JP2007129283A - Data transfer apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technology capable of coping with dynamic filtering, relieving a load of configuration definition inputs, using learning information in a network node apparatus for the filtering, and achieving exceptional handling and simultaneous operations of a plurality of protocol automatic cooperation filters in the case that a plurality of filter technologies are combined for execution in the network node apparatus. <P>SOLUTION: One subnet is built up in the network node apparatus by being divided into a plurality of VLANs and the network node apparatus therein interconnects the respective VLANs. The protocol automatic cooperation filters different from each other are activated in the respective VLANs to simultaneously operate the plurality of protocol automatic cooperation filters. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a communication control technique on the Internet, and more particularly to a network access control technique.

  With the diversification of network attack means in the Internet and the complexity of network access authority, packet filtering techniques in network devices have become complicated in both quality and quantity. The qualitative complexity is due to the diversification of conditions for packet filtering. The quantitative complexity is due to the large number of packet filtering entries.

  However, especially in corporate networks that require such network security measures, reducing network operating costs is also a major issue. Therefore, there is an increasing need for automatic packet filtering settings.

  At the same time, demand for reducing network operating costs often leads to the adoption of a flat network configuration that accommodates users on a single IP subnet. In such a configuration, it is difficult to apply the conventional method of dividing IP subnets and applying a filter in units of IP subnets with routers connecting IP subnets. It is necessary to apply filters on the switches that make up the IP subnet.

  A number of implementations have been developed so far in order to realize the complicated packet filtering on both the mass side as described above in the switches constituting the IP subnet. These implementation methods can be broadly classified into three types: VLAN control method, automatic filtering condition distribution method, and automatic protocol filtering method.

  The VLAN control method is a method for controlling the communication range by controlling VLAN communication. Private-VLAN (Non-Patent Document 1) and overlap port (Non-Patent Document 2) are typical examples.

  Private-VLAN is a technology that configures one IP subnet from three different VLANs. Specifically, there are three types: isolated-VLAN that cannot be directly communicated with each other, community-VLAN that can be directly communicated with each other, and primary-VLAN that accommodates these two VLANs. Communication from the primary-VLAN to the other two VLANs is possible, but isolated-VLAN and community-VLAN cannot communicate via primary-VLAN. Therefore, the communication range can be limited by making the terminal belong to an appropriate VLAN in the Private-VLAN.

  Overlapping ports are a technology that allows one port to belong to multiple VLANs. Direct communication between VLANs is possible only via ports belonging to multiple VLANs. Therefore, the communication range from the terminal can be limited depending on whether the port connecting the terminal belongs to multiple VLANs.

  The filtering condition automatic distribution method is a method for automatically setting a filter by automatically distributing a filtering rule from an external server to a switch. In addition to NETCONF (see Non-Patent Document 3), many methods such as Patent Document 1 and Patent Document 2 have been proposed.

  The protocol automatic linkage filtering method is a method of automatically setting a filter in conjunction with a route control protocol, an address distribution protocol, or the like in a switch. Typical examples are DHCP Snooping, IP Source Guard (see Non-Patent Document 4), and Authentication VLAN (Non-Patent Document 5).

"Private VLANs: Addressing VLAN scalability and security issues in a multi-client environment", http://www.ietf.org/internet-drafts/draft-sanjib-private-vlan-03.txt

"GS4000 / GS3000 Software Manual Reference Vol.1 (Compatible with Ver 08-06, 08-07)", http://www.hitachi.co.jp/Prod/comp/network/manual/switch/gs4k/080607/ HTML / KAISETSU / INDEX.HTM "NETCONF Configuration Protocol", http://www.ietf.org/internet-draft/draft-ietf-netconf-proto-09.txt "Configuring DHCP Snooping and IP Source Guard", http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/config/dhcp.pdf "Authenticated VLANs", http://www.ind.alcatel.com/library/techbrief/TB_Authenticated_VLAN.pdf Japanese Patent Laid-Open No. 2002-281093 JP 2001-168913

  The VLAN control method is a technology that controls the communication range within a VLAN only by ON / OFF. Since the communication range is determined based on a static topology such as a physical port, the problem is that dynamic filtering conditions cannot be specified.

  The filtering condition automatic distribution method is a method that can cope with qualitative diversity by automatically distributing all filtering conditions from the outside. However, there are problems that configuration definition distribution itself becomes a load, and that filtering conditions using information that can be learned only inside the switch (eg, route information) cannot be distributed.

  The automatic protocol filtering method is a method for generating filtering conditions based on protocol information in the switch. For this reason, the above three problems (corresponding to dynamic filtering, load of configuration definition input, lack of learnable information) can be solved. However, there is a problem that it is difficult to handle exception processing (for example, packets from the device management terminal are passed regardless of the filter setting) and simultaneous operation of a plurality of protocol automatic interlocking filters.

  In the present invention, the two problems of the protocol automatic interlocking filtering method are solved by the following means.

  In the present invention, one subnet is divided into a plurality of VLANs in the switch, and each VLAN is connected in the switch. Multiple protocol automatic link filters are operated simultaneously by moving different protocol automatic link filtering methods for each VLAN.

  Furthermore, when traffic received in a certain VLAN is relayed to an adjacent VLAN, exception handling is realized by relaying only traffic that matches a specific pattern to a VLAN different from the normal one.

  When multiple VLANs are connected using a physical cable, there is a problem that the throughput of the switch is limited by the communication capacity of the physical cable. There is also a problem that physical ports are consumed for connection between VLANs.

  In order to solve these problems, a virtual port is provided in the switch, and virtual connectivity between the virtual ports is defined. By assigning the virtual port to an appropriate VLAN, the above two problems can be avoided.

  In the present invention, a plurality of protocol automatic interlocking filters operate independently in the switch. Therefore, protocol automatic operation without worrying about mutual interference (eg, processing when a flow approved by one filter is rejected by the other filter) when multiple protocol automatic interlocking filters are operated simultaneously. An interlocking filter can be realized.

  In addition, since the exception handling of the protocol automatic linkage filter is realized as an exception handling for inter-VLAN relay regardless of the protocol type, it is possible to avoid the trouble of implementing the exception handling individually in each protocol automatic linkage filter.

  By defining connectivity between virtual ports and virtual ports, connectivity between VLANs can be realized without consuming physical ports. In particular, since the port unit price of the high-speed physical interface is expensive, realizing the present invention without consuming physical ports is effective in reducing the port unit price.

  First, referring to FIG. 1, an apparatus configuration that is an object of the present invention will be described. The network node device 111 includes an interface 121, a virtual interface 122, packet relay units 123 and 124, a backplane 125, and a route control unit 126. The interface 121 has physical ports 131, 132,... To which physical lines are connected.

  The virtual port which is the subject of the present invention is realized as a virtual interface 122 in the apparatus. The virtual interface 122 includes a virtual port 141,... Recognized as the physical port from the inside of the device, a loopback processing processor 151 for looping back and transferring the packet transferred from the device to the virtual interface, and a loopback processing memory 152. Exists. In the loopback processing memory, there is a port connection table 153 showing connections between virtual ports.

  The packet relay units 123 and 124 include packet relay processing processors 161 and 162 and packet relay processing memories 163 and 164. In the packet relay processing memories 163 and 164, VLAN management tables 171 and 172 indicating correspondence between received packets and VLANs, VLANs There are filter tables 173 and 174 indicating the filter processing in FIG. 5, and route tables 175 and 176 indicating the packet transfer destinations.

  As shown in Figure 2, the VLAN management table manages the VLAN to which a packet belongs based on VLAN search conditions. VLAN search conditions include input port, IEEE802.1Q tag, source L2 address, and protocol.

  As shown in FIG. 3, the filter table manages filter processing for packets based on filter search conditions. Filter search conditions include an input port, VLAN, source L2 address, destination L2 address, protocol, source L3 address, destination L3 address, and the like. Filter processing includes IP Source Guard that passes packets with the correct correspondence between the input port and the L2 address and the L3 address, and ARP Inspection that passes packets with the correct correspondence between the L2 address and the L3 address of the ARP message.

  As shown in FIG. 4, in the route table, output ports for packets are managed based on route search conditions. The route search conditions include an input port, VLAN, source L2 address, destination L2 address, and the like.

  As shown in FIG. 5, the port connection table manages connections between virtual ports, that is, virtual ports to which packets output from a certain virtual port are input. By referring to this port connection table, the packet can be returned within the apparatus.

  When a packet is input to the physical port 131 in FIG. 1, the packet relay processing processor 161 in the packet relay unit 123 determines the VLAN to which the packet belongs based on the VLAN management table 175. Based on the determined VLAN, the filter table 173 and the route table 171 are searched, and the packet is relayed from the packet relay unit 123 to the appropriate port via the backplane 125. When this output port is a virtual port, a packet is again input from the virtual port into the apparatus according to the port connection table 153, and the belonging VLAN determination, filtering process, and route search are performed.

  For this reason, multiple filter processes can be implemented hierarchically by defining multiple VLANs in the device as shown in Figure 6, connecting these VLANs hierarchically, and defining filter processes for each VLAN. It becomes.

A specific example is shown below using FIG.
In FIG. 7, a device management terminal 212, a terminal 213 not compatible with DHCP, and a terminal 214 compatible with DHCP are connected to the network node device 211 with fixed connection ports and addresses. VLAN 1, VLAN 2, and VLAN 3 are configured in the network node device 211. IP Source Guard is defined in VLAN 1, ARP Inspection is defined in VLAN 2, and QoS filters are defined in VLAN 3. IP Source Guard and ARP Inspection are a kind of protocol automatic linkage filter.

  FIG. 8 shows specific examples of the L2 address and L3 address of the device management terminal 212, the DHCP incompatible terminal 213, and the DHCP compatible terminal 214 in FIG.

  Fig. 9 shows a specific example of the VLAN management table in the VLAN configuration of Fig. 7. VLAN 1, VLAN 2, and VLAN 3 in this example are port VLANs that do not use the IEEE 802.1Q tag, source L2 address, and protocol for VLAN determination.

  Figure 10 shows a specific example of the filter table for VLAN 1. The first line of the filter table is an exceptional IP Source Guard filter element for the device management terminal 212 of FIG. Unlike the other ports, the device management terminal connected to the object 1a is a filter element that does not depend on the protocol because the port and the L2 and L3 addresses are completely fixed. Lines 6-8 are static filter elements related to the DHCP incompatible terminal 213 in FIG. 7, and lines 9-11 are dynamic filter elements by DHCP.

  Figure 11 shows a specific example of the filter table for VLAN 2. The first and second columns of the filter table are static filter elements of ARP Inspection relating to the non-DHCP compatible terminal 213 in FIG. 7, and the other are dynamic filter elements by DHCP.

  Figure 12 shows a specific example of the filter table for VLAN 3. This filter table shows the filter elements related to QoS.

  Fig. 13 shows a specific example of the routing table in the VLAN configuration of Fig. 7.

  Figure 14 shows a specific example of the port connection table in the VLAN configuration of Figure 7.

  Consider processing of packets transmitted from the DHCP compatible terminal 214 in FIG. 7 to the external network. This packet is input from the physical port object 1c to the network node device 211, determined as VLAN 1 by the VLAN management table in FIG. 9, and from the virtual port temporary 1b by the VLAN 1 filter table in FIG. 10 and the route table in FIG. Is output. The packet output from the temporary port 1b is input from the virtual port port 2a according to the port connection table of FIG. The packet input from the virtual port temporary 2a is determined to be VLAN 2 by the VLAN management table of FIG. 9, and is output from the virtual port temporary 2b by the VLAN 2 filter table of FIG. 11 and the route table of FIG. The packet output from the temporary port 2b is input from the virtual port temporary port 3b according to the port connection table of FIG. The packet input from the virtual port temporary 3b is determined to be VLAN 3 by the VLAN management table of FIG. 9, and is output from the physical port 3a by the VLAN 3 filter table of FIG. 12 and the route table of FIG.

  In this way, IP Source Guard, ARP Inspection, and QoS filter processing in each VLAN are set and operated independently in each VLAN. Therefore, an automatic protocol interlocking filter can be realized without being conscious of mutual interference among the filters.

FIG. VLAN management table. Filter table. Route table. Port connection table. Conceptual diagram of VLAN layering filter. The conceptual diagram of the specific example of a VLAN layering filter. Table showing specific examples of L2 and L3 addresses for each server and terminal. Specific example of VLAN management table. Example of filter table for VLAN 1. A specific example of the filter table for VLAN 2. Example of filter table for VLAN 3. Specific example of the routing table. . Specific example of port connection table.

Explanation of symbols

111 Network node equipment
121 interface
122 virtual interfaces
123, 124 packet relay device
125 backplane
126 Route controller
131, 132 physical ports
141 virtual ports
151 Folding processor
152 Wrap memory
153 port connection table
161, 162 packet relay processor
163, 164 packet relay processing memory
171 and 172 route tables
173, 174 filter table
175, 176 VLAN management table
211 Network node equipment
212DHCP server
213DHCP incompatible terminal
214DHCP compatible terminal
215 external network.

Claims (6)

  A data transfer apparatus connected to a network, comprising: an interface for transmitting and receiving data; and a transfer control processing unit for performing transfer control processing on data received from the interface, wherein the transfer control processing unit is output The data is transmitted to the interface, and when the interface receives the data from the transfer control processing unit, the data is transmitted to the transfer control processing unit again, thereby performing the transfer control processing for the data a plurality of times. A data transfer device.   2. The data transfer device according to claim 1, wherein the transfer control processing unit includes a filter processing unit that performs a filter process on data received from the interface, and performs the filter process in the transfer control process. By doing so, the above-described filter processing is performed a plurality of times.   2. The data transfer device according to claim 1, wherein the interface includes a loopback mechanism that transmits data received from the transfer control processing unit to the transfer control processing unit.   4. The data transfer device according to claim 3, wherein the interface operates as a virtual interface by operating the loopback mechanism.   5. The data transfer device according to claim 4, wherein the virtual interface includes a plurality of virtual ports that are recognized by a transfer control processing unit in the same manner as a physical port, and the data transfer device includes the plurality of virtual ports. A memory for storing connection information between virtual ports is provided, and the virtual interface transmits data received from the transfer control processing unit to one of the plurality of virtual ports. The loopback mechanism is realized by referring to the connection information between the virtual ports and receiving from other virtual ports among the plurality of virtual ports, and the transfer control processing unit A data transfer device for transmitting. 6. The data transfer apparatus according to claim 5, wherein the transfer control processing unit has a memory for holding VLAN management information in which an input port of received data is associated with a VLAN identifier of a VLAN to which the data belongs, The transfer control processing unit is determined based on the VLAN to which the received data belongs and the destination address of the received data determined by the VLAN management information among the plurality of virtual ports in the virtual interface. A data transfer apparatus for transmitting the received data to the virtual port.

Images