Background technology
With the development of metropolitan area network (MAN) technology, traditional transparent Ethernet transmission can no longer satisfy the demands placed on MAN transmission networks, so Layer 2 Ethernet switches for metropolitan area transmission have appeared. A Layer 2 switch is a data link layer device: it recognises the MAC (medium access control) address information in a packet, forwards according to the MAC address, and records each MAC address together with its corresponding port in a routing table (in this document "routing table" denotes the switch's MAC address forwarding table), which expresses the correspondence between MAC addresses and switch ports. When the switch receives a packet on a port, it first reads the source MAC address in the packet header, which tells it on which port the machine with that source MAC address is connected; it then reads the destination MAC address in the packet header and searches the routing table for the corresponding port. If the table contains a port for that destination MAC address, the packet is copied directly to that port; if no corresponding port is found, the packet is broadcast on all ports. When the destination machine replies to the source machine, the switch learns which port the destination MAC address corresponds to, so the next time it forwards data to that address it no longer needs to broadcast on all ports.
By continually repeating this process, a Layer 2 switch learns the MAC address information of the whole network and builds and maintains its address table.
The message forwarding flow of a traditional Layer 2 Ethernet switch is shown in Figure 1:
The routing table can be configured statically or built dynamically, that is, by the switch continually learning from the MAC addresses in the messages it receives.
When the switch receives a message for which no corresponding route exists, it learns from the source MAC address and port of the message and establishes the correspondence between the source MAC address and the switch port; once this correspondence exists, the outbound port is searched for according to the destination MAC address of the message.
There are the following situations:
(1) the destination MAC address in the message is a unicast address, and the routing table has no corresponding route;
(2) the destination MAC address in the message is a multicast address, and the routing table has no corresponding route;
(3) the destination MAC address in the message is a broadcast address.
In all three situations the message must be broadcast, that is, copied to all ports. The corresponding output port is then learnt from the reply message, and the corresponding route is established in the routing table.
As can be seen, a Layer 2 Ethernet switch searches for a route using nothing but the MAC address, which gives rise to the following potential security hazards:
A. Port attacks: a network hacker obtains the MAC address of a user on another port from a message that the switch broadcasts, then sends a large volume of junk messages from one or more ports to that user's port, so that the attacked user's bandwidth resources are largely or completely consumed and the network is paralysed.
B. A hacker can impersonate a MAC address to steal the message information of the attacked user.
As shown in Figure 2: port A and port C belong to VLAN1, port B and port D belong to VLAN2, and a route exists between port A and port C. If a message whose source MAC address is identical to the MAC address of the device connected to port A is sent on port B, the messages from port C will be delivered to port B, so a network hacker on port B conveniently steals the information of port C.
C. When a MAC address is shared by different VLANs (virtual LANs) and users/VBs (virtual bridges)/Stack VLANs (nested VLANs)/QinQ (multilayer 802.1Q label encapsulated message format), the entry chains become too long, search efficiency decreases, and message forwarding efficiency decreases with it.
Furthermore, the broadcast mechanism of the Layer 2 Ethernet switch also carries a hidden danger: when the switch cannot find a corresponding port in the routing table entries, the packet is broadcast on all ports, so an attacker on some port can receive the messages broadcast from other ports, which is a further information security hazard.
Summary of the invention
The purpose of this invention is to provide a method for guaranteeing Layer 2 Ethernet switch data security in metropolitan area transmission equipment, so as to overcome the potential security hazards that exist in the prior art when a route is searched using only the MAC address and when a broadcast mechanism is used in route search, and thereby to improve data security in metropolitan area transmission equipment.
The object of the invention is achieved through the following technical solution:
A method for guaranteeing Layer 2 Ethernet switch data security in metropolitan area transmission equipment comprises:
A. establishing a packet filtering table;
B. performing port filtering on the messages received by the switch according to the packet filtering table;
C. establishing a routing table, the routing table comprising: the MAC address and the switch port, user information and VLAN ID corresponding to it;
D1. obtaining a routing table inbound port index according to the two-tuple "source MAC address + VLAN ID or user information";
D2. searching the routing table according to the routing table inbound port index;
D3. when the routing table has no entry corresponding to the routing table inbound port index, learning the correspondence between the switch inbound port and the source MAC address, VLAN ID and user information of the filtered message into the routing table;
D4. when the routing table has an entry corresponding to the routing table inbound port index, obtaining a routing table outbound port index;
D5. searching the routing table according to the routing table outbound port index;
D6. forwarding the filtered message according to the search result of step D5.
Step A is specifically: establishing the packet filtering table according to the configuration information of the switch, the packet filtering table comprising: the switch inbound port, and the VLAN ID and user information to which the switch inbound port belongs.
Step B comprises:
B1. obtaining the related information of the message received by the switch, the related information comprising: the VLAN ID in the message, the inbound port that received the message, and the user information corresponding to that inbound port;
B2. searching the packet filtering table according to the obtained related information;
B3. discarding the message when the VLAN ID and user information in the related information differ from the VLAN ID and user information to which the switch inbound port belongs in the filtering table.
Alternatively, step D1 is specifically: obtaining the routing table inbound port index according to the source MAC address of the filtered message. Correspondingly, step D4 is specifically: obtaining the routing table outbound port index according to the destination MAC address of the filtered message.
Alternatively, step D1 is specifically: obtaining the routing table inbound port index according to the two-tuple "source MAC address + VLAN ID or user information". Correspondingly, step D4 is specifically: obtaining the routing table outbound port index according to the two-tuple "destination MAC address + VLAN ID or user information".
Alternatively, step D1 is specifically: obtaining the routing table inbound port index according to the three-tuple "source MAC address + VLAN ID + user information". Correspondingly, step D4 is specifically: obtaining the routing table outbound port index according to the three-tuple "destination MAC address + VLAN ID + user information".
Step D6 comprises:
D61. when the routing table has an entry corresponding to the routing table outbound port index, sending the filtered message to the corresponding switch outbound port;
D62. when the routing table has no entry corresponding to the routing table outbound port index, broadcasting the filtered message to all ports belonging to the same VLAN ID as the filtered message.
The user information is specifically: a user ID, a virtual bridge identifier, a nested VLAN, or a multilayer 802.1Q label encapsulated message format.
From the technical solution provided above it can be seen that the invention uses a filtering mechanism to isolate different VLANs and users/VBs/Stack VLANs/QinQ, effectively avoids port attacks by impersonated MAC addresses, and guarantees the security of data in the switch. Different search modes are used: by MAC address alone, or by a two-tuple or three-tuple formed from the MAC address together with the VLAN and/or user ID/VBID/Stack VLAN/QinQ, so that route search supports distinguishing applications in which different user IDs/VBIDs/Stack VLANs/QinQ within the same VLAN have the same MAC address; this further strengthens the filtering function and improves the security of network messages. Using the preferred mode, searching for the route by the three-tuple "user ID/VBID/Stack VLAN/QinQ + VLAN + MAC", also shortens the search depth of the routing table entries and improves entry search efficiency when a MAC address is shared by VLANs and users/VBs/Stack VLANs/QinQ.
Embodiment
The core of the invention is to establish in advance, according to the configuration information of the switch, a packet filtering table expressing the correspondence between each switch inbound port and the VLAN (virtual LAN) and user ID/VBID/Stack VLAN/QinQ to which it belongs. After the switch receives a message, it first performs port filtering on it and discards packets that do not belong to the inbound port on which they were received, thereby preventing attacks on ports and guaranteeing port data security. At the same time, a two-tuple or three-tuple formed from the MAC address together with the user ID/VBID/Stack VLAN/QinQ and VLAN is used to search for the route, which improves search efficiency.
In order that those skilled in the art may better understand the scheme of the invention, the invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 3, which shows the realization flow of the method of the invention, the method comprises the following steps:
Step 301: establish the packet filtering table according to the configuration information of the switch. The packet filtering table comprises: the switch inbound port, and the VLAN ID and user information to which the switch inbound port belongs. The user information is specifically: a user ID, a virtual bridge identifier, a nested VLAN, or a multilayer 802.1Q label encapsulated message format.
Those skilled in the art know that in a Layer 2 switch a user is the domain to which a message belongs; users are generally divided by port, that is, each port can belong to only one user, and each user has a complete VLAN (virtual LAN) domain. A user ID (identification code) is what identifies a user in the Layer 2 switch. In principle, the VBID (virtual bridge identifier) and the Stack VLAN (nested VLAN) play the same role in a Layer 2 switch as the user ID. A VB (virtual bridge) divides the Layer 2 switch into a number of different virtual domains that are completely isolated from one another during message processing, and the VBID identifies these VBs. A Stack VLAN is in fact an extension of the VLAN (virtual LAN) and, in Layer 2 switching, provides the same isolation as a VB. A QinQ (multilayer 802.1Q label encapsulated message format) label may be present in several layers of a message: with only one layer it is equivalent to a Stack VLAN, with two or more layers it is equivalent to an extension of the Stack VLAN, and in Layer 2 switching it also serves to isolate information.
These four notions generally do not exist in the same Layer 2 switch at the same time. Therefore, for convenience, only the user is used in the description below.
Step 302: filter the messages received by the switch according to the packet filtering table. The concrete filtering process is:
First, the switch receives a message and obtains the related information of the message, namely: the VLAN ID in the message, the inbound port that received the message, and the user information corresponding to that inbound port. The VLAN ID is carried by the message itself; the inbound port that received the message is known to the switch; and once the inbound port is known, the user information corresponding to that inbound port can be determined from the configuration information of the switch.
Then, the packet filtering table is searched according to the VLAN ID in the message and the inbound port information obtained.
If the VLAN ID in the message does not match the VLAN ID and user information to which the switch inbound port belongs, the message is discarded; otherwise the message is treated as a legal message, that is, a filtered message.
In this way, the invalid packets received by the switch can be excluded.
Step 303: establish the routing table. The routing table comprises: the MAC address and the switch port, user information and VLAN ID corresponding to it.
Step 304: forward the filtered message according to the routing table.
As can be seen from the above flow, the switch filters the messages it receives according to the actual needs of the network and the configuration information of the switch, and uses the filter table to isolate different VLANs and users, which effectively avoids port attacks in the network. The filtered message is then forwarded according to the routing table.
In the invention, several different route search modes can be adopted, supporting the distinction of applications in which different users in the same VLAN have the same MAC address.
The different search and forwarding processes are described in detail below.
Referring to Fig. 4, which shows the realization flow of the first embodiment of packet filtering and forwarding: in this embodiment the route is searched by MAC address alone, and the process specifically comprises the following steps:
First, in step 401: the routing table inbound port index is obtained from the source MAC address of the message and the routing table is searched, for example using a commonly used hash algorithm, though not limited to that algorithm.
Step 402: judge whether the search hit, that is, whether the routing table contains an entry corresponding to the routing table inbound port index.
If not, enter step 403: learn the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message into the routing table, that is, add to the routing table an entry for the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message. Because this message has already passed filtering, the switch inbound port is known to have been allocated to the VLAN and the user in the message, and only the forwarding route for this message has not yet been established; the switch inbound port together with the source MAC address, VLAN and user ID of the message can therefore be learnt into the routing table to establish the inbound port route. The message is then sent to the outbound port by the broadcast mode described later, and when a reply message arrives at the outbound port the outbound port route is established by the same steps as above. The routing table can not only be established by static configuration but also maintained by dynamic learning.
If the search hit, enter step 404 directly: the routing table outbound port index is obtained from the destination MAC address of the message and the routing table is searched, using the same algorithm as in step 401.
Then enter step 405: judge whether the search hit, that is, whether the routing table contains an entry corresponding to the routing table outbound port index.
If so, enter step 406: send the filtered message to the corresponding switch outbound port. Depending on the destination MAC address of the message there are two cases: unicast or multicast.
For unicast, the message is sent to the corresponding output port; for multicast, the message is copied to all outbound ports in the multicast group.
If not, enter step 407: broadcast the filtered message to all ports belonging to the same VLAN as the filtered message.
Referring to Fig. 5, which shows the realization flow of the second embodiment of message forwarding: in this embodiment the route is searched by the "MAC address + user ID" two-tuple, and the process specifically comprises the following steps:
First, in step 501: the routing table inbound port index is obtained from the "source MAC address + user ID" of the message and the routing table is searched, for example using a commonly used hash algorithm, though not limited to that algorithm.
Step 502: judge whether the search hit, that is, whether the routing table contains an entry corresponding to the routing table inbound port index.
If not, enter step 503: learn the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message into the routing table, that is, add to the routing table an entry for the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message. Because this message has already passed filtering, the switch inbound port is known to have been allocated to the VLAN and the user in the message, and only the forwarding route for this message has not yet been established; the correspondence between the switch inbound port and the source MAC address, VLAN and user ID of the message can therefore be learnt into the routing table, establishing the inbound port route. The message is then sent to the outbound port by the broadcast mode described later, and when a reply message arrives at the outbound port the outbound port route is established by the same steps as above. The routing table can not only be established by static configuration but also maintained by dynamic learning.
If the search hit, enter step 504 directly: the routing table outbound port index is obtained from the "destination MAC address + user ID" of the message and the routing table is searched, using the same algorithm as in step 501.
Then enter step 505: judge whether the search hit, that is, whether the routing table contains an entry corresponding to the routing table outbound port index.
If so, enter step 506: send the filtered message to the corresponding switch outbound port. Depending on the destination MAC address of the message there are two cases: unicast or multicast.
For unicast, the message is sent to the corresponding output port; for multicast, the message is copied to all outbound ports in the multicast group.
If not, enter step 507: broadcast the filtered message to all ports belonging to the same VLAN as the filtered message.
Similarly, the route can also be searched by the "MAC address + VLAN" two-tuple; the implementation is similar to the flow shown in Fig. 5 and is not repeated here.
In the above route search processes, a hash algorithm or another similar algorithm is used to compute the route search index. Those skilled in the art know that with a hash algorithm, when a MAC address is shared by several VLANs or users, the entries may conflict, and the entry depth then has to be increased by means such as chained lists, so that one MAC address can correspond to several search results. To find the correct result among these several results, all of them must be traversed, and when there are many entry conflicts the search efficiency decreases.
Therefore, in order to shorten the search depth of the entries, improve route search efficiency and thereby further improve message forwarding efficiency, the invention also provides a further optimized route search mode, namely searching for the route by the "MAC address + VLAN + user ID" three-tuple.
Fig. 6 shows the detailed process of this mode, which comprises the following steps:
First, in step 601: the routing table inbound port index is obtained from the "source MAC address + VLAN + user ID" of the message and the routing table is searched; as before, a hash algorithm can be used, though not limited to that algorithm.
Step 602: judge whether the search hit.
If not, enter step 603: learn the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message into the routing table, that is, add to the routing table an entry for the correspondence between the switch inbound port and the source MAC address, VLAN identifier and user ID of the message. Because this message has already passed filtering, the switch inbound port is known to have been allocated to the VLAN and the user in the message, and only the forwarding route for this message has not yet been established; the switch inbound port together with the source MAC address, VLAN and user ID of the message can therefore be learnt into the routing table to establish the inbound port route. The message is then sent to the outbound port by the broadcast mode described later, and when a reply message arrives at the outbound port the outbound port route is established by the same steps as above. The routing table can not only be established by static configuration but also maintained dynamically.
If the search hit, enter step 604 directly: the routing table outbound port index is obtained from the "destination MAC address + VLAN + user ID" of the message and the routing table is searched.
Then enter step 605: judge whether the search hit, that is, whether the routing table contains an entry corresponding to the routing table outbound port index.
If so, enter step 606: send the filtered message to the corresponding switch outbound port. Depending on the destination MAC address of the message there are two cases: unicast or multicast.
For unicast, the message is sent to the corresponding output port; for multicast, the message is copied to all outbound ports in the multicast group.
If not, enter step 607: broadcast the filtered message to all ports belonging to the same VLAN as the filtered message.
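The filtering of step 302 and the lookup modes of Figs. 4 to 6, as an added Python model that is not part of the patent: the Fig. 2 topology, port names, MAC addresses and user IDs are constructed, the key tuple itself stands in for the hash bucket, and multicast group handling is omitted. It also replays the Fig. 2 impersonation against a prior-art switch (`legacy=True`) and against the filtered, tuple-keyed one, and measures the chain depth that the three-tuple of Fig. 6 shortens.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Fields of (MAC, VLAN ID, user ID) that form the lookup index in steps 401/501/601.
MODES = {"mac": (0,), "mac+vlan": (0, 1), "mac+user": (0, 2), "mac+vlan+user": (0, 1, 2)}


class Switch:
    def __init__(self, port_config, mode="mac+vlan+user", legacy=False):
        # Step 301: packet-filtering table from the switch configuration,
        # inbound port -> (VLAN IDs the port belongs to, user ID of the port).
        self.filter_table = dict(port_config)
        self.fields = MODES[mode]
        self.legacy = legacy  # True models the prior-art switch of Fig. 1 (no filtering)
        # The document's "routing table": lookup key -> chain of (MAC, VLAN, user, port).
        # A real switch hashes the key to a bucket; keying on the tuple itself keeps the
        # chains deterministic: entries collide exactly when their lookup keys match.
        self.chains = defaultdict(list)
        self.dropped = []

    def _key(self, mac, vlan, user):
        return tuple((mac, vlan, user)[i] for i in self.fields)

    def _lookup(self, mac, vlan, user):
        """Walk the chain for the key; return (port or None, entries traversed)."""
        chain = self.chains[self._key(mac, vlan, user)]
        for depth, (m, v, u, port) in enumerate(chain, 1):
            # The prior-art table holds only the MAC; the invention compares the triple.
            if self.legacy or (m, v, u) == (mac, vlan, user):
                return port, depth
        return None, len(chain)

    def _learn(self, mac, vlan, user, port):
        """Steps D3/403/503/603: bind the source to its inbound port, or update it."""
        chain = self.chains[self._key(mac, vlan, user)]
        for i, (m, v, u, _) in enumerate(chain):
            if self.legacy or (m, v, u) == (mac, vlan, user):
                chain[i] = (m, v, u, port)  # a legacy switch simply moves the MAC
                return
        chain.append((mac, vlan, user, port))

    def receive(self, port, frame):
        """Handle one frame {"src", "dst", "vlan"} arriving on port; return output ports."""
        vlans, user = self.filter_table[port]
        # Step 302 / B1-B3: drop frames whose VLAN ID does not belong to the inbound port.
        if not self.legacy and frame["vlan"] not in vlans:
            self.dropped.append((port, frame))
            return []
        self._learn(frame["src"], frame["vlan"], user, port)
        out, _ = self._lookup(frame["dst"], frame["vlan"], user)
        if frame["dst"] != BROADCAST and out is not None:
            return [out]  # steps 406/506/606, unicast hit
        # Steps 407/507/607: flood only within the VLAN; the prior-art switch floods every port.
        return sorted(p for p, (vl, _) in self.filter_table.items()
                      if p != port and (self.legacy or frame["vlan"] in vl))


# Constructed topology of Fig. 2: A and C in VLAN1 (user u1), B and D in VLAN2 (user u2).
PORTS = {"A": ({1}, "u1"), "B": ({2}, "u2"), "C": ({1}, "u1"), "D": ({2}, "u2")}
MAC_A, MAC_B, MAC_C = "00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c"


def fig2_scenario(mode="mac+vlan+user", legacy=False, spoof_vlan=2):
    """Port B sends a frame carrying port A's MAC as source (Fig. 2); return where
    port C's next frame to MAC_A is delivered, plus the switch for inspection."""
    sw = Switch(PORTS, mode, legacy)
    sw.receive("A", {"src": MAC_A, "dst": BROADCAST, "vlan": 1})  # MAC_A learnt on A
    sw.receive("C", {"src": MAC_C, "dst": MAC_A, "vlan": 1})  # MAC_C learnt on C
    sw.receive("B", {"src": MAC_A, "dst": MAC_B, "vlan": spoof_vlan})  # the impersonation
    return sw.receive("C", {"src": MAC_C, "dst": MAC_A, "vlan": 1}), sw


def shared_mac_depth(mode, n=3):
    """One MAC reused by n users in n VLANs: entries traversed to resolve the last one."""
    sw = Switch({f"P{i}": ({i}, f"u{i}") for i in range(1, n + 1)}, mode)
    for i in range(1, n + 1):
        sw.receive(f"P{i}", {"src": MAC_A, "dst": BROADCAST, "vlan": i})
    return sw._lookup(MAC_A, n, f"u{n}")[1]
```

With the prior-art switch the impersonation moves MAC_A to port B, so port C's traffic is delivered to B; with the filtered switch it is either dropped (wrong VLAN tag for port B) or learnt as a separate (MAC, VLAN, user) entry that never matches port C's lookup.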
From the above description of the different embodiments it can be seen that, compared with the Layer 2 Ethernet switches of the prior art, which mostly search for a route by MAC address, the invention searches for the route by a two-tuple or three-tuple formed from the MAC address together with the user ID/VBID/Stack VLAN/QinQ and VLAN. The network can thus support applications in which different users/VBs/Stack VLANs/QinQ in the same VLAN have the same MAC address; at the same time, the security of the Layer 2 Ethernet switch in the metropolitan area transmission equipment is strengthened, mainly through the isolation between different users/VBs/Stack VLANs/QinQ and through port filtering that prevents malicious MAC address attacks; and, by shortening the entry search depth, the problem of low efficiency caused by a MAC address being shared by VLANs and users/VBs/Stack VLANs/QinQ is solved.
Although the invention has been described by way of embodiments, those of ordinary skill in the art know that the invention admits many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover these variations and modifications.