Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide a method and system for controlling the internet access behaviour of network devices in a multi-subnet environment, which avoids the situation in which a controlled computer installs an ARP firewall or statically binds the gateway's ARP entry, so that ARP spoofing is no longer possible and internet access management fails.
The technical solution of the invention is realized as follows:
A method for controlling the internet access behaviour of network devices in a multi-subnet environment comprises the following steps:
S1: installing a packet-filtering driver on the gateway-side network interface card of the network control device;
S2: connecting the network control device to the network segment VLAN1 in which the upstream egress gateway of the layer-3 switch is located; configuring the IP address of the network control device as an address in VLAN1, and configuring the gateway address of the network control device as the IP address of the egress gateway;
S3: sending ARP spoofing packets to the layer-3 switch port that connects the switch to its egress gateway, so that the gateway MAC address stored by that port becomes the MAC address of the network control device;
S4: controlling the internet access of the network devices by means of the packet-filtering driver installed on the gateway-side interface of the network control device.
Preferably, the method further comprises:
configuring a static route in advance on the upstream egress gateway of the layer-3 switch.
Preferably, after S4 the method further comprises:
sending a correct gateway ARP packet to the layer-3 switch port that connects the switch to its egress gateway.
Preferably, the method further comprises:
writing an interception log of the packets handled during operation, together with the internet access control results, to a database.
Preferably, the method further comprises:
granting the network control device SNMP access on the layer-3 switch, the network control device reading over SNMP the IP-address-to-MAC-address mappings that the layer-3 switch stores for the network devices of each subnet and entering them in a host list.
Preferably, the method further comprises:
creating a monitoring segment, and inserting into it the IP address and MAC address of the layer-3 switch port connected to the egress gateway.
The invention also provides a system for controlling the internet access of network devices in a multi-subnet environment, comprising:
an installation module, for installing a packet-filtering driver on the gateway-side network interface card of the network control device;
a configuration module, for connecting the network control device to the network segment VLAN1 in which the upstream egress gateway of the layer-3 switch is located, configuring the IP address of the network control device as an address in VLAN1, and configuring the gateway address of the network control device as the IP address of the egress gateway;
a sending module, for sending ARP spoofing packets to the layer-3 switch port that connects the switch to its egress gateway, so that the gateway MAC address stored by that port becomes the MAC address of the network control device;
a control module, for controlling the internet access of the network devices by means of the packet-filtering driver installed on the gateway-side interface of the network control device.
Preferably, the system further comprises:
a static routing module, for configuring a static route in advance on the upstream egress gateway of the layer-3 switch.
Preferably, the system further comprises:
a recovery module, for sending a correct gateway ARP packet to the layer-3 switch port that connects the switch to its egress gateway.
Preferably, the system further comprises:
a logging module, for writing an interception log of the packets handled during operation, together with the internet access control results, to a database.
In the method and system proposed by the present invention for controlling the internet access behaviour of network devices in a multi-subnet environment, ARP spoofing is performed against the layer-3 switch port connected to the egress gateway, rather than spoofing the gateway entry of each local-area-network computer directly. This avoids the situation in which a controlled computer installs an ARP firewall or statically binds the gateway's ARP entry, ARP spoofing becomes impossible, and internet access management therefore fails.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Figure 1, an embodiment of the present invention proposes a method for controlling the internet access behaviour of network devices in a multi-subnet environment, comprising the following steps:
S101: installing a packet-filtering driver on the gateway-side network interface card of the network control device;
S102: connecting the network control device to the network segment VLAN1 in which the upstream egress gateway of the layer-3 switch is located; configuring the IP address of the network control device as an address in VLAN1, and configuring the gateway address of the network control device as the IP address of the egress gateway;
S103: sending ARP spoofing packets to the layer-3 switch port that connects the switch to its egress gateway, so that the gateway MAC address stored by that port becomes the MAC address of the network control device;
S104: controlling the internet access of the network devices by means of the packet-filtering driver installed on the gateway-side interface of the network control device.
It can be seen that the method and system proposed by the embodiment of the present invention perform ARP spoofing against the layer-3 switch port connected to the egress gateway, rather than spoofing the gateway entry of each local-area-network computer directly, and so avoid the situation in which a controlled computer installs an ARP firewall or statically binds the gateway's ARP entry, ARP spoofing becomes impossible, and internet access management fails.
In a preferred embodiment of the invention, the method further comprises:
configuring a static route in advance on the upstream egress gateway of the layer-3 switch.
In a preferred embodiment of the invention, the method further comprises:
sending a correct gateway ARP packet to the layer-3 switch port that connects the switch to its egress gateway.
In a preferred embodiment of the invention, the method further comprises:
writing an interception log of the packets handled during operation, together with the internet access control results, to a database.
In a preferred embodiment of the invention, the method further comprises:
granting the network control device SNMP access on the layer-3 switch, the network control device reading over SNMP the IP-address-to-MAC-address mappings that the layer-3 switch stores for the network devices of each subnet and entering them in a host list.
In a preferred embodiment of the invention, the method further comprises:
creating a monitoring segment, and inserting into it the IP address and MAC address of the layer-3 switch port connected to the egress gateway.
As shown in Figure 2, a further embodiment of the present invention proposes a method for controlling the internet access behaviour of network devices in a multi-subnet environment, comprising the following steps:
S201: installing a packet-filtering driver on the gateway-side network interface card of the network control device.
In this embodiment, the installer can preset network behaviour filtering rules according to which the driver captures and filters packets.
S202: connecting the network control device to the network segment VLAN1 in which the upstream egress gateway of the layer-3 switch is located; configuring the IP address of the network control device as an address in VLAN1, and configuring the gateway address of the network control device as the IP address of the egress gateway.
In this embodiment, a static route must also be configured in advance on the upstream egress gateway of the layer-3 switch, so that the gateway's route to each internal subnet does not pass through the network control device.
In this way, returning packets are delivered by the egress gateway directly to the computers of each subnet, without passing through the computer or device on which this system is installed.
Because the public-network downlink packets returned to the egress gateway of the layer-3 switch are not captured or filtered, but are delivered by the egress gateway directly to the computers of each subnet by way of the static route, the packet delay and throughput loss that capturing, filtering and forwarding downlink packets would cause are avoided; downlink packets are forwarded directly at line rate, which greatly reduces the network slowdown and performance degradation otherwise caused by deploying an internet access management system. The path is therefore asymmetric: the network control device sees only the uplink half of each flow, and its filtering rules must be expressed in terms of uplink packets alone.
S203: granting the network control device SNMP access on the layer-3 switch; the network control device reads over SNMP the IP-address-to-MAC-address mappings that the layer-3 switch stores for the network devices of each subnet and enters them in a host list.
To identify the computers in each subnet of the layer-3 switch accurately, SNMP access must be granted on the layer-3 switch for the computer or device on which this system is installed. The system can then read in real time, over the Simple Network Management Protocol, the IP-address-to-MAC-address mappings that the layer-3 switch stores for the computers of each subnet and enter them in the system's host list, so that the administrator can identify each computer precisely and configure an internet access policy for it.
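The following Python is an added worked example, not code from the patent or its applicant. It parses a constructed numeric-OID snmpwalk of the ipNetToMediaPhysAddress column (OID 1.3.6.1.2.1.4.22.1.2, indexed by ifIndex.ipAddress, the standard table in which a layer-3 switch exposes its ARP cache) into the per-subnet host list of step S203, and builds the monitoring segment of step S204 from an assumed IP and MAC of the switch port facing the egress gateway. The sample walk output, the ifIndex values, the addresses and the choice of ifIndex 1 as the gateway-facing interface are all constructed assumptions.

```python
"""Added example (not the patent's code): host list (S203) and monitoring segment (S204)
from a numeric-OID SNMP walk of ipNetToMediaPhysAddress. Sample data is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# ipNetToMediaPhysAddress: the switch's ARP cache, indexed by ifIndex.ipAddress (RFC 1213 / RFC 4293)
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"

# Constructed output in the shape net-snmp produces for
#   snmpwalk -v2c -c <community> -On <switch-ip> 1.3.6.1.2.1.4.22.1.2
# (-On prints numeric OIDs). ifIndex values and addresses are assumptions.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.10.0.0.1 = Hex-STRING: 00 11 22 33 44 01
.1.3.6.1.2.1.4.22.1.2.1.10.0.0.3 = Hex-STRING: 00 11 22 33 44 03
.1.3.6.1.2.1.4.22.1.2.10.192.168.10.21 = Hex-STRING: 00 1A 2B 3C 4D 21
.1.3.6.1.2.1.4.22.1.2.10.192.168.10.22 = Hex-STRING: 00 1A 2B 3C 4D 22
.1.3.6.1.2.1.4.22.1.2.20.192.168.20.5 = Hex-STRING: 00 1A 2B 3C 4D 05
"""

LINE_RE = re.compile(
    r"^\.?" + re.escape(IP_NET_TO_MEDIA_PHYS)
    + r"\.(?P<ifindex>\d+)\.(?P<ip>\d+\.\d+\.\d+\.\d+)\s*=\s*Hex-STRING:\s*"
    + r"(?P<mac>(?:[0-9A-Fa-f]{2}\s*){6})$"
)


class ArpEntry(NamedTuple):
    ifindex: int
    ip: str
    mac: str


def parse_ip_net_to_media(walk_text: str) -> List[ArpEntry]:
    """Turn the walk into (ifIndex, IP, MAC) entries; unrelated lines are skipped."""
    entries = []
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mac = ":".join(m.group("mac").split()).lower()
            entries.append(ArpEntry(int(m.group("ifindex")), m.group("ip"), mac))
    return entries


def build_host_list(entries: List[ArpEntry], gateway_ifindex: int,
                    switch_port_ip: str, switch_port_mac: str
                    ) -> Tuple[Dict[int, Dict[str, str]], Dict[str, str]]:
    """Per-subnet host lists keyed by ifIndex (the hosts to be controlled), plus the
    monitoring segment of S204 holding the gateway-facing switch port's own IP and MAC.
    Entries learned on the gateway-facing interface (the gateway and the control device)
    are not hosts to control and are left out; that is an assumption of this example."""
    segments: Dict[int, Dict[str, str]] = defaultdict(dict)
    for e in entries:
        if e.ifindex != gateway_ifindex:
            segments[e.ifindex][e.ip] = e.mac
    monitoring = {switch_port_ip: switch_port_mac}
    return dict(segments), monitoring


def demo() -> Tuple[Dict[int, Dict[str, str]], Dict[str, str]]:
    entries = parse_ip_net_to_media(SAMPLE_WALK)
    return build_host_list(entries, 1, "10.0.0.2", "00:11:22:33:44:02")
```

In deployment the walk text would come from a read-only SNMP view restricted to the control device's address (SNMPv3 with authentication where the switch supports it rather than a shared community string), and the walk would be repeated on a timer so that newly attached hosts appear in the list before a policy is applied to them.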
S204: creating a monitoring segment, and inserting into it the IP address and MAC address of the layer-3 switch port connected to the egress gateway.
S205: sending ARP spoofing packets to the layer-3 switch port that connects the switch to its egress gateway, so that the gateway MAC address stored by that port becomes the MAC address of the network control device.
In this embodiment, the ARP spoofing packet sent to the layer-3 switch port connected to the egress gateway pairs the MAC address of the network control device with the IP address of the layer-3 switch's egress gateway, so that the gateway MAC address stored by this port becomes the MAC address of the network control device. From then on, when this port receives uplink packets from the computers of each subnet of the layer-3 switch, it sends them directly to the network control device, where the packet-filtering driver on the device's network interface card captures them and applies the network behaviour filtering rules preset by the administrator: packets that satisfy the administrator's internet access control rules are passed and forwarded, all other packets are dropped, and the internet access behaviour of the computers in every subnet of the layer-3 switch is thereby managed. Because the port's ARP entry ages out and is overwritten by the gateway's own ARP announcements, the spoofing packet must be re-sent periodically for as long as control is to remain in effect.
S206: controlling the internet access of the network devices by means of the packet-filtering driver installed on the gateway-side interface of the network control device.
S207: sending a correct gateway ARP packet to the layer-3 switch port that connects the switch to its egress gateway.
When control is to be stopped, a correct gateway ARP packet, pairing the IP address of the gateway with the real MAC address of the gateway, is sent to the layer-3 switch port connected to the egress gateway. This port then once again sends the uplink packets of the computers in each subnet of the layer-3 switch directly to the egress gateway, and normal packet communication is restored.
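As an added example, not part of the patent text, the following Python builds the two ARP packets that steps S205 and S207 describe, decodes them as a switch port would, and runs them through a minimal model of the port's ARP entry to show which gateway MAC the port would forward to before, during and after control. The IP and MAC addresses are constructed assumptions; send_on_wire shows how the control device would emit a frame on Linux but is not run here.

```python
"""Added example (not the patent's code): the ARP packets of steps S205 and S207.
All addresses below are constructed assumptions."""
import ipaddress
import socket
import struct
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REPLY = 2

GATEWAY_IP = "10.0.0.1"                # egress gateway of the layer-3 switch (assumed)
GATEWAY_MAC = "00:11:22:33:44:01"
SWITCH_PORT_IP = "10.0.0.2"            # VLAN1 interface of the switch facing the gateway (assumed)
SWITCH_PORT_MAC = "00:11:22:33:44:02"
CONTROL_MAC = "00:11:22:33:44:03"      # network control device on VLAN1 (assumed)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame with an ARP reply asserting 'sender_ip is at sender_mac'.
    It is unicast to target_mac so that only the addressed switch port updates its cache."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode the fields a switch port uses to update its ARP entry."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def spoof_frame() -> bytes:
    """S205: claim that the gateway IP is at the control device's MAC."""
    return build_arp_reply(CONTROL_MAC, GATEWAY_IP, SWITCH_PORT_MAC, SWITCH_PORT_IP)


def restore_frame() -> bytes:
    """S207: the correct gateway ARP packet, putting the real gateway MAC back."""
    return build_arp_reply(GATEWAY_MAC, GATEWAY_IP, SWITCH_PORT_MAC, SWITCH_PORT_IP)


class SwitchPortArpCache:
    """Toy model of the switch port's ARP table, enough to show each packet's effect."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def receive(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY and pkt["target_ip"] == SWITCH_PORT_IP:
            self.table[str(pkt["sender_ip"])] = str(pkt["sender_mac"])

    def next_hop_mac(self, ip: str) -> Optional[str]:
        return self.table.get(ip)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Gateway MAC the port would forward to before, during and after control."""
    port = SwitchPortArpCache()
    port.receive(restore_frame())   # normal state: real gateway learned
    before = port.next_hop_mac(GATEWAY_IP)
    port.receive(spoof_frame())     # S205 takes effect: uplink now goes to the control device
    during = port.next_hop_mac(GATEWAY_IP)
    port.receive(restore_frame())   # S207 recovery
    after = port.next_hop_mac(GATEWAY_IP)
    return before, during, after


def send_on_wire(frame: bytes, iface: str) -> None:
    """Emit a frame from the control device (Linux, needs CAP_NET_RAW). Not run here."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


if __name__ == "__main__":
    print(demo())
```

Both packets are unicast to the switch port's MAC, so only that port's cache changes. The spoofing packet has to be re-sent at an interval shorter than the switch's ARP ageing time, and the recovery tool described under the effects of the invention simply sends restore_frame().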
S208: writing an interception log of the packets handled during operation, together with the internet access control results, to a database.
In this embodiment, writing to a database allows later retrieval and auditing.
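The following Python is an added example, not the patent's packet-filtering driver, of the uplink control of steps S205 to S208 in one piece: it decodes raw Ethernet/IPv4 frames addressed to the control device, applies a first-match, default-drop rule list of the kind the administrator would preset, forwards only the allowed frames, and records every verdict in a SQLite interception log. The control device and switch port MAC addresses, the rule set, the IP addresses and the frames are constructed assumptions.

```python
"""Added example (not the patent's driver): uplink filtering (S205/S206) and the
interception log (S208). MAC addresses, rules and frames are constructed assumptions."""
import ipaddress
import sqlite3
import struct
from typing import List, NamedTuple, Optional, Tuple

CONTROL_MAC = "00:11:22:33:44:03"      # after S205 the switch port sends uplink frames here
SWITCH_PORT_MAC = "00:11:22:33:44:02"
ETH_P_IP = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# name, action ("allow"/"drop"), destination CIDR, protocol or None, destination port or None
Rule = NamedTuple("Rule", [("name", str), ("action", str), ("dst_net", str),
                           ("proto", Optional[int]), ("dport", Optional[int])])

RULES = [  # constructed policy: first match wins, anything unmatched is dropped (as the patent says)
    Rule("dns-to-resolver", "allow", "10.0.0.53/32", PROTO_UDP, 53),
    Rule("https", "allow", "0.0.0.0/0", PROTO_TCP, 443),
    Rule("block-ssh-out", "drop", "0.0.0.0/0", PROTO_TCP, 22),
]

def ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, proto, sport, dport, dst_mac=CONTROL_MAC) -> bytes:
    """Uplink frame as the switch port emits it after S205 (dst MAC = control device)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(SWITCH_PORT_MAC.replace(":", ""))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # ports are all the filter needs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + struct.pack("!H", ETH_P_IP) + ip + l4

def decode(frame: bytes):
    """(src_ip, dst_ip, proto, dport), or None if the frame is not ours or not valid IPv4."""
    if (len(frame) < 34 or frame[0:6] != bytes.fromhex(CONTROL_MAC.replace(":", ""))
            or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP):
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl or ip_checksum(frame[14:14 + ihl]) != 0:
        return None                                        # corrupt header: never forward
    src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
    proto, dport = frame[23], None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= 14 + ihl + 4:
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return src, dst, proto, dport

def evaluate(rules: List[Rule], frame: bytes) -> Tuple[str, str]:
    """Apply the administrator's rules to one uplink frame -> (verdict, rule name)."""
    fields = decode(frame)
    if fields is None:
        return "drop", "invalid"
    _, dst, proto, dport = fields
    for r in rules:
        if (ipaddress.IPv4Address(dst) in ipaddress.ip_network(r.dst_net)
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action, r.name
    return "drop", "default"

class InterceptLog:
    """S208: interception log plus control outcome, in SQLite (in-memory here)."""
    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS intercept (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
                        "src TEXT, dst TEXT, proto INTEGER, dport INTEGER, verdict TEXT, rule TEXT)")

    def record(self, frame: bytes, verdict: str, rule: str) -> None:
        src, dst, proto, dport = decode(frame) or (None, None, None, None)
        with self.db:   # commits on success
            self.db.execute("INSERT INTO intercept (src, dst, proto, dport, verdict, rule) "
                            "VALUES (?,?,?,?,?,?)", (src, dst, proto, dport, verdict, rule))

    def count(self, verdict: str) -> int:
        return self.db.execute("SELECT COUNT(*) FROM intercept WHERE verdict = ?", (verdict,)).fetchone()[0]

def control_uplink(frames: List[bytes], rules: List[Rule] = RULES):
    """Filter a batch of uplink frames -> (frames to forward to the real gateway, log)."""
    log, forwarded = InterceptLog(), []
    for fr in frames:
        verdict, rule = evaluate(rules, fr)
        log.record(fr, verdict, rule)
        if verdict == "allow":
            forwarded.append(fr)   # a real driver re-writes the dst MAC to the gateway's first
    return forwarded, log

def demo() -> Tuple[int, int, int]:
    """(frames forwarded, allow verdicts logged, drop verdicts logged) for constructed traffic."""
    frames = [
        build_frame("192.168.10.21", "198.51.100.10", PROTO_TCP, 40000, 443),  # https: allow
        build_frame("192.168.10.21", "10.0.0.53", PROTO_UDP, 40001, 53),       # dns: allow
        build_frame("192.168.20.5", "203.0.113.7", PROTO_TCP, 40002, 22),      # ssh: drop
        build_frame("192.168.20.5", "203.0.113.7", PROTO_TCP, 40003, 8080),    # unmatched: drop
    ]
    forwarded, log = control_uplink(frames)
    return len(forwarded), log.count("allow"), log.count("drop")
```

decode() rejects a frame whose IPv4 header checksum does not verify or whose destination MAC is not the control device's, so such frames are logged and dropped rather than forwarded. A production driver would additionally rewrite the destination MAC of each allowed frame to the real gateway's MAC before re-sending it, which is the forwarding the patent describes.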
As shown in Figure 3, the invention also provides a system for controlling the internet access of network devices in a multi-subnet environment, comprising:
an installation module 301, for installing a packet-filtering driver on the gateway-side network interface card of the network control device;
a configuration module 302, for connecting the network control device to the network segment VLAN1 in which the upstream egress gateway of the layer-3 switch is located, configuring the IP address of the network control device as an address in VLAN1, and configuring the gateway address of the network control device as the IP address of the egress gateway;
a sending module 303, for sending ARP spoofing packets to the layer-3 switch port that connects the switch to its egress gateway, so that the gateway MAC address stored by that port becomes the MAC address of the network control device;
a control module 304, for controlling the internet access of the network devices by means of the packet-filtering driver installed on the gateway-side interface of the network control device.
In a preferred embodiment of the invention, the system further comprises a static routing module, for configuring a static route in advance on the upstream egress gateway of the layer-3 switch.
In a preferred embodiment of the invention, the system further comprises a recovery module, for sending a correct gateway ARP packet to the layer-3 switch port that connects the switch to its egress gateway.
In a preferred embodiment of the invention, the system further comprises a logging module, for writing an interception log of the packets handled during operation, together with the internet access control results, to a database.
In the method and system proposed by the present invention for controlling the internet access behaviour of network devices in a multi-subnet environment, ARP spoofing is performed against the layer-3 switch port connected to the egress gateway, rather than spoofing the gateway entry of each local-area-network computer directly. This avoids the situation in which a controlled computer installs an ARP firewall or statically binds the gateway's ARP entry, ARP spoofing becomes impossible, and internet access management therefore fails.
In summary, the embodiments of the present invention can achieve at least the following effects:
1. Because this system is connected directly to the network segment in which the upstream egress gateway of the layer-3 switch is located, rather than being deployed in series or as a bridge, the single point of failure that in-series or bridged deployment readily introduces is avoided, and with it the risk of a network outage.
2. This system performs ARP spoofing against the layer-3 switch port connected to the egress gateway, rather than spoofing the gateway entry of each local-area-network computer directly, and so avoids the situation in which a controlled computer installs an ARP firewall or statically binds the gateway's ARP entry, ARP spoofing becomes impossible, and internet access management fails.
3. This system captures, filters and controls only the uplink packets of the computers in each subnet of the layer-3 switch: packets that comply with the administrator's preset access rules are allowed through, and packets that violate them are dropped, which is sufficient to manage the computers' internet access behaviour. At the same time, because the public-network downlink packets returned to the egress gateway of the layer-3 switch are not captured or filtered, but are delivered by the egress gateway directly to the computers of each subnet by way of the static route, the packet delay and throughput loss that capturing, filtering and forwarding downlink packets would cause are avoided, downlink packets are forwarded directly at line rate, and the network slowdown and performance degradation otherwise caused by deploying an internet access management system are greatly reduced.
4. When the computer or network device hosting this system fails, the network recovery tool supplied with the system can, on the one hand, send the correct gateway IP and MAC address information in real time to the layer-3 switch port connected to the egress gateway, so that network communication is restored immediately. On the other hand, the egress gateway of the layer-3 switch can also send its own IP and MAC address information to the port connecting it to the layer-3 switch, updating the gateway IP and MAC address cached in that port's ARP entry, so that network communication is restored automatically without operator intervention and internet access management is made safer.
5. In addition, deploying this system requires no change to the existing network structure: only one spare port is needed in the network segment in which the egress gateway of the layer-3 switch is located, and no other configuration of the egress gateway or the layer-3 switch needs to be changed, which reduces the effort and complexity of deployment and makes faster and more efficient network management easy to achieve.
Finally, it should be noted that the foregoing are merely preferred embodiments of the present invention, intended only to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included within the scope of protection of the present invention.