Embodiment
The technical solution of the present invention is described in further detail below with reference to the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Refer to Fig. 1, which is a structural diagram of a first embodiment of a device for host isolation in a VLAN provided by the present invention. The host isolation device 100 in this VLAN comprises a receiving module 110, a configuration module 120 and a deployment module 130.
The receiving module 110 receives a request to isolate specified hosts from one another within the VLAN. The request may be one that a network administrator sends to the switch through real-time configuration, or one triggered by executing an instruction in an existing configuration file on the switch. Specifically, the request carries the hardware identifiers of the hosts that need to be isolated from each other, generally MAC addresses. A MAC address is written in hexadecimal, is six bytes (48 bits) long, and takes the form "**-**-**-**-**-**", where each "*" stands for one hexadecimal digit; for example, the hosts to be isolated may be identified as "44-37-E6-0C-45-DE" and "11-22-E6-0C-45-33".
The configuration module 120 is connected to the receiving module 110. Triggered by the request received by the receiving module 110, it allocates in this VLAN a primary VLAN and an auxiliary VLAN associated with the primary VLAN; the auxiliary VLAN comprises an isolated VLAN. Hosts in the primary VLAN are allowed to communicate with any other host, while hosts in the isolated VLAN are only allowed to communicate with hosts in the primary VLAN. In the network system a VLAN is identified by an IP address of the form "*.*.*.*", where each "*" is a decimal number one octet long, for example "10.10.10.0". The VLAN and the primary VLAN and auxiliary VLAN allocated within it share the same IP address but have different ports, so from the point of view of external systems they belong to the same VLAN.
Based on the configuration produced by the configuration module 120, the deployment module 130 deploys the servers in the VLAN into the primary VLAN and deploys the specified hosts into the isolated VLAN, so that the specified hosts are isolated from one another.
Unlike the prior art, the device for host isolation in a VLAN according to the present invention, upon a request to isolate specified hosts from one another in a VLAN, allocates a primary VLAN and an auxiliary VLAN for that VLAN, the auxiliary VLAN comprising an isolated VLAN. Hosts in the primary VLAN are allowed to communicate with any other host, hosts in the auxiliary VLAN are only allowed to communicate with hosts in the primary VLAN, and the hosts to be isolated from one another are deployed in the isolated VLAN. Specified hosts can thus be isolated from one another within a single VLAN without deploying them into different VLANs, which achieves information security with lower management cost and fewer resources.
Refer to Fig. 2, which is a structural diagram of a second embodiment of a device for host isolation in a VLAN provided by the present invention. The device 200 comprises a receiving module 210, a configuration module 220 and a deployment module 230.
The receiving module 210 receives a request to isolate specified hosts from one another within the VLAN. Specifically, servers and hosts may already be deployed in an existing VLAN, and the network administrator isolates the communication of specified hosts in that VLAN according to the actual network deployment requirements; alternatively, the network administrator may need to create a new VLAN and deploy in it the servers and the hosts to be isolated from one another. The request may be one that the network administrator sends to the switch through real-time configuration, or one triggered by executing an instruction in an existing configuration file on the switch. The request carries the hardware identifiers of the hosts that need to be isolated from each other, generally MAC addresses; for example, the hosts to be isolated may be identified as "44-37-E6-0C-45-DE" and "11-22-E6-0C-45-33".
The configuration module 220 comprises an allocation unit 221 and a recording unit 222. Triggered by the request received by the receiving module 210, the allocation unit 221 allocates specified ports of the VLAN to a primary VLAN and allocates specified ports to an isolated VLAN within the auxiliary VLAN associated with the primary VLAN. Hosts in the primary VLAN are allowed to communicate with any other host, while hosts in the isolated VLAN are only allowed to communicate with hosts in the primary VLAN. In the network system a VLAN is identified by an IP address of the form "*.*.*.*", for example "10.10.10.0", and a VLAN may have multiple ports, which are usually identified by integers such as 1, 2, 3 and so on. For example, ports 1, 2 and 3 may be allocated to the primary VLAN and ports 7 to 20 to the isolated VLAN. The VLAN and the primary VLAN and auxiliary VLAN allocated within it share the same IP address but have different ports, so from the point of view of external systems they belong to the same VLAN. Once the allocation unit 221 has performed the port allocation, the recording unit 222 records the port allocation information, namely which ports each kind of VLAN comprises. Specifically, the port allocation information may be recorded in a register of the switch. Furthermore, the policy information "hosts in the primary VLAN are allowed to communicate with any other host, and hosts in the isolated VLAN are only allowed to communicate with hosts in the primary VLAN" is kept in the VLAN; specifically, it may be kept in an attribute register of the switch.
Based on the configuration produced by the configuration module 220, the deployment module 230 deploys the servers in the VLAN into the primary VLAN and deploys the specified hosts into the isolated VLAN. Specifically, the deployment module 230 records the association between the ports that the configuration module 220 allocated to the primary VLAN and the servers, and the association between the ports that the configuration module 220 allocated to the isolated VLAN and the specified hosts, so that the specified hosts are isolated from one another.
Optionally, in another example of this embodiment, the receiving module 210 further receives a request that at least two hosts able to communicate with each other be isolated from the specified hosts; for example, the hosts identified as "33-33-33-33-33-33" and "44-44-44-44-44-44" may communicate with each other but must be isolated from the other hosts. The auxiliary VLAN that the configuration module 220 allocates in association with the primary VLAN then further comprises a group VLAN, and hosts in the group VLAN are only allowed to communicate with each other and with hosts in the primary VLAN. Specifically, the allocation unit 221 allocates specified ports of the VLAN to the group VLAN, and the recording unit 222 records the port allocation information. The deployment module 230 further deploys the at least two mutually communicating hosts into the group VLAN; specifically, it further records the association between the ports allocated to the group VLAN and the at least two mutually communicating hosts. This example therefore deploys, within the same VLAN, multiple hosts that are isolated from the other hosts but are allowed to communicate among themselves.
As in the first embodiment, and unlike the prior art, the device for host isolation in a VLAN according to the present invention allocates, upon a request to isolate specified hosts from one another in a VLAN, a primary VLAN and an auxiliary VLAN comprising an isolated VLAN for that VLAN. Hosts in the primary VLAN are allowed to communicate with any other host, hosts in the auxiliary VLAN are only allowed to communicate with hosts in the primary VLAN, and the hosts to be isolated from one another are deployed in the isolated VLAN. Specified hosts can thus be isolated from one another within a single VLAN without deploying them into different VLANs, which achieves information security with lower management cost and fewer resources.
Refer to Fig. 3, which is a flow chart of a first embodiment of a method for host isolation in a VLAN provided by the present invention. The method comprises the following steps:
S301: receive a request to isolate specified hosts from one another within a specified VLAN.
Specifically, servers and hosts may already be deployed in an existing VLAN, and the network administrator isolates the communication of specified hosts in that VLAN according to the actual network deployment requirements; alternatively, the network administrator may need to create a new VLAN and deploy in it the servers and the hosts to be isolated from one another.
The request may be one that the network administrator sends to the switch through real-time configuration, or one triggered by executing an instruction in an existing configuration file on the switch. The request carries the hardware identifiers of the hosts that need to be isolated from each other, generally MAC addresses; for example, the hosts to be isolated may be identified as "44-37-E6-0C-45-DE" and "11-22-E6-0C-45-33".
S302: allocate in the VLAN a primary VLAN and an auxiliary VLAN associated with the primary VLAN, the auxiliary VLAN comprising an isolated VLAN, where hosts in the primary VLAN are allowed to communicate with any other host and hosts in the isolated VLAN are only allowed to communicate with hosts in the primary VLAN.
Specifically, allocating the primary VLAN and the associated auxiliary VLAN comprising the isolated VLAN means: allocating specified ports of the VLAN to the primary VLAN, allocating specified ports to the isolated VLAN within the auxiliary VLAN associated with the primary VLAN, and recording the port allocation information, namely which ports each kind of VLAN comprises.
In the network system a VLAN is identified by an IP address of the form "*.*.*.*", for example "10.10.10.0", and a VLAN may have multiple ports, which are usually identified by integers such as 1, 2, 3 and so on. For example, ports 1, 2 and 3 may be allocated to the primary VLAN and ports 7 to 20 to the isolated VLAN. The VLAN and the primary VLAN and auxiliary VLAN allocated within it share the same IP address but have different ports, so from the point of view of external systems they belong to the same VLAN. The port allocation information may be recorded in a register of the switch. Furthermore, the policy information "hosts in the primary VLAN are allowed to communicate with any other host, and hosts in the isolated VLAN are only allowed to communicate with hosts in the primary VLAN" is kept in the VLAN; for example, it may be kept in an attribute register of the switch.
S303: deploy the servers in the VLAN into the primary VLAN and deploy the specified hosts into the isolated VLAN, so that the specified hosts are isolated from one another.
Specifically, this step may consist of recording the association between the ports allocated to the primary VLAN and the servers, and recording the association between the ports allocated to the isolated VLAN and the specified hosts.
Optionally, in another example of this embodiment, step S301 further receives a request that at least two hosts able to communicate with each other be isolated from the specified hosts; for example, the hosts identified as "33-33-33-33-33-33" and "44-44-44-44-44-44" may communicate with each other but must be isolated from the other hosts. The auxiliary VLAN allocated in association with the primary VLAN in step S302 then further comprises a group VLAN, and hosts in the group VLAN are only allowed to communicate with each other and with hosts in the primary VLAN. Specifically, this step may allocate specified ports of the VLAN to the group VLAN and record the port allocation information. Step S303 further deploys the at least two mutually communicating hosts into the group VLAN; specifically, this step may further record the association between the ports allocated to the group VLAN and the at least two mutually communicating hosts. This example therefore deploys, within the same VLAN, multiple hosts that are isolated from the other hosts but are allowed to communicate among themselves.
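The port allocation, the recorded host/port associations and the three-way policy (primary, isolated and group VLAN) described for the device embodiment above and for steps S301 to S303 can be modelled as a small policy table. The following is an added example, not code from the patent; it assumes constructed group VLAN ports 4 and 5 and a constructed server MAC "AA-AA-AA-AA-AA-01", while the other port ranges and MAC addresses are the ones quoted in the text.

```python
import re

# MAC format from the text: six hexadecimal bytes written "**-**-**-**-**-**"
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


class PrivateVlan:
    """One VLAN subnet whose ports are split between a primary VLAN,
    an isolated VLAN and optional group VLANs (constructed model)."""

    def __init__(self, subnet):
        self.subnet = subnet      # shared by all sub-VLANs, e.g. "10.10.10.0"
        self.port_role = {}       # port -> ("primary"|"isolated"|"group", group name)
        self.host_port = {}       # MAC -> port: the recorded host/port association

    def assign(self, kind, ports, group=None):
        """Record the port allocation information for one sub-VLAN."""
        for p in ports:
            if p in self.port_role:
                raise ValueError(f"port {p} already assigned")
            self.port_role[p] = (kind, group)

    def attach(self, mac, port):
        """Deploy a host (by MAC) on a port already assigned to a sub-VLAN."""
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC format: {mac}")
        if port not in self.port_role:
            raise ValueError(f"port {port} not assigned to any sub-VLAN")
        self.host_port[mac] = port

    def can_communicate(self, mac_a, mac_b):
        """Policy: primary hosts talk to anyone; isolated hosts only to the
        primary VLAN; group hosts only to the primary VLAN and their own group."""
        role_a, group_a = self.port_role[self.host_port[mac_a]]
        role_b, group_b = self.port_role[self.host_port[mac_b]]
        if "primary" in (role_a, role_b):
            return True
        if "isolated" in (role_a, role_b):
            return False
        return group_a == group_b


def build_example():
    pv = PrivateVlan("10.10.10.0")
    pv.assign("primary", [1, 2, 3])            # ports 1-3 -> primary VLAN (from the text)
    pv.assign("isolated", range(7, 21))        # ports 7-20 -> isolated VLAN (from the text)
    pv.assign("group", [4, 5], "group1")       # constructed ports for the group VLAN
    pv.attach("AA-AA-AA-AA-AA-01", 1)          # constructed server MAC in the primary VLAN
    pv.attach("44-37-E6-0C-45-DE", 7)          # hosts to be isolated (MACs from the text)
    pv.attach("11-22-E6-0C-45-33", 8)
    pv.attach("33-33-33-33-33-33", 4)          # hosts allowed to talk to each other
    pv.attach("44-44-44-44-44-44", 5)
    return pv
```

`can_communicate` returns what the switch would enforce between two attached hosts, so it can be used to check a planned allocation before it is written to the switch registers.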
Unlike the prior art, the method for host isolation in a VLAN according to the present invention, upon a request to isolate specified hosts from one another in a VLAN, allocates a primary VLAN and an auxiliary VLAN for that VLAN, the auxiliary VLAN comprising an isolated VLAN. Hosts in the primary VLAN are allowed to communicate with any other host, hosts in the auxiliary VLAN are only allowed to communicate with hosts in the primary VLAN, and the hosts to be isolated from one another are deployed in the isolated VLAN. Specified hosts can thus be isolated from one another within a single VLAN without deploying them into different VLANs, which achieves information security with lower management cost and fewer resources.
The foregoing are only embodiments of the present invention and do not thereby limit the scope of the claims of the present invention. Any equivalent structural or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.