CN101980496A - Message processing method and system, exchange board and access server equipment - Google Patents

Publication number
CN101980496A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010105121150A
Other languages
Chinese (zh)
Inventor
陈艺彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Digital Technologies Chengdu Co Ltd
Huawei Digital Technologies Co Ltd
Original Assignee
Huawei Digital Technologies Chengdu Co Ltd
Application filed by Huawei Digital Technologies Chengdu Co Ltd
Priority to CN2010105121150A
Publication of CN101980496A

Abstract

The embodiments of the invention provide a message processing method, a message processing system, a switch and an access server device. The message processing method comprises: receiving an online authentication message sent by a source device, wherein the online authentication message carries the media access control (MAC) address of the source device; sending the online authentication message to the access server device; receiving an authentication result message sent by the access server device after it authenticates the source device according to the MAC address; and, if the source device passes authentication, performing MAC forwarding table learning according to the authentication result message. In the embodiments of the invention, the switch does not learn every received MAC address that would otherwise need to be learned, but only the MAC addresses that pass authentication by the access server device. The number of learned MAC addresses can therefore be controlled effectively, which avoids the problem that the switch cannot forward the online authentication messages sent by other normal source devices when a MAC attack occurs.

Description

Message processing method and system, switch and access server equipment
Technical field
The embodiments of the invention relate to communication technology, and in particular to a message processing method and system, a switch and an access server device.
Background art
A switch is a device that performs the information exchange function in a communication network. An existing switch maintains a mapping table between media access control (Media Access Control, hereinafter: MAC) addresses and the transmit ports of the switch, also called the MAC forwarding table. When a MAC message is forwarded through the switch and the mapping table contains no transmit port information corresponding to the MAC address of the message, the switch broadcasts the message to all transmit ports. When the target device returns information through a particular transmit port, the switch knows which transmit port corresponds to the MAC address and adds the correspondence between that transmit port and the MAC address to the MAC forwarding table. This process is the learning process of the MAC forwarding table.
In existing communication networks such as layer-2 networks or Virtual Private LAN Service (hereinafter: VPLS) networks, whenever the switch receives from a source device a MAC message for which the MAC forwarding table has no corresponding transmit port information, it performs MAC learning, and this learning keeps occupying the MAC forwarding table. Therefore, when a source device maliciously sends MAC messages with continuously changing MAC addresses, a MAC attack occurs, which exhausts the resources of the mapping table so that the switch cannot forward normally. To address this, the prior art defends against MAC attacks by limiting the number of MAC addresses learned on all virtual switch interfaces (Virtual Switch Interface, hereinafter: VSI) of the switch or on a particular VSI. However, this is a passive defence: when a MAC attack occurs, once the number of learned MAC addresses exceeds the preset threshold, the switch can no longer forward the MAC messages sent by other legitimate source devices attached to all VSIs or to the same VSI.
Summary of the invention
The embodiments of the invention provide a message processing method and system, a switch and an access server device.
An embodiment of the invention provides a message processing method, comprising:
receiving an online authentication message sent by a source device, the online authentication message containing the MAC address of the source device;
sending the online authentication message to an access server device;
receiving an authentication result message sent by the access server device after it authenticates the source device according to the MAC address;
if authentication passes, performing MAC forwarding table learning according to the authentication result message.
An embodiment of the invention provides another message processing method, comprising:
receiving an online authentication message sent by a switch, the online authentication message containing the MAC address of the source device that sent the online authentication message;
authenticating the source device according to the MAC address;
sending an authentication result message to the switch.
An embodiment of the invention provides a switch, comprising:
a first receiving module, configured to receive an online authentication message sent by a source device, the online authentication message containing the MAC address of the source device, and to receive an authentication result message sent by an access server device after it authenticates the source device according to the MAC address;
a first sending module, configured to send the online authentication message received by the first receiving module to the access server device;
a first processing module, configured to perform MAC forwarding table learning according to the authentication result message when the authentication result message received by the first receiving module indicates that authentication has passed.
An embodiment of the invention provides an access server device, comprising:
a second receiving module, configured to receive an online authentication message sent by a switch, the online authentication message containing the MAC address of the source device that sent the online authentication message;
a second processing module, configured to authenticate the source device according to the MAC address contained in the online authentication message received by the second receiving module;
a second sending module, configured to send to the switch the authentication result message obtained by the authentication processing of the second processing module.
An embodiment of the invention provides a message processing system, comprising a customer edge device, a switch and an access server device connected in sequence;
the customer edge device is configured to receive the online authentication message sent by a source device and forward the online authentication message to the switch;
the switch is configured to receive the online authentication message sent by the customer edge device, the online authentication message containing the MAC address of the source device, send the online authentication message to the access server device, receive the authentication result message sent by the access server device after it authenticates the source device according to the MAC address, and, if authentication passes, perform MAC forwarding table learning according to the authentication result message;
the access server device is configured to receive the online authentication message sent by the switch, authenticate the source device according to the MAC address, and send the authentication result message to the switch.
In the embodiments of the invention, the switch does not learn every received MAC address that would otherwise need MAC learning, but only the MAC addresses that pass authentication by the access server device. The number of learned MAC addresses can therefore be controlled effectively, which avoids the problem that the switch cannot forward the online authentication messages sent by other normal source devices when a MAC attack occurs.
Brief description of the drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the drawings described below show some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the message processing method of the invention;
Fig. 2 is a flow chart of embodiment two of the message processing method of the invention;
Fig. 3 is a flow chart of embodiment three of the message processing method of the invention;
Fig. 4 is a flow chart of embodiment four of the message processing method of the invention;
Fig. 5 is a structural diagram of an embodiment of the switch of the invention;
Fig. 6 is a structural diagram of an embodiment of the access server device of the invention;
Fig. 7 is a structural diagram of an embodiment of the message processing system of the invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of embodiment one of the message processing method of the invention. As shown in Fig. 1, the method of this embodiment can comprise:
Step 101: receive the online authentication message sent by a source device, the online authentication message containing the MAC address of the source device.
As the forwarding device for online authentication messages, the switch can receive the online authentication message sent by a source device, for example a PC. The online authentication message can contain the MAC address of the source device.
For example, the switch can be a provider edge (Provider Edge, hereinafter: PE) device. The source device can be connected to the PE device through a customer edge (Customer Edge, hereinafter: CE) device. The PE device can therefore receive the online authentication message of the source device as transparently transmitted by the CE device.
Step 102: send the online authentication message to the access server device.
In the prior art, after the PE device receives the online authentication message, if the MAC forwarding table contains no transmit port information corresponding to the MAC address in the message, the PE device cannot know from which transmit port the message should be sent. It therefore broadcasts the message from every transmit port and performs MAC learning.
By contrast, in this embodiment, after receiving an online authentication message that would require MAC learning, the PE device does not perform MAC learning directly but sends the online authentication message to the access server device. The access server device can authenticate the source device that sent the online authentication message.
For example, the access server device in this embodiment can be a Broadband Remote Access Server (hereinafter: BRAS) device. A BRAS device is an access gateway for broadband network applications. It is the bridge between the broadband access network and the backbone network, and provides the basic access means and management functions of the broadband access network. A BRAS device mainly performs two functions: a network bearer function and a control function. The control function means that the BRAS device cooperates with the authentication system, the charging system, the customer management system and the service policy control system to implement authentication, charging and management of user access. Specifically, function servers such as the operator's authentication server and accounting server can be connected behind the BRAS. When a user logs in, the BRAS can send the user name and password entered by the user to the authentication server, and after verification passes, the BRAS allows the user to access the network. In this embodiment, the BRAS device can authenticate the legitimacy of the source device according to the MAC address contained in the online authentication message. After authentication is complete, the BRAS device can feed the authentication result message back to the PE device.
This embodiment does not limit how the access server device authenticates the source device according to the MAC address; a person skilled in the art can adopt an appropriate authentication method as required.
Step 103: receive the authentication result message sent by the access server device after it authenticates the source device according to the MAC address.
The PE device can receive the authentication result message sent by the access server device, for example a BRAS device.
Step 104: if authentication passes, perform MAC forwarding table learning according to the authentication result message.
If the received authentication result message indicates that the source device corresponding to the MAC address has passed authentication, the PE device only then begins MAC forwarding table learning. This learning can use the learning method of the prior art and is not described again here.
If authentication does not pass, the PE device refuses to perform forwarding processing for this network device.
As can be seen from the above, if the PE device performs MAC forwarding table learning in the above manner starting from its initial state, every MAC forwarding entry stored in the MAC forwarding table must have passed authentication by the access server device, and the MAC address of a source device that failed authentication is never added to the MAC forwarding table.
When a MAC attack exists, the source device that initiates it is generally an unauthenticated user. Therefore, when the access server device authenticates according to the MAC address contained in an online authentication message sent by such a user, the result is an authentication failure. After receiving from the access server device the authentication result message indicating failure, the PE device does not perform MAC forwarding table learning.
In this embodiment, the switch does not learn every received MAC address that would otherwise need MAC learning, but only the MAC addresses that pass authentication by the access server device. The number of learned MAC addresses can therefore be controlled effectively, which avoids the problem that the switch cannot forward the online authentication messages sent by other normal source devices when a MAC attack occurs.
Fig. 2 is a flow chart of embodiment two of the message processing method of the invention. As shown in Fig. 2, this embodiment is a specific implementation of the method embodiment shown in Fig. 1, and the method of this embodiment can comprise:
Step 201: receive the online authentication message sent by a source device, the online authentication message containing the MAC address of the source device.
The implementation of step 201 is similar to that of step 101 shown in Fig. 1 and is not described again here.
Step 202: add the access interface information of the source device to the online authentication message.
After receiving the online authentication message, the switch, for example a PE device, knows from which access interface the message was received. Therefore, before sending the online authentication message to the access server device, the PE device can add this access interface information to the message.
Taking the case where the bridged network is a VPLS network as an example, the protocols that the VPLS network can support include the Dynamic Host Configuration Protocol (hereinafter: DHCP) and the point-to-point protocol over Ethernet (hereinafter: PPPOE).
For DHCP, the online authentication message that the source device sends to the PE device is a DHCP request message (DHCP Request). The PE device can insert Option information into this DHCP Request, for example 60:PE GE1/0/0.1Tag 100; this Option information is the access interface information.
For PPPOE, the online authentication message that the source device sends to the PE device is a PPPoE Active Discovery Request (PADR) message. The PE device can insert Vendor-Specific information into this PADR message, for example 0x0105:PE1GE1/0/0.1Tag 100; this Vendor-Specific information is the access interface information.
Step 203: send the online authentication message to the access server device.
Step 204: receive the authentication result message sent by the access server device after it authenticates the source device according to the MAC address, the authentication result message containing the access interface information.
After receiving the online authentication message, the access server device can authenticate the legitimacy of the source device according to the MAC address in the message. This process is similar to the authentication of the source device by the BRAS device in step 102 shown in Fig. 1 and is not described again here. The difference is that, after authentication of the source device is complete, the access server device can carry the access interface information from the online authentication message sent by the switch in the authentication result message that it sends back to the switch. From this access interface information the switch can therefore know on which receiving port the source device authenticated by the access server device is located, without the switch having to record the access interface information when it receives the online authentication message.
In this embodiment, the authentication result message can be a DHCP offer (DHCP Offer) message in the DHCP protocol, or a PPPoE Active Discovery Session-confirmation (PADS) message in the PPPOE protocol.
Step 205: obtain the access interface information from the authentication result message, generate MAC learning information according to the access interface information, and perform MAC forwarding table learning according to the MAC learning information.
After receiving the authentication result message, the switch can obtain the access interface information from it. The switch can then generate MAC learning information according to the access interface information; for example, the MAC learning information can be combined information such as the access interface information and the MAC address. The switch can perform MAC forwarding table learning according to the generated MAC learning information. This learning can be implemented with the prior art and is not described again here.
Step 206: send the authentication result message containing the lease period information of the MAC address to the source device.
The authentication result message that the access server device sends to the PE device can also contain lease period information of the MAC address, that is, the validity period of the MAC address. The PE device can therefore send the lease period information of the MAC address to the source device, so that the source device learns that the MAC address is usable within the lease period.
In this embodiment, the switch does not learn every received MAC address that would otherwise need MAC learning, but only the MAC addresses that pass authentication by the access server device. The number of learned MAC addresses can therefore be controlled effectively, which avoids the problem that the switch cannot forward the online authentication messages sent by other normal source devices when a MAC attack occurs. Moreover, the switch does not need to record the access interface information when it receives a message; it only needs to add the access interface information to the message it forwards, which reduces the operational complexity of the switch.
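The following simulation is an added example, not code from the patent. It contrasts the prior-art learning limit with the authentication-gated learning of embodiments one and two when a flood of changing MAC addresses precedes one legitimate device. All class names, the allow-list authentication and the sample addresses are assumptions made for the illustration.

```python
# Added illustration, not code from the patent. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class AccessServer:
    """Stands in for the BRAS. Assumption: authentication is an allow-list
    lookup; the patent leaves the authentication method open."""
    authorized: set
    requests: int = 0

    def authenticate(self, msg):
        self.requests += 1
        # The access interface information is echoed back, so the switch does
        # not have to remember where the request came from.
        return {"mac": msg["mac"], "access_if": msg["access_if"],
                "passed": msg["mac"] in self.authorized}


@dataclass
class LimitSwitch:
    """Prior art: learn every unknown source MAC until a learning limit is hit."""
    limit: int
    table: dict = field(default_factory=dict)

    def on_online_auth(self, mac, access_if):
        if mac not in self.table:
            if len(self.table) >= self.limit:
                return False  # table full: legitimate devices are refused too
            self.table[mac] = access_if
        return True


@dataclass
class GatedSwitch:
    """Embodiments one and two: learn only from a 'passed' authentication result."""
    server: AccessServer
    table: dict = field(default_factory=dict)

    def on_online_auth(self, mac, access_if):
        msg = {"mac": mac, "access_if": access_if}        # step 202
        result = self.server.authenticate(msg)            # steps 203-204
        if not result["passed"]:
            return False                                  # nothing is learned
        self.table[result["mac"]] = result["access_if"]   # step 205
        return True


def constructed_flood(count):
    """Constructed sample input: `count` distinct locally administered MACs."""
    for i in range(count):
        yield "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run(switch, flood_count, legit_mac, legit_if="GE1/0/0.2"):
    """Feed the flood on one interface, then one legitimate device on another.
    Returns True if the legitimate device was accepted and learned."""
    for mac in constructed_flood(flood_count):
        switch.on_online_auth(mac, "GE1/0/0.1")
    return switch.on_online_auth(legit_mac, legit_if)


LEGIT = "00:11:22:33:44:55"  # constructed address

if __name__ == "__main__":
    prior = LimitSwitch(limit=1000)
    print("limit-based:", run(prior, 5000, LEGIT), len(prior.table))
    gated = GatedSwitch(AccessServer(authorized={LEGIT}))
    print("auth-gated: ", run(gated, 5000, LEGIT), gated.table, gated.server.requests)
```

In this model every flooded message still reaches the access server (`server.requests`), so the forwarding table is protected while the authentication path carries the flood load.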
Fig. 3 is a flow chart of embodiment three of the message processing method of the invention. As shown in Fig. 3, on the basis of the method shown in Fig. 1 or Fig. 2, the method of this embodiment further controls the lease period of the MAC address. Specifically, after step 104 shown in Fig. 1 or step 206 shown in Fig. 2, this embodiment can further comprise:
Step 301: receive the lease expiry notification message sent by the access server device, the lease expiry notification message containing the MAC address.
After the access server device has authenticated the source device according to the online authentication message sent by the switch, for example a PE device, and authentication has passed, it can time the lease period of the MAC address used by the source device. When the timer is about to expire or has expired, the access server device can send a lease expiry notification message to the PE device; this message contains the MAC address whose lease period has expired or is about to expire.
After receiving the lease expiry notification message, the PE device knows that the lease period of the MAC address contained in the message has arrived or is about to arrive.
Step 302: add the MAC address to the aging list, and send the lease expiry notification message to the source device.
The PE device can add the MAC address to the aging list. This does not yet stop the source device from using the MAC address; it prepares for the source device to stop using it. The PE device then sends the lease expiry notification message to the source device, informing it that the lease period of the MAC address it currently uses is about to expire or has expired.
Step 303: receive the lease renewal message sent by the source device, the lease renewal message containing the MAC address.
If the source device still needs to continue using the MAC address, it can renew the lease of the MAC address. Specifically, the source device can send a lease renewal message to the switch; the message can contain the MAC address to be renewed, that is, the MAC address the source device is currently using.
Step 304: delete the MAC address from the aging list, and send the lease renewal message to the access server device.
After receiving the lease renewal message, the PE device knows that the source device still needs to continue using the MAC address. The switch can therefore delete from the aging list the MAC address that was added in step 302, so that the MAC address is not aged and the source device can continue to use it. The PE device can then send the lease renewal message to the access server device, for example a BRAS device, and after receiving the lease renewal message the access server device can restart timing of the lease period of the MAC address.
The implementation described above is the one in which the access server device notifies the source device that the lease period of its MAC address is about to expire or has expired. Optionally, the source device can also time the lease period of the MAC address itself. When the lease period is about to arrive, if the source device no longer needs the MAC address, it can actively send an aging request message to the PE device. After receiving the aging request message, the PE device can add the corresponding MAC address to the aging list and send the aging notification message to the access server device.
On the basis of method embodiment one or embodiment two, in this embodiment the switch can further perform lease renewal or aging processing on the MAC address currently used by the source device according to the lease renewal message sent by the source device, or perform aging processing on the MAC address currently used by the source device according to the aging request message actively sent by the source device. The switch can therefore maintain the MAC forwarding table according to the needs of the source device.
Fig. 4 is a flow chart of embodiment four of the message processing method of the invention. As shown in Fig. 4, the method of this embodiment consists of the steps that the access server device performs correspondingly when the switch performs the method shown in Fig. 1. Specifically, the method of this embodiment can comprise:
Step 401: receive the online authentication message sent by the switch, the online authentication message containing the MAC address of the source device that sent the online authentication message.
The access server device, for example the BRAS device described above, can receive the online authentication message sent by the switch, for example a PE device.
As the forwarding device for online authentication messages, the switch can receive the online authentication message sent by a source device, for example a PC. The online authentication message can contain the MAC address of the source device. After receiving an online authentication message that would require MAC learning, the PE device does not perform MAC learning directly but sends the online authentication message to the access server device. The access server device can authenticate the source device that sent the online authentication message.
Step 402: authenticate the source device according to the MAC address.
The access server device can authenticate the legitimacy of the source device according to the MAC address contained in the online authentication message. This authentication can be carried out in any manner known in the prior art and is not described again here.
Step 403: send the authentication result message to the switch.
After authenticating the source device, the access server device can send the authentication result message to the switch, so that the switch begins MAC forwarding table learning only when it receives an authentication result message indicating that authentication has passed.
Specifically, if the online authentication message that the switch sends to the access server device also contains the access interface information of the source device, the access server device can also include the access interface information in the authentication result message it sends to the switch, so the switch does not have to record the access interface information.
When a MAC attack exists, the source device that initiates it is generally an unauthenticated user. Therefore, when the access server device authenticates according to the MAC address contained in an online authentication message sent by such a user, the result is an authentication failure. After receiving from the access server device the authentication result message indicating failure, the PE device does not perform MAC forwarding table learning.
Step 404: time the lease period of the MAC address, and when the lease period arrives, send a lease expiry notification message to the switch, the lease expiry notification message containing the MAC address.
Step 405: receive the lease renewal message sent by the source device and forwarded by the switch, and restart timing of the lease period of the MAC address according to the lease renewal message.
In steps 404 and 405, the access server device can monitor the lease period of the MAC address used by the source device. When the MAC address has expired or is about to expire, it can notify the source device so that the source device renews or ages the MAC address. When the source device renews the MAC address, the access server device can also restart timing of the lease period of the MAC address.
In the present embodiment, switch is not that the MAC Address that need carry out mac learning to each that receives is learnt, but only the access server device authentication by the time, just carry out mac learning.Therefore, access server equipment can assist switch effectively to control mac learning quantity in the present embodiment, avoids occurring switch and can't transmit the problem of processing to the message identifying of reaching the standard grade that other normal source end equipment sends when sending the MAC attack.
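The gating behaviour of steps 401 to 405, sketched as an added Python simulation (not code from the patent), contrasts a switch that learns every source MAC with one that learns only after the access server passes authentication. The allow-list standing in for authentication, the table capacity of 4, the port names, the MAC addresses and the removal of un-renewed aging-list entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessServer:
    """Stands in for the BRAS: authenticates by MAC and times each lease."""
    allowed: set                      # assumption: allow-list replaces real authentication
    lease_seconds: int = 60
    leases: dict = field(default_factory=dict)   # mac -> lease end time

    def authenticate(self, mac, port, now):
        # Steps 401-403: authenticate by MAC, echo the access port in the result.
        passed = mac in self.allowed
        if passed:
            self.leases[mac] = now + self.lease_seconds
        return {"mac": mac, "port": port, "passed": passed}

    def expired(self, now):
        # Step 404: MAC addresses whose lease period has run out.
        return [mac for mac, end in self.leases.items() if end <= now]

    def renew(self, mac, now):
        # Step 405: restart lease timing on a renewal message.
        self.leases[mac] = now + self.lease_seconds


@dataclass
class GatedSwitch:
    """Stands in for the PE switch: learns a MAC only after a passing result."""
    server: AccessServer
    capacity: int = 4                 # assumption: tiny table to make exhaustion visible
    mac_table: dict = field(default_factory=dict)    # mac -> access port
    aging_list: set = field(default_factory=set)

    def on_online_auth(self, mac, port, now):
        result = self.server.authenticate(mac, port, now)
        if not result["passed"]:
            return False              # failed authentication: nothing is learned
        if mac not in self.mac_table and len(self.mac_table) >= self.capacity:
            return False
        # The port comes from the result message, not from state kept by the switch.
        self.mac_table[result["mac"]] = result["port"]
        return True

    def on_lease_expiry(self, now):
        expired = self.server.expired(now)
        self.aging_list.update(expired)
        return expired

    def on_renewal(self, mac, now):
        self.aging_list.discard(mac)
        self.server.renew(mac, now)

    def purge_aged(self):
        # Assumption: entries still in the aging list are dropped from the table.
        for mac in self.aging_list:
            self.mac_table.pop(mac, None)
            self.server.leases.pop(mac, None)
        self.aging_list.clear()


def naive_learn(frames, capacity):
    """Baseline: learn every source MAC until the table is full."""
    table = {}
    for mac, port in frames:
        if mac in table or len(table) < capacity:
            table[mac] = port
    return table


def spoofed_flood(count, port="ge0/1"):
    """Constructed sample input: distinct locally administered source MACs."""
    return [("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), port) for i in range(count)]


# Constructed legitimate hosts and their access ports.
LEGIT = [("00:11:22:33:44:55", "ge0/2"), ("00:11:22:33:44:66", "ge0/3")]


def run_demo():
    frames = spoofed_flood(1000) + LEGIT
    naive = naive_learn(frames, capacity=4)
    switch = GatedSwitch(AccessServer(allowed={mac for mac, _ in LEGIT}))
    for mac, port in frames:
        switch.on_online_auth(mac, port, now=0)
    learned = dict(switch.mac_table)
    switch.on_lease_expiry(now=60)                    # both leases run out
    switch.on_renewal("00:11:22:33:44:55", now=60)    # only one host renews
    switch.purge_aged()
    return naive, learned, dict(switch.mac_table)


if __name__ == "__main__":
    naive, learned, after = run_demo()
    print("naive table:", sorted(naive))
    print("gated table:", learned)
    print("after lease expiry:", after)
```
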
Fig. 5 is a schematic structural diagram of an embodiment of the switch of the present invention. As shown in Fig. 5, the switch of this embodiment can include a first receiving module 11, a first sending module 12 and a first processing module 13. The first receiving module 11 is configured to receive the online authentication message sent by a source device, where the online authentication message includes the MAC address of the source device, and to receive the authentication result message that the access server device sends after authenticating the source device according to the MAC address. The first sending module 12 is configured to send the online authentication message received by the first receiving module 11 to the access server device. The first processing module 13 is configured to perform learning processing of the MAC forwarding table according to the authentication result message when the authentication result message received by the first receiving module 11 indicates that authentication passed.
The switch of this embodiment can be a PE device and can be used to carry out the method of the method embodiment shown in Fig. 1. Its implementation principle and technical effect are similar and are not described again here.
In another embodiment of the switch of the present invention, the first sending module 12 is also configured to send the authentication result message, which includes the lease period information of the MAC address, to the source device. The first receiving module 11 is also configured to receive the lease expiry notification message sent by the access server device, where the lease expiry notification message includes the MAC address; the first processing module 13 is also configured to add the MAC address to the aging list; and the first sending module 12 is also configured to send the lease expiry notification message to the source device. The first receiving module 11 is also configured to receive the lease renewal message that the source device sends in response to the lease expiry notification message, where the lease renewal message includes the MAC address; the first processing module 13 is also configured to delete the MAC address from the aging list; and the first sending module 12 is also configured to send the lease renewal message to the access server device.
Alternatively, the first receiving module 11 is also configured to receive an aging request message sent by the source device, where the aging request message includes the MAC address; the first sending module 12 is also configured to add the MAC address to the aging list; and the first sending module is configured to send an aging notification message to the access server device.
The switch of this embodiment can be a PE device and can be used to carry out the method of the method embodiment shown in Fig. 3. Its implementation principle and technical effect are similar and are not described again here.
Fig. 6 is a schematic structural diagram of an embodiment of the access server device of the present invention. As shown in Fig. 6, the access server device of this embodiment can include a second receiving module 21, a second processing module 22 and a second sending module 23. The second receiving module 21 is configured to receive the online authentication message sent by the switch, where the online authentication message includes the MAC address of the source device that sent the online authentication message. The second processing module 22 is configured to perform authentication processing on the source device according to the MAC address included in the online authentication message received by the second receiving module. The second sending module 23 is configured to send to the switch the authentication result message obtained from the authentication processing of the second processing module.
In another embodiment of the access server device of the present invention, the second processing module 22 is also configured to time the lease period of the MAC address, and the second sending module 23 is also configured to send a lease expiry notification message to the switch when the lease period expires, where the lease expiry notification message includes the MAC address. The second receiving module 21 is also configured to receive the lease renewal message that was sent by the source device and forwarded by the switch, and the second processing module 22 is also configured to restart timing of the lease period of the MAC address according to the lease renewal message.
The access server device of the above embodiments can be a BRAS device and can be used to carry out the method of the method embodiment shown in Fig. 4. Its implementation principle and technical effect are similar and are not described again here.
Fig. 7 is a schematic structural diagram of an embodiment of the message processing system of the present invention. As shown in Fig. 7, the message processing system of this embodiment can include a CE device 1, a switch 2 and an access server device 3 connected in sequence. In this embodiment, the switch 2 can include a PE device 2a and a PE device 2b, which are connected through a VPLS network. The VPLS network can support the DHCP protocol and the PPPoE protocol. The source device can therefore access the BRAS device through the VPLS network, and MAC learning on the switch 2 is achieved through the DHCP online authentication message or the PPPoE online authentication message, that is, a DHCP Snooping message or a PPPoE Snooping message.
Specifically, in this embodiment, the CE device 1 can be used to receive the online authentication message sent by the source device and forward it to the switch 2. The switch 2 is used to receive the online authentication message sent by the CE device 1, where the online authentication message includes the MAC address of the source device; to send the online authentication message to the access server device 3; to receive the authentication result message that the access server device 3 sends after authenticating the source device according to the MAC address; and, if authentication passed, to perform learning processing of the MAC forwarding table according to the authentication result message. The access server device 3 is used to receive the online authentication message sent by the switch 2, perform authentication processing on the source device according to the MAC address, and send the authentication result message to the switch 2.
The switch of this embodiment can be used to carry out the method of any of the embodiments shown in Figs. 1 to 3, and its structure can be the structure shown in Fig. 5. The access server device of this embodiment can be used to carry out the method of the embodiment shown in Fig. 4, and its structure can be the structure shown in Fig. 6. The specific implementation principles and technical effects are similar and are not described again here.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of their technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A message processing method, characterized by comprising:
receiving an online authentication message sent by a source device, where the online authentication message includes the MAC address of the source device;
sending the online authentication message to an access server device;
receiving an authentication result message that the access server device sends after authenticating the MAC address;
if authentication passed, performing learning processing of the MAC forwarding table according to the authentication result message.
2. The message processing method according to claim 1, characterized in that, before the online authentication message is sent to the access server device, the method comprises:
adding the access interface information to a Dynamic Host Configuration Protocol message or a Point-to-Point Protocol over Ethernet message;
the receiving of the authentication result message that the access server device sends after authenticating the source device according to the MAC address comprises:
receiving the authentication result message, where the authentication result message includes the access interface information;
the performing of learning processing of the MAC forwarding table according to the authentication result message comprises:
obtaining the access interface information from the authentication result message, generating MAC learning information according to the access interface information, and performing learning processing of the MAC forwarding table according to the MAC learning information.
3. The message processing method according to claim 2, characterized in that the authentication result message includes lease period information of the MAC address, and that, after the receiving of the authentication result message that the access server device sends after authenticating the source device according to the MAC address, the method further comprises:
sending the authentication result message, which includes the lease period information of the MAC address, to the source device;
the method further comprises:
receiving a lease expiry notification message sent by the access server device, where the lease expiry notification message includes the MAC address; adding the MAC address to an aging list and sending the lease expiry notification message to the source device; receiving a lease renewal message that the source device sends in response to the lease expiry notification message, where the lease renewal message includes the MAC address; deleting the MAC address from the aging list and sending the lease renewal message to the access server device; or,
receiving an aging request message sent by the source device, where the aging request message includes the MAC address; adding the MAC address to the aging list and sending an aging notification message to the access server device.
4. A message processing method, characterized by comprising:
receiving an online authentication message sent by a switch, where the online authentication message includes the MAC address of the source device that sent the online authentication message;
performing authentication processing on the source device according to the MAC address;
sending an authentication result message to the switch.
5. The message processing method according to claim 4, characterized by further comprising:
timing the lease period of the MAC address and, when the lease period expires, sending a lease expiry notification message to the switch, where the lease expiry notification message includes the MAC address;
receiving a lease renewal message that was sent by the source device and forwarded by the switch, and restarting timing of the lease period of the MAC address according to the lease renewal message.
6. A switch, characterized by comprising:
a first receiving module, configured to receive an online authentication message sent by a source device, where the online authentication message includes the MAC address of the source device, and to receive an authentication result message that an access server device sends after authenticating the source device according to the MAC address;
a first sending module, configured to send the online authentication message received by the first receiving module to the access server device;
a first processing module, configured to perform learning processing of the MAC forwarding table according to the authentication result message when the authentication result message received by the first receiving module indicates that authentication passed.
7. The switch according to claim 6, characterized in that the first receiving module is also configured to receive a lease expiry notification message sent by the access server device, where the lease expiry notification message includes the MAC address; the first processing module is also configured to add the MAC address to an aging list; and the first sending module is also configured to send the lease expiry notification message to the source device; or,
the first receiving module is also configured to receive an aging request message sent by the source device, where the aging request message includes the MAC address; the first sending module is configured to add the MAC address to the aging list; and the first sending module is also configured to send an aging notification message to the access server device; or,
the first receiving module is also configured to receive a lease renewal message that the source device sends in response to the lease expiry notification message, where the lease renewal message includes the MAC address; the first processing module is also configured to delete the MAC address from the aging list; and the first sending module is also configured to send the lease renewal message to the access server device.
8. An access server device, characterized by comprising:
a second receiving module, configured to receive an online authentication message sent by a switch, where the online authentication message includes the MAC address of the source device that sent the online authentication message;
a second processing module, configured to perform authentication processing on the source device according to the MAC address included in the online authentication message received by the second receiving module;
a second sending module, configured to send to the switch the authentication result message obtained from the authentication processing of the second processing module.
9. The access server device according to claim 8, characterized in that the second receiving module is also configured to receive a lease renewal message that was sent by the source device and forwarded by the switch, and the second processing module is also configured to restart timing of the lease period of the MAC address according to the lease renewal message; the second processing module is also configured to time the lease period of the MAC address; and the second sending module is also configured to send a lease expiry notification message to the switch when the lease period expires, where the lease expiry notification message includes the MAC address.
10. A message processing system, characterized by comprising a customer edge device, a switch and an access server device connected in sequence;
the customer edge device is configured to receive an online authentication message sent by a source device and forward the online authentication message to the switch;
the switch is configured to receive the online authentication message sent by the customer edge device, where the online authentication message includes the MAC address of the source device; to send the online authentication message to the access server device; to receive the authentication result message that the access server device sends after authenticating the source device according to the MAC address; and, if authentication passed, to perform learning processing of the MAC forwarding table according to the authentication result message;
the access server device is configured to receive the online authentication message sent by the switch, perform authentication processing on the source device according to the MAC address, and send the authentication result message to the switch.
CN2010105121150A 2010-10-13 2010-10-13 Message processing method and system, exchange board and access server equipment Pending CN101980496A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105121150A CN101980496A (en) 2010-10-13 2010-10-13 Message processing method and system, exchange board and access server equipment

Publications (1)

Publication Number Publication Date
CN101980496A true CN101980496A (en) 2011-02-23

Family

ID=43600981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105121150A Pending CN101980496A (en) 2010-10-13 2010-10-13 Message processing method and system, exchange board and access server equipment

Country Status (1)

Country Link
CN (1) CN101980496A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 100085 Beijing, Haidian District on the road, No. 3

Applicant after: Beijing Huawei Digital Technology Co.,Ltd.

Address before: 100085 Beijing, Haidian District on the road, No. 3

Applicant before: Huawei Digit Technology Co., Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: HUAWEI DIGIT TECHNOLOGY CO., LTD. TO: BEIJING HUAWEI DIGITAL TECHNOLOGY CO., LTD.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110223