JP2015164293A - Network connection device and network connection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network connection device which continues a communication between devices without an IP routing function nor an IP relay function even when a disconnection occurs in a local network.SOLUTION: A network connection device of layer 2 which communicates to either of a plurality of router devices positioned at a boundary between a local network and a backbone network comprises: a packet analysis section which monitors continuity test packets by which a plurality of router devices confirm the continuity of each other and notifies of a disconnection occurrence in the local network if no continuity test packet is received; a node search section which searches for a node capable of communicating in the local network when being informed from the packet analysis section that a disconnection occurred in the local network; and a route information notification section which notifies a router to be communicated of the route information of a node searched by the node search section.

Description

  The present invention relates to a network connection device that performs redundant connection between a backbone network that is controlled by a routing protocol and a local network, and that relieves communication of the device connected to the local network when the local network is divided.

  The wide area network is composed of a plurality of local networks and a backbone network that connects the plurality of local networks to each other. Devices and various devices are connected to the local network. The local network and the backbone network are separated by a router. In the backbone network, route control using routing protocols such as OSPF (Open Shortest Path First) and RIP (Routing Information Protocol) is performed. Communication via a router is performed between a device connected to a local network and a device connected to another local network.

  However, when a router fails, the communication path from the local network to the outside is blocked, and a device connected in the local network cannot communicate with a device connected to another local network. As a solution to this problem, there is a general technique in which a plurality of routers are arranged in one local network and the route to the backbone network is made redundant. Even when a failure occurs in a part of the routers in the local network, a connection with another local network can be ensured by passing through another normal router. An example of this technique is VRRP (Virtual Router Redundancy Protocol). (See Non-Patent Document 1 below)

  In VRRP, a virtual router is constructed by a plurality of routers connected to the same local network. A plurality of routers constituting the virtual router share one or a plurality of virtual IP addresses and a virtual MAC address. When sharing a plurality of virtual IP addresses and virtual MAC addresses, a VLAN (Virtual Local Area Network) or the like is used. One working router and other spare routers are selected from among a plurality of routers. The active router handles communication within and outside the local network and communications addressed to the virtual router including PING. The working router periodically sends VRRP packets to notify all spare routers that it is operating normally.

  When the VRRP packet from the working router is interrupted for a certain time or more, one of the backup routers takes over the virtual IP address and the virtual MAC address and operates as the working router. When a plurality of virtual IP addresses and virtual MAC addresses are shared by one local network, different routers may be used for each virtual IP address and virtual MAC address, or may be the same router.

  On the other hand, in a network that is made redundant using VRRP, when a local network is divided due to a failure or the like, a mutual route through the backbone network is physically present, There was a problem that communication was impossible.

  For example, when a failure occurs on the communication path between the devices A and B in the local network, the devices A and B cannot communicate in the local network. At this time, if the devices A and B are connected to the backbone network C via different routers, the devices A and B can communicate via the backbone network C. However, there is a problem that communication fails because the route through the backbone network cannot be recognized. For example, there is a case where an appropriate route is not set in the backbone network C or a case where ARP (Address Resolution Protocol) cannot be resolved.

  Solutions to this problem are disclosed in Patent Document 1 and Patent Document 2. A router connecting the local network and the backbone network sets up a management path on the backbone network between other routers connected to the same local network and monitors the continuity state on the local network. When it is detected that a disconnection has occurred in the local network, the router acquires connection permission information with each device in the local network. The router notifies the connection availability information to each device constituting the backbone network by the routing protocol, and exchanges the connection availability information with another router connected to the same local network using the management path. In this way, communication can be performed via the backbone even when the local network is divided.

  Also, Patent Document 3 discloses a solution. When a failure occurs and a detour path is set, the two routers connected to the local network and the backbone network exchange IP address / MAC address correspondence information. The two routers set a detour route by rewriting the MAC address learning table based on the association information. In this way, the relay operation can be normally performed even when the local network is divided.

“Virtual Router Redundancy Protocol” RFC2338, Internet Engineering Task Force

JP 2002-232463 A JP 2002-232448 A JP 2008-172636 A

  However, in order to realize the conventional technology, a device having an IP routing function and an IP relay function at the boundary between the backbone network and the local network is required. Since the layer 2 switch does not have an IP routing function and an IP relay function, communication cannot be performed via the backbone network when the local network is divided.

  The present invention has been made in view of the above, and an object of the present invention is to provide a network connection device that can continue communication between devices without having an IP routing function and an IP relay function when a local network is divided. To do.

  A layer 2 network connection device that communicates with one of a plurality of router devices located at a boundary between a local network and a backbone network, and the plurality of router devices monitor a continuity confirmation packet for confirming each other's continuity and When the confirmation packet is not received, communication within the local network is possible when the packet analysis unit that notifies that a division has occurred within the local network and when the packet analysis unit notifies that a division has occurred within the local network A node search unit for searching for a new node, and a route information notification unit for notifying the route information of the node discovered by the node search unit to the communicating router device.

  According to the present invention, communication between devices can be continued when a division occurs in the local network.

1 is a block diagram illustrating a configuration of a network connection device according to a first embodiment. 1 is a diagram illustrating an example of a network system using a network connection device according to Embodiment 1. FIG. 3 is a flowchart showing a flow of processing of the network connection device according to the first embodiment. FIG. 3 shows a configuration of an information packet according to the first embodiment. 3 is a flowchart showing a flow of processing of the network connection device according to the first embodiment. FIG. 3 is a block diagram illustrating a configuration of a network connection device according to a second embodiment. FIG. 5 is a diagram showing a configuration of an information packet according to Embodiment 2. FIG. 4 is a block diagram showing a configuration of a network connection device according to a third embodiment. FIG. 6 is a diagram illustrating an example of a network system using a network connection device according to a third embodiment. FIG. 6 is a diagram illustrating an example of a network system using a network connection device according to a third embodiment. FIG. 6 is a block diagram illustrating a configuration of a network connection device according to a fifth embodiment. FIG. 6 is a block diagram showing a configuration of a node search unit according to Embodiment 5.

Embodiment 1 FIG.
Embodiments will be described with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of network connection apparatus 100 according to the first embodiment. The network connection device 100 includes a packet analysis unit 110, a node search unit 120, a route information notification unit 130, a terminal information table 140, and physical ports 150 to 151.

  The packet analysis unit 110 analyzes the continuity confirmation packet received from the physical ports 150 to 151 and notifies the node search unit 120 when the network is disconnected. Further, when the network division is resolved, the packet analysis unit 110 notifies the route information notification unit 130. The node search unit 120 searches for a device that can communicate via the physical port 150 and registers information of the found device in the terminal information table 140. The route information notification unit 130 notifies the route information through the physical port 151 with reference to the terminal information table 140 when the network is divided. In addition, when the network division is resolved, the route information notification unit 130 deletes the terminal information table 140 and notifies the route information via the physical port 151 to be deleted.

  The terminal information table 140 holds the IP addresses of communicable devices discovered by the node search unit 120. The terminal information table 140 may hold information other than the IP address. The physical port 151 is a port directly connected to the router, and the physical port 150 is other ports. Although not shown, the network connection device 100 holds a layer 2 function unit that realizes basic functions of the layer 2 switch, such as MAC address learning and a spanning tree. The layer 2 functional unit receives packets other than those for continuity confirmation from the physical ports 150 to 151 and performs processing. The layer 2 functional unit may be realized by either hardware or software, or may be realized by a combination of both.

  FIG. 2 is a diagram illustrating an example of a network system using the network connection device 100 according to the first embodiment. The network connection devices 100a and 100b are the network connection device 100 of FIG. The network connection devices 100a and 100b are connected to the routers 200a and 200b, respectively. A device 300a is connected to the network connection device 100a. The device 300b is connected to the network connection device 100b. The network connection device 100a and the network connection device 100b are connected via the switch 400. A monitoring camera 500 is further connected to the switch 400.

  The routers 200a and 200b are located at the boundary between the backbone network 600 and the local network 700. The local network 700 includes network connection devices 100a and 100b, devices 300a and 300b, a switch 400, and a monitoring camera 500. The backbone network 600 is connected to the device 300c of another local network via the router 200c. FIG. 2 shows that the network is divided between the network connection device 100b and the switch 400. The monitoring camera 500 may be replaced with the device 300.

  The router 200a and the router 200b regularly monitor whether or not they can conduct each other by exchanging continuity confirmation packets through a path in the local network 700. In the case of normal conduction, the router 200a and the router 200b determine that the network is not divided in the local network 700. One of the routers 200a and 200b is in an active state, and the other is in a standby state.

FIG. 3 is a flowchart showing a process flow of the network connection apparatus 100 according to the first embodiment. The network connection apparatus 100 starts processing from step S31.
The packet analysis unit 110 monitors continuity confirmation packets exchanged between the routers 100a and 100b (step S31). If the packet analysis unit 110 does not receive the continuity confirmation packet even after a time equal to or greater than the threshold value has elapsed (step S32), the packet analysis unit 110 determines that a division has occurred in the local network 700 and notifies the node search unit 120 (step S32). S33). When the continuity confirmation packet is periodically received, the packet analysis unit 110 continues monitoring.

  The node search unit 120 searches for an IP address of a device that can communicate within the local network 700 (step S34). The node search unit 120 stores the discovered device IP address in the terminal information table 140 (step S35). The route information notification unit 130 refers to the terminal information table 140, flows the route information into the directly connected router (step S36), and ends the process. Details of the processing of each step will be described later.

  Next, a method for monitoring continuity between the routers 200a and 200b will be described. This is the process of step S31 in FIG. VRRP will be described as an example. Other methods may be used as long as equivalent functions can be realized.

  In VRRP, packets called VRRP Advertise are exchanged between two or more routers set in the same group, and one router is selected as an active router. Other routers are in standby state. Only the router in the active state transmits VRRP Advertise to the router in the standby state at regular intervals. When the VRRP advertisement from the active router is interrupted, the standby router determines that the network is disconnected or a failure has occurred in the active router. Since only the router in the active state periodically transmits VRRP Advertise, only the router in the standby state can detect whether or not an abnormality has occurred in continuity with other routers.

  By the way, in VRRP, for example, by using a VLAN function, an active router and a standby router can share two or more virtual IP addresses. Different routers can be active routers depending on the virtual IP address. By setting each router to be an active router at at least one virtual IP address, it is possible to detect whether or not an abnormality has occurred in all routers.

  For example, in the configuration of FIG. 2, two or more VLANs and virtual IP addresses are set in the local network 700. Of these, one or more virtual IP addresses set the active router to 200a. In another one or more virtual IP addresses, the active router is set to 200b. By setting in this way, it is possible to detect whether or not an abnormality has occurred for all routers.

  The packet analysis unit 110 of the network connection devices 100a and 100b snoops the VRRP packet exchanged between the router 200a and the router 200b, and detects whether or not the local network 700 has been divided. This is the process of step S32 in FIG. Specifically, the packet analysis unit 110 determines that the routers 100a and 100b are operating normally when VRRP packets are periodically input from both the physical ports 150 to 151. When the VRRP packet is input only from any one of the physical ports 150 to 151, the network connection apparatus 100 determines that a division has occurred somewhere in the local network 700.

  The time from when the router in the standby state lastly receives VRRP Advertise until it is determined that the network has been divided is defined in RFC (Request For Communicate). The network connection device 100 may determine that the local network 700 has been divided when the time specified in the RFC has elapsed since the last reception of the VRRP advertisement. However, the present invention is not limited to this, and it may be determined that the local network 700 has been divided when a uniquely set time has elapsed.

  When it is determined that the local network 700 has been divided, the routers 200a and 200b are both in an active state. However, the route information for the local network 700 notified from the routers 200a to 200b to the backbone network 600 does not change even when the division occurs. Therefore, even if the routers 200a and 200b are both in the active state, the route is not changed to avoid the division.

  A case where devices in the local network 700 are communicating with an external device via the backbone network 600 will be described as an example where the devices 300b and 300c are communicating. When the router 200a is in the active state, the data transmitted from the device 300b reaches the device 300c via the network connection device 100b, the layer 2 switch 400, the network connection device 100a, the router 200a, and the router 200c.

  Here, it is assumed that a disconnection occurs between the network connection device 100b and the switch 400. The routers 200a and 200b detect the continuity abnormality and both become active. The data transmitted from the device 300b reaches the device 300c via the network connection device 100b, the router 200b, and the router 200c. Thus, when communicating with an external apparatus via the backbone network 600 from the local network 700, communication can be restored by a new route.

  On the other hand, in communication from the device 300c to the device 300b, the route through the router 200a or the router 200b does not necessarily match the communication path from the inside of the local network 700 to the outside. Generally, in the backbone network 600, path control is performed by a routing protocol. The routers 200a and 200b advertise the route information for the devices in the local network 700 connected thereto to the devices in the backbone network 600. As a result, the device 300c communicates with a route having a lower path cost to the device 300b. When the path cost from the router 200c to the router 200a is smaller than the path cost from the router 200c to the router 200b, communication is performed via the router 200a.

  Even when a division occurs between the network connection device 100b and the switch 400, the route information for the local network 700 advertised to the backbone network 600 by the routers 200a and 200b is the same as before the division occurs. For example, when communication from the device 300c to the device 300b is performed via the router 200a before the division occurs, the backbone network 600 continues to transfer to the router 200a even after the division occurs. Therefore, the device 300c fails to communicate with the device 300b. Although the device 300c can communicate by changing to the route via the router 200b, the route is not changed because the VRRP protocol does not have a mechanism for changing.

Therefore, in the present invention, by changing to a route that passes through the backbone network 600, communication can be continued even if a division occurs.
Hereinafter, a specific procedure will be described.

When the packet analysis unit 110 of the network connection apparatus 100 detects the division, the packet analysis unit 110 notifies the node search unit 120 of the information. This is the process of step S33 in FIG.
The node search unit 120 searches for a device capable of communication from the physical port 150. This is the process of step S34 in FIG.

  As a method of searching for a communicable device, for example, there is a method in which the node search unit 120 transmits an ARP Request to each IP address of the local network 700 via the physical port 150. If there is a communicable device, the node search unit 120 receives a response packet from the device. A method other than the exemplified method may be used.

  Regarding the order of searching for communicable devices, the simplest method is to sequentially execute all IP addresses belonging to the subnet assigned to the local network. Further, the node search unit 120 may monitor all or a part of the packets flowing through the network before severing, for example, by snooping, and may grasp the devices that are communicating. Based on the grasped information, the node search unit 120 preferentially searches for a device that is clearly communicated before the division occurs. Thereby, the node search part 120 can discover the apparatus which can communicate earlier than the case where it searches for all the IP addresses in order.

The node search unit 120 stores information on the discovered device in the terminal information table 140. This is the process of step S35 in FIG.
The node search unit 120 stores the IP address of the discovered device in the terminal information table 140. The node search unit 120 may store information other than the IP address as necessary.

  When new information is stored in the terminal information table 140, the route information notification unit 130 flows the route information into the routers 200a and 200b directly connected from the physical port 151. Even when the information in the terminal information table 140 is updated or deleted, the route information notification unit 130 flows the route information into the routers 200a to 200b directly connected from the physical port 151. This is the process of step S36 in FIG. In this embodiment, when the route information is notified from the network connection devices 100a-b, which are layer 2 devices, to the routers 200a-b, which are layer 3 devices, the term “flow” is used. The first to fourth methods will be described below as a method for introducing the route information.

  A first method for introducing the route information is a method using an information packet that simulates a RIP (Routing Information Protocol) packet format.

  FIG. 4 is a diagram showing a configuration of the information packet 41 according to the first embodiment. The processing code is Response (= 2) so that the routers 200a and 200b can recognize the route information. The version is 2 or more. This is because the version 1 RIP packet does not include the subnet mask information, and the routing information about the address of the host itself required in this embodiment cannot be poured. Versions 3 and later may be used as long as they are compatible with version 2.

  One route information includes an address family, a route tag, an IP address, a subnet mask, a next hop, and a metric. The address family is 2 indicating IP. Since the usage of the route tag is not particularly defined, it is set to 0 here, but is not limited thereto. The IP address is an IP address of a device that the network connection devices 100a and 100b can communicate in the local network 700. The subnet mask is 0xFFFFFFFF. The next hop is an IP address of a communicable device. The metric is the number of hops of the router. An integer smaller than 16 is set as the metric.

  In RIP, a maximum of 25 route information can be stored in one packet. By setting a plurality of pieces of route information in one packet, the number of packets can be reduced.

When the router 200 receives the information packet 41, the router 200 processes the route information based on the RIP protocol. In the RIP protocol, it is necessary to notify once registered information every predetermined time. The route information notification unit 130 transmits the information packet 41 to the routers 200a and 200b at regular intervals according to the processing frequency of the RIP protocol in the destination routers 200a and 200b. RIP generally transmits every 30 seconds. Further, the route information notification unit 130 may be configured to change the transmission cycle of the information packet in consideration of the case where the processing frequency of the RIP protocol is changed in the router.

  A second method for introducing the route information is a method for setting the route information in the routers 200a and 200b using SNMP (Simple Network Management Protocol). In this method, the routers 200a and 200b register route information as static routes. The route information notification unit 130 registers route information with respect to an object standardized as an MIB (Management Information Base) using SNMP. The MIB object for setting the static route can be set by a general-purpose method by using the one specified by RFC. In this method, since the set information is retained until registration is deleted, it is not necessary to perform resetting every predetermined time unlike the method using RIP.

  A third method for introducing the route information is a method in which the user performs remote login from the network connection devices 100a to 100b to the routers 200a to 200b for setting. The user registers the route information as a static route using the setting user interface of the routers 200a and 200b. An example of the setting user interface is CLI (Command Line Interface). As a remote login method, for example, Telnet is used. In this method, since the set information is retained until registration is deleted, it is not necessary to perform resetting every predetermined time unlike a method using RIP.

  A fourth method for introducing the route information is a method using an information packet simulating a packet of a routing protocol other than RIP such as OSPF. However, these protocols require more complicated processing than RIP, and have no particular advantage compared to the case of using RIP. Therefore, it is preferable to use RIP when routing information can be poured by an information packet simulating RIP, and to use another protocol only when an information packet simulating RIP cannot be used. Which protocol can be used to simulate an information packet depends on the protocol operating in the router 200. An appropriate one is selected from the protocols of the router 200 and used.

  In general, a router for industrial use has at least RIP and OSPF functions, and can route information by RIP.

  Next, a case where network division is eliminated will be described. When the division is resolved, the routers 200a to 200b switch back to the state before the division occurs due to the operation of the VRRP protocol. As a result, the routers 200a and 200b become active routers in different subnets, and transmit VRRP packets to devices belonging to the subnet.

FIG. 5 is a flowchart showing an operation flow of the network connection apparatus 100 according to the first embodiment. The network connection apparatus 100 starts processing from step S71.
When the local network 700 is divided, the packet analysis unit 110 monitors continuity confirmation packets exchanged between the routers 100a and 100b (step S51). When the packet analysis unit 110 receives VRRP packets at both the physical ports 150 and 151 (step S52), the packet analysis unit 110 detects that the network division has been resolved. The packet analysis unit 110 can receive the VRRP packet transmitted from the routers 200a and 200b only when continuity is ensured in the entire local network 700.

  When the packet analysis unit 110 detects the cancellation of the division, the packet analysis unit 110 notifies the route information notification unit 130 (step S53). The route information notification unit 130 notifies the routers 200a and 200b to delete the route information notified to the routers 200a and 200b via the physical port 151 when the division occurs (step S54). The route information notifying unit 130 deletes the previously set route information by transmitting the metric of the information packet 41 to the routers 200a and 200b as 16 indicating unreachable meaning. When SNMP or CLI is used, previously set route information is deleted by a procedure corresponding to each.

  When the route information is deleted, the route information notification unit 130 deletes all the information stored in the terminal information table 140 (step S55). However, in consideration of the case where the network is divided again, the terminal information table 140 may keep the information with an invalid flag. In this case, the node search unit 120 preferentially searches for an IP address held in the terminal information table 140 when searching for a communicable device when the network is divided. The IP address held in the terminal information table 140 is likely to be found, and the effect of shortening the communication disconnection time can be obtained.

  In the present embodiment, the network connection devices 100a and 100b are configured to be directly connected to the routers 200a and 200b, respectively, but may be configured to have another layer 2 device interposed therebetween. However, in this configuration, when a failure occurs between the network device 100a and the router 200a or between the network device 100b and the router 200b, the communication of the device connected to the other layer 2 device is not relieved.

  Therefore, in the present embodiment, a layer 2 network connection device that communicates with any of a plurality of router devices located at the boundary between the local network and the backbone network, and the plurality of router devices confirm the continuity of each other. When the confirmation packet is monitored and the continuity confirmation packet is not received, the packet analysis unit that notifies that the fragmentation has occurred in the local network and the packet analysis unit that is notified that the fragmentation has occurred in the local network A node search unit for searching for a communicable node in the local network, and a route information notification unit for notifying the router device for communication of the route information of the node discovered by the node search unit. IP routing function and IP repeater when disconnection occurs It is possible to continue the communication between devices without a.

  In addition, since the IP routing function and the IP relay function have a high processing load, an apparatus that implements the IP routing function and the IP relay function is generally expensive. In this embodiment, since the IP routing function and the IP relay function are not required, communication between apparatuses can be continued with an inexpensive apparatus when the local network is divided.

  Further, in the conventional technology, when a local network is added to an existing backbone network, a router is installed at the boundary between the backbone network and the local network. It is necessary to change the subnet with the router as a boundary, and it is necessary to redesign the network including the backbone network. Furthermore, route information increases in a routing protocol such as OSPF, which may adversely affect the convergence time when changing the route. In the present embodiment, even when a local network is added to an existing backbone network, it is not necessary to redesign the network including the backbone network.

Embodiment 2. FIG.
In the first embodiment described above, when the local network is divided, communication between devices is continued via the backbone network. In the present embodiment, RIP information An embodiment in which a case where a RIP information packet is treated as abnormal data will be described with respect to a first method in which route information is flown by a packet.
In the present embodiment, all the configurations described in the first embodiment as shown in FIG. 1 are provided, and further additional configurations will be described.

  In the first embodiment, as a first method for introducing route information, both the IP address of the RIP information packet and the next hop are set to the IP address of a device capable of communication. However, since this is route information that cannot be generated by the normal RIP protocol, some routers may handle it as abnormal data. In consideration of such a possibility, IP addresses are assigned to the network connection devices 100a and 100b, and the route information notification unit 130 may set the IP addresses of the network connection devices 100a and 100b as the next hop. Good. Since the network connection devices 100a and 100b are not layer 3 devices, IP addresses are not normally assigned.

  FIG. 6 is a block diagram showing a configuration of the network connection apparatus 101 according to the second embodiment. A MAC address rewriting unit 160 is added to the network connection apparatus 100 of FIG. The address rewriting unit 160 rewrites the destination MAC address of the frame received from the physical port 151. The network system has a configuration in which the network connection devices 100a and 100b in FIG. 2 are replaced with network connection devices 101a and 101b.

  FIG. 7 is a diagram showing a configuration of the information packet 42 according to the second embodiment. The difference from the information packet 41 in FIG. 4 is that one of the IP addresses of the network connection devices 101a and 101b is set as the next hop.

  When the node searching unit 120 finds a communicable device, the node searching unit 120 stores the MAC address together with the IP address in the terminal information table 140.

  A case will be described as an example where the network connection apparatus 101a flows into the router 200a route information in which the IP address of the network connection apparatus 101a is set as the next hop.

  The router 200a sets the IP address d3 of the device 300a as the destination IP address of the packet addressed to the device 300a. The router 200a sets the MAC address m1 of the network connection device 101a to the destination MAC address of the frame generated from the packet and transmits it. The address rewriting unit 160 of the network connection apparatus 101a that has received this frame refers to the terminal information table 140 and searches for the MAC address m3 corresponding to the destination IP address d3. The address rewriting unit 160 rewrites the destination MAC address of the frame with the MAC address m3 of the device 300a and transmits the frame via the physical port 150. As described above, even if the IP address and the IP address of a device capable of communication are set as the next hop, the router can be prevented from handling as abnormal data.

  Therefore, in this embodiment, when a packet is received whose destination MAC address is its own device and whose destination IP address is a communicable node in the local network, the terminal information table is referred to and associated with the IP address of the node. An address rewriting unit for setting the received MAC address as the destination MAC address, and the route information notifying unit sets the IP address of a communicable node in the local network as the network address of the RIP request packet, and sets the subnet mask to 32. Since the IP address assigned to the local device is set as the next hop, even if the router that causes abnormal data if the IP address of the device that can communicate with both the IP address and the next hop is set, Can be poured.

Embodiment 3 FIG.
In the second embodiment described above, the case where the RIP information packet is treated as abnormal data is considered for the first method of flowing the route information using the RIP information packet. An embodiment will be described in which the occurrence of a broadcast storm is suppressed when network division is resolved in a local network during communication.

  FIG. 8 is a block diagram showing a configuration of the network connection apparatus 102 according to the third embodiment. A multicast control data monitoring unit 170 is added to the network connection apparatus 100 of FIG. The multicast control data monitoring unit 170 processes multicast packets received from the physical ports 150 to 151. In addition, when notified from the packet analysis unit 110 that the network has been divided, the multicast control data monitoring unit 170 monitors the physical port 150 and controls the physical port 151 to receive multicast packets.

  Next, the operation of the network connection apparatus 102 will be described. The following is an example of a network apparatus and system realized by the present embodiment, and the embodiment is not limited.

FIG. 9 is a diagram illustrating an example of a network system using the network connection device 102 according to the third embodiment. The configuration of the network system is the same as the configuration of FIG. The routers 201a to 201c are routers corresponding to the multicast routing protocol.
The arrows in FIG. 9 show an example of the operation when performing multicast communication. In this embodiment, it is assumed that a protocol for performing multicast path control operates and multicast transfer is performed. As the multicast routing protocol, there are, for example, IGMP (Internet Group Management Protocol) and PIM (Protocol Independent Multicast).

  For example, the surveillance camera 500 distributes multicast data, and the devices 300b and 300c receive the data. The multicast route control protocol determines the route, and in the example of FIG. 6, the route is indicated by a dotted line. The route does not loop. Note that the monitoring camera 500 may be replaced with a device.

The PIM controls a relay route in a range relayed by layer 3, and operates in the routers 200a to 200c connected to the backbone network 600 in FIG.
The IGMP controls a relay route in a range relayed by layer 2, and operates in the routers 200a to 200c, the network connection device 100, and the layer 2 switch 400 connected to the local network 700 in FIG.

  FIG. 10 is a diagram illustrating an example of a network system using the network connection device 102 according to the third embodiment. FIG. 10 shows a case where a failure occurs between the network connection apparatus 102b and the switch 400, resulting in a network partition. When the network is divided, the relay route in the backbone network 600 is changed by the same operation as in the first embodiment. IGMP and PIM change the multicast path following the changed relay path. The multicast route from the monitoring camera 500 to the device 300b is changed to a route via the backbone network 600 as shown by a solid line, for example.

  When the network division is resolved, each device performs an operation of relaying multicast packets to all ports other than each reception port in the local network. This operation is generally called flooding. When the network division is resolved, the network connection apparatus 102b relays to the adjacent switch 400, and a loop around the path of the network connection apparatus 102a, the router 201a, and the router 201b occurs. As a result, a phenomenon that a multicast packet called a broadcast storm consumes a large amount of bandwidth may occur.

  Since switching of the multicast relay route takes time, the broadcast storm continues for a long time. For example, when both IGMP and PIM are executed with default parameters, there is a possibility that the broadcast storm may continue for a maximum of several minutes after the division of the network is resolved.

  The multicast control data monitoring unit 170 monitors whether a broadcast storm has occurred by monitoring a control packet for the multicast routing control protocol. Therefore, the occurrence of a broadcast storm can be suppressed, and when a broadcast storm occurs, it can be converged early.

  The multicast control data monitoring unit 170 monitors the reception of the PIM Hello packet and the PIM Assert packet at the physical port 150 connected to the local network 700. These packets are all transmitted from a router having a PIM function. When the network is divided, it is considered that these packets are not received from the physical port 150 connected to the local network 700. In other words, when these packets are received, it can be determined that network division has been resolved.

  When the multicast control data monitoring unit 170 determines that the network division has been resolved, the multicast control data monitoring unit 170 discards the reception of the multicast packet to the physical port 151. Thereby, a multicast storm can be suppressed. At this time, if reception of any multicast packet is blocked, for example, the multicast packet transmitted from the device 300 c outside the local network 700 does not reach the local network 700. Therefore, the multicast control data monitoring unit 170 blocks only multicast packets that need not be relayed by the router 201 directly connected to the physical port 151 when the network is not divided.

  The multicast packet to be blocked is a packet that satisfies at least one of the following two conditions. The first condition is a packet whose source IP address is included in the network address range assigned to the local network 700 among the packets received from the physical port 151. The second condition is when the network is not divided and when the router 201a or 201b directly connected to the network connection apparatuses 102a and 102b via the physical port 151 is not the representative router of the local network 700. , A packet received from the physical port 151. The designated router refers to a designated router (designated router) for multicast relay defined in the standard of the PIM protocol.

  By discarding the target packet, the circulation loop of the multicast packet is broken and the occurrence of the broadcast storm can be stopped. Note that a packet discarded under the first condition is transmitted from a device in the local network 700 to each device in the local network 700 by flooding. A packet discarded under the second condition is transmitted from each representative router existing in the local network 700 to each device in the local network 700. The reason why the multicast control data monitoring unit 170 discards these multicast packets is to prevent a device connected to the local network 700 from receiving a packet already received many times by forming a loop. It is.

  The multicast control data monitoring unit 170 is described as discarding a packet that satisfies the first or second condition, but the same effect can be obtained even if it is not received.

  Further, the network connection apparatus 102 may be provided with a MAC address rewriting unit for rewriting the MAC address like the network connection apparatus 101 in FIG. 5 of the second embodiment.

  Therefore, in this embodiment, whether or not a broadcast storm has occurred is monitored by snooping the control packet of the multicast control protocol, and if a broadcast storm has occurred, it is relayed on a relay route in which a loop is formed Since the multicast packet is discarded, the occurrence of a broadcast storm can be suppressed when the network division is resolved in the local network during the multicast communication. Moreover, when a broadcast storm occurs, it can be converged early.

Embodiment 4 FIG.
In the third embodiment described above, the occurrence of a broadcast storm is suppressed when the network division is resolved in the local network when multicast communication is performed. In the present embodiment, An embodiment in which a network connection apparatus holds information on a representative router is shown.

  In the present embodiment, the network connection device has the configuration 102 shown in FIG. The network system has the configuration shown in FIG. FIG. 10 shows an example when the network is divided.

  In the local network 700, the representative router is determined by exchanging PIM protocol packets between the router 201a and the router 201b. Which of the two or more routers is the representative router is determined by priority. However, when there are a plurality of routers having the highest priority, the router with the largest IP address is the representative router. In the local network 700, when the network is divided, the exchange of the PIM protocol packet between the router 201a and the router 201b is stopped, so that the routers 201a and 201b are both designated routers. Unless the priority and the IP address of the routers 201a and 201b are changed, the representative router after the network division is recovered is the same as that before the division occurs.

  The representative router information indicating which router is the representative router is information necessary for the network connection apparatuses 102a and 102b to determine a multicast packet to be blocked as described in the third embodiment. What is necessary for determining the multicast packet to be blocked is representative router information after the network division is recovered, and is not information indicating that the routers 201a and 201b are both representative routers during the network division. The network connection apparatuses 102a and 102b cannot determine the multicast packet to be blocked until just after any one of the routers is determined as the representative router immediately after the network division is recovered. As a result, there is a problem that it takes time from the restoration of the division of the network until the occurrence of the loop loop is suppressed.

  Therefore, the multicast control data monitoring unit 170 of the network connection apparatuses 102a and 102b collects and holds representative router information before the network is divided. As a result, when the network division occurs and is resolved thereafter, the multicast control data monitoring unit 170 immediately determines the designated router from the held representative router information without waiting for the designated router to become one. Can be determined. The multicast control data monitoring unit 170 can determine the multicast packet to be blocked immediately after the network division is resolved. Therefore, it is possible to suppress the occurrence of the loop loop.

  The multicast control data monitoring unit 170 monitors reception of PIM Hello packets periodically transmitted from the routers 201 a and 201 b at the physical port 150 connected to the local network 700. The multicast control data monitoring unit 170 collects representative router information by snooping the PIM Hello packet. When the network is not divided, the multicast control data monitoring unit 170 holds the held representative router information for a valid period, and discards the information when the next PIM Hello packet is not received within the valid period. (Hereinafter referred to as aging). When the next PIM Hello packet is received within the valid period, the multicast control data monitoring unit 170 resets the valid period from the time of reception and updates the representative router information. The valid period of the representative router information may be matched with the holding time of the PIM Hello packet defined in the PIM protocol. By aging the representative router information, the representative router recognized by each router and the representative router information held by the multicast control data monitoring unit 170 can always be matched.

  If the division of the local network 700 is resolved, the multicast control data monitoring unit 170 receives the PIM Hello packet from the physical port 150 before the PIM Hello packet holding time elapses. The multicast control data monitoring unit 170 updates the representative router information by snooping the PIM Hello packet.

  The multicast control data monitoring unit 170, when notified from the packet analysis unit 110 that the network has been divided, prevents the representative router information from aging. When the count of time is stopped for the effective period so as not to age, the effective period does not expire, and the multicast control data monitoring unit 170 keeps holding the representative router information before the division occurs until the network division is resolved. become.

  If the priority or IP address of the routers 201a and 201b is changed while the network is divided, the representative router information held by the multicast control data monitoring unit 170 and the representative router information after recovery from the network division There is a problem that does not match. However, the priority or IP address of the routers 201a to 201b is not changed unless the user intentionally changes the setting when the network design is changed. Therefore, this problem can be avoided by preventing the user from changing the priority or IP address of the routers 201a-b while the network is divided.

  Therefore, the multicast control data monitoring unit stores information on the representative router for each subnet in advance by snooping the PIM Hello packet, and after the packet analysis unit is notified that the fragmentation has occurred in the local network, the PIM Assert packet Alternatively, when a PIM Hello packet is received, whether or not to discard the packet is determined based on the information of the representative router, so that it is possible to immediately suppress the occurrence of a loop around when the division of the local network is resolved.

  In addition, the multicast control data monitoring unit sets the effective period of the representative router information, and when the packet analysis unit is notified that the fragmentation has occurred in the local network, it stops counting the time for the effective period, and then When the PIM Assert packet or the PIM Hello packet is received, the counting of the time is resumed, so that the representative router recognized by each router and the representative router information held by the multicast control data monitoring unit 170 can always be matched.

Embodiment 5
In the fourth embodiment described above, the network connection device holds the information of the representative router. In this embodiment, the node search unit preferentially searches when the network is divided. 1 shows an embodiment in which information of a device to hold is held.

  FIG. 11 is a block diagram showing a configuration of network connection apparatus 103 according to the fifth embodiment. The network connection device 103 includes the configuration of the network connection device 100 described in the first embodiment, and further includes an additional configuration. The difference from the network connection device 100 in FIG. 1 is a packet analysis unit 111 and a node search unit 121. When the network division is resolved, the packet analysis unit 111 notifies the node search unit 121 in addition to the route information notification unit 130. The node search unit 121 collects and holds in advance information on devices to be preferentially searched when a network division occurs.

  In the present embodiment, the network system will be described by taking as an example a configuration in which the network connection devices 100a and 100b in FIG.

  FIG. 12 is a block diagram showing a configuration of node search section 121 according to the fifth embodiment. The node search unit 121 includes a search means selection unit 1201, a pre-partition search control unit 1202, a search control unit 1203 during break, and a prior search address table 1204.

  Search means selection section 1201 instructs pre-partition search control section 1202 or on-partition search control section 1203 to search for a communicable device according to the state of division of local network 700 notified from packet analysis section 111. The pre-partition search control unit 1202 searches for a communicable device and registers the address of the discovered device in the pre-search address table 1204. The parting search control unit 1203 searches for a communicable device with reference to the pre-search address table 1204. Further, the network connection apparatus 103 may include a setting user interface 1205. The node search unit 121 registers an address input by the user via the setting user interface 1205 in the pre-search address table 1204.

Next, the detail of each part is demonstrated.
The search means selection unit 1201 instructs the pre-partition search control unit 1202 to search for a communicable device at the time of initial activation and when the packet analysis unit 111 is notified that the division of the local network 700 has been resolved. In addition, when the packet analysis unit 111 notifies that the local network 700 has been divided, the search unit selection unit 1201 instructs the search control unit 1203 to search for a communicable device.

  When the search control unit 1202 before dividing is instructed to search for a communicable device from the search means selection unit 1201, the communicable device from the IP address belonging to the subnet assigned to the local network 700 via the physical port 150. Explore. The pre-partition search control unit 1202 transmits, for example, ARP Request as a search packet. The pre-partition search control unit 1202 registers the IP address of the device that transmitted the response packet in the pre-search address table 1204.

  A user such as a device administrator may register in advance the address to be searched when the network is divided through the setting user interface 1205 in the prior search address table 1204. One or a plurality of addresses may be registered in the pre-search address table 1204.

  When the search control unit 1203 at the time of division is instructed to search for a communicable device from the search means selection unit 1201, the pre-search address table 1204 is referred to. First, the search control unit 1203 at the time of transmission transmits a search packet to an address registered in the pre-search address table 1204. Thereafter, the search control unit 1203 at the time of disconnection further transmits a search packet to another address belonging to the subnet assigned to the local network 700. When the disconnection search control unit 1203 finds a communicable device, it stores information on the device in the terminal information table 140. The parting search control unit 1203 may newly register a device that is found to be communicable if it is not registered in the pre-search address table 1204. If registered, the search is preferentially performed when the next and subsequent divisions occur.

  Knowing the addresses of devices that can communicate with the local network 700 in a state where no fragmentation has occurred, and preferentially search for addresses where there is a high possibility that the device will be present when the network is divided. Is possible. In addition, when a user explicitly designates a communicable device, it becomes possible to preferentially search for an address where the device is likely to exist when the network is divided. Therefore, since a communicable device can be discovered at an early stage and communication can be restored at an early stage, the communication disconnection time can be shortened. In addition, when there is a device that is required to shorten the average time of communication interruption or a device that requires quick recovery in the network, the communication interruption time can be reduced by applying this embodiment. .

  In the first embodiment, the node search unit 120 may grasp devices that are communicating by snooping packets flowing through the network before the division occurs, and may preferentially search for these devices. It is described. However, in this method, the node search unit 120 cannot grasp the presence of a receiving device that only receives a packet, and cannot be a target to be searched preferentially. According to the present embodiment, the node search unit 121 searches for an IP address belonging to the subnet assigned to the local network 700 in advance, so that the receiving device can also be found if communication is possible. You can preferentially search by registering with. Further, the user may register the receiving device in the prior search address table 1204.

  Furthermore, since the network connection apparatus 103 does not have an IP routing function, it is necessary to perform the packet snooping process described in the first embodiment by software. In this case, the load on the CPU that controls the software is increased, which is inefficient. In this embodiment, since the address registered in the pre-search address table 1204 is searched preferentially, the node search unit 121 can search for a device that can efficiently communicate while suppressing an increase in CPU load. It becomes possible.

Further, the network connection apparatus 103 may include a MAC address rewriting unit 160 that rewrites the destination MAC address of the frame received from the physical port 151.
Further, the network connection apparatus 103 may include a multicast control data monitoring unit 170 that processes multicast packets received from the physical ports 150 to 151.

  Therefore, when the node search unit searches for a communicable node in the local network, the pre-search address table that holds the address of the node to be searched preferentially, and the packet analysis unit generates a division in the local network. And a search control unit at the time of disconnection that references the address and searches for the node preferentially, so that it is preferential for the address that the device is likely to exist when the network disconnection occurs To explore.

  In addition, since the pre-search address table registers address information input via the user interface, it is possible to preferentially search for addresses that are likely to exist when a network partition occurs. it can.

  In addition, when the packet analysis unit receives the continuity confirmation packet after notifying the node search unit that the division has occurred in the local network, the packet analysis unit notifies the node search unit that the division in the local network has been resolved, The node search unit searches for a communicable node in the local network at the time of initial start-up and when the packet analysis unit is notified that the division has been resolved, and the address information of the found node is pre-searched address Since the pre-division search control unit registered in the table is provided, a communicable device can be discovered early and communication can be restored early, so that the time for communication interruption can be shortened.

  Further, the search control unit at the time of division refers to the address information of the node held in the pre-search address table, searches for the node preferentially, and then is an address in the local network and is not held in the pre-search address table When searching for an address in the local network and finding a communicable node, the address of the node is registered in the pre-search address table, so that a communicable device can be discovered early and communication can be restored early. Therefore, it is possible to shorten the communication disconnection time.

100, 100a-b, 101, 101a-b, 102 Network connection device 110 Packet analysis unit 120 Node search unit 130 Route information notification unit 140 Terminal information table 150, 151 Physical port 160 Address rewriting unit 170 Multicast control data monitoring unit 200, 200a-b, 201, 201a-b router 300a-c device 400 layer 2 switch 500 surveillance camera 600 backbone network 700 local network 41, 42 information packet 103 network connection device 111 packet analysis unit 121 node search unit 1201 search means selection unit 1202 Pre-partition search control unit 1203 Part-time search control unit 1204 Pre-search address table 1205 User interface for setting

Claims (21)

A layer 2 network connection device that communicates with one of a plurality of router devices located at a boundary between a local network and a backbone network,
A plurality of router devices monitor continuity confirmation packets for confirming mutual continuity, and when not receiving the continuity confirmation packet, a packet analysis unit for notifying that a division has occurred in the local network;
When notified by the packet analysis unit that a division has occurred in the local network, a node search unit for searching for a communicable node in the local network;
A route information notification unit for notifying the router device that communicates the route information of the node discovered by the node search unit;
A network connection device comprising: A terminal information table that holds path information of nodes that can be communicated within the local network discovered by the node search unit;
The network connection device according to claim 1, wherein the route information notification unit notifies the router device that communicates the route information of the node with reference to the terminal information table.   The packet analysis unit snooping a VRRP packet as the continuity confirmation packet, and when a time equal to or greater than a threshold value has elapsed after receiving the VRRP packet, notifies that a fragmentation has occurred in the local network. The network connection device according to claim 1 or 2.   The route information notifying unit notifies the communicating router device of route information of a communicable node in the local network by an information packet corresponding to a routing protocol for transmitting route information used in the router device. The network connection device according to any one of claims 1 to 3.   The network connection device according to claim 4, wherein the route information notification unit is a packet corresponding to RIP as the information packet.   The route information notifying unit sets the information packet as a RIP request packet, sets an IP address of a communicable node in the local network as a network address, sets a subnet mask as 32 bits, and sets the IP address of the node as a next hop. 6. The network connection device according to claim 5, wherein an address is set.   The network connection device according to claim 6, wherein the terminal information table holds an IP address and a MAC address in association with each other as the route information. When a packet whose destination MAC address is its own device and whose destination IP address is a communicable node in the local network is received, the MAC address associated with the IP address of the node is obtained by referring to the terminal information table. Provided with an address rewriting unit for setting the destination MAC address,
The route information notifying unit sets the IP address of a communicable node in the local network to the network address of the RIP request packet, sets the subnet mask to 32 bits, and sets the IP address assigned to the own device to the next hop. The network connection device according to claim 5, wherein the network connection device is set.   The network connection device according to claim 3, wherein the route information notification unit is a packet corresponding to OSPF as the information packet.   The network connection device according to claim 1, wherein the route information notification unit remotely logs in to a communicating router device and registers the route information as a static route.   The network connection device according to claim 1, wherein the route information notification unit notifies a router device that communicates the route information as a static route using an SNMP Set Request packet. When the packet analysis unit receives the continuity confirmation packet after notifying the node search unit that a division has occurred in the local network, the route information notification that the division in the local network has been resolved Notify the department,
The route information notifying unit notifies the router that communicates to delete the route information notified when a division occurs in the local network and deletes the route information held in the terminal information table. The network connection device according to claim 1, wherein the network connection device is a network connection device.   Monitors whether or not a broadcast storm has occurred by snooping multicast control protocol control packets, and if a broadcast storm has occurred, discards multicast packets that are relayed on a relay route in which a loop is formed The network connection device according to claim 1.   When a PIM Assert packet or a PIM Hello packet is received after snooping a PIM control packet that is a multicast control protocol and fragmentation occurs in the local network, the source IP of the multicast packets received from the communicating router device A multicast control data monitoring unit for discarding a packet whose address belongs to any of the subnets assigned to the local network and a packet received when a communicating router device is not a representative router of the local network; The network connection device according to claim 1. A layer 2 network connection method for communicating with any of a plurality of router devices located at a boundary between a local network and a backbone network,
A packet analysis step of monitoring a continuity confirmation packet in which a plurality of router devices confirm each other's continuity and not receiving the continuity confirmation packet, and notifying that a division has occurred in the local network; and
When notified from the packet analysis step that a division has occurred in the local network, a node search step for searching for a communicable node in the local network;
A route information notification step of notifying the router device that communicates the route information of the node discovered by the node search step;
A network connection method.   The multicast control data monitoring unit stores information on the representative router for each subnet in advance by snooping the PIM Hello packet, and after receiving notification from the packet analysis unit that the fragmentation has occurred in the local network, the PIM Assert 15. The network connection device according to claim 14, wherein when a packet or a PIM Hello packet is received, whether or not to discard the packet is determined based on information of the representative router.   The multicast control data monitoring unit sets an effective period of information of the representative router, and stops counting time for the effective period when notified by the packet analysis unit that a division has occurred in the local network. The network connection device according to claim 16, wherein, when a PIM Assert packet or a PIM Hello packet is subsequently received, the time counting is restarted. The node search unit
A pre-search address table that holds addresses of nodes to be preferentially searched when searching for communicable nodes in the local network;
When notified from the packet analysis unit that a division has occurred in the local network, the division search control unit that references the address and searches for the node preferentially;
The network connection device according to any one of claims 1 to 14, 16, and 17, further comprising:   19. The network connection device according to claim 18, wherein the pre-search address table registers address information input via a user interface. When the packet analysis unit receives the continuity confirmation packet after notifying the node search unit that a division has occurred in the local network, the node search unit indicates that the division in the local network has been resolved. Notify
The node search unit
When it is notified at the time of initial startup and from the packet analysis unit that the division has been resolved in the local network, it searches for a communicable node in the local network, and finds the address information of the found node in the pre-search address The network connection device according to claim 18, further comprising a pre-breaking search control unit registered in the table.   The divided search control unit refers to address information of a node held in the pre-search address table, searches for the node preferentially, and then is an address in the local network, the pre-search address table The address of the node is registered in the pre-search address table when a node capable of communication is found by searching for an address in the local network that is not held in the local network. The network connection device according to claim 1.

Images