JP2000041064A - Connectionless switching device and access check circuit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To decrease the number of registrations, to provide an individual check function, and to enable detailed setting, by making an inclusive check according to address information in group units. SOLUTION: When there is a communication request from a terminal 1 to a terminal 2, a sending source address check associative memory CAM:11 outputs the address SA1' of the terminal 1. Inclusive and individual permission/ inhibition mode indication parts 12 and 13 output permission and inhibition according to their internal tables, and an inclusive check address indication part 14 outputs a group address RA1 corresponding to the SA1'. A corresponding check CAM:15 outputs information of matching with the address of a terminal 2 which can be connected by destination addresses DA and RA1, and an individual correspondence check CAM 16 generates no output. A decision circuit 17 inputs inclusive permission and the information of matching and individual disallowance and no match to permit access by a decision logical expression. Consequently, the registration number can be reduced to three even in the case of an interconnection of three terminals.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a connectionless switching device and an access check circuit, and can be applied to, for example, a data switching system requiring a high speed and a wide band.

[0002]

2. Description of the Related Art A Study on High-Speed and Wide-Band Data Exchange System Using ATM (SSE90-128) In today's data communication field, advanced security technology is indispensable. For example, firewall technology is essential to protecting computer systems from unauthorized access. Also, in connection between Internet connection providers (providers), peering technology is being introduced.

[0003] The requirements for security technology are the same in connectionless communication, and SMDS (Sw
In the case of the itched Multi-megabit Data Service, an access check method called address screening is also specified. The above-mentioned document describes an access check function based on this rule.

Before explaining the prior art, general matters necessary for the explanation will be described.

FIG. 2 shows a general structure of a connectionless communication message. In the communication message, a header for storing a destination or the like is added to a communication message body such as data. In the header, the destination address (DA: Dest
ination Address), source address (SA: Source A)
ddress). In the SMDS, 64 bits are allocated to both the destination address and the source address.

Hereinafter, an outline of the access check by the SMDS will be described.

(1) The SMDS checks whether the source address (SA) of the arriving message is a previously registered and permitted address. Furthermore, SMD
S checks whether the destination address (DA) of the message is a permitted address or not included in a prohibited address group. If the check result is negative (NG), the SMDS discards the message. Here, whether the SMDS checks the destination address (DA) in the permission mode or the prohibition mode is set for each source address (SA).

(2) At the time of sending a message, the SMDS changes the source address (SA) attached to the message to the destination address (D
It is checked whether the address is permitted for A) or not included in the prohibited address group. If the check result is negative (NG), SM
The DS discards the message. Where SMDS
Determines whether the destination address (DA) is to be checked in the permission mode or the prohibition mode depending on the source address (D
A) Set for each.

Note that the above access check generally uses hardware processing using a table. There are generally two processing methods. one,
In this method, input information is directly input to an address of a RAM. However, in this method, when the number of bits of the input information is large, the table becomes large and management becomes complicated. Therefore,
Generally, associative memory (CAM: Content Addressa)
ble Memory).

FIG. 3 shows a search operation using a content addressable memory (CAM). The CAM searches for a plurality of data registered in advance that match the input collation data. Then, when there is matching data, the CAM outputs a matching output (MATCH) and a registration address (MATCT Address) of the matching information.

Next, the prior art will be described.

FIG. 4 shows a functional configuration of a conventional apparatus. The conventional device includes a source address check CAM1, a permission / prohibition mode instruction unit 2, a correspondence check CAM3, and a determination circuit 4.

Here, source address check CAM1
, A source address to which transmission is permitted is registered. The source address check CAM1 checks the presence or absence of a matching address for the source address of the received message. When there is a matching address, the source address check CAM1 sets the registration address SA ′ (M
ATCH Address). On the other hand, when there is no matching address, the source address check CAM1
Outputs information indicating that the message is discarded.

The permission / prohibition mode instructing section 2 is a means for instructing whether the correspondence between the pair of the registration address SA ′ and the destination address DA is to be performed in the permission mode or the prohibition mode. Here, the permission / prohibition mode instruction unit 2
Such an instruction is sent to the registration address SA ′ (MATCH Addre
ss).

A pair of a registered address SA 'and a destination address DA is registered in the correspondence check CAM3. Here, when the registered address SA 'is in the permission mode, a pair of the registered address SA' to which access is permitted and the destination address DA are registered in the correspondence check CAM3. On the other hand, when the registration address SA 'is in the prohibition mode, the correspondence check CAM3 includes the registration address SA' prohibiting access.
And a destination address DA are registered.

The correspondence check CAM 3 checks whether a set of addresses attached to the received message matches a registered set of addresses. Registration address SA '
When the set of the address and the destination address DA is registered, the correspondence check CAM3 outputs a match output (MATCH).

The determination circuit 4 includes a permission / prohibition mode instruction unit 2
The access check is determined based on the output result of the permission / prohibition output output by the CAM and the output result of the match output (MATCH) output by the correspondence check CAM3.

The determination circuit 4 outputs access permission (OK) when the destination address DA is an address for which transmission is permitted, or when the destination address DA is not included in the address for which transmission is prohibited. . That is, the permission / prohibition output is “permitted” and the coincidence output (MAT
CH) is output, or when the permission / prohibition output is “prohibited” and the coincidence output (MATCH) is not output, the access permission (OK) is output. In other cases, the determination circuit 4 outputs an access impossibility (NG).

[0019]

However, such an apparatus has the following problems. Here, the contents of the problem will be described with reference to FIG. FIG.
As shown in (A), it is assumed that three terminals 1 to 3 are connected to the switching device including the access check circuit having the above configuration. The addresses of the terminals 1 to 3 are A1 to A3
And In addition, the terminals 1 to 3 permit each other's transmission in the permission mode.

In this case, the registered contents of the correspondence check CAM3 are as shown in FIG. That is, when m terminals are interconnected, the number of registrations of the correspondence check CAM3 is mX (m-1). Thus, the number of terminals m
When the number of registrations increases, the number of registrations becomes considerable.

However, the capacity of a content addressable memory (CAM) is smaller than that of a normal memory. Therefore, it is a problem of the conventional method to reduce the number of data to be registered in the content addressable memory (CAM).

In general, the terminals can be grouped, and the terminals in the group are set so that they can communicate with each other. However, in the case of the conventional method, the combination of all terminals in the group is registered in the corresponding check CAM, and the registration work becomes large. In particular, when a terminal is added to or deleted from a group, a combination of all terminals is changed, and a complicated operation is required.

[0023]

According to an aspect of the present invention, there is provided an access check circuit for determining whether a message can be accessed based on address information attached to the message. A comprehensive check function unit that determines whether access is possible based on the address information of (2), an individual check function unit that determines whether access is possible based on address information on a terminal basis, and (3) a comprehensive check function unit and individual And a determination unit for finally determining whether or not the determination is possible based on the determination result of both or one of the check function units.

As described above, in the present invention, a comprehensive access check can be performed based on the address information on a group basis. Therefore, a necessary access check can be realized with a small number of registrations. In addition, by having an individual check function, if the function is used together, more detailed settings can be made.

[0025]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (A) First Embodiment (A-1) Circuit Configuration Hereinafter, a first embodiment of an access check circuit according to the present invention and a connectionless switching apparatus to which the access check circuit is applied will be described.
This will be described in detail with reference to the drawings.

FIG. 1 shows the configuration of the access check circuit according to the first embodiment. The feature of the access check circuit shown in FIG. 1 is that, in addition to being able to perform an access check for each terminal, a comprehensive access check can be made for each group.

Therefore, this access check circuit
Source address check CAM 11, permission / inhibition mode instructing units 12 and 13, comprehensive check address instructing unit 14, correspondence check CAMs 15 and 16, and determination circuit 1
7.

Here, the source address check CAM1
Reference numeral 1 denotes a storage unit in which a source address to which transmission is permitted is registered. Source address check CAM11
Checks whether there is a matching address for the source address of the received message. If a matching address is registered, the source address check CAM1
1 outputs a registration address SA ′ (MATCH Address). On the other hand, if the matching address is not registered, the source address check CAM 11 discards the message.

The comprehensive check permission / prohibition mode instructing section 12 is means for instructing whether to perform the correspondence check on the set of the group address RA and the destination address DA in the permission mode or the prohibition mode. Here, the permission / prohibition mode instruction unit 12 sends the instruction to the registration address S
This is performed for each A '(MATCH Address).

Permission / prohibition mode instruction unit 13 for individual setting
Is means for instructing whether to perform a correspondence check on a set of a registered address SA 'and a destination address DA in a permission mode or a prohibition mode. Here, the permission / prohibition mode instruction unit 13 transmits the instruction to the registration address SA ′.
(MATCH Address).

The comprehensive check address designating unit 14 assigns the registration address SA 'corresponding to each terminal to the address of the group to which each terminal belongs, that is, the group address RA.
It is a means to convert to.

Correspondence check CAM15 for comprehensive check
Is storage means in which a set of a group address RA and a destination address DA is registered in advance. Here, when the comprehensive check is performed in the permission mode, a set of a group address RA and a destination address DA to which access is permitted is registered in the correspondence check CAM 15. On the other hand, when the comprehensive check is performed in the prohibition mode, the group address RA and the destination address DA for which access is prohibited are included in the correspondence check CAM 15.
Is registered.

The correspondence check CAM 15 checks whether the set of addresses obtained from the received message matches the set of registered addresses. Group address R
When a pair of A and the destination address DA is registered, the correspondence check CAM 15 outputs a match output (MATCH).

Similarly, corresponding check C for individual check
The AM 16 is a storage unit in which a pair of a registration address SA ′ and a destination address DA is registered in advance. Here, when the individual check is performed in the permission mode, the corresponding check CAM
16 is registered with a set of a registered address SA 'and a destination address DA to which access is permitted. On the other hand, when the individual check is performed in the prohibition mode, the correspondence check CAM 16 has the registration address SA ′ for which access is prohibited and the destination address D
A set is registered.

The correspondence check CAM 16 checks whether the set of addresses given to the received message matches the set of registered addresses. Registration address S
When a pair of A 'and the destination address DA is registered, the correspondence check CAM 16 outputs a match output (MATCH).

The judgment circuit 17 determines whether or not the permission for the comprehensive check /
The permission / prohibition output output by the prohibition mode instruction section 12, the permission / prohibition output output by the permission / prohibition mode instruction section 13 for individual check, and the correspondence check CA for comprehensive check
An access check is determined based on the output result of the match output (MATCH) output by M15 and the match output (MATCH) output by the corresponding check CAM 16 for individual check.

The determination circuit 17 outputs an access permission (OK) when the destination address DA is an address for which transmission is permitted, or when the destination address DA is not included in an address for which transmission is prohibited. . The determination circuit 17 determines whether access is possible based on the following equation.

Access permitted (OK) = ｛[Permitted (inclusive) &
Match (Inclusive)] OR [Prohibited (Inclusive) & No Match (Inclusive)]
｝ & ｛[Permission (individual) & match (individual)] OR [prohibited (individual) & no match (individual)]｝ where “&” means logical product and “OR” means logical sum. Also, “permitted” or “prohibited” means the output of the permission / prohibition mode instructing units 12 and 13. Also,"
"Match" or "no match" means the output of the correspondence check CAMs 15 and 16.

Here, the decision circuit 17 decides whether or not the final access is possible based on the logical product of the comprehensive check result for each group and the check result for each individual address. This is the corresponding check CAM
This is to reduce the number of addresses registered in 15 and 16.

For example, in a group including 100 terminals, basically, 100 units mutually allow access, but from one terminal (A) to one specific terminal (B) in the group. When the access is prohibited, the terminal (B) whose access is prohibited is registered as DA and the terminal (A) as SA is registered in the prohibition mode, and the access as a group is registered as being permitted.

In this case, only the terminal A takes a special access mode, but the registration contents of the terminal A (9 except for B)
The number of registrations can be reduced by 98 as compared with the case of separately registering (communication with eight devices).

(A-2) Check Operation Next, a check operation of the access check circuit according to the first embodiment will be described. Here, description will be made with reference to FIG. As shown in FIG. 6 (A), the switching device including the above-described access check circuit has three switches as in the case of FIG. 5 (A).
Terminals 1 to 3 are connected. The addresses of the terminals 1 to 3 are A1 to A3. In addition, the terminals 1 to 3 permit each other's transmission in the permission mode.

In this case, the registration contents of the tables provided in the permission / prohibition mode instruction units 12 and 13, the comprehensive check address instruction unit 14, and the corresponding check CAMs 15 and 16 are as shown in FIGS. 6B to 6F. become. Although the registered contents of the source address check CAM11 are not shown in the figure, SA1 'is assigned to the address A1 of the terminal 1.
However, for address A2, SA2 'is used for address A3.
It is assumed that SA3 'is registered for.

In this state, a case where transmission is requested from terminal 1 to terminal 2 will be considered. In this case, the source address SA is A1, and the destination address DA is A2. When the source address SA is input to the source address check CAM 11, the source address SA is A1, and therefore SA1 'is output as the registered address SA'.

At this time, upon inputting the registration address SA1 ', the comprehensive check permission / prohibition mode instructing unit 12 accesses the internal table (FIG. 6B) and, in accordance with the registered contents, enters the registered registration. The permission / prohibition output for the address SA1 'is set to "permission".

Similarly, the individual check permission / prohibition mode instructing section 13 receives the registration address SA1 ',
The internal table (FIG. 6C) is accessed, and the permission / prohibition output for the input registration address SA1 'is set to "prohibited" according to the registered contents.

The comprehensive check address designating section 14
Receives the registration address SA1 ', accesses the internal table (FIG. 6D), and outputs RA1 as the group address RA corresponding to the registration address SA1' according to the registered contents.

[0048] Corresponding check CAM for comprehensive check
15 is a group address RA1 and a destination address DA
, The internal table (FIG. 6E) is accessed. Here, the internal table contains the group address R
A2 is registered as a terminal address connectable to A1. Therefore, the correspondence check CAM 15 outputs a match output (MATCH).

On the other hand, corresponding check CA for individual check
Upon inputting the registration address SA1 ′ and the destination address DA, M16 accesses the internal table (FIG. 6F). Here, no terminal address is registered in the internal table. Therefore, there is no address that matches the set of input addresses in the internal table, and the correspondence check CAM 16 does not output a match output (MATCH).

Thus, the determination circuit 17 outputs "permitted" as the permitted / inhibited output (inclusive) and outputs the coincidence output (MATCH)
(Comprehensive) "match", Permitted / prohibited output (individual) "disabled (prohibited)", coincident output (MATCH)
Enter (No output (No match)) as (Individual).

This input condition is obtained from the above-mentioned decision logical expression.
It matches the condition of access permission (OK). As a result, the determination circuit 17 permits the access request.

(A-3) Effect of Embodiment (1) As described above, by adopting the configuration according to the first embodiment, registration in the corresponding check CAM necessary for realizing a predetermined check operation is performed. The number of cases can be reduced.
For example, even when the three terminals are interconnected as in the above-described operation example, the access check circuit according to the present embodiment allows the number of registrations in the corresponding check CAM to be the same for both the comprehensive and the individual. You can do it in three cases.

On the other hand, in the case of the conventional apparatus (FIG. 5), it is necessary to register 6 (= 3 × (3-1)) pieces of information. The area can be used more effectively. This tendency is more remarkable as the number of terminals to be interconnected is larger. For example, when 100 terminals are interconnected, 9900 (= 100
× (100-1)) information needs to be registered,
In the case of the present embodiment, 100 data may be used.

As described above, in the case of the present embodiment, the connection between a very large number of terminals can be managed even by using the existing CAM. Conversely, when managing connections between terminals in a system of the same scale, CA required in comparison with the related art is required.
The size of M can be significantly reduced.

(2) Further, according to the configuration of the first embodiment, the connection between the terminals can be managed on a group basis, and the management can be simplified as compared with the related art. For example,
Even in the case where the terminal in the group can communicate with each other, but the communication with the terminal outside the group is restricted, the group address is set to RA and the correspondence between the group address and each terminal in the group is set. Correspondence check CAM
Communication can be managed only by registering in (for comprehensive check) 15.

At this time, when a terminal is added to the group or a terminal is deleted from the group, the corresponding check C
Only by changing the registered contents of the AM (for comprehensive check) 15, specifically, by adding or deleting one address of the corresponding terminal, management can be easily performed.

(3) According to the configuration of the first embodiment, communication with a terminal outside the group is basically restricted, but communication between a specific terminal and a terminal outside the group is restricted. In the case of settings such as permitting, the corresponding check CAM
It can be dealt with only by changing the registered contents of 16 (for individual check), and management can be simplified.

(B) Second Embodiment (B-1) Circuit Configuration Hereinafter, a second embodiment of an access check circuit according to the present invention and a connectionless switching apparatus to which the access check circuit is applied will be described.
This will be described in detail with reference to the drawings.

FIG. 7 shows a configuration of an access check circuit according to the second embodiment. In FIG. 7, the same parts as those in FIG. 1 are indicated by the same reference numerals. Second
The difference between this embodiment and the first embodiment is that the selector 21
Are newly provided, the CAM for comprehensive check and the CAM for individual check are shared by using a single correspondence check CAM 22, and the partial judgment operation of the judgment circuit 17 'is changed. Is a point. Therefore, in the following description, only such differences will be described.

The selector 21 is a means for selectively outputting one of the group address RA and the registered address SA '. For example, the selector 21 selects the group address RA at the time of the first check of the correspondence check CAM 22, and selects the registered address S at the time of the second check.
Select A '. Of course, the registration address SA 'may be selected at the first check, and the group address RA may be selected at the second check.

The selector 21 outputs an RA / SA ′ identifier indicating whether the address is the group address RA or the registered address SA ′, together with the address. The selector 21 has, for example, a group address R
When "A" is selected, "1" is output and the registration address SA '
"0" is output when is selected. FIG. 7 illustrates this case. Also in this case, of course, the group address RA
When "1" is selected, "0" is output, and when "1" is selected, the registered address SA 'is output.

The correspondence check CAM 22 has RA / SA '
Identifier, group address RA, destination address DA
And the RA / SA 'identifier and the registration address S
This is storage means in which a set of A 'and a destination address DA is registered in advance. Here, the correspondence check CAM22 is
It is configured to check whether a set corresponding to the RA / SA ′ identifier given from the selector 21 at the preceding stage matches an input address, and output a check result.

In the case of FIG. 7, the correspondence check CAM 22
When the RA / SA 'identifier 209 is "1", it is checked whether a pair of the group address RA and the destination address DA is registered. When the RA / SA' identifier is "0", the registration address SA 'and the destination address DA are checked. Check if the set is registered. When the set of checked data is registered, the correspondence check CAM 22 outputs the match output (M
ATCH).

The determination logic of the determination circuit 17 'is basically the same as that of the first embodiment described with reference to FIG. However, in the case of this embodiment, the correspondence check CAM 22
Is performed in two separate steps,
The determination circuit 17 'handles one of the two check results provided from the correspondence check CAM 22 as a result for the comprehensive check and the other as a result for the individual check. In the case of FIG. 7, the determination circuit 17 '
Treats the first check result as a check between the group address RA and the destination address DA, and treats the second check result as the registration address SA ′ and the destination address DA.
Treated as a check result.

(B-2) Check Operation Next, a check operation of the access check circuit according to the first embodiment will be described. Here, a description will be given with reference to FIG. As shown in FIG. 8A, three terminals 1 to 3 are connected to the switching device including the above-described access check circuit, as in the case of FIG. Also here, the addresses of the terminals 1 to 3 are A1 to A3. In addition, it is assumed that the terminals 1 to 3 permit each other's transmission in the permission mode.

In this case, the registration contents of the tables provided in the permission / prohibition mode instructing sections 12 and 13, the comprehensive check address instructing section 14, and the corresponding check CAM 22 are as follows:
8 (B) to 8 (E). Although the registration contents of the source address check CAM11 are not shown in the figure, SA1 'is assigned to the address A1 of the terminal 1, SA2' is assigned to the address A2, and SA3 'is assigned to the address A3. Shall be registered.

In this setting state, a case is considered where transmission is requested from terminal 1 to terminal 2. In this case, the source address SA is A1, and the destination address DA is A2.
Source address check CAM 11 sends source address S
When A is input, the source address SA is A1, and therefore SA1 'is output as the registered address SA'.

At this time, upon inputting the registration address SA1 ', the comprehensive check permission / prohibition mode instructing unit 12 accesses the internal table (FIG. 8B), and according to the registered contents, enters the registered registration. The permission / prohibition output for the address SA1 'is set to "permission".

Similarly, when the individual check permission / prohibition mode instruction unit 13 inputs the registration address SA1 ',
The internal table (FIG. 8C) is accessed, and the permission / prohibition output for the input registration address SA1 'is set to "prohibition" according to the registered contents.

The comprehensive check address designating section 14
Receives the registration address SA1 ', accesses the internal table (FIG. 8D), and outputs RA1 as the group address RA corresponding to the registration address SA1' according to the registered contents.

In this state, the selector 21 first sets the group address RA1 and the S of the value “1” to correspond to the first check operation in the correspondence check CAM 22.
A '/ RA identifier is output.

At this time, the correspondence check CAM 22 includes
As shown in FIG. 8E, the group address RA1 and the destination address A2 are assigned to the SA '/ RA identifier having the value "1".
Are registered, the correspondence check CAM 22 outputs a match output (MATCH).

As a result, the judgment circuit 17 'determines that the permission / prohibition output (inclusive) is "permitted" and the coincidence output (MATC
H) It is determined that (inclusive) is “match”.

When the first check operation is completed, the selector 21 next outputs the registration address SA ′ and the SA ′ / RA identifier of the value “0” for the second check operation of the corresponding check CAM 22. I do.

At this time, the correspondence check CAM 22 includes
As shown in FIG. 8E, the registration address SA1 ′ corresponding to the SA ′ / RA identifier having the value “0” and the destination address A2
Is not registered, the correspondence check CAM22
Does not output a match output (MATCH).

As a result, the determination circuit 17 'determines that the permission / prohibition output (individual) is "non-permission (inhibition)" and the coincidence output (MATCH) (individual) is "no output (no coincidence)". judge.

Thus, the judgment circuit 17 'determines that the permission / prohibition output (inclusive) is "permitted" and its coincidence output (MATCH)
(Inclusive) is determined to be “match”, permitted / inhibited output (individual) is “not permitted (inhibited)”, and its matched output (MATCH) (individual) is determined to be “no output (no match)”. From the formula, it is finally determined that this access request matches the condition of access permission (OK). And the determination circuit 1
7 'permits the access request.

(B-3) Effects of the Embodiment As described above, also in the case of the second embodiment, the same effects as those of the first embodiment can be obtained. In the case of the second embodiment, the corresponding check CAM (for comprehensive check) and the corresponding check CAM in the first embodiment are used.
(For individual check) can be handled as a physically identical CAM, so that the corresponding check CAM can be used without waste.

(C) Other Embodiments (1) In the first and second embodiments described above, the permission /
The case where each of the prohibition mode instruction unit (for comprehensive check) 12, the permission / prohibition mode instruction unit (for individual check) 13, and the comprehensive check address instruction unit 14 is configured by different tables has been described. It may be constituted by one table.

(2) In the first and second embodiments,
Although both the comprehensive check and the individual check are executed for one access request, the present invention can be applied to a case where only one of them is checked. It should be noted that only one check operation may be executed for all access requests depending on the setting, or may be individually set for each access.

(3) In the first and second embodiments,
After checking whether the source address SA is registered or not, it has been described that the check mode for the address is determined to be the permission mode or the prohibition mode. However, the same processing may be performed based on the destination address DA. . Also, for other processes, the source address S
The relationship between the AA and the destination address DA may be switched and executed.

(4) In the first and second embodiments,
Although the case where the access check circuit is applied to a connectionless exchange has been described, the invention can be applied to other devices provided that they have the same type of exchange function.

[0083]

As described above, according to the present invention, an access check circuit that determines whether or not an access to a message can be performed based on address information attached to the message includes:
(1) a comprehensive check function unit that determines whether access is possible based on address information in group units, (2) an individual check function unit that determines whether access is possible based on address information in terminal units, and (3) a comprehensive check function unit. A required access check is realized with a smaller number of registrations than before by providing a judgment unit that makes a final judgment on the judgment based on the judgment result of both or one of the check function unit and the individual check function unit. it can. In addition, by having an individual check function, more detailed setting can be performed by using the function together.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of a first embodiment.

FIG. 2 is a diagram showing a configuration of a connection message.

FIG. 3 is a diagram showing a conceptual configuration of an associative memory.

FIG. 4 is a block diagram showing a configuration of a conventional device.

FIG. 5 is a diagram for explaining a problem of a conventional device.

FIG. 6 is a diagram which is used for describing the operation of the first embodiment.

FIG. 7 is a block diagram illustrating a configuration of a second embodiment.

FIG. 8 is a diagram provided to explain the operation of the second embodiment.

[Explanation of symbols]

11: Source address check CAM, 12, 13: Permission / prohibition mode instruction unit, 14: Comprehensive check address instruction unit, 15: Correspondence check CAM, 17, 17 '... Judgment circuit, 21: Selector, 22: Correspondence check CAM.

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Katsura Noritake 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo Japan Telegraph and Telephone Corporation (72) Inventor Shigehiko Ushijima 3-19, Nishishinjuku, Shinjuku-ku, Tokyo No. 2 Nippon Telegraph and Telephone Corporation

Claims (4)

[Claims] An access check circuit for determining whether or not the message is accessible based on address information attached to the message, a comprehensive check function unit for determining whether or not access is possible based on address information on a group basis; An individual check function unit that determines whether access is possible based on the address information of the unit; and a determination unit that finally determines whether the determination is possible based on the determination result of both or one of the comprehensive check function unit and the individual check function unit. An access check circuit, comprising: 2. The access check circuit according to claim 1, wherein the comprehensive check function unit and the individual check function unit include:
An access check circuit, wherein an associative memory storing the correspondence of addresses corresponding to the respective addresses is stored. 3. The access check circuit according to claim 2, wherein each associative memory is physically constituted by one memory means. 4. A connectionless switching apparatus for selecting a communication path for each link based on address information attached to a message, wherein whether or not each message can be accessed is determined.
A connectionless switching device, wherein the determination is performed using the access check circuit according to any one of the above.