WO2017045574A1 - IP source guard access control method and apparatus - Google Patents

Info

Publication number: WO2017045574A1
Authority: WO, WIPO (PCT)
Prior art keywords: acl, ipsg, entry, software, software entry
Legal status: Ceased
Application number: PCT/CN2016/098726
Other languages: French (fr), Chinese (zh)
Inventor: 刘民
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Detailed description of embodiments

FIG. 1 is a flowchart of the method for source guard access control in the first embodiment of the present invention; FIG. 2 is a flowchart of modifying an ACL software entry to obtain a new ACL software entry when an IPSG software entry (or an ACL software entry) is configured in the first embodiment; FIG. 3 is a schematic structural diagram of the apparatus for source guard access control according to the second embodiment of the present invention.

A first embodiment of the present invention provides a method for source guard access control, the method including:

Step 11: add an IP Source Guard (IPSG) matching condition to each rule in the access control list (ACL) software entry, and add to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not meeting the IPSG matching condition, to obtain a new ACL software entry.

The IPSG matching condition takes one of six forms: source IP address; source MAC address; source IP address plus source MAC address; source IP address plus VLAN tag; source MAC address plus VLAN tag; or source IP address plus source MAC address plus VLAN tag. Which form is used is determined by the device that receives the data packets.

Step 12: deliver the new ACL software entry to the hardware that generates hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

Because the IPSG matching condition is added to each rule in the ACL software entry, and the first rule (only the IPSG matching condition) and the second rule (discard data packets not meeting the IPSG matching condition) are added to it, no ACL resource has to be reserved for IPSG: IPSG reuses the resources of the ACL, so the ACL resources are fully utilized. The new ACL software entry, built from the modified rules together with the first and second rules, is then delivered to the hardware, which generates a hardware entry from it. In this way IPSG and the ordinary ACL are recombined in the software table before delivery to the hardware, so both take effect at the same time; the problem that IPSG and the ACL cannot be effective simultaneously is avoided, and access control of data packets is improved. Note that when the device receives other data packets (that is, packets that do not meet the IPSG matching condition), it discards them.

Optionally, before Step 11 the method further includes checking whether an ACL software entry and an IPSG software entry exist simultaneously on the first port used to receive data packets. If both exist on the first port, the IPSG software entry is deleted, and the process then proceeds to Step 11 and Step 12 to generate a hardware entry that makes maximal use of ACL resources. If they do not both exist on the first port, there is no need to delete the IPSG software entry; the software entry is simply written in the conventional way.

The generation of a new ACL software entry is illustrated by an example. Suppose the IPSG software entry says: data packets matching the source IP address plus the source MAC address may pass (pseudo code: Rule 1 permit sip smac); all other data packets are discarded (pseudo code: Rule 2 deny all). The ACL software entry says: data packets matching the destination IP address may pass (pseudo code: Rule 1 permit dip). After Step 11 the new ACL software entry says: data packets matching the destination IP address plus the source IP address plus the source MAC address may pass (pseudo code: Rule 1 permit dip sip smac); all other data packets are discarded (pseudo code: Rule 2 deny all).

Optionally, the method further includes:

Step 201: configure an IPSG software entry for the second port used to receive data packets.

Step 202: after the IPSG software entry is configured, check whether an ACL software entry exists on the second port. If it does, go to Step 2030; if it does not, go to Step 2040.

Step 2030: determine whether the ACL software entry conflicts with the IPSG software entry. If they do not conflict, go to Step 20310; if they conflict, go to Step 20320.

Step 20310: delete the IPSG entry and, once it is deleted, modify the ACL software entry (that is, continue with Step 11 and Step 12).

Step 20311: generate a hardware entry according to the modified ACL software entry. This hardware entry both makes use of the ACL resources and lets IPSG and the ACL take effect at the same time.

Step 20320: prompt the user to reconfigure an ACL software entry for the second port.

Step 2040: write the IPSG software entry in the conventional way.

Optionally, the method may also include configuring the ACL software entry for the second port used to receive data packets and, after the ACL software entry is configured, handling it according to the process flow of FIG. When the ACL software entry is determined to conflict with the IPSG software entry, the user is prompted to reconfigure the ACL software entry for the second port, so that the reconfigured ACL software entry no longer conflicts with the IPSG software entry.

An example of a conflict: the IPSG software entry permits data packets matching a source IP address (for example IP1), while the ACL software entry denies data packets matching that same source IP address (IP1). The ACL software entry then conflicts with the IPSG software entry.

The method of the embodiment of the present invention can be implemented on a computer running a Linux kernel.

The embodiment of the invention further provides a computer storage medium that stores computer-executable instructions for performing the foregoing IPSG access control method.

A second embodiment of the present invention provides an apparatus for source guard access control, the apparatus including:

an adding module 31, configured to add an IPSG matching condition to each rule in the ACL software entry, and to add to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not meeting the IPSG matching condition, to obtain a new ACL software entry; and

a delivering module 32, configured to deliver the new ACL software entry to the hardware that generates hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

Optionally, the apparatus further includes a first checking module, configured to check whether an ACL software entry and an IPSG software entry exist simultaneously on the first port used to receive data packets and, when both exist, to trigger a first deleting module; and the first deleting module, configured to delete the IPSG software entry when triggered by the first checking module and to trigger the adding module 31 to add the IPSG matching condition to each rule in the ACL software entry.

Optionally, the apparatus further includes a first configuration module, configured to configure an IPSG software entry for the second port used to receive data packets; a second checking module, configured to check whether an ACL software entry exists on the second port and, if so, to trigger a first determining module; the first determining module, configured to determine, when triggered by the second checking module, whether the ACL software entry conflicts with the IPSG software entry and, when it does not, to trigger a second deleting module; and the second deleting module, configured to delete the IPSG entry when triggered by the first determining module and to trigger the adding module 31 to add the IPSG matching condition to each rule in the ACL software entry.

Optionally, the apparatus further includes a second configuration module, configured to configure an ACL software entry for the second port used to receive data packets; a third checking module, configured to check whether an IPSG software entry exists on the second port and, if so, to trigger a second determining module; the second determining module, configured to determine, when triggered by the third checking module, whether the ACL software entry conflicts with the IPSG software entry and, when it does not, to trigger a third deleting module; and the third deleting module, configured to delete the IPSG entry when triggered by the second determining module and to trigger the adding module 31 to add the IPSG matching condition to each rule in the ACL software entry.

Optionally, the apparatus further includes a prompting module, configured to prompt the user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.

The foregoing apparatus adds the IPSG matching condition to each rule in the ACL software entry and adds the first rule (only the IPSG matching condition) and the second rule (discard data packets not meeting the IPSG matching condition), so that IPSG and the ACL share the same resources and the ACL resources are fully utilized. The new ACL software entry is delivered to the hardware that generates hardware entries, so that the hardware generates hardware entries from it; this avoids the problem that IPSG and the ACL cannot take effect at the same time and gives better access control of data packets.

The apparatus for IPSG access control provided by the second embodiment applies the foregoing method, so all embodiments of the method apply to the apparatus and achieve the same or similar benefits.

Each module/unit in the foregoing embodiments may be implemented in hardware, for example by an integrated circuit that performs its function, or as a software functional module, for example a program or instructions stored in memory and executed by a processor to perform its function. The invention is not limited to any specific combination of hardware and software.

The foregoing technical solution lets IPSG and the ACL take effect simultaneously while maximizing the utilization of ACL resources.

Abstract

An IP source guard (IPSG) access control method and apparatus, comprising: adding an IPSG matching condition to every rule in access control list (ACL) software entries, adding to the ACL software entries a first rule including only the IPSG matching conditions in the ACL software entries and a second rule to discard data packets that do not comprise the IPSG matching conditions, to obtain new ACL software entries; and sending the new ACL software entries to a hardware used for generating hardware entries, such that the hardware generates hardware entries on the basis of the ACL software entries; the embodiments of the present invention implement simultaneous IPSG and ACL validity whilst maximising ACL resource utilisation.

Description

Method and device for source guard access control

Technical field

This document relates to, but is not limited to, the field of communication technologies, and in particular to a method and apparatus for source guard access control.

Background

The IP Source Guard (IPSG) function filters the data packets received on a port so that packets from unauthorized users cannot pass. If IPSG is configured on a port of a device (such as a switch or a router), the device checks its IPSG entries when a data packet arrives at that port: packets that match an entry may be forwarded or enter subsequent processing, while packets that match no entry are discarded.

IPSG entries can be generated in two ways, by manual configuration or by dynamic learning. The IPSG matching conditions are the source Internet Protocol (IP) address, the source physical (MAC) address and the virtual local area network (VLAN) tag. Different devices support different combinations; in general there are six: IP, MAC, IP plus MAC, IP plus VLAN, MAC plus VLAN, and IP plus MAC plus VLAN. The IPSG function is usually implemented by delivering software entries to form access control list (ACL) hardware entries, which occupies underlying ACL resources, just as binding an ACL (an ordinary ACL) rule directly to the port occupies ACL resources (explicit occupancy); the IPSG case is here called implicit occupancy.

In the above implementation, to keep IPSG separate from ordinary ACLs, a block of ACL resources is reserved specifically for IPSG. Obviously the number of users the device can support is then limited by the reserved ACL resources, and the number of entries available to ordinary ACLs is reduced as well. Moreover, in scenarios where IPSG and ordinary ACLs need not be configured at the same time, or where one of the two functions needs maximum support, ACL resources may be wasted while the requirement still cannot be met.

Currently, to improve ACL resource utilization, some device vendors implement IPSG by having IPSG and ordinary ACLs share the same block of ACL resources and assigning priorities: IPSG is given the higher priority and ordinary ACLs the lower, or the reverse. However, there are also scenarios that require IPSG and ordinary ACLs to be configured together, for example when packets that pass IPSG must be further matched on different packet fields for the purpose of flow rate limiting. In that case the two cannot take effect at the same time, so the requirement clearly cannot truly be met.

发明内容Summary of the invention

以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this document. This Summary is not intended to limit the scope of the claims.

本发明实施例提供一种源防护接入控制的方法及装置,能够在最大化地利用ACL资源使,实现IPSG和ACL的同时生效。The embodiments of the present invention provide a source protection access control method and device, which can utilize ACL resources to maximize the simultaneous implementation of IPSG and ACL.

本发明的实施例提供了一种源防护接入控制的方法,该方法包括:Embodiments of the present invention provide a method for source guard access control, the method comprising:

在访问控制列表ACL软件表项中的每条规则中添加IPSG匹配条件,并在ACL软件表项中新增只包含IPSG匹配条件的第一规则和丢弃不包含IPSG匹配条件的数据报文的第二规则,得到新的ACL软件表项;Add an IPSG match condition to each rule in the ACL software entry, and add the first rule that includes only the IPSG match condition and the data message that does not contain the IPSG match condition. The second rule is to obtain a new ACL software entry;

将新的ACL软件表项下发给用于生成硬件表项的硬件,以使硬件根据新的ACL软件表项生成硬件表项。The new ACL software entry is sent to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry based on the new ACL software entry.

可选的,在ACL软件表项中的每条规则中添加IPSG匹配条件之前,方法还包括:Optionally, before the IPSG matching condition is added to each rule in the ACL software entry, the method further includes:

检查用于接收数据报文的第一端口下是否同时存在ACL软件表项和IPSG软件表项;Check whether the ACL software entry and the IPSG software entry exist on the first port of the data packet.

当第一端口下同时存在ACL软件表项和IPSG软件表项时,删除IPSG软件表项,并执行在ACL软件表项中的每条规则中添加IPSG匹配条件的步骤。When the ACL software entry and the IPSG software entry exist on the first port, the IPSG software entry is deleted and the IPSG matching condition is added to each rule in the ACL software entry.

可选的,在ACL软件表项中的每条规则中添加IPSG匹配条件之前,方法还包括:Optionally, before the IPSG matching condition is added to each rule in the ACL software entry, the method further includes:

给用于接收数据报文的第二端口配置IPSG软件表项;Configuring an IPSG software entry for the second port for receiving data packets;

检查第二端口下是否存在ACL软件表项;Check whether an ACL software entry exists on the second port.

当第二端口下存在ACL软件表项时,判断ACL软件表项是否与IPSG软件表项发生冲突;If the ACL software entry exists on the second port, determine whether the ACL software entry conflicts with the IPSG software entry.

当ACL软件表项与IPSG软件表项不发生冲突时,删除IPSG表项,并 执行在ACL软件表项中的每条规则中添加IPSG匹配条件的步骤。If the ACL software entry does not conflict with the IPSG software entry, the IPSG entry is deleted. Perform the steps to add an IPSG match condition to each rule in the ACL software entry.

可选的,在ACL软件表项中的每条规则中添加IPSG匹配条件之前,方法还包括:Optionally, before the IPSG matching condition is added to each rule in the ACL software entry, the method further includes:

给用于接收数据报文的第二端口配置ACL软件表项;Configuring an ACL software entry for the second port for receiving data packets;

检查第二端口下是否存在IPSG软件表项;Check whether an IPSG software entry exists on the second port.

当第二端口下存在IPSG软件表项时,判断ACL软件表项是否与IPSG软件表项发生冲突;If the IPSG software entry exists on the second port, determine whether the ACL software entry conflicts with the IPSG software entry.

当ACL软件表项与IPSG软件表项不发生冲突时,删除IPSG表项,并执行在ACL软件表项中的每条规则中添加IPSG匹配条件的步骤。When the ACL software entry does not conflict with the IPSG software entry, the IPSG entry is deleted and the IPSG matching condition is added to each rule in the ACL software entry.

可选的,方法还包括:Optionally, the method further includes:

当ACL软件表项与IPSG软件表项发生冲突时,提示用户重新给第二端口配置ACL软件表项。When the ACL software entry conflicts with the IPSG software entry, the user is prompted to re-configure the ACL software entry for the second port.

本发明的实施例还提供了一种IPSG接入控制的装置,该装置包括:An embodiment of the present invention further provides an apparatus for IPSG access control, the apparatus comprising:

添加模块,设置为在ACL软件表项中的每条规则中添加IPSG匹配条件,并在ACL软件表项中新增只包含IPSG匹配条件的第一规则和丢弃不包含IPSG匹配条件的数据报文的第二规则,得到新的ACL软件表项;Add a module, set the IPSG match condition to be added to each rule in the ACL software entry, and add the first rule that contains only the IPSG match condition and the data packet that does not contain the IPSG match condition. The second rule is to get a new ACL software entry;

下发模块,设置为将新的ACL软件表项下发给用于生成硬件表项的硬件,以使硬件根据新的ACL软件表项生成硬件表项。The issuing module is configured to send a new ACL software entry to the hardware used to generate the hardware entry, so that the hardware generates a hardware entry according to the new ACL software entry.

可选的,装置还包括:Optionally, the device further includes:

第一检查模块,设置为检查用于接收数据报文的第一端口下是否同时存在ACL软件表项和IPSG软件表项,并当第一端口下同时存在ACL软件表项和IPSG软件表项时,触发第一删除模块;The first check module is configured to check whether the ACL software entry and the IPSG software entry exist on the first port of the data packet, and the ACL software entry and the IPSG software entry exist simultaneously on the first port. , triggering the first deletion module;

第一删除模块,设置为根据第一检查模块的触发,删除IPSG软件表项,并触发添加模块在ACL软件表项中的每条规则中添加IPSG匹配条件。The first deletion module is configured to delete an IPSG software entry according to the trigger of the first check module, and trigger the add module to add an IPSG matching condition in each rule in the ACL software entry.

可选的,装置还包括:Optionally, the device further includes:

第一配置模块,设置为给用于接收数据报文的第二端口配置IPSG软件表项; The first configuration module is configured to configure an IPSG software entry for the second port for receiving the data packet;

第二检查模块,设置为检查第二端口下是否存在ACL软件表项,并当第二端口下存在ACL软件表项时,触发第一判断模块;The second checking module is configured to check whether an ACL software entry exists in the second port, and when the ACL software entry exists in the second port, the first determining module is triggered;

第一判断模块,设置为根据第二检查模块的触发,判断ACL软件表项是否与IPSG软件表项发生冲突,并当ACL软件表项与IPSG软件表项不发生冲突时,触发第二删除模块;The first determining module is configured to determine, according to the triggering of the second checking module, whether the ACL software entry conflicts with the IPSG software entry, and triggers the second deleting module when the ACL software entry does not conflict with the IPSG software entry. ;

第二删除模块,设置为根据第一判断模块的触发,删除IPSG表项,并触发添加模块在ACL软件表项中的每条规则中添加IPSG匹配条件。The second deletion module is configured to delete an IPSG entry according to the trigger of the first determining module, and trigger the adding module to add an IPSG matching condition in each rule in the ACL software entry.

可选的,装置还包括:Optionally, the device further includes:

第二配置模块,设置为给用于接收数据报文的第二端口配置ACL软件表项;The second configuration module is configured to configure an ACL software entry for the second port for receiving the data packet;

a third checking module, configured to check whether an IPSG software entry exists on the second port, and to trigger a second judging module when an IPSG software entry exists on the second port;

a second judging module, configured to judge, when triggered by the third checking module, whether the ACL software entry conflicts with the IPSG software entry, and to trigger a third deletion module when the ACL software entry does not conflict with the IPSG software entry;

a third deletion module, configured to delete the IPSG entry when triggered by the second judging module, and to trigger the adding module to add the IPSG matching condition to each rule in the ACL software entry.

Optionally, the apparatus further includes:

a prompting module, configured to prompt the user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.

Compared with the related art, the technical solution provided by the embodiments of the present invention includes: adding an IPSG matching condition to each rule in the ACL software entry, and adding to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not satisfying the IPSG matching condition, thereby obtaining a new ACL software entry; and delivering the new ACL software entry to the hardware used for generating hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry. This solves the problems that ACL resources may be wasted and that IPSG and ACL cannot take effect at the same time, and achieves the effect that ACL resources are used to the maximum extent while IPSG and ACL take effect simultaneously.

Other aspects will become apparent upon reading and understanding the drawings and the detailed description.

Brief Description of the Drawings

FIG. 1 is a flowchart of a method for source guard access control in the first embodiment of the present invention;

FIG. 2 is a flowchart of modifying an ACL software entry to obtain a new ACL software entry when an IPSG software entry (or an ACL software entry) is configured, in the first embodiment of the present invention;

FIG. 3 is a schematic structural diagram of an apparatus for source guard access control in the second embodiment of the present invention.

Embodiments of the Invention

The embodiments of the present application will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments of the present application, and the features in those embodiments, may be combined with each other arbitrarily provided that no conflict arises.

First Embodiment

As shown in FIG. 1, the first embodiment of the present invention provides a method for source guard access control. The method includes:

Step 11: add a source guard (IPSG) matching condition to each rule in an access control list (ACL) software entry, and add to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not satisfying the IPSG matching condition, thereby obtaining a new ACL software entry;

In the first embodiment of the present invention, the IPSG matching condition takes one of the following six forms: source IP address; source MAC address; source IP address plus source MAC address; source IP address plus VLAN tag; source MAC address plus VLAN tag; and source IP address plus source MAC address plus VLAN tag. Which form of IPSG matching condition is used may be decided by the device that receives the data packets.

Step 12: deliver the new ACL software entry to the hardware used for generating hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

In the first embodiment of the present invention, the IPSG matching condition is added to each rule in the ACL software entry, and a first rule containing only the IPSG matching condition and a second rule discarding data packets that do not satisfy the IPSG matching condition are added to the ACL software entry. In this way no ACL resources need to be reserved for IPSG; instead IPSG shares the ACL resources, so that the ACL resources are fully utilized.

It should be noted that, after the first rule and the second rule are added, the way the new ACL software entry is obtained and the way the hardware entry is generated from the new ACL software entry may follow the way ACL software entries and hardware entries are generated in the related art, which is not described further here.

In addition, the new ACL software entry is delivered to the hardware used for generating hardware entries, so that the hardware generates the hardware entry according to the new ACL software entry. Generating the new ACL software entry according to the first rule and the second rule recombines IPSG and the ordinary ACL in the software table before the table is delivered to the hardware, so IPSG and ACL take effect at the same time. The problem that IPSG and ACL cannot take effect simultaneously is thus effectively avoided, and access control of data packets is improved. It should also be noted that when the device receives any other data packet (that is, a data packet that does not satisfy the IPSG matching condition), it discards that data packet directly.

Optionally, in the embodiment of the present invention, before step 11 is performed, the method further includes: checking whether an ACL software entry and an IPSG software entry both exist on a first port used for receiving data packets, and deleting the IPSG software entry when an ACL software entry and an IPSG software entry are both found on the first port. After the IPSG software entry is deleted, steps 11 and 12 are performed, generating a hardware entry that makes maximum use of ACL resources while letting IPSG and ACL take effect at the same time. It should be noted that if the check finds that the ACL software entry and the IPSG software entry do not both exist on the first port, the step of deleting the IPSG software entry is not needed; the software entry is simply written in the conventional way.

In the embodiment of the present invention, the generation of the new ACL software entry is illustrated by an example. Assume the IPSG software entry reads: data packets matching the source IP address plus source MAC address may pass (in pseudocode: Rule 1 permit sip smac); all other data packets are discarded (in pseudocode: Rule 2 deny all). Assume the ACL software entry reads: data packets matching the destination IP address may pass (in pseudocode: Rule 1 permit sip). Then the new ACL software entry formed after step 11 reads: data packets matching the destination IP address plus source IP address plus source MAC address may pass (in pseudocode: Rule 1 permit sip smac); all other data packets are discarded (in pseudocode: Rule 2 deny all).
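The merge of step 11, carried through in code as an added example (this is not the patent's or ZTE's code). The data model is an assumption: a rule is an action plus a sorted tuple of field/value pairs, the IPSG fields are named `sip`, `smac` and `vlan`, the destination-address field of the ACL rule is named `dip`, and the six IPSG forms listed in the text are the only ones accepted. Beyond the two-rule case in the text, the example keeps the original ACL rule order (including deny rules) and adds a first-match evaluator so the effect on a legitimate packet and on a packet with a forged source address can be checked.

```python
"""Step 11 worked through in code: merge an IPSG binding into an ACL software entry.

Added example, not the patent's code. The data model (a Rule with an action and a
sorted tuple of field/value pairs, IPSG fields named sip/smac/vlan) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    match: tuple    # sorted (field, value) pairs; () means "all"

    @classmethod
    def of(cls, action, **fields):
        return cls(action, tuple(sorted(fields.items())))

    def pseudocode(self, index):
        cond = " ".join(f"{k}={v}" for k, v in self.match) or "all"
        return f"Rule {index} {self.action} {cond}"


# the six IPSG matching-condition forms named in the text
IPSG_FORMS = (
    {"sip"}, {"smac"}, {"sip", "smac"},
    {"sip", "vlan"}, {"smac", "vlan"}, {"sip", "smac", "vlan"},
)


def merge_ipsg_into_acl(acl, ipsg):
    """Return the new ACL software entry: every original rule gains the IPSG
    condition, then the IPSG-only permit (first rule) and deny-all (second rule)
    are appended. Original order is kept because the hardware matches first-hit,
    and the IPSG-only permit goes after the ACL rules so it cannot shadow them."""
    if set(ipsg) not in IPSG_FORMS:
        raise ValueError(f"unsupported IPSG matching condition: {sorted(ipsg)}")
    new_acl = []
    for rule in acl:
        fields = dict(rule.match)
        for k, v in ipsg.items():
            if k in fields and fields[k] != v:
                # contradictions are step 2030's job; the merge must not see them
                raise ValueError(f"ACL rule {rule} contradicts IPSG binding on {k}")
            fields[k] = v
        new_acl.append(Rule(rule.action, tuple(sorted(fields.items()))))
    new_acl.append(Rule.of("permit", **ipsg))   # first rule: IPSG condition only
    new_acl.append(Rule.of("deny"))             # second rule: drop everything else
    return new_acl


def evaluate(acl, packet):
    """First-match lookup, as a hardware ACL table does it. A packet matching no
    rule is denied (assumption; the appended deny-all makes this moot)."""
    for rule in acl:
        if all(packet.get(k) == v for k, v in rule.match):
            return rule.action
    return "deny"


def render(acl):
    """Pseudocode listing in the style the text uses ("Rule 1 permit ...")."""
    return [rule.pseudocode(i) for i, rule in enumerate(acl, start=1)]


if __name__ == "__main__":
    # constructed sample entries (not from the page)
    acl = [Rule.of("deny", dip="10.0.0.9"), Rule.of("permit", dip="10.0.0.5")]
    ipsg = {"sip": "192.168.1.10", "smac": "aa:bb:cc:dd:ee:01"}
    for line in render(merge_ipsg_into_acl(acl, ipsg)):
        print(line)
```

With first-match semantics the bound host still gets the ACL's deny for `10.0.0.9`, reaches `10.0.0.5` through the merged permit, and reaches any other destination through the IPSG-only permit; a packet carrying the host's MAC but another source IP hits nothing but the final deny-all.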

Optionally, in the embodiment of the present invention, as shown in FIG. 2, before step 11 is performed, the method further includes:

Step 201: configure an IPSG software entry for a second port used for receiving data packets;

Step 202: after the IPSG software entry is configured, check whether an ACL software entry exists on the second port; when an ACL software entry exists on the second port, perform step 2030; when no ACL software entry exists on the second port, perform step 2040;

Step 2030: judge whether the ACL software entry conflicts with the IPSG software entry; when the ACL software entry does not conflict with the IPSG software entry, perform step 20310; when the ACL software entry conflicts with the IPSG software entry, perform step 20320;

Step 20310: delete the IPSG entry, and after the IPSG software entry is deleted, modify the ACL software entry (that is, proceed with steps 11 and 12);

Step 20311: generate a hardware entry according to the modified ACL software entry; the hardware entry makes maximum use of ACL resources while letting IPSG and ACL take effect at the same time.

Step 20320: prompt the user to reconfigure the ACL software entry for the second port;

Step 2040: write the IPSG software entry in the conventional way.

Optionally, following the processing flow of FIG. 2 above, before step 11 is performed, the method may further include: configuring an ACL software entry for a second port used for receiving data packets; after the ACL software entry is configured, checking whether an IPSG software entry exists on the second port; when an IPSG software entry exists on the second port, further judging whether the ACL software entry conflicts with the IPSG software entry; and when the ACL software entry does not conflict with the IPSG software entry, deleting the IPSG entry. After the IPSG software entry is deleted, the ACL software entry is modified (that is, steps 11 and 12 are performed), generating a hardware entry that makes maximum use of ACL resources while letting IPSG and ACL take effect at the same time. If the check finds that no IPSG software entry exists on the second port, the ACL software entry is simply written in the conventional way.

Optionally, in the embodiment of the present invention, when the judgement of whether the ACL software entry conflicts with the IPSG software entry finds that the ACL software entry does conflict with the IPSG software entry, the user is prompted to reconfigure the ACL software entry for the second port, so that the reconfigured ACL software entry no longer conflicts with the IPSG software entry.

In the embodiment of the present invention, the meaning of the above conflict is explained by an example. For instance, if the IPSG software entry specifies that data packets matching a certain source IP address (say IP1) may pass, while the ACL software entry specifies that data packets matching that same source IP address (IP1) may not pass, the ACL software entry is considered to conflict with the IPSG software entry.
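The conflict judgement of step 2030, and the surrounding decision flow of FIG. 2 (steps 201, 202, 2030, 20310, 20320 and 2040) together with its mirror for the case where the ACL is configured second, as an added example that is not the patent's or ZTE's code. The per-port state dictionary, the rule encoding (action plus a field/value dict) and the return labels are assumptions. The conflict test generalises the page's single-field example: a deny rule counts as conflicting when it matches only on IPSG fields and every one of those fields equals the binding's value, because such a rule would drop all traffic of the very host that IPSG permits.

```python
"""Step 2030 (conflict check) and the FIG. 2 decision flow, as an added example.

Not the patent's code. A rule is (action, match) with match a dict of
field -> value; IPSG fields are 'sip', 'smac' and 'vlan' (assumption).
"""

IPSG_FIELDS = {"sip", "smac", "vlan"}


def conflicts(acl, ipsg):
    """True when some ACL deny rule contradicts the IPSG permit: the rule matches
    only on IPSG fields and each of them equals the binding value (the page's
    example is IPSG permitting sip=IP1 while the ACL denies sip=IP1).
    A catch-all 'deny all' is not a conflict: it is the usual last rule."""
    for action, match in acl:
        if action != "deny" or not match:
            continue
        if set(match) <= IPSG_FIELDS and all(ipsg.get(k) == v for k, v in match.items()):
            return True
    return False


def new_port():
    """Per-port software-table state (assumed layout)."""
    return {"acl": None, "ipsg": None, "pending_merge": None}


def reconcile(state):
    """Decide what happens after an IPSG or ACL entry was configured on a port.
    Returns a label for the step taken and updates the state in place."""
    if state["acl"] is None or state["ipsg"] is None:
        return "write-conventionally"           # step 2040 (and its mirror)
    if conflicts(state["acl"], state["ipsg"]):
        return "prompt-reconfigure-acl"         # step 20320
    # step 20310: the standalone IPSG software entry is deleted; its condition is
    # carried into the ACL by the merge of step 11, then step 12/20311 programs
    # the hardware from the merged entry
    state["pending_merge"] = state["ipsg"]
    state["ipsg"] = None
    return "delete-ipsg-and-merge"


def configure_ipsg(state, ipsg):
    """Step 201, then steps 202 onward."""
    state["ipsg"] = dict(ipsg)
    return reconcile(state)


def configure_acl(state, acl):
    """Mirror flow: ACL configured first or reconfigured after a prompt."""
    state["acl"] = [(action, dict(match)) for action, match in acl]
    return reconcile(state)


if __name__ == "__main__":
    # constructed sample configuration (not from the page)
    port = new_port()
    print(configure_acl(port, [("deny", {"sip": "192.168.1.10"})]))
    print(configure_ipsg(port, {"sip": "192.168.1.10"}))          # conflict -> prompt
    print(configure_acl(port, [("permit", {"dip": "10.0.0.5"})]))  # fixed -> merge
    print(port)
```

A deny rule that names an IPSG field with a value different from the binding is deliberately not flagged: it can never match the bound host, so it does not contradict the IPSG permit, although after the merge it becomes unreachable.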

It should be noted that the method of the embodiment of the present invention may be implemented by loading it on a computer based on the LINUX kernel.

An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the above IPSG control method.

Second Embodiment

As shown in FIG. 3, the second embodiment of the present invention provides an apparatus for source guard access control. The apparatus includes:

an adding module 31, configured to add an IPSG matching condition to each rule in an ACL software entry, and to add to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not satisfying the IPSG matching condition, thereby obtaining a new ACL software entry;

a delivering module 32, configured to deliver the new ACL software entry to the hardware used for generating hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

Optionally, the apparatus further includes:

a first checking module, configured to check whether an ACL software entry and an IPSG software entry both exist on a first port used for receiving data packets, and to trigger a first deletion module when an ACL software entry and an IPSG software entry both exist on the first port;

a first deletion module, configured to delete the IPSG software entry when triggered by the first checking module, and to trigger the adding module 31 to add the IPSG matching condition to each rule in the access control list (ACL) software entry.

Optionally, the apparatus further includes:

a first configuration module, configured to configure an IPSG software entry for a second port used for receiving data packets;

a second checking module, configured to check whether an ACL software entry exists on the second port, and to trigger a first judging module when an ACL software entry exists on the second port;

a first judging module, configured to judge, when triggered by the second checking module, whether the ACL software entry conflicts with the IPSG software entry, and to trigger a second deletion module when the ACL software entry does not conflict with the IPSG software entry;

a second deletion module, configured to delete the IPSG entry when triggered by the first judging module, and to trigger the adding module 31 to add the IPSG matching condition to each rule in the access control list (ACL) software entry.

Optionally, the apparatus further includes:

a second configuration module, configured to configure an ACL software entry for the second port used for receiving data packets;

a third checking module, configured to check whether an IPSG software entry exists on the second port, and to trigger a second judging module when an IPSG software entry exists on the second port;

a second judging module, configured to judge, when triggered by the third checking module, whether the ACL software entry conflicts with the IPSG software entry, and to trigger a third deletion module when the ACL software entry does not conflict with the IPSG software entry;

a third deletion module, configured to delete the IPSG entry when triggered by the second judging module, and to trigger the adding module 31 to add the IPSG matching condition to each rule in the access control list (ACL) software entry.

Optionally, the apparatus further includes:

a prompting module, configured to prompt the user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.

In the second embodiment of the present invention, the above apparatus adds the IPSG matching condition to each rule in the ACL software entry, and adds to the ACL software entry a first rule containing only the IPSG matching condition and a second rule discarding data packets that do not satisfy the IPSG matching condition, so that IPSG shares the ACL resources and the ACL resources are fully utilized. In addition, the new ACL software entry is delivered to the hardware used for generating hardware entries, so that the hardware generates the hardware entry according to the new ACL software entry; this effectively avoids the problem that IPSG and ACL cannot take effect at the same time and improves access control of data packets.

It should be noted that the apparatus for IPSG access control provided by the second embodiment of the present invention is an apparatus that applies the above method; that is, all embodiments of the above method apply to the apparatus and achieve the same or similar beneficial effects.

The above are optional embodiments of the present invention. It should be pointed out that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and such improvements and refinements shall also be regarded as falling within the protection scope of the present invention.

Those of ordinary skill in the art will understand that all or some of the steps of the above method may be performed by a program instructing the relevant hardware (for example, a processor), and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in the form of hardware, for example by an integrated circuit that realizes its function, or in the form of a software functional module, for example by a processor executing a program/instructions stored in a memory. The present invention is not limited to any specific combination of hardware and software.

Although the embodiments disclosed in the present application are as described above, the content described is only an implementation adopted to facilitate understanding of the present application, and is not intended to limit the present application, such as the specific implementation methods in the embodiments of the present invention. Any person skilled in the art to which the present application belongs may make any modification and change in the form and details of implementation without departing from the spirit and scope disclosed in the present application, but the scope of patent protection of the present application shall still be defined by the appended claims.

Industrial Applicability

The above technical solution enables IPSG and ACL to take effect at the same time while making maximum use of ACL resources.

Claims (10)

1. A method for source guard (IPSG) access control, the method comprising:
adding an IPSG matching condition to each rule in an access control list (ACL) software entry, and adding to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not satisfying the IPSG matching condition, thereby obtaining a new ACL software entry; and
delivering the new ACL software entry to hardware used for generating hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

2. The method according to claim 1, wherein before the adding of the IPSG matching condition to each rule in the ACL software entry, the method further comprises:
checking whether an ACL software entry and an IPSG software entry both exist on a first port used for receiving data packets; and
when an ACL software entry and an IPSG software entry both exist on the first port, deleting the IPSG software entry and performing the step of adding the IPSG matching condition to each rule in the ACL software entry.

3. The method according to claim 1, wherein before the adding of the IPSG matching condition to each rule in the ACL software entry, the method further comprises:
configuring an IPSG software entry for a second port used for receiving data packets;
checking whether an ACL software entry exists on the second port;
when an ACL software entry exists on the second port, judging whether the ACL software entry conflicts with the IPSG software entry; and
when the ACL software entry does not conflict with the IPSG software entry, deleting the IPSG entry and performing the step of adding the IPSG matching condition to each rule in the ACL software entry.

4. The method according to claim 1, wherein before the adding of the IPSG matching condition to each rule in the ACL software entry, the method further comprises:
configuring an ACL software entry for a second port used for receiving data packets;
checking whether an IPSG software entry exists on the second port;
when an IPSG software entry exists on the second port, judging whether the ACL software entry conflicts with the IPSG software entry; and
when the ACL software entry does not conflict with the IPSG software entry, deleting the IPSG entry and performing the step of adding the IPSG matching condition to each rule in the ACL software entry.

5. The method according to claim 3 or 4, further comprising:
when the ACL software entry conflicts with the IPSG software entry, prompting a user to reconfigure the ACL software entry for the second port.

6. An apparatus for source guard (IPSG) access control, the apparatus comprising:
an adding module, configured to add an IPSG matching condition to each rule in an access control list (ACL) software entry, and to add to the ACL software entry a first rule that contains only the IPSG matching condition and a second rule that discards data packets not satisfying the IPSG matching condition, thereby obtaining a new ACL software entry; and
a delivering module, configured to deliver the new ACL software entry to hardware used for generating hardware entries, so that the hardware generates a hardware entry according to the new ACL software entry.

7. The apparatus according to claim 6, further comprising:
a first checking module, configured to check whether an ACL software entry and an IPSG software entry both exist on a first port used for receiving data packets, and to trigger a first deletion module when an ACL software entry and an IPSG software entry both exist on the first port; and
a first deletion module, configured to delete the IPSG software entry when triggered by the first checking module, and to trigger the adding module to add the IPSG matching condition to each rule in the ACL software entry.

8. The apparatus according to claim 6, further comprising:
a first configuration module, configured to configure an IPSG software entry for a second port used for receiving data packets;
a second checking module, configured to check whether an ACL software entry exists on the second port, and to trigger a first judging module when an ACL software entry exists on the second port;
a first judging module, configured to judge, when triggered by the second checking module, whether the ACL software entry conflicts with the IPSG software entry, and to trigger a second deletion module when the ACL software entry does not conflict with the IPSG software entry; and
a second deletion module, configured to delete the IPSG entry when triggered by the first judging module, and to trigger the adding module to add the IPSG matching condition to each rule in the ACL software entry.

9. The apparatus according to claim 6, further comprising:
a second configuration module, configured to configure an ACL software entry for a second port used for receiving data packets;
a third checking module, configured to check whether an IPSG software entry exists on the second port, and to trigger a second judging module when an IPSG software entry exists on the second port;
a second judging module, configured to judge, when triggered by the third checking module, whether the ACL software entry conflicts with the IPSG software entry, and to trigger a third deletion module when the ACL software entry does not conflict with the IPSG software entry; and
a third deletion module, configured to delete the IPSG entry when triggered by the second judging module, and to trigger the adding module to add the IPSG matching condition to each rule in the ACL software entry.

10. The apparatus according to claim 8 or 9, further comprising:
a prompting module, configured to prompt a user to reconfigure the ACL software entry for the second port when the ACL software entry conflicts with the IPSG software entry.
PCT/CN2016/098726 2015-09-17 2016-09-12 Ip source guard access control method and apparatus Ceased WO2017045574A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510595553.0 2015-09-17
CN201510595553.0A CN106549910A (en) 2015-09-17 2015-09-17 One introduces a collection protects the method and device of IPSG Access Controls

Publications (1)

Publication Number Publication Date
WO2017045574A1 true WO2017045574A1 (en) 2017-03-23

Family

ID=58288118

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/098726 Ceased WO2017045574A1 (en) 2015-09-17 2016-09-12 Ip source guard access control method and apparatus

Country Status (2)

Country Link
CN (1) CN106549910A (en)
WO (1) WO2017045574A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589389A (en) * 2022-09-23 2023-01-10 苏州浪潮智能科技有限公司 A method, system, device and storage medium for processing ACL
CN118282696A (en) * 2022-12-31 2024-07-02 华为技术有限公司 ACL processing device and method, forwarding chip and network equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141304A (en) * 2007-09-18 2008-03-12 杭州华三通信技术有限公司 Management method and equipment of ACL regulation
CN101146026A (en) * 2006-09-13 2008-03-19 中兴通讯股份有限公司 Packet filtering method, system and device
CN101651623A (en) * 2009-09-07 2010-02-17 中兴通讯股份有限公司 Generation method and device for access control list application
CN101667965A (en) * 2009-09-29 2010-03-10 华为技术有限公司 Method and routing equipment for generating access control list
US20120082048A1 (en) * 2010-10-05 2012-04-05 Cisco Technology, Inc. System and method for providing smart grid communications and management

Also Published As

Publication number Publication date
CN106549910A (en) 2017-03-29

Similar Documents

Publication Publication Date Title
US12218956B2 (en) Providing a virtual security appliance architecture to a virtual cloud infrastructure
CN107332812B (en) Method and device for realizing network access control
US11146551B2 (en) Access control
US9729578B2 (en) Method and system for implementing a network policy using a VXLAN network identifier
US20140230044A1 (en) Method and Related Apparatus for Authenticating Access of Virtual Private Cloud
WO2019037775A1 (en) Issuance of service configuration file
KR101948049B1 (en) Enhancing network controls in mandatory access control computing environments
CN108322467B (en) OVS-based virtual firewall configuration method, electronic device and storage medium
WO2016067165A1 (en) Content filtering for information centric networks
CN106453409B (en) Message processing method and access device
WO2017143903A1 (en) Method, device and system for access control
WO2018113591A1 (en) Scheduling method, system, controller and computer storage medium
US12177313B2 (en) Captive portal redirection by devices with no internet protocol connectivity in the host virtual local area network
US8887237B2 (en) Multimode authentication
WO2016138845A1 (en) Method and device realizing upload of protocol packet to cpu
WO2019024844A1 (en) User authentication of bras under architecture of mutually separated forwarding and control
WO2017045574A1 (en) Ip source guard access control method and apparatus
CN108076459B (en) Network access control method, related equipment and system
US11658976B2 (en) Captive portal redirection and network access restriction of device using a single access control list
WO2017063578A1 (en) Data packet processing method and apparatus
US10341259B1 (en) Packet forwarding using programmable feature prioritization
US12143381B2 (en) Multiple host web authentication on the same port using segment security
CN108259420B (en) Message processing method and device
CN104852923A (en) User-based route isolating method and system
CN118353832B (en) Stream table processing method, stream table processing device, stream table processing computer, stream table processing storage medium and stream table processing program product

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16845688; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16845688; Country of ref document: EP; Kind code of ref document: A1