36 results about "DHCP snooping" patented technology

Disclosed are mechanisms for facilitating the use of DHCP (dynamic host configuration protocol) binding data. In general, certain applications include mechanisms for intercepting data being sent from a node and then determining whether the data corresponds to a valid IP address and MAC address binding. Embodiments of the present invention provide mechanisms for sharing such DHCP binding data between routers (or other type of network devices) in a redundancy group so that any of the routers may take over the data inspection to validate DHCP bindings. In particular aspects of the invention, the DHCP binding data is validated in procedures related to DHCP snooping, dynamic ARP (address resolution protocol) inspection, and the like.

A network relay device includes a communication unit, an authentication processing unit, a DHCP snooping processing unit, and a terminal search processing unit. The authentication processing unit creates first information specifying an authenticated terminal device according to web authentication, and manages whether relay of communication data between a terminal device and a node on the specified network is permissible based on the first information. The DHCP snooping processing unit executes snooping of DHCP communication data between a terminal device and a DHCP server, and creates second information specifying a layer 3 address allocated to each terminal device. The terminal search processing unit specifies an authenticated terminal device based on the first information, specifies a layer 3 address allocated to the specified authenticated terminal device based on the second information, and causes the communication unit to send, to the specified layer 3 address, confirmation communication data.

The present invention provides a method and device for supporting port migration detection. The method includes: when a MAC address is learned on a first port, querying a Dynamic Host Configuration Protocol (DHCP) Snooping entry according to the MAC address; If the corresponding target DHCP Snooping entry is found, and the second port recorded in the target DHCP Snooping entry is inconsistent with the first port, then detect whether the target client corresponding to the target DHCP Snooping entry is currently connected At the second port; if it is detected that the target client is not currently connected to the second port, it is determined that port migration occurs in the target client, and the port recorded in the target DHCP Snooping entry is replaced by The second port is changed to the first port. The application of the embodiment of the present invention can ensure that the port migration can be carried out normally when the DHCP Snooping security mechanism is applied.

The embodiment of the present invention discloses a method and device for sending a DHCP message. The AP establishes a multi-user multi-input multi-output monitoring table item, wherein the monitoring table item includes an antenna ID, a user terminal ID, and a DHCP-related user terminal MAC. Address mapping relationship: when the AP receives a DHCP message related to a user terminal, the AP only transmits the DHCP message on the antenna corresponding to the user terminal according to the listening entry. Through the method and device of the embodiment of the present invention, the access point realizing the DHCP snooping function can "snooping" (listen) to the antenna.

The invention relates to the technical field of local area network access technologies, in particular to an IP-MAC real-name binding based network access control system and control method. The system comprises a core switch, a DHCP server, an FTP server and an access terminal, wherein the core switch uses a DHCP Snooping function and an ARP Inspection function; and the system further comprises a network access database server, a network access control server, a production network firewall, a server area firewall, an internet firewall and a private firewall. According to the IP-MAC real-name binding based network access control system and control method, Web programs and background programs are built in the network access control server; parameter configuration can be performed on the system through the Web programs; meanwhile, parameters are performed by utilizing the background programs, IP-MAC real-name binding and access authority effective time control can be implemented. Furthermore, due to function configuration of the core switch, shielding on a counterfeit DHCP server and a manually configured IP address can be implemented, so that sequential management of an IP address is facilitated.

The present invention provides a DHCP network protection system and method. The DHCP relay agent information module performs message processing on the DHCP request message of the client terminal equipment, so as to add the location information of the connection intermediate network node equipment to the DHCP relay agent. In the proxy information string information, the DHCP monitoring module receives the DHCP request message added with the DHCP relay agent information string information to generate a corresponding DHCP binding table for locating the network attack source, and the DHCP monitoring module also presets the rate Restriction, can accurately determine and locate the source of network attacks, improve the accuracy and efficiency of DHCP network security protection, and the DHCP relay agent information module and DHCP monitoring module are separated and run on different boards, reducing the number of modules running on the same board. This reduces the pressure of processing a large number of packets, and makes the upstream DHCP request packet carry more information to identify the source of the request packet.

The invention discloses a DHCP monitoring method. When the received user message fails to hit the DHCP binding table, a DHCP blacklist binding table is established, and the frequency information of the DHCP blacklist binding table being hit is recorded, so as to achieve tracking attacker's purpose. The invention also discloses a DHCP monitoring device. Through the invention, the attacker's attack behavior can be tracked and necessary information can be obtained, which is convenient for the network administrator to analyze.

The embodiment of the invention discloses a method for generating dynamic host configuration protocol (DHCP) snooping binding information, and a device thereof, wherein the method comprises: receiving ACK message including target MAC address returned by a DHCP server; querying items corresponding to the target MAC address; according to a first identification position and a second identification position in MAC items, if receiving message discover and message request, generating the DHCP snooping binding information according to input port information in the MAC items, and ensuring source MAC address, the input port information and input VLAN ID in the message discover and the message request to be respectively and correspondingly the same as each other. The embodiment of the invention canavoid the pot corresponding to the MAC address in a MAC table not being shifted caused by MAC address spoofing, and effectively guarantees the accuracy of the DHCP snooping binding information.

Embodiments of the present invention provide a security entry configuration method, device, SDN controller and medium, and relate to the technical field of communications. The embodiment of the present application includes: collecting the DHCP Snooping entry, the ARP Snooping entry and the WLAN Snooping entry of each AP in the controlled network topology; according to the collected DHCP Snooping entry, ARP Snooping entry and WLAN Snooping The table item generates a security table item; receives the information of the terminal to be bound, and statically binds the security table item of each terminal to be bound to the switch or AP connected by the terminal to be bound, so that the switch and AP in the network topology are based on the static The bound security entry performs packet filtering. On the premise of ensuring terminal access security, the configuration workload can be reduced and configuration efficiency can be improved.

The invention discloses a three-layer switching system and method based on two-layer DHCP SNOOPING. The system includes a DHCP user terminal, a two-layer switching device, a three-layer switching device and a DHCP server, and is characterized in that the two-layer switching device includes an enabling The module, by enabling DHCP SNOOPING configured on the Layer 2 switching device, monitors the DHCP request process of the user terminal, creates and saves DHCP binding information; the Layer 2 switching device processes the binding information and uploads it to the Layer 3 switching device, and the third layer According to the DHCP binding information, the layer switching device delivers a routing table entry for processing by the Layer 3 engine, and forwards the network packet processed by the Layer 3 engine to the destination user terminal according to the address of the destination user terminal. The technical scheme of the present invention increases the learning method of the three-layer table entry of the switch in the DHCP environment, and effectively ensures the stability and security of the table entry.

The invention discloses a method and a system for realizing a proxy ARP (Address Resolution Protocol) function based on DHCP (Dynamic Host Configuration Protocol) interception. The method comprises the following steps that: a DHCP interception function is started up in an access layer switch, the proxy ARP function is started up in an aggregation layer switch, and the IP (Internet Protocol) address of the aggregation layer switch is configured in the access layer switch; the access layer switch intercepts a DHCP requesting process of a client-side, creates and stores binding information, and uploads the binding information to the aggregation layer switch; the aggregation layer switch stores the binding information into a binding information table; and the client-side sends an ARP requesting message to the aggregation layer switch, and the aggregation layer switch queries the binding information table, and sends an ARP response message to the client-side when the binding information table contains the destination IP address of the ARP requesting message. With the adoption of the technical scheme provided by the invention, the accessibility in the detection of the destination IP address by using proxy ARP equipment can be achieved, so that the communication between a requesting terminal and a destination terminal is ensured.

An intelligently controlling method for realizing city Ethernet switch-board access safety integrates functions of certificating user legality, exerting illegal agent proof of legal user, controlling P2P flow rate and DHCP SNOOP together in said method for controlling and monitoring user in order to raise safety of network.

This application provides a method and switching equipment for preventing MAC address drift in a DHCP network, which relates to the field of data communication, and can prevent the MAC address of a host bound with an assigned IP address from drifting under the premise that the IP address can be dynamically allocated. . The method includes: after the host obtains the IP address of the Internet protocol, if the switching device has configured a DHCP monitoring function, then the switching device establishes a DHCP monitoring table; if the first port has configured a MAC address static binding function, then the switching device establishes a static MAC address table; the switching device configures the prohibition migration flag for the DHCP snooping table; wherein, the DHCP snooping table includes the IP address of the host, the media access control MAC address and the first port of the host, and the static MAC address table includes the MAC address, the first port, and the static Binding flag, the first port is the port connected to the host in the switching device, the static binding flag prohibits the switching device from modifying the static MAC address table, and the migration prohibition flag prohibits the switching device from modifying the DHCP listening table.