JP2009267987A - Station-side apparatus, pon system and home gateway device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To obtain a station-side apparatus which achieves connections between a single subscriber terminal and a plurality of Internet service providers (ISPs) while applying IEEE802.1x authentication. <P>SOLUTION: A station-side apparatus comprises: an authentication processing section 13 in which, when a subscriber terminal desires a connection to an ISP, authentication information to be used for authentication processing of the connection with the ISP is acquired from the subscriber terminal and the acquired information is used to carry out IEEE802.1x authentication, thereby determining whether or not the subscriber terminal can be connected to the ISP; a connection management section 14 which correspondingly manages management information of the subscriber terminal and the ISP in the case where it is determined that the subscriber terminal can be connected; and an L2SW11 for transferring a received MAC frame in accordance with the information managed by the connection management section 14. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention includes a station side device, a subscriber side device, and a transmission medium for connecting them, performs data transmission / reception by a MAC (Media Access Control) frame, and uses a virtual communication connection called a logical link. The present invention relates to a PON (Passive Optical Network) system.

  The Ethernet (registered trademark) PON system connects a station side device (OLT: Optical Line Terminal) and a plurality of subscriber side devices (ONU: Optional Network Unit) with an optical transmission medium, and transmits and receives data using MAC frames. The Ethernet (registered trademark) service is transparently accommodated in the PON system. The OLT is installed in the communication network operator station, and the ONU is installed in the subscriber's home or outdoors. When providing a constant Internet connection service by FTTH (Fiber To The Home) using the PON system, the ONU accommodates a plurality of subscriber terminals.

  Here, as shown in Patent Document 1 below, PPPoE (Point to Point Protocol over Ethernet (registration) defined by IETF (Internet Engineering Task Force) is used in the conventional general Internet always-on service. Trademark)) protocol is used to perform user authentication between a subscriber terminal and an ISP (Internet Service Provider). Therefore, the PPPoE header occupies a part of the payload portion of the Ethernet (registered trademark) packet, and there is a problem that the transmission efficiency is lowered by the amount corresponding to the PPPoE header. In order to solve this problem, in the relay device described in Patent Document 1 below, overhead due to the PPPoE header is obtained by applying IEEE 802.1x authentication instead of PPPoE authentication based on a method known as an authentication VLAN function. It does not occur.

Japanese Patent Laid-Open No. 2003-224577

  In recent Internet constant connection services, with the spread of IP telephone services, IP broadcast services, and the like, the form in which ISP provides HGW devices, which are terminal devices connected to the PON system, is increasing. This is due to a request to limit only the HGW apparatus provided by the ISP as a subscriber terminal connected to the PON system so that the ISP does not affect the IP telephone service provided by the ISP.

  Here, when such a form is realized in a conventional PON system that performs user authentication based on PPPoE, generally, an IEEE (Institute of Electrical and Electronics) is used to determine whether or not to permit connection of a terminal device. Authenticate with 802.1x. This method requires two authentication operations of user authentication (PPPoE user authentication) and device authentication (IEEE 802.1x authentication) in order to connect to the ISP, resulting in poor efficiency. On the other hand, as described above, when the relay device described in Patent Document 1 is used, PPPoE user authentication is not required, and only IEEE 802.1x authentication is performed.

  However, when the relay device described in Patent Document 1 is applied, in a form in which one HGW device is connected under the ONU and a plurality of subscriber terminals are connected under the ONU, a plurality of ISPs are connected from the subscriber terminal. There was a problem of being unable to connect to the network.

  Regarding a case where a function equivalent to a function of connecting from a subscriber terminal to a plurality of ISPs, which was possible when using PPPoE authentication, is realized in a system to which the relay device described in Patent Document 1 is applied. It is only mentioned that a plurality of subscriber terminals can access different ISPs by identifying a source MAC address by a relay device (advanced edge switch). There was a problem that nothing was explained about the handling of broadcast and multicast Etherframes.

  The present invention has been made in view of the above, and avoids duplication of authentication processing, a station-side device that realizes connection between a single subscriber terminal and a plurality of ISPs while applying IEEE 802.1x authentication, PON An object is to obtain a system and a home gateway device.

  In order to solve the above-described problems and achieve the object, the present invention is a station-side device of a PON system connected to an ISP, and when a subscriber terminal desires connection to the ISP, the connection is desired. The authentication information used in the connection authentication process between the subscriber terminal and the ISP is acquired from the subscriber terminal, and the IEEE 802.1x authentication is performed using the acquired information to the ISP of the subscriber terminal. Authentication processing means for determining whether or not connection is possible, and connection with management information of the subscriber terminal included in the MAC frame received when acquiring the authentication information when the authentication processing means determines that connection is possible Management means that associates and manages the ISPs that are permitted to be received, and when receiving a MAC frame, the received MAC frame is managed according to the information managed by the connection management means. Transfer means for feeding, characterized in that it comprises a.

  According to the present invention, the subscriber terminal can connect to the ISP without executing a plurality of authentication processes in the PON system.

  Hereinafter, embodiments of a station side device, a PON system, and a home gateway device according to the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

Embodiment 1 FIG.
FIG. 1 is a diagram showing a configuration example of a first embodiment of a PON system according to the present invention. The PON system includes a station side device (OLT) 1 and a plurality of subscriber side devices (ONU) 2 connected to the OLT 1 via an optical transmission medium. The OLT 1 is connected to the Internet 6 via an ISP network (ISP) 5. The ONU 2 can accommodate a plurality of subscriber terminals 4.

  The OLT 1 realizes a bridge function (frame transfer) 11 and a plurality of PON interfaces (PON I / F) 12 connected to the layer 2 switch 11 for accommodating the ONU 2. And an authentication processing unit 13 that performs authentication processing when the subscriber terminal 4 connects to the ISP 5, and a connection management unit 14 that manages connection between the subscriber terminal 4 and the ISP 5. When the OLT 1 configured as described above receives an EAP (Extensible Authentication Protocol) authentication frame defined by IEEE802.1x from the subscriber terminal 4 via the subordinate ONU 2, the subscriber identifier and ISP identifier included in the EAP (Extensible Authentication Protocol) authentication frame are received. Based on the authentication type, the IEEE 802.1x authentication corresponding to the specified authentication type is executed. Further, based on the authentication result, connection processing is performed between the MAC address of the authentication request source (the source of the EAP authentication frame) subscriber terminal 4 and the ISP side network (ISP network 5). Further, after the connection process (connection setting) is completed, the MAC frame transfer process is executed according to the contents set in the connection process.

  Next, details of authentication processing and connection processing of the subscriber terminal in the PON system of the present embodiment will be described with reference to FIG. FIG. 2 is a diagram showing an example of a communication sequence in the PON system of the present embodiment, and shows a sequence when the subscriber terminal 4 connects to the ISP 5. In this example, the sequence when subscriber terminal # 1 which is one of subscriber terminals 4 is connected to ISP # 1 which is one of ISP5, and subscriber terminal # 2 is connected to ISP # 2. The sequence in the case of doing is shown. Since each connection sequence is the same, description will be made without distinguishing them.

  As shown in FIG. 2, when connection with the ISP is started, the subscriber terminal 4 (subscriber terminals # 1 and # 2) starts authentication with the ISP (ISP # 1 and # 2) that desires connection. The EAPOL-Start frame for notifying is sent to the OLT 1. When the EAPOL-Start frame is received, in the OLT 1, the authentication processing unit 13 transmits an EAP-Request / Identity frame to the subscriber terminal 4 that is the transmission source to request authentication information.

  The subscriber terminal 4 that has received the authentication request (EAP-Request / Identity frame) returns an EAP-Response / Identity frame including a user ID that is one of authentication information of the ISP 5 that desires connection. Here, the user ID is generally described in a format such as “userA @ pro1”, etc., the part “userA” before “@” is the identification name of the user, and the part “pro1” after “@” is the provider. It represents the identification name.

  Therefore, in the OLT 1, the authentication processing unit 13 interprets the user ID included in the EAP-Response / Identity frame received from the subscriber terminal 4, so that the user (user identification name, so-called user name) and ISP (desired to be connected). ISP). Then, referring to a subscriber information table set in advance as illustrated in FIG. 3, a user ID matching process is executed using the recognized user ID and ISP, and an authentication method used in the authentication process is determined. Identify. In FIG. 2, as an example, an operation when the collation of the user ID is normally completed and EAP-MD5 is specified is shown. If the identified authentication method is EAP-MD5, the authentication processing unit 13 transmits an EAP-Request / Challenge frame to the subscriber terminal 4 and requests a password. In response to this, the subscriber terminal 4 responds (transmits) a password, which is one of authentication information, in an EAP-Response / Challenge frame. The authentication processing unit 13 examines the received password, and if the authentication information (password) is correct, that is, if it matches the password registered in the subscriber information table shown in FIG. Is registered in the transfer table to which the layer 2 switch 11 refers when transferring the MAC frame. A configuration example of this transfer table is shown in FIG. Note that the forwarding table shown in FIG. 4 is different from the normal MAC learning table so that the MAC addresses on the same physical port can be managed as different groups.

  In the OLT 1, when the authentication processing by the authentication processing unit 13 is normally completed (authentication is successful), the connection management unit 14 next analyzes the DHCP (Dynamic Host) in the ISP network identified by analyzing the user ID. The Configuration Protocol server is accessed, and the IP address used when the subscriber terminal 4 that has executed the authentication process communicates with the ISP network is acquired. Instead of performing automatic acquisition using the DHCP protocol, an IP address designated in advance from the ISP or an IP address acquired by another method may be used.

  The connection management unit 14 notifies the acquired IP address to the subscriber terminal 4, and the subscriber terminal 4 to which the IP address is notified (assigned) subsequently uses the assigned IP address. Packet communication is possible.

  Next, an operation of the OLT 1 when an IP packet is received from the Internet 6 will be described. When an IP packet (MAC frame) is received from the Internet 6 via the ISP network 5, the layer 2 switch 11 of the OLT 1 confirms the destination of the received MAC frame, and is a MAC address indicating unicast and retained. When the MAC address is present in the forwarding table (when the MAC address is registered in the forwarding table), the MAC frame is forwarded to the physical port corresponding to the MAC address. On the other hand, in the case of a MAC address not registered in the forwarding table and a MAC address indicating multicast or broadcast instead of unicast, the MAC frame is flooded to all physical ports corresponding to the ISP that has received the MAC frame.

  As described above, in the PON system of the present embodiment, the IEEE 802.1x authentication is performed for the ISP that the subscriber terminal desires to connect to, and in the OLT, for each transmission source MAC address of the subscriber terminal, the subscriber terminal IEEE802.1x authentication is executed using the authentication information (user ID, password) acquired from, and the source MAC address on the subscriber terminal side and the ISP side network are connected according to the authentication result. Thereby, the subscriber terminal connected to the ONU and the ISP can be connected without executing PPPoE user authentication. The subscriber terminal can be connected to a plurality of ISPs.

  In addition, when a multicast frame or broadcast frame is received from an ISP, it is decided to perform flooding transfer to all subscriber terminals connected to that ISP, so that multicast MAC frames and broadcast MAC frames can also be transferred. .

  In the above description, the operation when EAP-MD5 is used as the authentication method has been described. However, a method such as EAP-TLS or EAP-TTLS may be used. In addition, the OLT does not perform IEEE 802.1x authentication, but separately prepares a device (authentication device) that executes IEEE 802.1x authentication processing. The OLT transfers the IEEE 802.1x frame to the authentication device, and the above-described 802 described above. The authentication apparatus may execute the 1x authentication process. Further, the OLT may transfer an IEEE 802.1x authentication frame to an authentication server in the ISP network and execute an authentication process on the ISP side.

  Further, the transfer table shown in FIG. 4 may be extended as shown in FIG. When the forwarding table shown in FIG. 5 is adopted, the OLT confirms the destination IP address in the ARP message in the forwarding process of the ARP (Address Resolution Protocol) frame whose destination MAC address is the broadcast MAC address, and responds to it. It is possible to transfer only to a specific ONU. Thereby, it is possible to prevent an unnecessary frame from being received by a subscriber terminal unrelated to the destination IP address. The IP address may be learned when the ARP message is received, or may be learned from the response message by transmitting the ARP message itself at the end of the authentication process. Moreover, you may make it acquire with authentication information in an authentication process. Further, the OLT may transfer the ARP message to all ONUs, and the ARP message may be transferred only when the ONU confirms the IP address and needs to transfer the ARP message. Thereby, the load on the network can be reduced.

  In this embodiment, the MAC frame whose destination is a multicast MAC address is flooded. However, the MAC frame is confirmed by performing IGMP (Internet Group Management Protocol) snooping, and a necessary transfer destination is determined. It is also possible to transfer only to. For example, the layer 2 switch 11 stores which multicast group is participating in which multicast group by snooping (confirming) the contents of the IGMP report message transmitted from the subscriber terminal. Then, when a MAC frame with a multicast MAC address is received, the received MAC frame destination is changed to the MAC address of the subscriber terminal that wants to receive the MAC frame according to the stored information. Then send. Thereby, the load on the network can be reduced.

Embodiment 2. FIG.
Next, the second embodiment will be described. In the first embodiment, the case where 802.1x authentication is performed for each MAC address of a subscriber terminal has been described. In this embodiment, a modification of the first embodiment will be described.

  For example, as shown in FIG. 6, in a system in which an ONU accommodates a home gateway (HGW), an LLID (Logical Link ID) is assigned to each MAC address on the HGW side, so that the ONU and the OLT Then, it is possible to identify the MAC address on the HGW side using the LLID. When such a configuration is adopted, a frame including LLID information is transmitted and received between the OLT and the ONU. Specifically, when receiving the MAC frame from the HGW, the ONU inserts the LLID corresponding to the MAC address of the transmission source and then transfers the MAC frame to the OLT. The OLT removes the LLID from the received MAC frame, The MAC frame is transferred to the ISP associated with the LLID. Further, when the OLT receives a MAC frame from the ISP, the OLT transfers the MAC frame to the ONU after inserting the LLID corresponding to the ISP, and the ONU removes the LLID from the received MAC frame and is associated with the LLID. To the current MAC address. When the above configuration is adopted, the OLT manages the connection with the ISP using the LLID instead of the MAC address, that is, performs 802.1x authentication for each LLID. Even if it does in this way, the effect similar to Embodiment 1 is acquired.

  In addition to the functions described in the first embodiment, the OLT can be configured to have the following functions. Specifically, when an ARP frame (MAC frame indicating an ARP message) is received from the ISP 5, the layer 2 switch 11 confirms the destination IP address included therein and recognizes the MAC address corresponding to the IP address. If the ARP frame related to the IP address has been received in the past and the address resolution has been completed, the broadcast MAC address set as the destination of the received ARP frame is changed to the MAC address corresponding to the IP address. It is also possible to adopt a configuration having a function of performing unicast transfer. Thereby, it is possible to prevent the ARP frame from being transferred to a MAC address that does not need to be transmitted, and to prevent the load on the network from increasing more than necessary.

  Further, the layer 2 switch 11 snoops the IGMP report message transmitted from the subscriber terminal participating in the multicast group, and the obtained information (information indicating which subscriber terminal is participating in which multicast group) ) To convert the destination of the multicast frame from the multicast MAC address to the unicast MAC address. This can prevent the load on the network from increasing more than necessary.

  In addition, when the ARP message is received, the broadcast MAC address is replaced with the unicast MAC address and transferred, and the multicast MAC address is unicast using the information acquired by snooping the IGMP report message. It is good also as a structure which gave the function which replaces with a MAC address and transfers.

Embodiment 3 FIG.
Next, Embodiment 3 will be described. In the first embodiment, the PON system in which the ONU accommodates the subscriber terminal has been described. In the present embodiment, a PON system having a different configuration will be described.

  FIG. 7 is a diagram illustrating a configuration example of the PON system according to the third embodiment. This PON system includes a station side device (OLT) 1a and a subscriber side device (the same as the subscriber side device according to the first embodiment). ONU) 2. However, the ONU 2 accommodates not the subscriber terminal 4 but the home gateway (HGW) 3, and the HGW 3 accommodates the subscriber terminal 4.

  The OLT 1a is composed of the same components as the OLT 1 shown in the first embodiment and has an equivalent function. However, connection authentication and connection management with the ISP 5 are performed between the HGW 3 and the ISP 5. FIG. 8 is a diagram showing an example of a communication sequence in the PON system of the third embodiment, and shows a sequence when the HGW 3 acts as a proxy for the process of connecting the subscriber terminal 4 to the ISP 5. As can be seen from a comparison between the sequence shown in FIG. 8 and the sequence shown in FIG. 2, the connection sequence of the present embodiment is implemented except that the HGW 3 executes the processing executed by the subscriber terminal. This is the same as the connection sequence of form 1.

  The HGW 3 holds IEEE 802.1x authentication information with at least one connection destination ISP 5, and has one virtual interface (virtual port) to which a MAC address is individually assigned as a physical interface for connection with the ONU 2. Hold above. A function for executing IEEE 802.1x authentication with the ISP for each virtual interface, a function for setting an IP address for each virtual interface, and a process for transferring an IP packet to the ISP side. A function of transmitting a MAC frame with the MAC address assigned to the identified virtual interface as a source MAC address, a function of receiving a unicast MAC frame transmitted from the ISP side with a virtual interface with a matching MAC address, It has a function of receiving multicast MAC frames and broadcast MAC frames transmitted from the ISP side at all virtual interfaces.

  A MAC frame transfer operation by the HGW 3 will be described. When the HGW 3 receives an IP packet to be transmitted from the subscriber terminal 4 to the PON system side, the HGW 3 searches the route information based on the destination IP address, and determines where the virtual interface is to be transmitted. Note that the MAC address assigned to the virtual interface is set as the source MAC address of the MAC frame transmitted from the virtual interface. The MAC frame transmitted from the HGW 3 is transferred to the OLT 1a via the ONU 2, and is transferred to the ISP network side by the layer 2 switch 11 according to information registered in advance.

  On the other hand, a frame addressed to the unicast MAC address from the ISP network side is transferred by the layer 2 switch 11 in accordance with information registered in advance in the OLT 1a, and arrives at the HGW 3 via the ONU 2. And it is received by the virtual interface corresponding to the destination MAC address among the virtual interfaces of HGW3.

  FIG. 9 is a diagram illustrating an operation example of the HGW 3 when a MAC frame is received from the ONU 2. As shown in FIG. 9, when the HGW 3 of the present embodiment receives a MAC frame via a WAN port (physical interface), the reception distribution processing unit uses the destination MAC address (MAC DA (Destination Address)). If the destination MAC address is a unicast MAC address, the MAC frame is transferred to the virtual interface corresponding to the unicast MAC address (the process indicated by (1) in FIG. 9). If the destination MAC address is a broadcast MAC address or a multicast MAC address, the MAC frame is copied and transferred to all virtual interfaces (the process shown in (2) of FIG. 9). The MAC frame transferred to each virtual interface is transferred to the subscriber terminal via a NAT / FW unit that realizes an address conversion function, a file function, and a wall function.

  For example, when an ARP frame is transmitted from the ISP 5 side, the ARP frame is received by the OLT 1a as a broadcast frame. Then, in the OLT 1a, the layer switch 11 refers to the transfer table and transfers the frame to the ONU 2 where all the source MAC addresses connected to the ISP 5 exist. Similarly, when a multicast frame is transmitted from the ISP 5, the frame is transferred to the ONU 2 in which all the transmission source MAC addresses connected to the ISP 5 exist. The HGW 3 receives broadcast MAC frames or multicast MAC frames transmitted via the ONU 2 on all virtual interfaces and passes them to higher layers.

  Note that the IP route information in the HGW 3 when connected to multiple ISPs 5 is specified as the default route on the ISP 5 side that receives the provision of Internet services (one of which is provided with multiple ISPs). It is assumed that static route information is set on the ISP 5 side receiving the service.

  As described above, in the present embodiment, when the HGW accommodated in the ONU has a plurality of virtual interfaces, the IEEE 802.1x authentication is performed with the ISP for each virtual interface. Thereby, it is possible to connect to a plurality of ISPs with a single HGW.

The HGW may further have a function of executing the operation illustrated in FIG. That is,
(1) A function of identifying an EAP frame received from a subscriber terminal (PC), storing the source MAC address, and bridging (forwarding) to the ONU (WAN) side;
(2) If the destination MAC address of the EAP frame received from the ONU side is identified and matches the MAC address stored when the above processing (function shown in (1)) is executed, the subscriber A function to bridge to the terminal side,
(3) After identifying the ERP authentication result frame and detecting the authentication success, if the MAC frame is received from the subscriber terminal, if the source MAC address is identified and matches the stored MAC address Bridge to the ONU side, and when receiving a MAC frame from the ONU side, identify the destination MAC address and bridge to the subscriber terminal side if it matches the stored MAC address,
It is good also as a structure which has.

  With this configuration, it is possible to provide a subscriber terminal with a service equivalent to the PPPoE bridge function in the HGW that has been provided in the conventional connection service using PPPoE.

  As described above, the station-side apparatus according to the present invention is useful for a PON system, and is particularly suitable for a station-side apparatus of a PON system that provides a usage mode for connecting a single subscriber terminal to a plurality of ISPs. .

It is a figure which shows the structural example of Embodiment 1 of the PON system concerning this invention. 6 is a diagram showing an example of a communication sequence in the PON system of Embodiment 1. FIG. It is a figure which shows an example of the subscriber information table used by an authentication process. It is a figure which shows an example of the transfer table used by a transfer process. It is a figure which shows an example of the extended transfer table. 6 is a diagram illustrating a system configuration example of a second embodiment. FIG. FIG. 10 is a diagram illustrating a configuration example of a PON system according to a third embodiment. FIG. 10 is a diagram showing an example of a communication sequence in the PON system of the third embodiment. It is a figure which shows the operation example of HGW when a MAC frame is received from ONU. It is a figure for demonstrating the extended function which HGW has.

Explanation of symbols

1, 1a Station side equipment (OLT)
2 Subscriber side equipment (ONU)
3 Home gateway (HGW)
4 Subscriber terminal 5 ISP network (ISP)
6 Internet 11 Layer 2 switch (L2SW)
12 PON interface (PON I / F)
13 Authentication Processing Unit 14 Connection Management Unit

Claims (11)

A station side device of a PON system connected to an ISP,
When a subscriber terminal wishes to connect to an ISP, the authentication information used in the connection authentication process between the subscriber terminal that desires the connection and the ISP is obtained from the subscriber terminal, and the obtained information is used. Authentication processing means for determining whether or not the subscriber terminal can connect to the ISP by executing IEEE 802.1x authentication;
If the authentication processing unit determines that the connection is possible, the management information of the subscriber terminal included in the MAC frame received when the authentication information is acquired is associated with the ISP permitted to be connected and managed. Connection management means to
A transfer unit that, when receiving a MAC frame, transfers the received MAC frame according to information managed by the connection management unit;
A station-side device comprising:   The station apparatus according to claim 1, wherein the authentication information is a user ID and a password. The transfer means includes
When a broadcast MAC frame or a multicast MAC frame is received from an ISP, a process for specifying the MAC address of a subscriber terminal that desires to distribute the received MAC frame based on information stored in advance is executed, and the MAC The station apparatus according to claim 1 or 2, wherein if the address can be specified, the specified MAC address is set as a destination of the received MAC frame and transferred.   The station-side apparatus according to claim 3, wherein the information to be held is information acquired when address resolution processing is executed in the past and information acquired by executing IGMP snooping in the past. . A PON system including a subscriber side device capable of accommodating a plurality of subscriber terminals and a station side device connected to an ISP,
The subscriber side device is:
When a MAC frame is received from a subscriber terminal, an LLID corresponding to the source MAC address of the MAC frame is inserted and transferred. When a MAC frame is received from a station side device, it is included in the MAC frame. MAC frame transfer means for deleting and transferring the existing LLID,
With
The station side device
When a subscriber terminal wishes to connect to an ISP, authentication information used in a connection authentication process between the subscriber terminal that desires the connection and the ISP is acquired from the subscriber terminal via the subscriber side device. Authentication processing means for determining whether or not the subscriber terminal can connect to the ISP by performing IEEE 802.1x authentication using the acquired information;
A connection management unit that manages the LLID included in the MAC frame received when acquiring the authentication information in association with the ISP permitted to be connected when the authentication processing unit determines that the connection is possible;
When a MAC frame is received from the subscriber side device, a process of deleting an LLID included therein is executed. When a MAC frame is received from the ISP, a process of adding an LLID corresponding to the destination MAC address is performed. A transfer unit that executes and transfers the obtained MAC frame according to the information managed by the connection management unit;
A PON system comprising:   The PON system according to claim 5, wherein the authentication information is a user ID and a password. The MAC frame transfer means includes:
When a broadcast MAC frame or a multicast MAC frame is received from the station side device, a process for specifying the MAC address of the subscriber terminal that desires to distribute the received MAC frame based on information stored in advance is executed. The PON system according to claim 5 or 6, wherein when the MAC address can be specified, the specified MAC address is set as a destination of the received MAC frame and transferred.   8. The PON system according to claim 7, wherein the information to be held is information acquired when address resolution processing is executed in the past and information acquired by executing IGMP snooping in the past. In a PON system composed of a station-side device connected to an ISP and a subscriber-side device connected to the station-side device, the PON system includes one or more virtual ports assigned MAC addresses, and is connected to the virtual port. A home gateway device that performs MAC frame transfer processing between the subscriber terminal and the subscriber-side device,
Authentication information holding means for holding authentication information used in connection authentication processing when a subscriber terminal connected to the virtual port connects to an ISP;
When a subscriber terminal connected to the virtual port wishes to connect to an ISP, the authentication information held by the authentication information holding means is used to connect the subscriber terminal that wants to connect to the ISP. An authentication process executing means for executing an IEEE 802.1x authentication process with the ISP that the subscriber terminal desires to connect by transmitting an EAP frame in which the MAC address of the virtual port is set as the source MAC address;
A home gateway device comprising: When receiving a unicast MAC frame transmitted from a subscriber side device, it is received by a virtual port to which the same MAC address as the destination MAC address is assigned, and a broadcast MAC frame or multicast transmitted from the subscriber side device When receiving a MAC frame, MAC frame processing means for receiving at all virtual ports;
The home gateway apparatus according to claim 9, further comprising: The MAC frame processing means
It monitors whether or not the authentication process executed by the authentication process execution unit has been normally completed, and when the normal process is detected, obtains the MAC address of the subscriber terminal from the EAP frame used in the authentication process. Thereafter, when the destination MAC address of the MAC frame received from the subscriber side device matches the MAC address acquired from the ERP frame and stored, the received MAC frame is stored in the subscriber terminal. If the source MAC address of the MAC frame received from the subscriber terminal matches the retained MAC address, the received MAC frame is transferred to the subscriber side device. The home gateway device according to claim 10.

Images