined gateway is carried in the ARP reply packet only when the determined gateway is configured with the ARP proxy function.
- this allows the user terminal, after receiving the ARP reply packet forwarded by the access switch, to establish the correspondence between the target IP address and the MAC address of the gateway, and to send to the access switch the user packet whose destination IP address is the target IP address and whose destination MAC address is the determined MAC address of the gateway.
- the gateway determining module 506 determines that the destination IP address of the ARP request packet is the target IP address when the target IP address belongs to the same network segment as the source IP address of the ARP request packet, and determines that the destination IP address of the ARP request packet is the IP address of the determined gateway when the target IP address and the source IP address of the ARP request packet belong to different network segments.
- since the device example basically corresponds to the method example, see the description of the method example for the relevant details.
- the device examples described above are merely illustrative, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, ie may be located in one Places, or they can be distributed to multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the present disclosure. Those of ordinary skill in the art can understand and implement without any creative effort.
- first, second, third, etc. may be used in the present disclosure to describe various information, such information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
- first information may also be referred to as second information without departing from the scope of the present disclosure.
- second information may also be referred to as first information.
- the word "if" as used herein may be interpreted as "when", "upon", or "in response to determining".
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
User group ID | VLAN ID | VXLAN ID | Network segment |
---|---|---|---|
User group 1 | 10 | 10 | 10.10.1.1/24 |
User group 2 | 20 | 20 | 10.20.1.1/24 |
User group 3 | 30 | 30 | 10.30.1.1/24 |

Resource group ID | IP address of the data center servers |
---|---|
Resource group 1 | 10.100.0.0/24 |
Resource group 2 | 10.200.0.0/24 |

 | User group 1 | User group 2 | User group 3 | Resource group 1 | Resource group 2 |
---|---|---|---|---|---|
User group 1 | deny | | | | |
User group 2 | deny | deny | | | |
User group 3 | deny | deny | | | |
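The three tables describe a group-level policy: each user group is bound to a VLAN, a VXLAN and a network segment, each resource group to a data-center segment, and the matrix says which group pairs are denied. The following is an added example, not code from the patent or its applicant, of how such a matrix expands into the (first segment, second segment) ACL rules of claim 1 and how a packet is evaluated against them. The deny pairs are constructed (the cell positions of the page's matrix did not survive extraction), the segments are taken from the tables, and the VLAN consistency check is an addition that makes the claims' assumption about the source address explicit.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed configuration mirroring the two tables above: user group ->
# VLAN / VXLAN / network segment, and resource group -> data-center segment.
# The table writes segments host-style (10.10.1.1/24), so strict=False is
# needed or ipaddress.ip_network() raises ValueError on the set host bits.
USER_GROUPS: Dict[str, dict] = {
    "user_group_1": {"vlan": 10, "vxlan": 10,
                     "segment": ipaddress.ip_network("10.10.1.1/24", strict=False)},
    "user_group_2": {"vlan": 20, "vxlan": 20,
                     "segment": ipaddress.ip_network("10.20.1.1/24", strict=False)},
    "user_group_3": {"vlan": 30, "vxlan": 30,
                     "segment": ipaddress.ip_network("10.30.1.1/24", strict=False)},
}
RESOURCE_GROUPS: Dict[str, IPNet] = {
    "resource_group_1": ipaddress.ip_network("10.100.0.0/24"),
    "resource_group_2": ipaddress.ip_network("10.200.0.0/24"),
}

# Constructed deny matrix: (group of the source address, group of the
# destination address). Illustrative pairs only, not the patent's matrix.
DENY_MATRIX: List[Tuple[str, str]] = [
    ("user_group_1", "user_group_2"),
    ("user_group_2", "user_group_1"),
    ("user_group_2", "user_group_3"),
    ("user_group_3", "user_group_2"),
    ("user_group_3", "resource_group_2"),
]


def segment_of(group: str) -> IPNet:
    """Resolve a user or resource group name to its network segment."""
    if group in USER_GROUPS:
        return USER_GROUPS[group]["segment"]
    return RESOURCE_GROUPS[group]


def build_acl(deny: List[Tuple[str, str]]) -> List[Tuple[IPNet, IPNet]]:
    """Expand the group matrix into (first segment, second segment) ACL rules,
    the form claim 1 installs on the aggregation switch."""
    return [(segment_of(src_group), segment_of(dst_group))
            for src_group, dst_group in deny]


ACL_RULES: List[Tuple[IPNet, IPNet]] = build_acl(DENY_MATRIX)


def segment_for_vlan(vlan: int) -> Optional[IPNet]:
    """Segment bound to a VLAN, or None if the VLAN is not a user-group VLAN."""
    for group in USER_GROUPS.values():
        if group["vlan"] == vlan:
            return group["segment"]
    return None


def acl_decision(src_ip: str, dst_ip: str, ingress_vlan: int) -> str:
    """Return 'drop', 'forward', or 'drop:source-not-in-vlan-segment'.

    The claims assume the source IP lies in the segment of the VLAN bound to
    the user's group. The first check enforces that assumption explicitly (an
    added sanity check, not a step from the claims), so a host using another
    group's address range is never evaluated against that group's rules.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    vlan_segment = segment_for_vlan(ingress_vlan)
    if vlan_segment is None or src not in vlan_segment:
        return "drop:source-not-in-vlan-segment"
    # Claim 1: compare the source with the first segment and the destination
    # with the second; a match on both means the packet is discarded.
    for first_segment, second_segment in ACL_RULES:
        if src in first_segment and dst in second_segment:
            return "drop"
    return "forward"
```

Because the rules are keyed purely on address ranges, the whole scheme rests on the binding between a user's VLAN and its segment being trustworthy; the ingress-VLAN check above is the minimum a practitioner would add so that the ACL is not bypassed by a terminal that simply configures an address from another group's range.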
Claims (12)
- A network access control method, comprising: an aggregation switch configures, on the device itself, an access control list (ACL) rule, wherein the ACL rule includes a first network segment and a second network segment, and the first network segment and the second network segment correspond to the same user group, or to different user groups, or the first network segment corresponds to a user group and the second network segment corresponds to a resource group; the aggregation switch receives a user packet from a user terminal, sent by an access switch; the aggregation switch compares the source Internet Protocol (IP) address of the user packet with the first network segment in the ACL rule and compares the destination IP address of the user packet with the second network segment in the ACL rule, wherein the source IP address of the user packet is an IP address in the network segment corresponding to the virtual local area network (VLAN) bound to the user group to which the user belongs; and if the source IP address of the user packet matches the first network segment and the destination IP address of the user packet matches the second network segment, the aggregation switch discards the user packet.
- The method according to claim 1, further comprising: the aggregation switch receives, from a software-defined networking (SDN) controller, the identifier of the VLAN corresponding to the user group; the aggregation switch configures, on the device itself, the VLAN and VXLAN corresponding to the user group, establishes the correspondence between the VLAN, the VXLAN and the network segment, and configures the gateway IP address and media access control (MAC) address of the VXLAN.
- The method according to claim 2, further comprising: if the source IP address of the user packet does not match the first network segment and/or the destination IP address of the user packet does not match the second network segment, the aggregation switch looks up the corresponding outgoing interface in the routing table according to the destination IP address; when the outgoing interface found is a downlink port of the device itself, the aggregation switch forwards the user packet through the downlink port found; when the outgoing interface found is a VXLAN tunnel interface, the aggregation switch looks up the VXLAN identifier corresponding to the VLAN identifier encapsulated in the user packet, performs VXLAN encapsulation on the user packet and forwards it.
- The method according to claim 2, further comprising: before receiving the user packet sent by the access switch, the aggregation switch receives an Address Resolution Protocol (ARP) request packet for a target IP address sent by the access switch; the aggregation switch determines, according to the VLAN identifier encapsulated in the ARP request packet, the gateway of the network segment corresponding to that VLAN; the aggregation switch determines the destination IP address of the ARP request packet according to the target IP address and the source IP address of the ARP request packet.
- The method according to claim 4, further comprising: if the destination IP address of the ARP request packet is the IP address of the determined gateway, the aggregation switch carries the MAC address of the determined gateway in an ARP reply packet and sends it to the access switch; if the destination IP address of the ARP request packet is not the IP address of the determined gateway, then, when the determined gateway is configured with the ARP proxy function, the aggregation switch carries the MAC address of the determined gateway in an ARP reply packet and sends it to the access switch, so that the user terminal, after receiving the ARP reply packet forwarded by the access switch, establishes a correspondence between the target IP address and the MAC address of that gateway and sends to the access switch the user packet whose destination IP address is the target IP address and whose destination MAC address is the MAC address of the determined gateway.
- The method according to claim 4, wherein determining the destination IP address of the ARP request packet according to the target IP address and the source IP address of the ARP request packet comprises: when the target IP address and the source IP address of the ARP request packet belong to the same network segment, the aggregation switch determines that the destination IP address of the ARP request packet is the target IP address; when the target IP address and the source IP address of the ARP request packet belong to different network segments, the aggregation switch determines that the destination IP address of the ARP request packet is the IP address of the determined gateway.
- A network access control apparatus, comprising a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores machine-readable instructions executable by the processor, and the processor is caused by the machine-readable instructions to: configure an access control list (ACL) rule on an aggregation switch, wherein the ACL rule includes a first network segment and a second network segment, and the first network segment and the second network segment correspond to the same user group, or to different user groups, or the first network segment corresponds to a user group and the second network segment corresponds to a resource group; receive a user packet from a user terminal, sent by an access switch; compare the source Internet Protocol (IP) address of the user packet with the first network segment in the ACL rule and compare the destination IP address of the user packet with the second network segment in the ACL rule, wherein the source IP address of the user packet is an IP address in the network segment corresponding to the virtual local area network (VLAN) bound to the user group to which the user belongs; and if the source IP address of the user packet matches the first network segment and the destination IP address of the user packet matches the second network segment, discard the user packet.
- The network access control apparatus according to claim 7, wherein the machine-readable instructions further cause the processor to: receive, from a software-defined networking (SDN) controller, the identifier of the VLAN corresponding to the user group; configure, on the aggregation switch, the VLAN and VXLAN corresponding to the user group, establish the correspondence between the VLAN, the VXLAN and the network segment, and configure the gateway IP address and media access control (MAC) address of the VXLAN.
- The apparatus according to claim 8, wherein the machine-readable instructions further cause the processor to: if the source IP address of the user packet does not match the first network segment and/or the destination IP address of the user packet does not match the second network segment, look up the corresponding outgoing interface in the routing table according to the destination IP address; when the outgoing interface found is a downlink port of the aggregation switch, forward the user packet through the downlink port found; and when the outgoing interface found is a VXLAN tunnel interface, look up the VXLAN identifier corresponding to the VLAN identifier encapsulated in the user packet, perform VXLAN encapsulation on the user packet and forward it.
- The apparatus according to claim 8, wherein the machine-readable instructions further cause the processor to: before receiving the user packet sent by the access switch, receive an Address Resolution Protocol (ARP) request packet for a target IP address sent by the access switch; determine, according to the VLAN identifier encapsulated in the ARP request packet, the gateway of the network segment corresponding to that VLAN; and determine the destination IP address of the ARP request packet according to the target IP address and the source IP address of the ARP request packet.
- The apparatus according to claim 10, wherein the machine-readable instructions further cause the processor to: if the destination IP address of the ARP request packet is the IP address of the determined gateway, carry the MAC address of the determined gateway in an ARP reply packet and send it to the access switch; and if the destination IP address of the ARP request packet is not the IP address of the determined gateway, then, when the determined gateway is configured with the ARP proxy function, carry the MAC address of the determined gateway in an ARP reply packet and send it to the access switch, so that the user terminal, after receiving the ARP reply packet forwarded by the access switch, establishes a correspondence between the target IP address and the MAC address of that gateway and sends to the access switch the user packet whose destination IP address is the target IP address and whose destination MAC address is the MAC address of the determined gateway.
- The apparatus according to claim 10, wherein, when determining the destination IP address of the ARP request packet according to the target IP address and the source IP address of the ARP request packet, the machine-readable instructions further cause the processor to: when the target IP address and the source IP address of the ARP request packet belong to the same network segment, determine that the destination IP address of the ARP request packet is the target IP address; and when the target IP address and the source IP address of the ARP request packet belong to different network segments, determine that the destination IP address of the ARP request packet is the IP address of the determined gateway.
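Claims 3 to 6 (and their apparatus counterparts 9 to 12) describe two control-plane decisions the aggregation switch makes around the ACL check: how it answers an ARP request from a user terminal, and how it forwards a packet the ACL did not discard. The block below is an added example written for this page, not the patent's or the applicant's code. It assumes a constructed per-VLAN table (segment, gateway IP and MAC, VXLAN ID, ARP proxy flag) of the kind claim 2 has the switch build from the controller's VLAN identifiers, and a constructed routing table whose interface names are placeholders; "same network segment" in claim 6 is read as both addresses lying in the VLAN's own segment, which is an interpretation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed per-VLAN table: segment, gateway IP/MAC of the VXLAN, VXLAN ID,
# and whether the gateway runs ARP proxy. Placeholder values, not the patent's.
VLAN_TABLE: Dict[int, dict] = {
    10: {"segment": ipaddress.ip_network("10.10.1.0/24"), "gw_ip": "10.10.1.1",
         "gw_mac": "00:00:5e:00:01:0a", "vxlan": 10, "arp_proxy": True},
    20: {"segment": ipaddress.ip_network("10.20.1.0/24"), "gw_ip": "10.20.1.1",
         "gw_mac": "00:00:5e:00:01:14", "vxlan": 20, "arp_proxy": False},
}

# Constructed routing table: (destination prefix, outgoing interface). The
# interface name says whether the next hop is a local downlink port or a
# VXLAN tunnel towards the data center; names are placeholders.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.10.1.0/24"), "downlink:ge0/1"),
    (ipaddress.ip_network("10.20.1.0/24"), "downlink:ge0/2"),
    (ipaddress.ip_network("10.100.0.0/24"), "vxlan-tunnel:leaf2"),
]


def handle_arp_request(vlan: int, sender_ip: str, target_ip: str) -> Optional[dict]:
    """Claims 4 to 6: pick the gateway from the VLAN, decide the request's
    destination IP, and decide whether the aggregation switch answers.

    Returns {"reply_mac": ..., "reason": "gateway" | "proxy"} when an ARP reply
    carrying the gateway MAC goes back to the access switch, or None when the
    request is not answered here.
    """
    entry = VLAN_TABLE.get(vlan)
    if entry is None:
        return None  # unknown VLAN: no gateway to answer with
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    gw_ip = ipaddress.ip_address(entry["gw_ip"])
    # Claim 6: same segment -> destination is the target itself; different
    # segments -> destination is the gateway (interpretation: "same segment"
    # means both addresses fall inside the VLAN's own segment).
    same_segment = sender in entry["segment"] and target in entry["segment"]
    dest_ip = target if same_segment else gw_ip
    # Claim 5: reply with the gateway MAC when the request is for the gateway,
    # or, with ARP proxy enabled on that gateway, for any other target too.
    if dest_ip == gw_ip:
        return {"reply_mac": entry["gw_mac"], "reason": "gateway"}
    if entry["arp_proxy"]:
        return {"reply_mac": entry["gw_mac"], "reason": "proxy"}
    return None


def forward_user_packet(vlan: int, dst_ip: str) -> str:
    """Claim 3: once the ACL has not matched, forward by longest-prefix route.

    Returns 'forward:<downlink>' for a local downlink port,
    'encap:vni=<id>:<tunnel>' when the packet is VXLAN-encapsulated with the
    VNI mapped from its VLAN, or 'drop:...' when nothing applies.
    """
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best is None:
        return "drop:no-route"
    iface = best[1]
    if iface.startswith("downlink:"):
        return f"forward:{iface}"
    if iface.startswith("vxlan-tunnel:"):
        entry = VLAN_TABLE.get(vlan)
        if entry is None:
            return "drop:no-vxlan-for-vlan"
        return f"encap:vni={entry['vxlan']}:{iface}"
    return "drop:unknown-interface"
```

The ARP proxy branch is what makes the same-user-group rule of claim 1 enforceable: a terminal resolving a neighbour in its own segment still receives the gateway's MAC, so the frame is addressed to the aggregation switch and passes through the ACL instead of being switched locally by the access switch. A defender reviewing such a deployment should therefore verify that ARP proxy is actually enabled on every user-group gateway, since with it off (VLAN 20 above) intra-segment traffic never reaches the rule.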
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP17788833.6A EP3451612B1 (en) | 2016-04-29 | 2017-05-02 | Network access control |
JP2018556323A JP6648308B2 (ja) | 2016-04-29 | 2017-05-02 | Packet transmission |
US16/097,154 US11025631B2 (en) | 2016-04-29 | 2017-05-02 | Network access control |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610288688.7A CN107332812B (zh) | 2016-04-29 | 2016-04-29 | Method and apparatus for implementing network access control |
CN201610288688.7 | 2016-04-29 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017186181A1 true WO2017186181A1 (zh) | 2017-11-02 |
Family
ID=60161827
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/082690 WO2017186181A1 (zh) | 2016-04-29 | 2017-05-02 | Network access control |
Country Status (5)
Country | Link |
---|---|
US (1) | US11025631B2 (zh) |
EP (1) | EP3451612B1 (zh) |
JP (1) | JP6648308B2 (zh) |
CN (1) | CN107332812B (zh) |
WO (1) | WO2017186181A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2020005256A (ja) * | 2018-06-26 | 2020-01-09 | 華為技術有限公司Huawei Technologies Co.,Ltd. | VXLAN implementation method, network device, and communication system |
Families Citing this family (40)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10454714B2 (en) | 2013-07-10 | 2019-10-22 | Nicira, Inc. | Method and system of overlay flow control |
US10523636B2 (en) * | 2016-02-04 | 2019-12-31 | Airwatch Llc | Enterprise mobility management and network micro-segmentation |
US10999100B2 (en) | 2017-10-02 | 2021-05-04 | Vmware, Inc. | Identifying multiple nodes in a virtual network defined over a set of public clouds to connect to an external SAAS provider |
US10686625B2 (en) | 2017-10-02 | 2020-06-16 | Vmware, Inc. | Defining and distributing routes for a virtual network |
US11115480B2 (en) | 2017-10-02 | 2021-09-07 | Vmware, Inc. | Layer four optimization for a virtual network defined over public cloud |
FR3072529B1 (fr) * | 2017-10-17 | 2019-10-18 | Sagemcom Broadband Sas | Data routing in a residential gateway implementing link aggregation |
US11223514B2 (en) | 2017-11-09 | 2022-01-11 | Nicira, Inc. | Method and system of a dynamic high-availability mode based on current wide area network connectivity |
CN108600170A (zh) * | 2018-03-20 | 2018-09-28 | 大势至(北京)软件工程有限公司 | Method and system for controlling the internet access behavior of network devices in a multi-segment environment |
CN110401726B (zh) * | 2018-04-24 | 2022-04-15 | 中兴通讯股份有限公司 | Address Resolution Protocol packet processing method, apparatus, device and storage medium |
CN108616463B (zh) * | 2018-04-25 | 2021-04-30 | 新华三技术有限公司 | Packet processing method and switch |
CN110446214A (zh) * | 2018-05-03 | 2019-11-12 | 中兴通讯股份有限公司 | Method, apparatus, device and storage medium for managing a network access process |
CN110650075B (zh) * | 2018-06-26 | 2022-02-18 | 华为技术有限公司 | VXLAN-based group policy implementation method, network device and group policy implementation system |
CN109525601B (zh) * | 2018-12-28 | 2021-04-27 | 杭州迪普科技股份有限公司 | Method and apparatus for isolating lateral traffic between terminals in an intranet |
CN111030970B (zh) * | 2019-03-21 | 2023-04-18 | 安天科技集团股份有限公司 | Distributed access control method, apparatus and storage device |
CN111865876B (zh) * | 2019-04-29 | 2021-10-15 | 华为技术有限公司 | Network access control method and device |
US10999137B2 (en) | 2019-08-27 | 2021-05-04 | Vmware, Inc. | Providing recommendations for implementing virtual networks |
CN110535744B (zh) * | 2019-08-29 | 2021-12-24 | 新华三信息安全技术有限公司 | Packet processing method, apparatus and leaf device |
CN116208658A (zh) | 2019-09-06 | 2023-06-02 | 华为云计算技术有限公司 | Communication method and gateway, management method and apparatus in a hybrid cloud environment |
CN112565158B (zh) * | 2019-09-25 | 2022-10-04 | 阿里巴巴集团控股有限公司 | Data access method, apparatus, system, electronic device and computer-readable medium |
CN110691101A (zh) * | 2019-10-28 | 2020-01-14 | 锐捷网络股份有限公司 | Method and apparatus for configuring an authentication-exempt list for dumb terminals |
CN111130976B (zh) * | 2019-11-15 | 2022-04-22 | 苏州浪潮智能科技有限公司 | Method, device and medium for configuring a virtual local area network on a white-box switch |
CN110838966B (zh) * | 2019-11-20 | 2022-03-01 | 紫光华山科技有限公司 | Device connection control method and apparatus |
CN112838983B (zh) * | 2019-11-22 | 2023-09-12 | 斑马智行网络(香港)有限公司 | Data transmission method, system, device, proxy server and storage medium |
CN110958334B (zh) * | 2019-11-25 | 2022-08-09 | 新华三半导体技术有限公司 | Packet processing method and apparatus |
CN111107142B (zh) * | 2019-12-16 | 2022-07-01 | 新华三大数据技术有限公司 | Service access method and apparatus |
CN113132326B (zh) * | 2019-12-31 | 2022-08-09 | 华为技术有限公司 | Access control method, apparatus and system |
CN111695149B (zh) * | 2020-05-15 | 2023-07-28 | 浙江信网真科技股份有限公司 | Security filtering method based on cloud collaboration |
US11522754B2 (en) * | 2020-09-15 | 2022-12-06 | Arista Networks, Inc. | Systems and methods for Zero-Touch Provisioning of a switch in intermediate distribution frames and main distribution frames |
US11929903B2 (en) | 2020-12-29 | 2024-03-12 | VMware LLC | Emulating packet flows to assess network links for SD-WAN |
US11792127B2 (en) | 2021-01-18 | 2023-10-17 | Vmware, Inc. | Network-aware load balancing |
US11979325B2 (en) | 2021-01-28 | 2024-05-07 | VMware LLC | Dynamic SD-WAN hub cluster scaling with machine learning |
CN112511569B (zh) * | 2021-02-07 | 2021-05-11 | 杭州筋斗腾云科技有限公司 | Method, system and computer device for processing network resource access requests |
US20220353190A1 (en) * | 2021-04-29 | 2022-11-03 | Vmware, Inc. | Methods for micro-segmentation in sd-wan for virtual networks |
US11595232B1 (en) * | 2021-07-13 | 2023-02-28 | Paul Chang | Switch fabric for a data center network having virtual machines |
US11943146B2 (en) | 2021-10-01 | 2024-03-26 | VMware LLC | Traffic prioritization in SD-WAN |
CN114124896B (zh) * | 2021-11-03 | 2023-08-08 | 中盈优创资讯科技有限公司 | Method and apparatus for resolving broadcast-domain isolation between a client and a service system |
CN114051246B (zh) * | 2021-11-16 | 2024-02-20 | 酒泉钢铁(集团)有限责任公司 | Method for converging an SDN+VXLAN network with an enterprise 5G network |
CN114520737B (zh) * | 2022-01-26 | 2024-04-02 | 北京华信傲天网络技术有限公司 | Layer-2 data access control method and system for wireless users |
US11909815B2 (en) | 2022-06-06 | 2024-02-20 | VMware LLC | Routing based on geolocation costs |
CN115412319B (zh) * | 2022-08-19 | 2024-03-26 | 浪潮思科网络科技有限公司 | Network permission control method, device and medium based on user-following policy |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1878112A (zh) * | 2006-07-20 | 2006-12-13 | 杭州华为三康技术有限公司 | Method for implementing virtual local area network aggregation and aggregation switch |
CN101022394A (zh) * | 2007-04-06 | 2007-08-22 | 杭州华为三康技术有限公司 | Method for implementing virtual local area network aggregation and aggregation switch |
US8675664B1 (en) * | 2011-08-03 | 2014-03-18 | Juniper Networks, Inc. | Performing scalable L2 wholesale services in computer networks using customer VLAN-based forwarding and filtering |
Family Cites Families (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7009933B2 (en) * | 2001-01-30 | 2006-03-07 | Broadcom Corporation | Traffic policing of packet transfer in a dual speed hub |
CN100433750C (zh) * | 2003-03-06 | 2008-11-12 | 华为技术有限公司 | Network access control method based on user accounts |
US8045566B2 (en) * | 2003-08-01 | 2011-10-25 | Hewlett-Packard Development Company, L.P. | Automated router load balancing |
CN101827008A (zh) * | 2009-03-04 | 2010-09-08 | 中兴通讯股份有限公司 | Method for controlling the number of Ethernet address table refreshes |
BR112012018762B1 (pt) * | 2010-05-28 | 2022-06-21 | Huawei Technologies Co., Ltd | System, network component and method for providing communication between a plurality of access domains |
CN103262485A (zh) * | 2010-12-16 | 2013-08-21 | 日本电气株式会社 | Switching device, upper-layer device of a switching device, network, and packet forwarding method |
US9379975B2 (en) * | 2011-01-05 | 2016-06-28 | Nec Corporation | Communication control system, control server, forwarding node, communication control method, and communication control program |
US8763075B2 (en) * | 2011-03-07 | 2014-06-24 | Adtran, Inc. | Method and apparatus for network access control |
JP5395833B2 (ja) | 2011-03-14 | 2014-01-22 | 株式会社東芝 | Virtual network system and virtual communication control method |
WO2012133290A1 (ja) * | 2011-03-31 | 2012-10-04 | 日本電気株式会社 | Computer system and communication method |
CN102255918A (zh) * | 2011-08-22 | 2011-11-23 | 神州数码网络(北京)有限公司 | User access permission control method based on DHCP Option 82 |
JP5484427B2 (ja) | 2011-10-27 | 2014-05-07 | 株式会社日立製作所 | Network system management method, network system and management server |
CN102404346A (zh) * | 2011-12-27 | 2012-04-04 | 神州数码网络(北京)有限公司 | Method and system for controlling internet user access permissions |
CA2775804C (en) * | 2012-05-08 | 2013-01-29 | Guest Tek Interactive Entertainment Ltd. | Automatically configuring computer network at hospitality establishment with reservation-specific settings |
US8751650B2 (en) | 2012-05-10 | 2014-06-10 | Cisco Technology, Inc. | Method and apparatus for supporting access control lists in a multi-tenant environment |
US9210079B2 (en) * | 2012-08-14 | 2015-12-08 | Vmware, Inc. | Method and system for virtual and physical network integration |
JP6060688B2 (ja) * | 2013-01-10 | 2017-01-18 | 富士通株式会社 | Forwarding device, communication system, and detour route detection method |
US20140233569A1 (en) * | 2013-02-15 | 2014-08-21 | Futurewei Technologies, Inc. | Distributed Gateway in Virtual Overlay Networks |
US9325610B2 (en) * | 2013-03-15 | 2016-04-26 | Cisco Technology, Inc. | Extended tag networking |
US9203738B2 (en) * | 2013-05-21 | 2015-12-01 | Cisco Technology, Inc. | Optimal forwarding for trill fine-grained labeling and VXLAN interworking |
CN104380667B (zh) * | 2013-06-14 | 2017-09-12 | 华为技术有限公司 | Data packet routing method and device |
US9374323B2 (en) * | 2013-07-08 | 2016-06-21 | Futurewei Technologies, Inc. | Communication between endpoints in different VXLAN networks |
CN104869065B (zh) * | 2014-02-26 | 2020-04-21 | 中兴通讯股份有限公司 | Data packet processing method and apparatus |
CN105471740B (zh) * | 2014-07-09 | 2018-10-12 | 新华三技术有限公司 | Gateway migration processing method and apparatus based on software-defined networking |
US9825878B2 (en) * | 2014-09-26 | 2017-11-21 | Cisco Technology, Inc. | Distributed application framework for prioritizing network traffic using application priority awareness |
CN105450532B (zh) * | 2014-09-28 | 2018-10-09 | 新华三技术有限公司 | Layer-3 forwarding method and apparatus in a software-defined network |
CN105577548B (zh) * | 2014-10-10 | 2018-10-09 | 新华三技术有限公司 | Packet processing method and apparatus in a software-defined network |
US9781004B2 (en) * | 2014-10-16 | 2017-10-03 | Cisco Technology, Inc. | Discovering and grouping application endpoints in a network environment |
CN105656796B (zh) * | 2014-11-25 | 2019-01-22 | 新华三技术有限公司 | Method and apparatus for implementing layer-3 forwarding in a virtual extensible local area network |
US9621577B2 (en) * | 2015-05-28 | 2017-04-11 | Microsoft Technology Licensing, Llc | Mitigation of computer network attacks |
WO2017069736A1 (en) * | 2015-10-20 | 2017-04-27 | Hewlett Packard Enterprise Development Lp | Sdn controller assisted intrusion prevention systems |
US10298490B2 (en) * | 2015-12-09 | 2019-05-21 | Cisco Technology, Inc. | Coexistence and migration of legacy ethernet and overlay networks |
US10432628B2 (en) * | 2016-02-23 | 2019-10-01 | Cisco Technology, Inc. | Method for improving access control for TCP connections while optimizing hardware resources |
US10200278B2 (en) * | 2016-03-02 | 2019-02-05 | Arista Networks, Inc. | Network management system control service for VXLAN on an MLAG domain |
US10142163B2 (en) * | 2016-03-07 | 2018-11-27 | Cisco Technology, Inc | BFD over VxLAN on vPC uplinks |
US10270778B2 (en) * | 2016-03-21 | 2019-04-23 | Google Llc | Methods and systems for dynamic creation of access control lists |
2016
- 2016-04-29 CN CN201610288688.7A patent/CN107332812B/zh active Active

2017
- 2017-05-02 EP EP17788833.6A patent/EP3451612B1/en active Active
- 2017-05-02 US US16/097,154 patent/US11025631B2/en active Active
- 2017-05-02 WO PCT/CN2017/082690 patent/WO2017186181A1/zh active Application Filing
- 2017-05-02 JP JP2018556323A patent/JP6648308B2/ja active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1878112A (zh) * | 2006-07-20 | 2006-12-13 | 杭州华为三康技术有限公司 | Method for implementing virtual local area network aggregation and aggregation switch |
CN101022394A (zh) * | 2007-04-06 | 2007-08-22 | 杭州华为三康技术有限公司 | Method for implementing virtual local area network aggregation and aggregation switch |
US8675664B1 (en) * | 2011-08-03 | 2014-03-18 | Juniper Networks, Inc. | Performing scalable L2 wholesale services in computer networks using customer VLAN-based forwarding and filtering |
Non-Patent Citations (1)
Title |
---|
See also references of EP3451612A4 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2020005256A (ja) * | 2018-06-26 | 2020-01-09 | 華為技術有限公司Huawei Technologies Co.,Ltd. | VXLAN implementation method, network device, and communication system |
JP2021145345A (ja) * | 2018-06-26 | 2021-09-24 | 華為技術有限公司Huawei Technologies Co., Ltd. | VXLAN implementation method, network device, and communication system |
US11271779B2 (en) | 2018-06-26 | 2022-03-08 | Huawei Technologies Co., Ltd. | VXLAN implementation method, network device, and communications system |
US11563603B2 (en) | 2018-06-26 | 2023-01-24 | Huawei Technologies Co., Ltd. | VXLAN implementation method, network device, and communications system |
US11888652B2 (en) | 2018-06-26 | 2024-01-30 | Huawei Technologies Co., Ltd. | VXLAN implementation method, network device, and communications system |
Also Published As
Publication number | Publication date |
---|---|
JP6648308B2 (ja) | 2020-02-14 |
EP3451612B1 (en) | 2021-03-03 |
CN107332812B (zh) | 2020-07-07 |
JP2019516320A (ja) | 2019-06-13 |
US11025631B2 (en) | 2021-06-01 |
EP3451612A1 (en) | 2019-03-06 |
CN107332812A (zh) | 2017-11-07 |
US20190132322A1 (en) | 2019-05-02 |
EP3451612A4 (en) | 2019-03-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017186181A1 (zh) | Network access control | |
EP3499799B1 (en) | Forwarding policy configuration | |
US10320838B2 (en) | Technologies for preventing man-in-the-middle attacks in software defined networks | |
US9900263B2 (en) | Non-overlay resource access in datacenters using overlay networks | |
US9374323B2 (en) | Communication between endpoints in different VXLAN networks | |
US9730269B2 (en) | Method and system for partitioning wireless local area network | |
KR102054338B1 (ko) | Routing of VLAN-tagged packets to far-end addresses of virtual forwarding instances using separate administrations | |
US8718071B2 (en) | Method to pass virtual local area network information in virtual station interface discovery and configuration protocol | |
EP2905930B1 (en) | Processing method, apparatus and system for multicast | |
US20190238508A1 (en) | Unified security policies across virtual private clouds with overlapping ip address blocks | |
US20150124823A1 (en) | Tenant dhcp in an overlay network | |
US11228558B2 (en) | Method and apparatus for isolating transverse communication between terminal devices in intranet | |
EP3282667B1 (en) | Generating a vnf for authorizing service | |
CN106559292A (zh) | Broadband access method and apparatus | |
US9641417B2 (en) | Proactive detection of host status in a communications network | |
EP2584742B1 (en) | Method and switch for sending packet | |
US20160080318A1 (en) | Dynamic host configuration protocol release on behalf of a user | |
US11438268B2 (en) | Server-based local address assignment protocol | |
CN115442184B (zh) | Access system and method, access server, system and storage medium | |
US20230283589A1 (en) | Synchronizing dynamic host configuration protocol snoop information | |
JP6865266B2 (ja) | Device detection method, SDN controller and storage medium | |
US9438475B1 (en) | Supporting relay functionality with a distributed layer 3 gateway | |
WO2021037358A1 (en) | Virtual local presence based on l3 virtual mapping of remote network nodes | |
US20230006998A1 (en) | Management of private networks over multiple local networks | |
US20220103424A1 (en) | Dynamic User Private Networks of a Shared Virtual Network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 2018556323 Country of ref document: JP Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2017788833 Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2017788833 Country of ref document: EP Effective date: 20181129 |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17788833 Country of ref document: EP Kind code of ref document: A1 |