Address allocation method, apparatus, device, and storage medium

By assigning different port labels to terminals with the same IP address in the core switch of the campus self-organizing network, the problem of IP address conflict was solved, enabling normal access and stable connection of terminals, and improving the compatibility and network security of the core switch.

CN118075235BActive Publication Date: 2026-07-03RUIJIE NETWORKS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
RUIJIE NETWORKS CO LTD
Filing Date
2023-10-11
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In the self-organizing network of the park, multiple terminals have the same IP address, which causes IP address conflicts, resulting in some terminals being unable to access the network or having unstable connections.

Method used

The IP address conflict problem can be resolved by determining the port label of the terminal in the core switch and assigning different IP addresses to the terminal according to the port label.

Benefits of technology

The compatibility of the core switch has been improved, ensuring that all terminals can access the network normally and maintain a stable network connection, preventing wired loop problems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN118075235B_ABST
    Figure CN118075235B_ABST
Patent Text Reader

Abstract

The application provides an address allocation method, device, equipment and storage medium. The method comprises the following steps: determining the identity of a first terminal accessing a first access switch, wherein the first access switch accesses a core switch; including a first IP address of the first terminal in the identity, and determining a first port label corresponding to the first terminal in the case that the first IP address of the first terminal conflicts with an IP address of a second terminal having accessed the core switch; allocating a second IP address for the first terminal according to the first port label of the first terminal; wherein the first port label comprises a first access port label corresponding to an access port of the first terminal connecting the first access switch. The method of the application solves the problem that a terminal cannot access an ad hoc network due to IP conflict, and improves the compatibility of the ad hoc network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of communication technology, and in particular to an address allocation method, apparatus, device and storage medium. Background Technology

[0002] A campus self-organizing network is a network built by optimizing the campus network based on a wireless self-organizing network. A campus self-organizing network can connect to multiple terminals, and multiple terminals can interact with each other and access the data in the campus self-organizing network.

[0003] When multiple terminals with the same Internet Protocol (IP) address access the campus self-organizing network, IP address conflicts may cause one terminal to be unable to access the campus self-organizing network, or the connection to the campus self-organizing network may be unstable after the terminal accesses the campus self-organizing network. Summary of the Invention

[0004] This application provides an address allocation method, apparatus, device, and storage medium to solve the technical problem that when terminals with the same IP address access a self-organizing network, IP address conflicts may cause one terminal to be unable to access the self-organizing network, or the connection of the terminal after accessing the self-organizing network may be unstable.

[0005] In a first aspect, this application provides an address allocation method, which is applied to a core switch, and the method includes:

[0006] Determine the identity of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch;

[0007] If the identity identifier includes the first IP address of the first terminal, and the first IP address of the first terminal conflicts with the IP address of the second terminal already connected to the core switch, then the first port label corresponding to the first terminal is determined.

[0008] A second IP address is assigned to the first terminal based on the first port label of the first terminal; wherein, the first port label includes: the first access port label corresponding to the access port of the first terminal connected to the first access switch.

[0009] The step of allocating a second IP address to the first terminal based on the first port label of the first terminal includes:

[0010] If the first port label of the first terminal is different from the second port label of the second terminal, a second IP address shall be assigned to the first terminal.

[0011] The second port label includes: the second access port label corresponding to the access port of the second terminal connected to the second access switch, and the second access switch is connected to the core switch.

[0012] An aggregation switch is included between the core switch and the first access switch, and each port of the aggregation switch is configured with an aggregation port label.

[0013] Determining the first port tag corresponding to the first terminal includes:

[0014] The first port label is determined based on the aggregation port label of the aggregation switch and the first access port label.

[0015] In one possible implementation, the method further includes:

[0016] Determine the permissions of the first terminal based on its identity identifier;

[0017] Control the first terminal according to its permissions.

[0018] Determining the permissions of the first terminal includes:

[0019] If the first terminal is not accessing the core switch for the first time, the permissions corresponding to the first terminal's previous access to the core switch shall be assigned to the first terminal.

[0020] After determining the permissions of the first terminal, the method further includes:

[0021] The security detection of the first terminal is performed based on the behavioral profile of the first terminal to obtain the security detection result;

[0022] Update the permissions of the first terminal based on the security detection results.

[0023] The method further includes:

[0024] Obtain the service traffic of the first terminal within a first time period;

[0025] The behavioral profile of the first terminal is obtained based on the business traffic.

[0026] The security detection results include normal and abnormal, and updating the permissions of the first terminal using the security detection results includes:

[0027] If the security detection result is abnormal, the data interaction between the first terminal and other terminals in the self-organizing network will be interrupted.

[0028] In one possible implementation, the method further includes:

[0029] If the first IP address is not included in the identity identifier, an IP address is assigned to the terminal.

[0030] Secondly, this application provides an address allocation device applied to a core switch, wherein the core switch corresponds to at least one access switch, and the device includes:

[0031] The identity acquisition module is used to determine the identity identifier of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch;

[0032] The tag acquisition module is used to determine the first port tag corresponding to the first terminal when the identity identifier includes the first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of the second terminal that has been connected to the core switch.

[0033] The address allocation module is used to allocate a second IP address to the first terminal based on the first port label of the first terminal; wherein, the first port label includes: the first access port label corresponding to the access port of the first terminal connected to the first access switch.

[0034] Thirdly, this application provides a core switch, including: a processor, and a memory communicatively connected to the processor;

[0035] The memory stores computer-executed instructions;

[0036] The processor executes computer execution instructions stored in the memory to implement the method as described in any of the first aspects.

[0037] Fourthly, this application provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the method as described in any of the first aspects.

[0038] The address allocation method provided in this application determines the identity identifier of a first terminal accessing a first access switch. This identity identifier includes the first terminal's first IP address. If the first terminal's first IP address conflicts with the IP address of a second terminal already connected to the core switch, the method determines the first port label corresponding to the first terminal and allocates a second IP address to the first terminal based on this first port label. The core switch can configure a second IP address for a first terminal with an IP address conflict using the first port label, resolving the problem of a first terminal being unable to access the core switch due to IP conflicts and improving the core switch's compatibility. Attached Figure Description

[0039] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0040] Figure 1 This is a schematic diagram of a campus self-organizing network model in an example embodiment of this application;

[0041] Figure 2 This is a flowchart of an address allocation method in an example embodiment of this application;

[0042] Figure 3 This is a flowchart of another address allocation method in the example implementation of this application;

[0043] Figure 4 This is a structural diagram of a port configuration in an example embodiment of this application;

[0044] Figure 5 This is a flowchart illustrating the control of a first terminal in an example embodiment of this application;

[0045] Figure 6 This is a flowchart illustrating an example embodiment of updating permissions on a first terminal in this application.

[0046] Figure 7 This is a flowchart of another address allocation method in the example implementation of this application;

[0047] Figure 8 This is a schematic diagram illustrating the composition of the address allocation device in an exemplary embodiment of this application;

[0048] Figure 9 This is a schematic diagram of a core switch that can be applied to embodiments of this application.

[0049] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments. Detailed Implementation

[0050] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0051] A mobile ad hoc network (MAN) is a type of mobile computer network that combines mobile communication and computer networks. It consists of several to dozens of nodes, employing wireless communication, and is a dynamically networked, multi-hop, mobile peer-to-peer network. Information exchange in the network uses packet switching mechanisms similar to those in computer networks. User terminals are portable and can move freely within the network while maintaining communication. Each user terminal in a MAN functions as both a router and a host. As a host, the terminal needs to run various user-facing applications, such as editors and browsers; as a router, the terminal needs to run appropriate routing protocols and perform data packet forwarding and route maintenance based on routing policies and routing tables. Therefore, nodes are required to implement suitable routing protocols.

[0052] The advantages of mobile ad hoc networks are that they can quickly find accurate and available routing information and adapt to rapid changes in network topology. They also reduce the additional latency and control information for maintaining routes when terminals are introduced, and can adapt to changes in network topology and the addition or removal of devices.

[0053] The advantages of mobile ad hoc networks can be applied to campus networks, thus constructing a campus ad hoc network. However, multiple devices in a campus network can be connected via wired or wireless connections. That is, the constructed campus ad hoc network includes not only wireless ad hoc networks but also wired ad hoc networks. In wired ad hoc networks, the lines are relatively fixed, and there is no port isolation between the ports of different switches. Ports on the same switch can directly exchange data. Loop problems may occur between wired lines, leading to abnormal data exchange. Furthermore, if terminals access the network via static IP addresses, two terminals with the same IP address may access the network, resulting in Internet Protocol (IP) address conflicts. If devices with the same Media Access Control Address (MAC) are accessed through different switches, MAC address conflicts may occur, preventing some terminals from accessing the ad hoc network normally. The aforementioned loops between wired lines refer to multiple lines forming a closed loop.

[0054] In related technologies, ad hoc network solutions mainly focus on two areas: wireless ad hoc networks (i.e., mobile ad hoc networks) and IoT ad hoc networks. Compared to wired networks, wireless terminals can freely choose which devices to connect to, thus forming a wireless ad hoc network. Furthermore, the IP addresses of devices accessing the wireless network are dynamically assigned, eliminating issues such as loops and IP address conflicts. However, wireless networks can only form wireless ad hoc networks and cannot be directly applied to wired ad hoc networks to solve the problems of IP address conflicts and loops in wired lines. IoT ad hoc networks typically involve many single functions, such as refrigerator temperature control and television power on / off, without complex large-scale business requirements. Software implementation is relatively simple. Multiple terminals in an IoT network usually connect wirelessly, and there is no data exchange between the multiple connected terminals. Moreover, the IP addresses of the terminals in an IoT network are dynamically assigned, eliminating IP address conflicts and loops in wired lines. Therefore, IoT ad hoc network solutions cannot be directly applied to complete campus ad hoc networks.

[0055] Therefore, ad hoc network virtualization is adopted to solve the above problems. Ad hoc network virtualization refers to using SDN technology to achieve software control over the deployment and maintenance of all services within the ad hoc network. Ad hoc network virtualization uses a core device to centrally control other devices in the ad hoc network. Data transmission is controlled by the core device, and other devices cannot directly interact with each other. It can control the data transmission path in wired lines, thus avoiding wired loop problems. However, it still cannot solve the problem of Internet Protocol (IP) address conflicts caused by multiple terminals accessing the network via static IP addresses, and the occurrence of two terminals with the same IP address accessing the network.

[0056] Figure 1 This is a schematic diagram of the self-organizing network model of the campus network in this application, as shown below. Figure 1 As shown, a typical campus network self-organizing model is a three-layer network: the first layer consists of access switches, the second layer of aggregation switches, and the third layer of core switches. The campus network self-organizing model includes both wired and wireless self-organizing network components. For the wired self-organizing network, the first layer consists of access switches, which have terminal access ports for connecting terminals via wired connections. The second layer can be aggregation switches, connecting multiple access switches to an aggregation switch, which aggregates the lines. The third layer can be core switches, connecting multiple aggregation switches. In a wired self-organizing network, service configuration and line connections are strongly coupled; modifying service configuration requires modifying the wiring configuration.

[0057] For wireless ad hoc networks, the first layer can be access switches, typically wireless access points (APs), used to connect terminals, which connect wirelessly to these APs. The second layer can be aggregation switches, generally access controllers (ACs), used to connect multiple wireless access points. The third layer can be a core switch, used to connect multiple of the aforementioned access controllers. The core switch in the above wireless ad hoc network is the same as the core switch in the wired ad hoc network, used to provide a local area network for devices accessing the ad hoc network.

[0058] In related technologies, when two terminals with the same IP address access the network, a conflict can occur because the core switch cannot distinguish between the two IP addresses. This conflict can manifest as two identical IP addresses being unable to access the core switch, or simultaneous access leading to network instability.

[0059] In this application, when two terminals with the same IP address are connected simultaneously, since the two terminals access the network through two different access ports, the core switch can identify that the two terminals with the same IP address are different terminals by distinguishing the access ports, and configure different IPs for them to avoid the technical problem of IP conflict.

[0060] The technical solution of this application will be described in detail below through specific embodiments. It should be noted that different embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.

[0061] like Figure 1 As shown, the self-organizing network in this application refers to the aforementioned campus network self-organizing network. The self-organizing network described below also refers to the aforementioned campus network self-organizing network. The self-organizing network includes a core switch and at least one access switch, with each access switch including at least one access port. In one possible implementation, at least one aggregation switch may also be included between the access switch and the core switch. The specific structure of the self-organizing network has been described in detail above, and therefore will not be repeated here.

[0062] The address allocation method in this application is applied to the core switch. Figure 2 This is a flowchart illustrating an address allocation method in an example embodiment of this application. Figure 2 As shown, the method includes:

[0063] S210, determine the identity of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch.

[0064] In this example implementation, the identity identifier of the first terminal can be customized according to user needs. For example, the identity identifier may include at least one of the following: the IP address of the first terminal, the MAC address of the first terminal, an administrator identifier, and a regular user identifier. The identity identifier may also include other information, which is not specifically limited in this example implementation.

[0065] S220, if the identity identifier includes the first IP address of the first terminal, and the first IP address of the first terminal conflicts with the IP address of the second terminal already connected to the core switch, determine the first port label corresponding to the first terminal.

[0066] In one exemplary embodiment of this disclosure, Figure 3 This is a flowchart illustrating another address allocation method in an example embodiment of this application. For example... Figure 3 As shown, the above steps may include steps S310 to S330.

[0067] S310, determine whether the identity identifier includes the first IP address of the first terminal.

[0068] In this example implementation, after receiving the identity identifier of the first terminal, the core switch can parse the identity information to determine whether it includes the first terminal's first IP address. The first IP address is the static IP address that the first terminal carries before connecting to the access switch. If the first IP address is included, step S320 is executed.

[0069] S320, determine whether the first IP address of the first terminal conflicts with the IP address of the second terminal already connected in the core switch.

[0070] In this example implementation, after obtaining the first IP address of the aforementioned terminal, the core switch will first obtain the IP addresses of all connected terminals, and then detect whether there is an IP address that is the same as the first IP address, that is, detect whether there is a second terminal that has the same IP address as the first terminal. If there is, then step S330 is executed.

[0071] S330, obtain the first port label corresponding to the first terminal.

[0072] In this example implementation, the core switch can obtain the first port tag corresponding to the terminal, wherein the first port tag includes at least the first access port tag corresponding to the access port of the first access switch.

[0073] For example, if the aforementioned self-organizing network includes a core switch and a first access switch, then the aforementioned first port label is the first access port label of the first access switch. If the aforementioned self-organizing network includes a core switch, an aggregation switch, and an access switch, then the aforementioned first port label may include the first access port label of the first access switch and the aggregation port label corresponding to the port of the aggregation switch to which the first access switch is connected.

[0074] S230: Assign a second IP address to the first terminal based on the first port label of the first terminal.

[0075] In this example implementation, if the first port label of the first terminal is different from the second port label of the second terminal, a second IP address is assigned to the terminal. The second terminal is connected to the second access port label corresponding to the access port of the second access switch, and the second access switch is connected to the core switch.

[0076] It should be noted that the first access switch mentioned above may be the same access switch as the second access switch mentioned above, or they may be different access switches. No specific limitation is made in this example implementation.

[0077] Since two terminals with the same IP address have different access port labels, configuring a second IP address for the latter terminal can resolve the technical issue of IP conflict.

[0078] The system identifies the first terminal accessing the first access switch, including its first IP address. If the first IP address conflicts with the IP address of a second terminal already connected to the core switch, the system determines the first port label corresponding to the first terminal and assigns a second IP address to it based on this label. The core switch can configure a second IP address for the first terminal with the conflicting IP address using the first port label, resolving the issue of the first terminal being unable to access the core switch due to IP conflicts and improving the core switch's compatibility.

[0079] In one example implementation of this disclosure, after two terminals with the same MAC address access the access switch, since there is no IP conflict, the corresponding terminal can be found directly by IP address, that is, by finding the tag corresponding to the MAC address, which can solve the MAC conflict problem.

[0080] In one example implementation, the access port labels of the access switch and the aggregation port labels of the aggregation switch can be configured by the core switch. These labels can be used simply to distinguish different ports, or they can be port isolation labels to isolate ports on the switch. Furthermore, the port isolation labels not only distinguish ports but also isolate the ports on the switch, preventing direct data exchange between them. The following detailed explanation uses the port isolation label as an example.

[0081] It should be noted that setting port isolation tags for both aggregation switches and access switches allows all connected terminals to be directly controlled by the core switch. This is equivalent to the terminals being directly connected to the core switch, meaning the core switch directly controls the terminals, thus avoiding loop problems in wired lines.

[0082] In one example implementation, the self-organizing network may consist of only a core switch and access switches. In this case, the core switch needs to configure different port isolation labels for the access switches, and the port isolation label of the access switch can be used as the first port label.

[0083] In another example implementation, the self-organizing network further includes at least one aggregation switch. This application describes the above steps with the case that the self-organizing network includes an aggregation switch.

[0084] In this example implementation, the aggregation switch can be configured with port isolation. The port isolation method can be VLAN (Virtual Local Area Network), QinQ (802.1Q-in-802.1Q), VXLAN (Virtual eXtensible Local Area Network), or other methods. In this example implementation, no specific limitation is made. The ports on the aggregation switch are also configured with different aggregation port labels.

[0085] Furthermore, multiple ports in the aforementioned access switches are also configured with port isolation. The method for configuring port isolation is similar to that of the aggregation switch described above, and will not be repeated here. For example, the aforementioned self-organizing network includes two access switches, access switch A and access switch B. Different port isolation labels can be set for multiple ports on each access switch. That is, the port isolation labels for access switch A can be VLAN 10-VLAN 20. The port isolation labels for access switch B can be different from those for access switch A, such as VLAN 21-VLAN 31. Alternatively, the port isolation labels for access switch B can be the same as those for access switch A, i.e., VLAN 10-VLAN 20 for access switch B as well. Since the two access switches connect to the same aggregation switch via different ports, for the core switch, the first port label corresponding to each terminal is different. Here, the first port label is the sum of the port isolation labels of the access switches and the port isolation labels of the aggregation switches.

[0086] The following reference Figure 4 The configuration process for the aforementioned port labels will be described in detail. Figure 4 This is a diagram illustrating the port configuration for this application. The core switch first discovers the aggregation switch, then the access switches connected to the aggregation switch. The core switch configures a different port isolation label for each port. For example, using VLAN labels as port isolation labels, CVLAN10-33 (port isolation labels for the aggregation switch, i.e., aggregation port labels) is configured for each of the 24 ports of the aggregation switch, and PVLAN10-33 (port isolation labels for the access switches, i.e., access port labels) is configured for each of the 24 ports of the access switches. For the core switch, the first port label corresponding to the terminal connected to the first port of the access switch is PVLAN10, CVLAN10. If a terminal connects from the first port of the access switch and then connects to the core switch through the first port of the aggregation switch, and the terminal's identity includes an IP address and a MAC address, where the IP address can be IPA and the MAC address can be MACA, then the identity and first port label received by the core switch will be (IPA, MACA, PVLAN10, CVLAN10).

[0087] In one example implementation of this application, if the identity identifier of the first terminal does not carry a first IP address, the core switch can assign the first terminal an IP address that is not duplicated with other terminals accessing the ad hoc network.

[0088] In one exemplary embodiment of this application, Figure 5 This is a flowchart of the terminal control process in this application, see reference. Figure 5 The above method also includes steps S510 to S520.

[0089] S510 determines the permissions of the first terminal based on the identity identifier of the first terminal.

[0090] In this example implementation, the core switch can store permission settings corresponding to various identity identifiers, configuring different permissions for different terminal identity identifiers. The specific configuration method can be customized according to user needs and is not specifically limited in this example implementation. For example, ordinary users are configured with first-level permissions, administrators with second-level permissions, and super administrators with third-level permissions. The core switch can configure corresponding permissions for each terminal based on its identity identifier.

[0091] The specific settings of the aforementioned permissions can be customized according to user needs. For example, the permissions may include, but are not limited to, access permissions and data interaction permissions. Access permissions refer to the terminal's permission to access data or devices in the ad hoc network. For example, access permissions may include accessing a warehouse system, accessing an access control system, or connecting to a printer. Data interaction permissions refer to the terminal's permission to interact with devices in the ad hoc network. For example, interaction permissions may include whether it can interact with other terminals and how many terminals it can interact with simultaneously; these are not specifically limited in this example implementation. After determining the identity of the first terminal, the permissions of the first terminal can be determined.

[0092] S520 controls the first terminal according to the permissions of the first terminal.

[0093] In one exemplary embodiment of this disclosure, after obtaining the aforementioned permissions, the first terminal can be controlled based on those permissions. Specifically, the first terminal can be controlled to acquire data, send data, connect to other devices, etc. No specific limitations are made in this exemplary embodiment. The first terminal is directly controlled by the core switch; neither the aggregation switch nor the access switch can interfere with the permissions of the first terminal, nor can the first terminal be directly controlled by the aggregation switch or the access switch. This prevents wired loop problems, and the core switch's setting and control of permissions for the first terminal ensures the security of data within the ad hoc network.

[0094] In one exemplary embodiment of this application, after the first terminal accesses the aforementioned self-organizing network, the core switch can determine whether the first terminal is connecting to the self-organizing network for the first time (i.e., accessing the core switch) based on the first terminal's identity identifier. Specifically, this can be determined by the first terminal's unique identifier. For example, the unique identifier of the first terminal could be the terminal's MAC address, device code, etc., and is not specifically limited in this exemplary embodiment.

[0095] If the first terminal is connecting to the ad hoc network for the first time, then steps S220 to S250 are executed. If the first terminal is not accessing the ad hoc network for the first time, then the core switch obtains the permissions of the first terminal when it last accessed the ad hoc network and assigns them to the first terminal.

[0096] It should be noted that after permissions are assigned to the first terminal, the system can detect in real time whether the identity of the first terminal has changed. Once the identity of the first terminal is detected to have changed, the permissions corresponding to the first terminal are updated according to the changed identity, thereby further improving data security in the ad hoc network.

[0097] In one exemplary embodiment of this disclosure, Figure 6 This is a flowchart of updating permissions for a first terminal according to the present application, which may specifically include steps S610 to S620.

[0098] S610 performs security detection on the first terminal based on the behavioral profile of the first terminal to obtain the security detection result.

[0099] In this example embodiment, the core memory can store the behavior profile of the first terminal using the self-organizing network. The behavior profile can be obtained based on the service traffic of the first terminal in the self-organizing network within a first time period. The process of obtaining the behavior profile can be done at preset time intervals. The preset time can be customized according to user needs and is not specifically limited in this example embodiment.

[0100] It should be noted that the aforementioned first duration can be 10 days, 15 days, or even a month or longer, and can be customized according to user needs. The aforementioned service traffic refers to the traffic generated when the first terminal processes services in the self-organizing network, such as the traffic when the first terminal accesses data, the traffic when the first terminal performs data interaction, etc., which are not specifically limited in this example implementation.

[0101] After obtaining the service traffic of the first terminal within a first time period, a behavioral profile of the first terminal's use of the ad hoc network can be established based on this service traffic. The specific form of the behavioral profile can be customized according to user needs. For example, the behavioral profile can include time periods and the corresponding service types and traffic characteristics for each time period. Specifically, a day can be divided into 12 time periods, and the service types and traffic characteristics of the first terminal in each time period can be determined. Service types can be as follows: in the first time period, the first terminal accesses a database; in the second time period, the first terminal performs data transmission; in the third time period, the first terminal connects to external devices, etc. Traffic characteristics can include traffic ranking, sending addresses in the traffic, traffic sending ports, data sending time intervals, etc., which are not specifically limited in this example implementation.

[0102] The specific method for obtaining the aforementioned behavioral profile can be customized according to user needs. For example, it can be obtained based on a behavioral profile determination model. Specifically, the aforementioned business traffic is input into a pre-trained behavioral profile determination model to obtain the aforementioned behavioral profile. Alternatively, a query table of time periods, business types, and traffic characteristics can be directly established in the storage area of ​​the core switch as the aforementioned behavioral profile, which is not specifically limited in this example implementation.

[0103] The above security test results can be set to different levels according to user needs, or they can be set to abnormal and normal. In this example implementation, no specific limitation is made.

[0104] The following explanation uses the example of the security test results being normal or abnormal. The method for determining normal and abnormal can be customized according to user needs. For example, a security factor can be used to determine whether the security test results are normal or abnormal. The method for determining the security factor can also be customized according to user needs, and is not specifically limited in this example implementation.

[0105] In one example implementation, the aforementioned security factor can be determined using a similarity method. Specifically, the aforementioned behavioral profile may include the service type and / or traffic characteristics of the first terminal in each time period.

[0106] Specifically, after the first terminal accesses the ad hoc network, the core switch can first determine the current time period and, based on the current time period and behavioral profile, determine the target service type of the first terminal in the current time period. Then, it compares the target service type of the first terminal in the current time period with the service type in the behavioral profile for the current time period to obtain the first similarity between the two. The method for obtaining the first similarity can refer to relevant technologies and is not specifically limited in this example implementation.

[0107] Furthermore, the core switch is also configured with characteristic information of abnormal traffic. After the first terminal accesses the ad hoc network, the core switch can first determine the current time period, and based on the current time period and behavioral profile, determine the target traffic characteristics of the first terminal in the current time period. Then, it compares the target traffic characteristics of the first terminal in the current time period with the second similarity of the aforementioned characteristic information. The more similar the target traffic characteristics are to the characteristic information of abnormal traffic, the higher the probability that the service traffic corresponding to the target traffic characteristics is abnormal traffic. The method for obtaining the second similarity can refer to relevant technologies, which will not be elaborated here.

[0108] It should be noted that traffic characteristics can be used to determine whether the aforementioned traffic is abnormal. For example, if the IP address corresponding to the first terminal sends data packets to a large number of target IP addresses, it indicates that the first terminal attempted to establish a connection with devices in the ad hoc network but received no response. Furthermore, if the time interval between sending data packets is very short, on the order of milliseconds, it can be determined that the data packets were not sent manually, and the traffic is abnormal. The method for obtaining traffic characteristics can refer to existing technologies and will not be elaborated here. The specific form of abnormal traffic can be customized according to user needs. For example, abnormal traffic may include, but is not limited to, Trojan attack traffic, unauthorized access traffic, etc., but is not specifically limited in this example implementation.

[0109] In this example implementation, the first similarity can be used as the aforementioned safety coefficient, or the target value obtained by subtracting the second similarity from 1 can be used as the safety coefficient, or the weighted average of the first similarity and the target value can be used as the aforementioned safety coefficient. The method of determining the safety coefficient can also be customized according to user needs, and is not specifically limited in this example implementation.

[0110] In this example implementation, when the security factor is greater than or equal to a preset threshold, the security detection result is determined to be normal; when the security factor is less than the preset threshold, the security detection result is determined to be abnormal.

[0111] S620 updates the permissions of the first terminal using the security detection results.

[0112] In this example implementation, the permissions of the first terminal in the ad hoc network can be updated based on the security detection results. These security detection results can include various types and correspond to different permissions. The specific settings can be customized according to user needs and are not specifically limited in this example implementation.

[0113] The following explanation uses the above security detection results, including normal and abnormal, as an example. If the security detection result is abnormal, the data interaction between the first terminal and other first terminals in the ad hoc network is interrupted. This ensures the security of data in the ad hoc network without interrupting the network connection of the connected first terminals, and together blocks the transmission of abnormal traffic, thus improving the internal security of the ad hoc network. If the security detection result is normal, permissions are set for the first terminal based on its identity identifier.

[0114] Figure 7 Here is a flowchart of another address allocation method in the example implementation of this application, referred to below. Figure 7 This application details the address allocation method. Specifically, it may include the following steps:

[0115] S710 obtains the identity identifier of the first terminal accessing the ad hoc network.

[0116] The specific process of obtaining identity information has been explained in detail above, so it will not be repeated here.

[0117] S720 determines whether the identity identifier includes the first IP address of the first terminal.

[0118] In this example implementation, if the first IP address of the first terminal is not included in the above identity identifier, then step S730 is executed.

[0119] The S730 assigns an IP address to the first terminal.

[0120] In this example implementation, the core switch will assign a different IP address to the first terminal than to other first terminals.

[0121] If the aforementioned identity identifier includes the first IP address of the first terminal, then proceed to step S740.

[0122] S740, determine whether the first IP address of the first terminal conflicts with the IP address of the second terminal already connected in the self-organizing network.

[0123] If there is a conflict, proceed to step S750. If there is no conflict, proceed to step S770.

[0124] S750: Obtain the first port tag corresponding to the access port of the access switch to which the first terminal is connected, and assign a second IP address to the first terminal based on the first IP address and the first port tag, and update the identity of the first terminal.

[0125] In this example implementation, the detailed process of step S750 can be referred to step S230, and will not be repeated here.

[0126] After S750 is executed, step S770 can be executed.

[0127] S760 determines the permissions of the first terminal in the ad hoc network based on the identity identifier of the first terminal.

[0128] In this example implementation, the detailed process of step S750 can be referred to step S510, and will not be repeated here.

[0129] The S770 controls the first terminal based on its permissions within the ad hoc network.

[0130] In this example implementation, the detailed process of step S750 can be referred to step S520, and will not be repeated here.

[0131] The address allocation method in this application determines the identity identifier of the first terminal accessing the first access switch. This identity identifier includes the first IP address of the first terminal. If the first IP address of the first terminal conflicts with the IP address of a second terminal already connected to the core switch, the method determines the first port label corresponding to the first terminal and allocates a second IP address to it based on this label. The core switch can configure a second IP address for the first terminal with IP address conflicts using the first port label, resolving the problem of the first terminal being unable to access the core switch due to IP conflicts and improving the core switch's compatibility. Furthermore, after the first terminal accesses the aforementioned self-organizing network, permissions are assigned to the first terminal, and control is exercised based on these permissions, enhancing the security of the self-organizing network. Even further, after two first terminals with the same MAC address access the network, since there is no IP conflict, the corresponding first terminal can be found directly through its IP address, i.e., by finding the label corresponding to the MAC address, thus resolving the MAC conflict problem. Still further, port isolation is configured between each port of the aggregation switch and access switch in this application, effectively preventing wired loop problems.

[0132] It should be noted that, for the sake of simplicity, the foregoing method embodiments are all described as a series of actions. However, those skilled in the art should understand that this application is not limited to the described order of actions, as some steps may be performed in other orders or simultaneously according to this application. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are all optional embodiments, and the actions and modules involved are not necessarily essential to this application.

[0133] It should be further noted that although the steps in the flowchart are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowchart may include multiple sub-steps or multiple stages. These sub-steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these sub-steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the sub-steps or stages of other steps.

[0134] Figure 8 This application provides an address allocation device 800, which is applied to a core switch. The device includes an identity acquisition module 810, a tag acquisition module 820, and an address allocation module 830.

[0135] The identity acquisition module 810 can be used to determine the identity of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch.

[0136] The tag acquisition module 820 can be used to determine the first port tag corresponding to the first terminal when the identity identifier includes the first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of the second terminal that has been connected to the core switch.

[0137] The address allocation module 830 can be used to allocate a second IP address to the first terminal based on the first port label of the first terminal; wherein, the first port label includes: the first access port label corresponding to the access port of the first terminal connected to the first access switch.

[0138] In one example implementation, the address allocation module 830 can also be used to allocate a second IP address to the first terminal when the first port label of the first terminal is different from the second port label of the second terminal; wherein, the second port label includes: the second access port label corresponding to the access port of the second terminal connected to the second access switch, and the second access switch is connected to the core switch.

[0139] In one example implementation, the tag acquisition module 820 can also be used to determine the first port tag based on the aggregation port tag of the aggregation switch and the first access port tag.

[0140] In one example implementation, the address allocation device 800 can also be used to determine the permissions of the first terminal based on the identity identifier of the first terminal, and control the first terminal based on the permissions of the first terminal.

[0141] In one example implementation, the address allocation device 800 can also be used to allocate the permissions corresponding to the first terminal when the first terminal previously accessed the core switch, if the first terminal is not accessing the core switch for the first time.

[0142] In one example implementation, the address allocation device 800 can also be used to perform security detection on the first terminal based on the behavioral profile of the first terminal, so as to obtain the security detection result and update the permissions of the first terminal based on the security detection result.

[0143] In one example implementation, the address allocation device 800 can also be used to obtain the service traffic of the first terminal within a first duration; and to obtain a behavioral profile of the first terminal based on the service traffic.

[0144] In one example implementation, the security detection result includes normal and abnormal. The address allocation device 800 can also be used to interrupt data interaction between the first terminal and other terminals in the ad hoc network when the security detection result is abnormal.

[0145] In one possible implementation, the conflict determination module 830 described above can be used to assign an IP address to the terminal when the first IP address is not included in the identity identifier.

[0146] It should be understood that the above-described device embodiments are merely illustrative, and the device of this application can also be implemented in other ways. For example, the division of units / modules in the above embodiments is only a logical functional division, and there may be other division methods in actual implementation. For example, multiple units, modules, or components may be combined, or integrated into another system, or some features may be ignored or not executed.

[0147] Furthermore, unless otherwise specified, the functional units / modules in the various embodiments of this application can be integrated into one unit / module, or each unit / module can exist physically separately, or two or more units / modules can be integrated together. The integrated units / modules described above can be implemented in hardware or as software program modules.

[0148] When integrated units / modules are implemented in hardware, the hardware can be digital circuits, analog circuits, etc. The physical implementation of the hardware structure includes, but is not limited to, transistors, memristors, etc. Unless otherwise specified, the processor can be any suitable hardware processor, such as a CPU, GPU, FPGA, DSP, and ASIC, etc. Unless otherwise specified, the storage unit can be any suitable magnetic or magneto-optical storage medium, such as Resistive Random Access Memory (RRAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Enhanced Dynamic Random Access Memory (EDRAM), High-Bandwidth Memory (HBM), Hybrid Memory Cube (HMC), etc.

[0149] If the integrated unit / module is implemented as a software program module and sold or used as an independent product, it can be stored in a computer-readable storage device (CMD). Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a memory and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this application. The aforementioned memory includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.

[0150] Figure 9 This is a structural schematic diagram of a core switch 900 provided in this application. Figure 9 As shown, the core switch 900 may include at least one processor 910, a memory 920, and a communication interface 930.

[0151] The memory 920 is used to store programs. Specifically, the program may include program code, which includes computer operation instructions.

[0152] The memory 920 may include high-speed RAM memory, and may also include non-volatile memory, such as at least one disk storage device.

[0153] The processor 910 is used to execute computer execution instructions stored in the memory 920 to implement the monitoring method described in the foregoing method embodiments. The processor 910 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application.

[0154] The core switch 900 may also include a communication interface 930, through which it can communicate and interact with external devices. In specific implementations, if the communication interface 930, memory 920, and processor 910 are implemented independently, they can be interconnected via a bus to complete communication. The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc., but this does not imply that there is only one bus or one type of bus.

[0155] In one implementation, if the communication interface 930, memory 920, and processor 910 are integrated on a single chip, then the communication interface 930, memory 920, and processor 910 can communicate through an internal interface.

[0156] This application also provides a computer-readable storage medium, which may include various media capable of storing program code, such as a USB flash drive, a portable hard drive, a read-only memory, a random access memory, a disk, or an optical disk. Specifically, the computer-readable storage medium stores program instructions, which are used in the monitoring method described in the above embodiments.

[0157] In the above embodiments, the descriptions of each embodiment have their own emphasis. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments. The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as these combinations of technical features do not contradict each other, they should be considered within the scope of this specification.

[0158] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this application are indicated by the following claims.

[0159] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims

1. An address allocation method, the method being applied to a core switch, characterized in that, The method includes: Determine the identity of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch; If the identity identifier includes the first IP address of the first terminal, and the first IP address of the first terminal conflicts with the IP address of the second terminal already connected to the core switch, the first port label corresponding to the first terminal is determined, and the first port label is a label including a port isolation label. A second IP address is assigned to the first terminal based on the first port label of the first terminal; wherein, the first port label includes: the first access port label corresponding to the access port of the first terminal connected to the first access switch; The step of allocating a second IP address to the first terminal based on the first port label of the first terminal includes: If the first port label of the first terminal is different from the second port label of the second terminal, a second IP address shall be assigned to the first terminal. After assigning a second IP address to the first terminal, the method further includes: Determine the permissions of the first terminal based on its identity identifier; Control the first terminal according to its permissions.

2. The method of claim 1, wherein, The second port label includes: a second access port label corresponding to the access port of the second terminal connected to the second access switch, wherein the second access switch is connected to the core switch.

3. The method of claim 1, wherein, An aggregation switch is included between the core switch and the first access switch, and each port of the aggregation switch is configured with an aggregation port label. Determining the first port tag corresponding to the first terminal includes: The first port label is determined based on the aggregation port label of the aggregation switch and the first access port label.

4. The method of claim 1, wherein, Determining the permissions of the first terminal includes: If the first terminal is not accessing the core switch for the first time, the permissions corresponding to the first terminal's previous access to the core switch shall be assigned to the first terminal.

5. The method of claim 4, wherein, After determining the permissions of the first terminal, the method further includes: The security detection of the first terminal is performed based on the behavioral profile of the first terminal to obtain the security detection result; Update the permissions of the first terminal based on the security detection results.

6. The method of claim 5, wherein, Before performing security detection on the first terminal based on its behavioral profile, the method further includes: Obtain the service traffic of the first terminal within a first time period; The behavioral profile of the first terminal is obtained based on the business traffic.

7. The method of claim 5, wherein, The step of updating the permissions of the first terminal based on the security detection result includes: If the security detection result is abnormal, the data interaction between the first terminal and the second terminal will be interrupted.

8. The method of claim 1, wherein, The method further includes: If the first IP address is not included in the identity identifier, an IP address is assigned to the terminal.

9. An address allocation apparatus applied to a core switch corresponding to at least one access switch, characterized in that, The device includes: The identity acquisition module is used to determine the identity identifier of the first terminal accessing the first access switch, wherein the first access switch is connected to the core switch; The tag acquisition module is used to determine the first port tag corresponding to the first terminal when the identity identifier includes the first IP address of the first terminal and the first IP address of the first terminal conflicts with the IP address of the second terminal that has been connected to the core switch. The first port tag is a tag that includes a port isolation tag. The address allocation module is used to allocate a second IP address to the first terminal based on the first port label of the first terminal; wherein, the first port label includes: the first access port label corresponding to the access port of the first terminal connected to the first access switch; The address allocation module is specifically used for: If the first port label of the first terminal is different from the second port label of the second terminal, a second IP address shall be assigned to the first terminal. The device is also used for: Determine the permissions of the first terminal based on its identity identifier; Control the first terminal according to its permissions.

10. A switch, characterized in that, include: A processor, and a memory communicatively connected to the processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory to implement the method as described in any one of claims 1 to 8.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the method as described in any one of claims 1 to 8.