
CN102571603B - Ethernet port controlling apparatus and method thereof - Google Patents


Info

Publication number: CN102571603B
Application number: CN201210032478.3A
Authority: CN (China)
Prior art keywords: message, ether, port, authentication parameter, layer
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102571603A
Inventors: 黎建, 邓海
Current assignee: Maipu Communication Technology Co Ltd
Original assignee: CHENGDU XINDIAN TECHNOLOGY Co Ltd
Application filed by CHENGDU XINDIAN TECHNOLOGY Co Ltd
Priority to CN201210032478.3A
Publication of CN102571603A
Application granted
Publication of CN102571603B


Abstract

The invention discloses an Ethernet port control apparatus and method. The apparatus comprises an Ethernet switch chip in the physical link layer, an Ethernet driver module and a port control module in the Ethernet driver layer, and an authentication service program module in the application layer. The Ethernet switch chip sends all received messages to the Ethernet driver layer. The port control module is a software module in the Ethernet driver layer; it sets message authentication parameters according to configuration commands from the authentication service program module and, according to those parameters, decides whether the Ethernet driver layer accepts a message from the switch chip and passes it up to the upper layer. Ethernet port control is therefore realized independently of the switch chip, the hardware cost of realizing it is reduced, and when the port control mode is upgraded or modified only the software in the Ethernet driver layer needs to change, which improves extensibility.

Description

Ethernet port control device and method
Technical field
The present invention relates to Ethernet data processing technology, and in particular to an Ethernet port control device and method.
Background technology
The IEEE 802.1x protocol is an access control and authentication protocol based on a client/server model. It restricts unauthorized users and devices from accessing a local area network (LAN) through an access port. Before a user or device obtains the other services provided by the switch or the LAN, 802.1x authenticates it and controls the switch port it is connected to. Until authentication succeeds, 802.1x only allows Extensible Authentication Protocol over LAN (EAPoL) frames, that is, authentication messages, through the Ethernet port to which the device is connected; after authentication succeeds, messages pass through the port freely. This control mode is referred to as IEEE 802.1x Ethernet port control.
At present, IEEE 802.1x Ethernet port control is implemented in hardware. Fig. 1 is the layer diagram of an existing Ethernet port control device that supports IEEE 802.1x. Referring to Fig. 1, the physical link layer comprises an Ethernet switch chip, which performs Ethernet data switching and IEEE 802.1x port control and is hardware; the Ethernet driver layer comprises the Ethernet driver, which drives the Ethernet protocol; the kernel protocol stack is the collective name for the protocols between the application layer and the Ethernet driver layer, which carry the interaction between them; and the application layer runs the various upper-layer applications. The Ethernet driver layer, the kernel protocol stack and the applications in the application layer are run by the device's central processing unit (CPU) and are software.
In the prior art, the authentication service program in the application layer authenticates the client's MAC address and/or the switch port information in advance, using the authentication messages the client sends over the Ethernet, and writes message authentication parameters into the registers of the switch chip in the physical link layer. When the switch chip receives a message, it performs the IEEE 802.1x port control itself: according to the authentication parameters in its registers, the chip decides whether to accept the message received at the physical link layer and pass it up to the CPU. When it receives a message that has not passed authentication, the chip discards it directly and does not hand it to the CPU for processing.
However, this prior-art approach, in which IEEE 802.1x Ethernet port control is implemented in hardware by the Ethernet switch chip, has the following drawbacks:
The IEEE 802.1x authentication protocol depends directly on the hardware. A device applying IEEE 802.1x needs a switch chip that implements 802.1x port control in hardware; this is not only costly but also poorly extensible, since upgrading or modifying the port control mode often requires replacing the entire switch chip. On the other hand, a considerable number of low-cost Ethernet switch chips do not support IEEE 802.1x port control, which hinders the wide adoption of the IEEE 802.1x authentication protocol.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an Ethernet port control device and method that reduce the hardware cost of realizing Ethernet port control and improve extensibility.
The technical scheme of the present invention is achieved as follows:
An Ethernet port control device, comprising:
an Ethernet driver module in the Ethernet driver layer, which, after receiving a message from the Ethernet switch chip in the physical link layer, determines the message type, the source media access control (MAC) address and the switch chip port on which the message was received, inputs the determined information into the port control module, and decides whether to accept the message according to the information the port control module returns;
a port control module in the Ethernet driver layer, which sets message authentication parameters, comprising the authenticated MAC addresses and/or port authentication information, according to configuration commands from the authentication service program module in the application layer, and performs port control according to the information input by the Ethernet driver module and the message authentication parameters. The port control comprises: if the message type received by the Ethernet driver module is an authentication message, notify the Ethernet driver module to accept the message and pass it up to the authentication service program module in the upper layer; if it is a non-authentication message, judge whether the MAC address of the message, or the switch chip port on which it was received, is an authenticated MAC address or port set in the message authentication parameters; if so, notify the Ethernet driver module to accept the message and pass it up to the corresponding upper-layer application, otherwise discard the message;
an authentication service program module in the application layer, which authenticates MAC addresses and/or port information according to the authentication messages passed up by the Ethernet driver layer, and sends the port control module configuration commands that set the message authentication parameters.
Preferably, the port control module comprises two external interfaces:
a configuration interface for the message authentication parameters, called by the authentication service program module, which comprises the data structure storing the message authentication parameters; through this configuration interface the authentication service program module accesses and modifies the message authentication parameters in that data structure;
a verification function interface, called by the Ethernet driver module, which performs the port control according to the information input by the Ethernet driver module and the message authentication parameters.
Preferably, the data structure storing the message authentication parameters is a Proc node tree.
Preferably, the authentication control protocol used by the Ethernet port control device is the IEEE 802.1x protocol.
An Ethernet port control method, comprising:
the Ethernet switch chip passes received messages up to the Ethernet driver layer;
the Ethernet driver layer determines the type and source MAC address of the message from the switch chip and the switch chip port on which it was received; if the message type is an authentication message, it accepts the message and passes it up to the authentication service program in the upper layer;
the authentication service program in the upper layer authenticates the MAC address and/or port information according to the authentication message, and sends the Ethernet driver layer configuration commands that set the message authentication parameters;
the Ethernet driver layer sets the message authentication parameters according to the configuration commands of the authentication service program; the parameters set comprise the authenticated MAC addresses and/or port authentication information;
if the type of the message the Ethernet driver layer receives from the switch chip is a non-authentication message, it judges whether the MAC address of the message, or the switch chip port on which it was received, is an authenticated MAC address or port set in the message authentication parameters; if so, it accepts the message and passes it up to the corresponding upper-layer application, otherwise it discards the message.
Preferably, the method further comprises:
the message authentication parameters set comprise a default-accept MAC address table; after determining the source MAC address of a message from the switch chip, the Ethernet driver layer judges whether that source MAC address is in the default-accept MAC address table, and if so accepts the message and passes it up to the corresponding upper-layer application;
and/or, the message authentication parameters set comprise a default-deny MAC address table; after determining the source MAC address of a message from the switch chip, the Ethernet driver layer judges whether that source MAC address is in the default-deny MAC address table, and if so discards the message.
Preferably, an enable flag is further set in the message authentication parameters to indicate whether Ethernet port control is enabled. After the Ethernet driver layer receives a message from the switch chip, it first uses this enable flag to judge whether Ethernet port control is enabled; if so, it performs the subsequent Ethernet port control flow; otherwise it accepts the message and passes it up to the corresponding upper-layer application.
Preferably, an authentication mode flag is further set in the message authentication parameters to indicate whether the mode is MAC authentication mode or port authentication mode;
after the Ethernet driver layer receives a message from the switch chip, it uses this authentication mode flag to judge whether the mode is MAC authentication mode or port authentication mode;
in MAC authentication mode, it judges whether the MAC address of the message is an authenticated MAC address set in the message authentication parameters; if so it accepts the message and passes it up to the corresponding upper-layer application, otherwise it discards the message;
in port authentication mode, it judges whether the port on which the message was received is an authenticated port set in the message authentication parameters; if so it accepts the message and passes it up to the corresponding upper-layer application, otherwise it discards the message.
Preferably, the specific way in which the Ethernet driver layer sets the message authentication parameters is:
the Ethernet driver layer creates and maintains, in the operating system kernel, a Proc node tree data structure for storing the message authentication parameters, and the authentication service program accesses and modifies the message authentication parameters in this Proc node tree directly through configuration commands.
Preferably, the Ethernet port control method is a method of control using the IEEE 802.1x protocol.
Compared with the prior art, in the present invention the Ethernet switch chip sends all messages it receives to the Ethernet driver layer, and a port control module is added to the Ethernet driver layer. This module is a software module in the Ethernet driver layer; it sets message authentication parameters according to the configuration commands of the authentication service program and, according to the parameters set, decides whether the Ethernet driver layer accepts a message from the switch chip and passes it up to the upper layer. Ethernet port control is thus realized without depending on the switch chip, the hardware cost of realizing Ethernet port control is reduced, and when the port control mode is upgraded or modified only the software in the Ethernet driver layer needs to be modified, which improves extensibility.
The present invention removes the dependence of the IEEE 802.1x authentication protocol on hardware: IEEE 802.1x Ethernet port control can be realized with a low-cost Ethernet switch chip, which reduces the hardware cost of realizing it, and at the same time, since only the software in the Ethernet driver layer needs to be modified when the port control mode is upgraded or modified, the extensibility of IEEE 802.1x Ethernet port control is improved. Consequently, after applying the present invention, a device supporting the IEEE 802.1x authentication protocol can give more weight to other favourable factors such as cost when selecting hardware, and disregard whether the hardware supports IEEE 802.1x port control.
Brief description of the drawings
Fig. 1 is the layer diagram of an existing Ethernet port control device supporting the IEEE 802.1x protocol;
Fig. 2 is the layer diagram of the Ethernet port control device of the present invention;
Fig. 3 is a diagram of the interfaces the port control module of the present invention provides externally;
Fig. 4 is a flow chart of an Ethernet port control method of the present invention;
Fig. 5 is a structure diagram of a Proc node tree in a specific embodiment;
Fig. 6 is a schematic diagram of the specific processing flow after the verification function interface is called.
Embodiments
The present invention is described below in more detail in conjunction with the drawings and specific embodiments.
Fig. 2 is the layer diagram of the Ethernet port control device of the present invention. Referring to Fig. 2, the Ethernet port control device of the present invention comprises:
the Ethernet switch chip in the physical link layer; unlike the prior art, this switch chip does not perform Ethernet port control but passes all received messages to the Ethernet driver layer;
an Ethernet driver module in the Ethernet driver layer, which, after receiving a message from the switch chip, determines the message type, the source media access control (MAC) address and the switch chip port on which the message was received, inputs the determined information into the port control module, and decides whether to accept the message according to the information the port control module returns;
a port control module in the Ethernet driver layer, which sets message authentication parameters, comprising the authenticated MAC addresses and/or port information, according to configuration commands from the authentication service program module in the application layer, and performs port control according to the information input by the Ethernet driver module and the message authentication parameters. The port control comprises: if the message type received by the Ethernet driver module is an authentication message, notify the Ethernet driver module to accept the message and pass it up to the authentication service program module in the upper layer; if it is a non-authentication message, judge whether the MAC address of the message, or the switch chip port on which it was received, is an authenticated MAC address or port set in the message authentication parameters; if so, notify the Ethernet driver module to accept the message and pass it up to the corresponding upper-layer application, otherwise discard the message;
an authentication service program module in the application layer, which authenticates MAC addresses and/or port information according to the authentication messages passed up by the Ethernet driver layer, and sends the port control module configuration commands that set the message authentication parameters.
The kernel protocol stack is the collective name for the protocols between the application layer and the Ethernet driver layer, which carry the interaction between them; it is identical to the existing kernel protocol stack and is therefore not described further here.
In the embodiment of the present invention, the authentication control protocol used by the Ethernet port control device is the IEEE 802.1x protocol, and the port control module is specifically a port control module for the IEEE 802.1x protocol.
Fig. 3 is a diagram of the interfaces the port control module of the present invention provides externally. Referring to Fig. 3, the port control module in the Ethernet driver layer comprises two external interfaces:
a configuration interface 301 for the message authentication parameters, called by the authentication service program module, which comprises the data structure storing the message authentication parameters; through configuration interface 301 the authentication service program module accesses and modifies the message authentication parameters in that data structure. In the embodiment shown in Fig. 3, the data structure storing the message authentication parameters is specifically a Proc node tree created and maintained in the operating system kernel; the authentication service program module accesses and modifies the message authentication parameters in this Proc node tree through configuration commands, so that it can both configure the authentication parameters and collect authentication state information. For example, the authentication parameters are configured by write operations on the corresponding Proc nodes, and authentication information is collected by read operations on the corresponding Proc nodes.
a verification function interface 302, called by the Ethernet driver module, which performs the port control according to the information input by the Ethernet driver module and the message authentication parameters; that is, when the Ethernet driver module receives a message from the switch chip, it calls verification function interface 302 to judge whether to accept the message. The information the Ethernet driver module inputs to verification function interface 302 is the type of the message it has just received (usually identified by the Ethernet frame protocol field, and mainly either an authentication message type or a non-authentication message type), the source media access control (MAC) address of the message, and the switch chip port on which it was received.
Fig. 4 is a flow chart of an Ethernet port control method of the present invention. The Ethernet port control method of the present invention is a method of control using the IEEE 802.1x protocol. Referring to Fig. 4, the method mainly comprises:
Step 401: the Ethernet switch chip passes received messages up to the Ethernet driver layer;
Step 402: the Ethernet driver layer determines the type and source MAC address of the message from the switch chip and the switch chip port on which it was received;
Step 403: judge whether the message type is an authentication message; if so, perform step 404, otherwise perform step 406;
Step 404: accept the message and pass it up to the authentication service program in the upper layer; the authentication service program authenticates the MAC address and/or port information according to the authentication message, and sends the Ethernet driver layer configuration commands that set the message authentication parameters;
Step 405: the Ethernet driver layer sets the message authentication parameters according to the configuration commands of the authentication service program; the parameters set comprise the authenticated MAC addresses and/or port information;
Step 406: if the type of the message the Ethernet driver layer receives from the switch chip is a non-authentication message, judge whether the MAC address of the message, or the switch chip port on which it was received, is an authenticated MAC address or port set in the message authentication parameters; if so, accept the message and pass it up to the corresponding upper-layer application, otherwise discard the message.
In one specific embodiment, the message authentication parameters set by the configuration commands of the authentication service program comprise a default-accept MAC address table; after determining the source MAC address of a message from the switch chip, the Ethernet driver layer must judge whether that source MAC address is in the default-accept MAC address table, and if so accepts the message and passes it up to the corresponding upper-layer application;
and/or, the message authentication parameters set by the configuration commands of the authentication service program may also comprise a default-deny MAC address table; after determining the source MAC address of a message from the switch chip, the Ethernet driver layer must judge whether that source MAC address is in the default-deny MAC address table, and if so discards the message.
In one specific embodiment, an enable flag may further be set in the message authentication parameters to indicate whether Ethernet port control is enabled. After the Ethernet driver layer receives a message from the switch chip, it first uses this enable flag to judge whether Ethernet port control is enabled. If so, it performs the subsequent Ethernet port control flow, namely: if the message type is an authentication message, accept it and pass it up to the authentication service program in the upper layer; if it is a non-authentication message, judge whether the MAC address of the message, or the switch chip port on which it was received, is an authenticated MAC address or port set in the message authentication parameters, and if so accept the message and pass it up to the corresponding upper-layer application, otherwise discard it. If the enable flag indicates that Ethernet port control is not enabled, the message is accepted and passed up to the corresponding upper-layer application.
In another specific embodiment, an authentication mode flag may further be set in the message authentication parameters to indicate whether the mode is MAC authentication mode or port authentication mode. After the Ethernet driver layer receives a message from the switch chip, it uses this authentication mode flag to judge whether the mode is MAC authentication mode or port authentication mode:
in MAC authentication mode, it judges whether the MAC address of the message is an authenticated MAC address set in the message authentication parameters; if so it accepts the message and passes it up to the corresponding upper-layer application, otherwise it discards the message;
in port authentication mode, it judges whether the port on which the message was received is an authenticated port set in the message authentication parameters; if so it accepts the message and passes it up to the corresponding upper-layer application, otherwise it discards the message.
In the method of the present invention, one specific way in which the Ethernet driver layer sets the message authentication parameters is: the Ethernet driver layer creates and maintains, in the operating system kernel, a Proc node tree data structure for storing the message authentication parameters, and the authentication service program accesses and modifies the message authentication parameters in this Proc node tree directly through configuration commands.
The Proc node tree of the configuration interface called by the upper-layer authentication service program corresponds to a directory structure in the Proc file system. The Proc node tree is created by the port control module and configured by the upper-layer authentication service software, which configures the message authentication parameters specifically by writing the corresponding nodes. The authentication service software provides a settings interface through which the administrator can configure the parameters as required.
Fig. 5 is a structure diagram of a Proc node tree in a specific embodiment. Referring to Fig. 5, the value and function of each node are described below:
Enable: the enable flag indicating whether 802.1x Ethernet port control is enabled; writing 1 or 0 to this node controls whether 802.1x Ethernet port control is started, where 1 means 802.1x Ethernet port control is started and 0 means it is not. For example, in a specific application, the upper-layer authentication service software writes 1 to this node when it starts, indicating that Ethernet port control is switched on, and writes 0 when it exits, indicating that Ethernet port control is stopped; once port control is stopped, all messages are accepted.
Mode: the flag for the 802.1x protocol authentication mode; writing 0 or 1 to this node controls the 802.1x authentication mode, where 1 means port authentication mode and 0 means MAC authentication mode. The administrator configures this mode according to the specific business needs.
AcceptMAC: stores the default-accept MAC address table; writing a MAC address table to this node causes those MAC addresses to be accepted by default. A default-accepted MAC address passes through the port directly without authentication. The value of this node is also configured by the administrator.
DenyMAC: stores the default-deny MAC address table; writing a MAC address table to this node causes those MAC addresses to be denied by default. A default-denied MAC address cannot pass authentication, and its data cannot pass through the port. The value of this node is also configured by the administrator.
AuthMAC: stores the MAC addresses that have passed authentication. When the authentication mode is MAC mode, every MAC address that passes authentication is stored in this node: after the authentication message sent by a client passes the authentication of the upper-layer authentication service software, that software writes the client's MAC address (that is, the source MAC address of the message the client sent) into this node.
Ports: a directory holding one Proc node for each existing port. An Ethernet switch chip usually has multiple ports; assume here that there are n ports, P0 to Pn. Each node P0 to Pn stores the flag indicating whether the corresponding switch chip port has passed authentication; for example, the value of node P1 in Fig. 5 is the flag indicating whether port 1 has passed authentication, where 1 means the port has passed authentication and 0 means it has not. After a switch chip port passes the authentication of the upper-layer authentication service software, that software writes this flag into the corresponding Proc node.
In addition, in this embodiment the authenticated ports are stored as separate nodes for three reasons: first, the number of ports on a switch chip is limited, and the number of ports that need to be controlled is generally 4; second, it is convenient for expansion, since the private attributes of each port can be stored conveniently; and third, it matches the program logic better.
Described verification function interface 302 calls for ether driver, the concrete opportunity of calling is: ether exchange chip often receives a message all can report the ether driver that ether drives layer by this message, after ether driver receives a message from ether exchange chip, determine type (whether being namely message identifying) and the source MAC (namely sending the MAC Address of the client of this message) of this message, and receive the port of ether exchange chip of this message, then described verification function interface is called, aforementioned determined information is input in verification function interface, verification function interface performs concrete handling process, the result whether receiving this message is returned to ether driver, the return value of such as verification function is 1 or 0.Wherein 1 represents this message of reception, and 0 expression abandons this message.
Fig. 6 is a schematic diagram of the concrete processing flow after the verification function interface is called. Referring to Fig. 6, the flow comprises:
Step 601: first query the value of the Enable node of the Proc tree to judge whether 802.1x Ethernet port control is started. If so, perform step 602; otherwise the verification function interface returns 1, i.e. it notifies the Ethernet driver to accept the current message and report it to the corresponding upper-layer application.
Step 602: query the value of the AcceptMAC node of the Proc tree and judge whether the input source MAC address is in the default-accept MAC address table recorded at this AcceptMAC node. If so, return 1; otherwise perform step 603.
Step 603: query the value of the DenyMAC node of the Proc tree and judge whether the input source MAC address is in the default-deny MAC address table recorded at this DenyMAC node. If so, return 0; otherwise perform step 604.
Step 604: judge whether the input message type (i.e. the Ethernet frame protocol identifier) is EAPOL, that is, an authentication message. If so, perform step 605; otherwise perform step 606.
Step 605: judge whether the message is an EAPOL-Start message (the start message of authentication). If so, hide the port information of the Ethernet switch chip port that received this message at the tail of the message, then return 1; otherwise directly return 1.
The purpose of this step is as follows: for an authentication message, the upper-layer authentication service program usually does not know which port of the Ethernet switch chip received it. Therefore the port information of the receiving Ethernet switch chip port must be added to the start message of authentication so that the upper-layer authentication service program can perform authentication processing. If the port passes authentication, the authentication service program writes, by a configuration command, the value 1 into the node corresponding to this port in the Ports directory of the Proc tree.
Step 606: query the value of the Mode node of the Proc tree to judge whether the current 802.1x protocol authentication mode is port authentication mode or MAC authentication mode. In port authentication mode, query the node value (0 or 1) under the Ports directory corresponding to the input port information and return that node value; in MAC authentication mode, perform step 607.
Step 607: query the value of the AuthMAC node of the Proc tree and judge whether the input source MAC address is in the authenticated MAC address table recorded at this AuthMAC node. If so, return 1; otherwise return 0.
Through the above processing, the verification function interface returns 0 or 1 to the Ethernet driver. A return value of 1 means accept this message: the Ethernet driver accepts it and uploads it to the corresponding upper-layer program for this message. A return value of 0 means discard this message: the Ethernet driver discards the received message.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.
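As an added illustration, not code from the patent, the decision flow of steps 601 to 607 written as a C function over a constructed in-memory stand-in for the Proc node tree. It assumes the EAPOL EtherType 0x888E and the EAPOL-Start packet type value 1 from IEEE 802.1X, and encodes the "hidden" port information as one byte appended to the frame, since the patent does not specify that encoding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_P_EAPOL 0x888E   /* EtherType of IEEE 802.1X EAPOL frames */
#define EAPOL_START 1        /* EAPOL Packet Type value of EAPOL-Start */
#define MAX_PORTS   4
#define MAX_MACS    8

enum auth_mode { MODE_PORT = 0, MODE_MAC = 1 };

/* Constructed in-memory stand-in for the Proc node tree of the description. */
struct auth_params {
    int enable;                                     /* Enable node */
    enum auth_mode mode;                            /* Mode node */
    uint8_t accept_mac[MAX_MACS][6]; int n_accept;  /* AcceptMAC node */
    uint8_t deny_mac[MAX_MACS][6];   int n_deny;    /* DenyMAC node */
    uint8_t auth_mac[MAX_MACS][6];   int n_auth;    /* AuthMAC node */
    int port_ok[MAX_PORTS];                         /* Ports/P0..Pn: 1 = passed */
};

static bool mac_in_table(const uint8_t (*tbl)[6], int n, const uint8_t *mac)
{
    for (int i = 0; i < n; i++)
        if (memcmp(tbl[i], mac, 6) == 0)
            return true;
    return false;
}

/* Verification function: returns 1 to hand the frame up, 0 to drop it.
 * frame/len/cap are the raw Ethernet frame, its current length and the
 * buffer capacity; port is the ingress port of the switch chip. On an
 * EAPOL-Start frame the port number is appended as one trailing byte
 * (assumed encoding) so the upper-layer authenticator can learn the port. */
int verify_frame(const struct auth_params *p, uint8_t *frame, size_t *len,
                 size_t cap, int port)
{
    if (*len < 14)                   /* added sanity check: no Ethernet header */
        return 0;
    const uint8_t *src_mac = frame + 6;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);

    if (!p->enable)                                                   /* 601 */
        return 1;
    if (mac_in_table(p->accept_mac, p->n_accept, src_mac))            /* 602 */
        return 1;
    if (mac_in_table(p->deny_mac, p->n_deny, src_mac))                /* 603 */
        return 0;
    if (ethertype == ETH_P_EAPOL) {                                   /* 604 */
        /* EAPOL header follows the Ethernet header: version, type, length */
        if (*len >= 16 && frame[15] == EAPOL_START && *len < cap) {   /* 605 */
            frame[*len] = (uint8_t)port;
            (*len)++;
        }
        return 1;                    /* every authentication frame goes up */
    }
    if (p->mode == MODE_PORT)                                         /* 606 */
        return (port >= 0 && port < MAX_PORTS) ? p->port_ok[port] : 0;
    return mac_in_table(p->auth_mac, p->n_auth, src_mac) ? 1 : 0;    /* 607 */
}
```

Note that the default-deny table is consulted before the authenticated-port state, so a denied MAC is dropped even on a port that has already passed authentication.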

Claims (10)

1. An Ethernet port control device, characterized in that it comprises:
an Ethernet driver module of the Ethernet driver layer, for determining, after receiving a message from the Ethernet switch chip of the physical link layer, the type of the message, its source media access control (MAC) address and the port of the Ethernet switch chip that received it, inputting the determined information into the port control module, and deciding whether to accept the message according to the information returned by the port control module;
a port control module of the Ethernet driver layer, for setting message authentication parameters according to configuration commands of the authentication service program module of the application layer, the parameters comprising the authenticated MAC addresses and/or port authentication information, and for performing port control according to the input information of the Ethernet driver module and the message authentication parameters, the port control comprising: if the type of the message received by the Ethernet driver module is an authentication message, notifying the Ethernet driver module to accept the message and upload it to the upper-layer authentication service program module; if it is a non-authentication message, judging whether the MAC address of the message or the port of the Ethernet switch chip that received it is an authenticated MAC address or port set in the message authentication parameters, and if so notifying the Ethernet driver module to accept the message and upload it to the corresponding upper-layer application, otherwise discarding the message;
an authentication service program module of the application layer, for authenticating MAC addresses and/or port information according to the authentication messages uploaded by the Ethernet driver layer, and sending configuration instructions for setting the message authentication parameters to the port control module.
2. The device according to claim 1, characterized in that the port control module specifically comprises two external interfaces:
a message authentication parameter configuration interface for the authentication service program module to call, comprising a data structure for storing the message authentication parameters, through which the authentication service program module accesses and modifies the message authentication parameters in that data structure;
a verification function interface for the Ethernet driver module to call, for performing the port control according to the input information of the Ethernet driver module and the message authentication parameters.
3. The device according to claim 2, characterized in that the data structure for storing the message authentication parameters is a Proc node tree.
4. The device according to any one of claims 1 to 3, characterized in that the authentication control protocol used by the Ethernet port control device is the IEEE 802.1x protocol.
5. An Ethernet port control method, characterized in that it comprises:
the Ethernet switch chip uploads received messages to the Ethernet driver layer;
the Ethernet driver layer determines the type and source MAC address of the message from the Ethernet switch chip and the port of the Ethernet switch chip that received it; if the message type is an authentication message, it accepts the message and uploads it to the upper-layer authentication service program;
the upper-layer authentication service program authenticates the MAC address and/or port information according to the authentication message, and sends a configuration instruction for setting message authentication parameters to the Ethernet driver layer;
the Ethernet driver layer sets the message authentication parameters according to the configuration command of the authentication service program, the set parameters comprising the authenticated MAC addresses and/or port authentication information;
if the type of the message received by the Ethernet driver layer from the Ethernet switch chip is a non-authentication message, judging whether the MAC address of the message or the port of the Ethernet switch chip that received it is an authenticated MAC address or port set in the message authentication parameters; if so, accepting the message and uploading it to the corresponding upper-layer application, otherwise discarding the message.
6. The method according to claim 5, characterized in that it further comprises:
the set message authentication parameters comprise a default-accept MAC address table; after determining the source MAC address of a message from the Ethernet switch chip, the Ethernet driver layer judges whether that source MAC address is in the default-accept MAC address table, and if so accepts the message and uploads it to the corresponding upper-layer application;
and/or, the set message authentication parameters comprise a default-deny MAC address table; after determining the source MAC address of a message from the Ethernet switch chip, the Ethernet driver layer judges whether that source MAC address is in the default-deny MAC address table, and if so discards the message.
7. The method according to claim 5, characterized in that an enable flag is further set in the message authentication parameters to indicate whether Ethernet port control is enabled; after the Ethernet driver layer receives a message from the Ethernet switch chip, it first judges by this enable flag whether Ethernet port control is enabled, and if so performs the subsequent Ethernet port control flow; otherwise it accepts the message and uploads it to the corresponding upper-layer application.
8. The method according to claim 5, characterized in that an authentication mode flag is further set in the message authentication parameters to indicate MAC authentication mode or port authentication mode;
after the Ethernet driver layer receives a message from the Ethernet switch chip, it judges by this authentication mode flag whether the mode is MAC authentication mode or port authentication mode;
in MAC authentication mode, it judges whether the MAC address of the message is an authenticated MAC address set in the message authentication parameters, and if so accepts the message and uploads it to the corresponding upper-layer application, otherwise discards the message;
in port authentication mode, it judges whether the port that received the message is an authenticated port set in the message authentication parameters, and if so accepts the message and uploads it to the corresponding upper-layer application, otherwise discards the message.
9. The method according to claim 5, characterized in that the specific manner in which the Ethernet driver layer sets the message authentication parameters is:
the Ethernet driver layer creates and maintains in the operating system kernel a Proc node tree data structure for storing the message authentication parameters, and the authentication service program directly accesses and modifies the message authentication parameters in this Proc node tree by configuration commands.
10. The method according to any one of claims 5 to 9, characterized in that the Ethernet port control method is a method of control using the IEEE 802.1x protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210032478.3A CN102571603B (en) 2012-02-14 2012-02-14 Ethernet port controlling apparatus and method thereof


Publications (2)

Publication Number Publication Date
CN102571603A CN102571603A (en) 2012-07-11
CN102571603B true CN102571603B (en) 2014-12-17

Family

ID=46416104


Country Status (1)

Country Link
CN (1) CN102571603B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220125

Address after: 610041 floors 15-24, Maipu building, No. 288, Tianfu Third Street, high tech Zone, Chengdu, Sichuan

Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.

Address before: 610041 nine Xing Xing Road 16, hi tech Zone, Sichuan, Chengdu

Patentee before: CHENGDU XINDIAN TECHNOLOGY Co.,Ltd.

CP02 Change in the address of a patent holder

Address after: 610041 nine Xing Xing Road 16, hi tech Zone, Sichuan, Chengdu

Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.

Address before: 610041 floors 15-24, Maipu building, No. 288, Tianfu Third Street, high tech Zone, Chengdu, Sichuan

Patentee before: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.
