CN108429823B - Method for preventing MAC address drift in DHCP network and switching equipment - Google Patents


Info

Publication number: CN108429823B
Authority: CN (China)
Prior art keywords: mac address, port, dhcp, host, static
Legal status: Active
Application number: CN201810168845.XA
Other languages: Chinese (zh)
Other versions: CN108429823A
Inventors: 张隆伟, 景咸刚
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L61/5053 Lease time; Renewal aspects
    • H04L61/5076 Update or notification mechanisms, e.g. DynDNS
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application provides a method for preventing MAC address drift in a DHCP network, and a switching device. It relates to the field of data communication and can prevent the MAC address of a host bound to an allocated IP address from drifting while keeping the IP address dynamically allocatable. The method comprises the following steps: after the host acquires an Internet Protocol (IP) address, if the switching device is configured with the DHCP snooping function, the switching device establishes a DHCP snooping table; if the first port is configured with the MAC address static binding function, the switching device establishes a static MAC address table; and the switching device configures a migration prohibition identifier for the DHCP snooping table. The DHCP snooping table comprises the IP address of the host, the Media Access Control (MAC) address of the host and the first port; the static MAC address table comprises the MAC address, the first port and a static binding identifier; the first port is the port of the switching device connected to the host; the static binding identifier prohibits the switching device from modifying the static MAC address table; and the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table.

Description

Method for preventing MAC address drift in DHCP network and switching equipment
Technical Field
The present application relates to the field of data communications, and in particular, to a method and a switching device for preventing MAC address drift in a DHCP network.
Background
As shown in fig. 1, in a network established using the Dynamic Host Configuration Protocol (DHCP) snooping technique (hereinafter referred to as a DHCP network), a switching device is connected to a legitimate host through port 1 and to a server through port 2. After the legitimate host acquires an Internet Protocol (IP) address from the server through the switching device, the switching device may establish a DHCP snooping binding table comprising the allocated IP address, port 1 and the Media Access Control (MAC) address of the legitimate host, so that the switching device can forward signaling packets and traffic packets (which carry service data) between the server and the legitimate host. When the legitimate host goes offline, the server recovers the allocated IP address according to the DHCP RELEASE message sent by the legitimate host. The server can therefore dynamically allocate and recycle the IP addresses held by online legitimate hosts, which improves the utilization rate of the assignable IP addresses in the DHCP network and thereby the network capacity of the DHCP network.
However, the MAC address of a legitimate host, carried in its signaling packets and traffic packets, may be observed by other hosts connected to the switching device. For example, after learning the MAC address of the legitimate host, an illegitimate host connected to port 3 of the switching device may forge signaling packets and traffic packets carrying that MAC address and send them to the switching device through port 3. Because the DHCP snooping binding table is dynamic, when the switching device receives the forged signaling and traffic packets it updates port 1 in the DHCP snooping binding table to port 3; that is, the MAC address of the legitimate host is migrated from port 1 to port 3. The switching device then forwards the signaling and traffic packets of the legitimate host between the illegitimate host and the server according to the updated DHCP snooping binding table, so that the user of the illegitimate host can steal the private information of the user of the legitimate host, or launch a network attack using the MAC address of the legitimate host as a mask.
In practice, the MAC address of the legitimate host can be manually bound to the port of the switching device to which the host is connected, so that the MAC address cannot drift. However, when the number of legitimate hosts is large, binding MAC addresses manually is a large workload, and when one or more legitimate hosts go offline, the IP addresses bound to them cannot be recovered in time, which lowers the IP address utilization of the DHCP network. How to prevent the MAC address of a host bound to an allocated IP address from drifting, while maintaining dynamic IP address allocation in the DHCP network, and thereby improve the security of transmitting the host's signaling and traffic packets, is therefore a problem that urgently needs to be solved.
Disclosure of Invention
The application provides a method and a switching device for preventing MAC address drift in a DHCP network, which can prevent the MAC address of a host bound to an allocated IP address from drifting while keeping the IP address dynamically allocatable, and thereby improve the security of transmitting the signaling packets and traffic packets of the host.
To achieve this purpose, the technical scheme is as follows:
In a first aspect, the present application provides a method for preventing MAC address drift in a DHCP network. The method may include: after the host acquires an Internet Protocol (IP) address, if the switching device is configured with the DHCP snooping function, the switching device establishes a Dynamic Host Configuration Protocol (DHCP) snooping table, the DHCP snooping table comprising the IP address of the host, the Media Access Control (MAC) address of the host and a first port, where the first port is the port of the switching device connected to the host; if the first port is configured with the MAC address static binding function, the switching device establishes a static MAC address table comprising the MAC address, the first port and a static binding identifier, the static binding identifier prohibiting the switching device from modifying the static MAC address table; and the switching device configures a migration prohibition identifier for the DHCP snooping table, the migration prohibition identifier prohibiting the switching device from modifying the DHCP snooping table.
In a second aspect, the present application provides a switching device applied in a DHCP network, the switching device comprising a Dynamic Host Configuration Protocol (DHCP) snooping module, a MAC address binding module and a storage module. The DHCP snooping module is configured to establish a DHCP snooping table if the switching device is configured with the DHCP snooping function after the host acquires an Internet Protocol (IP) address; the DHCP snooping table comprises the IP address of the host, the Media Access Control (MAC) address of the host and a first port, where the first port is the port of the switching device connected to the host. The MAC address binding module is configured to establish a static MAC address table if the first port is configured with the MAC address static binding function; the static MAC address table comprises the MAC address, the first port and a static binding identifier, and the static binding identifier prohibits the switching device from modifying the static MAC address table. The DHCP snooping module is further configured to configure a migration prohibition identifier for the DHCP snooping table, where the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table.
In a third aspect, the present application provides a switching device comprising a processor and a memory. The memory is used to store one or more programs, which include computer-executable instructions that, when executed by the switching device, cause the switching device to perform the method for preventing MAC address drift in a DHCP network described in the first aspect and any of its optional implementations.
In a fourth aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a switching device, cause the switching device to perform the method for preventing MAC address drift in a DHCP network according to the first aspect and any of its optional implementations.
In a fifth aspect, the present application provides a DHCP network comprising a host, a server and the switching device of the second aspect and any of its optional implementations.
According to the method and switching device for preventing MAC address drift in a DHCP network, after the host acquires an IP address, and provided the switching device is configured with the DHCP snooping function, a DHCP snooping table containing the IP address and MAC address of the host and the first port of the switching device connected to the host can be established; if the first port is configured with the MAC address static binding function, a static MAC address table containing the first port, the MAC address of the host and a static binding identifier is established, and a migration prohibition identifier is configured for the DHCP snooping table. The static binding identifier prohibits the switching device from modifying the static MAC address table, and the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table. The switching device is thereby prevented from changing the port associated with the MAC address of the host, in the DHCP snooping table and in the MAC address table, from the first port to another port on the basis of a traffic packet and/or DHCP message carrying the host's MAC address that another host sends through another port; that is, the MAC address of the host is prevented from drifting. This prevents the other host from stealing the host's traffic packets or launching a network attack with the host's MAC address as a cover identity, and improves the security of transmitting the host's signaling and traffic packets while keeping IP address resources dynamically allocated and recycled.
Drawings
Fig. 1 is a schematic view of a communication network structure applied by a method for preventing a MAC address from drifting in a DHCP network and a switching device according to an embodiment of the present disclosure;
fig. 2 is a first schematic diagram of a method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating a second method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present application;
fig. 4 is a third schematic diagram of a method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present application;
fig. 5 is a fourth schematic diagram of a method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present application;
fig. 6 is a fifth schematic diagram of a method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present application;
fig. 7 is a sixth schematic diagram of a method for preventing a MAC address from drifting in a DHCP network according to an embodiment of the present application;
fig. 8 is a first schematic structural diagram of a switching device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a switching device according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a switching device according to an embodiment of the present application.
Detailed Description
The following describes in detail a method and a switching device for preventing MAC address drift in a DHCP network according to an embodiment of the present application with reference to the accompanying drawings.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone.
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the description of the present application, the meaning of "a plurality" means two or more unless otherwise specified.
The method for preventing MAC address drift in a DHCP network provided by the embodiment of the present application can be applied to the DHCP network shown in fig. 1. As shown in fig. 1, the DHCP network may include a host, a switching device and a server. The host may be connected to the server through the switching device; the server is mainly used to allocate dynamic IP addresses to the hosts in the DHCP network, and the switching device is mainly used to forward signaling packets and traffic packets between each host and the server. Specifically, the switching device establishes a DHCP snooping table and a MAC address table for the host, and forwards signaling and traffic packets between the host and the server according to these tables. It should be noted that fig. 1 is only an exemplary architecture diagram; the network architecture may include functional units other than those shown in fig. 1, which is not limited in this application.
The host may be any terminal that can access the DHCP network shown in fig. 1 by wire or wirelessly, such as a mobile phone, a computer, a Personal Digital Assistant (PDA) or a laptop computer, which is not limited in the embodiments of the present application.
In practice, when a host comes online it requests a server in the DHCP network to allocate an IP address to it. The specific process is as follows:
Discovery phase: the host broadcasts a DHCP DISCOVER message to all servers in the DHCP network. The DISCOVER message carries the MAC address of the host and requests that a server assign an IP address to the host.
Offer phase: every server that receives the DISCOVER message broadcasts a DHCP OFFER message. The OFFER message carries the MAC address of the host, the IP address pre-allocated to the host, and information such as the domain name, the default gateway, the IP address of the DNS server and the IP address of the server sending the OFFER.
Request phase: the host determines whether an OFFER is addressed to it by checking whether the MAC address carried in the OFFER is the same as its own. After receiving an OFFER (usually the first one), the host broadcasts a DHCP REQUEST message. The REQUEST message carries the IP address pre-allocated to the host by the server that sent the OFFER, the MAC address of the host, and the IP address of that server. In practice, the REQUEST message notifies the server that sent the OFFER that the host intends to accept the IP address it allocated, and notifies the other servers to recover the IP addresses they pre-allocated to the host.
Acknowledgement phase: every server that receives the REQUEST message determines whether the REQUEST is addressed to it by checking whether the server IP address carried in the REQUEST is the same as its own. If so, the server broadcasts an acknowledgement (ACK) message; otherwise it broadcasts a negative acknowledgement (NACK) message. The ACK message carries the IP address of the server, the default gateway, the IP address of the DNS server, the IP address allocated by the server to the host together with its lease period and renewal time, and the MAC address of the host.
Detection phase: to avoid IP address conflicts, after receiving the ACK the host broadcasts an Address Resolution Protocol (ARP) message on the DHCP network. If no other host responds within the specified time, the host takes the IP address allocated by the server as its own IP address and automatically starts the renewal process according to the lease period and renewal time of the IP address.
IP address recovery phase: when the lease expires, the host automatically stops using the IP address and re-initiates the IP address acquisition process. Alternatively, before the lease expires, the host sends a DHCP RELEASE message to the server to actively relinquish the IP address assigned to it. In either case the server recovers the IP address allocated to the host and can allocate it to other hosts, which improves the utilization of the server's IP address resources.
In practice, as shown in fig. 1, the message forwarding in each phase is performed by the switching device, which is connected to both the server and the host. If the switching device is configured with the DHCP snooping function, it establishes a DHCP snooping binding table for each host to manage the correspondence between the IP address allocated by the server to the host, the MAC address of the host and the port of the switching device connected to the host, and records the correspondence between the MAC address of the host and that port in the MAC address forwarding table of the switching device, so as to forward signaling and traffic packets between the host and the server.
However, in the DHCP snooping binding table and the MAC address forwarding table, the correspondence between the MAC address of the host and the port of the switching device connected to the host is dynamic: the switching device updates the port corresponding to the MAC address of the host according to the port on which it receives a signaling and/or traffic packet carrying that MAC address. If the receiving port differs from the port recorded in the DHCP snooping binding table and the MAC address forwarding table, the recorded port is changed to the receiving port, and the MAC address of the host drifts.
The embodiment of the application provides a method for preventing MAC address drift in a DHCP network, which can be applied to the switching device of the DHCP network shown in fig. 1. Specifically, as shown in fig. 2, the method may include S201-S203:
S201, after the host acquires an Internet Protocol (IP) address, if the switching device is configured with the DHCP snooping function, the switching device establishes a Dynamic Host Configuration Protocol (DHCP) snooping table.
The DHCP snooping table comprises the IP address of the host, the Media Access Control (MAC) address of the host and a first port, where the first port is the port of the switching device connected to the host.
In practice, the host is regarded as having successfully acquired the IP address once it has broadcast the ARP message and received no response from other hosts within the specified time. However, the host does not notify the switching device after successfully acquiring the IP address. Therefore, in this embodiment of the present application, "the host acquires the IP address" may mean that the host receives the ACK message sent by the server, or that a preset time (which may be determined, for example, from the historical response time of ARP messages) has elapsed after the host received the ACK message sent by the server. For the former case, if the host ultimately fails to obtain the IP address this time, for example because of an IP address conflict, the static binding identifier described in S202 and the migration prohibition identifier described in S203 below need to be cleared, and the method flow provided in the embodiment of the present application may be executed again from S201.
S202, if the first port is configured with the MAC address static binding function, the switching device establishes a static MAC address table.
The static MAC address table comprises the MAC address of the host, the first port and a static binding identifier, and the static binding identifier prohibits the switching device from modifying the static MAC address table.
In the embodiment of the application, if the MAC address carried by a traffic packet is the same as the MAC address of the host but the port receiving the traffic packet differs from the port corresponding to that MAC address, the traffic packet can be determined to be a traffic attack packet, and MAC address drift is prevented by discarding it, which ensures that the private information of the user logged in through the host is not stolen and thereby improves the security of legitimate traffic packets. Therefore, optionally, in conjunction with fig. 2 and as shown in fig. 3, after S202 the method may further include S301-S302:
S301, the switching device receives a traffic packet through a second port of the switching device.
The traffic packet comprises the MAC address of the host.
S302, if the second port is different from the first port, the switching device discards the traffic packet.
In practice, the MAC address static binding function is a per-port configuration attribute of the switching device. Therefore, if the MAC address static binding function of one or more ports (hereinafter referred to as designated ports) of the switching device needs to be turned off, the migration prohibition identifiers corresponding to the designated ports in the DHCP snooping table and the static binding identifiers of all MAC addresses corresponding to the designated ports need to be cleared selectively. Therefore, optionally, in conjunction with fig. 2 and as shown in fig. 4, after S202 the method may further include S401:
S401, if the MAC address static binding function of a designated port is turned off, the switching device clears the static binding identifiers of all MAC addresses corresponding to the designated port in the static MAC address table.
The designated port is any port of the switching device.
S203, the switching device configures a migration prohibition identifier for the DHCP snooping table.
The migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table.
In the embodiment of the application, if the MAC address carried by a DHCP message is the same as the MAC address of the host but the port receiving the DHCP message differs from the port corresponding to that MAC address in the DHCP snooping table, the DHCP message can be determined to be a DHCP attack message, and MAC address drift is prevented by discarding it. This prevents an illegitimate host from forging the MAC address of the host to apply to the server for an IP address, which would establish a channel through which the illegitimate host accesses the DHCP network and launches a network attack with the MAC address of the host as a cover identity, and so improves the security of legitimate DHCP messages. Therefore, optionally, in conjunction with fig. 2 and as shown in fig. 5, after S203 the method may further include S501-S502:
S501, the switching device receives a DHCP message through a third port of the switching device.
The DHCP message comprises the MAC address of the host.
S502, if the third port is different from the first port, the switching device discards the DHCP message.
In practice, the DHCP snooping function is a global configuration attribute of the switching device. Therefore, if the DHCP snooping function of the switching device needs to be turned off, the migration prohibition identifiers of all DHCP snooping tables of the switching device and the static binding identifiers of all static MAC address tables need to be cleared. Optionally, in conjunction with fig. 2 and as shown in fig. 6, after S203 the method may further include S601-S602:
S601, if the DHCP snooping function of the switching device is turned off, the switching device clears the migration prohibition identifiers of all DHCP snooping tables in the switching device.
S602, the switching device clears the static binding identifiers of all static MAC address tables in the switching device.
When one or more hosts go offline, the IP addresses allocated to them need to be recovered so that they can be allocated to other newly online hosts, improving the utilization of the allocatable IP address resources. Therefore, optionally, in conjunction with fig. 2 and as shown in fig. 7, after S203 the method may further include S701-S702:
S701, if an offline host exists, the switching device clears the migration prohibition identifier of the DHCP snooping table containing the MAC address of the offline host.
The offline host is any host connected to the switching device.
S702, the switching device clears the static binding identifier corresponding to the MAC address of the offline host in the static MAC address table.
It can be understood that, to avoid adverse effects on the communication of hosts that are not offline, only the migration prohibition identifier and the static binding identifier corresponding to the offline host are cleared in the embodiment of the present application.
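As an added example, and not code from the patent or from Maipu, the following Python simulation models the two tables and the flag handling of S201-S203, S301-S302, S401, S501-S502, S601-S602 and S701-S702 described above. The table layouts, method names and the sample MAC, IP and port values are constructed, and the block assumes, following the summary paragraph, that the migration prohibition identifier is set together with the static binding identifier when the first port has static binding configured.

```python
"""Added example, not the patent's or Maipu's code: a simulation of the
switch-side tables in CN108429823B.  Table layouts, method names and the
sample MAC, IP and port values are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class SnoopEntry:          # one row of the DHCP snooping table
    ip: str
    mac: str
    port: int              # the "first port" the host is attached to
    no_migrate: bool = False      # the "migration prohibition identifier"


@dataclass
class MacEntry:            # one row of the MAC address table
    mac: str
    port: int
    static_bound: bool = False    # the "static binding identifier"


class Switch:
    def __init__(self, static_binding_ports=(), snooping=True):
        self.snooping = snooping                       # global attribute
        self.static_ports = set(static_binding_ports)  # per-port attribute
        self.snoop = {}        # mac -> SnoopEntry
        self.mac_table = {}    # mac -> MacEntry
        self.dropped = []      # (kind, mac, port) of discarded messages

    # S201-S203, run once the host has acquired its IP (assumed here to be
    # the moment the server's ACK is forwarded towards the host's port).
    def host_acquired_ip(self, mac, ip, port):
        if not self.snooping:
            return
        self.snoop[mac] = SnoopEntry(ip, mac, port)
        self.mac_table[mac] = MacEntry(mac, port)
        if port in self.static_ports:                  # S202 and S203
            self.mac_table[mac].static_bound = True
            self.snoop[mac].no_migrate = True

    # S301-S302 (traffic) and S501-S502 (DHCP): a message carrying a bound
    # MAC that arrives on another port is discarded instead of moving the MAC.
    def receive(self, kind, mac, port):
        s = self.snoop.get(mac)
        if s is not None and s.no_migrate and port != s.port:
            self.dropped.append((kind, mac, port))
            return "drop"
        if s is not None:      # ordinary dynamic learning: MAC follows port
            s.port = port
        m = self.mac_table.get(mac)
        if m is None or not m.static_bound:
            self.mac_table[mac] = MacEntry(mac, port)
        return "forward"

    # S401: static binding turned off on one designated port.
    def disable_static_binding(self, port):
        self.static_ports.discard(port)
        for m in self.mac_table.values():
            if m.port == port:
                m.static_bound = False
        for s in self.snoop.values():
            if s.port == port:
                s.no_migrate = False

    # S601-S602: snooping turned off globally clears every flag.
    def disable_snooping(self):
        self.snooping = False
        for s in self.snoop.values():
            s.no_migrate = False
        for m in self.mac_table.values():
            m.static_bound = False

    # S701-S702 (host offline) and the failed-acquisition case under S201:
    # only that host's two flags are cleared, so its IP can be recycled.
    def host_offline(self, mac):
        if mac in self.snoop:
            self.snoop[mac].no_migrate = False
        if mac in self.mac_table:
            self.mac_table[mac].static_bound = False


def run_scenario():
    """Host A on port 1 (static binding on), host B on port 2 (off); a third
    port replays both MACs, as in the background section of the patent."""
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"    # constructed MACs
    sw = Switch(static_binding_ports={1})
    sw.host_acquired_ip(a, "192.0.2.10", port=1)       # constructed IPs
    sw.host_acquired_ip(b, "192.0.2.11", port=2)
    out = {
        "a_traffic_from_3": sw.receive("traffic", a, 3),   # drop
        "a_dhcp_from_3": sw.receive("dhcp", a, 3),         # drop
        "a_own_port": sw.receive("traffic", a, 1),         # forward
        "b_traffic_from_3": sw.receive("traffic", b, 3),   # forward, drifts
        "dropped": len(sw.dropped),                        # 2
    }
    out["a_port"], out["b_port"] = sw.snoop[a].port, sw.snoop[b].port  # 1, 3
    sw.host_offline(a)                 # A goes offline (S701-S702)
    out["a_after_release"] = sw.receive("traffic", a, 3)               # forward
    return out
```

Host B shows the ordinary dynamic behaviour the background section warns about (its entry follows the replaying port), while host A's flags keep both tables pinned to port 1 until it goes offline.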
According to the method for preventing the MAC address from drifting in the DHCP network, after the host acquires the IP address and under the condition that the switching equipment is configured with the DHCP monitoring function, a DHCP monitoring table containing the IP address and the MAC address of the host and a first port connected with the host in the switching equipment can be established; if the first port has configured the MAC address static binding function, a static MAC address table containing the first port, the MAC address of the host and a static binding identifier is established, and a migration prohibition identifier is configured for the DHCP monitoring table. The static binding identifier prohibits the switching equipment from modifying a static MAC address table, and the migration identifier prohibits the switching equipment from modifying a DHCP monitoring table, so as to avoid the switching equipment from modifying a port corresponding to the MAC address of the host in the DHCP monitoring table and the MAC address table from a first port to another port according to a flow message and/or a DHCP message which are sent by another host through another port and carry the MAC address of the host, i.e. the MAC address of the host can be prevented from drifting, so that the other host can be prevented from stealing service data of the host, or the MAC address of the host is used as a shield identity to initiate a network attack, and the safety of transmitting a signaling message and the flow message of the host can be improved on the premise of keeping IP address resources dynamically distributed and recycled.
In this embodiment, the switching device may be divided into functional modules or functional units according to the method examples above; for example, each function may correspond to one module or unit, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module or unit. The division into modules or units in this embodiment is schematic and is only a logical functional division; other divisions are possible in practice.
Fig. 8 shows a schematic diagram of a possible structure of the switching device involved in the above embodiment. The switching device is applied in a Dynamic Host Configuration Protocol (DHCP) network and may include a DHCP snooping module 81, a MAC address binding module 82 and a storage module 83.
The DHCP snooping module 81 is configured to establish a DHCP snooping table after a host acquires an Internet Protocol (IP) address, provided the switching device has the DHCP snooping function configured; the DHCP snooping table comprises the IP address of the host, the Media Access Control (MAC) address of the host and a first port, where the first port is the port of the switching device to which the host is connected;
the MAC address binding module 82 is configured to establish a static MAC address table if the first port has the MAC address static binding function configured; the static MAC address table comprises the MAC address, the first port and a static binding identifier, and the static binding identifier prohibits the switching device from modifying the static MAC address table;
the DHCP snooping module 81 is further configured to set a migration prohibition identifier on the DHCP snooping table; the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table;
and the storage module 83 is configured to store instructions and packets.
Optionally, in conjunction with Fig. 8 and as shown in Fig. 9, the switching device may further include a receiving module 84 and a forwarding module 85, wherein
the receiving module 84 is configured to receive a traffic packet through a second port of the switching device, the traffic packet carrying the MAC address;
and the forwarding module 85 is configured to discard the traffic packet if the second port is different from the first port.
Optionally, the receiving module 84 is further configured to receive a DHCP packet through a third port of the switching device, the DHCP packet carrying the MAC address;
and the DHCP snooping module 81 is further configured to discard the DHCP packet if the third port is different from the first port.
Optionally, the DHCP snooping module 81 is further configured to clear the migration prohibition identifiers of all DHCP snooping tables in the switching device if the DHCP snooping function of the switching device is turned off;
and the MAC address binding module 82 is further configured to clear the static binding identifiers of all static MAC address tables in the switching device.
Optionally, the DHCP snooping module 81 is further configured to clear the migration prohibition identifier of the DHCP snooping table containing the MAC address of an offline host when such a host exists; the offline host is any host connected to the switching device;
and the MAC address binding module 82 is further configured to clear the static binding identifier corresponding to the MAC address of the offline host in the static MAC address table.
Optionally, the MAC address binding module 82 is further configured to clear the static binding identifiers of all MAC addresses corresponding to a designated port in the static MAC address table if the MAC address static binding function of that port is turned off; the designated port is any port of the switching device.
The switching device provided by this embodiment can, once a host has acquired an IP address and the switching device has the DHCP snooping function configured, establish a DHCP snooping table containing the host's IP address, the host's MAC address and the first port (the port of the switching device to which the host is connected). If the first port has the MAC address static binding function configured, it establishes a static MAC address table containing the first port, the host's MAC address and a static binding identifier, and sets a migration prohibition identifier on the DHCP snooping table. The static binding identifier prohibits the switching device from modifying the static MAC address table, and the migration prohibition identifier prohibits it from modifying the DHCP snooping table. The switching device therefore will not move the port associated with the host's MAC address, in either table, from the first port to another port on the strength of a traffic packet and/or DHCP packet that another host sends through that other port carrying the host's MAC address. The host's MAC address is thus prevented from drifting, so the other host can neither steal the host's service data nor use the host's MAC address as a cover identity for launching a network attack, and the security of the host's signaling and traffic packets is improved while IP address resources remain dynamically allocated and reclaimed.
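The method (steps through S702) and the module structure of Figs. 8 and 9 together describe one small state machine: a DHCP snooping row and a MAC table row pinned to the first port, and three events (snooping turned off, host offline, port binding turned off) that release the pins. The following Python model, added here as an illustration and not code from the patent or from Maipu, runs a spoofing host's traffic and DHCP packets through a switch with and without the static binding, and exercises the three release paths. Class and method names, the port names "port1"/"port2" and the MAC and IP values are constructed for the example.

```python
"""Control-plane model of the anti-drift scheme: added example, not patent code.
Table layouts, method names and the attack scenario are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class SnoopEntry:
    """One row of the DHCP snooping table (IP, MAC, first port)."""
    ip: str
    mac: str
    port: str
    no_migrate: bool = False      # the "migration prohibition identifier"


@dataclass
class MacEntry:
    """One row of the MAC address table."""
    port: str
    static: bool = False          # the "static binding identifier"


class Switch:
    def __init__(self, snooping: bool = True, static_binding_ports: Optional[Set[str]] = None):
        self.snooping = snooping
        self.static_binding_ports: Set[str] = set(static_binding_ports or ())
        self.snoop_table: Dict[str, SnoopEntry] = {}   # keyed by host MAC
        self.mac_table: Dict[str, MacEntry] = {}       # keyed by host MAC
        self.log: List[str] = []

    def dhcp_lease_granted(self, ip: str, mac: str, port: str) -> None:
        """Host on `port` obtained `ip`: build the snooping row and, if the
        port has static binding enabled, pin both tables to this first port."""
        self.mac_table[mac] = MacEntry(port)
        if not self.snooping:
            return
        entry = SnoopEntry(ip, mac, port)
        self.snoop_table[mac] = entry
        if port in self.static_binding_ports:
            self.mac_table[mac].static = True
            entry.no_migrate = True

    def rx_frame(self, src_mac: str, port: str) -> bool:
        """Traffic packet with source `src_mac` on `port`: True = forwarded."""
        known = self.mac_table.get(src_mac)
        if known is None:
            self.mac_table[src_mac] = MacEntry(port)  # ordinary dynamic learning
            return True
        if known.port == port:
            return True
        if known.static:                              # second port != first port
            self.log.append(f"drop frame src={src_mac} in={port} bound={known.port}")
            return False
        known.port = port   # unprotected: the MAC address drifts to the new port
        return True

    def rx_dhcp(self, client_mac: str, port: str) -> bool:
        """DHCP packet for `client_mac` on `port`: True = accepted."""
        entry = self.snoop_table.get(client_mac)
        if entry is None or entry.port == port:
            return True
        if entry.no_migrate:                          # third port != first port
            self.log.append(f"drop dhcp mac={client_mac} in={port} bound={entry.port}")
            return False
        entry.port = port   # unprotected: the snooping row drifts
        return True

    # The three ways the pins are released.
    def disable_snooping(self) -> None:
        self.snooping = False
        for e in self.snoop_table.values():
            e.no_migrate = False
        for m in self.mac_table.values():
            m.static = False

    def host_offline(self, mac: str) -> None:
        """Only the leaving host's pins are cleared; other hosts stay pinned."""
        if mac in self.snoop_table:
            self.snoop_table[mac].no_migrate = False
        if mac in self.mac_table:
            self.mac_table[mac].static = False

    def disable_port_binding(self, port: str) -> None:
        self.static_binding_ports.discard(port)
        for m in self.mac_table.values():
            if m.port == port:
                m.static = False


VICTIM = "aa:aa:aa:aa:aa:aa"   # constructed sample address


def spoof_scenario(static_binding: bool):
    """Victim leases 10.0.0.5 on port1; a host on port2 then sends a frame and
    a DHCP request with the victim's MAC. Returns
    (frame_forwarded, dhcp_accepted, mac_table_port, snoop_table_port)."""
    sw = Switch(snooping=True, static_binding_ports={"port1"} if static_binding else set())
    sw.dhcp_lease_granted("10.0.0.5", VICTIM, "port1")
    frame_ok = sw.rx_frame(VICTIM, "port2")
    dhcp_ok = sw.rx_dhcp(VICTIM, "port2")
    return frame_ok, dhcp_ok, sw.mac_table[VICTIM].port, sw.snoop_table[VICTIM].port


if __name__ == "__main__":
    print("without static binding:", spoof_scenario(False))   # drift happens
    print("with static binding:   ", spoof_scenario(True))    # both packets dropped
```

Without the binding, both tables follow the spoofed packets to port2 and the attacker receives the victim's traffic; with it, both packets are discarded and the tables keep port1. The caveat a deployer should weigh is that the same check blocks a legitimate host that is re-patched to another port until the offline event clears its pins, so whatever the real device uses to declare a host offline (lease release or expiry, link down) determines how long that host stays cut off.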
Fig. 10 shows a schematic diagram of another possible structure of the switching device involved in the above embodiment. The switching device includes: a processing unit 1001. The processing unit 1001 is configured to control and manage the actions of the switching device, for example, perform the steps performed by the DHCP snooping module 81, the MAC address binding module 82, the forwarding module 85, and/or other processes for performing the techniques described herein. The switching device may further include a communication unit 1002, a storage unit 1003, and a bus 1004. The communication unit 1002 is configured to support communication between the switching device and other network entities, for example, perform the steps performed by the receiving module 84. The storage unit 1003 is used to store program codes and messages of the switching device.
The processing unit 1001 may be a processor or a controller in the switching device, which may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the present application. The processor or controller may be a central processing unit, a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The processor may also be a combination of computing devices, for example one or more microprocessors, or a microprocessor together with a DSP.
The communication unit 1002 may be a transceiver, a transceiving circuit, a communication interface, or the like in a switching device.
The storage unit 1003 may be a memory in a switching device or the like, and the memory may include a volatile memory such as a random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; the memory may also comprise a combination of memories of the kind described above.
The bus 1004 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 1004 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
The embodiment of the present application provides a DHCP network, which may include a host, a switch device, and a server, where the switch device is configured to forward a traffic packet and a signaling packet between the host and the server, so as to execute the method for preventing a MAC address from drifting in the DHCP network provided in the embodiment of the present application. For the description of the host, the switching device and the server, reference may be made to the related description in the above method embodiment and apparatus embodiment, and details are not described here again.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
An embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the switching device executes the instructions, the switching device executes each step executed by the switching device in the method flow shown in the foregoing method embodiment.
The computer readable storage medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a register, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer readable storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. The storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A method for preventing MAC address drift in a DHCP network, comprising:
after a host acquires an Internet Protocol (IP) address, if a switching device has a DHCP snooping function configured, the switching device establishes a Dynamic Host Configuration Protocol (DHCP) snooping table; wherein the DHCP snooping table comprises an IP address of the host, a Media Access Control (MAC) address of the host and a first port, the first port being the port of the switching device to which the host is connected;
if the first port has a MAC address static binding function configured, the switching device establishes a static MAC address table; wherein the static MAC address table comprises the MAC address, the first port and a static binding identifier, and the static binding identifier prohibits the switching device from modifying the static MAC address table;
the switching device configures a migration prohibition identifier for the DHCP snooping table; wherein the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table.
2. The method of claim 1, wherein after the switching device establishes the static MAC address table if the first port has the MAC address static binding function configured, the method further comprises:
the switching device receives a traffic packet through a second port of the switching device; wherein the traffic packet comprises the MAC address;
and if the second port is different from the first port, the switching device discards the traffic packet.
3. The method of claim 1, wherein after the switching device configures the migration prohibition identifier for the DHCP snooping table, the method further comprises:
the switching device receives a DHCP packet through a third port of the switching device; wherein the DHCP packet comprises the MAC address;
and if the third port is different from the first port, the switching device discards the DHCP packet.
4. The method according to any of claims 1-3, wherein after the switching device configures the migration prohibition identifier for the DHCP snooping table, the method further comprises:
if the DHCP snooping function of the switching device is turned off, the switching device clears the migration prohibition identifiers of all DHCP snooping tables in the switching device;
and the switching device clears the static binding identifiers of all static MAC address tables in the switching device.
5. The method according to any of claims 1-3, wherein after the switching device configures the migration prohibition identifier for the DHCP snooping table, the method further comprises:
if an offline host exists, the switching device clears the migration prohibition identifier of the DHCP snooping table containing the MAC address of the offline host; the offline host is any host connected to the switching device;
and the switching device clears the static binding identifier corresponding to the MAC address of the offline host in the static MAC address table.
6. The method according to any of claims 1-3, wherein after the switching device establishes the static MAC address table if the first port has the MAC address static binding function configured, the method further comprises:
if the MAC address static binding function of a designated port is turned off, the switching device clears the static binding identifiers of all MAC addresses corresponding to the designated port in the static MAC address table; wherein the designated port is any port of the switching device.
7. A switching device, for use in a DHCP network, the switching device comprising:
a Dynamic Host Configuration Protocol (DHCP) snooping module, configured to establish a DHCP snooping table after a host acquires an Internet Protocol (IP) address, if the switching device has a DHCP snooping function configured; wherein the DHCP snooping table comprises an IP address of the host, a Media Access Control (MAC) address of the host and a first port, the first port being the port of the switching device to which the host is connected;
a MAC address binding module, configured to establish a static MAC address table if the first port has a MAC address static binding function configured; wherein the static MAC address table comprises the MAC address, the first port and a static binding identifier, and the static binding identifier prohibits the switching device from modifying the static MAC address table;
the DHCP snooping module being further configured to configure a migration prohibition identifier for the DHCP snooping table; wherein the migration prohibition identifier prohibits the switching device from modifying the DHCP snooping table.
8. The switching device of claim 7, further comprising a receiving module and a forwarding module, wherein
the receiving module is configured to receive a traffic packet through a second port of the switching device; wherein the traffic packet comprises the MAC address;
and the forwarding module is configured to discard the traffic packet if the second port is different from the first port.
9. The switching device of claim 7, wherein
the receiving module is further configured to receive a DHCP packet through a third port of the switching device; wherein the DHCP packet comprises the MAC address;
and the DHCP snooping module is further configured to discard the DHCP packet if the third port is different from the first port.
10. The switching device according to any of claims 7-9, wherein
the DHCP snooping module is further configured to clear the migration prohibition identifiers of all DHCP snooping tables in the switching device if the DHCP snooping function of the switching device is turned off;
and the MAC address binding module is further configured to clear the static binding identifiers of all static MAC address tables in the switching device.
11. The switching device according to any of claims 7-9, wherein
the DHCP snooping module is further configured to clear the migration prohibition identifier of the DHCP snooping table containing the MAC address of an offline host if such a host exists; the offline host is any host connected to the switching device;
and the MAC address binding module is further configured to clear the static binding identifier corresponding to the MAC address of the offline host in the static MAC address table.
12. The switching device according to any of claims 7-9, wherein
the MAC address binding module is further configured to clear the static binding identifiers of all MAC addresses corresponding to a designated port in the static MAC address table if the MAC address static binding function of the designated port is turned off; wherein the designated port is any port of the switching device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810168845.XA CN108429823B (en) 2018-02-28 2018-02-28 Method for preventing MAC address drift in DHCP network and switching equipment

Publications (2)

Publication Number Publication Date
CN108429823A CN108429823A (en) 2018-08-21
CN108429823B true CN108429823B (en) 2021-06-29

Family

ID=63157304

Country Status (1)

Country Link
CN (1) CN108429823B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098291A (en) * 2006-06-29 2008-01-02 ZTE Corporation Method for preventing disturbance of medium accessing control address table on access equipment
CN101834870A (en) * 2010-05-13 2010-09-15 ZTE Corporation Method and device for preventing deceptive attack of MAC (Medium Access Control) address
CN104980526A (en) * 2014-04-04 2015-10-14 ZTE Corporation Control method of media access control (MAC) address drift, control device of MAC address drift and network device
CN102843440B (en) * 2011-06-24 2017-04-26 ZTE Corporation Method of preventing media access control address drifting and network processing device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DHCP Service Security Policy (DHCP 服务安全策略); Zheng Xiuqin; Computer Knowledge and Technology (电脑知识与技术); 2017-09-30; Vol. 13, No. 26; Section 2.2.4 of the main text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant