JP2022100833A - Communication control device, system, method, and program - Google Patents

Abstract

To make it possible to suppress a communication failure even when devices having overlapping MAC addresses exist on different networks.SOLUTION: Each interface 31 sends and receives frames to and from a corresponding communication device 20. Transfer control means 32 controls the transfer of frames between a plurality of interfaces 31. Determination means 33 determines whether at least two of the plurality of interfaces 31 have received frames with the same source MAC address. When the determination means 33 determines that at least two interfaces 31 have received the frames with the same source MAC address, transfer suppression means 34 suppresses the transfer of frames between those interfaces.SELECTED DRAWING: Figure 1

Description

The present disclosure relates to communication control devices, systems, methods, and programs.

As a standard specification of the communication control device, the communication specification of the Ethernet frame on the Ethernet (registered trademark) network is defined in the layer 2 (data link layer) of the OSI reference model (Open Systems Interconnection reference model). Further, in layer 3 (network layer), communication specifications of IP packets on an IP (Internet Protocol) network are defined.

Further, there is a VLAN (Virtual Local Area Network) tagging as a communication specification for coexisting a plurality of layer 3 networks on the same layer 2 network. The communication specifications for VLAN tagging are defined as IEEE 802.1Q, which is a standard established by the Institute of Electrical and Electronics Engineers (IEEE). In VLAN tagging, the frame is encapsulated by adding a 32-bit VLAN tag field to the Ethernet frame, and the network is divided into a plurality of VLANs. The VLAN tag includes a 12-bit VID (VLAN Identifier) field, and the VID is used to identify a plurality of layer 3 networks.

In the VLAN tagging, when a packet belonging to each IP network is transmitted to the Ethernet work, it is encapsulated by the above-mentioned VLAN tag. Frames encapsulated by the VLAN tag are received only in the VLAN network with the matching VID. By this operation, it is possible to realize communication of a plurality of IP networks on the same Ethernet work and to separate communication between each IP network.

By using VLAN tagging, it is possible to construct a plurality of logically separated layer 3 networks on a physical environment constructed by a single layer 2 network. Further, in the VLAN tagging environment, the logical configuration of the layer 3 network can be changed only by changing the VID to which each communication terminal belongs. Therefore, in an environment using VLAN tagging, it is possible to flexibly manage the logical network of layer 3 without changing the physical configuration of layer 2.

FIG. 9 shows a network in which VLAN tagging is used. In FIG. 9, the network 300 includes a center A301, a base B302, a base C303, and a base D304. The center A301, the base B302, the base C303, and the base D304 exist in different business establishments, and are physically connected on the same Ethernet by constructing a wide area Ethernet. The center A301 has a department 321b that manages the base B302, a department 321c that manages the base C303, and a department 321d that manages the base D304.

In the network 300, each base and each department are separated by a logical network using VLAN tagging. The base B302 and the department 321b belong to the network 311 to which VID = 101 is assigned. The base C303 and the department 321c belong to the network 312 to which VID = 102 is assigned. The base D304 and the department 321d belong to the network 313 to which VID = 103 is assigned.

Here, it is assumed that the base C303 will be integrated into the base B302 due to the organizational restructuring, and it becomes necessary to reorganize the logical network accordingly. That is, it is assumed that the network 312 is integrated into the network 311 and the configuration is changed so that the base B302, the base C303, the department 321b, and the department 321c all belong to the network 311.

Suppose that VLAN tagging is not used in the network 300, and the network 300 is constructed by a plurality of layer 3 networks composed of a plurality of layer 2 networks. In that case, in order to reorganize the network, it is necessary to physically integrate the layer 2 Ethernet belonging to the network 311 and the network 312. In order to physically integrate layer 2 Ethernet, work by local workers is required at each site, which causes costs such as labor costs.

FIG. 10 shows a network when the base C303 is integrated with the base B302. When the network 300 is configured using VLAN tagging, as shown in FIG. 10, the network integration is performed by changing the VID = 102 corresponding to the network 312 to the VID = 101 corresponding to the network 311. Is possible. Since this network integration is a logical control that can be realized only by changing the VID setting of the communication terminal, there is no need to change the physical configuration, and there is no cost such as labor cost by the local worker. Similarly, network division and recombination can be realized by logical control, so VLAN tagging is used to flexibly manage a plurality of networks on the same Ethernet.

As a related technique, Patent Document 1 discloses a management server for managing a cloud appliance of a VLAN. The management server includes a network interface, a storage device, and a processing device. The network interface connects to the switch with a trunk port. The storage device stores the conversion mapping table. The processing device receives the first external data packet from the switch via the network interface. The first external data packet has a sourceless IP address, an external source medium access control (MAC) address, and a VLAN tag.

The processing device modifies the first external data packet and generates the first internal data packet by exchanging the external source MAC address with the internal source MAC address and deleting the VLAN tag according to the translation mapping table. .. The processing device generates a second internal data packet with a broadcast destination IP address and an internal destination MAC address. The processing device modifies the second internal data packet and generates a second external data packet by exchanging the internal destination MAC address with the external destination MAC address and adding a VLAN tag according to the conversion mapping table. The processing device also sends a second external data packet to the switch via the network interface.

JP-A-2015-95894

In the VLAN tagging environment, there is a problem that a failure occurs when communication with a duplicate MAC address occurs on the Ethernet work. This case will be described with reference to FIGS. 11 and 12. FIG. 11 shows a configuration example of a network in which routers are made redundant. The network 300a shown in FIG. 11 includes a center A301, a base B302, and a base C303. The center A301 has a department 321b that manages the base B302 and a department 321c that manages the base C303. In the network 300a, each base and each department are separated by a logical network using VLAN tagging. The base B302 and the department 321b belong to the network 311 to which VID = 101 is assigned. The base C303 and the department 321c belong to the network 312 to which VID = 102 is assigned.

The center A301 has a switch A323, a router A325, and a router A326. The switch 323 performs tagging VLAN transmission / reception processing for communications belonging to the network 311 and the network 312. The router A325 and the router A326 make the gateway portion of the center A301 redundant. The router A325 and the router A326 are each connected to a wide area network. In the normal state, the router A325 is selected as the route to the base B302, and the router A326 is selected as the route to the base C303.

The base B302 has a router B331 and a router B332 in the gateway portion. The router B331 and the router B332 make the gateway portion of the base B302 redundant. In the normal state, the router B331 is selected as the priority route. The router B331 and the router B332 perform the tagging VLAN transmission / reception processing of the network 311 (VID = 101). Under the router B331 and the router B332, a LAN in the base B premises and a premises terminal are connected. The redundancy of the router B331 and the router B332 is configured by VRRP (Virtual Router Redundancy Protocol). A VRRP virtual host B335 is set on the network 311. VRRP is a redundancy protocol defined in RFC (Request for Comments) 2338. The redundant configuration of VRRP is identified by a VRID (Virtual Router Identifier) arbitrarily set by the network administrator.

The configuration of the base C303 is the same as the configuration of the base B302. The base C303 has a router C341 and a router C342. The router C341 and the router C342 make the gateway portion of the base C303 redundant. The base C303 belongs to the network 312 and has a VID of 102. A VRRP virtual host C345 is set in the network 312.

In the network 300a shown in FIG. 11, the network 311 and the network 312 are logically separated by using VLAN tagging. However, since the layer 2 Ethernet frame is not separated by VLAN tagging, the Ethernet frame generated in the network 311 and the network 312, and the MAC address system are shared on the Ethernet.

FIG. 12 shows a network when a common value “1” is set for the VRID of VRRP in the base B302 and the base C303. In RFC2338, the MAC address of the virtual host is defined to be "00-00-5E-00-01- {VRID}". Therefore, the MAC address of the virtual host B335 on the network 311 is 00-00-5E-00-01-01, and the MAC address of the virtual host C345 on the network 312 is 00-00-5E-00-01-01. Become. In this way, when the same VRID = 1 is used in networks with different VIDs, the MAC addresses of the virtual hosts on each network have the same value 00-00-5E-00-01-01. The communication specifications of the layer 2 network do not assume that the same MAC address exists on the same network. Therefore, if the state of FIG. 12 continues, a communication failure occurs on the network as described below.

FIG. 13 shows a situation in which a broadcast is performed from the virtual host B335. When a broadcast is performed from the virtual host B335, the router A325 receives the broadcasted frame on the WAN (Wide Area Network) side interface. The frame is broadcast to the premises network of center A301. The router A326 receives the frame at the LAN side interface. Therefore, the router A326 learns that the terminal with the MAC address 00-00-5E-00-01-01 exists on the LAN side.

FIG. 14 shows a situation in which the terminal of the department 321c tries to communicate with the virtual host C345 in the center A301. The terminal of the department 321c transmits a frame destined for 00-00-5E-00-01-01, which is the MAC address of the virtual host C345, to the router A326. However, the router A326 has learned that the MAC address 00-00-5E-00-01-01 exists on the LAN side. Therefore, the frame is not transferred to the WAN side and does not reach the base C303. Therefore, a failure occurs in communication destined for the virtual host C345. Further, if the address of the virtual host C345 is used for routing and encryption of communication between the center A301 and the base C303, other communication on the network 312 also fails.

MAC address learning in a typical implementation is updated with the MAC address information of the last received frame. Therefore, the same event as described above may occur in the MAC address learning of the router A325. As a result, the router A325 and the router A326 are in a situation where similar failures occur repeatedly, so that the communication of the entire network becomes unstable.

In the above, an example of a network composed of two bases has been described, but the same failure as described above occurs even when the network is configured by a larger number of bases. Further, if there is even one site where the VRIDs overlap, the above-mentioned failure occurs. Therefore, even if some VRIDs are mistakenly duplicated during network design, the network settings of an existing base are diverted to a new base, or there is an error in changing the logical network of a single base, the above-mentioned problems occur. May occur. Even if the configuration does not use VRRP, it is the same on the same Ethernet work when a communication device with an invalid MAC address is connected to the network, a device failure, or a malicious attack. A device with a MAC address may be connected. Even in that case, the above-mentioned failure may occur.

As mentioned above, in a large-scale environment where a VLAN tag network is configured between multiple bases on a wide area Ethernet work, duplicate MAC addresses occur on the same Ethernet work due to VRRP setting mistakes, etc., resulting in a failure. May occur. The above failure is recovered when the MAC address is relearned. However, if the wrong MAC address is learned again, a failure will occur. That is, failures and recovery can occur alternately. In addition, the location of the above-mentioned obstacle changes. For this reason, it tends to be difficult to identify the suspected part and the cause in the failure analysis.

As a method of avoiding duplication of MAC addresses, it is conceivable to physically divide the network without constructing the same large-scale layer 2 network. However, in that case, the flexibility of the logical network configuration obtained by utilizing VLAN tagging or the like on a single large-scale layer 2 network is impaired. Therefore, it is an issue of the layer 2 network to detect the existence of duplicate MAC addresses and prevent a failure while maintaining a large-scale layer 2 network.

In Patent Document 1, the processing device exchanges the external source MAC address with the internal source MAC address by using the conversion mapping table. In Patent Document 1, when two appliances deployed in different VLANs have the same MAC address, the MAC addresses are converted into different MAC addresses based on the respective VLAN tags. Therefore, it is possible to prevent MAC address conflict. However, in Patent Document 1, it is necessary to prepare a conversion mapping table in advance.

In view of the above circumstances, an object of the present disclosure is to provide a communication control system, a device, a method, and a program capable of suppressing a communication failure even when devices having duplicate MAC addresses exist on different networks. do.

In order to achieve the above object, the present disclosure provides a communication control device as a first aspect. The communication control device includes a plurality of interfaces for transmitting and receiving frames to and from a plurality of communication devices, each of which is different from each other, a transfer control means for controlling the transfer of frames between the plurality of interfaces, and the plurality of interfaces. At least two interfaces have a determination means for determining whether or not the source MAC (Media Access Control) address has received the same frame, and at least two interfaces in the determination means have the same source MAC address. When it is determined that the frame has been received, the transfer suppressing means for suppressing the transfer of the frame between the at least two interfaces is provided.

The present disclosure provides a communication control system as a second aspect. The communication control system includes a plurality of communication devices and the above-mentioned communication control device.

The present disclosure provides a communication control method as a third aspect. The communication control method receives frames from a plurality of communication devices, each of which is different from each other, and determines whether or not at least two interfaces of the plurality of interfaces have received frames having the same source MAC address. When it is determined that the at least two interfaces have received the same frame with the MAC address of the source, it includes suppressing the transfer of the frame between the at least two interfaces.

The present disclosure provides a program as a fourth aspect. The program is for causing a computer to execute the above communication control method.

The communication control system, device, method, and program according to the present disclosure can suppress a communication failure even when there are devices having duplicate MAC addresses on different networks.

The block diagram schematically showing the communication control system which concerns on this disclosure. The block diagram which shows the network including the communication control system which concerns on 1st Embodiment of this disclosure. A block diagram showing a configuration example of a communication control device. A flowchart showing an operation procedure in a communication control device. A block diagram showing the state of the network in a certain aspect. The block diagram which shows the network when the broadcast frame occurs from virtual host B. The block diagram which shows the communication control system in 2nd Embodiment of this disclosure. The block diagram which shows the structural example of the apparatus which can be used as a communication control apparatus. A block diagram showing a network in which VLAN tagging is used. The block diagram which shows the network when the base C is integrated into the base B. A block diagram showing an example of a network configuration in which routers are made redundant. The block diagram which shows the network when the common value is set for the VRID of VRRP in the base B and the base C. The block diagram which shows the situation that the broadcast was performed from the virtual host B. A block diagram showing a situation in which a terminal of department c attempts communication to virtual host C in center A.

Prior to the description of the embodiments of the present disclosure, the outline of the present disclosure will be described. FIG. 1 schematically shows a communication control system according to the present disclosure. The communication control system 10 has a plurality of communication devices 20 and a communication control device 30. The communication control device 30 has a plurality of interfaces 31, transfer control means 32, determination means 33, and transfer suppression means 34.

Each of the plurality of communication devices 20 is connected to the communication control device 30 via the corresponding interface 31. Each interface 31 sends and receives frames to and from the corresponding communication device 20. The transfer control means 32 controls the transfer of frames between the plurality of interfaces 31. Note that FIG. 1 shows an example in which the communication control system 10 has three communication devices 20 and the communication control device 30 has three interfaces 31, but the number of communication devices 20 and interfaces 31 is specific. Not limited to numbers. The communication control system 10 may have two or more communication devices 20, and the communication control device 30 may have two or more interfaces 31.

The determination means 33 determines whether or not at least two of the plurality of interfaces 31 have received the same frame with the same source MAC address. When the determination means 33 determines that at least two interfaces 31 have received frames having the same source MAC address, the transfer suppression means 34 suppresses the transfer of frames between those interfaces.

In the present disclosure, the determination means 33 determines whether or not a frame having the same MAC address as the source is received by a plurality of interfaces. The transfer suppressing means 34 suppresses the transfer of frames between a plurality of interfaces that have received frames of the same MAC address as the source. For example, it is assumed that the first communication device and the second communication device among the plurality of communication devices 20 receive a frame transmitted from a host having a duplicate MAC address. In that case, the communication control device 30 does not transfer the frame received from the first communication device to the interface connected to the second communication device. In this case, in the second communication device, learning of the MAC address based on the frame received from the first communication device can be suppressed. By doing so, the communication control device 30 can suppress a communication failure even when there are devices having overlapping MAC addresses on different networks.

Hereinafter, embodiments of the present disclosure will be described in detail. FIG. 2 shows a network including a communication control system according to the first embodiment of the present disclosure. The network 100 includes a center A110, a base (network base) B130, and a base C140. The center A110, the base B130, and the base C140 exist in different business establishments. The center A110, the base B130, and the base C140 are physically connected on the same Ethernet. This embodiment is capable of detecting duplicate MAC addresses in standard communication specifications, especially in layer 2 (data link layer) and layer 3 (network layer) of the OSI reference model, and suppressing failures caused by duplicate MAC addresses. And.

The center A110 includes a router A111, a router A112, a switch 113, a department 114b, a department 114c, and a communication control device 120. The department (management department) 114b includes one or more terminals used to manage the base B130. The department 114c includes one or more terminals used to manage the base C140. The terminals included in the department 114b and the department 114c include, for example, a personal computer (PC) and a computer device such as a server device. The department 114b and the department 114c are connected to the switch 113, respectively.

In the network 100, each base and each management department are separated by a logical network using VLAN tagging. The base B130 and the department 114b belong to the network (first VLAN) 161 identified by VID = 101. The base C140 and the department 114c belong to the network (second VLAN) 162 identified by VID = 102. The switch 113 performs tagging VLAN transmission / reception processing for networks 161 and 162.

The base B130 has a router B131 and a router B132 in the gateway portion. The router B131 and the router B132 make the gateway portion of the base B130 redundant. In the normal state, the router B131 is selected as the priority route. The router B131 and the router B132 perform tagging VLAN transmission / reception processing of the network 161 (VID = 101). Under the router B131 and the router B132, a LAN in the base B premises and a premises terminal are connected. The redundancy of router B131 and router B132 is configured by VRRP. A VRRP virtual host B135 is set on the network 161. The VRRP redundant configuration is identified by a VRID arbitrarily set by the network administrator.

The configuration of the base C140 is the same as the configuration of the base B130. The base C140 has a router C141 and a router C142. The router C141 and the router C142 make the gateway portion of the base C140 redundant. The base C140 belongs to the network 162 and has a VID of 102. A VRRP virtual host C145 is set in the network 162.

In the center A110, the router A111 and the router A112 are arranged in the gateway portion. The router A111 and the router A112 make the gateway portion of the center A110 redundant. For example, VRRP is used for the redundant configuration of the router. The router A111 and the router A112 are connected to a wide area network, respectively, and perform tagging VLAN transmission / reception processing of the networks 161 and 162, respectively. In the normal state, the router A111 is selected as the route to the base B130, and the router A112 is selected as the route to the base C140. In other words, in the normal state, the router A111 is connected to the network (first external network) 161 and the router A112 is connected to the network (second external network) 162. The router A111 is connected to the routers B (first router) 131 and 132 via the network 161. The router A112 is connected to the routers C (second router) 141 and 142 via the network 162. The router A111 and the router A112 correspond to the communication device 20 shown in FIG.

The communication control device 120 is configured as a switch or hub having a general layer 2 frame transmission / reception function. The communication control device 120 has a plurality of interfaces 121-1 to 121-3. The interface (first interface) 121-1 and the interface (second interface) 121-2 are WAN-side interfaces. Interface 121-1 is connected to router A (first communication device) 111. Interface 121-1 sends and receives frames to and from router A111. Interface 121-2 is connected to router A (second communication device) 112. Interface 121-2 sends and receives frames to and from router A112.

The interface (third interface) 121-3 is an interface connected to the internal network (LAN) of the center A110. Interface 121-3 is connected to switch 113. The departments 114b and 114c in the center A110 are connected to the communication control device 120 via the switch 113. As shown in FIG. 2, in the present embodiment, the communication control device 120 is installed at a place where the communication from the base B130 (traffic) and the communication from the base C140 physically merge. The communication control device 120 corresponds to the communication control device 30 shown in FIG.

FIG. 3 shows a configuration example of the communication control device 120. The communication control device 120 has a transfer control unit 122, a MAC address storage unit 123, a determination unit 124, and a transfer suppression unit 125, in addition to the plurality of interfaces 121-1 to 121-3. Although FIGS. 2 and 3 show an example in which the communication control device 120 has a total of three interfaces, the number of interfaces is not limited to a specific number. The communication control device 120 may have at least two interfaces connected to a communication device such as a router. In the following description, interfaces 121-1 to 121-3 are also referred to as interfaces 121 unless it is necessary to distinguish them. The interface 121 corresponds to the interface 31 shown in FIG.

The transfer control unit 122 performs frame transfer processing between the plurality of interfaces 121. The transfer control unit 122 corresponds to the transfer control means 32 shown in FIG. The MAC address storage unit (MAC address storage means) 123 has a MAC address storage device (area) corresponding to each of the plurality of interfaces 121. The MAC address storage unit 123 stores the source MAC address of the frame received by the corresponding interface 121. The MAC address storage unit 123 stores the MAC address (first MAC address) of the source of the frame received by the interface 121-1 from the router A111. Further, the MAC address storage unit 123 stores the MAC address (second MAC address) of the source of the frame received by the interface 121-2 from the router A112.

The determination unit 124 determines whether or not at least two interfaces of the plurality of interfaces 121 have received frames having the same source MAC address. In other words, it detects duplicate MAC addresses on multiple interfaces. The determination unit 124 refers to the MAC address storage unit 123, and checks whether or not the first MAC address and the second MAC address match. When the first MAC address and the second MAC address match, the determination unit 124 determines that the interface 121-1 and the interface 121-2 have received a frame having the same source MAC address. The determination unit 124 corresponds to the determination means 33 shown in FIG.

When the determination unit 124 determines that at least two interfaces have received frames having the same source MAC address, the transfer suppression unit 125 suppresses the transfer of frames between those interfaces. For example, when the first MAC address and the second MAC address match, the transfer suppression unit 125 forwards the frame received by the interface 121-1 to the router A112 via the interface 121-2. Suppress. Further, the transfer suppression unit 125 suppresses the transfer of the frame received by the interface 121-2 to the router A111 via the interface 121-1. The transfer suppression unit 125 corresponds to the transfer suppression means 34 shown in FIG.

FIG. 4 shows an operation procedure (communication control method) in the communication control device 120. The communication control device 120 receives frames from the connected router A111, router A112, and switch 113 at each interface 121 (step S1). The MAC address storage unit 123 stores the MAC address of the source of the frame received by each interface 121 (step S2).

The determination unit 124 refers to the MAC address storage unit 123, and determines whether or not the MAC addresses are duplicated in the plurality of interfaces 121 (step S3). In other words, the determination unit 124 determines whether or not a frame having the same source MAC address is received in the two or more interfaces 121. For example, the determination unit 124 selects the interfaces 121 one by one, and in the MAC address storage unit 123, the MAC address of the transmission source stored corresponding to the selected interface and the transmission of the frame received in step S1 are transmitted. Compare with the original MAC address. When the overlapping MAC addresses are stored corresponding to two or more interfaces 121, the determination unit 124 determines whether or not a frame having the same source MAC address is received in the two or more interfaces 121. ..

When the transfer suppression unit 125 determines in step S3 that two or more interfaces 121 are receiving frames having the same source MAC address, the transfer suppression unit 125 transfers the frame received in step S1 to the interface 121. Suppress the transfer (step S4). The transfer control unit 122 transfers the frame to an interface other than the interface whose transfer is suppressed in step S4 among the interface 121 of the transfer destination of the frame (step S5). If it is determined in step S3 that two or more interfaces 121 do not receive frames having the same source MAC address, the transfer control unit 122 transfers the frame to the transfer destination interface 121 in step S5.

Hereinafter, the operation in the communication control system will be described using a specific example. FIG. 5 shows the situation of the network 100 in a certain aspect. It is assumed that a common value "1" is set for the VRID of VRRP in the base B130 and the base C140. In that case, the MAC address of the virtual host B135 on the network 161 is 00-00-5E-00-01-01, and the MAC address of the virtual host C145 on the network 162 is 00-00-5E-00-01-01. Is. That is, the virtual host B135 and the virtual host C145 have the same MAC address.

In the above situation, when communication from the virtual host B135 to the department 114b occurs, the communication control device 120 receives the packet of the communication on the interface 121-1 via the router A111. The MAC address storage unit 123 (see FIG. 3) stores the MAC address "00-00-5E-00-01-01" of the fume transmission source for the interface 121-1. Further, when the communication from the virtual host C145 to the department 114c occurs, the communication control device 120 receives the packet of the communication on the interface 121-2 via the router A112. The MAC address storage unit 123 stores the MAC address "00-00-5E-00-01-01" of the hum transmission source for the interface 121-2. By this operation, the communication control device 120 is in a state of learning the MAC addresses 00-00-5E-00-01-01 that are duplicated in the plurality of interfaces.

FIG. 6 shows the network 100 when a broadcast frame is generated from the virtual host B135. The communication control device 120 receives the broadcast frame transmitted from the virtual host B135 via the router A111. The communication control device 120 refers to the MAC address storage unit 123, and checks whether or not there is an interface in which the same MAC address as the MAC address of the source of the broadcast frame is stored. The MAC address storage unit 123 stores the MAC address 00-00-5E-00-01-01 for the interface 121-2. Therefore, the transfer suppression unit 125 suppresses the transfer of the broadcast frame to the interface 121-2. In this case, the transfer control unit 122 transfers the broadcast frame to the interface 121-3.

By doing the above, the frame whose source is the MAC address 00-00-5E-00-01-01 is not received by the LAN side interface of the router A112. Therefore, the MAC address is not relearned in the router A112 due to the broadcast frame transmitted by the virtual host B. Assuming that the MAC address is relearned in the router A112, a communication failure occurs when the terminal of the department 114c tries to communicate with the virtual host C145, as in the example shown in FIG. In the present embodiment, since the transfer of the broadcast frame is suppressed in the communication control device 120, such a communication failure can be avoided. Even when a broadcast frame is generated from the virtual host C145, the MAC address relearning of the router A111 does not occur due to the same operation, and the failure is avoided.

It should be noted that the interface of the communication control device 120 has no opportunity to store the MAC address of the virtual host until some communication from the virtual host to the center A occurs. It is conceivable that a broadcast frame is generated from either virtual host before both interfaces 121-1 and 121-2 learn the MAC address 00-00-5E-00-01-01. In that case, the detection of the duplicate MAC address and the suppression of forwarding may not operate, and the router A111 or the router A112 may be in a state of learning the MAC address on the LAN side interface. In that case, the above communication failure temporarily occurs. However, if communication from the virtual host on the WAN side occurs after that, the MAC address of the router is relearned and the failure is recovered. Further, in the communication control device 120, the MAC address storage unit 123 stores the MAC address, so that the determination unit 124 can detect the overlapping state of the MAC addresses. In that case, the transfer suppression unit 125 suppresses the transfer of the frame to the interface that stores the duplicate MAC address, thereby suppressing the recurrence of the failure.

In the present embodiment, the communication control device 120 has a communication control function according to the provisions of the OSI reference model. Further, in the communication control device 120, the MAC address storage unit 123 stores the MAC address of the source of the frame for each interface. The determination unit 124 detects MAC addresses that overlap between a plurality of interfaces. The transfer suppression unit 125 suppresses the transfer of the frame to the interface that stores the same MAC address as the MAC address that is stored corresponding to the interface that received the frame. When the source MAC address of the frame received by one interface matches the MAC address stored in another interface, the communication control device 120 assumes that there is a device having an overlapping MAC address in the connection destination area of those interfaces. to decide. In that case, the communication control device 120 suppresses the transfer of the frame to the interface in which the device having the overlapping MAC address in the connection destination area exists. By doing so, it is possible to detect the duplicated MAC address shown as a problem in the layer 2 network and prevent a failure caused by the duplicated MAC address.

In the present embodiment, the communication control device 120 is installed at a segment point where communications from a plurality of bases merge. The communication control device 120 separates transferable areas for communication of overlapping MAC addresses in an environment in which a plurality of layer 3 networks coexist on the same layer 2 network, such as a network using VLAN tagging. Can be done. Therefore, this embodiment can suppress the failure caused by the existence of duplicate MAC addresses while minimizing the influence on the network.

In the present embodiment, the communication control device 120 can avoid or suppress a failure that occurs when a duplicate MAC address exists on the layer 2 network. Further, by installing the communication control device 120 at the confluence of communication, even in an environment where a failure due to duplication of MAC addresses has already occurred, other physical configurations and logical configurations are not affected. , It is possible to eliminate the obstacle. The communication control device 120 according to the present embodiment is a preventive measure for suppressing a failure when a duplicate MAC address occurs in a large-scale environment in which a VLAN tag network is configured between a plurality of bases on a wide area Ethernet work. Can be installed. Further, the communication control device can be installed as a preventive measure for suppressing a failure when a duplicate MAC address occurs in an environment in which a plurality of VRRP configurations are formed on the layer 2 network.

Subsequently, the second embodiment of the present disclosure will be described. FIG. 7 shows a communication control system according to the second embodiment of the present disclosure. In the present embodiment, the center A110 has communication control devices 120-1 and 120-2 in the gateway unit 115. In the present embodiment, the management system is divided in the network of the center A110, and the administrator of the gateway unit 115 has only the authority to change the configuration of the router A111 and the router A112. The administrator of the gateway unit 115 cannot change the configurations of the department 114b, the department 114c, and the switch 113. In the present embodiment, the administrator of the gateway unit 115 does not have the authority to change the configuration of the place where the communication from the base B130 and the communication from the base C140 merge.

In the present embodiment, the communication control device 120-1 is installed on the LAN side of the router A111. The communication control device 120-2 is installed on the LAN side of the router A112. The communication control device 120-1 is arranged between the router A111 and the switch 113, and the communication control device 120-2 is arranged between the router A112 and the switch 113. The configurations of the communication control devices 120-1 and 120-2 may be the same as the configurations of the communication control devices 120 described in the first embodiment shown in FIG.

In the present embodiment, the communication control devices 120-1 and 120-2 have a function of sharing the MAC address stored in each MAC address storage unit 123 by using a network line. When the interface 121-1 receives a frame from the router A111, the MAC address storage unit 123 of the communication control device 120-1 stores the MAC address of the source of the frame for the interface 121-1. For example, when the router A111 receives a frame from the virtual host B135 of the base B130 (see FIG. 5), the MAC address storage unit 123 has the MAC address 00-00-5E-00-01-01 for the interface 121-1. Remember. Further, the MAC address storage unit 123 transmits the transmission source MAC address 00-00-5E-00-01-01 to the MAC address storage unit 123 of the communication control device 120-2 via the network line. The MAC address storage unit 123 of the communication control device 120-2 stores the received MAC address 00-00-5E-00-01-01 for the interface 121-1.

When the interface 121-2 receives a frame from the router A112, the MAC address storage unit 123 of the communication control device 120-2 stores the MAC address of the source of the frame for the interface 121-2. For example, when the router A112 receives a frame from the virtual host C145 of the base C140, the MAC address storage unit 123 stores the MAC address 00-00-5E-00-01-01 for the interface 121-2. Further, the MAC address storage unit 123 transmits the transmission source MAC address 00-00-5E-00-01-01 to the MAC address storage unit 123 of the communication control device 120-1 through the network line. The MAC address storage unit 123 of the communication control device 120-1 stores the received MAC address 00-00-5E-00-01-01 for the interface 121-2. By doing so, the MAC address of the source of the frame received by each interface is stored in both MAC address storage units 123.

The operations of the determination unit 124 and the transfer suppression unit 125 may be the same as the operations described in the first embodiment. The determination unit 124 determines the overlapping MAC addresses among the plurality of WAN-side interfaces 121, and the transfer suppression unit 125 suppresses the transfer of the frame to the WAN-side interface 121 that stores the overlapping MAC addresses. The configuration and operation in the present embodiment are such that the communication control device 120 is separated for each router (communication device), and the MAC address of the source of the frame of each interface is shared among the plurality of communication control devices 120. , The configuration and operation in the first embodiment may be the same.

For example, it is assumed that the MAC addresses 00-00-5E-00-01-01 are stored for the interfaces 121-1 and 121-2 in the MAC address storage units 123 of both the communication control devices 120-1 and 120-2. .. In that case, it is assumed that the interface 121-1 receives the broadcast frame from the virtual host B135 of the base B130. The transfer control unit 122 of the communication control device 120-1 transfers the broadcast frame to the switch 113 and the communication control device 120-2 via the interface on the LAN side. The communication control device 120-2 receives the broadcast frame at the interface on the LAN side. The determination unit 124 of the communication control device 120-2 refers to the MAC address storage unit 123, and determines that the MAC addresses overlap between the interface 121-1 and the interface 121-2. In that case, the transfer suppression unit 125 does not transfer the broadcast frame from the interface 121-2 to the router A112.

In the present embodiment, the plurality of communication control devices 120 are used to detect duplicate MAC addresses and suppress the transfer of frames to the interface that stores the duplicate MAC addresses. In this way, by installing the plurality of communication control devices 120 at a plurality of locations, even if the communication control device 120 cannot be arranged at the location where the plurality of communications merge, the detection of the duplicate MAC address and the duplicate MAC address are the causes. It is possible to prevent obstacles. Other effects are similar to those described in the first embodiment.

In each of the above embodiments, an example in which the number of bases connected to the center is two has been described. However, the present disclosure is not limited to this. The present disclosure can also be applied to a large-scale network in which a large number of VLAN tagging networks exist at a large number of sites. Further, in the above embodiment, an example in which the communication control device 120 is used in a network in which VRRP is used has been described, but the present disclosure is not limited thereto. When a communication device with an invalid MAC address is connected to the network, or due to a device failure or malicious attack, a device with the same MAC address may be connected on the same Ethernet work. The parallel control device 120 can detect duplicate MAC addresses and prevent failures caused by duplicate MAC addresses even in such a case.

As an application of each of the above embodiments, when the communication control device 120 detects the duplication of MAC addresses, the administrator may be notified of the duplication of MAC addresses. For example, when the duplication of MAC addresses is detected, the communication control device 120 may turn on the alarm lamp attached to the communication control device to notify the administrator of the duplication of MAC addresses. Alternatively, the communication control device 120 may display an alarm on the control console of the communication control device when the duplication of MAC addresses is detected. By doing so, the administrator can know the duplicated state of the MAC address before the failure caused by the duplicated MAC address actually occurs. By knowing the duplicated state of MAC addresses, the administrator can promote countermeasures such as correction of misconfig and blocking of unauthorized terminals, which are the causes, and contribute to maintaining the soundness of the network.

In the above embodiment, at least a part of the functions of the transfer control unit 122, the MAC address storage unit 123, the determination unit 124, and the transfer suppression unit 125 in the communication control device 120 is, for example, a processor included in the communication control device 120. It can be realized by operating according to the program of. FIG. 8 shows a configuration example of a computer device that can be used in the communication control device 120. The computer device 200 includes a processor 210 and a memory 220. The memory 220 includes a volatile memory and / or a non-volatile memory. The memory 220 stores software (computer program) executed on the processor 210, for example, in a non-volatile memory. The processor 210 is, for example, a CPU (Central Processing Unit) or the like, and the control and calculation performed by each unit of the computer device 200 can be realized, for example, by operating the processor 210 according to a computer program read from the memory 220. The processor 210 may read and execute the computer program from the memory outside the computer device 200 instead of reading the computer program from the memory 220 in the computer device 200.

The program is stored using various types of non-temporary computer-readable media and can be supplied to the computer device 200. Non-temporary computer-readable media include various types of tangible storage media. Examples of non-temporary computer readable media are magnetic recording media such as flexible disks, magnetic tapes, or hard disks, such as optical magnetic recording media such as optical magnetic disks, CDs (compact discs), or DVDs (digital versatile disks). Includes optical disk media such as, and semiconductor memory such as mask ROM (read only memory), PROM (programmable ROM), EPROM (erasable PROM), flash ROM, or RAM (random access memory). The program may also be supplied to the computer device 200 using various types of temporary computer-readable media. Examples of temporary computer readable media include electrical, optical, and electromagnetic waves. The temporary computer-readable medium can supply the program to the computer device 200 via a wired communication path such as an electric wire and an optical fiber, or a wireless communication path.

Although the embodiments of the present disclosure have been described in detail above, the present disclosure is not limited to the above-described embodiments, and changes and modifications are made to the above-described embodiments without departing from the spirit of the present disclosure. Are also included in this disclosure.

For example, some or all of the above embodiments may be described as, but not limited to, the following appendixes.

[Appendix 1]
Multiple interfaces for sending and receiving frames to and from multiple communication devices, each of which is different from each other.
A transfer control means for controlling the transfer of frames between the plurality of interfaces,
A determination means for determining whether or not at least two of the plurality of interfaces have received the same frame at the source MAC (Media Access Control) address.
Communication control including a transfer suppressing means for suppressing the transfer of the frame between the at least two interfaces when it is determined in the determination means that at least two interfaces have received a frame having the same source MAC address. Device.

[Appendix 2]
The plurality of interfaces include a first interface for transmitting and receiving frames to and from a first communication device, and a second interface for transmitting and receiving frames to and from a second communication device.
In the communication control device, the first MAC address of the source of the frame received by the first interface via the first communication device, and the second interface via the second communication device. Further provided with a MAC address storage means for storing the second MAC address of the source of the received frame,
When the first MAC address and the second MAC address match, the determination means determines that the first interface and the second interface have received frames having the same source MAC address. The communication control device according to Appendix 1.

[Appendix 3]
When the transfer suppressing means determines that the first interface and the second interface have received frames having the same source MAC address, the transfer suppressing means sets the frame received by the first interface to the second. Addendum that suppresses transfer to the second communication device via the interface and transfer of a frame received by the second interface to the first communication device via the first interface. 2. The communication control device according to 2.

[Appendix 4]
The communication control device according to Appendix 2 or 3, wherein the first communication device and the second communication device are connected to a first external network and a second external network, respectively.

[Appendix 5]
The communication control device according to Appendix 4, wherein the first external network and the second external network are a first VLAN and a second VLAN, which are divided by using VLAN (Virtual Local Area Network) tagging, respectively.

[Appendix 6]
The communication control device according to Appendix 5, wherein the first VLAN and the second VLAN are identified by using a VID (VLAN Identifier).

[Appendix 7]
The first communication device and the second communication device are connected to the first router and the second router via the first VLAN and the second VLAN, respectively. Communication control device.

[Appendix 8]
The communication control device according to Appendix 7, wherein the first router and the second router are each made redundant by using VRRP (Virtual Router Redundancy Protocol).

[Appendix 9]
The communication control device according to Appendix 8, wherein a common VRID (Virtual Router Identifier) is set in each of the first router and the second router.

[Appendix 10]
The communication control device according to any one of Supplementary note 4 to 9, which is installed at a place where the traffic from the first external network and the traffic from the second external network meet.

[Appendix 11]
The communication control device according to any one of Supplementary note 1 to 10, wherein the plurality of interfaces include a third interface connected to an internal network.

[Appendix 12]
With multiple communication devices,
Equipped with a communication control device
The communication control device is
A plurality of interfaces for transmitting and receiving frames to and from the plurality of communication devices, and
A transfer control means for controlling the transfer of frames between the plurality of interfaces,
A determination means for determining whether or not at least two of the plurality of interfaces have received the same frame at the source MAC (Media Access Control) address.
Communication having a transfer suppressing means for suppressing the transfer of the frame between the at least two interfaces when it is determined in the determination means that at least two interfaces have received the same frame with the MAC address of the source. Control system.

[Appendix 13]
The plurality of interfaces include a first interface for transmitting and receiving frames to and from a first communication device, and a second interface for transmitting and receiving frames to and from a second communication device.
In the communication control device, the first MAC address of the source of the frame received by the first interface via the first communication device, and the second interface via the second communication device. Further provided with a MAC address storage means for storing the second MAC address of the source of the received frame,
When the first MAC address and the second MAC address match, the determination means determines that the first interface and the second interface have received frames having the same source MAC address. The communication control system according to Appendix 12.

[Appendix 14]
The communication control according to Appendix 13, wherein the first communication device and the second communication device are connected to a first VLAN and a second VLAN, which are divided by using VLAN (Virtual Local Area Network) tagging, respectively. system.

[Appendix 15]
Each receives frames from multiple communication devices that are different from each other,
At least two of the plurality of interfaces determine whether or not the source MAC (Media Access Control) address has received the same frame.
A communication control method that suppresses the transfer of the frame between the at least two interfaces when it is determined that the at least two interfaces have received the same frame with the same source MAC address.

[Appendix 16]
Each receives frames from multiple communication devices that are different from each other,
At least two of the plurality of interfaces determine whether or not the source MAC address has received the same frame.
A program for causing a computer to execute a process of suppressing transfer of the frame between the at least two interfaces when it is determined that the at least two interfaces have received the same frame as the source MAC address.

"Appendix 17"
With multiple communication devices,
A communication control system including the communication control device according to any one of Supplementary note 1 to 11.

[Appendix 18]
A program for causing a computer to execute the communication control method according to the appendix 15.

10: Communication control system 20: Communication device 30: Communication control device 31: Interface 32: Transfer control means 33: Judgment means 34: Transfer suppression means 100: Network 110: Center A
111, 112: Router A
113: Switch 114b, 114c: Department 115 Gateway unit 120: Communication control device 121: Interface 122: Transfer control unit 123: MAC address storage unit 124: Determination unit 125: Transfer suppression unit 130: Base B
131, 132: Router B
135: Virtual host B
140: Base C
141, 142: Router C
145: Virtual host C
161 and 162: Network 200: Computer device 210: Processor 220: Memory

Claims (10)

Multiple interfaces for sending and receiving frames to and from multiple communication devices, each of which is different from each other.
A transfer control means for controlling the transfer of frames between the plurality of interfaces,
A determination means for determining whether or not at least two of the plurality of interfaces have received the same frame at the source MAC (Media Access Control) address.
Communication control including a transfer suppressing means for suppressing the transfer of the frame between the at least two interfaces when it is determined in the determination means that at least two interfaces have received a frame having the same source MAC address. Device. The plurality of interfaces include a first interface for transmitting and receiving frames to and from a first communication device, and a second interface for transmitting and receiving frames to and from a second communication device.
In the communication control device, the first MAC address of the source of the frame received by the first interface via the first communication device, and the second interface via the second communication device. Further provided with a MAC address storage means for storing the second MAC address of the source of the received frame,
When the first MAC address and the second MAC address match, the determination means determines that the first interface and the second interface have received frames having the same source MAC address. The communication control device according to claim 1. When the transfer suppressing means determines that the first interface and the second interface have received frames having the same source MAC address, the transfer suppressing means sets the frame received by the first interface to the second. A request for suppressing transfer to the second communication device via the interface and transfer of a frame received by the second interface to the first communication device via the first interface. Item 2. The communication control device according to Item 2. The communication control device according to claim 2 or 3, wherein the first communication device and the second communication device are connected to a first external network and a second external network, respectively. The first external network and the second external network are a first VLAN and a second VLAN divided by using VLAN (Virtual Local Area Network) tagging, respectively.
The communication according to claim 4, wherein the first communication device and the second communication device are connected to a first router and a second router via the first VLAN and the second VLAN, respectively. Control device. The first router and the second router are each made redundant by using VRRP (Virtual Router Redundancy Protocol).
The communication control device according to claim 5, wherein a common VRID (Virtual Router Identifier) is set in each of the first router and the second router. The communication control device according to any one of claims 4 to 6, wherein the communication control device is installed at a place where the traffic from the first external network and the traffic from the second external network meet. With multiple communication devices,
A communication control system including the communication control device according to any one of claims 1 to 7. Each receives frames from multiple communication devices that are different from each other,
At least two of the plurality of interfaces determine whether or not the source MAC (Media Access Control) address has received the same frame.
A communication control method that suppresses the transfer of the frame between the at least two interfaces when it is determined that the at least two interfaces have received the same frame with the same source MAC address. A program for causing a computer to execute the communication control method according to claim 9.

Images