Port based network access control method

A port-based network access control technology, applied in the field of network communication, which addresses the problems that existing schemes cannot prevent malicious attacks launched by users, cannot obtain a source IP address for frames that carry none, and cannot stop a specific MAC address from sending and receiving packets. It thereby prevents users in arrears from attacking the network, prevents unauthorised roaming access, and prevents theft of other people's technical data.

Active Publication Date: 2005-01-19
HUAWEI TECH CO LTD
Cites: 0 | Cited by: 49

AI Technical Summary

Problems solved by technology

[0009] 4. Support for a broadcast-forwarding switch: the port is configured to refuse to forward frames whose destination address is the broadcast address, in order to prevent Smurf attacks. A Smurf attack is a network-level attack: the attacker sends a large number of ICMP echo (ping) requests to the network's broadcast address, all with the victim's IP address forged as the source, so that every host on the network answers them and sends echo replies to the victim, congesting the network. Note that dropping broadcast frames at a user's access port stops that user from acting as the initiator of such an attack; it does not by itself protect a victim from reflected traffic that originates elsewhere.
[0010] The prior art described above does serve network access control to some extent, but in practice none of these methods meets all the requirements of network access control, so the prior art still has the following disadvantages:
[0015] This scheme supports binding of IP address, MAC address and VLAN ID, but it cannot handle the case where the same user on the same port uses several VLAN IDs. For example, a user on a given port may belong to several companies or several project teams; since different companies or project teams generally use different VLAN IDs, that user legitimately sends frames carrying different VLAN IDs. If the VLAN ID is bound together with the IP address and MAC address, such a user cannot be guaranteed normal use of the network.
Moreover, this scheme applies only to frames that carry an IP address (IP packets and ARP packets). For frames without an IP address (such as protocol frames) the source IP address cannot be obtained, so such frames are dropped.
In addition, its configuration is inflexible and its processing is uniform, so it cannot meet the needs of different customers: if a customer requires binding of the source MAC address only, this scheme cannot provide it.
[0016] It is also apparent from the description above that the prior art cannot prevent malicious attacks launched by users, including attack packets sent from legitimate source MAC addresses, and in particular attack packets directed at a server; if these are not controlled effectively, the server can no longer provide its services normally, causing great losses to users and network operators. Nor can the existing technology stop a specific MAC address from sending and receiving packets: for example, when a user in arrears must be prevented from continuing to send and receive data, the existing technology cannot restrict that user's traffic.



Embodiment Construction

[0078] The core idea of the present invention is to perform network access control according to the source address information and destination address information of the frames passing through a port of the network access device, thereby safeguarding the network. That is, the network access device binds the MAC address, IP address or VLAN ID of the user connected to the network through a port to that port, and at the same time controls and manages the forwarding and processing of each frame according to its destination MAC address, which provides an effective safeguard for network security.
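As an added illustration of the binding and destination-based controls described in [0009], [0015]-[0016] and [0078], the filter below is example code written for this page, not the patent's own implementation; the class, its field names, the per-window server budget and the constructed sample frames are all assumptions. It binds source MAC, IP and VLAN IDs to a port with each binding optional, lets a frame with no IP header pass the IP check instead of being dropped, lets one user hold several VLAN IDs, bars a specific source MAC (an account in arrears), drops broadcast frames when the port's broadcast switch is set, and caps the frames a port may send to a protected server per window:

```python
# Added example: a port-based access-control filter modelled on the patent's idea.
# Class, field names, the budget window and all sample frames are assumptions for this page.
from dataclasses import dataclass, field
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set means multicast; broadcast also has it set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    port: int
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None     # 802.1Q tag, None if untagged
    src_ip: Optional[str] = None   # None when there is no IP header (e.g. STP BPDU)


@dataclass
class PortPolicy:
    bound_macs: set = field(default_factory=set)    # empty = no MAC binding; each binding is optional
    bound_ips: set = field(default_factory=set)     # empty = no IP binding
    bound_vlans: set = field(default_factory=set)   # empty = any VLAN; one user may hold several
    pvid: Optional[int] = None                      # VLAN assigned to untagged frames
    blocked_macs: set = field(default_factory=set)  # sources barred outright, e.g. an account in arrears
    drop_broadcast: bool = False                    # the broadcast-forwarding switch against Smurf
    drop_multicast: bool = False
    server_macs: set = field(default_factory=set)   # destinations protected by a per-window budget
    server_budget: int = 0                          # frames per window per port; 0 = unlimited


class PortAccessController:
    def __init__(self) -> None:
        self.policies: dict[int, PortPolicy] = {}
        self._server_counts: dict[tuple[int, str], int] = {}

    def configure(self, port: int, policy: PortPolicy) -> None:
        self.policies[port] = policy

    def new_window(self) -> None:
        """A real device would call this from a timer; it resets the server budgets."""
        self._server_counts.clear()

    def decide(self, f: Frame) -> tuple[str, str]:
        """Return ('forward' | 'drop', reason): source bindings first, then destination controls."""
        p = self.policies.get(f.port)
        if p is None:
            return "drop", "no policy for port (default deny)"
        if f.src_mac in p.blocked_macs:
            return "drop", "source MAC barred on this port"
        if p.bound_macs and f.src_mac not in p.bound_macs:
            return "drop", "source MAC not bound to this port"
        # Frames with no IP header skip the IP check rather than being dropped.
        if p.bound_ips and f.src_ip is not None and f.src_ip not in p.bound_ips:
            return "drop", "source IP not bound to this port"
        vlan = f.vlan if f.vlan is not None else p.pvid
        if p.bound_vlans and vlan not in p.bound_vlans:
            return "drop", "VLAN ID not permitted on this port"
        if f.dst_mac == BROADCAST_MAC:
            if p.drop_broadcast:
                return "drop", "broadcast forwarding disabled on this port"
        elif is_multicast(f.dst_mac) and p.drop_multicast:
            return "drop", "multicast forwarding disabled on this port"
        if f.dst_mac in p.server_macs and p.server_budget > 0:
            key = (f.port, f.dst_mac)
            self._server_counts[key] = self._server_counts.get(key, 0) + 1
            if self._server_counts[key] > p.server_budget:
                return "drop", "per-window budget to server exceeded"
        return "forward", "ok"


def run_demo() -> list:
    """Constructed traffic (not captured data) through one configured port; returns the verdicts."""
    ctl = PortAccessController()
    user, spoof, arrears = "00:11:22:33:44:55", "00:11:22:33:44:99", "00:11:22:33:44:66"
    srv = "00:aa:bb:cc:dd:01"
    ctl.configure(3, PortPolicy(bound_macs={user}, bound_ips={"10.0.0.7"}, bound_vlans={10, 20}, pvid=10,
                                blocked_macs={arrears}, drop_broadcast=True, server_macs={srv}, server_budget=2))
    frames = [
        Frame(3, user, srv, vlan=10, src_ip="10.0.0.7"),            # forward
        Frame(3, user, srv, vlan=20, src_ip="10.0.0.7"),            # forward: second VLAN of the same user
        Frame(3, user, srv, vlan=10, src_ip="10.0.0.7"),            # drop: third frame to the server this window
        Frame(3, user, "01:80:c2:00:00:00"),                        # forward: untagged STP BPDU, no IP header
        Frame(3, user, BROADCAST_MAC, vlan=10, src_ip="10.0.0.7"),  # drop: broadcast switch
        Frame(3, spoof, srv, vlan=10, src_ip="10.0.0.7"),           # drop: forged source MAC
        Frame(3, user, srv, vlan=10, src_ip="10.0.0.8"),            # drop: forged source IP
        Frame(3, user, srv, vlan=30, src_ip="10.0.0.7"),            # drop: VLAN not bound
        Frame(3, arrears, srv, vlan=10, src_ip="10.0.0.9"),         # drop: barred MAC
        Frame(4, user, srv, vlan=10, src_ip="10.0.0.7"),            # drop: port 4 has no policy
    ]
    return [ctl.decide(f)[0] for f in frames]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The source checks run before the destination checks so that a forged source never consumes the server budget, and an unconfigured port is denied by default. The per-window counter stands in for the hardware rate limiter a real access switch would use; it is the simplest stand-in that shows the server-directed control the abstract describes.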

[0079] Specific embodiments of the present invention are now described with reference to the accompanying drawings. First, referring to Fig. 1, the method of the present invention comprises the following steps:

[0080] Step 11: according to the address informat...



Abstract

The invention relates to a network access control method based on a port of a network access device: according to the address information of a message, the processing mode for messages passing through the network access device is configured; the address information of each message is obtained, and the message is processed according to the obtained address information and the corresponding configuration. The method binds the user's source MAC address and source IP address to the corresponding port, and binds the VLAN IDs supported by the switch to the members of each VLAN, thus effectively preventing an illegal user who forges a source MAC address, source IP address or VLAN ID from maliciously accessing or attacking the network. It also restricts messages entering the network through the port of the network access device according to their destination address, including access control of broadcast messages, unicast messages, multicast messages, messages sent to a server and messages with a specific destination MAC address, and so effectively prevents a legal user from attacking the network by forging certain destination MAC addresses.

Description

Technical field [0001] The invention relates to the technical field of network communication, in particular to a port-based network access control method. Background technique [0002] With the development of network communication technology, Ethernet has become widely used in people's lives. The network brings great convenience to people's work and life, especially in large and medium-sized enterprise networks, which greatly facilitate information exchange among an enterprise's internal users and between internal and external users. [0003] In an enterprise network, if the Ethernet switch through which the user accesses the network provides no security protection, then the user can reach devices and resources on the Internet as soon as the user is connected to the switch, and the TCP/IP (Transmission Control Protocol / Internet Protocol) suite on which the Internet is built itself lacks security ...


Application Information

IPC(8): H04L9/00, H04L12/24, H04L12/26, H04L29/02
Inventors: 夏世长, 陈华彬, 李中华, 谭锐, 马敬兴
Owner HUAWEI TECH CO LTD