Implementation method and equipment of one-way access control

An access control technology and implementation method, applied in the field of network management, that addresses the problems of complex configuration, poor adaptability to network development, and the inability to actively initiate external access, and achieves the effect of simplifying deployment and configuration.

Inactive Publication Date: 2013-04-03
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

The existing one-way access control method mainly addresses the above-mentioned security risks by restricting the servers in the shared VPN so that they only provide external services and cannot actively initiate external access.
[0006] However, the prior-art one-way access control method requires the prefix information corresponding to the shared VPN, such as all network segment addresses contained in the shared VPN, to be manually configured on the PE connected to the departmental VPN. When the shared VPN contains a large number of network segment addresses, this configuration becomes very complicated.
Moreover, when the network addresses of the shared VPN change, the PE must be reconfigured or modified, so the method cannot adapt well to the development of the network.

Embodiment Construction

[0022] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

[0023] In practical applications, the security level of departmental VPNs is generally required to be relatively high, while the security level of shared VPNs is slightly lower than that of departmental VPNs. A firewall is deployed in bypass mode on the PE side of the MPLS backbone network connected to the VPN with the relatively high security level, which obviously increases maintenance costs. The embodiment of the present invention analyzes the PE structure and the VPN characteristics of the MPLS backbone network and proposes the process shown in Figure 3. The central idea is to give the PE connected to the VPN with the relatively high security level the function of one-way access control. For details, see Figure 3.

[0...

Abstract

The embodiment of the invention provides an implementation method and equipment for one-way access control. The method is used in a network comprising a first VPN (virtual private network) and a second VPN, where the security level of the first VPN is higher than that of the second VPN. An ASPF (application specific packet filter) function is configured in advance on the PE (provider edge) connected to the first VPN, and at least one group attribute value used to identify routes of the second VPN is designated as the group attribute value of controlled routes. The method comprises the following steps: A, the PE learns route information and, when the learned route information contains a designated group attribute value, automatically stores the prefix information contained in that route information; and B, when the PE receives a data message and the ASPF function is currently enabled, the PE performs forwarding control on the data message according to the information carried by the received data message and the stored prefix information. The invention simplifies configuration while addressing the information security risk, and adapts to network development.
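Steps A and B of the abstract, modelled as an added example that is not taken from the patent or from any H3C implementation. Assumptions: the group attribute value is represented as a community-style string, the forwarding rule is a stateful check that lets the second VPN send only replies to flows opened from the first VPN, traffic is forwarded without control when ASPF is off, and all class names, addresses and values are constructed.

```python
import ipaddress

class OneWayPE:
    """Toy model of the PE connected to the first (higher-security) VPN."""

    def __init__(self, designated_values, aspf_enabled=True):
        self.designated = set(designated_values)  # values marking controlled routes
        self.aspf_enabled = aspf_enabled
        self.controlled = set()   # prefixes stored automatically in step A
        self.sessions = set()     # flows opened from the first VPN (assumed state)

    def learn_route(self, prefix, group_values):
        """Step A: store the prefix only if the route carries a designated value."""
        if self.designated & set(group_values):
            self.controlled.add(ipaddress.ip_network(prefix))
            return True
        return False

    def withdraw_route(self, prefix):
        """An address change in the second VPN needs no manual edit on the PE."""
        self.controlled.discard(ipaddress.ip_network(prefix))

    def _is_controlled(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.controlled)

    def forward(self, src, sport, dst, dport, proto="tcp"):
        """Step B: decide 'forward' or 'drop' from packet fields and stored prefixes."""
        if not self.aspf_enabled:
            return "forward"                  # assumed: no control when ASPF is off
        if self._is_controlled(src):          # packet comes from the second VPN
            reply_to = (proto, dst, dport, src, sport)
            return "forward" if reply_to in self.sessions else "drop"
        if self._is_controlled(dst):          # first VPN opens a flow outward
            self.sessions.add((proto, src, sport, dst, dport))
        return "forward"

if __name__ == "__main__":
    pe = OneWayPE({"65000:100"})                       # constructed designated value
    pe.learn_route("10.20.0.0/16", ["65000:100"])      # constructed second-VPN route
    print(pe.forward("10.20.1.5", 80, "192.168.1.10", 40000))  # unsolicited
    print(pe.forward("192.168.1.10", 40000, "10.20.1.5", 80))  # opened from first VPN
    print(pe.forward("10.20.1.5", 80, "192.168.1.10", 40000))  # reply to that flow
```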

Description

Technical field

[0001] The invention relates to network management technology, in particular to a method and equipment for realizing one-way access control.

Background technique

[0002] To meet the need for isolation between different departments in a large cross-regional enterprise, together with the need for some terminals or servers to communicate with each other, the existing technology proposes multi-protocol label switching (MPLS: Multi-Protocol Label Switching) virtual private network (VPN: Virtual Private Network) technology. Different departments are planned into different VPNs, which realizes mutual isolation between departments; a shared VPN is planned independently, and the servers used for collaborative business in each department are placed in the shared VPN. The routes of the shared VPN and the departmental VPNs are then imported into each other, and the mutual visits between the departments can be realized through th...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L12/46, H04L12/715
Inventor: 宋渊
Owner: NEW H3C TECH CO LTD