CN117201178A - Network access control method, device, equipment and readable storage medium - Google Patents
- Publication number: CN117201178A (application CN202311316815.6A)
- Authority: CN (China)
- Prior art keywords
- network access
- access control
- policy
- port
- mac address
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network access control method, device, equipment and readable storage medium applied in the field of computer network communication. The method comprises the following steps: acquiring a network access control policy configured on the basis of an ingress port, an egress port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type; acquiring a black-and-white list policy configured on the basis of the execution action; and forwarding data center traffic according to the black-and-white list policy and the network access control policy. Because the network access control policies are finely classified, flexible traffic control policies are available to users, traffic can be controlled at a finer granularity while the diverse demands of users are met, unnecessary network access is refused, pressure on the data center gateway is dispersed, east-west and north-south traffic forwarding is controlled, redundant and looping traffic is reduced, and the flexibility, running performance, security, reliability and stability of the data center are improved.
Description
Technical Field
The present invention relates to the field of computer network communications, and in particular, to a method, apparatus, device, and readable storage medium for controlling network access.
Background
Besides the virtual super storage server, a distributed data center also forms a multi-center service network by networking several data centers. The distributed service center solves the problem of high gateway pressure in a centralized data center by turning the originally centralized access control into distributed access control, which disperses the pressure on the data center gateway; at the same time, however, the growth of east-west traffic places pressure on the network and on its internal communication. A distributed data center therefore needs to introduce network access control, but the commonly adopted triple-based network access control is not precise enough, and invalid messages or messages carrying potential safety hazards may still gain network access, so security risks exist.
Distributed data centers are therefore faced with the problem that internal network communication pressure is high and security cannot be guaranteed.
Disclosure of Invention
In view of the above, the present invention aims to provide a network access control method, a device and a readable storage medium, which solve the problem that in the prior art, a distributed data center faces a large communication pressure in the network and the security cannot be ensured.
In order to solve the above technical problems, the present invention provides a network access control method, including:
acquiring a network access control strategy configured based on an input port, an output port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type;
acquiring a black-and-white list policy based on execution action configuration;
and forwarding data center traffic according to the black-and-white list policy and the network access control policy.
Optionally, the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type includes:
acquiring the network access control policy configured by the user through the programmable configuration interface of the central controller;
the policy attributes of the network access control policy include the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type.
Optionally, the method further comprises:
acquiring a network, a subnet, a port and a routing table from the programmable configuration interface;
issuing the network access control policy based on the network, the subnet, and the port;
the forwarding data center traffic according to the black-and-white list policy and the network access control policy includes:
and forwarding the data center flow according to the black-and-white list strategy, the network access control strategy and the routing table.
Optionally, after the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type, the method further includes:
and storing the network access control strategy in a database, and recovering configuration according to the network access control strategy after the central controller is restarted.
Optionally, the forwarding the data center traffic according to the black-and-white list policy includes:
passing data center traffic whose protocol, port number, source and destination conform to the policy, and discarding data center traffic whose protocol, port number, source and destination do not conform to it.
Optionally, the acquiring a network access control policy configured based on an ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type includes:
when a custom policy exists, the acquired network access control policy is the custom policy;
when no custom policy exists, the acquired network access control policy is the predefined policy;
the custom policy is a policy obtained by configuration based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization;
the predefined policy is a policy that is reconfigured based on the predefined policy.
The invention also provides a network access control device, which comprises:
the first acquisition module is used for acquiring a network access control strategy configured based on an input port, an output port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type;
the second acquisition module is used for acquiring a black-and-white list policy configured based on the execution action;
and the forwarding module is used for forwarding the data center flow according to the black-and-white list policy and the network access control policy.
Optionally, the first acquisition module includes:
the first acquisition unit is used for acquiring the network access control policy when a custom policy exists, the acquired network access control policy being the custom policy;
the second acquisition unit is used for acquiring the network access control policy when no custom policy exists, the acquired network access control policy being the predefined policy; the custom policy is a policy obtained by configuration based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization; the predefined policy is a policy that is reconfigured based on the predefined policy.
The invention also provides a network access control device, comprising:
a memory for storing a computer program;
and the processor is used for realizing the steps of the network access control method when executing the computer program.
The present invention also provides a readable storage medium having stored therein a computer program which when executed by a processor implements the steps of the network access control method described above.
It can be seen that the present invention obtains the network access control policy configured based on the ingress port, egress port, source MAC address, destination MAC address, source IP address, destination port, and protocol type; acquiring a black-and-white list policy based on execution action configuration; and forwarding the data center traffic according to the black-and-white list policy and the network access control policy. According to the method, the network access control strategies are finely classified, so that flexible flow control strategies are provided for users, the flow can be controlled more finely on the basis of meeting the diversified demands of the users, unnecessary network access is refused, the pressure of a data center gateway is dispersed, the east-west and north-south flow forwarding is controlled, redundancy and loop flow are reduced, and the flexibility, the running performance, the safety, the reliability and the stability of the data center are improved.
In addition, the invention also provides a network access control device, equipment and a storage medium, which have the same beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network access control method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating an exemplary architecture of a data center according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a message matching method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a network access control device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network access control device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
With the rapid development of the global internet, the data storage amount increases exponentially, and the conventional internet has failed to satisfy the increasing information exchange pattern. In a centralized data center, a service is usually deployed on one physical server and is physically isolated from other systems, so that east-west traffic is low, and the majority of the traffic is north-south traffic; in the distributed data center service architecture, the single architecture is gradually changed into a Web-APP-DB (Web server-APP server-DB server, a presentation layer-application layer-data layer), services are usually deployed in a plurality of virtual machines or containers, and distributed storage servers are connected and combined to form a virtual super storage server, so that the ultra-large scale data processing capability which cannot be achieved by a single server is achieved. Because the distributed data center is not operated by one physical server any more and is operated by a plurality of servers in a cooperative way, the east-west flow is rapidly increased, the pressure of network internal communication is increased, and the safety of the module and external communication is relatively weakened.
Therefore, the invention provides a network access control method which can effectively reduce redundancy and loop flow, improve the operation performance of a data center, provide a flexible flow control strategy for users and ensure the safety of communication.
Referring to fig. 1 specifically, fig. 1 is a flowchart of a network access control method according to an embodiment of the present invention. The method may include:
s101: a network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type is obtained.
Specifically, the network access control method provided in this embodiment is based on a distributed data center network. Network access control (Network Access Control) limits traffic communication in the data center according to the protocol type, port number, access direction and so on of the traffic in the network, so that data messages travel along a preset path and the security and controllability of data packets are achieved. The protocol type, port number and access direction are specifically: ingress port, egress port, source MAC address, destination MAC address, source IP address, destination port, and protocol type. A network access control policy is obtained by configuration according to these eight attributes. The source MAC address is the sender's own MAC address, and the destination MAC address is the MAC address of the other party in the communication; a MAC address is the physical address of a network card and is unique. The source IP address is the IP address of the computer that sent the packet, and the destination IP address is the IP address of the computer it is to be sent to.
Further, in order to facilitate the user to operate the complex control rule, simplify the operation flow of the data center, reduce the threshold used by the user, and improve the high availability of the system, the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type may include the following steps:
acquiring the network access control policy configured by the user through the programmable configuration interface of the central controller;
the policy attributes of the network access control policy include an ingress port, an egress port, a source MAC address, a destination MAC address, a source IP address, a destination port, and a protocol type.
Specifically, the distributed data center network provides an interface capable of configuring the network access control strategy, facilitates the user to operate complex control rules, simplifies the operation flow of the data center, reduces the use threshold of the user, and improves the high availability of the system.
Further, to facilitate recovery of the user-configured network access control policy upon restart of the central controller; after the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type is obtained, the method may further include the following steps:
the network access control policy is stored in a database for restoring configuration according to the network access control policy after the central controller is restarted.
Specifically, the data is saved in the database to restore the history configuration after the central controller is restarted.
Further, in order to better manage the network access control policy, the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type may include the following steps:
when a custom policy exists, the acquired network access control policy is the custom policy; when no custom policy exists, the acquired network access control policy is the predefined policy; the custom policy is a policy obtained by configuration based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization; the predefined policy is a policy that is reconfigured based on the predefined policy.
Specifically, network access control policies are divided into predefined policies and custom policies according to whether they were preset. A predefined policy is defined in advance when the user initializes the system, according to the communication habits of the user's system, and its default priority is the lowest; a custom policy is defined by the user during later use, and the user can set its priority level as required, so that traffic is matched in priority order. Both custom and predefined policies are configured based on an ingress port, an egress port, a source MAC address, a destination MAC address, a source IP address, a destination port, and a protocol type. A predefined policy or a custom policy is also one of the black-and-white list policies, and a black-and-white list policy is likewise either predefined or custom; the four kinds of policy can be configured in combination, but a custom policy always has higher priority than a predefined policy. If traffic matches a high-priority blacklist policy during communication, the traffic is terminated and subsequent network control policies are not executed.
S102: a black and white list policy based on the execution of the action configuration is obtained.
Specifically, the network access control policy is classified into a white list policy and a black list policy based on whether the policy is discarded. If the traffic is matched with the white list, releasing the traffic; and discarding the traffic if the traffic matches the blacklist.
Further, the forwarding the data center traffic according to the black-and-white list policy may include the following steps:
passing data center traffic whose protocol, port number, source and destination conform to the policy, and discarding data center traffic whose protocol, port number, source and destination do not conform to it.
Specifically, under the white list policy, traffic whose protocol, port number, source and destination match is passed (accept), whereas under the black list policy, traffic whose protocol, port number, source and destination are configured is discarded (deny).
S103: and forwarding the data center traffic according to the black-and-white list policy and the network access control policy.
The user manages traffic in the distributed data center network based on the configured black-and-white list policy and the network access control policy.
Further, the method can further comprise the following steps:
acquiring a network, a subnet, a port and a routing table from a programmable configuration interface;
issuing a network access control policy based on the network, the subnet and the port;
and forwarding the data center flow according to the black-and-white list strategy, the network access control strategy and the routing table.
Specifically, the programmable configuration interface of the distributed data center network is used to add, delete and query networks (network), subnets, ports and routing tables (router); network control policies are issued on the basis of the network, subnet and port, and forwarding is guided by the routing policy provided by the routing table. Within the same network in the distributed data center, layer-2 traffic between instances is reachable; across different networks under the same routing table, layer-3 traffic between instances is reachable by default, and the direction of instance traffic between different networks can be restricted through the routing policy of the routing table.
By applying the network access control method provided by the embodiment of the invention, the network access control strategy configured based on the input port, the output port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type is obtained; acquiring a black-and-white list policy based on execution action configuration; and forwarding the data center traffic according to the black-and-white list policy and the network access control policy. According to the method, the network access control strategies are finely classified, so that flexible flow control strategies are provided for users, the flow can be controlled more finely on the basis of meeting the diversified demands of the users, unnecessary network access is refused, the pressure of a data center gateway is dispersed, the east-west and north-south flow forwarding is controlled, redundancy and loop flow are reduced, and the flexibility, the running performance, the safety, the reliability and the stability of the data center are improved. In addition, a programmable configuration interface is provided, so that a user can conveniently operate complex control rules, the operation flow of a data center is simplified, the use threshold of the user is reduced, and the high availability of the system is improved; the configured strategy is stored in the database, so that the network access control strategy configured by the user can be recovered immediately after the central controller is restarted; in addition, the priority of the predefined strategy and the custom strategy is set, so that the network access control strategy is better managed; and the black-and-white list, the network access control strategy and the data table are used for managing the flow, so that the management efficiency is improved.
For better understanding of the present invention, please refer to fig. 2, fig. 2 is a diagram illustrating an example of a data center architecture according to an embodiment of the present invention, which may include:
The distributed data center provides the functions of a file storage server, a database server, a domain name resolution server, a mail server, a web server, an FTP server and the like. The distributed data center network is built on a spine-leaf architecture, abandoning the traditional three-tier network architecture in favor of a flattened one; this improves the scalability of the network, and under the spine-leaf architecture east-west traffic is reachable within three hops, so latency is reduced. The data center controller provides a programmable control system that issues and adjusts the basic network and the network control policies; it connects spine nodes (connected to switches) and leaf nodes (connected to devices or servers) via OpenFlow (a network communication protocol), issues the network control policies, and pushes configuration via NETCONF (an XML-based network configuration protocol) to achieve full-mesh management of the spine and leaf layers.
The central controller provides the function of configuring network control policies and issues them in the form of flow tables to the virtual switch (Virtual Switch, or virtual network switch) to control communication between virtual machines. A pre-configured policy is a globally unique policy that the user configures at initialization; a custom policy is one the user adds according to subsequent communication requirements; a black-and-white list policy is defined according to whether traffic is discarded. A predefined or custom policy is one of the black-and-white list policies, and a black-and-white list policy is likewise either predefined or custom; the four kinds of policy can be configured in combination, and a custom policy has higher priority than a pre-configured policy. If traffic matches a high-priority blacklist policy, the traffic is discarded and no further policy is applied. Table 1 lists the basic items of the access traffic configuration policy, and fig. 3 is a flowchart illustrating a message matching method according to an embodiment of the present invention. The network access control method provided by the invention is used to match a message and determine its flow direction. When a message is received, it is first matched against the custom policies; if no custom policy matches, it is matched against the predefined policies; if no predefined policy matches either, the traffic is passed according to the default rule. If the message matches a custom policy, it is executed according to that custom policy: whether it matches a blacklist policy is judged; if so, the message is discarded; if not, it continues to be executed according to the custom policy until custom policy matching completes.
If the message matches a predefined policy, it is executed according to that predefined policy: whether it matches a blacklist policy is judged; if so, the message is discarded; if not, it continues to be executed according to the predefined policy until predefined policy matching completes.
Table 1 Access to essential items of traffic configuration policy
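The matching flow of fig. 3 and the priority rules of S101/S102 can be checked against sample traffic with a small reference matcher. The code below is an added example written for this page, not code from the patent or from any product; it assumes a first-match rule within each policy tier (the patent only says matching continues "until matching completes"), uses seven attribute fields with `None` as a wildcard, and all policies, packets and port or address values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seven policy attributes named in S101. A value of None in a policy is a wildcard.
FIELDS = ("in_port", "out_port", "src_mac", "dst_mac", "src_ip", "dst_port", "proto")


@dataclass(frozen=True)
class Packet:
    in_port: str
    out_port: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str                   # "custom" (added by the user later) or "predefined" (set at initialization)
    action: str                 # "accept" = white list entry, "deny" = black list entry
    priority: int = 0           # user-defined for custom policies; predefined policies default to the lowest
    in_port: Optional[str] = None
    out_port: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every non-wildcard attribute of the policy must equal the packet's attribute."""
        for f in FIELDS:
            want = getattr(self, f)
            if want is not None and want != getattr(pkt, f):
                return False
        return True


def decide(pkt: Packet, policies: List[Policy]) -> Tuple[str, str]:
    """Match a packet following fig. 3: custom policies first, then predefined,
    then the default rule. Within a tier, higher priority is tried first (assumption:
    first match wins). A black list match discards the packet and stops evaluation.
    Returns (action, name of the deciding policy)."""
    for kind in ("custom", "predefined"):
        tier = sorted((p for p in policies if p.kind == kind), key=lambda p: -p.priority)
        for p in tier:
            if p.matches(pkt):
                return p.action, p.name
    return "accept", "default"   # no policy matched: pass according to the default rule


# Constructed sample policy set (hypothetical names, addresses and ports).
SAMPLE_POLICIES = [
    Policy("allow-https", "predefined", "accept", proto="tcp", dst_port=443),
    Policy("block-telnet", "predefined", "deny", proto="tcp", dst_port=23),
    Policy("allow-host-a-https", "custom", "accept", priority=5,
           src_ip="10.0.1.50", dst_port=443, proto="tcp"),
    Policy("block-host-a", "custom", "deny", priority=10, src_ip="10.0.1.50"),
]

# Constructed sample traffic: one packet per scenario the flowchart distinguishes.
PACKETS = {
    "host_a_https":  Packet("leaf1-eth1", "leaf2-eth3", "02:00:00:00:00:0a",
                            "02:00:00:00:00:0b", "10.0.1.50", 443, "tcp"),
    "host_b_https":  Packet("leaf1-eth2", "leaf2-eth3", "02:00:00:00:00:0c",
                            "02:00:00:00:00:0b", "10.0.2.7", 443, "tcp"),
    "host_b_telnet": Packet("leaf1-eth2", "leaf2-eth3", "02:00:00:00:00:0c",
                            "02:00:00:00:00:0b", "10.0.2.7", 23, "tcp"),
    "host_b_dns":    Packet("leaf1-eth2", "leaf2-eth4", "02:00:00:00:00:0c",
                            "02:00:00:00:00:0d", "10.0.2.7", 53, "udp"),
}


def run_sample() -> dict:
    """Decide every sample packet against the sample policy set."""
    return {label: decide(pkt, SAMPLE_POLICIES) for label, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, (action, name) in run_sample().items():
        print(f"{label:14s} -> {action:6s} (by {name})")
```

The `host_a_https` packet shows the rule the patent stresses: the user's custom white list entry would pass it, but the higher-priority custom black list entry matches first and the packet is discarded without the predefined tier ever being consulted. The `host_b_dns` packet matches nothing and falls through to the default rule, which is the case a defender should review, since a permissive default means any protocol not covered by a predefined policy is passed.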
The following describes a network access control device provided by an embodiment of the present invention, and the network access control device described below and the network access control method described above may be referred to correspondingly.
Referring to fig. 4 specifically, fig. 4 is a schematic structural diagram of a network access control device according to an embodiment of the present invention, which may include:
a first obtaining module 100, configured to obtain a network access control policy configured based on an ingress port, an egress port, a source MAC address, a destination MAC address, a source IP address, a destination port, and a protocol type;
a second obtaining module 200, configured to obtain a black-and-white list policy configured based on the execution action;
and the forwarding module 300 is configured to forward data center traffic according to the black-and-white list policy and the network access control policy.
Based on the above embodiment, the first obtaining module 100 may include:
the third acquisition unit is used for acquiring the network access control policy configured through the programmable configuration interface of the central controller; the policy attributes of the network access control policy include the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type.
Based on the above embodiment, the network access control device may further include:
a third obtaining module, configured to obtain a network, a subnet, a port and a routing table from the programmable configuration interface;
the issuing module is used for issuing the network access control strategy based on the network, the subnet and the port;
correspondingly, the forwarding module 300 is specifically configured to forward the data center traffic according to the black-and-white list policy, the network access control policy, and the routing table.
Based on the above embodiment, the network access control device may further include:
and the storage module is used for storing the network access control strategy in a database after the network access control strategy configured based on the input port, the output port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type is acquired, and is used for recovering the configuration according to the network access control strategy after the central controller is restarted.
Based on the above embodiment, the forwarding module 300 may include:
the pass-and-discard unit is used to pass data center traffic whose protocol, port number, source and destination conform to the policy, and to discard data center traffic whose protocol, port number, source and destination do not conform to it.
Based on any of the above embodiments, the first obtaining module 100 may include:
the first acquisition unit is used for acquiring the network access control policy when a custom policy exists, the acquired network access control policy being the custom policy;
the second acquisition unit is used for acquiring the network access control policy when no custom policy exists, the acquired network access control policy being the predefined policy; the custom policy is a policy obtained by configuration based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization; the predefined policy is a policy that is reconfigured based on the predefined policy.
The network access control device provided by the embodiment of the invention is applied to obtain the network access control strategy configured based on the input port, the output port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type through the first obtaining module 100; a second obtaining module 200, configured to obtain a black-and-white list policy configured based on the execution action; and the forwarding module 300 is used for forwarding the data center traffic according to the black-and-white list policy and the network access control policy. The device performs refinement classification on the network access control strategy, provides a flexible flow control strategy for users, can control the flow more finely on the basis of meeting the diversified demands of the users, refuses unnecessary network access, disperses the pressure of the gateway of the data center, controls the forwarding of east-west and north-south flow, reduces redundancy and loop flow, and improves the flexibility, the running performance, the safety, the reliability and the stability of the data center.
The following describes a network access control device provided by an embodiment of the present invention, where the network access control device described below and the network access control method described above may be referred to correspondingly.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a network access control device according to an embodiment of the present invention, which may include:
a memory 10 for storing a computer program;
a processor 20 for executing a computer program for implementing the above-described network access control method.
The memory 10, the processor 20, and the communication interface 31 all communicate with each other via a communication bus 32.
In the embodiment of the present invention, the memory 10 is used for storing one or more programs, the programs may include program codes, the program codes include computer operation instructions, and in the embodiment of the present invention, the memory 10 may store programs for implementing the following functions:
acquiring a network access control strategy configured based on an input port, an output port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type;
acquiring a black-and-white list policy based on execution action configuration;
and forwarding the data center traffic according to the black-and-white list policy and the network access control policy.
In one possible implementation, the memory 10 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, and at least one application program required for functions, etc.; the storage data area may store data created during use.
In addition, memory 10 may include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include NVRAM. The memory stores an operating system and operating instructions, executable modules or data structures, or a subset thereof, or an extended set thereof, where the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic tasks as well as handling hardware-based tasks.
The processor 20 may be a central processing unit (Central Processing Unit, CPU), an ASIC, a DSP, an FPGA or other programmable logic device, and the processor 20 may be a microprocessor or any conventional processor. The processor 20 may call a program stored in the memory 10.
The communication interface 31 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 5 does not limit the network access control device in the embodiment of the present invention, and in practical applications the network access control device may include more or fewer components than those shown in fig. 5, or some components may be combined.
The following describes a readable storage medium provided in an embodiment of the present invention, where the readable storage medium described below and the network access control method described above may be referred to correspondingly.
The invention also provides a readable storage medium, on which a computer program is stored, which when being executed by a processor implements the steps of the above-mentioned network access control method.
The readable storage medium may include: a USB flash drive (U-disk), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Finally, it is further noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The foregoing has described in detail a method, apparatus, device and readable storage medium for controlling network access, and specific examples have been applied to illustrate the principles and embodiments of the present invention, and the above examples are only used to help understand the method and core idea of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
Claims (10)
1. A network access control method, comprising:
acquiring a network access control strategy configured based on an input port, an output port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type;
acquiring a black-and-white list policy based on execution action configuration;
and forwarding data center traffic according to the black-and-white list policy and the network access control policy.
2. The network access control method according to claim 1, wherein the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type, comprises:
acquiring the network access control policy configured by a user through a programmable configuration interface of a central controller;
the policy attributes of the network access control policy include the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type.
3. The network access control method according to claim 2, further comprising:
acquiring a network, a subnet, a port and a routing table from the programmable configuration interface;
issuing the network access control policy based on the network, the subnet, and the port;
the forwarding data center traffic according to the black-and-white list policy and the network access control policy includes:
and forwarding the data center flow according to the black-and-white list strategy, the network access control strategy and the routing table.
4. The network access control method according to claim 1, further comprising, after the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type:
and storing the network access control strategy in a database, and recovering configuration according to the network access control strategy after the central controller is restarted.
5. The network access control method according to claim 1, wherein forwarding data center traffic according to the black-and-white list policy comprises:
releasing data center traffic whose protocol, port number, source and destination conform to the policy; and discarding data center traffic whose protocol, port number, source and destination do not conform to the policy.
6. The network access control method according to any one of claims 1 to 5, wherein the acquiring the network access control policy configured based on the ingress port, the egress port, the source MAC address, the destination MAC address, the source IP address, the destination port, and the protocol type, comprises:
when a custom (self-defined) policy exists, acquiring the network access control policy means acquiring the custom policy;
when the custom policy does not exist, acquiring the network access control policy means acquiring the predefined policy;
the custom policy is a policy obtained by configuration based on the input port, the output port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization;
the predefined policy is a policy that is reconfigured based on the predefined policy.
7. A network access control device, comprising:
the first acquisition module is used for acquiring a network access control strategy configured based on an input port, an output port, a source MAC address, a destination MAC address, a source IP address, a destination port and a protocol type;
the second acquisition module is used for acquiring a black-and-white list policy configured based on the execution action;
and the forwarding module is used for forwarding the data center flow according to the black-and-white list policy and the network access control policy.
8. The network access control device of claim 7, wherein the first acquisition module comprises:
the first acquisition unit is used for acquiring a network access control policy when a custom policy exists, wherein acquiring the network access control policy means acquiring the custom policy;
the second acquisition unit is used for acquiring a network access control policy when the custom policy does not exist, wherein acquiring the network access control policy means acquiring the predefined policy; the custom policy is a policy obtained by configuration based on the input port, the output port, the source MAC address, the destination MAC address, the source IP address, the destination port and the protocol type during initialization; the predefined policy is a policy that is reconfigured based on the predefined policy.
9. A network access control device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the network access control method according to any one of claims 1 to 6 when executing said computer program.
10. A readable storage medium, characterized in that the readable storage medium has stored therein a computer program which, when executed by a processor, implements the steps of the network access control method according to any one of claims 1 to 6.
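The method described in the memory-stored functions above and in claims 1, 5 and 6, as an added example that is not code from the patent: a minimal Python policy evaluator that matches a flow against the seven policy attributes of claim 1, lets the custom policy take precedence over the predefined one (claim 6), and applies the black-and-white list's execution action to release or discard traffic (claim 5). The wildcard semantics (None matches anything), the blacklist behaviour as the mirror image of the whitelist, and the sample policies and flows are assumptions.

```python
from dataclasses import dataclass, fields
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    # One data center flow, keyed by the seven policy attributes of claim 1.
    in_port: str
    out_port: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_port: int
    protocol: str

@dataclass(frozen=True)
class Rule:
    # One network access control policy entry; None means "match any" (assumption).
    in_port: Optional[str] = None
    out_port: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        # Every non-wildcard attribute of the rule must equal the flow's attribute.
        return all(getattr(self, f.name) in (None, getattr(flow, f.name))
                   for f in fields(Flow))

def select_policy(custom: List[Rule], predefined: List[Rule]) -> List[Rule]:
    # Claim 6: the custom (self-defined) policy is used when it exists, else the predefined one.
    return custom if custom else predefined

def decide(flow: Flow, rules: List[Rule], action: str) -> str:
    # Claim 5: a whitelist releases matching traffic and discards the rest; the
    # blacklist is assumed to be the mirror image (discard matches, release the rest).
    matched = any(r.matches(flow) for r in rules)
    if action == "whitelist":
        return "forward" if matched else "discard"
    if action == "blacklist":
        return "discard" if matched else "forward"
    raise ValueError(f"unknown execution action: {action}")

# Constructed sample data (not from the patent): HTTPS is allowed by default; the custom
# policy additionally admits SSH from one host arriving on one ingress port.
PREDEFINED = [Rule(protocol="tcp", dst_port=443)]
CUSTOM = [Rule(in_port="eth1", src_ip="10.0.1.5", protocol="tcp", dst_port=22),
          Rule(protocol="tcp", dst_port=443)]
SSH = Flow("eth1", "eth2", "02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.1.5", 22, "tcp")
HTTPS = Flow("eth3", "eth2", "02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.2.9", 443, "tcp")
DNS = Flow("eth3", "eth2", "02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.2.9", 53, "udp")

def demo(action: str = "whitelist") -> List[str]:
    # Forwarding verdicts for the SSH, HTTPS and DNS flows under the selected policy.
    rules = select_policy(CUSTOM, PREDEFINED)
    return [decide(f, rules, action) for f in (SSH, HTTPS, DNS)]
```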
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311316815.6A CN117201178A (en) | 2023-10-12 | 2023-10-12 | Network access control method, device, equipment and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311316815.6A CN117201178A (en) | 2023-10-12 | 2023-10-12 | Network access control method, device, equipment and readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117201178A true CN117201178A (en) | 2023-12-08 |
Family
ID=89001758
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311316815.6A Pending CN117201178A (en) | 2023-10-12 | 2023-10-12 | Network access control method, device, equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117201178A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119155089A (en) * | 2024-09-18 | 2024-12-17 | 北京天融信网络安全技术有限公司 | Internet of things terminal access control method, system, equipment, medium and program product |
- 2023-10-12 CN CN202311316815.6A patent/CN117201178A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8693344B1 (en) | Systems and methods for generating packet forwarding rules based on network policy | |
KR101572771B1 (en) | System and methods for controlling network traffic through virtual switches | |
US8923296B2 (en) | System and methods for managing network packet forwarding with a controller | |
US7227838B1 (en) | Enhanced internal router redundancy | |
JP4515441B2 (en) | Single logical network interface for improved load balancing and failover capabilities | |
US9178812B2 (en) | Stacking metadata contexts for service chains | |
US8755382B2 (en) | Intelligent adjunct network device | |
CN105871719B (en) | Method and device for processing routing state and/or policy information | |
US8572284B2 (en) | Method and apparatus for registering a mobile object on a foreign network | |
EP3229413B1 (en) | Cross-domain cooperative method, cooperative device and control device for network as a service business | |
CN108270690A (en) | The method and apparatus for controlling message flow | |
CN111010340A (en) | Data message forwarding control method and device and computing device | |
WO2021213185A1 (en) | Routing processing method and apparatus | |
EP1142202B1 (en) | System and method for providing flexible management of a network | |
CN117201178A (en) | Network access control method, device, equipment and readable storage medium | |
US10439877B2 (en) | Systems and methods for enabling wide area multicast domain name system | |
US20210111925A1 (en) | Systems and methods for providing network connectors | |
CN107046568B (en) | Authentication method and device | |
US10382274B2 (en) | System and method for wide area zero-configuration network auto configuration | |
US20080049643A1 (en) | Method, system and computer program product for routing information across firewalls | |
CN114978563B (en) | Method and device for blocking IP address | |
CN113055195B (en) | Multi-domain controller cluster and SDON system based on SDON | |
US12278842B2 (en) | Method and system for virtual machine aware policy management | |
CN119697623A (en) | Method for providing subscriber-aware network traffic routing in a 5G core network | |
WO2025051027A1 (en) | Traffic policy determination method, electronic device, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||