Network domain isolation device and method based on SDN (software defined network)

Abstract

The invention relates to a network domain isolation device based on an SDN (software defined network), and is applied to an SDN controller. The network domain isolation device comprises an isolation domain management unit, a message receiving unit and a data processing unit, wherein the isolation domain management unit builds a network domain list according to user requirements; the message receiving unit receives data messages received and transmitted by an SDN switch, and records a target MAC (media access control) address in the data messages and a port, for receiving the data messages, of the SDN switch; the data processing unit finds whether a port matched with the target MAC address exists in an MAC address and port relationship list; if the port matched with the target MAC address exists in the MAC address and port relationship list, whether the port matched with the target MAC address and the port, for receiving the data messages, of the SDN switch exist in the same network domain in the network domain list or not is judged; if the port matched with the target MAC address and the port, for receiving the data messages, of the SDN switch exist in the same network domain in the network domain list, a forwarding flow table is generated and issued according to the port matched with the target MAC address. The invention also provides a network domain isolation method based on the SDN. The network message broadcasting range can be controlled, and meanwhile, the flexibility and the security of the network are improved.

Description

technical field [0001] The present invention relates to the field of network communication, in particular, an SDN-based network domain isolation device and method. Background technique [0002] Network domain isolation refers to the division of two or more computers or networks into independent areas, and can isolate harmful, different security levels, different types, and different purpose network domains to ensure that data information is trusted Perform secure interaction and resource sharing in the network, and control the broadcast range of broadcast messages. The current network domain isolation methods mainly include: access control technology, which is generally an access control instruction applied to the interface of a router or a layer-3 switch. These instructions are used to tell the router which data packets can be received and which data packets need to be rejected. As for whether the data packet is received or rejected, it can be determined by specific indica...

AI Technical Summary

Problems solved by technology

However, the current network domain isolation method has the disadvantages of complex configuration and inflexibility. That is, if the above two technologies realize the general network isolation function, they must be used in conjunction with each other on the access device and aggregation device (usually a layer-3 switch). For configuration, the configuration is complex and error-prone, or in special scenarios, such as the situation where isolation is required between networks in the same VLAN, isolation between the same network segments, etc., it is difficult to achieve with the above method

Images