CN101980496A - Message processing method and system, exchange board and access server equipment
Abstract
The embodiment of the invention provides a message processing method, a message processing system, an exchange board and access server equipment. The message processing method comprises: receiving an online verification message transmitted by source terminal equipment, wherein the online verification message carries the media access control (MAC) address of the source terminal equipment; transmitting the online verification message to the access server equipment; receiving a verification result message transmitted by the access server equipment after the access server equipment verifies the source terminal equipment according to the MAC address; and, if the source terminal equipment passes the verification, performing learning of a MAC forwarding list according to the verification result message. In the embodiment of the invention, the exchange board does not learn every received MAC address that would otherwise be learned, but only the MAC addresses that pass verification by the access server equipment; therefore, the amount of MAC learning can be controlled effectively, and the problem that the exchange board fails to forward the online verification messages transmitted by other normal source terminal equipment when a MAC attack occurs is solved.
Description
Technical field
The embodiments of the invention relate to communication technology, and in particular to a message processing method and system, a switch and access server equipment.
Background technology
A switch is a device that performs information exchange in a communication network. An existing switch maintains a mapping table between media access control (Media Access Control, hereinafter: MAC) addresses and the transmit ports of the switch, that is, the MAC forwarding table. When a MAC message is forwarded through the switch and the mapping table holds no transmit port information for the MAC address of that message, the switch broadcasts the message to all transmit ports. When the target device returns information through one of the transmit ports, the switch knows which transmit port corresponds to that MAC address, and it adds the correspondence between the transmit port and the MAC address to the MAC forwarding table. This process is the learning process of the MAC forwarding table.
In existing communication networks such as layer-2 networks or Virtual Private LAN Service (hereinafter: VPLS) networks, whenever the switch receives from source end equipment a MAC message whose MAC address has no corresponding transmit port information in the MAC forwarding table, it performs MAC learning, and the learned entries keep occupying the MAC forwarding table. Therefore, when source end equipment maliciously sends MAC messages whose MAC addresses change continuously, a MAC attack occurs: the resources of the mapping table are exhausted and the switch can no longer forward normally. To address this problem, the prior art guards against MAC attacks by limiting the number of MAC addresses learned on all virtual switch interfaces (Virtual Switch Interface, hereinafter: VSI) of the switch or on certain VSIs. This, however, is a passive defence: when a MAC attack occurs and the number of learned MAC addresses exceeds the preset threshold, the switch can no longer forward the MAC messages sent by other legitimate source end equipment attached to the whole VSI or to the same VSI.
Summary of the invention
The embodiments of the invention provide a message processing method and system, a switch and access server equipment.
An embodiment of the invention provides a message processing method, comprising:
Receiving an online authentication message sent by source end equipment, the online authentication message comprising the MAC address of the source end equipment;
Sending the online authentication message to access server equipment;
Receiving an authentication result message sent by the access server equipment after it authenticates the source end equipment according to the MAC address;
If the authentication passes, performing learning of the MAC forwarding table according to the authentication result message.
An embodiment of the invention provides another message processing method, comprising:
Receiving an online authentication message sent by a switch, the online authentication message comprising the MAC address of the source end equipment that sent the online authentication message;
Authenticating the source end equipment according to the MAC address;
Sending an authentication result message to the switch.
An embodiment of the invention provides a switch, comprising:
A first receiver module, configured to receive the online authentication message sent by source end equipment, the online authentication message comprising the MAC address of the source end equipment, and to receive the authentication result message sent by the access server equipment after it authenticates the source end equipment according to the MAC address;
A first sending module, configured to send the online authentication message received by the first receiver module to the access server equipment;
A first processing module, configured to perform learning of the MAC forwarding table according to the authentication result message when the authentication result message received by the first receiver module indicates that authentication passed.
An embodiment of the invention provides access server equipment, comprising:
A second receiver module, configured to receive the online authentication message sent by a switch, the online authentication message comprising the MAC address of the source end equipment that sent the online authentication message;
A second processing module, configured to authenticate the source end equipment according to the MAC address comprised in the online authentication message received by the second receiver module;
A second sending module, configured to send to the switch the authentication result message obtained from the authentication performed by the second processing module.
An embodiment of the invention provides a message processing system, comprising customer edge equipment, a switch and access server equipment connected in sequence;
The customer edge equipment is configured to receive the online authentication message sent by source end equipment and to forward the online authentication message to the switch;
The switch is configured to receive the online authentication message sent by the customer edge equipment, the online authentication message comprising the MAC address of the source end equipment; to send the online authentication message to the access server equipment; to receive the authentication result message sent by the access server equipment after it authenticates the source end equipment according to the MAC address; and, if the authentication passes, to perform learning of the MAC forwarding table according to the authentication result message;
The access server equipment is configured to receive the online authentication message sent by the switch, to authenticate the source end equipment according to the MAC address, and to send an authentication result message to the switch.
In the embodiments of the invention, the switch does not learn every received MAC address that would require MAC learning, but only the MAC addresses that the access server equipment has authenticated successfully. The amount of MAC learning can thus be controlled effectively, which avoids the problem that, when a MAC attack occurs, the switch cannot forward the online authentication messages sent by other normal source end equipment.
Description of drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the message processing method of the present invention;
Fig. 2 is a flow chart of embodiment two of the message processing method of the present invention;
Fig. 3 is a flow chart of embodiment three of the message processing method of the present invention;
Fig. 4 is a flow chart of embodiment four of the message processing method of the present invention;
Fig. 5 is a structural diagram of an embodiment of the switch of the present invention;
Fig. 6 is a structural diagram of an embodiment of the access server equipment of the present invention;
Fig. 7 is a structural diagram of an embodiment of the message processing system of the present invention.
Embodiment
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of embodiment one of the message processing method of the present invention. As shown in Fig. 1, the method of this embodiment can comprise:
Step 101: receive the online authentication message sent by source end equipment; the online authentication message comprises the MAC address of the source end equipment.
As the forwarding device for online authentication messages, the switch can receive the online authentication message sent by source end equipment, for example a PC. The online authentication message can comprise the MAC address of the source end equipment.
For instance, the switch can be provider edge (Provider Edge, hereinafter: PE) equipment. The source end equipment can be connected to the PE equipment through customer edge (Customer Edge, hereinafter: CE) equipment. The PE equipment can therefore receive the online authentication message of the source end equipment as transparently forwarded by the CE equipment.
In the prior art, after the PE equipment receives the online authentication message, if the MAC forwarding table holds no transmit port information corresponding to the MAC address comprised in the message, the PE equipment cannot know from which transmit port the message should be sent. It therefore broadcasts the message from every transmit port and thereby performs MAC learning.
By contrast, in this embodiment the PE equipment does not perform MAC learning directly after receiving an online authentication message that would require MAC learning, but sends the message to the access server equipment. The access server equipment can authenticate the source end equipment that sent the message.
For instance, the access server equipment in this embodiment can be Broadband Remote Access Server (hereinafter: BRAS) equipment. BRAS equipment is an access gateway oriented to broadband network applications. It is the bridge between the broadband access network and the backbone network, and provides the basic access means and management functions of the broadband access network. BRAS equipment mainly performs two functions: one is the network bearer function, the other is the control function. For the control function, the BRAS equipment cooperates with the authentication system, the charging system, the client management system and the service policy control system to implement authentication, charging and management of user access. Specifically, function servers such as the operator's authentication server and accounting server can be connected behind the BRAS. When a user logs in, the BRAS can send the user name and password entered by the user to the authentication server, and after verification passes the BRAS allows the user to access the network. In this embodiment, the BRAS equipment can authenticate the legitimacy of the source end equipment according to the MAC address comprised in the online authentication message. After authentication is finished, the BRAS equipment can feed the authentication result message back to the PE equipment.
This embodiment does not limit how the access server equipment authenticates the source end equipment according to the MAC address; those skilled in the art can adopt an appropriate authentication method as required.
The PE equipment can receive the authentication result message sent by the access server equipment, for example the BRAS equipment.
If the received authentication result message shows that the source end equipment corresponding to the MAC address has passed authentication, the PE equipment only then begins learning of the MAC forwarding table. This learning can use the learning methods of the prior art, which are not repeated here.
If authentication does not pass, the PE equipment refuses forwarding processing for this network equipment.
As can be seen from the above, if the PE equipment uses this approach for MAC forwarding table learning from its initial state onward, every MAC address forwarding entry stored in the MAC forwarding table must have passed authentication by the access server equipment, and the MAC address of source end equipment that failed authentication is never added to the MAC forwarding table.
When a MAC attack exists, the source end equipment that initiates the attack is generally an unauthenticated user. Therefore, when the access server equipment authenticates according to the MAC addresses comprised in the online authentication messages sent by such users, the result is that authentication does not pass. After receiving from the access server equipment an authentication result message indicating that authentication did not pass, the PE equipment performs no learning of the MAC forwarding table.
In this embodiment, the switch does not learn every received MAC address that would require MAC learning, but only the MAC addresses that the access server equipment has authenticated successfully. The amount of MAC learning can thus be controlled effectively, which avoids the problem that, when a MAC attack occurs, the switch cannot forward the online authentication messages sent by other normal source end equipment.
Fig. 2 is a flow chart of embodiment two of the message processing method of the present invention. As shown in Fig. 2, this embodiment is a specific implementation of the method embodiment shown in Fig. 1, and the method of this embodiment can comprise:
Step 201: receive the online authentication message sent by source end equipment; the online authentication message comprises the MAC address of the source end equipment.
The implementation of step 201 is similar to that of step 101 shown in Fig. 1 and is not repeated here.
After receiving the online authentication message, the switch, for example the PE equipment, knows on which access interface the message was received. The PE equipment can therefore add this access interface information to the online authentication message before sending the message to the access server equipment.
Taking a VPLS network as the bridging network as an example, the protocols that the VPLS network can support include the Dynamic Host Configuration Protocol (hereinafter: DHCP) and the Point-to-Point Protocol over Ethernet (hereinafter: PPPoE).
For DHCP, the online authentication message that the source end equipment sends to the PE equipment is a DHCP request message (DHCP Request). The PE equipment can insert Option information into this DHCP Request; for example, the Option information can be 60:PE GE1/0/0.1Tag 100. This Option information is the access interface information.
For PPPoE, the online authentication message that the source end equipment sends to the PE equipment is a PPPoE Active Discovery Request (PADR) message. The PE equipment can insert Vendor-Specific information into this PADR message; for example, the Vendor-Specific information can be 0x0105:PE1GE1/0/0.1Tag 100. This Vendor-Specific information is the access interface information.
After receiving the online authentication message, the access server equipment can authenticate the legitimacy of the source end equipment according to the MAC address in the message. This process is similar to the process in step 102 shown in Fig. 1 in which the BRAS equipment authenticates the source end equipment, and is not repeated here. The difference is that, after authentication of the source end equipment is finished, the access server equipment can take the access interface information from the online authentication message sent by the switch and carry it in the authentication result message that it sends back to the switch. From this access interface information the switch can tell on which receiving port the authenticated source end equipment is attached, so the switch does not need to record the access interface information when it receives the online authentication message.
In this embodiment, the authentication result message can be a DHCP offer (DHCP Offer) message in the DHCP protocol, or a PPPoE Active Discovery Session-confirmation (PADS) message in the PPPoE protocol.
After receiving the authentication result message, the switch can obtain the access interface information from it. The switch can then generate MAC learning information from this access interface information; for example, the MAC learning information can be the combination of the access interface information, the MAC address and so on. The switch can perform learning of the MAC forwarding table according to the generated MAC learning information. This learning can be implemented with existing techniques, which are not repeated here.
The authentication result message that the access server equipment sends to the PE equipment can also comprise lease period information for the MAC address, that is, the validity period of the MAC address. The PE equipment can therefore send the lease period information of the MAC address to the source end equipment, so that the source end equipment learns that the MAC address is usable within the lease period.
In this embodiment, the switch does not learn every received MAC address that would require MAC learning, but only the MAC addresses that the access server equipment has authenticated successfully. The amount of MAC learning can thus be controlled effectively, which avoids the problem that, when a MAC attack occurs, the switch cannot forward the online authentication messages sent by other normal source end equipment. In addition, the switch does not need to record access interface information when it receives a network message; it only needs to add the access interface information to the network message it forwards, which reduces the operational complexity of the switch.
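The learning gate of embodiments one and two, set against the prior-art learning limit, as an added example that is not part of the patent text. It assumes the access server authenticates against a static MAC allow-list (the page leaves the method open); the class names, the limit of 4 and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

VSI_LEARNING_LIMIT = 4           # constructed value for the prior-art learning limit
LEGIT_MAC = "00:11:22:33:44:55"  # constructed address of a legitimate source device


@dataclass
class AccessServer:
    """Stands in for the BRAS. Assumption: authentication is a MAC allow-list."""
    known_macs: frozenset

    def authenticate(self, online_auth_msg: dict) -> dict:
        # Echo the access interface information inserted by the switch, so the
        # switch keeps no per-request state while it waits for the result.
        return {
            "mac": online_auth_msg["mac"],
            "access_if": online_auth_msg["access_if"],
            "passed": online_auth_msg["mac"] in self.known_macs,
        }


@dataclass
class GatedSwitch:
    """Learns a MAC address only from a passing authentication result."""
    server: AccessServer
    mac_table: dict = field(default_factory=dict)  # MAC -> access interface
    refused: int = 0

    def on_online_auth_message(self, mac: str, access_if: str) -> bool:
        request = {"mac": mac, "access_if": access_if}  # interface info added here
        result = self.server.authenticate(request)
        if not result["passed"]:
            self.refused += 1  # failed authentication never creates a table entry
            return False
        # The entry is built purely from what the result message carries.
        self.mac_table[result["mac"]] = result["access_if"]
        return True


@dataclass
class LimitOnlySwitch:
    """Prior-art behaviour: learn every unknown MAC until the limit is reached."""
    limit: int = VSI_LEARNING_LIMIT
    mac_table: dict = field(default_factory=dict)

    def on_online_auth_message(self, mac: str, access_if: str) -> bool:
        if mac in self.mac_table:
            return True
        if len(self.mac_table) >= self.limit:
            return False  # table budget used up, legitimate devices included
        self.mac_table[mac] = access_if
        return True


def constructed_traffic():
    """Ten messages with continuously changing MACs, then one legitimate device."""
    changing = [(f"02:00:00:00:00:{i:02x}", "GE1/0/0.1") for i in range(1, 11)]
    return changing + [(LEGIT_MAC, "GE1/0/0.2")]


def compare():
    """Run the same traffic through both switches and return them for inspection."""
    legacy = LimitOnlySwitch()
    gated = GatedSwitch(AccessServer(frozenset({LEGIT_MAC})))
    for mac, access_if in constructed_traffic():
        legacy.on_online_auth_message(mac, access_if)
        gated.on_online_auth_message(mac, access_if)
    return legacy, gated


if __name__ == "__main__":
    legacy, gated = compare()
    print("limit-only table:", sorted(legacy.mac_table))
    print("gated table:     ", gated.mac_table, "refused:", gated.refused)
```

With the limit-only switch the four table slots are taken by the changing addresses and the legitimate device is never learned; the gated switch ends with exactly one entry, bound to the interface echoed by the access server.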
Fig. 3 is a flow chart of embodiment three of the message processing method of the present invention. As shown in Fig. 3, the method of this embodiment builds on the method shown in Fig. 1 or Fig. 2 and additionally controls the lease period of the MAC address. Specifically, after step 104 of Fig. 1 or step 206 shown in Fig. 2, this embodiment can further comprise:
Step 301: receive the lease expiry notification message sent by the access server equipment; the lease expiry notification message comprises the MAC address.
After the access server equipment has authenticated the source end equipment according to the online authentication message sent by the switch, for example the PE equipment, and authentication has passed, it can time the lease period of the MAC address used by the source end equipment. When the lease is about to expire or has expired, the access server equipment can send a lease expiry notification message to the PE equipment; this message comprises the MAC address whose lease period has expired or is about to expire.
After receiving the lease expiry notification message, the PE equipment knows that the lease period of the MAC address comprised in the message has expired or is about to expire.
The PE equipment can add this MAC address to the aging list. This step does not yet stop the source end equipment from using the MAC address; it only prepares for doing so. The PE equipment then sends the lease expiry notification message to the source end equipment, informing it that the lease period of the MAC address it currently uses is about to expire or has expired.
If the source end equipment still needs to use this MAC address, it can renew the lease on the MAC address. Specifically, the source end equipment can send a renewal message to the switch; the renewal message can comprise the MAC address to be renewed, that is, the MAC address the source end equipment currently uses.
After receiving the renewal message, the PE equipment knows that the source end equipment still needs to use this MAC address. The switch can therefore delete from the aging list the MAC address that was added to it in step 302, so that the MAC address is not aged and the source end equipment can continue to use it. The PE equipment can then send the renewal message to the access server equipment, for example the BRAS equipment, and after receiving the renewal message the access server equipment can restart timing of the lease period of this MAC address.
The implementation described above is the one in which the access server equipment notifies the source end equipment that the lease period of its MAC address is about to expire or has expired. Optionally, the source end equipment can also time the lease period of the MAC address itself. When the lease is about to expire and the source end equipment no longer needs the MAC address, it can actively send an aging request message to the PE equipment. After receiving the aging request message, the PE equipment can add the corresponding MAC address to the aging list and send an aging notification message to the access server equipment.
This embodiment builds on method embodiment one or embodiment two above. In addition, according to the renewal message sent by the source end equipment, the switch can renew or age the MAC address that the source end equipment currently uses, or it can age that MAC address according to an aging request message actively sent by the source end equipment. The switch can therefore maintain the MAC forwarding table according to the needs of the source end equipment.
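The lease handling of embodiment three with both sides' messages, as an added example that is not part of the patent text. The 60-second lease, the logical clock, the host addresses and the `purge_aging_list` step are assumptions: the page does not give a lease value or say when entries on the aging list leave the MAC forwarding table.

```python
from dataclasses import dataclass, field

LEASE_SECONDS = 60  # constructed lease period; the page gives no value
HOST_A, HOST_B, HOST_C = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c"


@dataclass
class AccessServer:
    """Times the lease of each authenticated MAC address (logical clock, seconds)."""
    expiry: dict = field(default_factory=dict)  # MAC -> time the lease ends
    notified: set = field(default_factory=set)  # MACs already reported as expired

    def start_lease(self, mac, now):
        self.expiry[mac] = now + LEASE_SECONDS
        self.notified.discard(mac)

    def due(self, now):
        """MACs needing a lease expiry notification; each is reported once."""
        due = sorted(m for m, t in self.expiry.items()
                     if t <= now and m not in self.notified)
        self.notified.update(due)
        return due

    def on_renewal_message(self, mac, now):
        self.start_lease(mac, now)  # restart lease timing

    def on_aging_notification(self, mac):
        self.expiry.pop(mac, None)  # the device gave the address up


@dataclass
class Switch:
    server: AccessServer
    mac_table: dict = field(default_factory=dict)  # MAC -> access interface
    aging_list: set = field(default_factory=set)
    relayed_to_source: list = field(default_factory=list)

    def learn(self, mac, access_if):
        self.mac_table[mac] = access_if

    def on_lease_expiry_notification(self, mac):  # from the access server
        self.aging_list.add(mac)
        self.relayed_to_source.append(("lease-expiry", mac))

    def on_renewal_message(self, mac, now):       # from the source end equipment
        self.aging_list.discard(mac)
        self.server.on_renewal_message(mac, now)

    def on_aging_request(self, mac):              # from the source end equipment
        self.aging_list.add(mac)
        self.server.on_aging_notification(mac)

    def purge_aging_list(self):
        """Assumption: entries still on the aging list are removed from the table."""
        aged = sorted(self.aging_list)
        for mac in aged:
            self.mac_table.pop(mac, None)
        self.aging_list.clear()
        return aged


def simulate():
    """Host A renews, host B stays silent, host C asks to be aged before expiry."""
    server = AccessServer()
    switch = Switch(server)
    hosts = [(HOST_A, "GE1/0/0.1"), (HOST_B, "GE1/0/0.2"), (HOST_C, "GE1/0/0.3")]
    for mac, access_if in hosts:   # state after three passing authentications
        server.start_lease(mac, now=0)
        switch.learn(mac, access_if)
    switch.on_aging_request(HOST_C)               # before the lease ends
    for mac in server.due(now=60):                # leases of A and B have ended
        switch.on_lease_expiry_notification(mac)
    switch.on_renewal_message(HOST_A, now=60)     # only A renews
    aged = switch.purge_aging_list()
    return switch, server, aged


if __name__ == "__main__":
    switch, server, aged = simulate()
    print("aged out:", aged)
    print("table:   ", switch.mac_table)
```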
Fig. 4 is a flow chart of embodiment four of the message processing method of the present invention. As shown in Fig. 4, the method of this embodiment consists of the steps that the access server equipment performs while the switch performs the method shown in Fig. 1. Specifically, the method of this embodiment can comprise:
Step 401: receive the online authentication message sent by the switch; the online authentication message comprises the MAC address of the source end equipment that sent the online authentication message.
The access server equipment, for example the BRAS equipment described above, can receive the online authentication message sent by the switch, for example the PE equipment.
As the forwarding device for online authentication messages, the switch can receive the online authentication message sent by source end equipment, for example a PC. The online authentication message can comprise the MAC address of the source end equipment. The PE equipment does not perform MAC learning directly after receiving an online authentication message that would require MAC learning, but sends the message to the access server equipment. The access server equipment can authenticate the source end equipment that sent the message.
The access server equipment can authenticate the legitimacy of the source end equipment according to the MAC address comprised in the online authentication message. This authentication can be carried out in any manner known in the prior art, which is not repeated here.
After authenticating the source end equipment, the access server equipment can send the authentication result message to the switch, so that the switch begins learning of the MAC forwarding table only when it receives an authentication message indicating that authentication passed.
Specifically, if the online authentication message that the switch sends to the access server equipment also comprises the access interface information of the source end equipment, the access server equipment can also include the access interface information in the authentication result message it sends to the switch. The switch therefore does not need to record the access interface information.
When a MAC attack exists, the source end equipment that initiates the attack is generally an unauthenticated user. Therefore, when the access server equipment authenticates according to the MAC addresses comprised in the online authentication messages sent by such users, the result is that authentication does not pass. After receiving from the access server equipment an authentication result message indicating that authentication did not pass, the PE equipment performs no learning of the MAC forwarding table.
In steps 404 and 405 above, the access server equipment can monitor the lease period of the MAC address used by the source end equipment. When the lease of the MAC address has expired or is about to expire, it can notify the source end equipment, so that the source end equipment renews or ages the MAC address. When the source end equipment renews the MAC address, the access server equipment can also restart timing of the lease period of the MAC address.
In this embodiment, the switch does not learn every received MAC address that would require MAC learning, but performs MAC learning only when authentication by the access server equipment has passed. The access server equipment can therefore help the switch to control the amount of MAC learning effectively, which avoids the problem that, when a MAC attack occurs, the switch cannot forward the online authentication messages sent by other normal source end equipment.
Fig. 5 is a schematic structural diagram of a switch embodiment of the present invention. As shown in Fig. 5, the switch of this embodiment can comprise a first receiver module 11, a first sending module 12 and a first processing module 13. The first receiver module 11 is used to receive the online authentication message sent by the source-end equipment, the online authentication message containing the MAC address of the source-end equipment, and to receive the authentication result message that the access server equipment sends after authenticating the source-end equipment according to the MAC address. The first sending module 12 is used to send the online authentication message received by the first receiver module 11 to the access server equipment. The first processing module 13 is used to perform MAC forwarding table learning according to the authentication result message when the authentication result message received by the first receiver module 11 indicates that authentication passed.
The switch of this embodiment can be a PE device and can be used to carry out the method of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
In another embodiment of the switch of the present invention, the first sending module 12 is also used to send the authentication result message containing the lease period information of the MAC address to the source-end equipment. The first receiver module 11 is also used to receive the lease expiry notification message sent by the access server equipment, the lease expiry notification message containing the MAC address; the first processing module 13 is also used to add the MAC address to the aging list; the first sending module 12 is also used to send the lease expiry notification message to the source-end equipment. The first receiver module 11 is also used to receive the lease renewal message that the source-end equipment sends in response to the lease expiry notification message, the lease renewal message containing the MAC address; the first processing module 13 is also used to delete the MAC address from the aging list; the first sending module 12 is also used to send the lease renewal message to the access server equipment.
Alternatively, the first receiver module 11 is also used to receive the aging request message sent by the source-end equipment, the aging request message containing the MAC address; the first sending module 12 is also used to add the MAC address to the aging list; the first sending module is used to send an aging notification message to the access server equipment.
The switch of this embodiment can be a PE device and can be used to carry out the method of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is a schematic structural diagram of an access server equipment embodiment of the present invention. As shown in Fig. 6, the access server equipment of this embodiment can comprise a second receiver module 21, a second processing module 22 and a second sending module 23. The second receiver module 21 is used to receive the online authentication message sent by the switch, the online authentication message containing the MAC address of the source-end equipment that sent it. The second processing module 22 is used to authenticate the source-end equipment according to the MAC address contained in the online authentication message received by the second receiver module. The second sending module 23 is used to send the authentication result message obtained by the second processing module's authentication processing to the switch.
In another embodiment of the access server equipment of the present invention, the second processing module 22 is also used to time the lease period of the MAC address; the second sending module 23 is also used, when the lease period is reached, to send a lease expiry notification message to the switch, the lease expiry notification message containing the MAC address. The second receiver module 21 is also used to receive the lease renewal message, sent by the source-end equipment and forwarded by the switch, and the second processing module 22 is also used to restart the lease timer for the MAC address according to the lease renewal message.
The access server equipment of the above embodiment can be BRAS equipment and can be used to carry out the method of the method embodiment shown in Fig. 4; its implementation principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of a message processing system embodiment of the present invention. As shown in Fig. 7, the message processing system of this embodiment can comprise CE equipment 1, switch 2 and access server equipment 3 connected in sequence. In this embodiment, switch 2 can comprise PE device 2a and PE device 2b, which are connected through a VPLS network. The VPLS network can support the DHCP protocol and the PPPoE protocol, so the source-end equipment can access the BRAS equipment through the VPLS network, and MAC learning on switch 2 is achieved through DHCP online authentication messages or PPPoE online authentication messages, that is, DHCP Snooping messages or PPPoE Snooping messages.
Specifically, in this embodiment, CE equipment 1 can be used to receive the online authentication message sent by the source-end equipment and forward it to switch 2. Switch 2 is used to receive the online authentication message sent by CE equipment 1, the online authentication message containing the MAC address of the source-end equipment; to send the online authentication message to access server equipment 3; to receive the authentication result message that access server equipment 3 sends after authenticating the source-end equipment according to the MAC address; and, if authentication passes, to perform MAC forwarding table learning according to the authentication result message. Access server equipment 3 is used to receive the online authentication message sent by switch 2, authenticate the source-end equipment according to the MAC address, and send the authentication result message to switch 2.
The switch of this embodiment can be used to carry out the method of any of the embodiments of Figs. 1 to 3, and its structure can be the structure shown in Fig. 5. The access server equipment of this embodiment can be used to carry out the method of the embodiment shown in Fig. 4, and its structure can be the structure shown in Fig. 6. The specific implementation principle and technical effect are similar and are not repeated here.
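The behaviour the embodiments describe, learning a MAC address only from a passing authentication result and aging out addresses whose lease is not renewed, can be simulated as follows. This is an added example, not code from the patent; the class names, the allow-list standing in for the access server's authentication decision, the table capacity, and the rule that entries left on the aging list are dropped from the forwarding table are all assumptions.

```python
from dataclasses import dataclass, field

LEGIT = ["02:00:00:00:00:01", "02:00:00:00:00:02"]  # constructed subscriber MACs


@dataclass
class AccessServer:
    """Stand-in for the access server (BRAS): authenticates MACs, times leases."""
    allowed: set                      # assumption: a static allow-list decides the result
    lease_seconds: int = 60
    leases: dict = field(default_factory=dict)  # MAC -> lease expiry time

    def authenticate(self, mac, port, now):
        passed = mac in self.allowed
        if passed:
            self.leases[mac] = now + self.lease_seconds
        # The result echoes the access port information the switch attached.
        return {"mac": mac, "port": port, "passed": passed}

    def expired(self, now):
        return sorted(m for m, t in self.leases.items() if t <= now)

    def renew(self, mac, now):
        self.leases[mac] = now + self.lease_seconds


class Switch:
    def __init__(self, server, capacity, gated):
        self.server, self.capacity, self.gated = server, capacity, gated
        self.fdb = {}       # MAC forwarding table: MAC -> access port
        self.aging = set()  # aging list

    def _learn(self, mac, port):
        if mac not in self.fdb and len(self.fdb) >= self.capacity:
            return False    # table exhausted
        self.fdb[mac] = port
        return True

    def on_online_auth(self, mac, port, now):
        """Return True when the device ends up authenticated and learned."""
        if not self.gated:
            # Baseline: learn every source MAC on receipt. Modelling assumption:
            # with the table full, the message cannot be forwarded.
            if not self._learn(mac, port):
                return False
            return self.server.authenticate(mac, port, now)["passed"]
        # Gated: forward first, learn only from a passing result message.
        result = self.server.authenticate(mac, port, now)
        return result["passed"] and self._learn(result["mac"], result["port"])

    def on_lease_expiry_notice(self, mac):
        self.aging.add(mac)          # notice is then relayed to the source device

    def on_renew(self, mac, now):
        self.aging.discard(mac)      # renewal removes the MAC from the aging list
        self.server.renew(mac, now)  # renewal is relayed; server restarts the timer

    def age_out(self):
        # Assumption: entries still on the aging list are dropped from the table.
        for mac in self.aging:
            self.fdb.pop(mac, None)
        self.aging.clear()


def simulate_flood(gated, capacity=8, flood=100):
    server = AccessServer(allowed=set(LEGIT))
    sw = Switch(server, capacity, gated)
    for i in range(flood):  # constructed spoofed source MACs
        sw.on_online_auth(f"06:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "ce1", now=0)
    results = [sw.on_online_auth(mac, "ce1", now=0) for mac in LEGIT]
    return len(sw.fdb), results


def simulate_lease():
    server = AccessServer(allowed=set(LEGIT))
    sw = Switch(server, capacity=8, gated=True)
    for mac in LEGIT:
        sw.on_online_auth(mac, "ce1", now=0)
    for mac in server.expired(now=60):   # both leases reach their term
        sw.on_lease_expiry_notice(mac)
    sw.on_renew(LEGIT[0], now=60)        # only the first device renews
    sw.age_out()
    return sorted(sw.fdb), server.leases[LEGIT[0]]


if __name__ == "__main__":
    print("learn on receipt:", simulate_flood(gated=False))
    print("learn on auth   :", simulate_flood(gated=True))
    print("after lease term:", simulate_lease())
```

With learning on receipt, the spoofed addresses fill the table and the two legitimate devices cannot come online; with authentication-gated learning, the table holds only the two authenticated addresses.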
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A message processing method, characterized by comprising:
receiving an online authentication message sent by source-end equipment, the online authentication message containing the MAC address of the source-end equipment;
sending the online authentication message to access server equipment;
receiving an authentication result message sent by the access server equipment after it authenticates the MAC address;
if authentication passes, performing MAC forwarding table learning according to the authentication result message.
2. The message processing method according to claim 1, characterized in that, before sending the online authentication message to the access server equipment, the method comprises:
adding access port information to the Dynamic Host Configuration Protocol message or the Point-to-Point Protocol over Ethernet message;
the receiving of the authentication result message sent by the access server equipment after it authenticates the source-end equipment according to the MAC address comprises:
receiving the authentication result message, the authentication result message containing the access port information;
the performing of MAC forwarding table learning according to the authentication result message comprises:
obtaining the access port information from the authentication result message, generating MAC learning information according to the access port information, and performing MAC forwarding table learning according to the MAC learning information.
3. The message processing method according to claim 2, characterized in that the authentication result message contains lease period information for the MAC address, and after receiving the authentication result message sent by the access server equipment after it authenticates the source-end equipment according to the MAC address, the method further comprises:
sending the authentication result message containing the lease period information of the MAC address to the source-end equipment;
the method further comprises:
receiving a lease expiry notification message sent by the access server equipment, the lease expiry notification message containing the MAC address, adding the MAC address to an aging list, and sending the lease expiry notification message to the source-end equipment; receiving a lease renewal message that the source-end equipment sends in response to the lease expiry notification message, the lease renewal message containing the MAC address, deleting the MAC address from the aging list, and sending the lease renewal message to the access server equipment; or,
receiving an aging request message sent by the source-end equipment, the aging request message containing the MAC address, adding the MAC address to the aging list, and sending an aging notification message to the access server equipment.
4. A message processing method, characterized by comprising:
receiving an online authentication message sent by a switch, the online authentication message containing the MAC address of the source-end equipment that sent the online authentication message;
authenticating the source-end equipment according to the MAC address;
sending an authentication result message to the switch.
5. The message processing method according to claim 4, characterized by further comprising:
timing the lease period of the MAC address and, when the lease period is reached, sending a lease expiry notification message to the switch, the lease expiry notification message containing the MAC address;
receiving a lease renewal message, sent by the source-end equipment and forwarded by the switch, and restarting the lease timer for the MAC address according to the lease renewal message.
6. A switch, characterized by comprising:
a first receiver module, used to receive an online authentication message sent by source-end equipment, the online authentication message containing the MAC address of the source-end equipment, and to receive an authentication result message sent by access server equipment after it authenticates the source-end equipment according to the MAC address;
a first sending module, used to send the online authentication message received by the first receiver module to the access server equipment;
a first processing module, used to perform MAC forwarding table learning according to the authentication result message when the authentication result message received by the first receiver module indicates that authentication passed.
7. The switch according to claim 6, characterized in that the first receiver module is also used to receive a lease expiry notification message sent by the access server equipment, the lease expiry notification message containing the MAC address; the first processing module is also used to add the MAC address to an aging list; the first sending module is also used to send the lease expiry notification message to the source-end equipment; or,
the first receiver module is also used to receive an aging request message sent by the source-end equipment, the aging request message containing the MAC address; the first sending module is used to add the MAC address to the aging list; the first sending module is also used to send an aging notification message to the access server equipment; or,
the first receiver module is also used to receive a lease renewal message that the source-end equipment sends in response to the lease expiry notification message, the lease renewal message containing the MAC address; the first processing module is also used to delete the MAC address from the aging list; the first sending module is also used to send the lease renewal message to the access server equipment.
8. Access server equipment, characterized by comprising:
a second receiver module, used to receive an online authentication message sent by a switch, the online authentication message containing the MAC address of the source-end equipment that sent the online authentication message;
a second processing module, used to authenticate the source-end equipment according to the MAC address contained in the online authentication message received by the second receiver module;
a second sending module, used to send the authentication result message obtained by the second processing module's authentication processing to the switch.
9. The access server equipment according to claim 8, characterized in that the second receiver module is also used to receive a lease renewal message, sent by the source-end equipment and forwarded by the switch, and the second processing module is also used to restart the lease timer for the MAC address according to the lease renewal message; the second processing module is also used to time the lease period of the MAC address; the second sending module is also used, when the lease period is reached, to send a lease expiry notification message to the switch, the lease expiry notification message containing the MAC address.
10. A message processing system, characterized by comprising customer edge equipment, a switch and access server equipment connected in sequence;
the customer edge equipment is used to receive an online authentication message sent by source-end equipment and forward the online authentication message to the switch;
the switch is used to receive the online authentication message sent by the customer edge equipment, the online authentication message containing the MAC address of the source-end equipment; to send the online authentication message to the access server equipment; to receive the authentication result message sent by the access server equipment after it authenticates the source-end equipment according to the MAC address; and, if authentication passes, to perform MAC forwarding table learning according to the authentication result message;
the access server equipment is used to receive the online authentication message sent by the switch, authenticate the source-end equipment according to the MAC address, and send the authentication result message to the switch.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105121150A CN101980496A (en) | 2010-10-13 | 2010-10-13 | Message processing method and system, exchange board and access server equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105121150A CN101980496A (en) | 2010-10-13 | 2010-10-13 | Message processing method and system, exchange board and access server equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101980496A true CN101980496A (en) | 2011-02-23 |
Family
ID=43600981
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010105121150A Pending CN101980496A (en) | 2010-10-13 | 2010-10-13 | Message processing method and system, exchange board and access server equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101980496A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102316001A (en) * | 2011-10-13 | 2012-01-11 | 杭州华三通信技术有限公司 | Virtual network connection configuration realizing method and network equipment |
CN102413052A (en) * | 2011-11-30 | 2012-04-11 | 华为技术有限公司 | Network access method, device and system |
CN102983968A (en) * | 2011-09-02 | 2013-03-20 | 深圳市快播科技有限公司 | A method and a server for software backend authentication |
CN103685007A (en) * | 2012-08-31 | 2014-03-26 | 杭州华三通信技术有限公司 | Method for MAC address learning during packet forwarding of edge devices and edge device |
WO2014090194A1 (en) * | 2012-12-13 | 2014-06-19 | 华为技术有限公司 | Dialing method of terminal device, and access device |
CN104283858A (en) * | 2013-07-09 | 2015-01-14 | 华为技术有限公司 | Method, device and system for controlling user terminal access |
CN104717216A (en) * | 2015-03-12 | 2015-06-17 | 福建星网锐捷网络有限公司 | Network access control method, device and core equipment |
CN106131066A (en) * | 2016-08-26 | 2016-11-16 | 杭州华三通信技术有限公司 | A kind of authentication method and device |
CN107547431A (en) * | 2017-05-24 | 2018-01-05 | 新华三技术有限公司 | Message processing method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101170515A (en) * | 2007-12-04 | 2008-04-30 | 华为技术有限公司 | A method, system and gateway device for processing packets |
CN101197780A (en) * | 2007-12-19 | 2008-06-11 | 华为技术有限公司 | Method, system and device for updating MAC address |
CN101197785A (en) * | 2008-01-04 | 2008-06-11 | 杭州华三通信技术有限公司 | MAC authentication method and apparatus |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102983968B (en) * | 2011-09-02 | 2017-03-22 | 深圳市快播科技有限公司 | A method and a server for software backend authentication |
CN102983968A (en) * | 2011-09-02 | 2013-03-20 | 深圳市快播科技有限公司 | A method and a server for software backend authentication |
CN102316001A (en) * | 2011-10-13 | 2012-01-11 | 杭州华三通信技术有限公司 | Virtual network connection configuration realizing method and network equipment |
CN102413052B (en) * | 2011-11-30 | 2015-08-19 | 华为技术有限公司 | A kind of method of access network, Apparatus and system |
CN102413052A (en) * | 2011-11-30 | 2012-04-11 | 华为技术有限公司 | Network access method, device and system |
CN103685007A (en) * | 2012-08-31 | 2014-03-26 | 杭州华三通信技术有限公司 | Method for MAC address learning during packet forwarding of edge devices and edge device |
CN103685007B (en) * | 2012-08-31 | 2016-11-16 | 杭州华三通信技术有限公司 | A kind of mac learning method when edge device message forwards and edge device |
WO2014090194A1 (en) * | 2012-12-13 | 2014-06-19 | 华为技术有限公司 | Dialing method of terminal device, and access device |
CN104283858A (en) * | 2013-07-09 | 2015-01-14 | 华为技术有限公司 | Method, device and system for controlling user terminal access |
WO2015003565A1 (en) * | 2013-07-09 | 2015-01-15 | 华为技术有限公司 | Method, device and system for controlling access of user terminal |
CN104283858B (en) * | 2013-07-09 | 2018-02-13 | 华为技术有限公司 | Control the method, apparatus and system of user terminal access |
EP3001635A4 (en) * | 2013-07-09 | 2016-04-06 | Huawei Tech Co Ltd | Method, device and system for controlling access of user terminal |
KR101768512B1 (en) | 2013-07-09 | 2017-08-17 | 후아웨이 테크놀러지 컴퍼니 리미티드 | Method, apparatus and system for controlling access of user terminal |
US9825950B2 (en) | 2013-07-09 | 2017-11-21 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for controlling access of user terminal |
CN104717216A (en) * | 2015-03-12 | 2015-06-17 | 福建星网锐捷网络有限公司 | Network access control method, device and core equipment |
CN104717216B (en) * | 2015-03-12 | 2018-09-07 | 福建星网锐捷网络有限公司 | A kind of access control method, device and core equipment |
CN106131066A (en) * | 2016-08-26 | 2016-11-16 | 杭州华三通信技术有限公司 | A kind of authentication method and device |
CN106131066B (en) * | 2016-08-26 | 2019-09-17 | 新华三技术有限公司 | A kind of authentication method and device |
CN107547431A (en) * | 2017-05-24 | 2018-01-05 | 新华三技术有限公司 | Message processing method and device |
CN107547431B (en) * | 2017-05-24 | 2020-07-07 | 新华三技术有限公司 | Message processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C53 | Correction of patent of invention or patent application | ||
CB02 | Change of applicant information | Address after: 100085 Beijing, Haidian District on the road, No. 3; Applicant after: Beijing Huawei Digital Technology Co.,Ltd.; Address before: 100085 Beijing, Haidian District on the road, No. 3; Applicant before: Huawei Digit Technology Co., Ltd. |
COR | Change of bibliographic data | Free format text: CORRECT: APPLICANT; FROM: HUAWEI DIGIT TECHNOLOGY CO., LTD. TO: BEIJING HUAWEI DIGITAL TECHNOLOGY CO., LTD. |
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20110223 |