WO2019238006A1 - Access authentication method for port, terminal, and storage medium - Google Patents

Info

Publication number: WO2019238006A1
Application number: PCT/CN2019/090547
Authority: WO, WIPO (PCT)
Other languages: French (fr), Chinese (zh)
Prior art keywords: port, aggregation, access authentication, status, ports
Inventor: 杨曦 (Yang Xi)
Original Assignee: 中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司
Publication of WO2019238006A1

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles

Definitions

  • Embodiments of the present invention relate to port authentication technologies in the field of communication technology, and in particular, but not exclusively, to a port access authentication method, a terminal, and a storage medium.
  • 802.1X is a simple user access authentication protocol that is widely used in switches. 802.1X controls whether a user can access the network by placing the port in an authenticated or an unauthenticated state.
  • The Link Aggregation Control Protocol (LACP) bundles multiple ports into an aggregation group so that inbound and outbound load is shared among the member ports of the group, providing more reliable access with higher bandwidth.
  • LACP and 802.1X are both port-level protocols. On the same device the two cannot simply be layered on top of each other.
  • An optical line terminal (OLT) can be connected to small devices or to optical network units (ONUs).
  • ONUs generally do not support the 802.1X protocol.
  • The small devices connected under the OLT do support the 802.1X protocol.
  • Operators therefore choose to enable 802.1X uniformly on the OLT to keep the protocol configuration consistent.
  • As a result, both the 802.1X protocol and the LACP protocol are in use on the OLT.
  • The protocols supported by an aggregation port formed by LACP are not simply the union of the protocols supported by its member ports. In other words, 802.1X and LACP cannot be shared on the OLT, so the access authentication state machine cannot perform access authentication on the aggregation port as a whole.
  • To address this, embodiments of the present invention provide a port access authentication method, a terminal, and a storage medium.
  • An embodiment of the present invention provides a method for port access authentication.
  • The method includes:
  • configuring the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
  • An embodiment of the present invention provides a device for port access authentication.
  • The device includes at least a processor and a storage medium configured to store executable instructions, where:
  • the processor is configured to execute the stored executable instructions, which are configured to perform the port access authentication method described above.
  • An embodiment of the present invention provides a computer-readable storage medium that stores computer-executable instructions configured to perform the port access authentication method described above.
  • In summary, embodiments of the present invention provide a port access authentication method, terminal, and storage medium in which an aggregation group of ports is created according to the link configuration information of at least two ports, one aggregation group corresponding to one aggregation port; a corresponding management port entry is created for the aggregation group; the access authentication status of the aggregation port is obtained; and that status is configured, according to the management port entry, onto the member ports corresponding to the aggregation port. By converting the online and authentication state between the protocol and the user ports in this way, the port-level protocols are shared on the device, which improves user access security and gives users higher access bandwidth.
  • FIG. 1 is a schematic flowchart of port access authentication according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of port access authentication according to another embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the composition of a port access authentication device according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a three-level management port entry created according to an embodiment of the present invention.
  • FIG. 5A is a schematic flowchart of adding a new member port according to an embodiment of the present invention.
  • FIG. 5B is a schematic flowchart of deleting a member port according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of modifying the aggregation port state according to an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of the online and offline state handling of an aggregation port according to an embodiment of the present invention.
  • FIG. 8 is a schematic flowchart of a port access authentication method according to another embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • Link aggregation bundles multiple physical ports together so that inbound and outbound traffic is load-shared among the member ports.
  • For each packet, the switch selects the member port on which the packet is sent to the peer switch according to the load-sharing policy configured by the user. When the switch detects that the link of one member port has failed, it stops sending packets on that member port and recalculates the sending port over the remaining links according to the load-sharing policy. After the faulty port recovers, the sending port is recalculated again.
  • Link aggregation is therefore an important technique for increasing link bandwidth and achieving flexibility and redundancy in link transmission. However, because the state machine of the access authentication protocol in the prior art cannot perform access authentication on the aggregation port obtained from the link set as a whole, using the aggregation port for packet transmission raises a network access security problem.
  • In an embodiment, the LACP state machine in the terminal performs link aggregation through the LACP protocol according to the link configuration information of the ports to form the corresponding aggregation group.
  • For example, if switch A needs to establish a two-link aggregated connection with switch B, it is only necessary to enable LACP on two ports of switch A and on two ports of switch B and then physically connect the two links; this completes the aggregation of the two links.
  • An aggregation group with two member ports is thus formed on switch A.
  • Here switch A may be an OLT, and switch B may be a small device or an ONU connected to the OLT.
  • FIG. 1 is a schematic flowchart of port access authentication according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S101: Create an aggregation group of ports according to the link configuration information of at least two ports.
  • Any one of the at least two ports may independently support the LACP or the 802.1X protocol.
  • Creating the aggregation group according to the link configuration information of at least two ports may proceed as follows: the user configures the link configuration information of the ports, the link aggregation controller system in the terminal starts the link aggregation protocol, and the link aggregation controller system automatically performs link aggregation according to the configured link configuration information to form the corresponding aggregation group.
  • Step S102: Create a corresponding management port entry for the aggregation group.
  • The management port entry is a three-level management port entry. The first-level management port entry holds the physical ports configured in the aggregation group and is responsible for port state management; the second-level management port entry holds the activated physical ports in the aggregation group and is responsible for packet transmission; the third-level management port entry holds the aggregation port on which the access authentication protocol state machine controls access authentication and is responsible for running that state machine.
  • The management port entry stores the mapping between the port identifiers of all physical ports in the aggregation group, the port identifiers of the activated physical ports in the aggregation group, and the port identifier of the aggregation port corresponding to the aggregation group.
  • Creating the management port entry for the aggregation group may proceed as follows: the link aggregation controller in the terminal automatically performs link aggregation according to the link configuration information configured by the user to form the corresponding aggregation group, and then sends a message to the processor of the terminal requesting the creation of a management port entry. The message carries the port identifiers of all physical ports in the aggregation group, the port identifiers of the activated physical ports in the aggregation group, and the port identifier of the aggregation port corresponding to the aggregation group. The processor of the terminal creates the corresponding management port entry according to the message.
  • Step S103: Obtain the access authentication status of the aggregation port.
  • The access authentication status of the aggregation port is either authenticated or unauthenticated.
  • Obtaining the access authentication status of the aggregation port may proceed as follows: the terminal receives, through a physical port, a message sent by a user for access authentication, and the message carries the port identifier of the physical port on which it was received. The processor of the terminal looks up, in the management port entry, the port identifier of the aggregation port corresponding to that physical port, controls access authentication on the aggregation port, and receives the resulting access authentication status of the aggregation port.
  • Alternatively, a user port of the terminal sends an access authentication request to the processor of the terminal, the request carrying the port identifier of the user port. The processor determines from the request the port identifier of the aggregation port corresponding to the user port, controls access authentication on the aggregation port, and receives the access authentication status of the aggregation port.
  • Step S104: Configure the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port according to the management port entry.
  • The member ports corresponding to the aggregation port are all physical ports in the aggregation group corresponding to that aggregation port.
  • Configuring the status may proceed as follows: after the processor of the terminal receives the access authentication status of the aggregation port, it queries the management port entry for the physical ports in the aggregation group corresponding to the aggregation port and configures the access authentication status of the aggregation port onto all of those physical ports.
  • In this embodiment, an aggregation group of ports is created according to the link configuration information of at least two ports, one aggregation group corresponding to one aggregation port; a corresponding management port entry is created for the aggregation group; the access authentication status of the aggregation port is obtained; and that status is configured onto the member ports corresponding to the aggregation port according to the management port entry. By converting the online and authentication state between the protocol and the user ports in this way, the port-level protocols are shared on the device, which improves user access security and gives users higher access bandwidth.
  • FIG. 2 is a schematic flowchart of port access authentication according to another embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step S201: Create an aggregation group of ports according to the link configuration information of at least two ports.
  • The link configuration information of a port includes its link aggregation information, rate, duplex attributes and similar parameters. One aggregation group corresponds to one aggregation port; the aggregation port has an online and offline status and supports every protocol supported by any member port of the aggregation group.
  • Creating the aggregation group according to the link configuration information of at least two ports may proceed as follows: the user starts the link aggregation protocol on the link aggregation controller system in the terminal according to the link configuration information of the configured ports, and the link aggregation controller system automatically performs link aggregation according to that information to form the corresponding aggregation group.
  • Step S202: Obtain a message for access authentication of the member ports in the aggregation group.
  • Step S203: Create the management port entry corresponding to the aggregation group according to the message.
  • The management port entry stores the port identifiers of all physical ports in the aggregation group, the port identifiers of the activated physical ports in the aggregation group, and the port identifier of the aggregation port corresponding to the aggregation group.
  • The management port entry may be a three-level management port entry: the first-level entry holds the physical ports configured in the aggregation group and is responsible for port state management; the second-level entry holds the activated physical ports in the aggregation group and is responsible for packet transmission; the third-level entry holds the aggregation port on which the access authentication protocol state machine controls access authentication and is responsible for running that state machine.
  • Creating the management port entry according to the message may proceed as follows: the link aggregation controller in the terminal automatically performs link aggregation according to the link configuration information configured by the user to form the corresponding aggregation group and sends a message to the processor of the terminal carrying the port identifiers of the member ports in the aggregation group and the port identifier of the corresponding aggregation port. The processor creates a first-level management port entry from the member port identifiers in the message and a third-level management port entry from the aggregation port identifier in the message; when the link aggregation protocol is enabled and a port is activated, the processor creates the corresponding second-level management port entry from the activated member ports.
  • Alternatively, the link aggregation controller in the terminal automatically performs link aggregation according to the link configuration information configured by the user to form the corresponding aggregation group and sends the processor of the terminal a request to create a management port entry, the request carrying the port identifiers of the member ports in the aggregation group and the port identifier of the corresponding aggregation port. The processor creates a first-level management port entry from the member port identifiers in the request and, at the same time, the third-level management port entry of the aggregation port corresponding to those member ports; when the link aggregation protocol is enabled and a port is activated, the processor creates the corresponding second-level management port entry.
  • Step S204: Control the access authentication protocol state machine to perform access authentication on the aggregation port, obtaining the access authentication status of the aggregation port.
  • Controlling the state machine may proceed as follows: the processor of the terminal receives a message sent by a user for access authentication, the message carrying the port identifier of a first-level port (a port listed in the first-level management port entry). The processor looks up the corresponding second-level port in the management port entry according to that identifier and passes the access authentication message through the second-level port to the access authentication state machine, which performs access authentication on the third-level port corresponding to the first-level port.
  • Obtaining the access authentication status of the aggregation port may proceed as follows: when the access authentication state machine receives the message, it initializes and starts performing access authentication on the third-level port, and the result of the access authentication is fed back to the processor of the terminal through the second-level port, so that the processor receives the access authentication status of the aggregation port.
  • Step S205: The processor of the terminal configures the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port according to the management port entry.
  • That is, the processor of the terminal receives the modified access authentication status of the aggregation group.
  • The processor of the terminal then configures the modified access authentication status of the aggregation group onto the member ports of the aggregation group.
  • In this embodiment, an access authentication state machine performs access authentication on a configured aggregation port that meets the requirements of the access authentication protocol, and the access authentication protocol state machine is controlled to perform access authentication on the aggregation port.
  • Configuring the access authentication status of an aggregation port onto all member ports corresponding to that aggregation port thus realises access authentication of the aggregation port through the access authentication state machine and lets the port-level protocols be shared on the device, improving user access security while providing higher bandwidth for user access.
  • In an embodiment, step S204, "controlling the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port", includes the following steps:
  • Step S231: Determine the online and offline status of the corresponding aggregation port according to the online and offline status of the member ports in the aggregation group.
  • The online status of the member ports may be that one port is online or offline, or that several ports are online or offline.
  • The processor of the terminal determines the number of member ports in the aggregation group whose status is online.
  • From that number, it determines whether the corresponding aggregation port goes online or offline.
  • Step S232: Control the access authentication protocol state machine to perform access authentication on the aggregation port according to the online and offline status of the aggregation port, obtaining the access authentication status of the aggregation port.
  • Step S232, "controlling the access authentication protocol state machine to perform access authentication on the aggregation port according to the online and offline status of the aggregation port to obtain the access authentication status of the aggregation port", includes:
  • when the aggregation port is determined to be offline, controlling the access authentication protocol state machine to terminate access authentication on the aggregation port and, at the same time, controlling the access authentication protocol state machine to initialize.
  • In an embodiment, after step S205, "the processor of the terminal configures the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port according to the management port entry",
  • the method also covers the following two cases:
  • Step S241: The processor of the terminal obtains a first-type port identifier and updates the management port entry according to the first-type port identifier.
  • The first-type port identifier is the port identifier of a newly added member port. For example, if the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3, and port 4 is added to the aggregation group,
  • then the port identifier of member port 4 is the first-type port identifier.
  • The processor of the terminal obtains the first-type port identifier and updates the management port entry according to it.
  • Specifically, the aggregation support device looks for the corresponding 802.1X aggregation port (that is, the aggregation port corresponding to the aggregation group that port 4 joins); if no corresponding 802.1X aggregation port can be found, the aggregation support device allocates a new aggregation port.
  • Step S242: Obtain the access authentication status of the first aggregation port according to the first-type port identifier.
  • The first-type port identifier may correspond to one newly added port or to several newly added ports; the first aggregation port is the aggregation port whose member ports include the port with the first-type port identifier.
  • For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3;
  • after port 4 is added, the aggregation group consists of four member ports, port 1, port 2, port 3 and port 4,
  • and the aggregation port corresponding to this aggregation group is the first aggregation port.
  • Step S243: Configure the access authentication status of the first aggregation port onto the member ports of the first aggregation group according to the updated management port entry, where the first aggregation group is the aggregation group corresponding to the first aggregation port.
  • The per-port 802.1X state machine of the newly added member port is placed in a suspended state. The processor of the terminal configures, according to the updated management port entry, the access authentication status of the first aggregation port onto the member ports of the first aggregation group (the aggregation group corresponding to the first aggregation port), and controls the access authentication protocol state machine to abandon per-port access authentication for the member ports of the first aggregation port.
  • Step S244: Obtain a second-type port identifier, where the second-type port identifier is the port identifier of a deleted member port.
  • The second-type port identifier may correspond to one deleted port or to several deleted ports. For example, if the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3, and port 3 is deleted from the aggregation port, the identifier of port 3 is the second-type port identifier.
  • Step S245: Control the access authentication protocol state machine to resume access authentication on the second-type port.
  • The second-type port is the port corresponding to the second-type port identifier. In the example above, where port 3 is deleted from an aggregation port consisting of port 1, port 2 and port 3, port 3 is the second-type port.
  • The processor of the terminal controls the access authentication protocol state machine to resume (per-port) access authentication on the second-type port and, at the same time, determines the number of member ports of the second aggregation port, where the second aggregation port is the aggregation port to which the second-type port belonged before its deletion; according to the number of member ports remaining in that aggregation group, the processor releases the aggregation port that previously corresponded to the second-type port.
  • When the link aggregation state machine deletes a member port from the aggregation group, the method further includes the following steps:
  • Step S246: Determine the number of member ports of the second aggregation port.
  • The second aggregation port is the aggregation port corresponding to the second-type port before the second-type port is deleted.
  • For example, if the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3, and port 3 is deleted from the aggregation port, the second aggregation port is the aggregation port to which port 3 belonged before its deletion (that is, the aggregation port corresponding to the original aggregation group).
  • Step S247: Determine the number of member ports of the third aggregation port according to the second-type port identifier and the number of member ports of the second aggregation port.
  • The third aggregation port is the aggregation port that corresponds to the second aggregation port after the second-type port has been deleted.
  • In the same example, after port 3 is deleted, the member ports in the aggregation group are port 1 and port 2, and the aggregation port corresponding to ports 1 and 2 is the third aggregation port.
  • Step S248: Release the second aggregation port according to the number of member ports of the third aggregation port.
  • Releasing the second aggregation port can be understood as follows: once the second-type port (port 3 in the example) has been deleted from the second aggregation port, the second aggregation port becomes the third aggregation port; the second aggregation port no longer exists, so it no longer needs to be controlled, i.e. it is released.
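The procedure of FIG. 1 (steps S101 to S104) and the online/offline and member-port cases of FIG. 2 (steps S231 to S248) above, modelled as a small control-plane simulation in Python. This is an added example, not code from the patent or from ZTE. The class and method names are invented for illustration, and two rules the text leaves open are assumptions: the aggregation port counts as online once at least one configured member is online, and an aggregation port is released when fewer than two members remain (the minimum step S101 requires). The 802.1X exchange itself is reduced to its result (success or failure) because the patent only describes how that result is mapped onto ports.

```python
from enum import Enum


class AuthState(Enum):
    UNAUTHENTICATED = "unauthenticated"
    AUTHENTICATED = "authenticated"


class AggregationSupport:
    """Three-level management port entry plus the state-propagation rules of the method.
    level1[agg]: configured members (LACP configuration ports); level2[agg]: activated members
    that carry frames (LACP activation ports); level3[agg]: auth state of the aggregation port."""

    def __init__(self, min_online_members=1):
        self.level1, self.level2, self.level3 = {}, {}, {}
        self.port_to_agg = {}       # physical port -> aggregation port it belongs to
        self.member_auth = {}       # state actually pushed down to each physical port
        self.online_ports = set()   # physical ports whose link is up
        self.agg_online = {}        # aggregation port -> True if online
        self.reinit_count = 0       # how often the 802.1X machine was re-initialised
        # Assumption (the text fixes no threshold): online while this many members are online
        self.min_online_members = min_online_members
        self._next_agg = 1

    # S101/S102 (S201-S203): create the group and its three-level management port entry
    def create_group(self, members):
        members = set(members)
        if len(members) < 2:
            raise ValueError("an aggregation group needs at least two ports")
        if members & set(self.port_to_agg):
            raise ValueError("a port may belong to only one aggregation group")
        agg, self._next_agg = self._next_agg, self._next_agg + 1
        self.level1[agg], self.level2[agg] = members, set()
        self.level3[agg] = AuthState.UNAUTHENTICATED
        self.agg_online[agg] = False
        for p in members:
            self.port_to_agg[p] = agg
            self.member_auth[p] = AuthState.UNAUTHENTICATED
        return agg

    def lacp_activate(self, port):
        self.level2[self.port_to_agg[port]].add(port)   # LACP done: enters the second level

    def aggregation_online(self, agg):
        return len(self.level1[agg] & self.online_ports) >= self.min_online_members

    # S104/S205: the aggregation port's state is written to every configured member
    def _set_auth(self, agg, state):
        self.level3[agg] = state
        for p in self.level1[agg]:
            self.member_auth[p] = state

    # S231/S232: on the transition to offline, terminate the authentication and re-initialise
    def _refresh(self, agg):
        was, now = self.agg_online[agg], self.aggregation_online(agg)
        self.agg_online[agg] = now
        if was and not now:
            self.reinit_count += 1
            self._set_auth(agg, AuthState.UNAUTHENTICATED)

    def set_link(self, port, up):
        agg = self.port_to_agg[port]
        if up:
            self.online_ports.add(port)
        else:
            self.online_ports.discard(port)
            self.level2[agg].discard(port)   # a down link cannot stay LACP-active
        self._refresh(agg)

    # S204: EAPOL on a first-level port is relayed via a second-level port to the third-level port
    def authentication_result(self, port, success):
        agg = self.port_to_agg[port]                 # level 1 lookup
        relay = next(iter(self.level2[agg]), None)   # level 2: any activated member
        if relay is None or not self.aggregation_online(agg):
            raise RuntimeError(f"aggregation port {agg} has no activated online member; EAPOL dropped")
        self._set_auth(agg, AuthState.AUTHENTICATED if success else AuthState.UNAUTHENTICATED)
        return relay

    # S241-S243: a new member inherits the aggregation port's state; its own 802.1X run is suspended
    def add_member(self, port, agg):
        if port in self.port_to_agg:
            raise ValueError(f"{port} already belongs to aggregation port {self.port_to_agg[port]}")
        self.level1[agg].add(port)
        self.port_to_agg[port] = agg
        self.member_auth[port] = self.level3[agg]

    # S244-S248: a removed member falls back to per-port authentication; release a collapsed group
    def delete_member(self, port):
        agg = self.port_to_agg.pop(port)
        for table in (self.level1[agg], self.level2[agg], self.online_ports):
            table.discard(port)
        self.member_auth[port] = AuthState.UNAUTHENTICATED   # must re-authenticate on its own
        if len(self.level1[agg]) < 2:   # assumption: release below the S101 minimum of two
            for p in self.level1.pop(agg):
                self.port_to_agg.pop(p)
                self.member_auth[p] = AuthState.UNAUTHENTICATED
            del self.level2[agg], self.level3[agg], self.agg_online[agg]
            return None
        self._refresh(agg)
        return agg
```

Two behaviours are worth checking in a real implementation of this scheme. First, a port that is configured (first level) but never LACP-activated (second level) still inherits the authenticated state of the aggregation port, so the hardware must actually refuse to forward user traffic on a member that LACP has not brought up; otherwise a configured-but-inactive member becomes an authenticated path nobody negotiated. Second, an EAPOL result that arrives while no member is online is dropped rather than applied, because the state machine has been re-initialised and any earlier result no longer belongs to a live aggregation port.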
  • FIG. 3 is a schematic diagram of the composition of the port access authentication device according to an embodiment of the present invention. As shown in FIG. 3,
  • the device includes the following modules: an aggregation support device module 301, an 802.1x state machine module 302, an LACP state machine module 303, a message transceiver module 304, and a port state configuration module 305, where:
  • the aggregation support device module 301 is configured to support the 802.1x protocol and to provide overall port management for the 802.1x protocol.
  • the aggregation support device module 301 sits between the 802.1x state machine module 302, the LACP state machine module 303, and the message transceiver module 304.
  • the port managed by the 802.1x state machine is no longer the actual user port, but an overall port state.
  • the biggest difference between the port managed by the 802.1x state machine and the aggregation port is that the port managed by the 802.1x state machine has an online/offline status and a protocol-controlled authenticated or unauthenticated status, and that status must satisfy the requirements the 802.1x protocol places on a managed port.
  • when the port authentication status controlled by the 802.1x protocol is sent to the aggregation support device, the aggregation support device converts it into the status of each actual port and configures it on that actual port. Whether a link state change of an actual port is reflected in the overall port state is determined, and notified, by the aggregation support device.
  • the 802.1x state machine module 302 is configured to manage the authentication status of the 802.1x-managed port. While unauthenticated, the 802.1x-managed port can still perform LACP protocol interaction, so that the 802.1x protocol and the LACP protocol can be shared on the same device.
  • the LACP state machine module 303 is configured to notify the aggregation support device module 301 to create the second-level port table.
  • the message transceiver module 304 is configured to send and receive 802.1x messages and to trigger a status update when the 802.1x state machine module 302 is running normally.
  • the aggregation support device module 301 is configured to create an aggregation group of ports according to the link configuration information of at least two ports, and to create a three-level management port entry for each aggregation group.
  • FIG. 4 is a schematic structural diagram of the three-level management port entry created according to an embodiment of the present invention. As shown in FIG. 4, the three-level management port entry includes:
  • the first-level management port entry, which indicates an LACP-configured port.
  • the first-level management port entry is a physical port configured in the aggregation group and is responsible for the state management of that port; for example, it controls the port's enabled/disabled state and the interaction of non-protocol user messages.
  • the second-level management port entry, which indicates an LACP-activated port; the second-level management port entry is an activated physical port in the aggregation group and is responsible for sending packets.
  • the third-level management port entry, which indicates the overall port used by 802.1x.
  • the third-level management port entry is the aggregation port on which the access authentication protocol state machine controls access authentication, and it is responsible for running the access authentication protocol state machine (that is, the 802.1x state machine).
  • the port status configuration module 305 is configured to receive a notification message from the aggregation support device module 301 and to configure a status for each port according to the notification message.
  • LACP's management of user ports includes a first case (see FIG. 5A) and a second case (see FIG. 5B), where:
  • Case 1: When LACP newly manages a user port (that is, when the link aggregation state machine adds a member port to the aggregation group), as shown in FIG. 5A, the method can be implemented by the following steps:
  • Step S501: When LACP newly manages a user port, the aggregation support device searches for the 802.1x aggregation port corresponding to that user port.
  • the aggregation support device is controlled by the processor of the terminal, and it searches for the corresponding 802.1x aggregation port according to the first-type port identifier of the newly added user port.
  • Step S502: If there is no 802.1x aggregation port corresponding to the user port, the aggregation support device allocates a new aggregation port to the user port.
  • allocating a new aggregation port to the user port means updating the management port entry according to the first-type port identifier and obtaining the access authentication status of the first aggregation port.
  • Step S503: The aggregation support device notifies the 802.1x state machine to perform access authentication on the new aggregation port.
  • Case 2: When LACP deletes a managed user port, as shown in FIG. 5B, the method can be implemented by the following steps:
  • Step S511: When LACP deletes a managed user port, the aggregation support device obtains its first-type port identifier.
  • Step S512: The aggregation support device deletes the first-type port identifier and its corresponding second-type port identifier, and notifies the 802.1x state machine of the first-type port identifier.
  • Step S513: The 802.1x state machine resumes performing access authentication on the first-level port of the user port.
  • the 802.1x state machine resuming access authentication on the first-level port of the user port can be understood as follows: first, when 802.1x is enabled on a user port (for example, port 1) and LACP is not enabled, the 802.1x state machine performs access authentication on port 1. Second, after LACP is enabled on port 1, the 802.1x state machine no longer performs access authentication on port 1 but on the aggregation port corresponding to port 1, and the 802.1x state machine belonging to port 1 does not run. Finally, when port 1 is deleted from the aggregation port, the 802.1x state machine performs access authentication on port 1 again.
  • the method further includes:
  • first, the aggregation support device receives an 802.1x message and finds the aggregation port corresponding to the second-level port on which the 802.1x message was sent (that is, the aggregation port generated when the LACP protocol activated the port); second, the aggregation support device notifies the 802.1x state machine of the aggregation port found for that second-level port; finally, the 802.1x state machine updates the state of the aggregation port corresponding to the found second-level port.
  • the method further includes:
  • the aggregation support device determines whether there is any first-level user port under the current aggregation port. If there is none, it notifies the 802.1x state machine to release the current aggregation port. For example, when an aggregation group is formed, several ports can join at the same time. When port 2 is added to the aggregation group in which port 1 is located, the first-level user ports in the aggregation group are two: port 1 and port 2. If port 1 is then deleted from the aggregation group, the 802.1x state machine performs access authentication on port 1 and on the third-level port corresponding to the aggregation group; at this point the aggregation port is still in effect. If port 2 is also deleted from the aggregation group, the first-level user ports of the aggregation group no longer contain any actual port, and the aggregation port that was created can now be deleted, releasing it.
  • FIG. 6 is a schematic flowchart of an implementation of modifying the aggregation port state according to an embodiment of the present invention. As shown in FIG. 6, modifying the aggregation port state includes the following steps:
  • Step S601: When the 802.1x state machine needs to modify the state of the aggregation port, the aggregation support device searches for the corresponding first-level user ports.
  • Step S602: The aggregation support device configures the corresponding state on the first-level user ports according to the state of the port managed by the 802.1x state machine.
  • the aggregation support device configuring the corresponding state on the first-level user ports according to the state of the 802.1x-managed port can be understood as the aggregation support device configuring the modified access authentication status of the aggregation group onto the member ports of the aggregation group.
  • FIG. 7 is a schematic flowchart of implementing the online/offline state of the aggregation port according to an embodiment of the present invention. As shown in FIG. 7, determining the online/offline state of the aggregation port includes the following steps:
  • Step S701: The aggregation support device records the online/offline status of the current aggregation port according to the online/offline status of the first-level user ports.
  • the first-level user port may be any member port in the aggregation group; the online/offline status of the current aggregation port is recorded when the state of a first-level user port is the first to come online or the last to go offline.
  • Step S702: The aggregation support device notifies the 802.1x state machine of the current online/offline status of the aggregation port.
  • Step S703: The 802.1x state machine performs access authentication on the aggregation port to obtain the access authentication status of the aggregation port.
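  • The following is an added illustration, not code from the patent or from the applicant: a toy model of the three-level management port entry (FIG. 4) and of the aggregation support device's behaviour when LACP adds or deletes a member port (FIG. 5A/5B), when the 802.1x state machine changes the aggregation port's status (FIG. 6), and when member links come up or go down (FIG. 7). All class and method names (`AggregationSupport`, `AggPort`, `add_member`, `set_auth`, `link_change`, and the `agg1`/`lag1`/`port1` identifiers) are assumptions chosen for the example; the page defines the behaviour, not these names. The notifications list stands in for the messages that would be sent to the 802.1x state machine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

AUTHENTICATED = "authenticated"
UNAUTHENTICATED = "unauthenticated"


@dataclass
class AggPort:
    """One aggregation group and its aggregation port (the third-level entry)."""
    agg_id: str
    members: Set[str] = field(default_factory=set)  # level 1: LACP-configured ports
    active: Set[str] = field(default_factory=set)   # level 2: LACP-activated ports
    auth: str = UNAUTHENTICATED                      # level 3: 802.1x status of the aggregation port
    online: bool = False                             # online/offline status of the aggregation port


class AggregationSupport:
    """Hypothetical model of the 'aggregation support device' (module 301); names are assumed."""

    def __init__(self) -> None:
        self.aggs: Dict[str, AggPort] = {}        # agg_id -> aggregation port entry
        self.group_to_agg: Dict[str, str] = {}    # LACP group id -> agg_id
        self.port_to_agg: Dict[str, str] = {}     # first-type port id -> agg_id
        self.link_up: Dict[str, bool] = {}        # physical link state per port
        self.port_auth: Dict[str, str] = {}       # status configured on each physical port
        self.per_port_8021x: Set[str] = set()     # ports whose own 802.1x state machine runs
        self.notifications: List[str] = []        # what would be sent to the 802.1x state machine
        self._next = 0

    # Case 1 (FIG. 5A): LACP starts managing a user port.
    def add_member(self, port: str, group: str) -> str:
        agg_id = self.group_to_agg.get(group)
        if agg_id is None:                        # step S502: no aggregation port yet, allocate one
            self._next += 1
            agg_id = f"agg{self._next}"
            self.aggs[agg_id] = AggPort(agg_id)
            self.group_to_agg[group] = agg_id
            self.notifications.append(f"manage {agg_id}")  # step S503
        agg = self.aggs[agg_id]
        agg.members.add(port)
        self.port_to_agg[port] = agg_id
        self.per_port_8021x.discard(port)         # the port's own 802.1x state machine is suspended
        self.port_auth[port] = agg.auth           # member inherits the aggregation port's status
        self.link_up.setdefault(port, False)
        return agg_id

    # LACP activates a configured member (creates its second-level entry).
    def activate_member(self, port: str) -> None:
        self.aggs[self.port_to_agg[port]].active.add(port)

    # Case 2 (FIG. 5B): LACP stops managing a user port.
    def remove_member(self, port: str) -> Optional[str]:
        agg_id = self.port_to_agg.pop(port)
        agg = self.aggs[agg_id]
        agg.members.discard(port)                 # step S512: delete first- and second-type ids
        agg.active.discard(port)
        self.per_port_8021x.add(port)             # step S513: the port's own 802.1x resumes
        self.port_auth[port] = UNAUTHENTICATED    # it must authenticate again on its own
        self.notifications.append(f"resume {port}")
        if not agg.members:                       # no first-level port left: release the aggregation port
            del self.aggs[agg_id]
            self.group_to_agg = {g: a for g, a in self.group_to_agg.items() if a != agg_id}
            self.notifications.append(f"release {agg_id}")
            return None
        return agg_id

    # An 802.1x frame arrived on a port: only an active (second-level) port maps to an aggregation port.
    def lookup_agg_for_frame(self, port: str) -> Optional[str]:
        agg_id = self.port_to_agg.get(port)
        if agg_id is None or port not in self.aggs[agg_id].active:
            return None
        return agg_id

    # FIG. 6: the 802.1x state machine changes the aggregation port's status.
    def set_auth(self, agg_id: str, status: str) -> List[str]:
        agg = self.aggs[agg_id]
        agg.auth = status
        for member in agg.members:                # step S602: configure every first-level port
            self.port_auth[member] = status
        return sorted(agg.members)

    # FIG. 7: the aggregation port goes online on the first member up and offline on the last member down.
    def link_change(self, port: str, up: bool) -> Optional[bool]:
        self.link_up[port] = up
        agg_id = self.port_to_agg.get(port)
        if agg_id is None:
            return None
        agg = self.aggs[agg_id]
        now_online = any(self.link_up.get(m, False) for m in agg.members)
        if now_online != agg.online:
            agg.online = now_online
            self.notifications.append(f"{agg_id} {'online' if now_online else 'offline'}")
            return now_online                     # state changed, 802.1x state machine is notified
        return None                               # no change, nothing to notify


if __name__ == "__main__":
    dev = AggregationSupport()
    dev.add_member("port1", "lag1"); dev.add_member("port2", "lag1")
    dev.link_change("port1", True); dev.activate_member("port1")
    dev.set_auth("agg1", AUTHENTICATED)
    dev.remove_member("port1"); dev.remove_member("port2")
    print(dev.notifications)
```

  • The model makes the two security-relevant properties of the scheme visible: the authentication status is decided once for the aggregation port and copied to every first-level member, so a member whose link comes up later inherits the group's status, and a port removed from the group falls back to its own, initially unauthenticated, 802.1x state machine rather than keeping the group's status.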
  • FIG. 8 is a schematic flowchart of an access authentication method for another port according to an embodiment of the present invention. As shown in FIG. 8, the method includes the following steps:
  • Step S801: Create an aggregation group of ports according to the link configuration information of at least two ports.
  • LACP instructs the aggregation support device to create the first-level port entries and at the same time generates the third-level port entry.
  • the 802.1x state machine is notified to manage the aggregation port corresponding to the aggregation group and to suspend the port state machines of the first-level port entries.
  • Step S802: The LACP protocol is enabled, and the LACP state machine notifies the aggregation support device to create the second-level port entries of the aggregation port.
  • Step S803: The aggregation support device searches for the third-level port entry corresponding to the aggregation port according to a first-level port entry.
  • the aggregation support device searches for the third-level port entry corresponding to the first-level port entry that was carried during the 802.1x authentication process.
  • Step S804: The aggregation support device notifies the status update when the 802.1x state machine is running normally.
  • the 802.1x message sent during the 802.1x authentication initiated by the user triggers a status update when the 802.1x state machine is running normally.
  • Step S805: The aggregation support device searches for the third-level port entry corresponding to the 802.1x packet according to that packet, and then searches for the second-level port entry corresponding to the third-level port entry.
  • Step S806: The aggregation support device configures the states of all first-level port entries according to the third-level port entry.
  • the aggregation support device configuring the states of all first-level port entries according to the third-level port entry can be understood as follows: the user completes 802.1x authentication, and the aggregation support device configures the state of the aggregation port onto the current aggregation group.
  • FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • the terminal 900 includes at least a controller 901 and a storage medium 902 configured to store executable instructions, where:
  • the controller 901 is configured to execute the stored executable instructions, and the executable instructions are used to implement the following steps:
  • configuring the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
  • when the above port access authentication method is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention.
  • the foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, or an optical disk, or any other medium that can store program code.
  • an embodiment of the present invention provides a computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions are configured to execute a method for access authentication of a port provided by other embodiments of the present invention.
  • the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk memory, optical memory, etc.) containing computer-usable program code.
  • these computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and that instruction device implements the functions specified in one or more flowchart steps and/or one or more blocks of the block diagrams.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flowchart steps and/or one or more blocks of the block diagrams.

Abstract

Disclosed in the embodiments of the present invention are an access authentication method for a port, a terminal and a storage medium. The method comprises: creating an aggregation group of ports according to link configuration information of at least two ports, where one aggregation group corresponds to one aggregation port; creating a corresponding management port table entry for the aggregation group of ports; acquiring the access authentication state of the aggregation port; and configuring, according to the management port table entry, the access authentication state of the aggregation port onto the member ports corresponding to the aggregation port.

Description

Port access authentication method, terminal and storage medium
This application claims priority from Chinese patent application CN201810603272.9, entitled "A port access authentication method, terminal and storage medium", filed on June 12, 2018, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present invention relate to port authentication technology in the field of communication technology, and relate to, but are not limited to, a port access authentication method, terminal and storage medium.
Background
802.1x, as a simple user access authentication protocol, is widely used in switches; 802.1x controls whether a user can access the network by setting a port to the authenticated or unauthenticated state. The Link Aggregation Control Protocol (LACP) aggregates multiple ports into one aggregation group so that inbound and outbound load is shared among the member ports of the group, providing more reliable, higher-bandwidth access. LACP and 802.1x are both port-level protocols, and on the same device the two cannot simply be superimposed.
For example, in related optical network access technology, an optical line terminal (OLT) may connect to small devices or to optical network units (ONUs). ONUs generally do not support the 802.1x protocol, while small devices connected under the OLT do support 802.1x. In typical networking, an operator enables 802.1x uniformly on the OLT to keep protocol enablement consistent. In that case, when a small device connected under the OLT enables LACP, since 802.1x and LACP are both port-level protocols, the protocols supported by the aggregation port formed through LACP cannot be a simple superposition of the protocols supported by the member ports of that aggregation port; that is, the 802.1x protocol and the LACP protocol cannot be shared on the OLT, so the access authentication state machine cannot perform overall access authentication on the aggregation port.
Summary of the invention
To solve the existing technical problems, embodiments of the present invention provide a port access authentication method, terminal and storage medium.
The technical solution of the embodiments of the present invention is implemented as follows:
An embodiment of the present invention provides a port access authentication method, the method including:
creating an aggregation group of ports according to the link configuration information of at least two ports, where one aggregation group corresponds to one aggregation port;
creating a corresponding management port entry for the aggregation group of ports;
acquiring the access authentication status of the aggregation port;
configuring, according to the management port entry, the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
An embodiment of the present invention provides a port access authentication device, the device including at least a processor and a storage medium configured to store executable instructions, where:
the processor is configured to execute the stored executable instructions, and the executable instructions are configured to perform the port access authentication method described above.
An embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to perform the method for protecting contact data described above; or, the executable instructions are configured to perform the port access authentication method described above.
Embodiments of the present invention provide a port access authentication method, terminal and storage medium, in which an aggregation group of ports is created according to the link configuration information of at least two ports, one aggregation group corresponding to one aggregation port; a corresponding management port entry is created for the aggregation group of ports; the access authentication status of the aggregation port is acquired; and, according to the management port entry, the access authentication status of the aggregation port is configured onto the member ports corresponding to the aggregation port. In this way, by completing the conversion of online status and authentication configuration between the protocol and the user ports, port-level protocols can share the same device, which improves user access security and provides users with higher access bandwidth.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings, which are not necessarily drawn to scale, like reference numerals may describe similar components in different views. Like reference numerals with different letter suffixes may represent different instances of similar components. The drawings illustrate, by way of example and not limitation, the various embodiments discussed herein.
FIG. 1 is a schematic flowchart of implementing port access authentication according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of implementing access authentication of another port according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the composition of a port access authentication device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the three-level management port entry created according to an embodiment of the present invention;
FIG. 5A is a schematic flowchart of implementing the addition of a member port according to an embodiment of the present invention;
FIG. 5B is a schematic flowchart of implementing the deletion of a member port according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of implementing modification of the aggregation port state according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of implementing the online/offline state of the aggregation port according to an embodiment of the present invention;
FIG. 8 is a schematic flowchart of implementing an access authentication method for yet another port according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
具体实施方式detailed description
一般地,链路聚合(Link Aggregation),技术是指将多个物理端口捆绑在一起,以实现出\入流量在各成员端口中的负荷分担,交换机根据用户配置的端口负荷分担策略决定报文从哪一个成员端口发送到对端的交换机,当交换机检测到其中一个成员端口的链路发生故障时,就停止在此成员端口上发送报文,并根究负荷分担策略在剩下的链路中重新计算报文发送端口,故障端口恢复后再次重新计算报文发送端口。链路聚合在增加链路带款、实现链路传输弹性和冗余方面是一项很重要的技术。由于现有技术中接入认证协议状态机不能对通过链路集合得到的聚合端口进行整体的接入认证,因此,在使用聚合端口进行报文传输时存在网络接入安全的问题。Generally, Link Aggregation technology refers to bundling multiple physical ports together to achieve load sharing of inbound and outbound traffic among member ports. The switch determines packets according to the port load sharing policy configured by the user. Which member port is sent to the peer switch. When the switch detects that the link of one of the member ports fails, it stops sending packets on this member port, and reloads the remaining links based on the load sharing strategy. Calculate the message sending port. After the faulty port recovers, recalculate the message sending port again. Link aggregation is a very important technology in terms of increasing link bandwidth and achieving link transmission flexibility and redundancy. Because the state machine of the access authentication protocol in the prior art cannot perform overall access authentication on the aggregated ports obtained through the link set, there is a problem of network access security when the aggregated ports are used for message transmission.
终端中的LACP在状态机可以根据端口的链路配置信息通过LACP协议进行链路汇聚形成对应的聚合组。例如,交换机A需要与交换机B建立2条线路的聚合连接,只需要在交换机A上开启2个端口的LACP,交换机A只需要与交换机B连接即可,交换机A与交换机B之间的2条链路聚合;然后对2条链路进行物理连接即完成了2条链路的汇聚,此时在交换机A上就对应形成了一个包含2个成员端口的聚合组。这里,所述交换机A可以是OLT交换机B可以是连接于OLT的小型设备或连接于OLT的ONU中的其中一个。The LACP state machine in the terminal can perform link aggregation through the LACP protocol according to the link configuration information of the port to form a corresponding aggregation group. For example, switch A needs to establish an aggregation connection of two lines with switch B. It only needs to enable LACP for two ports on switch A. Switch A only needs to connect with switch B. Two switches between switch A and switch B Link aggregation; then physically link the two links to complete the aggregation of the two links. At this time, an aggregation group with two member ports is formed on Switch A. Here, the switch A may be an OLT switch B may be one of a small device connected to the OLT or an ONU connected to the OLT.
基于此,本发明实施例提供了一种端口的接入认证方法,图1为本发明实施例端口的接入认证的实现流程示意图,如图1所示,所述方法包括以下步骤:Based on this, an embodiment of the present invention provides a port access authentication method. FIG. 1 is a schematic diagram of a process for implementing port access authentication according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
步骤S101,根据至少两个端口的链路配置信息创建端口的聚合组。Step S101: Create a port aggregation group according to the link configuration information of at least two ports.
这里,所述至少两个端口中的任一个端口都可以单独支持LACP或802.1x协议。所述根据至少两个端口的链路配置信息创建端口的聚合组,可以是用户根据配置端口的链路配置信息,终端中的链路汇聚控制机系统开启链路汇聚协议,终端中的链路汇聚控制 机系统自动根据用户配置的端口的链路配置信息进行链路汇聚形成对应的聚合组。Here, any one of the at least two ports may separately support LACP or 802.1x protocols. The creating an aggregation group of ports according to the link configuration information of at least two ports may be a user according to the link configuration information of the configured ports, the link aggregation controller system in the terminal starts a link aggregation protocol, and the links in the terminal The aggregation controller system automatically performs link aggregation to form a corresponding aggregation group according to the link configuration information of the port configured by the user.
步骤S102,对所述端口的聚合组创建对应的管理端口表项。Step S102: Create a corresponding management port entry for the port aggregation group.
这里,所述管理端口表项,为三级管理端口表项,其中,第一级管理端口表项,为所述聚合组中配置的物理端口,负责端口的状态管理;第二级管理端口表项,为所述聚合组中被激活的物理端口,负责报文发送;第三级管理端口表项,为接入认证协议状态机控制接入认证的聚合端口,负责接入认证协议状态机的运行。所述管理端口表项用于储存所述聚合组中包括的所有物理端口的端口标识,聚合组中包含的被激活的物理端口的端口标识,以及聚合组对应的聚合端口的端口标识之间的映射关系。Here, the management port entry is a three-level management port entry, wherein the first-level management port entry is a physical port configured in the aggregation group and is responsible for the state management of the port; the second-level management port table Entry is the activated physical port in the aggregation group and is responsible for message sending; the third-level management port entry is the aggregation port that controls access authentication for the access authentication protocol state machine and is responsible for accessing the authentication protocol state machine. run. The management port entry is used to store the port identifiers of all physical ports included in the aggregation group, the port identifiers of the activated physical ports included in the aggregation group, and the port identifiers of the aggregation ports corresponding to the aggregation group. Mapping relations.
所述对所述端口的聚合组创建对应的管理端口表项,可以是终端中的链路汇聚控制机自动根据用户配置的端口的链路配置信息进行链路汇聚形成对应的聚合组,终端的链路汇聚控制机向终端的处理器发送创建管理端口的报文,所述报文中含有所述聚合组中包括的所有物理端口的端口标识,聚合组中包含的被激活的物理端口的端口标识,以及聚合组对应的聚合端口的端口标识;所述终端的处理器根据所述报文创建对应的管理端口表项。The creation of a corresponding management port entry for the aggregation group of the port may be that the link aggregation controller in the terminal automatically performs link aggregation to form a corresponding aggregation group according to the link configuration information of the port configured by the user. The link aggregation controller sends a message to the terminal processor to create a management port. The message contains the port identifiers of all the physical ports included in the aggregation group, and the activated physical port ports included in the aggregation group. The identifier and the port identifier of the aggregation port corresponding to the aggregation group; the processor of the terminal creates a corresponding management port entry according to the message.
步骤S103,获取所述聚合端口的接入认证状态。Step S103: Acquire the access authentication status of the aggregation port.
这里,所述聚合端口的接入认证状态包括,认证状态和非认证状态。Here, the access authentication status of the aggregation port includes an authentication status and a non-authentication status.
所述获取所述聚合端口的接入认证状态,可以是终端的处理接收用户通过物理端口发送的进行接入认证的报文,所述报文中携带发送所述报文的物理端口的端口标识,终端的处理器根据所述物理端口的端口标识在所述管理端口表项中查找所述物理端口对应的聚合端口的端口标识,所述终端的处理器控制对所述聚合端口进行接入认证,所述终端的处理器接收所述聚合端口的接入认证状态。The obtaining the access authentication status of the aggregated port may be a process in which the terminal processes and receives a message sent by a user through a physical port to perform access authentication, and the message carries a port identifier of a physical port that sends the message. The processor of the terminal searches for the port identifier of the aggregation port corresponding to the physical port in the management port entry according to the port identifier of the physical port, and the processor of the terminal controls access authentication to the aggregation port , The processor of the terminal receives the access authentication status of the aggregation port.
Obtaining the access authentication status of the aggregation port may also proceed as follows: a user port of the terminal sends a request for access authentication to the processor of the terminal, the request carrying the port identifier of the user port that sent it; the processor of the terminal determines, according to the request, the port identifier of the aggregation port corresponding to that user port, controls access authentication of the aggregation port, and receives the access authentication status of the aggregation port.
Step S104: According to the management port entry, configure the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
Here, the member ports corresponding to the aggregation port are all of the physical ports in the aggregation group, that is, all physical ports contained in the aggregation group corresponding to the aggregation port.
Configuring the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port according to the management port entry may proceed as follows: after the processor of the terminal receives the access authentication status of the aggregation port, it looks up in the management port entry the physical ports of the aggregation group corresponding to the aggregation port, and configures the access authentication status of the aggregation port onto all physical ports contained in that aggregation group.
In the embodiment of the present invention, an aggregation group of ports is created according to the link configuration information of at least two ports, where each aggregation group corresponds to one aggregation port; a corresponding management port entry is created for the aggregation group; the access authentication status of the aggregation port is obtained; and, according to the management port entry, the access authentication status of the aggregation port is configured onto the member ports corresponding to the aggregation port. In this way, by converting the on-line and authentication configuration between the protocol and the user ports, a port-level protocol can be shared on the same device, which improves the access security of users while also providing them with higher access bandwidth.
An embodiment of the present invention provides a port access authentication method. FIG. 2 is a schematic flowchart of another implementation of port access authentication according to an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
Step S201: Create an aggregation group of ports according to the link configuration information of at least two ports.
Here, the link configuration information of a port includes information such as the link aggregation information, rate and duplex attributes of the port; each aggregation group corresponds to one aggregation port, and the aggregation port has an online/offline status and supports all protocols supported by all member ports in the aggregation group.
Creating the aggregation group of ports according to the link configuration information of at least two ports may proceed as follows: the user configures the link configuration information of the ports, the link aggregation control system in the terminal enables the link aggregation protocol, and the link aggregation control system in the terminal automatically performs link aggregation according to the link configuration information of the ports configured by the user, forming the corresponding aggregation group.
Step S202: Obtain a packet for performing access authentication on the member ports in the aggregation group.
Step S203: Create the management port entry corresponding to the aggregation group of the ports according to the packet.
Here, the management port entry stores the mapping between the port identifiers of all physical ports included in the aggregation group, the port identifiers of the activated physical ports included in the aggregation group, and the port identifier of the aggregation port corresponding to the aggregation group. The management port entry may be a three-level management port entry, where the first-level management port entry is the physical ports configured in the aggregation group and is responsible for the state management of the ports; the second-level management port entry is the activated physical ports in the aggregation group and is responsible for packet transmission; and the third-level management port entry is the aggregation port on which the access authentication protocol state machine controls access authentication, and is responsible for running the access authentication protocol state machine.
Creating the management port entry corresponding to the aggregation group of the ports according to the packet may proceed as follows: the link aggregation controller in the terminal automatically performs link aggregation according to the link configuration information of the ports configured by the user, forming the corresponding aggregation group; the link aggregation controller in the terminal sends a packet to the processor of the terminal, the packet carrying the port identifiers of the member ports in the aggregation group and the port identifier of the aggregation port corresponding to the aggregation group; the processor of the terminal creates a first-level management port entry according to the port identifiers of the member ports in the packet, and creates a first-level management port entry according to the port identifier of the aggregation port in the packet; when the link aggregation protocol is enabled and activates ports, the processor of the terminal creates the corresponding second-level management port entry according to the activated member ports.
Creating the management port entry corresponding to the aggregation group of the ports according to the packet may also proceed as follows: the link aggregation controller in the terminal automatically performs link aggregation according to the link configuration information of the ports configured by the user, forming the corresponding aggregation group; the link aggregation controller in the terminal sends a request to create a management port entry to the processor of the terminal, the request carrying the port identifiers of the member ports in the aggregation group and the port identifier of the aggregation port corresponding to the aggregation group; the processor of the terminal creates a first-level management port entry according to the port identifiers of the member ports in the request and, at the same time, creates the third-level management port entry for the aggregation port corresponding to the member ports in the aggregation group; when the link aggregation protocol is enabled and activates ports, the processor of the terminal creates the corresponding second-level management port entry according to the activated member ports.
Step S204: Control the access authentication protocol state machine to perform access authentication on the aggregation port, obtaining the access authentication status of the aggregation port.
Here, controlling the access authentication protocol state machine to perform access authentication on the aggregation port and obtaining the access authentication status of the aggregation port may proceed as follows: the processor of the terminal receives a packet for access authentication sent by a user, the packet carrying the port identifier of a first-level port corresponding to a first-level management entry; the processor of the terminal looks up the corresponding second-level port in the management port entry according to the port identifier of the first-level port, and sends the access authentication packet through the second-level port to the access authentication state machine, which performs access authentication on the third-level port corresponding to the first-level port.
Obtaining the access authentication status of the aggregation port may proceed as follows: when the access authentication state machine receives the packet, the access authentication protocol state machine is initialized and begins access authentication on the third-level port; at the same time, the result of the access authentication is fed back through the second-level port to the processor of the terminal, and the processor of the terminal receives the access authentication status of the aggregation port.
Step S205: The processor of the terminal configures, according to the management port entry, the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
Here, when the access authentication state machine modifies the access authentication status of the aggregation port, the processor of the terminal receives the modified access authentication status of the aggregation group and configures it onto the member ports of the aggregation group.
In the embodiment of the present invention, the access authentication state machine performs access authentication on a configured aggregation port that meets the requirements of the access authentication protocol; the access authentication protocol state machine is controlled to perform access authentication on the aggregation port, and the access authentication status of the aggregation port is then configured onto all member ports corresponding to the aggregation port. This achieves access authentication of the aggregation port through the access authentication state machine and allows a port-level protocol to be shared on the same device, improving the access security of users while providing higher bandwidth for user access.
In other embodiments, step S203, namely "controlling the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port", includes the following steps:
Step S231: Determine the online/offline status of the corresponding aggregation port according to the online/offline status of the member ports in the aggregation group.
Here, the online/offline status of the member ports may be the status of a single port or the status of multiple ports. The processor of the terminal determines the number of member ports in the aggregation group whose status is online.
If the number of member ports in the aggregation group whose status is online is greater than 0, the status of the corresponding aggregation port is determined to be online; if all member ports in the aggregation group are offline, the status of the corresponding aggregation port is determined to be offline.
Step S232: Control the access authentication protocol state machine to perform access authentication on the aggregation port according to the online/offline status of the aggregation port, obtaining the access authentication status of the aggregation port.
Here, step S232, namely "controlling the access authentication protocol state machine to perform access authentication on the aggregation port according to the online/offline status of the aggregation port to obtain the access authentication status of the aggregation port", includes:
when the aggregation port is determined to be online, controlling the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port;
when the aggregation port is determined to be offline, controlling the access authentication protocol state machine to terminate access authentication on the aggregation port and, at the same time, to initialize.
In other embodiments, after step S204, namely "the processor of the terminal configures, according to the management port entry, the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port", the method further includes the following two cases:
First case: when the link aggregation state machine adds a member port to the aggregation group, this may be implemented by the following steps:
Step S241: The processor of the terminal obtains a first-type port identifier and updates the management port entry according to the first-type port identifier.
Here, the first-type port identifier includes the port identifier of the newly added member port. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; when a new member port, port 4, joins the aggregation group, the port identifier of port 4 is the first-type port identifier. Step S241, in which the processor of the terminal obtains the first-type port identifier and updates the management port entry according to it, can be understood as follows: the aggregation support device looks up the corresponding 802.1x aggregation port (i.e. the aggregation port corresponding to the aggregation group that port 4 joins) according to the first-type port identifier of the newly added user port (i.e. the identifier of port 4); if no corresponding 802.1x aggregation port is found, the aggregation support device allocates a new aggregation port for that user port.
Step S242: Obtain the access authentication status of a first aggregation port according to the first-type port identifier.
Here, the first-type port identifier may correspond to one newly added port or to multiple newly added ports; the first aggregation port is the aggregation port corresponding to the member port having the first-type port identifier. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; when a new member port, port 4, joins the aggregation group, the aggregation group then includes four member ports, port 1, port 2, port 3 and port 4, and the aggregation port corresponding to this aggregation group is the first aggregation port.
Step S243: According to the updated management port entry, configure the access authentication status of the first aggregation port onto the member ports of a first aggregation group, the first aggregation group being the aggregation group corresponding to the first aggregation port.
Here, when the access authentication status of the first aggregation port is configured onto the member ports of the first aggregation group, the 802.1x state machine corresponding to that aggregation port is placed in a suspended state; the processor of the terminal configures, according to the updated management port entry, the access authentication status of the first aggregation port onto the member ports of the first aggregation group, the first aggregation group being the aggregation group corresponding to the first aggregation port, and at the same time controls the access authentication protocol state machine to stop performing access authentication on the member ports of the first aggregation port.
Second case: when the link aggregation state machine deletes a member port from the aggregation group, this may be implemented by the following steps:
Step S244: Obtain a second-type port identifier, the second-type port identifier including the port identifier of the deleted member port.
Here, the second-type port identifier may correspond to one deleted port or to multiple deleted ports. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; if port 3 is deleted from the aggregation port, the identifier of port 3 is the second-type port identifier.
Step S245: Control the access authentication protocol state machine to resume access authentication on the second-type port.
Here, the second-type port is the port having the second-type port identifier. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; if port 3 is deleted from the aggregation port, port 3 is the second-type port. The processor of the terminal controls the access authentication protocol state machine to resume access authentication on the second-type port and, at the same time, determines the number of member ports of a second aggregation port, the second aggregation port being the aggregation port that corresponds to the former aggregation port of the second-type port after the second-type port has been deleted; according to the number of member ports in the second aggregation group, the aggregation port corresponding to the former aggregation group of the second-type port is released.
In other embodiments, when the link aggregation state machine deletes a member port from the aggregation group, the method further includes the following steps:
Step S246: Determine the number of member ports of the second aggregation port.
Here, the second aggregation port is the aggregation port to which the second-type port corresponded before the second-type port was deleted. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; if port 3 is deleted from the aggregation port, the second aggregation port is the aggregation port to which port 3 corresponded before it was deleted (i.e. the aggregation port corresponding to the original aggregation group).
Step S247: Determine the number of member ports of a third aggregation port according to the second-type port identifier and the number of member ports of the second aggregation port.
Here, the third aggregation port is the aggregation port corresponding to the second aggregation port after the second-type port has been deleted from it. For example, the aggregation port corresponding to the original aggregation group consists of three member ports, port 1, port 2 and port 3; if port 3 is deleted from the aggregation port, the members of the aggregation group after the deletion are port 1 and port 2, and the aggregation port corresponding to port 1 and port 2 is the third aggregation port.
Step S248: Release the second aggregation port according to the number of member ports of the third aggregation port.
Here, releasing the second aggregation port can be understood as follows: since the second-type port (for example, port 3) has been deleted from the second aggregation port, the second aggregation port has become the third aggregation port, that is, the second aggregation port no longer exists, so there is no longer any need to control it, and it is therefore released.
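The following Python model is an added example, not the applicant's code, and all class and method names are this example's own. It ties together the three-level management port entry of step S203, the online/offline rule and state-machine control of steps S231 and S232, the status propagation of steps S104 and S205, and the member add/remove handling of steps S241 to S248, so that the release of the aggregation port once the last member leaves can be traced in code. The authentication outcome is passed in as a parameter, standing in for the result the real 802.1x exchange would produce.

```python
"""Model of the three-level management port entry and the aggregation support
device described in this section (added example, not the applicant's code).
Level 1: physical ports configured in the group (state management).
Level 2: LACP-activated ports (packet transmission).
Level 3: the aggregation port on which the 802.1x state machine runs.
All class and method names are this example's own."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Auth(Enum):
    INIT = "initialized"          # state machine reset, no authentication in progress
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"


@dataclass
class PhysicalPort:
    port_id: int
    online: bool = True
    auth: Auth = Auth.INIT
    agg_id: int | None = None        # aggregation port this member belongs to, if any
    machine_suspended: bool = False  # per-port 802.1x machine parked while LACP owns the port


@dataclass
class AggregationPort:
    agg_id: int
    level1: dict[int, PhysicalPort] = field(default_factory=dict)  # configured members
    level2: set[int] = field(default_factory=set)                  # LACP-activated members
    auth: Auth = Auth.INIT                                          # level-3 802.1x state
    online: bool = False


class AggregationSupport:
    """Sits between the LACP and 802.1x state machines, as module 301 does."""

    def __init__(self) -> None:
        self.aggs: dict[int, AggregationPort] = {}
        self.ports: dict[int, PhysicalPort] = {}
        self._next_agg = 1

    # S231: the aggregation port is online iff at least one member is online
    @staticmethod
    def aggregate_online(agg: AggregationPort) -> bool:
        return sum(1 for p in agg.level1.values() if p.online) > 0

    # S104 / S205 / S601-S602: push the level-3 state onto every level-1 member
    @staticmethod
    def propagate(agg: AggregationPort) -> None:
        for p in agg.level1.values():
            p.auth = agg.auth

    # S232: drive the 802.1x machine from the aggregate link state
    def run_auth(self, agg: AggregationPort, outcome: Auth) -> Auth:
        """`outcome` stands in for the result the real 802.1x exchange would yield."""
        agg.online = self.aggregate_online(agg)
        agg.auth = outcome if agg.online else Auth.INIT  # offline: terminate and re-init
        self.propagate(agg)
        return agg.auth

    # S701: report only the first-online / last-offline transitions of the aggregate
    def link_change(self, agg: AggregationPort, port_id: int, online: bool) -> bool:
        agg.level1[port_id].online = online
        was, agg.online = agg.online, self.aggregate_online(agg)
        return was != agg.online

    # S241-S243 / S501-S503: LACP starts managing a user port
    def add_member(self, port: PhysicalPort, agg_id: int | None = None) -> AggregationPort:
        if agg_id is None or agg_id not in self.aggs:   # S502: no matching aggregate port
            agg_id, self._next_agg = self._next_agg, self._next_agg + 1
            self.aggs[agg_id] = AggregationPort(agg_id)
        agg = self.aggs[agg_id]
        agg.level1[port.port_id] = port                 # first-level entry
        self.ports[port.port_id] = port
        port.agg_id = agg_id
        port.machine_suspended = True                   # the member's own machine stops
        port.auth = agg.auth                            # it inherits the aggregate's state
        agg.online = self.aggregate_online(agg)
        return agg

    # LACP activation creates the second-level entry used for packet transmission
    def activate(self, port_id: int) -> None:
        self.aggs[self.ports[port_id].agg_id].level2.add(port_id)

    # S244-S248 / S511-S513: LACP stops managing a user port
    def remove_member(self, port_id: int) -> AggregationPort | None:
        port = self.ports.pop(port_id)
        agg = self.aggs[port.agg_id]
        del agg.level1[port_id]                         # drop level-1 and level-2 entries
        agg.level2.discard(port_id)
        port.agg_id = None
        port.machine_suspended = False                  # S245: own 802.1x machine resumes
        port.auth = Auth.INIT
        if not agg.level1:                              # S248: no members left, release
            del self.aggs[agg.agg_id]
            return None
        agg.online = self.aggregate_online(agg)
        return agg
```

Running the ports 1 to 4 scenario from the text through this model shows that a member joining an authorized aggregation port inherits its status without a fresh 802.1x exchange, and that the aggregation port is released only when its last first-level member is removed.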
An embodiment of the present invention provides a port access authentication method (the operations in the embodiments of the present invention are all based on the 802.1x protocol). FIG. 3 is a schematic diagram of the composition of a port access authentication device according to an embodiment of the present invention. As shown in FIG. 3, the device includes four modules: an aggregation support device module 301, an 802.1x state machine module 302, an LACP state machine module 303, a packet transceiver module 304 and a port status configuration module 305, where:
The aggregation support device module 301 is configured to support the 802.1x protocol and to provide overall port management for it. The aggregation support device module 301 sits between the 802.1x state machine module 302, the LACP state machine module 303 and the packet transceiver module 304.
In the aggregation support device module 301, the port managed by the 802.1x state machine is no longer an actual user port but an overall port state. The main difference between the port managed by the 802.1x state machine and the aggregation port is that the port managed by the 802.1x state machine has an online/offline status and a protocol-controlled authenticated/unauthenticated status, and must meet the requirements that the 802.1x protocol places on a managed port.
When the port authentication status controlled by the 802.1x protocol is delivered to the aggregation support device, the aggregation support device converts it into the status of each actual port and configures it onto the actual ports. Whether a link status change of an actual port is reflected in the overall port status is determined, and notified, by the aggregation support device.
The 802.1x state machine module 302 is configured to manage the authentication status of the 802.1x management port. While unauthenticated, the 802.1x management port can still carry out LACP protocol interaction, so that the 802.1x protocol and the LACP protocol are shared on the same device.
The LACP state machine module 303 is configured to notify the aggregation support device module 301 to create the level-2 port table.
The packet transceiver module 304 is configured to send and receive 802.1x packets and to trigger the status updates of the 802.1x state machine module 302 during normal operation.
The aggregation support device module 301 is configured to create an aggregation group of ports according to the link configuration information of at least two ports and, for each aggregation group, to create a three-level management port entry. FIG. 4 is a schematic structural diagram of the three-level management port entry created according to an embodiment of the present invention. As shown in FIG. 4, the three-level management port entry includes:
First-level management port entry: represents the LACP-configured ports. The first-level management port entry is the physical ports configured in the aggregation group and is responsible for the state management of the ports; for example, it controls the enabled/disabled state of the ports and the exchange of user (non-protocol) packets.
Second-level management port entry: represents the LACP-activated ports. The second-level management port entry is the activated physical ports in the aggregation group and is responsible for packet transmission.
Third-level management port entry: represents the overall port used by 802.1x. The third-level management port entry is the aggregation port on which the access authentication protocol state machine controls access authentication, and is responsible for running the access authentication protocol state machine (i.e. the 802.1x state machine).
The port status configuration module 305 is configured to receive notification messages from the aggregation support device module 301 and to configure the status of each port according to the notification message.
In the course of implementing the port access authentication method, LACP management of user ports covers a first case (see FIG. 5A) and a second case (see FIG. 5B), where:
First case: when LACP newly takes over management of a user port (i.e. when the link aggregation state machine adds a member port to the aggregation group), as shown in FIG. 5A, the method may be implemented by the following steps:
Step S501: When LACP newly takes over management of a user port, the aggregation support device looks up the 802.1x aggregation port corresponding to that user port.
Here, the aggregation support device is controlled by the processor of the terminal, and looks up the corresponding 802.1x aggregation port according to the first-type port identifier of the newly added user port.
Step S502: If there is no 802.1x aggregation port corresponding to the user port, the aggregation support device allocates a new aggregation port for the user port.
Here, allocating a new aggregation port for the user port means updating the management port entry according to the first-type port identifier and obtaining the authentication status of the first aggregation port.
Step S503: The aggregation support device notifies the 802.1x state machine to perform access authentication on the new aggregation port.
Second case: when LACP removes a user port from its management, as shown in FIG. 5B, the method may be implemented by the following steps:
Step S511: When LACP removes a user port from its management, the aggregation support device obtains the first-type port identifier.
Step S512: The aggregation support device deletes the first-type port identifier and its corresponding second-type port identifier, and notifies the 802.1x state machine of the first-type port identifier.
Step S513: The 802.1x state machine resumes access authentication on the first-level port of the user port.
Here, the 802.1x state machine resuming access authentication on the first-level port of the user port can be understood as follows: first, when a user port (for example, port 1) has the 802.1x protocol enabled but LACP not enabled, the 802.1x state machine performs access authentication on port 1; next, after LACP is enabled on port 1, the 802.1x state machine no longer performs access authentication on port 1 but on the aggregation port corresponding to port 1, and the 802.1x state machine corresponding to port 1 does not run; finally, when port 1 is deleted from the aggregation port, the 802.1x state machine performs access authentication on port 1 again.
In other embodiments, after a new aggregation port has been allocated for the user port, the method further includes:
First, the aggregation support device receives an 802.1x packet and looks up the aggregation port corresponding to the second-level port that sent it (i.e. the aggregation port generated when the LACP protocol activated the port); next, the aggregation support device notifies the 802.1x state machine of the aggregation port found for that second-level port; finally, the 802.1x state machine updates the status of the aggregation port corresponding to the found second-level port.
In other embodiments, after step S513, in which the 802.1x state machine resumes level-1 port management of the user port, the method further includes:
The aggregation support device determines whether any first-level user port remains under the current aggregation port; if none remains, it notifies the 802.1x state machine to release the current aggregation port. For example, several ports may join an aggregation group at the same time. When port 2 joins the aggregation group in which port 1 is located, the first-level user ports in that aggregation group are two, port 1 and port 2. If port 1 is then deleted from the aggregation group, the 802.1x state machine performs access authentication on port 1 and on the third-level port corresponding to the aggregation group, and the aggregation port remains in effect. If port 2 is also deleted from the aggregation group, the first-level user ports of the aggregation group no longer contain any actual port, and the aggregation port can then be deleted, the purpose being to release the aggregation port that was created.
图6为本发明实施例修改聚合端口状态的实现流程示意图,如图6所示,所述修改聚合端口状态包括以下步骤:FIG. 6 is a schematic flowchart of an implementation of modifying an aggregate port state according to an embodiment of the present invention. As shown in FIG. 6, the modifying the aggregate port state includes the following steps:
步骤S601,当802.1x状态机需要修改聚合端口状态时,由聚合支持装置查找对应的第一级用户端口。Step S601: When the 802.1x state machine needs to modify the state of the aggregation port, the aggregation support device searches for the corresponding first-level user port.
步骤S602,聚合支持装置根据802.1x状态机管理端口状态为所述第一级用户端口配置对应的状态。Step S602: The aggregation support device configures a corresponding state for the first-level user port according to the 802.1x state machine management port state.
这里,所述聚合支持装置根据802.1x状态机管理端口状态为所述第一级用户端口配置对应的状态,可以理解为:聚合支持装置将修改后的所述聚合组的接入认证状态配置到所述聚合组的成员端口上。Here, the aggregation support device configures the corresponding state for the first-level user port according to the 802.1x state machine management port status. It can be understood that the aggregation support device configures the modified access authentication status of the aggregation group to On the member ports of the aggregation group.
图7为本发明实施例聚合端口上下线状态的实现流程示意图,如图7所示,所述聚合端口上下线状态包括以下步骤:FIG. 7 is a schematic flowchart of implementing an online state of an aggregate port according to an embodiment of the present invention. As shown in FIG. 7, the online state of the aggregate port includes the following steps:
步骤S701,聚合支持装置根据第一级用户端口上下线状态,记录当前聚合端口的上下线状态。In step S701, the aggregation support device records the online and offline status of the current aggregation port according to the online and offline status of the first-level user port.
这里,所述第一级用户端口可以为聚合组中任意的成员端口;当该第一级用户端口的状态是该第一级用户端口中第一个上线的状态或最后一个下线的状态时,记录当前聚合端口的上下线状态。Here, the first-level user port may be any member port in the aggregation group; when the state of the first-level user port is the first online state or the last offline state of the first-level user port To record the online and offline status of the current aggregation port.
步骤S702,聚合支持装置将记录的当前聚合端口的上下线状态,通知给802.1x状态机。In step S702, the aggregation support device notifies the 802.1x state machine of the current online and offline status of the aggregated port.
步骤S703,802.1x状态机对所述聚合端口进行接入认证,得到所述聚合端口的接入认证状态。Step S703: The 802.1x state machine performs access authentication on the aggregation port to obtain the access authentication status of the aggregation port.
图8为本发明实施例再一端口的接入认证方法实现流程示意图,如图8所示,所述方法包括以下步骤:FIG. 8 is a schematic flowchart of an access authentication method for another port according to an embodiment of the present invention. As shown in FIG. 8, the method includes the following steps:
步骤S801,根据至少两个端口的链路配置信息创建端口的聚合组。Step S801: Create an aggregation group of ports according to the link configuration information of at least two ports.
这里,所述创建端口的聚合组,由LACP通知聚合支持装置创建第一级端口表项,并同时生成第三级端口表项。此时通知802.1x状态机管理所述聚合组对应的聚合端口并将所述第一级端口表项的端口状态机挂起。Here, in the aggregation group for creating a port, LACP instructs the aggregation support device to create a first-level port entry, and simultaneously generates a third-level port entry. At this time, the 802.1x state machine is notified to manage the aggregation port corresponding to the aggregation group and suspend the port state machine of the first-level port entry.
步骤S802,启用LACP协议,由LACP状态机通知聚合支持装置创建该聚合端口的第二级端口表项。In step S802, the LACP protocol is enabled, and the LACP state machine notifies the aggregation support device to create a second-level port entry of the aggregation port.
步骤S803,聚合支持装置根据第一级端口表项查找该聚合端口对应的第三级端口表项。Step S803: The aggregation support device searches for a third-level port entry corresponding to the aggregation port according to the first-level port entry.
这里,当用户发起802.1x认证时,聚合支持装置根据802.1x认证过程中发送的第一级端口表项,查找该第一级端口表项对应的第三级端口表项。Here, when the user initiates 802.1x authentication, the aggregation support device searches for a third-level port entry corresponding to the first-level port entry according to the first-level port entry sent during the 802.1x authentication process.
步骤S804,聚合支持装置通知802.1x状态机正常运行时的状态更新。In step S804, the aggregation support device notifies the status update when the 802.1x state machine runs normally.
这里,由用户发起802.1x认证的过程中发送的802.1x报文,触发802.1x状态机正常运行时的状态更新。Here, the 802.1x message sent during the 802.1x authentication initiated by the user triggers a status update when the 802.1x state machine is running normally.
步骤S805,聚合支持装置根据802.1x报文查找802.1x报文对应的第三级端口表项,再根据第三级端口表项查找对应第二级端口表项。Step S805: The aggregation support device searches for a third-level port entry corresponding to the 802.1x packet according to the 802.1x packet, and then searches for a second-level port entry corresponding to the third-level port entry.
步骤S806,聚合支持装置根据第三级端口表项配置所有第一级端口表项的状态。Step S806: The aggregation support device configures the states of all the first-level port entries according to the third-level port entries.
这里,所述,聚合支持装置根据第三级端口表项配置所有第一级端口表项的状态,可以理解为,用户完成802.1x认证,聚合支持装置为当前的聚合组配置聚合端口状态。Here, the aggregation support device configures the state of all the first-level port entries according to the third-level port entry. It can be understood that the user completes 802.1x authentication, and the aggregation support device configures the state of the aggregation port for the current aggregation group.
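To make the three-level bookkeeping concrete, here is an added Python model of the aggregation support device (example code, not code from the patent or its applicant): it derives the aggregate's online/offline state from its members (Fig. 7, claims 5 and 6), writes the 802.1x result for the aggregate onto every member (Fig. 6, step S806), maps an arriving packet's port to its aggregate (step S805), and handles members joining and leaving, including releasing an emptied aggregation port (claims 7 to 10). All class, method and state names are assumptions.

```python
from dataclasses import dataclass, field
UP, DOWN = "up", "down"
AUTHED, UNAUTHED = "authenticated", "unauthenticated"

@dataclass
class MemberPort:
    """First-level entry: a physical port configured into the group."""
    port_id: str
    link: str = DOWN
    auth: str = UNAUTHED
    suspended: bool = False  # own 802.1x port state machine parked while aggregated

@dataclass
class AggregationPort:
    """Third-level entry: the logical port the 802.1x state machine authenticates."""
    agg_id: str
    members: dict = field(default_factory=dict)
    link: str = DOWN
    auth: str = UNAUTHED

class AggregationSupport:
    """Hypothetical aggregation support device; all names here are assumptions."""

    def __init__(self):
        self.groups = {}  # agg_id -> AggregationPort
        self.events = []  # notifications that would go to the 802.1x state machine

    def create_group(self, agg_id, port_ids):
        """Step S801: a group needs at least two ports; the aggregate is handed to 802.1x."""
        if len(port_ids) < 2:
            raise ValueError("an aggregation group needs at least two ports")
        self.groups[agg_id] = AggregationPort(agg_id)
        for pid in port_ids:
            self.add_member(agg_id, pid)
        self.events.append(("manage", agg_id))
        return self.groups[agg_id]

    def add_member(self, agg_id, port_id):
        """Claims 7/8: a joining port inherits the group's auth status; its own 802.1x is abandoned."""
        agg = self.groups[agg_id]
        agg.members[port_id] = MemberPort(port_id, auth=agg.auth, suspended=True)
        return agg.members[port_id]

    def remove_member(self, agg_id, port_id):
        """Claims 9/10: the leaving port is authenticated on its own again; an empty group is released."""
        agg = self.groups[agg_id]
        member = agg.members.pop(port_id)
        member.suspended, member.auth = False, UNAUTHED  # must re-authenticate as a plain port
        self.events.append(("resume_port_auth", port_id))
        self._refresh_link(agg)
        if not agg.members:
            del self.groups[agg_id]
            self.events.append(("release", agg_id))
        return member

    def lookup_aggregate(self, port_id):
        """Step S805: map a packet's arrival port to its aggregate (None: not aggregated)."""
        return next((a for a, g in self.groups.items() if port_id in g.members), None)

    def set_member_link(self, agg_id, port_id, state):
        """Fig. 7 / claim 5: the aggregate is up iff at least one member is up."""
        self.groups[agg_id].members[port_id].link = state
        self._refresh_link(self.groups[agg_id])

    def _refresh_link(self, agg):
        up_count = sum(1 for m in agg.members.values() if m.link == UP)
        new_state = UP if up_count > 0 else DOWN
        if new_state == agg.link:
            return
        agg.link = new_state
        if new_state == UP:
            self.events.append(("agg_up", agg.agg_id))  # 802.1x starts authenticating
        else:
            # Claim 6: terminate authentication and re-initialise; push the reset to the
            # members so none keeps a stale "authenticated" status after the link drops.
            agg.auth = UNAUTHED
            self._propagate(agg)
            self.events.append(("agg_down", agg.agg_id))

    def set_aggregate_auth(self, agg_id, auth):
        """Fig. 6 / step S806: the 802.1x result for the aggregate is written to every member."""
        agg = self.groups[agg_id]
        if agg.link == DOWN:
            raise RuntimeError("cannot authenticate an offline aggregation port")
        agg.auth = auth
        self._propagate(agg)

    def _propagate(self, agg):
        for member in agg.members.values():
            member.auth = agg.auth
```

The important defensive detail is in `_refresh_link`: when the last member goes down, the aggregate's status is reset and propagated, so no member port keeps an authenticated status that the state machine no longer vouches for.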
本发明实施例提供一种端口的接入认证的终端,图9为本发明实施例所述终端的组成结构示意图,如图9所示,所述终端900至少包括:控制器901和配置为存储可执行指令的存储介质902,其中:An embodiment of the present invention provides a terminal for port access authentication. FIG. 9 is a schematic structural diagram of a terminal according to an embodiment of the present invention. As shown in FIG. 9, the terminal 900 includes at least a controller 901 and a storage device configured to store the terminal. Executable instruction storage medium 902, where:
控制器901配置为执行存储的可执行指令,所述可执行指令用于实现下面的步骤:The controller 901 is configured to execute stored executable instructions, where the executable instructions are used to implement the following steps:
根据至少两个端口的链路配置信息创建端口的聚合组;其中,一个所述聚合组对应一个聚合端口;Create an aggregation group of ports according to the link configuration information of at least two ports; wherein one of the aggregation groups corresponds to one aggregation port;
对所述端口的聚合组创建对应的管理端口表项;Creating a corresponding management port entry for the port aggregation group;
获取所述聚合端口的接入认证状态;Acquiring the access authentication status of the aggregation port;
根据所述管理端口表项,将所述聚合端口的接入认证状态配置到所述聚合端口对应的成员端口上。According to the management port entry, the access authentication status of the aggregation port is configured to a member port corresponding to the aggregation port.
需要说明的是,本发明实施例中,如果以软件功能模块的形式实现上述的端口的接入认证方法,并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明实施例的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机、服务器、或者网络设备等)执行本发明各个实施例所述方法的全部或部分。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read Only Memory,ROM)、磁碟或者光盘等各种可以存储程序代码的介质。这样,本发明实施例不限制于任何特定的硬件和软件结合。It should be noted that, in the embodiment of the present invention, if the above-mentioned port access authentication method is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. . Based on such an understanding, the technical solution of the embodiments of the present invention that is essentially or contributes to the existing technology can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for A computer device (which may be a personal computer, a server, or a network device) is caused to execute all or part of the methods described in the embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (Read Only Memory, ROM), a magnetic disk, or an optical disk, which can store program codes. In this way, the embodiments of the present invention are not limited to any specific combination of hardware and software.
对应地,本发明实施例提供一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令配置为执行本发明其他实施例提供的端口的接入认证方法。Correspondingly, an embodiment of the present invention provides a computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions are configured to execute a method for access authentication of a port provided by other embodiments of the present invention.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk memory, optical memory, etc.) containing computer-usable program code.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程 序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的设备。The present invention is described with reference to flowcharts and / or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and / or block in the flowcharts and / or block diagrams, and combinations of processes and / or blocks in the flowcharts and / or block diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, so that instructions generated by the processor of the computer or other programmable data processing device may be used to A device for implementing the functions specified in one or more flowcharts and / or one or more blocks of the block diagrams.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令设备的制造品,该指令设备实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner such that the instructions stored in the computer-readable memory produce a manufactured article including the instruction device, the instructions The device implements the functions specified in one or more flowcharts and / or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of steps can be performed on the computer or other programmable device to produce a computer-implemented process, which can be executed on the computer or other programmable device. The instructions provide steps for implementing the functions specified in one or more flowcharts and / or one or more blocks of the block diagrams.
以上所述,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。The above description is only the preferred embodiments of the present invention, and is not intended to limit the protection scope of the present invention.

Claims (13)

  1. A port access authentication method, wherein the method includes:
    creating an aggregation group of ports according to the link configuration information of at least two ports, where one aggregation group corresponds to one aggregation port;
    creating a corresponding management port entry for the aggregation group of ports;
    acquiring the access authentication status of the aggregation port;
    configuring, according to the management port entry, the access authentication status of the aggregation port onto the member ports corresponding to the aggregation port.
  2. The method according to claim 1, wherein acquiring the access authentication status of the aggregation port includes:
    controlling an access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port.
  3. The method according to claim 1, wherein creating the corresponding management port entry for the aggregation group of ports includes:
    acquiring a packet with which a member port in the aggregation group performs access authentication;
    creating the management port entry corresponding to the aggregation group of ports according to the packet.
  4. The method according to claim 2, wherein performing access authentication on the aggregation port by means of the access authentication protocol state machine to obtain the access authentication status of the aggregation port includes:
    determining the online/offline state of the corresponding aggregation port according to the online/offline states of the member ports in the aggregation group;
    controlling, according to the online/offline state of the aggregation port, the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port.
  5. The method according to claim 4, wherein determining the online/offline state of the corresponding aggregation port according to the online/offline states of the member ports in the aggregation group includes:
    if the online/offline states of all member ports in the aggregation group are offline, determining that the online/offline state of the corresponding aggregation port is offline;
    or,
    acquiring the number of member ports in the aggregation group whose online/offline state is online; if the number of member ports in the aggregation group whose online/offline state is online is greater than 0, determining that the online/offline state of the corresponding aggregation port is online.
  6. The method according to claim 4, wherein controlling, according to the online/offline state of the aggregation port, the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port includes:
    when it is determined that the online/offline state of the aggregation port is online, controlling the access authentication protocol state machine to perform access authentication on the aggregation port to obtain the access authentication status of the aggregation port;
    when it is determined that the online/offline state of the aggregation port is offline, controlling the access authentication protocol state machine to terminate access authentication on the aggregation port and, at the same time, controlling the access authentication protocol state machine to initialise.
  7. The method according to claim 1, wherein the method further includes:
    acquiring a first-type port identifier and updating the management port entry according to the first-type port identifier, where the first-type port identifier includes the port identifier of a newly added member port;
    acquiring the access authentication status of a first aggregation port according to the first-type port identifier, where the first aggregation port is the aggregation port corresponding to the member port having the first-type port identifier;
    configuring, according to the updated management port entry, the access authentication status of the first aggregation port onto the member ports of a first aggregation group, where the first aggregation group is the aggregation group corresponding to the first aggregation port.
  8. The method according to claim 7, wherein the method further includes:
    controlling, according to the port identifier of the newly added member port and the updated management port entry, the access authentication protocol state machine to abandon access authentication of the member ports in the first aggregation port.
  9. The method according to claim 1, wherein the method further includes:
    acquiring a second-type port identifier, where the second-type port identifier includes the port identifier of a deleted member port;
    controlling the access authentication protocol state machine to resume access authentication on a second-type port, where the second-type port is the port corresponding to the second-type port identifier.
  10. The method according to claim 9, wherein the method further includes:
    determining the number of member ports of a second aggregation port, where the second aggregation port is the aggregation port to which the second-type port corresponded before the second-type port was deleted;
    determining the number of member ports of a third aggregation port according to the second-type port identifier and the number of member ports of the second aggregation port, where the third aggregation port is the aggregation port corresponding after the second-type port has been deleted from the second aggregation port;
    releasing the second aggregation port according to the number of member ports of the third aggregation port.
  11. The method according to any one of claims 1, 3, 8 and 9, wherein the management port entry is a three-level management port entry, in which the first-level management port entry is a physical port configured in the aggregation group and is responsible for the port's state management; the second-level management port entry is an activated physical port in the aggregation group and is responsible for packet transmission; and the third-level management port entry is the aggregation port on which the access authentication protocol state machine controls access authentication and is responsible for running the access authentication protocol state machine.
  12. A terminal for port access authentication, wherein the terminal includes at least a processor and a storage medium configured to store executable instructions, wherein:
    the processor is configured to execute the stored executable instructions, and the executable instructions are configured to execute the port access authentication method provided by any one of claims 1 to 11 above.
  13. A computer-readable storage medium, wherein computer-executable instructions are stored in the computer-readable storage medium, and the computer-executable instructions are configured to execute the port access authentication method provided by any one of claims 1 to 11 above.
PCT/CN2019/090547 2018-06-12 2019-06-10 Access authentication method for port, terminal, and storage medium WO2019238006A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810603272.9 2018-06-12
CN201810603272.9A CN110602022A (en) 2018-06-12 2018-06-12 Access authentication method of port, terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2019238006A1 true WO2019238006A1 (en) 2019-12-19

Family

ID=68842734

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/090547 WO2019238006A1 (en) 2018-06-12 2019-06-10 Access authentication method for port, terminal, and storage medium

Country Status (2)

Country Link
CN (1) CN110602022A (en)
WO (1) WO2019238006A1 (en)


Legal Events

Code | Title / Description | Details
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19818746; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 16/04/2021)
122 | Ep: pct application non-entry in european phase | Ref document number: 19818746; Country of ref document: EP; Kind code of ref document: A1