Method and device of lateral traffic isolation between terminals in intranet

Abstract

The invention provides a method and a device of lateral traffic isolation between terminals in an intranet. The method includes: when access equipment receives an ARP message, determining whether lateral isolation-operation is carried out on the ARP message according to a pre-stored horizontal-isolation strategy, wherein the horizontal-isolation operation includes at least one part of the following parts: discarding the ARP message sent by a terminal, sending an ARP response message to the terminal of the ARP request message for replying with a gateway MAC address, and modifying a destinationMAC address of the gratuitous ARP message, which is sent by the terminal, as the gateway MAC address and sending the same to gateway equipment; and if the gateway equipment receives the message, determining, by the gateway equipment according to the pre-stored horizontal-isolation strategy, whether the horizontal-isolation operation is carried out on the message. Therefore, isolation of horizontaltraffic between the terminals in the intranet is realized, a shared environment of the intranet is broken, and wide-range propagation of viruses in the intranet is reduced or even avoided; and operation of configuring different VLANs (Virtual Local Area Networks) for all terminals does not need to be carried out, and configuring operation simplification is facilitated.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a method and device for isolating horizontal traffic between terminals in an intranet. Background technique [0002] Since the traditional enterprise intranet is a shared network, in this shared network, mutual access between terminals under the same VLAN (Virtual Local Area Network, Virtual Local Area Network) is not controlled, thus preventing the spread of viruses or other attacks Provides great convenience. Once an intranet security incident occurs, it will be impossible to locate and control the source of the attack in the first place. [0003] Therefore, in order to solve the potential safety hazards of the intranet, the traditional solution is to assign different VLANs and related IP subnets to each user terminal, thereby linking each user terminal from the second layer in the network architecture through VLAN to Isolated to prevent any malicious behavior and Et...

AI Technical Summary

Problems solved by technology

[0004] 1) Since the number of VLAN resources available to the switch is limited, if a VLAN is allocated to each terminal, the number of accessible terminals is limited and cannot meet the access requirements of more terminals;

[0005] 2) The topology of each relevant Spanning Tree of each VLAN needs to be managed, and STP (Spanning Tree Protocol, Spanning Tree Protocol) is relatively complicated, and each IP subnet needs to be configured with a corresponding default gateway, resulting in more complex management;

[0006] 3) Due to the need to allocate relevant IP subnets for each terminal, the division of IP subnets will inevitably cause some waste of IP addresses, which will easily lead to a shortage of IP addresses

Images