JP2010239591A - Network system, relay device, and method of controlling network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide: a network system which protects information and prevents illegal access; a relay device; and a method of controlling a network. <P>SOLUTION: A network system 101 includes terminals 6, a DHCP server 3 for managing the IP addresses of the terminals 6 in a network 7 and for dynamically allocating and applying the IP addresses to the terminals 6 in response to a request, and a relay device 10 located between the terminals 6 and the DHCP server 3 to be connected to the network. A plurality of DHCP servers 3a, 3b having different priorities are present in the network 7. The relay device 10 determines a transmission range of a broadcast frame based on an IP address acquisition message exchanged between the terminals 6 and the DHCP servers 3a, 3b, and transmits a response of only the DHCP server 3 that has the highest priority out of the DHCP servers 3a, 3b in responding to an address application server retrieval message from the terminal 6, to the terminal 6. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a network system, a relay device, and a network control method, and more particularly to a network system, a relay device, and a network control method that simultaneously accommodate terminals having different access rights.

  In some cases, terminals having various access rights are included in the same network. For example, in an in-house LAN (Local Area Network), an employee may have access to all networks and servers, and a member who is specially authorized other than the employee may only have access to an external network.

  The access right is confirmed by a method such as confirmation and authentication in the network and the connection destination device. As a specific method for confirming the access right, (1) a method of authenticating with an ID and a password every access, (2) an IP address or MAC address (Media Access Control address) at a server, router, or switch ) And receiving only matching ones, and (3) a method of preparing a plurality of network domains for each access right.

  The above (1) is a method in which the user inputs an ID and a password each time access is made, and there is a problem in that the user is troublesome. In order to avoid the trouble of the user, it is desirable to use a method in which the network device can automatically discriminate using terminal-specific information such as confirming the IP address or MAC address after the first authentication.

  In the above (2), as an example, Patent Document 1 discloses a switching hub having a switching function of relaying and blocking. However, when managed by a switch, there is a problem that access across network domains cannot be managed. On the other hand, there is also a method of managing with a router or a server. In this case, it is necessary to individually register the IP address of the terminal, or it is necessary to individually check the IP address and registration information, and the device load and network management. The problem is that the amount of time and effort is increased.

  As described above, the method of dividing by logical address (3) above is desirable. By preparing a separate domain, it is possible to reduce the load on devices such as servers and the network management load. As a method of realizing (3), there is an address assignment system disclosed in Patent Document 2.

FIG. 25 shows the configuration of the address assignment system described in Patent Document 2.
The address assignment system includes an address assignment server 91, a router 92, terminals A-1 and A-2 belonging to a network domain 94 (domain A), and a terminal B-1 belonging to a network domain 95 (domain B) different from the network domain 94. , B-2. The terminal can be connected to the external network 93 via the router 92. The address assignment server 91 has a DHCP function 91a and a controller 91b. The DHCP function 91a holds address pools of the network domain 94 (domain A) and the network domain 95 (domain B).

The operation of the address assignment system described in Patent Document 2 will be described below.
When a terminal newly connects to the network 90 and requests an IP address, the address assignment server 91 issues an IP address of the network domain 94 (domain A), and sets the address of the default gateway of the terminal in the address assignment server 91. At this time, the terminal belongs to the network domain 94 (domain A).

  Thereafter, when the terminal transmits a packet to the external network 93, the packet is transmitted to the address assignment server 91 set as the default gateway. When the address assignment server 91 receives the packet to the external network 93, it makes an authentication request to the terminal of the transmission source. If the terminal is successfully authenticated, the address assignment server 91 issues an IP address of the network domain 95 (domain B) and sets the default gateway of the terminal in the router 92. At this time, the terminal belongs to the network domain 95 (domain B).

  That is, in order for a terminal belonging to the network domain 94 (domain A) to connect to the external network, the authentication succeeds and the IP address of the network domain 95 (domain B) is received, so that the terminal belongs to the network domain 95 (domain B). There is a need. In this way, a plurality of logical domains can be constructed within a single physical network.

  The address assignment system disclosed in Patent Document 2 described above has a problem that it cannot cope with an unauthorized terminal manually setting an IP address. This is because an unauthorized terminal can connect to an external network without authentication by manually assigning an IP address of network domain B and setting a default gateway in the router.

  In addition, when an unauthorized terminal manually sets an IP address, a broadcast frame such as an ARP (Address Resolution Protocol) from a terminal belonging to the same physical network can be seen. This is because Patent Document 2 refers only to the division of the logical domain and does not consider the division of the physical network domain. By seeing the ARP, it is possible to easily know the IP address and MAC address pair of a regular terminal belonging to the network domain B, the IP address of the router that is the default gateway, and the like.

  A technique for solving such problems is described in Patent Document 3. When receiving a request for IP address distribution from a terminal, the packet transfer apparatus described in Patent Document 3 stores the IP address and MAC address in the DHCP packet in the user management table, so that which IP address is assigned to which terminal. Recognize whether to assign. The device described in the document can block communication of a terminal that accesses a network illegally using a static IP address.

  Further, in the network system described in Patent Literature 4, when the MAC address of the terminal whose address allocation is restricted is registered in the address ratio server, the IP address is not assigned to the terminal, but the terminal is assigned the address. If registered, an IP address is assigned to the terminal. Thereby, access to the server by a predetermined terminal can be restricted. Patent Document 5 also has a similar description.

  In the IP telephone premises system described in Patent Document 6, the NAT function unit of the gateway discriminates the external telephone by the WAN side IP address, and the LAN side IP telephone by the LAN side IP address and the MAC address. Allows distribution of IP packet data.

  In the network computing system described in Patent Document 7, a virtual PC physically uses a network adapter of a host server, and acquires a local address that allows direct communication with another PC inside the LAN as an IP address. The communication with the outside uses NAT provided by the host server, and the private address assigned by the host server is used as the IP address, and the IP address of the host server is changed.

JP-A-11-55302 JP 2006-80789 A JP 2007-36374 A Japanese Patent Laid-Open No. 2003-309569 JP-A-9-214550 Japanese Patent Laying-Open No. 2005-252809 JP 2007-193429 A

  However, none of the above-described network systems has a problem that when a plurality of address assignment servers exist on the network, it cannot cope with an unauthorized terminal manually setting an IP address. Further, there is a problem in that an unauthorized terminal can sniff broadcast frames such as ARP from terminals belonging to the same physical network by manually setting an IP address.

  An object of the present invention is to provide a network system, a relay device, and a network control method for protecting information, which is the above-described problem, and solving unauthorized access prevention.

The first network system of the present invention is:
A communication terminal;
Managing an IP (Internet Protocol) address dynamically assigned to the communication terminal on the network, and assigning and assigning the IP address to the communication terminal in response to a request from the communication terminal;
A relay device arranged between the communication terminal and the address assignment server and connected to the network,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The relay device is
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
Among the plurality of address assignment servers, only the response of the address assignment server with the highest priority that returns a response to the address assignment server search message from the communication terminal is transferred to the communication terminal.

The second network system of the present invention is:
A virtual machine execution terminal;
An address assignment server connected to the virtual machine execution terminal via a network,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The virtual machine execution terminal is
Means for realizing a virtual machine execution environment which is an application of a host OS operating on the virtual machine execution terminal;
The virtual machine execution environment is:
Means provided in the relay device according to any one of claims 1 to 5,
Virtual machine bridge means for sending a packet sent from the network interface of the guest OS operating on the virtual machine execution environment to the network as it is through the network interface of the host OS;
A virtual device that is recognized as one of the address assignment servers by the means included in the relay device, manages an IP address of a network domain different from the address assignment server, and assigns the IP address according to a request and simultaneously sets a default gateway A machine address assigning means;
A virtual machine address conversion unit that performs NAT or NAPT processing on a packet sent from the network interface of the guest OS, and sends the packet to the network via the network interface of the host OS;
Means for realizing the virtual machine execution environment includes:
When the guest OS can obtain an IP address from the address assignment server, the data sent from the network interface of the guest OS is sent to the network via the virtual machine bridge means,
If the guest OS cannot obtain an IP address from the address assigning server, the virtual machine address assigning means assigns the IP address of the guest OS and converts the data sent from the network interface of the guest OS to a virtual machine address To the network via the means.

The relay device of the present invention
Network-connected to a communication terminal and an address assignment server that manages an IP address dynamically assigned to the communication terminal on the network and assigns and assigns the IP address to the communication terminal according to a request,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
Among the plurality of address assignment servers, only the response of the address assignment server with the highest priority that returns a response to the address assignment server search message from the communication terminal is transferred to the communication terminal.

The virtual machine execution terminal of the present invention is
Network connection with the address assignment server
Means for realizing a virtual machine execution environment as an application of the host OS,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The virtual machine execution environment is:
Means provided in the relay device of the present invention;
Virtual machine bridge means for sending a packet sent from the network interface of the guest OS operating on the virtual machine execution environment to the network as it is through the network interface of the host OS;
A virtual device that is recognized as one of the address assignment servers by the means included in the relay device, manages an IP address of a network domain different from the address assignment server, and assigns the IP address according to a request and simultaneously sets a default gateway A machine address assigning means;
A virtual machine address conversion unit that performs NAT or NAPT processing on a packet sent from the network interface of the guest OS, and sends the packet to the network via the network interface of the host OS;
Means for realizing the virtual machine execution environment includes:
When the guest OS can obtain an IP address from the address assignment server, the data sent from the network interface of the guest OS is sent to the network via the virtual machine bridge means,
If the guest OS cannot obtain an IP address from the address assigning server, the virtual machine address assigning means assigns the IP address of the guest OS and converts the data sent from the network interface of the guest OS to a virtual machine address To the network via the means.

The network control method of the present invention includes:
A communication terminal;
An IP address assignment server that manages an IP address dynamically assigned to a communication terminal on a network, and assigns and assigns the IP address in response to a request from the communication terminal;
Controlling a network including a relay device arranged between the communication terminal and the address assignment server and connected to the network;
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The relay device is
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
Among the plurality of address assignment servers, only the response of the address assignment server with the highest priority that returns a response to the address assignment server search message from the communication terminal is transferred to the communication terminal.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a method, an apparatus, a system, a recording medium, a computer program, etc. are also effective as an aspect of the present invention.

  The various components of the present invention do not necessarily have to be independent of each other. A plurality of components are formed as a single member, and a single component is formed of a plurality of members. It may be that a certain component is a part of another component, a part of a certain component overlaps with a part of another component, or the like.

  Moreover, although the several procedure is described in order in the control method of this invention, the order of the description does not limit the order which performs a several procedure. For this reason, when implementing the control method of this invention, the order of the several procedure can be changed in the range which does not interfere in content.

  Furthermore, the plurality of procedures of the control method of the present invention are not limited to being executed at different timings. For this reason, another procedure may occur during the execution of a certain procedure, or some or all of the execution timing of a certain procedure and the execution timing of another procedure may overlap.

  According to the present invention, a network system, a relay device, and a network control method for protecting information and solving unauthorized access prevention are provided.

It is a block diagram which shows the structure of the network system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the relay apparatus of the network system which concerns on embodiment of this invention. It is a figure which shows an example of the structure of the port management table of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus of the network system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the network system which concerns on embodiment of this invention. It is a functional block diagram which shows the structure of the relay apparatus of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus in this Embodiment. It is a functional block diagram which shows the structure of the relay apparatus of the network system which concerns on embodiment of this invention. It is a flowchart which shows an example of operation | movement of the relay apparatus of the network system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the network system in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a block diagram which shows the structure of the network system in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a block diagram which shows the structure of the network system in the Example of this invention. It is a functional block diagram which shows the structure of the address translation apparatus in the Example of this invention. It is a sequence diagram which shows operation | movement of the network system in the Example of this invention. It is a block diagram which shows the network system structure in the Example of this invention. It is a functional block diagram which shows the structure of the VM execution terminal in the Example of this invention. 10 is a block diagram illustrating a configuration of an address assignment system described in Patent Document 2. FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In all the drawings, the same reference numerals are given to the same components, and the description will be omitted as appropriate.

(First embodiment)
A first embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of a network system 100 according to an embodiment of the present invention.

  The network system 100 according to this embodiment manages an IP address dynamically assigned to a communication terminal (terminal 6) and a terminal 6 on the network 7, and assigns an IP address to the terminal 6 in response to a request from the terminal 6. An address assignment server to be assigned and provided, and a relay device 1 disposed between the terminal 6 and the address assignment server (DHCP server 3) and connected to the network. The relay device 1 includes the terminal 6 and the DHCP server 3 The transmission range of the broadcast frame is determined based on the IP address acquisition message exchanged between the two.

  Specifically, the network system 100 according to the present embodiment includes a relay device 1, a DHCP server 3, and a terminal 6 (in the figure, a plurality of terminals A, terminal B, and terminal C are shown as examples). The network 7 is configured. The relay device 1 and the DHCP server 3 are connected to a network 7. The terminal 6 is connected to the network 7 via the relay device 1.

  In the embodiment of the present invention, a TCP (Transmission Control Protocol) / IP network is assumed, and a DHCP server is assumed as an address assignment server.

  The DHCP server 3 manages IP address pools of a plurality of network domains. In the present embodiment, for example, two network domain IP address pools of “192.168.0.0/24” and “192.168.1.0/24” are managed.

For example, the following differences can be made.
(1) A terminal belonging to the former network domain (192.168.0.0/24) can access all communication devices connected to the network 7.
(2) A terminal belonging to the latter network domain (192.168.1.0/24) can access some devices connected to the network 7, but cannot access other communication devices. .

  As a method of managing the access right to the communication device, there are a method of filtering in a network domain, a method of arranging the relay device 1 between the communication device and the network 7, and the like. Although FIG. 1 shows a case where there are three terminals, the present invention can be applied to cases where there are other than three terminals.

In the following drawings, the configuration of parts not related to the essence of the present invention is omitted and is not shown.
Each component of the network system of the present invention includes an arbitrary computer CPU, memory, a program for realizing the components shown in the figure loaded in the memory, a storage unit such as a hard disk for storing the program, and a network connection It is realized by any combination of hardware and software centering on the interface. It will be understood by those skilled in the art that there are various modifications to the implementation method and apparatus. Each figure described below shows functional unit blocks, not hardware unit configurations.

FIG. 2 is a functional block diagram showing the configuration of the relay apparatus 1 of the network system 100 of the present embodiment shown in FIG.
The relay device 1 of the present embodiment stores a MAC address and network domain information for each of a plurality of ports 14a and 14b connected to a communication device (not shown) on the network 7 and the terminal 6, and the IDs of the ports 14a and 14b. The port management table 13 and the received frame message are checked to determine whether the frame is related to the IP address acquisition message. If the frame is related to the IP address acquisition message, the contents of the IP address acquisition message are displayed. In the case of a message other than an IP address acquisition message, the message monitoring unit 11 outputs the frame as it is, and the source and destination addresses of the frame input from the message monitoring unit 11 are referred to, and the port management is performed. Recorded in table 13 The AC address and network domain information to determine the transfer range of the frame on the basis, comprises a transfer unit 12 for transferring the frame in accordance with the transfer range. In the present embodiment, the exchange of the IP address acquisition message is based on DHCP.

  Specifically, the relay device 1 includes a message monitoring unit 11, a transfer unit 12, a port management table 13, a terminal side port 14 a connected to the terminal 6, and a network side port 14 b connected to the network 7. ,including.

  In the following, in the block diagram showing the apparatus configuration as shown in FIG. 2, a solid line arrow indicates a frame flow, a solid line indicates data update, and a broken line arrow indicates data reference.

  FIG. 3 is a diagram illustrating an example of the structure of the port management table 13. In the port management table 13, a MAC address, a network domain, and a DHCP state are recorded for each port ID. In the example of FIG. 3, the terminal IDs # 1 to # 4 indicate the terminal-side port 14a, and # 5 indicates the registration contents regarding the network-side port 14b.

  The port ID of the terminal-side port 14a records the MAC address, network domain, and DHCP status of the terminal 6. The DHCP state of the terminal 6 to be connected is recorded in the DHCP state. There are four types of DHCP states: “DISCOVER”, “OFFER”, “REQUEST”, and “ACK”.

  “DISCOVER” is a state in which a DHCP DISCOVER packet is transmitted from the terminal 6, “OFFER” is a state in which the terminal 6 has received a DHCP OFFER packet from the DHCP server, and “REQUEST” is a state in which the terminal 6 has transmitted a DHCP REQUEST packet. The state “ACK” represents a state in which the terminal 6 has received a DHCP ACK packet from the DHCP server.

  When the state transitions to the “ACK” state, an IP address is assigned to the terminal 6, so that the network domain is registered based on the IP address of the terminal 6. If the IP address acquisition by DHCP is not completed, the network domain is not registered. When the terminal 6 is not registered in the terminal side port 14a, or when the terminal 6 connected to the terminal side port 14a does not use DHCP, none of the MAC address, the network domain, and the DHCP state is registered. Registration and update processing in the port management table 13 is performed by the message monitoring unit 11 described later.

  The network side port 14b registers the MAC address, network domain, and DHCP status of the communication device connected to the network 7. The MAC address and network domain of the network side port 14b may be registered manually or automatically using a DHCP message or an ARP message. The DHCP state of the network to be connected is recorded in the DHCP state. There are three types of DHCP states, “DISCOVER”, “OFFER”, and “REQUEST”, which are the same as those in the terminal side port 14a. However, the MAC address and the network domain are registered regardless of the DHCP state.

Returning to FIG. 2, the message monitoring unit 11 confirms the content of the frame received via the port 14. In the case of a frame including a DHCP message, the message content is confirmed, and the MAC address, network domain, and DHCP status of the port corresponding to the port management table 13 are registered or updated based on the message content. The contents of registration or update are shown below.
(1) In the case of DHCP DISCOVER, when received from the terminal-side port 14a, the MAC address is registered in the received port ID, and the DHCP state is updated to “DISCOVER”. Also, the DHCP state of the network side port 14b is updated to “DISCOVER”. When received from the network side port 14b, the frame is discarded.
(2) In the case of DHCP OFFER, the port ID whose DHCP status is “DISCOVER” and the DHCP status of the network side port 14b that is the transmission source of DHCP OFFER are updated to “OFFER”, and the DHCP of the other network side port 14b Reset the state.
(3) In the case of DHCP REQUEST, the port ID whose DHCP state is “OFFER” is updated to “REQUEST”.
(4) In the case of DHCP ACK, for the port ID whose DHCP state is “REQUEST”, the DHCP state is updated to “ACK”, and the network domain of the assigned IP address is registered. The DHCP state of the network side port 14b is reset.

  After registration or update in the port management table 13 is completed, the message monitoring unit 11 passes the frame to the transfer unit 12. If the frame does not include a DHCP message, the frame is transferred to the transfer unit 12 as it is.

  When the frame is delivered from the message monitoring unit 11, the transfer unit 12 refers to the port management table 13 and broadcasts the frame via an appropriate port 14.

  In other words, in the present embodiment, the broadcast frame transfer range is limited to networks belonging to the same network domain as the IP address assigned to the terminal 6.

  Specifically, the transfer unit 12 compares the transmission source port of the frame with the port management table 13 and broadcasts the frame only to a port that matches the transmission source network domain described in the port management table 13. To do.

  When the transmission source of the frame is the terminal 6, when the DHCP state of the terminal side port 14a is DISCOVER or REQUEST, the transfer unit 12 broadcasts to the port of the network side port 14b whose DHCP state is DISCOVER or REQUEST. When the frame is transmitted from the DHCP server 3, if there is a terminal side port 14a whose DHCP state corresponds to OFFER or ACK, the frame is forwarded only to the corresponding terminal side port 14a. Transfer under the same conditions as the frame.

The operation of the relay apparatus 1 of the network system 100 of this embodiment configured as described above will be described.
FIG. 4 is a flowchart showing an example of the operation of the relay device 1 of the network system 100 shown in FIG. Hereinafter, description will be made with reference to FIGS.

  When the relay device 1 receives the frame, the message monitoring unit 11 confirms the contents of the frame (step S101). In the case of a DHCP message (YES in step S101), the message content is confirmed and the port management table 13 is updated (step S102). After that, the transfer unit 12 refers to the destination MAC address and the port management table 13 and transfers it to an appropriate port (step S103). If it is determined in step S101 that the message is not a DHCP message (NO in step S101), the process proceeds to step S103.

  As described above, according to the network system 100 of the present embodiment, since the transfer range of the frame transmitted from the terminal 6 is determined based on the IP address acquisition result, an IP address is assigned from the DHCP server 3. Network connection from an unauthorized terminal 6 that has not been made can be rejected. As described above, according to the network system 100 of the present embodiment, it is possible to accommodate terminals 6 having different access rights at the same time, reduce the device load and management load, and reject network connections from unauthorized terminals 6. And a highly reliable network system.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. FIG. 5 is a block diagram showing the configuration of the network system 101 of this embodiment.
This embodiment is different from the above-described embodiment in that a plurality of networks are connected to the network side port of the relay apparatus, and each network independently includes a DHCP server and belongs to an independent network domain. In the present embodiment, it is shown that the present invention can be applied to such a configuration by modifying the above embodiment.

  The network system of this embodiment manages the IP address dynamically assigned to the terminal 6 and the terminal 6 on the network 7, and assigns and assigns an IP address to the terminal 6 in response to a request from the terminal 6. A relay device 10 disposed between the terminal 3 and the DHCP server 3 and connected to the network. A plurality of DHCP servers 3 exist on the network 7, and the plurality of DHCP servers 3a and 3b include A priority is provided, and the relay apparatus 10 determines a transfer range of a broadcast frame based on an IP address acquisition message exchanged between the terminal 6 and the DHCP servers 3a and 3b, and a plurality of DHCP servers. Among the servers 3a and 3b, the DHCP server with the highest priority that returns a response to the address assignment server search message from the terminal 6 3 responses only, and transfers to the terminal 6.

  In the network system of the present embodiment, the relay device 10 includes a plurality of ports 14 connected to the terminals 6 on the network 7, a port management table 13 that stores a MAC address and network domain information for each ID of the port 14, Check the message of the received frame, determine whether the frame is related to the IP address acquisition message, and if the frame is related to the IP address acquisition message, update the contents of the IP address acquisition message in the port management table 13, If the message is not an IP address acquisition message, the MAC is recorded in the port management table 13 by referring to the message monitoring unit 11 that outputs the frame as it is, and the source and destination addresses of the frame input from the message monitoring unit 11 Address And network domain information to determine the transfer range of the frame on the basis, comprises a transfer unit 12 for transferring the frame in accordance with the transfer range.

The message monitoring unit 11 further includes a buffer 15.
When the message monitoring unit 11 receives a frame including the address assignment server search message, the message monitoring unit 11 transfers the frame to all the DHCP servers 3, and then receives a response frame from other than the DHCP server 3 having the highest priority. Checks the buffer 15,
Stored when there is no response frame in the buffer 15 or when the priority of the source DHCP server 3 of the stored response frame is lower than the priority of the source DHCP server 3 of the received response frame Discard the response frame, save the received response frame,
When the priority of the stored response frame transmission source DHCP server 3 is higher than the priority of the received response frame transmission source DHCP server 3, the received response frame is discarded, and the DHCP server with the highest priority When the response frame is received from 3, the response frame in the buffer 15 is discarded and the received response frame is transferred to the transfer means. The response frame in the buffer 15 is acquired and passed to the transfer unit 12.

The configuration and operation of the relay device 10 are the same as the configuration and operation of the relay device 1 in the above embodiment of FIG. 2 except for the message monitoring unit 11a.
Further, this embodiment may be combined with the above embodiment.

  In the present embodiment, a plurality of DHCP servers (3a, 3b) are each assigned a priority, and only the DHCP OFFER message from the DHCP server with the highest priority is transferred to the terminal 6. By associating the high priority of the DHCP server (3a, 3b) with the wide access right of the network domain assigned by the DHCP server (3a, 3b), the terminal 6 is the most permitted in the network system 101. An IP address of a network domain having a wide access right can be acquired. After obtaining the IP address, the communication range is determined according to the network domain of the IP address.

  The network system 101 in this embodiment of FIG. 5 has a configuration in which a plurality of networks are connected to the relay device in the above-described embodiment of FIG. In the present embodiment, the relay device 10 is connected to the DHCP server 3a via the network 7a. The relay device 10 is connected to the DHCP server 3b via the network 7b. The networks 7a and 7b belong to different network domains, and the DHCP servers 3a and 3b manage IP address pools of the network domains to which the networks 7a and 7b to which the networks 7a and 7b are connected respectively belong. Each network 7a, 7b has a priority. Note that FIG. 5 shows an example in which two networks 7 are connected to the relay apparatus 10, but the present invention can be applied to the case where there are three or more networks. FIG. 5 shows an example in which three terminals 6 (terminal A, terminal B, and terminal C) are connected, but the present invention can be applied to cases other than three.

  FIG. 6 is a functional block diagram showing the configuration of the relay device 10 of the network system 101 of this embodiment. The relay device 10 includes a message monitoring unit 11a in addition to the transfer unit 12, the port management table 13, and the port 14 that are the same as those of the relay device 1 of the above embodiment. The port 14 includes a terminal side port 14a connected to the terminal 6 and a network side port 14b connected to the networks 7a and 7b. In addition, the message monitoring unit 11a includes a buffer 15 that stores a DHCP OFFER frame.

The message monitoring unit 11a confirms the contents of the frame received via the port 14. In the case of a frame including a DHCP message, the message content is confirmed. When the content is DHCP OFFER, the following operation is performed.
(1) If it is the highest priority, that is, DHCP OFFER transmitted by the primary DHCP server, the message content is confirmed and the port management table 13 is updated. At this time, if a frame is stored in the buffer 15, the frame in the buffer 15 is discarded. When the update is completed, the frame is transferred to the transfer unit 12.
(2) If the DHCP OFFER is not transmitted by the primary DHCP server, the frame and the DHCP OFFER frame in the buffer 15 are compared with the priority of the transmission source DHCP server. If the priority of the transmission source DHCP server of the frame is higher, or if the frame is not stored in the buffer 15, the frame is stored. At this time, if a frame is stored in the buffer 15, the frame is stored after discarding the existing frame in the buffer 15. If the transmission source DHCP server of the frame has a lower priority, the frame is discarded.

When a frame is stored in the buffer 15, the following operation is performed.
(3) If a DHCP OFFER frame has been stored in the buffer 15 for a predetermined time or longer, the frame is acquired from the buffer 15, the message content is confirmed, and the port management table 13 is updated. When the update is completed, the frame is transferred to the transfer unit 12.

  When the message content is other than DHCP OFFER or a frame other than DHCP OFFER, the same operation as the message monitoring unit 11 of the above embodiment of FIG. 2 is performed. Further, the contents of the update of the port management table 13 are the same as those in the above embodiment of FIG.

  In the configuration as described above, a network control method in the network system 101 of the present embodiment will be described below. 7 and 8 are flowcharts illustrating an example of the operation of the relay apparatus 10 of the network system 101 illustrated in FIG.

  The network control method of the present embodiment manages a terminal 6, a DHCP server 3 that manages an IP address dynamically assigned to the terminal 6 on the network 7, and assigns and assigns an IP address in response to a request from the terminal 6. A network 7 including a relay device 10 disposed between the terminal 6 and the DHCP server 3 and connected to the network is controlled, and a plurality of DHCP servers 3 exist on the network 7 and a plurality of DHCP servers 3a, 3b Is assigned a priority, and the relay device 10 transmits a broadcast frame transfer range based on an IP address acquisition message exchanged between the terminal 6 and the DHCP servers 3a and 3b (steps S101 and S111). (Steps S112 to S116, S102), and the terminal out of the plurality of DHCP servers 3a and 3b. Only the response of the highest priority DHCP server 3 returns a response to the address assignment server search message from, and transfers to the terminal 6 (S103).

In the network control method of the present embodiment, the relay device 10 includes a plurality of ports 14 connected to the terminal 6 on the network 7, and a port management table 13 that stores a MAC address and network domain information for each ID of the port 14. Further included.
The relay apparatus 10 confirms the message of the received frame, determines whether the frame is related to the IP address acquisition message, and if the frame is related to the IP address acquisition message (YES in step S101), the content of the IP address acquisition message Is updated to the port management table 13, and then a frame is output (steps S102 to S116). If it is not an IP address acquisition message (NO in step S101), a message monitoring procedure (step S101) for outputting the frame as it is, The relay apparatus 10 refers to the frame source and destination addresses input in the message monitoring procedure, determines the frame transfer range based on the MAC address and network domain information recorded in the port management table 13, and transfers the transfer range. In Including, a transfer procedure for transferring the frame have.

Relay device 10 further includes a buffer 15.
When a frame including an address assignment server search message is received in the message monitoring procedure (step S101) (YES in step S101), the frame is transferred to all the DHCP servers 3, and then the DHCP server having the highest priority. When a response frame is received from other than 3 (NO in step S112), the buffer 15 is checked (step S114),
Stored when there is no response frame in the buffer 15 or when the priority of the source DHCP server 3 of the stored response frame is lower than the priority of the source DHCP server 3 of the received response frame The response frame received after discarding the response frame is stored (step S115),
If the priority of the stored response frame transmission source DHCP server 3 is higher than the priority of the received response frame transmission source DHCP server 3, the received response frame is discarded (step S116). When a response frame is received from the highest DHCP server (YES in step S112), the response frame in the buffer 15 is discarded (step S113), and the received response frame is shifted to the transfer procedure (step S103) (step S102). ) When a predetermined time or more has elapsed since the response frame was stored in the buffer 15 (start of FIG. 8), the response frame in the buffer 15 is acquired (step S121) and the process proceeds to the transfer procedure (step S103). (Step S102).

The operation of the relay apparatus 10 of the network system 101 of this embodiment configured as described above will be described below with reference to the drawings.
First, the operation when the port 14 receives a frame in the relay apparatus 10 in the network system 101 shown in FIG. 5 will be described. This will be described below with reference to FIGS.

  As shown in FIG. 7, first, when the relay device 10 receives a frame, the message monitoring unit 11a confirms the contents of the frame (step S101). In the case of a DHCP message (YES in step S101), the content of the message is confirmed, and it is confirmed whether it is DHCP OFFER (step S111). In the case of DHCP OFFER (YES in step S111), it is confirmed whether the transmission source is the highest priority, that is, from the primary DHCP server (step S112). If it is from the primary DHCP server (YES in step S112), the frame in the buffer 15 is discarded (step S113).

  If it is from other than the primary DHCP server (NO in step S112), the priority of the transmission source DHCP server is compared between the frame and the DHCP OFFER frame in the buffer 15 (step S114). When the priority is higher in the source DHCP server of the frame, or when the frame is not stored in the buffer 15, the frame is stored (step S115). At this time, if a frame is already stored in the buffer 15, the frame is stored after discarding the existing frame in the buffer 15. If the transmission source DHCP server of the frame has a lower priority, the frame is discarded (step S116).

  In the case of a frame other than DHCP OFFER in step S111 (NO in step S111) and after completion of step S113, the message content is confirmed and the port management table 13 is updated (step S102). If it is not a DHCP message in step S101 (NO in step S101), and after step S102 is completed, the transfer unit 12 refers to the destination MAC address and the port management table and broadcasts it to an appropriate port ( Step S103).

  Next, in the relay apparatus 10 in the network system 101 shown in FIG. 5, an operation when a predetermined time or more has elapsed since the DHCP OFFER frame was stored in the buffer 15 will be described. Hereinafter, description will be made with reference to FIGS. 5, 6, and 8.

  As shown in FIG. 8, when a predetermined time or more elapses, the message monitoring unit 11a acquires the frame from the buffer 15 (step S121), confirms the message content, and updates the port management table 13 (step S102). . After the update is completed, the transfer unit 12 refers to the destination MAC address and the port management table and broadcasts it to an appropriate port (step S103).

  As another connection form of the plurality of networks 7a and 7b, there is a form in which a tunnel interface is used in the relay device 10. For example, the network 7a is directly connected, and the network 7b is connected as a device belonging to the same network via a tunnel interface. Even in such a form, the method shown in this embodiment can be applied as it is, and thus detailed description thereof is omitted.

As described above, according to the network system 101 of this embodiment, the same effect as that of the above-described embodiment can be obtained even in the network system 101 in which a plurality of DHCP servers 3a and 3b exist.
The reason is that only the response of the DHCP server 3 with the highest priority that returns a response to the DHCP server search message from the terminal 6 among the plurality of DHCP servers 3a and 3b is transferred.

  That is, the terminal 6 is assigned an IP address from the DHCP server 3 having the highest priority that is permitted in the network system 101. By associating the high priority with the wide access right, the terminal 6 is assigned the IP address with the widest access right that is permitted by the network system 101.

(Third embodiment)
Next, a third embodiment of the present invention will be described in detail with reference to the drawings. Note that the configuration of the network system in the present embodiment is the same as that of the above-described embodiment of FIGS. This embodiment is different from the above embodiment in the operation of a message monitoring unit (not shown). The other configurations and operations of the relay device are the same as the configurations and operations in the case of combining the above embodiment and the above embodiment. Further, this embodiment may be combined with the above embodiment.

  In the network system of this embodiment, when the message monitoring unit 11 further receives a frame including the address assignment server search message, the message monitoring unit 11 transmits the frame to the DHCP server 3 having the highest priority, waits for a certain time, and within a certain time When the response frame is received, the response frame is transferred to the transfer unit 12. If the response frame is not received within a predetermined time, the frame is transmitted to the DHCP server 3 having the next highest priority, waits for a predetermined time, and within a predetermined time. The operation is sequentially repeated until a response frame is received or there is no corresponding DHCP server 3.

  Specifically, this embodiment is characterized by the following points. That is, first, the DHCP DISCOVER message is transmitted to the DHCP server having the highest priority. If no DHCP OFFER message is returned within a predetermined time, a DHCP DISCOVER message is transmitted to the DHCP server having the next highest priority. Then, this operation is sequentially repeated until a DHCP OFFER message is returned or there is no corresponding DHCP server.

  By associating the high priority of the DHCP server with the wide access right of the network domain assigned by the DHCP server, the terminal acquires the IP address of the network domain with the widest access right, which is permitted in the network system. be able to. After obtaining the IP address, the communication range is determined according to the network domain of the IP address.

  In the present embodiment, the message monitoring unit confirms the content of the received frame. In the case of a frame including a DHCP message, the message monitoring unit confirms the message content. If the content is DHCP DISCOVER, the message monitoring unit updates the port management table 13 to broadcast the frame to the network having the highest priority, that is, the primary DHCP server, and passes the frame to the transfer unit 12. . At this time, the message monitoring unit copies the frame and stores it in the buffer 15.

  Thereafter, when the DHCP OFFER is received, the message monitoring unit discards the frame in the buffer 15 and passes the received frame to the transfer unit 12.

  If the DHCP OFFER is not received for a certain period of time, the message monitoring unit updates the port management table 13 so as to broadcast the DHCP DISCOVER to the network having the next highest priority, that is, the secondary DHCP server, and the buffer 15 Is copied to the transfer unit 12.

  The message monitoring unit sequentially repeats the above operation until a DHCP OFFER is received or there is no corresponding DHCP server.

  When the message content is other than DHCP DISCOVER and DHCP OFFER, and when it is a frame other than DHCP, the same operation as the message monitoring units 11 and 11a in the above embodiment is performed. When the message content is other than DHCP DISCOVER, the update content of the port management table 13 is the same as in the above embodiment.

  A network control method in the network system of the present embodiment having the above configuration will be described below. FIG. 9 and FIG. 10 are flowcharts showing an example of the operation of the relay device in this embodiment. FIG. 9 shows an operation when a frame is received by the relay apparatus, and FIG. 10 shows an operation when a frame is stored in the buffer 15. When a frame is stored in the buffer 15, the operation shown in FIG. 9 and the operation shown in FIG. 10 are performed in parallel. Hereinafter, description will be made with reference to FIGS. 5, 6, 9, and 10.

  In the network control method of the present embodiment, when the message monitoring procedure (step S101) further receives a frame including the address assignment server search message (YES in step S101), the message monitoring procedure (step S101) sends the frame to the address assignment server with the highest priority. Transmit and wait for a certain time (step S141), if a response frame is received within a certain time (NO in step S142), transition to a transfer procedure, and if no response frame is received within a certain time (YES in step S142), Next, the frame is transmitted to the address assignment server with the highest priority (steps S143 to S145, S103), waits for a certain time (step S141), and receives a response frame within the certain time (NO in step S142) Corresponding address There is no grant server (step S 43 of not) repeat the sequential operation to.

The operation of the relay device of the network system of this embodiment configured as described above will be described.
First, the operation when a frame is received by the relay apparatus will be described with reference to FIG. When the relay device in the present embodiment receives the frame, the message monitoring unit confirms the contents of the frame (step S101). In the case of a DHCP message (YES in step S101), it is subsequently confirmed whether the message is DHCP DISCOVER (step S131).

  In the case of DHCP DISCOVER (YES in step S131), the DHCP state in the port management table 13 is updated to “DISCOVER” only for the port where the primary DHCP server exists among the corresponding terminal side port 14a and network side port 14b. (Step S132). Subsequently, the frame is copied and stored in the buffer 15 (step S133).

  If it is a frame other than DHCP DISCOVER in step S131 (NO in step S131), it is subsequently confirmed whether it is DHCP OFFER (step S134). In the case of DHCP OFFER (YES in step S134), the frame in the buffer is discarded (step S135).

  When it is a frame other than DHCP OFFER in step S134 (NO in step S134) and when step S135 is completed, the contents of the DHCP message are confirmed, and the port management table 13 is updated (step S102). If it is not a DHCP message in step S101 (NO in step S101), and after completion of steps S133 and S102, the transfer unit 12 refers to the destination MAC address and the port management table, and designates the frame as an appropriate port. (Step S103).

  Next, the operation when the DHCP DISCOVER frame is stored in the buffer 15 in the relay apparatus will be described with reference to FIG. After the DHCP DISCOVER message is stored in the buffer 15, it waits for a predetermined time (step S141). After a certain time elapses, it is confirmed whether the frame remains stored in the buffer 15 (step S142). If not saved (NO in step S142), it is considered that the DHCP OFFER has arrived within a predetermined time and the frame in the buffer 15 has been discarded, and the operation is terminated. If it is stored (YES in step S142), it is considered that DHCP OFFER has not arrived, and processing for transmitting DHCP DISCOVER to the DHCP server having the next highest priority is performed.

  That is, first, it is confirmed whether there is a DHCP server with the next highest priority (step S143). If it does not exist ("No" in step S143), the frame in the buffer 15 is discarded and the operation is terminated (step S146). If it exists ("Yes" in step S143), only the port where the DHCP server exists in the network side port 14b is updated so that the DHCP state in the port management table 13 becomes "DISCOVER" (step S144). After the update, the frame in the buffer 15 is copied and acquired (step S145). At this point, the frame remains stored in the buffer 15.

  The acquired frame is transferred to the transfer unit 12. The transfer unit 12 refers to the port management table 13 and broadcasts the frame to an appropriate port (step S103). Thereafter, the process returns to step S141, and the above-described operation is repeated.

  As another connection form of the plurality of networks 7a and 7b, there is a form in which a tunnel interface is used in the relay device. For example, the network 7a is directly connected, and the network 7b is connected as a device belonging to the same network via a tunnel interface. Even in such a form, the method shown in this embodiment can be applied as it is, and thus detailed description thereof is omitted.

  As described above, according to the network system of the present embodiment, it is possible to realize a network system that can simultaneously accommodate terminals having different access rights, and that can prevent broadcast frames from being seen by unauthorized terminals. Play. This is because the transfer range of the frame transmitted from the terminal is determined based on the result of IP address acquisition. That is, a broadcast frame from another terminal does not reach an unauthorized terminal that is not assigned an IP address from the address assignment server.

(Fourth embodiment)
Next, a fourth embodiment of the present invention will be described in detail with reference to the drawings. FIG. 11 is a functional block diagram showing the configuration of the relay device 19 in the network system of this embodiment.

  In the network system of the present embodiment, the relay device refers to the destination address of the received frame, passes the frame to the message monitoring unit 11 if it is a broadcast address, and outputs the frame if it is not broadcast. A header monitoring unit 16 and a switch unit 17 that refers to the destination address of the frame received from the header monitoring unit 16 and transfers the frame based on the MAC address recorded in the port management table 13 are further provided.

  In this embodiment, it shows that the operation load of the relay apparatus in each embodiment can be reduced by adding a function to the said embodiment. Specifically, the monitoring target in the message monitoring unit is only a broadcast frame, and other frames are processed by the same operation as a normal switching hub. This is because even in one-to-one unicast communication, ARP transmitted in a broadcast frame is essential for obtaining a destination MAC address. That is, if only the broadcast frame is monitored, the transfer range of all communications can be limited, and the same effect as the above embodiment can be obtained.

  In the following description, the above embodiment of FIG. 2 will be described as a reference, but other embodiments can be realized by the same method.

  As shown in FIG. 11, the relay device 19 of this embodiment further includes a header monitoring unit 16 and a switch unit 17 in addition to the configuration of the relay device 1 of the above-described embodiment of FIG. 2. .

  The header monitoring unit 16 confirms all frames received by the port 14. The header monitoring unit 16 passes the frame to the message monitoring unit 11 in the case of a broadcast frame, and passes the frame to the switch unit 17 in other cases.

  The switch unit 17 performs the same operation as that of the switching hub. When the frame is passed from the header monitoring unit 16, the switch unit 17 refers to the MAC address described in the port management table 13 and the destination MAC address of the frame, and transmits the frame via an appropriate port 14. Forward the frame.

  In the configuration as described above, a network control method in the network system 101 of the present embodiment will be described below. FIG. 12 is a flowchart showing an example of the operation of the relay device 19 of the present embodiment shown in FIG. Hereinafter, a description will be given with reference to FIGS. 11 and 12.

  In the network control method of the present embodiment, the relay device 19 refers to the destination address of the received frame and switches the frame based on the MAC address recorded in the port management table 13, and the relay device 19 A header monitoring procedure that refers to the destination address of the received frame, transitions to a message monitoring procedure if it is a broadcast address, and transitions to a switching procedure if it is not broadcast.

The operation of the relay device 19 of the present embodiment configured as described above will be described below with reference to the drawings.
First, when the relay device 19 receives the frame, the header monitoring unit 16 confirms the destination MAC address (step S104). If the destination MAC address is not broadcast (NO in step S104), the switch unit 17 transfers the frame via an appropriate port according to the destination MAC address (step S105). If the destination MAC address is broadcast in step S101 (YES in step S104), the message monitoring unit 11 confirms the contents of the frame (step S101).

  As a result, in the case of a DHCP message (YES in step S101), the message content is confirmed and the port management table 13 is updated (step S102). Thereafter, the transfer unit 12 refers to the destination MAC address and the port management table, and broadcasts to an appropriate port (step S103). If it is determined in step S101 that the message is not a DHCP message (NO in step S101), the process proceeds to step S103.

  As described above, according to the network system of this embodiment, the same effect as that of the above embodiment can be obtained, and the operation load of the relay device can be reduced without checking the message contents of all received frames. it can.

  Next, embodiments of the present invention will be described in detail with reference to the drawings. Note that the drawings and specific numerical values shown in the embodiments of the present invention should not be used for the interpretation of the present invention.

Example 1
In the present embodiment, the operation will be described using a specific example of the network system according to the embodiment shown in FIGS.

  FIG. 13 is a block diagram showing the configuration of the network system 110 in this embodiment. The network system 110 in this embodiment includes the relay device 20, the router 50, the DHCP server 30, the shared server 40, the Internet 75, the terminal 60, and the network 70. Relay device 20, router 50, DHCP server 30, and shared server 40 are connected to each other via network 70. The terminal 60 can be connected to the network 70 via the relay device 20. The network 70 can be connected to the Internet 75 via the router 50.

  The relay apparatus 20 in the present example has the same configuration as the relay apparatus 1 in the embodiment of FIG. Hereinafter, a description will be given with reference to FIGS. 2 and 13.

  In the network 70, there are two network domains of “AAAA0 / 24” and “BBBB0 / 24”. Hereinafter, the former network domain is referred to as domain A, and the latter network domain is referred to as domain B. The DHCP server 30 has a domain A address from “AAAA101” to “AAAA150” and “BBBB101” to “BBBB150”. Domain B addresses up to

  The router 50 and the DHCP server 30 have both domain A and domain B IP addresses. On the other hand, the shared server 40 has an IP address only for the domain A. That is, the terminal 60 can access the router 50 regardless of the domain A and the domain B. On the other hand, the shared server 40 can accept only the access from the terminal 60 belonging to the domain A and can exclude the access from the terminal 60 belonging to the domain B. That is, the terminals 60 having different access rights can be accommodated simultaneously due to the difference in the network domain.

  On the other hand, three terminals 60 (terminal A, terminal B, and terminal C) are connected to the relay device 20. Terminal B is assigned an IP address of domain B, and terminal C is assigned an IP address of domain A from DHCP server 30. When an IP address is assigned from the DHCP server 30, the MAC address, network domain, and DHCP status are described in the port management table 13 of the relay device 20. The terminal B belongs to the domain B, the terminal C belongs to the domain A, and the DHCP status is “ACK” because the address distribution by DHCP is completed.

  At this time, the DHCP state of the terminal A in the port management table 13 of the relay device 20 is “DISCOVER”. That is, terminal A is in a state where it sends out a DHCP DISCOVER packet and waits for a DHCP OFFER packet. Since address distribution by DHCP has not been completed, the network domain of terminal A in the port management table is blank.

The operation of the network system 110 of this embodiment configured as described above will be described below.
FIG. 14 is a sequence diagram showing the operation of the IP address acquisition sequence by DHCP of the network system 110 in this embodiment of FIG. Hereinafter, the sequence in which the terminal A obtains the IP address will be described in detail with reference to FIGS. 2, 13, and 14.

  Terminal A sends out DHCP DISCOVER (sequence 1001). When the relay device 20 receives the frame, it is a DHCP message. Therefore, the relay device 20 registers the MAC address M60a of the terminal A in the port management table 13 (sequence 1002), and sets the DHCP status of the corresponding terminal side port 14a and network side port 14b. After updating to “DISCOVER”, it is broadcast to the network side port 14b (sequence 1003). At this point, the port management table 13 is in the state shown in FIG.

  When receiving the frame, the DHCP server 30 selects an IP address from the address pool according to a predetermined policy, and transmits it as DHCP OFFER (sequence 1004). The policy is determined based on the MAC address. That is, if the MAC address of the terminal A is registered in the DHCP server 30, an IP address is selected from the domain A address pool with strong access right, and if not registered, the IP address is selected from the domain B address pool with weak access right. There is a method.

  When the relay device 20 receives the frame, it is a DHCP message. Therefore, the DHCP state of the port management table 13 is “DISCOVER”, and the DHCP state of the terminal A is updated to “OFFER” (sequence 1005). Transfer to port A (sequence 1006). At this time, the DHCP state of the network side port 14b that is the transmission source of DHCP OFFER is updated to “OFFER”, and the DHCP state of the other network side port 14b is reset.

  When the terminal A receives the frame, the terminal A selects one from the IP addresses indicated in the message, and transmits a DHCP REQUEST (sequence 1007). When receiving the frame, the relay device 20 updates the DHCP status of the port whose DHCP status in the port management table 13 is “OFFER” from “OFFER” to “REQUEST” because it is a DHCP message (sequence 1008). After the update, it is broadcast to the network side port 14b (sequence 1009).

  When the DHCP server 30 receives the frame, if the IP address requested by the terminal A is available, the DHCP server 30 transmits a DHCP ACK including the IP address (sequence 1010). When the relay device 20 receives the frame, it is a DHCP message, so the DHCP status of the port management table 13 is “REQUEST”, and the DHCP status of terminal A is updated from “REQUEST” to “ACK”, and the assigned IP Based on the address, the network domain of the corresponding terminal-side port 14a is registered in the port management table 13. Further, the DHCP state of the network side port 14b is reset (sequence 1011). After registration and update, the transfer unit 12 transfers the frame to the terminal-side port 14a of the registered network domain (sequence 1012).

When the terminal A receives the frame, the terminal A sets an IP address and a network based on the received information.
In the case of a broadcast frame other than a DHCP message, the transfer range is determined based on the network domain.

  As described above, the relay device 20 can register and update the port management table 13 based on the received frame. Then, since the frame is broadcast only to the port 14 that matches the transmission source network domain described in the port management table 13, the frame can be transmitted via an appropriate one of the ports 14. .

(Example 2)
In this example, the operation will be described using a specific example of the network system according to the embodiment shown in FIGS.
FIG. 15 is a diagram illustrating a configuration of the network system 112 in the present embodiment.
This embodiment is different from the above embodiment of FIG. 13 in that a plurality of networks are connected.

  In this embodiment, the relay device 22 is connected to the router 50a, the DHCP server 32a, and the shared server 42a via the network 72a. The relay device 22 is connected to the router 52b and the DHCP server 32b via the network 72b. The terminal 60 can be connected to the networks 72 a and 72 b via the relay device 22. The networks 72a and 72b can be connected to the Internet 75 via the routers 52a and 52b.

  The networks 72a and 72b belong to the domain A and the domain B, respectively, and the DHCP servers 32a and 32b also manage the IP address pools of the domain A and the domain B, respectively. The DHCP server 32a is a primary DHCP server, and the DHCP server 32b is a secondary DHCP server. Only the domain A is provided with the shared server 42a, and the IP address of the domain A can be acquired only by the terminal 6 registered in the DHCP server 32a. On the other hand, the IP address of domain B can be obtained regardless of whether or not it is registered by inquiring to the DHCP server 32b. That is, terminals 6 having different access rights can be accommodated at the same time depending on the network to be connected.

The relay device 22 in the present example has the same configuration as the relay device 10 of the above embodiment in FIG.
The operation of the network system 112 of this embodiment configured as described above will be described below.
FIGS. 16 and 17 are sequence diagrams illustrating an IP address acquisition operation by DHCP of the network system 112 in this embodiment. FIG. 16 shows a case where the terminal A can acquire the IP address of the domain A, and FIG. 17 shows a case where the terminal A cannot acquire the IP address of the domain A.

  First, the sequence in which the terminal A acquires the IP address of the domain A will be described in detail with reference to FIGS. 6, 15, and 16. FIG.

  First, terminal A sends out DHCP DISCOVER (sequence 1101). When the relay device 22 receives the frame, it is a DHCP message, so the MAC address M60a of the terminal A is registered in the port management table 13 (sequence 1102), and the DHCP of the corresponding terminal side port 14a and all the network side ports 14b are registered. The state is updated to “DISCOVER” and then broadcast to the network side port 14b (sequence 1103). At this time, since “DISCOVER” is registered in both the networks 72a and 72b, it is broadcast to both.

  When receiving the frame, the DHCP server 32b selects an IP address from the address pool and transmits it as DHCP OFFER (sequence 1104). When the relay device 22 receives the frame, the relay device 22 checks the transmission source DHCP server because it is a DHCP OFFER message. Since the DHCP server 32b that is the transmission source is a secondary DHCP server, the relay device 22 temporarily stores the frame in the buffer 15 (sequence 1105).

  On the other hand, when receiving the frame, the DHCP server 32a selects the IP address from the address pool and transmits it as DHCP OFFER (sequence 1106) because the transmission source terminal A is registered. When the relay device 22 receives the frame, the relay device 22 checks the transmission source DHCP server because it is a DHCP OFFER message. Since the DHCP server 32a that is the transmission source is the primary DHCP server, the relay device 22 discards the frame stored in the buffer 15 (sequence 1107). Subsequently, the relay device 22 updates the DHCP state of the terminal A and the network 72a to “OFFER” (sequence 1108) in which the DHCP state of the port management table 13 is “DISCOVER”, and the received frame is transmitted to the terminal A. (Sequence 1109). At this time, the DHCP state of the network 72b is reset.

  The operations of sequences 1110 to 1105 described below are the same as the operations of sequences 1007 to 1012 in the embodiment of FIG. That is, when terminal A receives the frame, it selects one from the IP addresses indicated in the message, and sends out DHCP REQUEST (sequence 1110). When receiving the frame, the relay device 22 updates the DHCP status of the port whose DHCP status in the port management table 13 is “OFFER” from “OFFER” to “REQUEST” because it is a DHCP message (sequence 1111). After the update, it is broadcast to the network side port 14b (sequence 1112).

  At this time, since the network side port 14b in which “REQUEST” is registered is only on the network 72a side, it is broadcast only to the network 72a. When the DHCP server 32a receives the frame, if the IP address requested by the terminal A is available, the DHCP server 32a transmits a DHCP ACK including the IP address (sequence 1113). When the relay device 22 receives the frame, it is a DHCP message, so the DHCP status of the port management table 13 is “REQUEST”, and the DHCP status of the terminal A is updated from “REQUEST” to “ACK”, and the assigned IP address Then, the network domain of the corresponding terminal side port 14a is registered in the port management table 13. (Sequence 1114). After registration and update, the transfer unit 12 transfers the frame to the terminal-side port 14a of the registered network domain (sequence 1115).

  When the terminal A receives the frame (DHCP ACK), the terminal A sets an IP address and a network based on the information.

  Next, with reference to FIG. 17, a sequence for acquiring the IP address of domain B as a result of terminal A not being able to acquire the IP address of domain A will be described in detail. Note that sequences 1101 to 1105 are the same as the sequence in FIG.

  Even if the DHCP server 32a receives the DHCP DISCOVER, the terminal A is not registered and therefore does not transmit the DHCP OFFER. Therefore, after a predetermined time has elapsed from the sequence 1105, the relay device 22 extracts the DHCP OFFER frame from the DHCP server 32b stored in the buffer 15 (sequence 1121), and refers to the message. Subsequently, the DHCP status of the port management table 13 is “DISCOVER”, and the DHCP status of the terminal A and the network 72b is updated from “DISCOVER” to “OFFER” (sequence 1122). The data is transferred to the terminal side port 14a (sequence 1123). At this time, the DHCP state of the network 72a is reset.

  The operations of sequences 1124 to 1129 are the same as the operations of sequences 1007 to 1012 in FIG. 15 and sequences 1110 to 1115 in FIG. That is, when the terminal A receives the frame, it selects one from the IP addresses indicated in the message and sends out a DHCP REQUEST (sequence 1124). When the relay device 22 receives the frame, it is a DHCP message, so the DHCP status of the port whose DHCP status in the port management table 13 is “OFFER” is updated from “OFFER” to “REQUEST” (sequence 1125). After the update, it is broadcast to the network side port 14b (sequence 1126).

  At this time, since the network side port 14b in which “REQUEST” is registered is only on the network 72b side, it is broadcast only to the network 72b. When the DHCP server 32b receives the frame, if the IP address requested by the terminal A is available, the DHCP server 32b transmits a DHCP ACK including the IP address (sequence 1127). When the relay device 22 receives the frame, it is a DHCP message, so the DHCP status of the port management table 13 is “REQUEST”, and the DHCP status of the terminal A is updated from “REQUEST” to “ACK”, and the assigned IP address Then, the network domain of the corresponding terminal side port 14a is registered in the port management table 13. (Sequence 1128). After registration and update, the transfer unit 12 transfers the frame to the terminal-side port 14a of the registered network domain (sequence 1129).

  When the terminal A receives the frame (DHCP ACK), the terminal A sets an IP address and a network based on the information.

Example 3
In this example, the operation will be described using a specific example of the network system shown in the embodiment shown in FIG. 5, FIG. 6, FIG. 9, and FIG.
The configuration of the network system 112 in this embodiment is the same as that of the network system 112 in the above embodiment of FIG. The relay device 22 in this example has the same configuration as the relay device 22 in the above embodiment of FIG. 15, but the operation of the relay device 22 is different from this example and the above example of FIG.

Hereinafter, the operation of the network system 112 of this embodiment will be described.
FIG. 18 and FIG. 19 are sequence diagrams showing the IP address acquisition operation by DHCP of the network system 112 in this embodiment. FIG. 18 shows a case where the terminal A can obtain the IP address of the domain A, and FIG. 19 shows a case where the terminal A cannot obtain the IP address of the domain A.

First, the sequence in which terminal A obtains the IP address of domain A will be described in detail with reference to FIGS. 6, 15, and 18.
First, terminal A sends out DHCP DISCOVER (sequence 1201). When the relay device 22 receives the frame, it is a DHCP DISCOVER message, so the MAC address M60a of the terminal A is registered in the port management table 13 (sequence 1202), and the corresponding terminal side port 14a and all the network side ports 14b are registered. The DHCP state is updated to “DISCOVER” and then broadcasted only to the network 72a where the primary DHCP server exists (sequence 1203).

  When receiving the frame, the DHCP server 32a selects the IP address from the address pool and transmits it as DHCP OFFER (sequence 1204) because the transmission source terminal A is registered. When the relay device 22 receives the frame, it is a DHCP message, so the DHCP status of the port management table 13 is “DISCOVER”, and the DHCP status of the terminal A and the network 72a is updated from “DISCOVER” to “OFFER” ( Then, the received frame is transferred to the port of terminal A (sequence 1206). At this time, the DHCP state of the network 72b is reset.

The operations of the sequences 1207 to 1212 in FIG. 18 are the same as the operations of the sequences 1110 to 1115 in the embodiment of FIG.
That is, when terminal A receives the frame (DHCP ACK) (sequence 1212), it performs IP address and network setting based on the information.

  Next, with reference to FIG. 19, the sequence in which the terminal A acquires the IP address of the domain B as a result of not being able to acquire the IP address of the domain A will be described in detail. Note that sequences 1201 to 1203 are the same as the sequence of FIG.

  Even if the DHCP server 32a receives the DHCP DISCOVER, the terminal A is not registered and therefore does not transmit the DHCP OFFER. Therefore, after a predetermined time has elapsed from the sequence 1203, the relay device 22 broadcasts DHCP DISCOVER to the network 72b in which the secondary DHCP server exists (sequence 1221).

  When receiving the frame, the DHCP server 32b selects an IP address from the address pool and transmits it as DHCP OFFER (sequence 1222). When the relay device 22 receives the frame, it is a DHCP message, so the DHCP status of the port management table 13 is “DISCOVER”, and the DHCP status of the terminal A and the network 72b is updated from “DISCOVER” to “OFFER” (sequence) 1223) and the received frame is transferred to the port of terminal A (sequence 1224). At this time, the DHCP state of the network 72a is reset.

The operations of sequences 1225 to 1230 are the same as the operations of sequences 1207 to 1212 in FIG.
That is, when terminal A receives the frame (DHCP ACK) (sequence 1230), it performs IP address and network setting based on the information.

Example 4
In the present embodiment, the configuration and operation will be described by taking as an example a configuration using an address translation device that is an extension of the relay device of the present embodiment.
FIG. 20 is a block diagram showing the configuration of the network system 114 in the present embodiment.

  The address translation device 24 shown in the present embodiment further includes an address translation function in addition to the functions of the relay device of the above-described embodiment, and is connected to the terminal side ports 14e, 14f, and 14g of the address translation device 24. Can be assigned an IP address. The advantage of using the address translation device 24 shown in the present embodiment is that the object of the present invention can be achieved and the network system 114 operated in a single network domain can be easily introduced.

  The network system 114 in this embodiment includes an address translation device 24, a router 54, a DHCP server 34, a shared server 44, the Internet 75, a terminal 60, and a network 74. The address translation device 24, the router 54, the DHCP server 34, and the shared server 44 are connected via a network 74. The terminal 60 can be connected to the network 74 via the address translation device 24. The network 74 can be connected to the Internet 75 via the router 54.

  The network 74 belongs to the domain A. The network 74 side interface of the address translation device 24, the router 54, the DHCP server 34, and the shared server 44 have an IP address of the domain A, and the DHCP server 34 manages the address pool of the domain A.

FIG. 21 is a functional block diagram showing the configuration of the address translation device 24 in this embodiment.
In the network system 114 of this embodiment, the relay device is recognized as one of the address assignment servers (DHCP server 34) from the message monitoring unit, the transfer unit, and the port management table, and has an IP address in a network domain different from the DHCP server 34. And assigning an IP address in response to a request and simultaneously setting a default gateway in the address conversion unit 124, a terminal 60 to which the address assignment unit 126 has assigned a network address, and a device connected to the network 74 And a switch unit 122 ("switch" in the figure) for transferring a frame based on the destination MAC address of the received frame.

  Specifically, the address translation device 24 includes a relay device unit 120, a port 14, an address translation unit 124, an address assignment unit 126, and a switch unit 122.

  The port 14 includes terminal-side ports 14e, 14f, and 14g, and a network-side port 14h. The network side port of the relay device unit 120 is connected to the address conversion unit 124 and the switch unit 122. The address conversion unit 124 has two interfaces on the WAN side and the LAN side. The LAN side interface is connected to the relay device unit 120, and the WAN side interface is connected to the network 74 via the switch unit 122 and the network side port 14h. The IP address of the network 74 side interface of the address translation device 24 is functionally assigned to the WAN side interface of the address translation unit 124.

  The relay device unit 120 has the same configuration as the relay device 10 in the above-described embodiment shown in FIG. 6 and performs the same operation. Hereinafter, the relay device unit 120 will be described as performing the operation of the relay device 10 according to the above-described embodiment illustrated in FIGS. 7 and 8, but the relay device 10 according to the above-described embodiment illustrated in FIGS. 9 and 10. Even if the operation is performed, the same can be realized.

  The address translation unit 124 performs NAT (Network Address Translation) operation or NAPT (Network Address and Port Translation) operation. Details of the NAT operation and the NAPT operation are well known to those skilled in the art, and a description thereof will be omitted. In the following description, it is assumed that the address conversion unit 124 performs a NAPT operation.

  The address assigning unit 126 has a DHCP function and manages the domain B address pool. Functionally, an IP address of domain B is assigned to the LAN side interface of the address conversion unit 124 and is set as a default gateway of a terminal to which domain B is assigned. Similarly, the address assigning unit 126 is assigned an IP address of domain B.

The operation of the network system 114 of this embodiment configured as described above will be described below.
FIG. 22 is a sequence diagram illustrating an example of an IP address acquisition operation of the network system 114 according to this embodiment.

The IP address acquisition sequence in the network system 114 shown in FIG. 22 is the same as the IP address acquisition sequence in the network system 114 of the above-described embodiment shown in FIGS. That is, the primary DHCP server 32a in the above embodiment of FIG. 15 corresponds to the DHCP server 34 in this embodiment, and the secondary DHCP server 32b in the above embodiment of FIG. 15 corresponds to the address conversion unit 124 in this embodiment.
That is, in the address translation device 24 of the present embodiment, the priority of the address assigning unit 126 is set to the lowest.

This will be described below with reference to FIGS.
As shown in FIG. 22, terminal B has acquired the IP address of domain B, and terminal C has acquired the IP address of domain A. The shared server 44 is assigned an IP address of domain A. Further, in the address translation unit 124 in the address translation device 24, an IP address of domain B is assigned to the LAN side interface, and an IP address of domain A is assigned to the WAN side interface.

  As shown in FIG. 22, when a frame addressed to the shared server 44 is sent from the terminal C (sequence 1301), the destination MAC address is the MAC address M40 of the shared server 44 (sequence 1321). The frame is received by the relay device unit 120 of the address translation device 24. The relay device unit 120 of the address translation device 24 refers to the destination MAC address and transfers the frame to the network 74 via the switch unit 122 (sequence 1302). The frame is received by the shared server 44 on the network 74.

  On the other hand, when the frame addressed to the shared server 44 is transmitted from the terminal B (sequence 1311), since the terminal B belongs to a different network domain from the shared server 44, the destination MAC address is the MAC address L_NT of the address conversion unit 124 that is the default gateway. (Sequence 1322). The frame is received by the relay device unit 120 of the address translation device 24. The relay device unit 120 of the address translation device 24 refers to the destination MAC address and transfers the frame to the address translation unit 124 (sequence 1312).

  The address conversion unit 124 performs a NAPT operation to convert the IP address of the source domain B into the IP address of the domain A of the WAN side interface of the address conversion unit 124 (sequence 1323). Then, the frame is transmitted to the network 74 via the switch unit 122 (sequence 1313). The frame is received by the shared server 44 on the network 74.

  As shown in FIG. 22, when a terminal to which an IP address of domain B is assigned accesses a device belonging to domain A, the transmission source IP address is a network side port of the address translation device 24. That is, the terminals belonging to the domain B under the address translation device 24 are aggregated with the source IP addresses when connecting to the network 74. Therefore, when restricting access rights from terminals belonging to the domain B, only the IP address assigned to the network side port of the address translation device 24 is targeted regardless of the number of terminals under the address translation device 24. Good.

(Example 5)
FIG. 23 is a block diagram illustrating a configuration of the network system 116 according to the present embodiment. The network system 116 of the present embodiment includes a virtual machine (hereinafter referred to as “VM”) execution terminal 80 instead of the address translation device 24 of the network system 114 of the above-described embodiment of FIG. In the present embodiment, a configuration and operation in which the present invention is applied to a VM execution environment provided in the VM execution terminal 80 will be described. As an example of the VM execution environment, VMware (registered trademark) and Xen (registered trademark) are known.

  Specifically, the network system 114 in this embodiment includes a VM execution terminal 80, a router 54, a DHCP server 34, a shared server 44, the Internet 75, and a network 74. The VM execution terminal 80, the router 54, the DHCP server 34, and the shared server 44 are connected via a network 74. The network 74 can be connected to the Internet 75 via the router 54.

  FIG. 24 is a functional block diagram illustrating a configuration of the VM execution terminal 80 according to the present embodiment. The VM execution terminal 80 includes a host OS 89 and a guest OS 87. A VM execution environment 88 operates as an application on the host OS 89. The VM execution environment 88 is regarded as virtual hardware, and the guest OS 87 operates on it.

  An advantage of using the VM execution terminal 80 shown in the present embodiment is that the coexistence of different access rights between the host OS 89 and the guest OS 87 can be applied automatically and easily.

The network system 116 of this embodiment includes a VM execution terminal 80 and a DHCP server 34 connected to the VM execution terminal 80 through a network. A plurality of DHCP servers 34 exist on the network 74, and a plurality of DHCP servers 34 are provided. Has a priority.
The VM execution terminal 80 implements a VM execution environment 88 that is an application of the host OS 89 that runs on the VM execution terminal 80. The VM execution environment 88 sends a packet sent from the network interface 85 of the guest OS 87 operating on the VM execution environment 88 to the network 74 as it is via the network interface 86 of the host OS 89. It is recognized as one of the DHCP servers 34 from the means provided in the bridge unit 82 and the relay device unit 10y, manages an IP address of a network domain different from the DHCP server 34, assigns an IP address according to a request, and simultaneously sets a default gateway. Packets sent from the VM address assignment unit 84 set in the VM address conversion unit 83 and the network interface 85 of the guest OS 87 are subjected to NAT or NAPT processing, and the packet is sent to the network of the host OS 89. Via chromatography click interface 86 to implement the VM address converter 83 to be transmitted to the network 74, the.
When the guest OS 87 can obtain an IP address from the DHCP server 34, the VM execution environment 88 sends the data sent from the network interface 85 of the guest OS 87 to the network 74 via the VM bridge unit 82, and the guest OS 87 uses DHCP. If the IP address cannot be acquired from the server 34, the VM address assigning unit 84 assigns the IP address of the guest OS 87, and sends the data sent from the network interface 85 of the guest OS 87 to the network 74 via the VM address converting unit 83. To do.

  In FIG. 23, the network 74 belongs to the domain A. The host OS 89 (FIG. 24), the router 54, the DHCP server 34, and the shared server 44 of the VM execution terminal 80 have domain A IP addresses, and the DHCP server 34 manages the domain A address pool.

  As a logical network connection between the host OS 89 of the VM execution terminal 80 and the guest OS 87 (FIG. 24), a bridge connection, an address conversion connection, and the like are known.

  The bridge connection is one of connections in which the host OS 89 and the guest OS 87 (FIG. 24) belong to the same network domain. The IP address of the guest OS 87 (FIG. 24) is acquired from the DHCP server 34 via the bridge interface on the VM execution environment 88 (FIG. 24) and the NIC (Network Interface Card) of the VM execution terminal 80.

  The address translation connection is one of connections in which the host OS 89 and guest OS 87 (FIG. 24) of the VM execution terminal 80 belong to different network domains. When the guest OS 87 (FIG. 24) connects to the network 74, the source address of the packet is NAT or NAPT converted to the IP address of the host OS 89 (FIG. 24). The IP address of the guest OS 87 (FIG. 24) is assigned by the VM address conversion unit 83 (FIG. 24) on the VM execution environment 88 (FIG. 24) described later.

  As shown in FIG. 24, the VM execution terminal 80 includes a relay device unit 10y, a virtual interface 81, a VM bridge unit 82, a VM address conversion unit 83, a VM address assignment unit 84, and network interfaces 85 and 86. Become. Note that FIG. 24 shows a configuration with one guest OS 87, but even if there are a plurality of guest OSs 87, there is no problem in realizing the present invention.

  The relay device unit 10y has the same configuration as the relay device 10 in the above-described embodiment shown in FIG. 6, and performs the same operation. Hereinafter, the relay device unit 10y will be described as performing the operation of the relay device 10 in the embodiment shown in FIGS. 7 and 8, but the relay device 10 in the embodiment shown in FIGS. Even if the operation is performed, the same can be realized.

  The VM bridge unit 82 is virtually connected between the network interfaces 85 and 86 of the host OS 89 and the guest OS 87, and performs a bridge operation on the logical network.

  The VM address conversion unit 83 is virtually connected between the network interfaces 85 and 86 of the host OS 89 and the guest OS 87, and performs NAT operation or NAPT operation on the logical network. Functionally, an IP address of domain B is assigned to the LAN side interface of the VM address conversion unit 83 and is set as a default gateway of the guest OS 87 to which domain B is assigned. In the following description, it is assumed that the VM address conversion unit 83 performs a NAPT operation.

The VM address assigning unit 84 has a DHCP function and manages the domain B address pool.
The network interfaces 85 and 86 are interfaces for connecting to an external network when viewed from the OS. The guest OS 87 is included in the network interface 85, and the host OS 89 is included in the network interface 86.
The virtual interface 81 is a function on the VM execution environment 88 and exchanges frames with the network interface 85 of the guest OS 87.

  The operation in the network system 114 of this embodiment is the same as the operation in the network system 114 of the above-described embodiment shown in FIG. That is, the address translation device 24, the address translation unit 124, the address assigning unit 126, the switch unit 122, the ports 14e to 14g, and the terminal 60 in the above embodiment of FIGS. 20 and 21 are the VM execution terminal in the present embodiment of FIG. This corresponds to 80 VM execution environments 88, a VM address conversion unit 83, a VM address assignment unit 84, a VM bridge unit 82, a virtual interface 81, and a guest OS 87, respectively.

  In the present embodiment, the priority of the VM address assigning unit 84 is set to the lowest in each unit included in the relay device unit 10y.

  Although the present invention has been described with reference to the embodiments and examples, the present invention is not limited to the above embodiments and examples. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

DESCRIPTION OF SYMBOLS 1 Relay apparatus 3 DHCP server 6 Terminal 7 Network 10 Relay apparatus 10y Relay apparatus part 11 Message monitoring part 12 Transfer part 13 Port management table 14 Port 15 Buffer 16 Header monitoring part 17 Switch part 19 Relay apparatus 20 Relay apparatus 22 Relay apparatus 24 Address Conversion device 30 DHCP server 34 DHCP server 40 Shared server 44 Shared server 50 Router 52 Router 54 Router 60 Terminal 70 Network 72 Network 74 Network 75 Internet 80 VM execution terminal 81 Virtual interface 82 VM bridge unit 83 VM address conversion unit 84 VM address assignment Unit 85 Network interface 86 Network interface 88 VM execution environment 100 Network system 101 Network system 11 Network system 112 network system 114 network system 116 network system 120 repeater unit 122 switch unit 124 the address conversion unit 126 address assignment unit 87 guest OS
89 Host OS

Claims (28)

A communication terminal;
Managing an IP (Internet Protocol) address dynamically assigned to the communication terminal on the network, and assigning and assigning the IP address to the communication terminal in response to a request from the communication terminal;
A relay device arranged between the communication terminal and the address assignment server and connected to the network,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The relay device is
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
A network system for transferring, to the communication terminal, only the response of the address assignment server having the highest priority that returns a response to an address assignment server search message from the communication terminal among the plurality of address assignment servers. The network system according to claim 1,
A network system in which a transfer range of the broadcast frame is limited only to a network belonging to the same network domain as an IP address assigned to the communication terminal. The network system according to claim 1 or 2,
The relay device is
A plurality of ports connected to the communication terminal on the network;
A port management table storing a MAC address and network domain information for each ID of the port;
Check the message of the received frame, determine whether the frame is related to the IP address acquisition message, and if the frame is related to the IP address acquisition message, update the contents of the IP address acquisition message in the port management table After that, when outputting the frame, and other than the IP address acquisition message, message monitoring means for outputting the frame as it is,
The frame transmission range is determined based on the MAC address and the network domain information recorded in the port management table with reference to the frame source and destination addresses input from the message monitoring means. Transfer means for transferring the frame according to
The message monitoring means further includes a buffer,
The message monitoring means includes:
If a frame containing the addressing server search message is received, transfer the frame to all the addressing servers, and then
If a response frame is received from other than the address assignment server with the highest priority, check the buffer,
If there is no response frame in the buffer, or the priority of the source address assignment server of the stored response frame is lower than the priority of the source address assignment server of the received response frame, the saved response frame The response frame received is discarded and the received response frame is saved,
If the priority of the source address assignment server of the stored response frame is higher than the priority of the source address assignment server of the received response frame, discard the received response frame;
If a response frame is received from the address assignment server having the highest priority, the response frame in the buffer is discarded and the received response frame is passed to the transfer means,
A network system for acquiring a response frame in the buffer and passing it to the transfer means when a predetermined time or more has elapsed since the response frame was stored in the buffer. The network system according to claim 3,
The message monitoring means further includes
If a frame containing the addressing server search message is received, send the frame to the highest priority addressing server and wait for a certain period of time,
If the response frame is received within the predetermined time, the response frame is passed to the transfer means,
If the response frame is not received within the predetermined time, the frame is transmitted to the next highest priority address assignment server, waits for a predetermined time, and the response frame is received within the predetermined time or the corresponding address assignment server A network system that repeats operations until there is no more. The network system according to claim 4, wherein
The relay device is
Switch means for referring to the destination address of the received frame and transferring the frame based on the MAC address recorded in the port management table;
Reference is made to the destination address of the received frame, and if it is a broadcast address, the frame is passed to the message monitoring means, and if it is not broadcast, the header monitoring means passes the frame to the switch means;
A network system further comprising: The network system according to any one of claims 3 to 5,
The relay device is
It is recognized as one of the address assignment servers from the message monitoring means, the transfer means, and the port management table, manages an IP address of a network domain different from the address assignment server, and assigns the IP address in response to a request. Address assignment means for setting a default gateway at the same time;
Address conversion means for performing NAT (Network Address Translation) or NAPT (Network Address and Port Translation) operation between a terminal to which the address assigning means has assigned a network address and a device connected to the network;
Switch means for transferring the frame based on the destination MAC address of the received frame. The network system according to claim 6,
In the relay device, a network system in which the priority of the address assigning means is set to the lowest. The network system according to any one of claims 1 to 7,
The address assignment server is a DHCP (Domain Host Configuration Protocol) server, and the exchange of the IP address acquisition message is a network system based on DHCP. A virtual machine execution terminal;
An address assignment server connected to the virtual machine execution terminal via a network,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The virtual machine execution terminal is
Means for realizing a virtual machine execution environment which is an application of a host OS operating on the virtual machine execution terminal;
The virtual machine execution environment is:
Means provided in the relay device according to any one of claims 1 to 5,
Virtual machine bridge means for sending a packet sent from the network interface of the guest OS operating on the virtual machine execution environment to the network as it is through the network interface of the host OS;
A virtual device that is recognized as one of the address assignment servers by the means included in the relay device, manages an IP address of a network domain different from the address assignment server, and assigns the IP address according to a request and simultaneously sets a default gateway A machine address assigning means;
A virtual machine address conversion unit that performs NAT or NAPT processing on a packet sent from the network interface of the guest OS, and sends the packet to the network via the network interface of the host OS;
Means for realizing the virtual machine execution environment includes:
When the guest OS can obtain an IP address from the address assignment server, the data sent from the network interface of the guest OS is sent to the network via the virtual machine bridge means,
If the guest OS cannot obtain an IP address from the address assigning server, the virtual machine address assigning means assigns the IP address of the guest OS and converts the data sent from the network interface of the guest OS to a virtual machine address A network system for sending to the network via means. The network system according to claim 9, wherein
The network system in which, in the means included in the relay device, the priority of the virtual machine address assigning means is set to the lowest. The network system according to claim 9 or 10,
The address assignment server is a DHCP server, and the virtual machine address assignment means operates based on DHCP. Network-connected to a communication terminal and an address assignment server that manages an IP address dynamically assigned to the communication terminal on the network and assigns and assigns the IP address to the communication terminal according to a request,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
A relay device that transfers only the response of the highest priority addressing server that returns a response to the addressing server search message from the communication terminal to the communication terminal among the plurality of addressing servers. The relay device according to claim 12,
A relay device that limits a transfer range of the broadcast frame only to networks belonging to the same network domain as an IP address assigned to the communication terminal. The relay device according to claim 12 or 13,
A plurality of ports connected to the communication terminal on the network;
A port management table storing a MAC address and network domain information for each ID of the port;
Check the message of the received frame, determine whether the frame is related to the IP address acquisition message, and if the frame is related to the IP address acquisition message, update the contents of the IP address acquisition message in the port management table After that, when outputting the frame, and other than the IP address acquisition message, message monitoring means for outputting the frame as it is,
The frame transmission range is determined based on the MAC address and the network domain information recorded in the port management table with reference to the frame source and destination addresses input from the message monitoring means. Transfer means for transferring the frame according to
The message monitoring means further includes a buffer,
The message monitoring means includes:
If a frame containing the addressing server search message is received, transfer the frame to all the addressing servers, then
If a response frame is received from other than the address assignment server with the highest priority, check the buffer,
If there is no response frame in the buffer, or if the priority of the source address assignment server of the stored response frame is lower than the priority of the source address assignment server of the received response frame, the saved response frame The response frame received is discarded and the received response frame is saved,
If the priority of the source address assignment server of the stored response frame is higher than the priority of the source address assignment server of the received response frame, discard the received response frame;
If a response frame is received from the address assignment server having the highest priority, the response frame in the buffer is discarded and the received response frame is passed to the transfer means,
A relay device that acquires a response frame in the buffer and passes it to the transfer means when a predetermined time or more has elapsed since the response frame was stored in the buffer. The relay device according to claim 14,
The message monitoring means further includes
If a frame containing the addressing server search message is received, send the frame to the highest priority addressing server and wait for a certain period of time,
If the response frame is received within the predetermined time, the response frame is passed to the transfer means,
If the response frame is not received within the predetermined time, the frame is transmitted to the next highest priority address assignment server, waits for a predetermined time, and the response frame is received within the predetermined time or the corresponding address assignment server A repeater that repeats the operation until there is no more. The relay device according to claim 15,
Switch means for referring to the destination address of the received frame and transferring the frame based on the MAC address recorded in the port management table;
A header monitoring unit that refers to the destination address of the received frame, passes the frame to the message monitoring unit if it is a broadcast address, and passes the frame to the switch unit if it is not broadcast; A relay device provided. The relay device according to any one of claims 12 to 16,
It is recognized as one of the address assignment servers from the message monitoring means, the transfer means, and the port management table, manages an IP address of a network domain different from the address assignment server, and assigns the IP address in response to a request. Address assignment means for setting a default gateway at the same time;
Address conversion means for performing NAT or NAPT operation between a terminal to which the address assigning means has assigned the IP address and a device connected to the network;
And a switching unit that transfers the frame based on a destination MAC address of the received frame. The relay device according to claim 17,
In the message monitoring unit, a relay apparatus in which the priority of the address assigning unit is set to the lowest. The relay device according to any one of claims 12 to 18,
The address assignment server is a DHCP server, the address assignment unit operates based on DHCP, and the exchange of the IP address acquisition message is a relay apparatus based on DHCP. Network connection with the address assignment server
Means for realizing a virtual machine execution environment as an application of the host OS,
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The virtual machine execution environment is:
Means provided in the relay device according to any one of claims 12 to 16,
Virtual machine bridge means for sending a packet sent from the network interface of the guest OS operating on the virtual machine execution environment to the network as it is through the network interface of the host OS;
A virtual device that is recognized as one of the address assignment servers by the means included in the relay device, manages an IP address of a network domain different from the address assignment server, and assigns the IP address according to a request and simultaneously sets a default gateway A machine address assigning means;
A virtual machine address conversion unit that performs NAT or NAPT processing on a packet sent from the network interface of the guest OS, and sends the packet to the network via the network interface of the host OS;
Means for realizing the virtual machine execution environment includes:
When the guest OS can obtain an IP address from the address assignment server, the data sent from the network interface of the guest OS is sent to the network via the virtual machine bridge means,
If the guest OS cannot obtain an IP address from the address assigning server, the virtual machine address assigning means assigns the IP address of the guest OS and converts the data sent from the network interface of the guest OS to a virtual machine address A virtual machine execution terminal for sending to the network via means. The virtual machine execution terminal according to claim 20,
The virtual machine execution terminal in which the priority of the virtual machine address assigning means is set to the lowest in the means provided in the relay device. In the virtual machine execution terminal according to claim 20 or 21,
The address assignment server is a DHCP server, the virtual machine address assignment means operates based on DHCP, and the exchange of the IP address acquisition message is a virtual machine execution terminal based on DHCP. A communication terminal;
An IP address assignment server that manages an IP address dynamically assigned to a communication terminal on a network, and assigns and assigns the IP address in response to a request from the communication terminal;
Controlling a network including a relay device arranged between the communication terminal and the address assignment server and connected to the network;
There are a plurality of the address assignment servers on the network, and a plurality of the address assignment servers are provided with a priority,
The relay device is
Based on the IP address acquisition message exchanged between the communication terminal and the address assignment server, determine the transfer range of the broadcast frame,
A network control method for transferring, to the communication terminal, only a response from the address assignment server having the highest priority that returns a response to an address assignment server search message from the communication terminal among the plurality of address assignment servers. The network control method according to claim 23, wherein
A network control method for limiting a transfer range of the broadcast frame to only networks belonging to the same network domain as an IP address assigned to the communication terminal. The network control method according to claim 23 or 24, wherein:
The relay device is
A plurality of ports connected to the communication terminal on the network;
A port management table storing a MAC address and network domain information for each port ID; and
The relay device confirms the message of the received frame, determines whether the frame is related to the IP address acquisition message, and if the frame is related to the IP address acquisition message, the content of the IP address acquisition message is A message monitoring procedure for outputting the frame after updating to the port management table, and outputting the frame as it is in cases other than the IP address acquisition message;
The relay device refers to the frame source and destination addresses input in the message monitoring procedure, and determines the frame transfer range based on the MAC address and the network domain information recorded in the port management table. And a transfer procedure for transferring the frame in accordance with the transfer range,
The relay device further includes a buffer,
In the message monitoring procedure,
If a frame containing the addressing server search message is received, transfer the frame to all the addressing servers, then
If a response frame is received from other than the address assignment server with the highest priority, check the buffer,
If there is no response frame in the buffer, or if the priority of the source address assignment server of the stored response frame is lower than the priority of the source address assignment server of the received response frame, the saved response frame The response frame received is discarded and the received response frame is saved,
If the priority of the source address assignment server of the stored response frame is higher than the priority of the source address assignment server of the received response frame, discard the received response frame;
When a response frame is received from the address assignment server having the highest priority, the response frame in the buffer is discarded and the received response frame is shifted to the transfer procedure,
A network control method for acquiring a response frame in the buffer and transitioning to the transfer procedure when a predetermined time or more has elapsed since the response frame was stored in the buffer. The network control method according to claim 25,
The message monitoring procedure further includes:
If a frame containing the addressing server search message is received, send the frame to the highest priority addressing server and wait for a certain period of time,
If a response frame is received within the predetermined time, the process proceeds to the transfer procedure,
If a response frame is not received within the predetermined time, the frame is transmitted to the address assignment server having the next highest priority, waits for a predetermined time, and a response frame is received within a predetermined time. A network control method that repeats the operation until it runs out. The network control method according to claim 26, wherein
A switching procedure in which the relay device refers to the destination address of the received frame and transfers the frame based on the MAC address recorded in the port management table;
The relay device refers to the destination address of the received frame, transitions to the message monitoring procedure if it is a broadcast address, and transitions to the switch procedure if it is not broadcast. A network control method further comprising: The network control method according to any one of claims 23 to 27,
The address assignment server is a DHCP server, and the exchange of the IP address acquisition message is a network control method based on DHCP.

Images