CN114221928A - Method, system, device and storage medium for defending IP conflict of management network - Google Patents
- Publication number: CN114221928A
- Application number: CN202111308691.8A
- Authority: CN (China)
- Prior art keywords: node, virtualization, mac, cloud platform, virtualized
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/0823—Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
- H04L41/0836—Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability to enhance reliability, e.g. reduce downtime
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/30—Peripheral units, e.g. input or output ports
- H04L49/3009—Header conversion, routing tables or routing tags
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/70—Virtual switches
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method, a system, a device and a storage medium for defending against IP conflicts in a management network. First, the cloud platform records the MAC address of each managed virtualization node to form a virtualization node MAC trusted list, then issues the list to the agent module of each node; the agent module stores the list in a memory cache, and whenever the list is updated the cloud platform issues the new list promptly. After a virtualization node initiates access, the agent module intercepts the ARP reply messages; if the sender MAC address in the three-layer header of an ARP reply is not in the MAC trusted list, the agent module treats the replying node as a conflict node and discards that ARP reply. The invention thus defends against IP conflicts: even if an IP conflict occurs, the conflicted virtualization node can still be accessed normally by the other virtualization nodes, and normal communication among all virtualization nodes managed by the cloud platform is ensured.
Description
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method, a system, an apparatus, and a storage medium for defending against IP collisions in a management network.
Background
Cloud computing is an internet-based computing approach by which shared software and hardware resources and information can be provided to computers and other devices on demand. Typical cloud computing providers offer general-purpose web service applications that are accessed through a browser or other web service client, with both the software and the data stored on the server. Cloud computing services typically provide common online business applications accessed through a browser, while software and data are stored in a data center. Cloud computing in the narrow sense refers to a delivery and usage mode for IT infrastructure in which the required resources are obtained over a network on demand and in an easily extensible way; cloud computing in the broad sense refers to a delivery and usage mode for services in which the required service is obtained over a network on demand and in an easily extensible way. Such services may be IT and software services, internet-related services, or other services. It means that computing power can also be circulated as a commodity over the internet.
The cloud computing architecture is divided into two parts: services and management. The service part mainly provides users with various cloud-based services at three levels: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The management part is the cloud's management layer, whose function is to ensure that the entire cloud computing center can operate safely and stably and can be managed effectively.
In a cloud computing data center, the management network of a virtualization node carries control-flow information. Once a management network IP conflict occurs at a node, the IP addresses of the virtualization nodes can no longer reach one another, the resulting interruption of control flow has serious consequences, and in most cases the IP conflict is resolved by manual investigation.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide a method, a system, an apparatus, and a storage medium for defending against an IP conflict in a management network, which can defend against an IP conflict, so that even if an IP conflict occurs in a node, the conflicted virtualized node can be normally accessed by other virtualized nodes, thereby ensuring normal communication of all virtualized nodes managed by a cloud platform.
To achieve this object, the invention adopts the following technical scheme. A method for defending against IP conflicts in a management network comprises the following steps:
performing virtualization processing on a physical machine to generate a virtualization node, and adding the virtualization node into a cloud platform;
the cloud platform manages the MAC addresses of all the virtualization nodes by establishing a virtualization node MAC trusted list;
the virtualization node exchanges the virtualization node MAC trusted list with the cloud platform through a built-in agent module;
when any virtualization node under the management of the cloud platform initiates access in the management network, sending an address resolution protocol request message to the management network;
after the request has been sent, the virtualization node intercepts all address resolution protocol reply messages through the agent module, and acquires the sender MAC address from each address resolution protocol reply message;
judging whether the MAC address of the sender is in a MAC credible list of the virtualization nodes, if so, taking the corresponding virtualization node as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
Further, the virtualizing the physical machine to generate a virtualized node, and adding the virtualized node to the cloud platform includes:
installing a virtualization system on a physical machine and generating a virtual switch;
setting a physical network card and a management network interface of a virtual switch;
the physical network card serves as the uplink, and the traffic entering and leaving the node passes through it;
the management network interface is used as a virtual interface of the virtual switch, and the management network interface is communicated with the cloud platform and other virtualization nodes by setting an IP address on the virtual interface.
Further, the cloud platform manages the MAC addresses of all the virtualized nodes by establishing a virtualized node MAC trusted list, including:
when a virtual node is added, the cloud platform acquires the MAC address of a management port of the virtual node, collects corresponding information and records the information in a database;
and forming a virtualized node MAC credible list according to the recorded information.
Further, the method for the virtualization node to interact with the cloud platform through the built-in agent module to form the virtualized node MAC trusted list comprises the following steps:
when the virtualized node MAC trusted list is updated, the cloud platform issues the updated virtualized node MAC trusted list to all virtualized nodes;
the virtualization node receives the virtualization node MAC trusted list through the built-in agent module and stores the virtualization node MAC trusted list in the memory cache.
Further, acquiring the sender MAC address from the address resolution protocol reply message includes: acquiring the sender MAC address from the three-layer header of the address resolution protocol reply message.
Correspondingly, the invention also discloses a defense system for managing network IP conflict, which comprises:
the virtual unit is used for performing virtualization processing on the physical machine, generating a virtualization node and adding the virtualization node into the cloud platform; the management unit is used for controlling the cloud platform to manage the MAC addresses of all the virtualization nodes by establishing a virtualization node MAC trusted list;
the interaction unit is used for controlling the virtualization node to interact with the virtual node MAC trusted list through the built-in agent module;
the access initiating unit is used for sending an address resolution protocol request message to the management network when any virtualization node under the management of the cloud platform initiates access in the management network;
the message interception unit is used for controlling the virtualization node to intercept all address resolution protocol reply messages through the agent module;
the address acquisition unit is used for acquiring the MAC address of the sender in the response message of the address resolution protocol;
the defense unit is used for judging whether the MAC address of the sender is in the MAC credible list of the virtualization nodes, and if so, taking the corresponding virtualization node as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
Further, the virtual unit includes:
the installation module is used for installing the virtualization system on the physical machine and generating a virtual switch;
the network port setting module is used for setting the physical network card and the management network interface of the virtual switch; the physical network card serves as the uplink, and the traffic entering and leaving the node passes through it; the management network interface serves as a virtual interface of the virtual switch and communicates with the cloud platform and other virtualization nodes once an IP address is set on it.
Further, the management unit includes:
the recording module is used for acquiring the MAC address of the management port of the virtualization node when the virtualization node is added by the cloud platform, collecting corresponding information and recording the information in the database;
and the table building module is used for forming a virtualized node MAC trusted list according to the recorded information.
Further, the interaction unit includes:
the issuing module is used for issuing the updated virtualized node MAC trusted list to all the virtualized nodes by the cloud platform when the virtualized node MAC trusted list is updated;
and the storage module is used for receiving the virtualized node MAC trusted list by the virtualized node through the built-in agent module and storing the virtualized node MAC trusted list in the memory cache.
Correspondingly, the invention discloses a defense device for managing IP conflict of a network, which comprises:
the memory is used for storing a defense program for managing IP conflict of the network;
a processor, configured to implement the steps of the method for defending against IP conflicts in a management network as described in any one of the above when executing the program for defending against IP conflicts in the management network.
Correspondingly, the invention discloses a readable storage medium, wherein the readable storage medium stores a defense program for managing network IP conflict, and the defense program for managing network IP conflict realizes the steps of the defense method for managing network IP conflict as described in any one of the above when being executed by a processor.
Compared with the prior art, the invention has the beneficial effects that: the invention discloses a method, a system, a device and a storage medium for defending IP conflicts of a management network. After the virtualized node initiates access, the agent module intercepts the ARP response message, if the sender MAC address in the three-layer header of the ARP response message is not in the MAC list, the agent module regards the response node as a conflict node and discards the ARP response message.
The invention can defend IP conflict, even if IP conflict occurs, the conflicted virtualization node can be normally accessed by other virtualization nodes, and the normal communication of all the virtualization nodes managed by the cloud platform can be ensured.
The invention effectively saves the operation and maintenance cost for checking the IP conflict and greatly improves the stability of the virtualized network environment.
Therefore, compared with the prior art, the invention has prominent substantive features and remarkable progress, and the beneficial effects of the implementation are also obvious.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below show only embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a method according to a first embodiment of the present invention.
FIG. 2 is a system configuration diagram of the second embodiment of the present invention.
FIG. 3 is a schematic diagram of the operation of the third embodiment of the present invention.
The core of the invention is to provide a method for defending against IP conflicts in a management network. In the prior art, in a cloud computing data center the management network of a virtualization node carries control-flow information; once a management network IP conflict occurs at a node, the IP address of that node can no longer be reached by the other virtualization nodes, the interruption of control flow has serious consequences, and in most cases the IP conflict is resolved by manual investigation, which is time-consuming, labor-intensive and expensive to operate and maintain.
The method for defending against IP conflicts in the management network works as follows. First, when a virtualization node is added, the cloud platform obtains the MAC information of the node's management port and maintains a MAC list of the managed virtualization nodes. Agent modules are deployed on the virtualization nodes and are uniformly controlled by the cloud platform. The cloud platform issues the MAC trusted list of the managed virtualization nodes to the agent module of each node; the agent module keeps the list in its memory cache, and whenever the list is updated the cloud platform issues the new list promptly. When a virtualization node initiates access, the agent module intervenes in the reception of address resolution protocol messages: it intercepts each address resolution protocol reply message, and if the sender MAC address in the three-layer header of the reply is not in the MAC list, the agent module discards that ARP reply. As a result, the IP-to-MAC mapping in the virtualization node's ARP cache table cannot be interfered with by illegal devices, and the IP address of the target virtualization node can still be correctly accessed by the other virtualization nodes managed by the cloud platform even when the target node's IP conflicts. The method and system therefore defend against IP conflicts: even if a node's IP conflicts, the conflicted virtualization node can still be accessed normally by the other virtualization nodes, and normal communication among all virtual nodes managed by the cloud platform is guaranteed.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
As shown in FIG. 1, this embodiment provides a method for defending against IP conflicts in a management network, comprising the following steps:
S1: performing virtualization processing on the physical machine to generate a virtualization node, and adding the virtualization node to the cloud platform.
The method specifically comprises the following steps:
Install a virtualization system on the physical machine; after the installation is finished, a virtual switch is generated. The virtual switch comprises a physical network card and a management network interface: the physical network card serves as the uplink, and the traffic entering and leaving the node passes through it; the management network interface is a virtual interface which, once assigned an IP address, can communicate with the cloud platform and other virtual nodes. After being added to the cloud platform, the virtualization node is managed by it and communicates with the cloud platform or other virtualization nodes through its management network IP address.
S2: the cloud platform manages the MAC addresses of all the virtualization nodes by establishing a virtualization node MAC trusted list.
When the virtualized node is added, the cloud platform acquires the MAC address of the management port of the virtualized node, collects the information and records the information in the database, and forms a virtualized node MAC credible list. After all the virtualized nodes are managed by the cloud platform, the MAC trusted list records the MAC addresses of all the virtualized nodes managed by the cloud platform.
S3: the virtualization node interacts with a cloud platform through a built-in agent module to form a virtualization node MAC trusted list.
The agent module of the virtualization node is part of the virtual switch; its function is to exchange the MAC list with the cloud platform. The cloud platform issues the MAC trusted list to the agent modules of all nodes, each agent module keeps the list in its memory cache, and whenever the MAC trusted list is updated the cloud platform issues the new list promptly.
S4: when any virtualization node under the management of the cloud platform initiates access in the management network, an address resolution protocol request message is sent to the management network.
When the virtualization node accesses other nodes, the node sends out an ARP (address resolution protocol) request message, the message is a broadcast message, the sending flow is a normal ARP sending flow, and the broadcast message can be received by equipment in the same VLAN.
S5: after the transmission is finished, the virtualization node intercepts all address resolution protocol response messages through the proxy module.
S6: and acquiring the MAC address of the sender in the response message of the address resolution protocol.
S7: judging whether the MAC address of the sender is in a MAC credible list of the virtualization nodes, if so, taking the corresponding virtualization node as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
Through steps S5 to S7, the agent module intervenes in the receiving process: it intercepts the ARP reply messages, and if the sender MAC address in the three-layer header of an ARP reply is not in the MAC list, the agent module treats the sending node of that reply as a conflict node and discards the reply. Therefore, the IP-to-MAC mapping in the virtualization node's ARP cache table cannot be interfered with by illegal devices, and the IP address of the target virtualization node can still be correctly accessed by other nodes even when the target node's IP conflicts.
The embodiment provides a method for defending IP conflicts of a management network, which can defend the IP conflicts, and even if the IP conflicts occur, conflicted virtualization nodes can be normally accessed by other virtualization nodes, so that the normal communication of all the virtualization nodes managed by a cloud platform can be ensured. The embodiment effectively saves the operation and maintenance cost for checking the IP conflict, and greatly improves the stability of the virtualized network environment.
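As an added illustration of steps S4 to S7 (the same steps appear in the method claims above), the following Python code is not part of the patent; it models the agent module's decision on raw Ethernet/IPv4 ARP frames. The frame layout, the constructed addresses MAC1 to MAC3, IP1 and IP2, the function names and the `TRUSTED` set are all assumptions made for this example; the patent does not specify a frame format or an implementation language. The sender MAC is read from the ARP sender hardware address field, because that is the value an ARP cache learns from a reply; the check is applied only to ARP replies, requests and non-ARP frames are passed through untouched, and a truncated ARP frame that cannot be verified is dropped.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Ethernet/IPv4 ARP constants (constructed example, not the patent's code)
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_HDR_LEN = 28           # htype/ptype/hlen/plen/op (8) + sha(6) + spa(4) + tha(6) + tpa(4)
ARP_OP_REQUEST = 1
ARP_OP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class ArpInfo:
    opcode: int
    sender_mac: str   # ARP sender hardware address field: what the ARP cache learns
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Decode an Ethernet/IPv4 ARP frame; None if it is not a well-formed one."""
    if len(frame) < ETH_HDR_LEN + ARP_HDR_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_HDR_LEN]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpInfo(opcode, mac_str(arp[8:14]), ip_str(arp[14:18]),
                   mac_str(arp[18:24]), ip_str(arp[24:28]))


def filter_frame(frame: bytes, trusted_macs: frozenset) -> Tuple[str, Optional[ArpInfo]]:
    """Agent-module decision for one inbound frame on the management interface.

    Returns ("pass", info) when the frame may continue to the normal receive path
    and ("drop", info) when it must be discarded.  Only ARP replies are judged;
    ARP requests and non-ARP traffic are left alone, matching steps S5 to S7.
    """
    if len(frame) < ETH_HDR_LEN:
        return "drop", None                     # runt frame, nothing to inspect
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return "pass", None                     # not ARP: the agent does not intervene
    info = parse_arp(frame)
    if info is None:
        return "drop", None                     # malformed ARP: cannot be verified
    if info.opcode != ARP_OP_REPLY:
        return "pass", info                     # requests are forwarded unchanged
    if info.sender_mac in trusted_macs:
        return "pass", info                     # reply from a node on the trusted list
    return "drop", info                         # sender not on the list: conflict node


def build_arp(opcode: int, sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes, eth_src: Optional[bytes] = None) -> bytes:
    """Build a raw Ethernet/IPv4 ARP frame (constructed test input for the filter)."""
    eth_src = sender_mac if eth_src is None else eth_src
    eth_dst = target_mac if opcode == ARP_OP_REPLY else b"\xff" * 6
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


# Constructed addresses: node A (IP1/MAC1), node B (IP2/MAC2), and a conflict
# device X that also holds IP2 but has MAC3.  TRUSTED is the list issued by the
# cloud platform in steps S2 and S3 (assumed contents).
MAC1 = bytes.fromhex("020000000001")
MAC2 = bytes.fromhex("020000000002")
MAC3 = bytes.fromhex("020000000003")
IP1 = bytes([10, 0, 0, 1])
IP2 = bytes([10, 0, 0, 2])
TRUSTED = frozenset({mac_str(MAC1), mac_str(MAC2)})


def scenario() -> dict:
    """Run the filter over the frames node A receives after asking who has IP2."""
    frames = {
        "reply_from_B": build_arp(ARP_OP_REPLY, MAC2, IP2, MAC1, IP1),
        "reply_from_X": build_arp(ARP_OP_REPLY, MAC3, IP2, MAC1, IP1),
        # Ethernet source and ARP sender field disagree: the cache learns the ARP
        # field, so that is the value the agent checks, not the Ethernet header.
        "reply_from_X_eth_src_MAC2": build_arp(ARP_OP_REPLY, MAC3, IP2, MAC1, IP1, eth_src=MAC2),
        "request_from_A": build_arp(ARP_OP_REQUEST, MAC1, IP1, b"\x00" * 6, IP2),
        "non_arp": b"\xff" * 6 + MAC3 + struct.pack("!H", 0x0800) + b"\x45" * 20,
        "truncated_arp": build_arp(ARP_OP_REPLY, MAC3, IP2, MAC1, IP1)[:30],
    }
    return {name: filter_frame(f, TRUSTED)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28s} -> {verdict}")
```

Running the block prints one verdict per constructed frame: only the reply whose ARP sender MAC is MAC2 reaches the node's receive path, so its ARP cache learns IP2 as MAC2 regardless of how many replies device X sends.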
Example two:
based on the first embodiment, as shown in fig. 2, the present invention also discloses a defense system for managing IP conflicts, comprising: the system comprises a virtual unit, a management unit, an interaction unit, an access initiating unit, a message intercepting unit, an address acquiring unit and a defense unit.
The virtual unit is used for performing virtualization processing on the physical machine, generating a virtualization node and adding it to the cloud platform. The virtual unit specifically includes: an installation module, used for installing the virtualization system on the physical machine and generating a virtual switch; and a network port setting module, used for setting the physical network card and the management network interface of the virtual switch, where the physical network card serves as the uplink through which the node's traffic passes, and the management network interface serves as a virtual interface of the virtual switch that communicates with the cloud platform and other virtualization nodes once an IP address is set on it.
The management unit is used for controlling the cloud platform to manage the MAC addresses of all virtualization nodes by establishing a virtualization node MAC trusted list. The management unit specifically includes: a recording module, used for acquiring the MAC address of the management port of a virtualization node when the cloud platform adds that node, collecting the corresponding information and recording it in the database; and a table building module, used for forming the virtualization node MAC trusted list from the recorded information.
The interaction unit is used for controlling the virtualization node to exchange the virtualization node MAC trusted list with the cloud platform through the built-in agent module. The interaction unit specifically includes: an issuing module, used for the cloud platform to issue the updated virtualization node MAC trusted list to all virtualization nodes whenever the list is updated; and a storage module, used for the virtualization node to receive the list through the built-in agent module and store it in the memory cache.
The access initiating unit is used for sending an address resolution protocol request message to the management network when any virtualization node managed by the cloud platform initiates access in the management network.
The message interception unit is used for controlling the virtualization node to intercept all address resolution protocol reply messages through the agent module.
The address acquisition unit is used for acquiring the sender MAC address from the address resolution protocol reply message; specifically, it acquires the sender MAC address from the three-layer header of the reply message.
The defense unit is used for judging whether the MAC address of the sender is in the MAC credible list of the virtualization nodes, and if so, taking the corresponding virtualization node as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
The embodiment provides a defense system for managing network IP conflicts, which can defend the IP conflicts, so that even if an IP conflict occurs in a node, the conflicted virtualized node can be normally accessed by other virtualized nodes, and the normal communication of all the virtualized nodes managed by the cloud platform is ensured.
Example three:
Based on the above embodiments, this embodiment gives a specific implementation of the method for defending against IP conflicts in a management network.
As shown in FIG. 3, the cloud platform manages two virtualization nodes, A and B, whose management network IP addresses are IP1 and IP2 and whose MAC addresses are MAC1 and MAC2, respectively.
The IP address of conflict device X is the same as that of virtualization node B, namely IP2, so an IP conflict has already occurred. Without the method for defending against IP conflicts in the management network, virtualization node A cannot normally access the management network IP address of virtualization node B.
After the defense method is introduced, when node A in FIG. 3 accesses address IP2, it sends an ARP request broadcast message, which is received by both node B and conflict device X. Because both devices hold IP address IP2, both send an ARP reply, so node A receives two ARP reply messages. The replies are intercepted by the agent module of node A, which extracts the sender MAC addresses from the three-layer headers of the reply messages, namely MAC2 and MAC3. MAC3 is evidently not in the MAC trusted list, so the agent module discards the ARP reply from conflict device X, and node A finally receives only the ARP reply of node B. Node A therefore determines that the MAC address of destination IP2 is MAC2 rather than MAC3, and on that basis it can access node B normally.
It can be seen that, after the defense method is used, even if another device with the same IP address as node B exists in the data center, virtualization node A always accesses the correct node B and no network communication abnormality occurs.
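To show the trusted-list lifecycle of steps S2 and S3 together with the two-reply situation of this example, here is an added Python simulation that is not part of the patent. It models the cloud platform's node database and list versioning, the agent's in-memory copy of the list, and node A's ARP cache, using constructed addresses IP1, IP2 and MAC1 to MAC4; the class and function names are assumptions. It contrasts node A with and without the agent module, and shows the agent's cached list being refreshed when a new node C joins.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    """An already-decoded ARP reply as seen by the node (constructed input)."""
    sender_ip: str
    sender_mac: str


class Agent:
    """Agent module inside a node's virtual switch: keeps the trusted list in memory."""

    def __init__(self) -> None:
        self.version = -1
        self.trusted: FrozenSet[str] = frozenset()

    def receive_list(self, version: int, macs: FrozenSet[str]) -> None:
        if version > self.version:            # ignore stale or replayed pushes
            self.version = version
            self.trusted = macs

    def accept(self, reply: ArpReply) -> bool:
        return reply.sender_mac in self.trusted


class CloudPlatform:
    """Records the management-port MAC of every managed node and pushes the list to agents."""

    def __init__(self) -> None:
        self.db: Dict[str, str] = {}          # node name -> management-port MAC
        self.version = 0
        self.agents: List[Agent] = []

    def trusted_list(self) -> FrozenSet[str]:
        return frozenset(self.db.values())

    def register_agent(self, agent: Agent) -> None:
        self.agents.append(agent)
        agent.receive_list(self.version, self.trusted_list())

    def add_node(self, name: str, mgmt_mac: str) -> None:
        self.db[name] = mgmt_mac
        self.version += 1                     # every change is a new list version
        for agent in self.agents:             # issued promptly to all nodes
            agent.receive_list(self.version, self.trusted_list())


class Node:
    def __init__(self, name: str, agent: Optional[Agent]) -> None:
        self.name = name
        self.agent = agent                    # None models a node without the defense
        self.arp_cache: Dict[str, str] = {}
        self.dropped: List[ArpReply] = []

    def receive_replies(self, replies: List[ArpReply]) -> Dict[str, str]:
        for r in replies:
            if self.agent is not None and not self.agent.accept(r):
                self.dropped.append(r)        # sender not on the list: reply discarded
                continue
            self.arp_cache[r.sender_ip] = r.sender_mac   # a later reply overwrites an earlier one
        return self.arp_cache


# Constructed addresses for the topology of this example (MAC4 is a later node C).
IP1, IP2 = "10.0.0.1", "10.0.0.2"
MAC1, MAC2, MAC3, MAC4 = ("02:00:00:00:00:0%d" % i for i in (1, 2, 3, 4))


def example_three(with_agent: bool) -> Tuple[str, int]:
    """Node A resolves IP2; B (MAC2) and conflict device X (MAC3) both reply, X last.
    Returns the MAC node A ends up using for IP2 and the number of dropped replies."""
    platform = CloudPlatform()
    platform.add_node("A", MAC1)
    platform.add_node("B", MAC2)
    agent = Agent() if with_agent else None
    if agent is not None:
        platform.register_agent(agent)
    node_a = Node("A", agent)
    node_a.receive_replies([ArpReply(IP2, MAC2), ArpReply(IP2, MAC3)])
    return node_a.arp_cache[IP2], len(node_a.dropped)


def list_update() -> Tuple[int, bool, bool]:
    """Node C joins after the agent already holds a list: the platform re-issues the
    list, the agent's cached copy is refreshed, and replies from C are then accepted."""
    platform = CloudPlatform()
    platform.add_node("A", MAC1)
    agent = Agent()
    platform.register_agent(agent)
    before = agent.accept(ArpReply("10.0.0.4", MAC4))
    platform.add_node("C", MAC4)
    after = agent.accept(ArpReply("10.0.0.4", MAC4))
    return agent.version, before, after


if __name__ == "__main__":
    print("with agent   :", example_three(True))
    print("without agent:", example_three(False))
    print("list update  :", list_update())
```

Without the agent, node A's cache keeps whichever reply arrives last, so the conflict device wins the race; with the agent, the reply from MAC3 is dropped and the cache settles on MAC2. The simulation also makes two operational points visible: the agent only trusts list versions newer than the one it holds, so a node that misses a push converges on the next one, and the list itself must reach agents over a channel that only the cloud platform can write to, since the allowlist is what the whole defense rests on.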
Example four:
This embodiment discloses a device for defending against IP conflicts in a management network, comprising a processor and a memory; when executing the defense program for management network IP conflicts stored in the memory, the processor implements the following steps:
1. performing virtualization processing on the physical machine to generate a virtualization node, and adding the virtualization node to the cloud platform.
2. The cloud platform manages the MAC addresses of all the virtualization nodes by establishing a virtualization node MAC trusted list.
3. The virtualization node interacts with a cloud platform through a built-in agent module to form a virtualization node MAC trusted list.
4. When any virtualization node under the management of the cloud platform initiates access in the management network, an address resolution protocol request message is sent to the management network.
5. After the request has been sent, the virtualization node intercepts all address resolution protocol reply messages through the agent module.
6. Acquiring the sender MAC address from the address resolution protocol reply message.
7. Judging whether the MAC address of the sender is in a MAC credible list of the virtualization nodes, if so, taking the corresponding virtualization node as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
Further, the defense apparatus against IP conflicts of the management network in this embodiment may further include:
an input interface, used for acquiring an externally introduced defense program against IP conflicts of the management network and storing it in the memory, and also used for acquiring instructions and parameters transmitted by external terminal equipment and passing them to the processor, so that the processor performs the corresponding processing using those instructions and parameters. In this embodiment, the input interface may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, and the like;
an output interface, used for outputting the data generated by the processor to the terminal equipment connected to it, so that other terminal equipment connected to the output interface can obtain the data generated by the processor. In this embodiment, the output interface may specifically include, but is not limited to, a USB interface, a serial interface, and the like;
a communication unit, used for establishing a remote communication connection between the defense apparatus and an external server, so that the defense apparatus can mount the image file into the external server. In this embodiment, the communication unit may specifically include, but is not limited to, a remote communication unit based on wireless or wired communication technology;
a keyboard, used for acquiring parameter data or instructions entered by a user through real-time key presses;
a display, used for displaying in real time relevant information in the short-circuit location process of the power supply line of the running server;
a mouse, which can be used to assist the user in entering data and simplify the user's operation.
Example four:
This embodiment also discloses a readable storage medium, where the readable storage medium includes a Random Access Memory (RAM), a memory, a Read Only Memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. The readable storage medium stores a defense program against IP conflicts of the management network, and the program, when executed by a processor, implements the following steps:
1. Perform virtualization processing on the physical machine to generate a virtualization node, and add the virtualization node into the cloud platform.
2. The cloud platform manages the MAC addresses of all virtualization nodes by establishing a virtualization node MAC trusted list.
3. The virtualization node interacts with the cloud platform through its built-in agent module to form the virtualization node MAC trusted list.
4. When any virtualization node managed by the cloud platform initiates access in the management network, it sends an address resolution protocol request message to the management network.
5. After the sending is finished, the virtualization node intercepts all address resolution protocol response messages through the built-in agent module.
6. The virtualization node obtains the sender MAC address from each address resolution protocol response message.
7. The virtualization node judges whether the sender MAC address is in the virtualization node MAC trusted list; if so, the corresponding virtualization node is taken as the accessed virtualization node; if not, the corresponding virtualization node is determined to be a conflict node, and the corresponding address resolution protocol response message is discarded.
This embodiment provides a readable storage medium that can defend against IP conflicts: even if an IP conflict occurs, the conflicted virtualization node can still be accessed normally by the other virtualization nodes, so normal communication among all virtualization nodes managed by the cloud platform is guaranteed.
In conclusion, the invention effectively saves the operation and maintenance cost of troubleshooting IP conflicts and greatly improves the stability of the virtualized network environment.
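The seven steps above, together with the trusted-list construction and distribution that claims 3 and 4 describe, as an added, self-contained Python model. This is example code written for this page, not code from the patent or from any product, and every node name, MAC address, IP address and ARP frame in it is constructed for illustration. It shows the platform recording each node's management-port MAC as the node joins, pushing the resulting list to every node's agent cache, and the agent discarding any ARP reply whose sender MAC is not on the list, so a conflicting host that answers for a trusted node's IP never reaches the requesting node's ARP table.

```python
import struct
from dataclasses import dataclass, field

# Added example (not the patent's own code). All names, MACs, IPs and frames
# below are constructed for illustration only.

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode for a reply


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying an ARP reply (constructed test input)."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)        # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_to_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    sender_ip = ".".join(str(b) for b in frame[28:32])         # sender protocol address
    return sender_mac, sender_ip


@dataclass
class NodeAgent:
    """Built-in agent on a virtualization node: caches the trusted list (step 3)
    and filters the ARP replies received after the node's own request (steps 5-7)."""
    name: str
    mgmt_mac: str                      # MAC of the node's management port
    cache: frozenset = frozenset()     # in-memory copy of the trusted list

    def receive_trusted_list(self, trusted: frozenset) -> None:
        self.cache = trusted

    def filter_arp_replies(self, frames):
        """Split replies into (accepted, conflicts); conflicts are the replies dropped."""
        accepted, conflicts = [], []
        for frame in frames:
            parsed = parse_arp_reply(frame)
            if parsed is None:
                continue                     # not an ARP reply: outside this filter
            sender_mac, _ = parsed
            if sender_mac in self.cache:
                accepted.append(parsed)      # trusted node: treat as the accessed node
            else:
                conflicts.append(parsed)     # unknown sender: conflict node, reply discarded
        return accepted, conflicts


@dataclass
class CloudPlatform:
    """Records each joining node's management-port MAC (step 2) and pushes the
    updated trusted list to every node agent (claim 4)."""
    records: dict = field(default_factory=dict)    # node name -> management-port MAC
    agents: list = field(default_factory=list)

    def add_node(self, agent: NodeAgent) -> None:
        self.records[agent.name] = agent.mgmt_mac
        self.agents.append(agent)
        self.publish()

    def trusted_list(self) -> frozenset:
        return frozenset(self.records.values())

    def publish(self) -> None:
        for agent in self.agents:
            agent.receive_trusted_list(self.trusted_list())


def demo():
    """Constructed scenario: node-a resolves node-b's management IP while a
    conflicting host also claims that IP; only node-b's reply survives."""
    platform = CloudPlatform()
    node_a = NodeAgent("node-a", "52:54:00:00:00:0a")
    node_b = NodeAgent("node-b", "52:54:00:00:00:0b")
    platform.add_node(node_a)
    platform.add_node(node_b)
    replies = [
        build_arp_reply("52:54:00:00:00:0b", "10.0.0.11", node_a.mgmt_mac, "10.0.0.10"),
        build_arp_reply("00:11:22:33:44:55", "10.0.0.11", node_a.mgmt_mac, "10.0.0.10"),
    ]
    return node_a.filter_arp_replies(replies)


if __name__ == "__main__":
    print(demo())
```

The page does not say how the agent is placed in the node's packet path (a virtual switch flow rule or a raw packet socket would both fit the described design), so the model hands it a list of frames instead. Note that the decision is keyed on the sender MAC alone: the guarantee holds only as long as the management-port MACs recorded by the platform are the ones actually in use on the nodes, which is why the list is refreshed from the platform whenever a node is added.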
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The method disclosed by the embodiment corresponds to the system disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative: the division into units is only one logical functional division, and other divisions may be used in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, systems or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each module may exist alone physically, or two or more modules are integrated into one unit.
Similarly, each processing unit in the embodiments of the present invention may be integrated into one functional module, or each processing unit may exist physically, or two or more processing units are integrated into one functional module.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, system, device and readable storage medium for defending against IP conflict of management network provided by the present invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
Claims (10)
1. A defense method against IP conflicts in a management network, characterized by comprising the following steps:
performing virtualization processing on a physical machine to generate a virtualization node, and adding the virtualization node into a cloud platform;
the cloud platform managing the MAC addresses of all virtualization nodes by establishing a virtualization node MAC trusted list;
the virtualization node interacting with the virtualization node MAC trusted list through a built-in agent module;
when any virtualization node managed by the cloud platform initiates access in the management network, sending an address resolution protocol request message to the management network;
after the sending is finished, the virtualization node intercepting all address resolution protocol response messages through the built-in agent module;
acquiring the sender MAC address from each address resolution protocol response message;
judging whether the sender MAC address is in the virtualization node MAC trusted list; if so, taking the corresponding virtualization node as the accessed virtualization node; if not, determining the corresponding virtualization node to be a conflict node and discarding the corresponding address resolution protocol response message.
2. The method for defending against IP conflicts in a management network according to claim 1, wherein virtualizing the physical machine, generating a virtualized node, and joining the virtualized node to the cloud platform comprises:
installing a virtualization system on a physical machine and generating a virtual switch;
setting a physical network card and a management network interface of a virtual switch;
taking the physical network card as the uplink, wherein the traffic of the access node passes through the physical network card;
the management network interface is used as a virtual interface of the virtual switch, and the management network interface is communicated with the cloud platform and other virtualization nodes by setting an IP address on the virtual interface.
3. The method for defending against management network IP collision of claim 1, wherein the cloud platform manages the MAC addresses of all the virtualized nodes by establishing a virtualized node MAC trusted list, comprising:
when a virtual node is added, the cloud platform acquires the MAC address of a management port of the virtual node, collects corresponding information and records the information in a database;
and forming a virtualized node MAC credible list according to the recorded information.
4. The method for defending against management network IP conflict of claim 1, wherein the virtualized node interacts with the cloud platform through the built-in agent module to form a virtualized node MAC trusted list, comprising:
when the virtualized node MAC trusted list is updated, the cloud platform issues the updated virtualized node MAC trusted list to all virtualized nodes;
the virtualization node receives the virtualization node MAC trusted list through the built-in agent module and stores the virtualization node MAC trusted list in the memory cache.
5. A defense system against IP conflicts in a management network, comprising:
a virtual unit, used for performing virtualization processing on a physical machine, generating a virtualization node and adding the virtualization node into a cloud platform;
a management unit, used for controlling the cloud platform to manage the MAC addresses of all virtualization nodes by establishing a virtualization node MAC trusted list;
an interaction unit, used for controlling the virtualization node to interact with the virtualization node MAC trusted list through a built-in agent module;
an access initiating unit, used for sending an address resolution protocol request message to the management network when any virtualization node managed by the cloud platform initiates access in the management network;
a message interception unit, used for controlling the virtualization node to intercept all address resolution protocol response messages through the built-in agent module;
an address acquisition unit, used for acquiring the sender MAC address from each address resolution protocol response message;
a defense unit, used for judging whether the sender MAC address is in the virtualization node MAC trusted list; if so, taking the corresponding virtualization node as the accessed virtualization node; if not, determining the corresponding virtualization node to be a conflict node and discarding the corresponding address resolution protocol response message.
6. The system of claim 5, wherein the virtual unit comprises:
the installation module is used for installing the virtualization system on the physical machine and generating a virtual switch;
a network port setting module, used for setting the physical network card and the management network interface of the virtual switch; taking the physical network card as the uplink, wherein the traffic of the access node passes through the physical network card; and using the management network interface as a virtual interface of the virtual switch, the management network interface communicating with the cloud platform and the other virtualization nodes through an IP address set on the virtual interface.
7. The defense system for managing network IP collisions as claimed in claim 5, wherein the management unit comprises:
the recording module is used for acquiring the MAC address of the management port of the virtualization node when the virtualization node is added by the cloud platform, collecting corresponding information and recording the information in the database;
and the table building module is used for forming a virtualized node MAC trusted list according to the recorded information.
8. The defense system for managing network IP conflicts of claim 5, wherein the interaction unit comprises:
the issuing module is used for issuing the updated virtualized node MAC trusted list to all the virtualized nodes by the cloud platform when the virtualized node MAC trusted list is updated;
and the storage module is used for receiving the virtualized node MAC trusted list by the virtualized node through the built-in agent module and storing the virtualized node MAC trusted list in the memory cache.
9. A defense apparatus against IP conflicts in a management network, comprising:
a memory, used for storing a defense program against IP conflicts of the management network;
a processor, used for implementing the steps of the defense method against IP conflicts of the management network as claimed in any one of claims 1 to 4 when executing the defense program.
10. A readable storage medium, characterized in that the readable storage medium stores a defense program against IP conflicts of the management network, and the program, when executed by a processor, implements the steps of the defense method against IP conflicts of the management network according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111308691.8A CN114221928A (en) | 2021-11-05 | 2021-11-05 | Method, system, device and storage medium for defending IP conflict of management network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114221928A true CN114221928A (en) | 2022-03-22 |
Family
ID=80696572
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111308691.8A Pending CN114221928A (en) | 2021-11-05 | 2021-11-05 | Method, system, device and storage medium for defending IP conflict of management network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114221928A (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1466341A (en) * | 2002-06-22 | 2004-01-07 | 华为技术有限公司 | A Method of Preventing IP Address Spoofing in Dynamic Address Assignment |
CN101094236A (en) * | 2007-07-20 | 2007-12-26 | 华为技术有限公司 | Method for processing message in address resolution protocol, communication system, and forwarding planar process portion |
CN101415012A (en) * | 2008-11-06 | 2009-04-22 | 杭州华三通信技术有限公司 | Method and system for defending address analysis protocol message aggression |
CN102546658A (en) * | 2012-02-20 | 2012-07-04 | 神州数码网络(北京)有限公司 | Method and system for preventing address resolution protocol (ARP) gateway spoofing |
CN104468746A (en) * | 2014-11-23 | 2015-03-25 | 国云科技股份有限公司 | A distributed virtual network implementation method suitable for cloud platform |
CN104717212A (en) * | 2014-10-21 | 2015-06-17 | 中华电信股份有限公司 | Protection method and system for cloud virtual network security |
CN104853001A (en) * | 2015-04-21 | 2015-08-19 | 杭州华三通信技术有限公司 | Address resolution protocol (ARP) message processing method and device |
CN107612843A (en) * | 2017-09-27 | 2018-01-19 | 国云科技股份有限公司 | A method to prevent cloud platform IP and MAC forgery |
CN108134856A (en) * | 2017-12-25 | 2018-06-08 | 杭州叙简科技股份有限公司 | A kind of virtualization MAC Address anti-collision method and device based on network tree |
CN112351116A (en) * | 2020-10-12 | 2021-02-09 | 苏州浪潮智能科技有限公司 | Protection method and system for untrusted DHCP server |
EP3787264A1 (en) * | 2019-08-30 | 2021-03-03 | Nutanix, Inc. | Handling ip network addresses in a virtualization system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114884922A (en) * | 2022-04-28 | 2022-08-09 | 济南浪潮数据技术有限公司 | IP conflict detection method, equipment and storage medium in data center |
CN114884922B (en) * | 2022-04-28 | 2024-10-01 | 济南浪潮数据技术有限公司 | Method, equipment and storage medium for detecting IP conflict in data center |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||