JP2002077216A - Two-layer protocol transfer equipment - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce management load of a network manager and ensure higher network security as compared to the conventional system. SOLUTION: This transfer equipment is provided with plural ports for connecting communications equipment; a first storage means for storing correspondence of each port to a two-layer address of the communications equipment connected with the ports; a second storage means for storing couples of a three- layer address of a router and the two-layer address; and a means which performs (a) responding with the previously registered two-layer address of the router instead, concerning address solution requirement to the router from a terminal by address solution protocol, and (b) using the filtering function in the router by permitting all communications and performing the communications with a three-layer protocol between all terminals through the router, concerning the communications by the two-layer protocol toward terminals from the router.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a two-layer protocol transfer device, and more particularly to a two-layer protocol transfer device having a function of protecting network security.

[0002]

2. Description of the Related Art Generally, a layer 2 network has been often used by a specific person. However, in recent years, with the development of layer 2 protocol technology, a two-layer network has been constructed in public facilities and the like. An environment in which an unspecified number of people can use the network is being improved. Under such an environment, there are the following problems.

[0003] 1. Information on the terminal used by each individual is unintentionally disclosed (for example, if you click on a Windows network computer of Microsoft Corporation in the United States, you may be able to see the files on the terminal of another person, conversely, There is a possibility that the files in the terminal of this may be peeped, and further, these files may be rewritten.) Depending on the settings of the terminals such as the second and third layer addresses used by each individual, the network may be adversely affected (for example, if the same three-layer address is found in the two-layer network, the three-layer address is set) It is possible that the normal communication of the terminal performing the communication may be disturbed), which is a security problem.
Therefore, it is desirable that security can be ensured as a function of the network.

Conventional security measures include: Is a multi-layer switch, which protects security by performing filtering for each of the four layer protocols that are likely to pose a security problem, such as communication using a shared resource notification protocol issued from a user terminal. Also, 2. About "IP address / M
Information Outlet Unauthorized Access Prevention Method for AC Address Forgery (Information Processing Society of Japan vol.40 No.12 1999
)), Permit only legitimate communication based on the combination of the port of the layer 2 switch to which the user terminal is connected, the IP address of the user terminal, and the MAC address of the user terminal. By doing so, security was protected.

[0005]

However, the above-mentioned prior art has the following problems. First,
1. In a two-layer network assumed (for example, a network provided by public facilities such as a library or a public transportation system such as a bullet train), communication between user terminals closed in the two-layer network is almost unnecessary. It is natural to communicate with the server on the external network beyond the router. In the case of such a network utilization form, security measures are generally performed centrally at a router which is an exit of a two-layer network. In the case of using the above-mentioned multilayer switch, it is currently possible to observe information of a plurality of switches with one management device,
When setting information is reflected on each switch, it cannot be performed on all switches at once, so the network administrator must perform the complicated task of setting security functions separately for each switch on the network. Therefore, there is a problem that a setting error is likely to occur and a security level may be reduced.

Next, 2. About 3 in a two-layer network
When performing layer protocol communication, a protocol for acquiring a two-layer address based on a three-layer address of a communication target device (hereinafter referred to as an address resolution protocol) in order to associate a three-layer address of a communication partner with a two-layer address. ) Must be used. At present, it is not checked whether the communication content based on the address resolution protocol is appropriate, and therefore, it responds to the address resolution request for the third-layer address of another device with its own two-layer address, If an address resolution request for the third layer address is sent to a device other than the second layer address unique to the own device, there is a risk that normal communication of terminals other than the user using the network may be interrupted. By the way, even if a countermeasure for filtering based on the combination of the connection port, the three-layer address, and the two-layer address is used, the use of the illegal second-layer address cannot be prevented.

SUMMARY OF THE INVENTION The present invention has been made to solve such a problem, and provides a two-layer protocol transfer device capable of reducing the management burden on a network administrator and securing network security more than before. The purpose is to:

[0008]

In order to achieve such an object, a two-layer protocol transfer device according to the present invention comprises:
A communication network is configured by a plurality of terminals and routers, which are communication devices using a layer protocol, and obtains a two-layer address from a three-layer address of the communication device in order to transfer the three-layer protocol via a two-layer network. In a two-layer protocol transfer device in a two-layer network using a communication protocol (hereinafter, referred to as an address resolution protocol), a plurality of ports for connecting each of the communication devices and two of the communication devices connected to each of the ports are provided. First storage means for storing a correspondence between a layer address and a port, second storage means for storing a set of a three-layer address and a two-layer address of the router, and (a) from the terminal according to the address resolution protocol. As for the address resolution request to the router, the layer 2 address of the router registered in advance is responded by proxy, b) blocking communication between the terminals according to the two-layer protocol, and (c) permitting all communication between the terminals to the terminal according to the two-layer protocol to permit all communication between terminals according to the three-layer protocol to the router. And a means for using a filtering function in the router.

Further, the present invention includes the following configuration as another embodiment. That is, a communication network is configured by a plurality of terminals and routers, which are communication devices using a three-layer protocol, and has a network part and a host part in a three-layer address, and further divides the host part as a network address ( In the case where the three-layer broadcast uses a common address for communication devices in the subnet, the terminals belong to different subnets, and each terminal communicates with a communication device outside the subnet for each subnet. A three-layer address of a communication device (hereinafter referred to as a default gateway) to which a packet is to be transmitted is set in each terminal, and the router belongs to a subnet including all subnets of each terminal, and the three-layer protocol is transmitted via a two-layer network. Three-layer address of the communication device to transfer In a two-layer protocol transfer device in a two-layer network using a protocol for acquiring a two-layer address from the network (hereinafter, referred to as an address resolution protocol), a plurality of ports for connecting the communication devices and a plurality of ports connected to the ports are provided. First storage means for storing a correspondence between a second-layer address and a port of the communication device, and second storage means for storing a set of a third-layer address and a second-layer address of the default gateway;
(A) For an address resolution request from the terminal to the default gateway by the address resolution protocol, a proxy responds with a two-layer address of a router registered in advance, and (b) communication between the terminals by a two-layer protocol. (C) With respect to the communication by the two-layer protocol from the router to the terminal, by permitting all the communication between the terminals by the three-layer protocol via the router, the filtering function of the router is used. Means.

Further, a communication network is constituted by a plurality of terminals and routers, which are communication devices using a three-layer protocol, and a three-layer address of the communication device is used to transfer the three-layer protocol through a two-layer network. In a two-layer protocol transfer device in a two-layer network using a protocol (hereinafter, referred to as an address resolution protocol) for acquiring a two-layer address from a plurality of ports for connecting each of the communication devices, First storage means for storing a correspondence between a two-layer address and a port of the communication device, second storage means for storing a set of a three-layer address and a two-layer address of the router, and (a) a terminal For communication using a two-layer protocol, a terminal other than the three-layer address of the terminal registered in advance for the port to which a frame is input Only three types of addresses, namely, an address resolution request to the communication device, an address resolution response from the terminal registered in advance, and communication by a three-layer protocol having a source of the three-layer address of the terminal registered in advance are passed. Other than these, discard the other. (B) Regarding communication to the terminal by the two-layer protocol, an address resolution request for the three-layer address of the terminal registered in advance for the port to which a frame is output, and According to the above-described 2nd, only three types, that is, an address resolution response from a communication device other than the terminal and a communication by a three-layer protocol destined to a three-layer address of the terminal registered in advance are passed and the others are discarded. To all terminals in the layer network, and (c) permit all communication by the layer 2 protocol on the port to which the router is connected. That and means.

In addition, a communication network is constituted by a plurality of terminals and routers, which are communication devices using the three-layer protocol, and the three-layer address of the communication device is transferred to transfer the three-layer protocol via the two-layer network. In a two-layer protocol transfer device in a two-layer network using a protocol (hereinafter, referred to as an address resolution protocol) for acquiring a two-layer address from a plurality of ports for connecting each of the communication devices, (A) first storage means for storing a correspondence between a two-layer address and a port of the communication device, and second storage means for storing a set of a three-layer address and a two-layer address of the communication device; Of the two-layer broadcast to the outside, and the address resolution request from the communication device connected to the port to another communication device is 2 of pre-registered the communication device
And (b) that all address resolution responses issued from each communication terminal are blocked.
Means for performing operations on all communication devices connected to the port.

According to the first and second aspects of the present invention, the inter-user communication by the two-layer protocol is cut off, and the inter-user communication by the three-layer protocol is realized by performing all the communication once through the router. The network administrator can centrally reflect the security policy on the network, freeing the troublesome work of separately setting security-related settings for each two-layer protocol transfer device and reducing the possibility of setting errors. It can be made smaller. According to the third and fourth aspects, since the communication based on the address resolution request protocol is determined to be appropriate and then transferred to each device, the third-layer address is prevented from being illegally used. According to the fourth aspect, it is possible to prevent unauthorized use of the third-layer address and the second-layer address.

[0013]

Next, one embodiment of the present invention will be described with reference to the drawings. [First Embodiment] FIG. 1 shows a first embodiment of a two-layer protocol transfer apparatus according to the present invention. In the figure, the two-layer protocol transfer device 100 includes terminals 109 and 110
And the port 10 to which the router 111 is connected
1, 102 and 103, a transfer determination unit 104, a two-layer address: port correspondence storage unit 105, a router information storage unit 106, a transfer unit 107, and an address resolution processing unit 10.
8 is provided. Here, for the sake of simplicity, a diagram in which two terminals and one router are connected to this apparatus is shown.
This device prohibits direct communication between users using the two-layer protocol by performing different processing on received frames when the connected communication device is a terminal and a router, and only uses the three-layer protocol for communication. Be able to do it.
The number of ports is not limited to three, and may be three or more.

First, information set and stored in the apparatus in advance will be described. When a communication device connected to this device communicates for the first time, the correspondence between the port to which the communication device is connected and the two-layer address of the communication device is set to two.
Layer address: Write to port correspondence storage unit 105. For simplicity, the two-layer address of the communication device connected to this device has already been learned, and the two-layer address: port correspondence storage unit 105
It is assumed that it is written in In addition, the administrator of this apparatus registers a pair of the third-layer address and the second-layer address of the router 111 in the router information storage unit 106 in advance.

The details of each section will be described below. FIG. 2 is a block diagram illustrating details of the transfer determination unit in FIG. The transfer determination unit 104 receives, at the input port identification unit 104a, a block (frame) of two-layer protocol data input from a port to which each communication device is connected. The input port identification unit 104a compares the source two-layer address written in the received frame with the router two-layer address registered in the router information storage unit 106 in advance. If they match, the frame is passed to the output port determining unit 104b.
Pass the frame to c.

The output port determining unit 104b outputs the destination port (output port) of the frame from the correspondence table learned in the destination two-layer address and the two-layer address: port correspondence storage unit 105 written in the frame. And determine
Transfer to transfer section 107. In the output port identification unit 104c,
Frame destination two-layer address and router information storage unit 106
Is compared with the two-layer address of the router registered in advance. If they match, the output port is passed to the transfer unit 107 as the port 103 to which the router 111 is connected. If they do not match, the frame is passed to the address resolution processing unit 108.

FIG. 3 is a block diagram showing details of the address resolution processing section of FIG. In the address resolution processing unit 108, the address resolution determination unit 108a looks at a portion written in the passed frame and indicates what protocol data the frame is, and determines whether the frame is an address resolution request frame. Then, if the frame is an address resolution request frame, the frame is passed to the proxy response unit 108b; otherwise, the frame is discarded.

The proxy responding unit 108b receives the requested 3 according to the information registered in the router information storing unit 106 in advance.
For the layer address, the two-layer address of the router 111 is written in the address resolution response frame as a proxy, and the source two-layer address and the two-layer address written in the frame received from the address resolution determining unit 108a and the port correspondence storage unit A port to which an address resolution response frame is to be output is determined from the correspondence table learned by 105 and the frame is transferred to the transfer unit 107. The transfer unit 107 transfers the frame to each of the ports 101 and 10 based on the passed output port information.
2 and 103, and each of the ports 101, 102 and 103 transmits a frame to each of the connected communication terminals 109, 110 and 111.

Next, another embodiment of the present invention will be described. [Second Embodiment] FIG. 4 shows a two-layer protocol transfer apparatus according to a second embodiment of the present invention. In the figure, the two-layer protocol transfer device 200 includes terminals 209 and 210
And the port 20 to which the router 211 is connected, respectively.
1, 202 and 203, a transfer determination unit 204, a two-layer address / port correspondence storage unit 205, a default gateway information storage unit 206, a transfer unit 207, and an address resolution processing unit 208. Here, for the sake of simplicity, two terminals and one router are connected to this device, IP is used as a three-layer protocol, and each device has the settings (subnet address, default gateway address) shown in FIG. , IP address, and two-layer address). The number of ports is not limited to three, and may be three or more.

Here, since each user terminal belongs to a different subnet, when communicating with a communication device other than the user terminal, the default gateway set for each terminal is used instead of communication using the two-layer protocol. The communication is based on a three-layer protocol that passes through. As a result, direct communication between users by the two-layer protocol can be prevented. However, since the communication by the three-layer protocol cannot be performed as it is, the present apparatus enables the communication between users by the three-layer protocol.

First, information set and stored in the apparatus in advance will be described. When a communication device connected to the communication device first communicates, the correspondence between the port to which the communication device is connected and the two-layer address of the communication device is stored in the two-layer address: port correspondence storage unit 205. Write to. For simplicity, it is assumed that the two-layer address of the communication device connected to the present device has already been learned and has been written in the two-layer address: port correspondence storage unit 205. Also, the administrator of this apparatus registers a set of a plurality of three-layer addresses of the default gateway and a second layer address of the router set for each terminal in the default gateway information storage unit 206.

Hereinafter, each part will be described. FIG. 5 is a block diagram showing details of the transfer determination unit in FIG. The transfer judging unit 204 determines which port 201 to which each communication device is connected to.
The input port identification unit 204a receives a block (frame) of the data of the two-layer protocol input from the input unit 203. The input port identification unit 204a compares the source two-layer address written in the received frame with the router two-layer address registered in the default gateway information storage unit 206 in advance. If they match, the frame is passed to the output port determination unit 204b, and if they do not match, the frame is passed to the output port identification unit 204c.

The output port determining unit 204b outputs the destination port (output port) of the frame from the correspondence table learned in the destination two-layer address and the two-layer address: port correspondence storage unit 205 written in the frame. And determine
This is passed to the transfer unit 207. In the output port identification unit 204c,
The destination second-layer address of the frame is compared with the router's second-layer address registered in the default gateway information storage unit 206 in advance. If they match, the output port is set to router 21
The frame is passed to the transfer unit as port 1 connected. If they do not match, the frame is passed to the address resolution processing unit 208.

FIG. 6 is a block diagram showing details of the address resolution processing section of FIG. In the address resolution processing unit 208, the address resolution determination unit 208a looks at a part written in the passed frame and indicates the protocol of the frame, and determines whether the frame is an address resolution request frame. Then, if the frame is an address resolution request frame, the frame is passed to the proxy response unit 208b; otherwise, the frame is discarded. In the proxy response unit 208b, the default gateway information storage unit 2
In accordance with the information registered in advance in 06, for the requested three-layer address, the second-layer address of the router 211 is written in the address resolution response frame as a proxy, and is written in the frame received from the address resolution determination unit 208a. Source two-layer address and two-layer address: port correspondence storage unit 2
The port to which the address resolution response frame is to be output is determined from the correspondence table learned in step 05, and the frame is transferred to the transfer unit 207. The transfer unit 207 transfers the frame to each port based on the passed output port information, and each port transmits the frame to each connected communication terminal.

[Third Embodiment] FIG. 7 shows a third embodiment of the two-layer protocol transfer apparatus according to the present invention.
In the figure, the two-layer protocol transfer device 300
10, 301, and 303 to which the router 312 is connected, the input port identification unit 304, the input port filter unit 305, the output port filter unit 306, the transfer unit 307, and the router information storage unit 308, respectively. And two-layer address: port correspondence storage unit 309
And a three-layer address: port correspondence storage unit 313

Here, for simplicity, a diagram is shown in which two terminals and one router are connected to the present apparatus. This device can be used when the connected communication device is a terminal or a router.
By performing different processing on the received frame, unauthorized use of the user's three-layer address is prevented. The number of ports is not limited to three, and may be three or more.

First, information set and stored in the apparatus in advance will be described. When a communication device connected to the communication device first communicates, the correspondence between the port to which the communication device is connected and the two-layer address of the communication device is stored in the two-layer address: port correspondence storage unit 309. Write to. For simplicity, it is assumed that the two-layer address of the communication device connected to the present device has already been learned and has been written in the two-layer address: port correspondence storage unit 309. In addition, the administrator of this apparatus registers a set of the third-layer address and the second-layer address of the router 312 in the router information storage unit 308 in advance. In addition, the administrator of this apparatus registers the three-layer address of the communication device connected to each of the ports 310 to 312 in the three-layer address: port correspondence storage unit 313 in advance.

Hereinafter, each part will be described. FIG. 8 is a block diagram showing details of the input port filter unit of FIG.
The input port identification unit 304 receives a block (frame) of data of a two-layer protocol input from a port to which each communication device is connected, and transmits a source two-layer address written in the received frame and a router. Information storage unit 308
Is compared with the two-layer address of the router registered in advance. If they match, the frame is passed to the output port filter unit 306, and if they do not match, the frame is passed to the input port filter unit 305.

The input port filter unit 305 classifies into a frame of a three-layer protocol and a frame of an address resolution protocol based on the information written in the frame passed by the protocol identification unit 305a. The information is passed to the layer protocol filter unit 305c and the address resolution protocol filter unit 305b. Frames of other protocols are discarded. The three-layer protocol filter unit 305c calculates the input port from the correspondence table learned in the source two-layer address and the two-layer address: port correspondence storage unit 309 written in the passed frame, and registers the input port in advance in the port. The stored three-layer address to the three-layer address: port correspondence storage unit 31
3 and if it matches the source 3rd layer address of the passed frame, the output port filter unit 30
6 and the frame is discarded if they do not match. The address resolution protocol filter unit 305b looks at the passed frame, determines whether the frame is an address resolution request frame or an address resolution response frame, and passes the frame to the request filter unit 305d and the response filter unit 305e, respectively.

The request filter unit 305d calculates an input port from the correspondence table learned in the source two-layer address and the two-layer address: port correspondence storage unit 309 written in the passed frame, and assigns the port to the port in advance. The registered three-layer address is determined from the information of the three-layer address: port correspondence storage unit 313, and if it does not match the destination three-layer address of the passed frame, it is passed to the output port filter unit 306. Discard. The response filter unit 305e calculates the input port from the correspondence table learned in the source two-layer address and the two-layer address: port correspondence storage unit 309 written in the passed frame, and is registered in the port in advance. The three-layer address is determined from the information in the three-layer address: port correspondence storage unit 313, and is passed to the output port filter unit 306 if it matches the source three-layer address of the passed frame, and discarded if it does not match. I do.

FIG. 9 is a block diagram showing details of the output port filter unit of FIG. Output port filter unit 30
In step 6, based on the information written in the frame passed in the protocol identification unit 306a, the frame is classified into a three-layer protocol frame and an address resolution protocol frame to be used.
06c, passed to the address resolution protocol filter unit 306b. Frames of other protocols are discarded. In the three-layer protocol filter unit 306c, an output port is determined from the correspondence table learned in the destination two-layer address and the two-layer address: port correspondence storage unit 309 written in the passed frame and registered in the port in advance. The three-layer address is determined from the information in the three-layer address: port correspondence storage unit 313, and if it matches the destination three-layer address of the passed frame, the frame is passed to the transfer unit 307, and if not, discarded. I do.

Address resolution protocol filter section 306
In b, the passed frame is checked, and it is determined whether the frame is an address resolution request frame or an address resolution response frame, and the frame is passed to the request filter unit 306d and the response filter unit 306e, respectively. Request filter unit 306
In d, an output port is determined from a destination two-layer address and a two-layer address written in the passed frame: a correspondence table learned in the port correspondence storage unit 309, and a three-layer address registered in the port in advance. From the information in the three-layer address: port correspondence storage unit 313, and passes it to the transfer unit 307 if it matches the destination three-layer address of the passed frame, and discards it if it does not match.

The response filter unit 306e determines the output port from the correspondence table learned in the destination two-layer address and the two-layer address: port correspondence storage unit 309 written in the passed frame, and registers the output port in advance in the port. The three-layer address is determined from the information in the three-layer address: port correspondence storage unit 313, and if it does not match the source three-layer address of the passed frame, it is passed to the transfer unit 307, and if it matches, discarded. . The transfer unit 307 determines an output port from the correspondence table learned in the destination two-layer address and the two-layer address: port correspondence storage unit 309 of the passed frame, transfers the frame to the port, and connects each port. Frame to each communication terminal.

[Fourth Embodiment] FIG. 10 shows a fourth embodiment of the two-layer protocol transfer apparatus according to the present invention. In the figure, a two-layer protocol transfer device 400 includes ports 401, 402, and 403 to which terminals 408, 409 and a router 410 are connected, a transfer determination unit 404, a proxy response unit 405, a transfer unit 406, and a two-layer protocol transfer unit. Address: three-layer address: port correspondence storage unit 407. Here, for the sake of simplicity, a diagram in which two terminals and one router are connected to this apparatus is shown. The present apparatus performs a proxy response to an address resolution request and blocks an address resolution / response from a connected communication apparatus to a received frame, so that a three-layer address and a second layer of a user are received.
Prevent unauthorized use of layer addresses. The number of ports is not limited to three, and may be three or more.

First, information set and stored in the apparatus in advance will be described. When a communication device connected to this device communicates for the first time, the correspondence between the port to which the communication device is connected and the two-layer address of the communication device is defined as: two-layer address: three-layer address: port Correspondence storage unit 4
07 is written. For simplicity, the two-layer address of the communication device connected to this device has already been learned and the two-layer address: 3
It is assumed that the layer address is written in the port correspondence storage unit 407. Also, the administrator of the present apparatus registers a set of the three-layer address and the two-layer address of the communication device connected to each port in the three-layer address: two-layer address: port correspondence storage unit 407 in advance.

Hereinafter, each part will be described. Transfer determination unit 40
4 receives a frame input from a port to which each communication device is connected, and determines whether the frame is an address resolution request frame or an address resolution response frame based on information written in the received frame. It is determined whether it is a two-layer broadcast other than the address resolution request or a frame other than these. Then, in the case of the address resolution request frame, it is passed to the proxy response unit 405, in the case of the address resolution response frame, discarded, in the case of a two-layer broadcast other than the address resolution request, it is discarded, and in the case of other frames, the transfer unit 406 Pass to.

In the proxy response unit 405, a three-layer address: 2
Layer address: According to the information registered in the port correspondence storage unit 407 in advance, the second layer address of the communication device is written in the address resolution response frame on behalf of the third layer address for which the address resolution is requested, and is written in the received frame. The source two-layer address, which is the requested source, is written in the address resolution response frame as the destination two-layer address, and the frame is transferred to the transfer unit 406. The transfer unit 406 finds an output port from the correspondence table learned in the destination 2nd layer address and the 2nd layer address: 3rd layer address: port correspondence storage unit 407 of the passed frame, and transfers the frame to the port. Each port transmits a frame to each connected communication terminal.

[0038]

As described above, according to the present invention, the network manager can be released from the complicated setting work by performing the unified management of the network security.
Further, by preventing unauthorized use of the third-layer address and the second-layer address, normal communication of the user is guaranteed, and protection of network security is realized.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a first embodiment of the present invention.

FIG. 2 is a block diagram illustrating details of a transfer determination unit in FIG. 1;

FIG. 3 is a block diagram illustrating details of an address resolution processing unit in FIG. 1;

FIG. 4 is a block diagram showing a second embodiment of the present invention.

FIG. 5 is a block diagram illustrating details of a transfer determination unit in FIG. 4;

FIG. 6 is a block diagram illustrating details of an address resolution processing unit in FIG. 4;

FIG. 7 is a block diagram showing a third embodiment of the present invention.

FIG. 8 is a block diagram illustrating details of an input port filter unit in FIG. 7;

FIG. 9 is a block diagram illustrating details of an output port filter unit of FIG. 7;

FIG. 10 is a block diagram showing a fourth embodiment of the present invention.

[Explanation of symbols]

100: two-layer protocol transfer device, 101 to 103: port, 104: transfer determination unit, 104a: input port identification unit, 104b: output port determination unit, 104c: output port identification unit, 105: two-layer address: port correspondence storage Department,
106: router information storage unit, 107: transfer unit, 108 ...
Address resolution processing unit, 108a ... address resolution determination unit,
108b: proxy response unit, 109, 110: terminal, 111
... Router, 200 ... Two-layer protocol transfer device, 201-201
203: port, 204: transfer determination unit, 204a: input port identification unit, 204b: output port determination unit, 204c
... Output port identification section, 205... 2-layer address: port correspondence storage section, 206... Default gateway information storage section, 207.
08a: Address resolution determination unit, 208b: Proxy response unit
209, 210 terminal, 211 router, 300 two-layer protocol transfer device, 301-303 port, 304
... input port identification unit, 305 ... input port filter unit,
305a: Protocol identification unit, 305b: Address resolution protocol filter unit, 305c: Three-layer protocol filter unit, 305d: Request filter unit, 305e: Response filter unit, 306: Output port filter unit, 306a ...
Protocol identification unit, 306b: Address resolution protocol filter unit, 306c: Three-layer protocol filter unit, 3
06d: request filter unit, 306e: response filter unit,
307: transfer unit, 308: router information storage unit, 309 ...
Layer 2 address: port correspondence storage unit, 310, 311 terminal, 312 ... router, 313 ... layer address port correspondence storage unit, 400 ... layer 2 protocol transfer device, 401-4
03: port, 404: transfer determination unit, 405: proxy response unit, 406: transfer unit, 407: 2-layer address: 3-layer address: port correspondence storage unit, 408, 409: terminal, 41
0 ... Router.

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Toshinobu Inuzuka 2-3-1, Otemachi, Chiyoda-ku, Tokyo Within Nippon Telegraph and Telephone Corporation (72) Inventor Shinya Matsumoto 2--3, Otemachi, Chiyoda-ku, Tokyo No. 1 Within Nippon Telegraph and Telephone Corporation (72) Kazuhiro Sato 2-3-1 Otemachi, Chiyoda-ku, Tokyo Nippon Telegraph and Telephone Corporation (72) Hirohide Mikami, Otemachi, Chiyoda-ku, Tokyo 2-3-1, Nippon Telegraph and Telephone Corporation F-term (reference) 5K030 GA11 GA15 HD03 KX24 5K033 AA08 CB02 CB08 CC01 DA05 EC03 5K034 AA17 DD03 HH61 KK27

Claims (4)

[Claims] 1. A communication network comprising a plurality of terminals and routers, which are communication devices using a three-layer protocol, and a three-layer address of the communication device for transferring the three-layer protocol through a two-layer network. In a two-layer protocol transfer device in a two-layer network using a protocol for acquiring a two-layer address from a network (hereinafter, referred to as an address resolution protocol), a plurality of ports for connecting the communication devices, and a plurality of ports connected to the respective ports First storage means for storing a correspondence between a two-layer address and a port of the communication device, second storage means for storing a set of a three-layer address and a two-layer address of the router, and (a) the address. For the address resolution request from the terminal to the router by the resolution protocol, the two-layer address of the router registered in advance is used. (B) blocking communication between the terminals by the two-layer protocol, and (c) permitting all communication by the two-layer protocol from the router to the terminal by the three-layer protocol. A means for performing terminal-to-terminal communication via the router and utilizing a filtering function of the router. 2. A communication network comprising a plurality of terminals and routers, which are communication devices using a three-layer protocol,
The layer address has a network section and a host section, and further has a network (hereinafter, referred to as a subnet) obtained by dividing the host section as a network address. The three-layer broadcast uses a common address for communication devices in the subnet. The terminals belong to different subnets, and a three-layer address of a communication device (hereinafter referred to as a default gateway) to which a packet is to be transmitted when communicating with a communication device outside the subnet is set for each terminal. The router belongs to a subnet including all subnets for each terminal, and a protocol for obtaining a two-layer address from a three-layer address of the communication device (hereinafter referred to as address resolution) in order to transfer the three-layer protocol via a two-layer network. Protocol)) A two-layer protocol transfer device, wherein: a plurality of ports for connecting the communication devices; and first storage means for storing correspondence between a two-layer address and a port of the communication device connected to each of the ports. Second storage means for storing a set of a third-layer address and a second-layer address of the default gateway; and (a) an address resolution request from the terminal to the default gateway according to the address resolution protocol is registered in advance. (B) interrupting communication by the two-layer protocol between the terminals, and (c) permitting all communication by the two-layer protocol from the router to the terminal. All terminal-to-terminal communication using the three-layer protocol is performed via the router, and filtering at the router is performed. 2-layer protocol transfer apparatus characterized by comprising a means for utilizing the grayed function. 3. A communication network comprising a plurality of terminals and a router, which are communication devices using a three-layer protocol, and a three-layer address of the communication device for transferring the three-layer protocol via a two-layer network. In a two-layer protocol transfer device in a two-layer network using a protocol for acquiring a two-layer address from a network (hereinafter, referred to as an address resolution protocol), a plurality of ports for connecting the communication devices, and a plurality of ports connected to the respective ports First storage means for storing a correspondence between a two-layer address and a port of the communication device; second storage means for storing a set of a three-layer address and a two-layer address of the router; For the communication by the two-layer protocol from the terminal, a terminal other than the three-layer address of the terminal registered in advance with respect to the port to which the frame is input. Only three types of addresses, namely, an address resolution request to a communication device, an address resolution response from the terminal registered in advance, and communication by a three-layer protocol having a source of the three-layer address of the terminal registered in advance are passed. Discard other than these. (B) For communication with the terminal using the two-layer protocol, an address resolution request for the terminal's three-layer address registered in advance for the port to which a frame is output, and According to the above-described 2nd, only three types, that is, an address resolution response from a communication device other than the terminal and a communication by a three-layer protocol destined to a three-layer address of the terminal registered in advance are passed and the others are discarded. To all terminals in the layer network, and (c) permit all communication by the two-layer protocol on the port to which the router is connected. 2-layer protocol transfer apparatus characterized by comprising a means. 4. A communication network comprising a plurality of terminals and routers, which are communication devices using a three-layer protocol, and a three-layer address of the communication device for transferring the three-layer protocol through a two-layer network. In a two-layer protocol transfer device in a two-layer network using a protocol for acquiring a two-layer address from a network (hereinafter, referred to as an address resolution protocol), a plurality of ports for connecting the communication devices, and a plurality of ports connected to the respective ports (A) first storage means for storing a correspondence between a two-layer address and a port of the communication device, and second storage means for storing a set of a three-layer address and a two-layer address of the communication device; To prevent the propagation of the two-layer broadcast to the outside, and an address resolution request from a communication device connected to the port to another communication device includes: (B) telling all communication devices connected to the port that all address resolution responses from each communication terminal are to be blocked And means for performing
Layer protocol transfer device.