JP5350333B2 - Packet relay apparatus and network system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow a subnet, to which a terminal belongs to, to be the same before and after authentication so as to enable an authentication network to be accessed even after authentication. <P>SOLUTION: In an authentication network, a packet relay apparatus has a routing table which does not have a transfer path to a job network, and in the job network, an L3 switch 131 having a routing table comprising transfer paths to the authentication network and the job network is used. A transmission packet from an unauthenticated terminal is transferred to the L3 switch 131 in the authentication network by an L2 switch 121, and transfer to the job network is discarded as unknown destination in routing in the authentication network of the L3 switch 131. A transmission packet from an authenticated terminal is transferred to the L3 switch 131 in the job network by the L2 switch 121, thereby enabling the packet to be transferred not only to the authentication network but also to the job network in routing in the job network of the L3 switch 131. <P>COPYRIGHT: (C)2012,JPO&amp;INPIT

Description

  The present invention relates to a packet relay device and a network system.

  In an IP (Internet Protocol) network, there is a technique for selecting a relay destination network for an IP packet transmitted from a transmission terminal based on the state of the transmission terminal and information (such as a destination IP address) included in the transmission packet. An example of a technique for selecting a relay destination network is a dynamic VLAN (Virtual Local Area Network) that realizes an authentication network system.

  An authentication network system is a network in which a terminal performs authentication and quarantine (hereinafter simply “authentication”) (hereinafter simply “authentication network”) and after the terminal performs authentication (hereinafter simply “after authentication”). Only terminals that have a network to connect to (hereinafter simply “business network”) and have been authenticated (hereinafter simply “authenticated terminals”) are permitted to access the business network and have not yet been authenticated (hereinafter “terminal”) , Simply a network system that prevents unauthorized access by “unauthenticated terminals”).

  The dynamic VLAN is a technique in which an authentication network and a business network are configured by different VLANs, the VLAN to which the terminal belongs is changed according to the authentication status of the terminal, and the relay destination network of the transmission packet of the terminal is switched. In the dynamic VLAN, since the VLAN to which the terminal belongs is changed before and after authentication, it is necessary to assign IP addresses of different subnets to the terminal before and after authentication. Therefore, since the subnet is divided before and after the authentication, the IP address utilization efficiency is lowered.

  Patent Document 1 describes a method for assigning the same IP address to a dynamic VLAN before and after authentication. This is realized by configuring the authentication network and the business network as VPNs (Virtual Private Networks), and making the IP subnets of the VLANs to which the terminals belong within each VPN the same. The IP address assigned to the terminal is set so that the DHCP (Dynamic Host Configuration Protocol) server installed in each VPN is synchronized between the VPNs, so that the IP address assigned to the terminal before and after authentication is the same. Yes.

JP 2008-193231 A

  In the technique of Patent Document 1, there is a problem that an authenticated terminal cannot access an authentication network, which is possible with a dynamic VLAN. Therefore, for example, a quarantine system that exists in the authentication network (for example, a system that updates anti-virus software or an operating system) cannot be used from the business network side, and an equivalent system is prepared on the business network side. Need arises. In Patent Document 1, it is necessary to install a plurality of DHCP servers having special functions that synchronize with each other.

In view of the above, an object of the present invention is to make it unnecessary to change an IP subnet before and after authentication in a dynamic VLAN, and to enable access to a quarantine network even after authentication.
In addition, the present invention makes it possible to switch the network through which packets are relayed before and after authentication without changing the network to which the terminal belongs, making it unnecessary to change the IP address before and after authentication, and improving the IP address utilization efficiency. One of the purposes is to improve and enable access to the authentication network even after authentication.

  In response to an ARP (Address Resolution Protocol) request sent by the terminal to obtain the MAC (Media Access Control) address of the gateway of the L3 (Layer 3) switch, the L2 (Layer 2) switch uses the MAC address of the L2 switch as an ARP response. Send to the terminal. As a result, the destination MAC address of the packet that goes through the gateway for the terminal to communicate outside the subnet to which it belongs is the MAC address of the L2 switch, and the L2 switch can determine whether it is destined for the gateway only by the destination MAC address of the received packet. It becomes. When receiving a packet whose destination MAC address is the L2 switch, the L2 switch changes the relay destination network according to the authentication state of the terminal. The packet of the unauthenticated terminal is relayed to the gateway of the L3 switch of the authentication network, and the packet of the authenticated terminal is relayed to the gateway of the L3 switch of the business network. The L3 switch here is an apparatus that can have an independent routing table for each network. The L3 switch that receives a transmission packet from a terminal relays the packet according to the received routing table of the network of the gateway. By not having a route addressed to the business network in the routing table of the authentication network, a packet addressed to the business network from an unauthenticated terminal is discarded as an unknown destination on the L3 switch. A route addressed to the network and the business network is provided, so that the L3 switch can relay to each network regardless of whether a packet addressed to the authentication network or the business network is transmitted from the authenticated terminal. By switching the relay destination as a proxy of the gateway by the L2 switch, the terminal does not need to change the IP subnet to which the terminal belongs before and after authentication.

  For packets addressed to the terminal network from the authentication network and the business network, the L3 switch relays the terminal network to the terminal network in the routing table of the L3 switch of the authentication network and the business network, and passes through the L2 switch. To be sent to the terminal.

According to the first solution of the present invention,
In a network system comprising: a first network to which a terminal belongs; a second network to which an authentication server belongs; and one or more third networks to which a server accessible by the authenticated terminal belongs, A packet relay apparatus belonging to each of the first to third networks,
A plurality of interfaces corresponding to the first to third networks;
The identification information of the first to third networks, the address information of the corresponding network gateway, and output information including output interface information and / or output destination address information for transmitting packets to the gateway are stored. Gateway management table,
Corresponding to the address information of the terminal after authentication, a relay table that stores at least the identification information and output information of the third network permitted to communicate by the authentication;
According to the relay table, when a packet is received from the terminal belonging to the first network that is not permitted to communicate with the third network, the packet is relayed to the gateway of the second network, and the third network A packet processing unit that relays to the gateway of the third network when a packet is received from the terminal that is allowed to communicate with the network of
A packet relay device is provided in which output information corresponding to the third network stored in the gateway management table is stored in output information corresponding to the third network in the relay table.

According to the second solution of the present invention,
A first packet relay device that is the packet relay device described above;
A second packet relay device connected to the first packet relay device via the first to third networks;
With
The second packet relay device is
Function as a gateway in the first and second and third networks;
A first transfer route table having a transfer route to the first network, and the first transfer route table is used for transferring a packet received by the first network;
A second transfer route table having transfer routes to the first network and the second network, and the second transfer route table is used for transfer processing of packets received by the second network; ,
One or more third transfer path tables having transfer paths to the first network, the second network, and one or more third networks, the third transfer path table being the third network; Used to transfer packets received on other networks,
When the first packet relay apparatus receives a transmission packet from the terminal belonging to the first network to a device belonging to other than the first network, the packet is transmitted to the second or second packet according to the relay table. Relay to network 3
When the second packet relay device receives a transmission packet from a device belonging to the second or third network to the terminal belonging to the first network, the second transfer route table and the second A network system is provided that relays the packet to the first network according to any one of the three transfer path tables.

According to the present invention, it is not necessary to change the IP subnet before and after authentication in the dynamic VLAN, and it is possible to access the quarantine network even after authentication.
In addition, according to the present invention, it is possible to switch the network through which packets are relayed before and after authentication without changing the network to which the terminal belongs, making it unnecessary to change the IP address before and after authentication, and the efficiency of using IP addresses. And it is possible to access the authentication network even after authentication.

The network block diagram in 1st Embodiment. Packet format used in the first embodiment. Explanatory drawing of the L2 switch internal structure in 1st Embodiment. Explanatory drawing of the data hold | maintained in L2 switch in 1st Embodiment. The packet reception flow of the L2 switch in 1st Embodiment. Explanatory drawing of the routing table of L3 switch in 1st Embodiment. The network block diagram in 2nd Embodiment. Explanatory drawing of the data hold | maintained in L2 switch in 2nd Embodiment. Explanatory drawing of the additional routing table in 2nd Embodiment.

1. First Embodiment In this embodiment, an operation example when realizing an authentication network system is shown.
FIG. 1 shows a network configuration diagram for explaining the present embodiment.
1 includes a terminal network 101 to which a terminal 111 and a DHCP server (address assignment server, network information setting server) 141 belong, an authentication network 102 to which an authentication server 142 belongs, and a business network 103 to which a business server 143 belongs. Including three networks. The L2 switch 121 and the L3 switch 131 belong across the three networks.

  The terminal network 101 is composed of, for example, a VLAN “10” of the IP subnet 10.0.0.0/8, and the terminal 111 and the interface 121-1 of the L2 switch 121 are connected, and the interface 121-2 of the L2 switch 121 is connected. And the interface 131-1 of the L3 switch 131 are connected, and the interface 131-4 of the L3 switch 131 and the DHCP server 141 are connected.

  The authentication network 102 is composed of, for example, a VLAN “20” of the IP subnet 20.0.0.0/8, and the interface 121-3 of the L2 switch 121 and the interface 131-2 of the L3 switch 131 are connected to each other. The interface 131-5 of 131 and the authentication server 142 are connected.

  The business network 103 is composed of, for example, a VLAN “30” of the IP subnet 30.0.0.0/8, and the interface 121-4 of the L2 switch 121 and the interface 131-3 of the L3 switch 131 are connected to each other, and the L3 switch The interface 131-6 of 131 and the business server 143 are connected.

  As for the MAC address of each device (hereinafter, simply referred to as MAC), for example, the terminal 111 is MAC111, the L2 switch 121 is MAC121, the L3 switch 131 is MAC131, the DHCP server 141 is MAC141, the authentication server 142 is MAC142, The business server 143 is denoted as MAC 143. Also, the IP address (hereinafter sometimes simply referred to as IP) is dynamically allocated to the terminal 111. For example, the DHCP server is “10.0.0.4”, and the authentication server is “20.0.0”. .4 ”and“ 30.0.0.4 ”are assigned to the business server. The L2 switch 121 and the L3 switch 131 are assigned IP addresses in VLAN units. For example, the L2 switch 121 is “20.0.0.2” for the VLAN “20”, and the L3 switch 131 is “10” for the VLAN “10”. “20.0.0.3” is assigned to the VLAN “20”, and “30.0.0.3” is assigned to the VLAN “30”.

  A dotted line arrow in FIG. 1 represents a communication path for communication with a device on a network other than the terminal network 101 with which the terminal 111 before authentication can communicate. A solid line arrow indicates a communication path for communication with a device on a network other than the terminal network 101, with which the authenticated terminal 111 can communicate.

  The L3 switch 131 in FIG. 1 has a function having independent routing spaces in each of the terminal network 101, the authentication network 102, and the business network 103. This function is a function called VRF (Virtual Routing and Forwarding), and is implemented in general equipment as a known technique.

FIG. 2 shows a format in which only main fields of a packet used for communication in this embodiment are described.
Fields common to each packet are given the same reference numerals. The destination MAC 211 is the MAC address of the destination device in L2 communication, the source MAC 212 is the MAC address of the source device in L2 communication, the source MAC 221 is the MAC address of the ARP request source device, the source IP 222 is the IP address of the ARP request source device, and the target IP 223 is a field for storing the IP address of the target device for checking the MAC address, and target MAC 224 is a field for storing the MAC address for the target IP 223. The client MAC 231 is a field for storing the MAC address of a device that issues a DHCP request, the client IP 232 is an IP address assigned by DHCP, and the gateway IP 233 is a field for storing an IP address of a gateway distributed by DHCP. The source IP 213 is the IP address of the source device in the L3 communication, the destination IP 214 is the IP address of the destination device in the L3 communication, the L2 authentication data 251 is the account information necessary for authentication sent from the terminal 111 to the L2 switch 121, and the L2 authentication result 252 is an authentication result returned from the L2 switch 121 to the terminal 111, server authentication data 261 is account information necessary for authentication sent from the L2 switch 121 to the authentication server 142, and server authentication result 262 is an authentication result sent from the authentication server 142 to the L2 switch 121. , Is a field for storing.

Based on the above, the authentication network system will be described below.
FIG. 3 shows the internal structure of the L2 switch 121.
The L2 switch 121 includes an interface 311-i (i: an integer from 1 to n), a packet transmission / reception unit 312, an FDB learning unit 313, a packet type determination unit 314, a packet processing unit, and a main storage (main storage unit). 331. The packet processing unit includes a forwarding unit 321, a CPU unit 322, an inter-network relay unit 323, and a gateway processing unit 324. The main memory 331 includes a MAC table 332, a GW management table 333, and a relay table 334.

  A packet received by each interface 311-i is sent to the FDB learning unit 313 via the packet transmission / reception unit 312. The FDB learning unit 313 updates the MAC table 332 with the received packet information, and sends the received packet to the packet type determining unit 314. The packet type determination unit 314 sends the received packet to any of the forwarding unit 321, the CPU unit 323, the inter-network relay unit 323, and the gateway processing unit 324 according to the received packet information.

  The forwarding unit 321 transmits a packet via the packet transmission / reception unit 312 while referring to and updating the contents of the MAC table 332 stored in the main memory 331. The CPU unit 322 refers to and updates the contents of a GW (Gateway, gateway) management table 333 and a relay table 334 stored in the main memory 331, and transmits a packet via the packet transmission / reception unit 312. The inter-network relay unit 323 refers to the contents of the relay table 334 stored on the main memory 331 and transmits a packet via the packet transmission / reception unit 312. The gateway processing unit 324 refers to and updates the GW management table 333 based on the contents of the received DHCP packet or ARP packet, and transmits the packet via the forwarding unit 321 or directly via the packet transmission / reception unit 312. The solid arrows in FIG. 3 indicate the packet flow, and the dotted arrows indicate reference / update of the main memory 331.

FIG. 4 shows the contents of various tables that the L2 switch 121 has in the main memory 331.
The MAC table 410 shown in FIG. 4A corresponds to the contents of the MAC table 332, and is a table for determining the destination interface according to the VLAN of the interface that received the packet and the destination MAC 211 of the received packet. In the initial state, there is no registration entry in the MAC table 410. For example, the MAC table 410 stores a VLAN identifier 411, a destination MAC address 412, and an output interface identifier 413 corresponding to each other.

  The GW management table 420 shown in FIG. 4B corresponds to the contents of the GW management table 333, and includes the gateway VLAN identifier 421 representing the VLAN to which the L2 switch 121 in each network belongs, and the gateway IP address in the gateway VLAN 421. It includes an entry array including a gateway IP 422 that represents, an output interface identifier 423 that represents an interface connected to the gateway of the gateway VLAN 421, and an output MAC 424 that represents the MAC address of the gateway of the gateway VLAN 421.

  In the initial state, the IP address of each VLAN of the L3 switch 131 is set as the IP address of the gateway in each network of VLAN “10”, “20”, “30”. 4B, and the second entry has the IP address of the L3 switch 131 of VLAN “20” being 20.0.0.3, so that the gateway VLAN 421 is “20” and the gateway The IP 422 is set to “20.0.0.3”. Similarly, the third entry is set. Here, “indefinite” indicates that the problem is solved dynamically. The value in parentheses represents the value after being updated in the subsequent processing. Since the first entry is for VLAN “10”, the gateway VLAN 421 may be set to “10” and the gateway IP 422 may be set to “10.0.0.3”. In this embodiment, the first entry is dynamically set by DHCP. In order to determine the IP address of the gateway, “undefined” is set.

  A relay table 430 shown in FIG. 4C corresponds to the contents of the relay table 334, and a source MAC 431 indicating a MAC address for identifying a terminal, and an output VLAN indicating a relay destination VLAN of a packet transmitted from the terminal to the gateway. This is a table including an identifier 432 of an output interface, an identifier 433 of an output interface representing an interface to transmit, and an output MAC 434 representing a MAC address of a destination gateway. As an initial state, there is no registration entry.

Next, the L3 switch will be described.
As the L3 switch 131, a device realized by a known technique can be used. Therefore, detailed description of the operation is omitted. The L3 switch 131 is a device having a VRF function, and has an independent routing space in each of the terminal network 101, the authentication network 102, and the business network 103. In each routing space, another routing space can be designated as a packet relay destination.

FIG. 6 shows a routing table in each routing space.
Each routing table (transfer route table) has an entry including a destination IP address, a mask length, and an identifier of the output VLAN.
The routing table 610 shows a routing table in the terminal network 101, and only the first entry exists as a route to the network to which the terminal 111 belongs in the initial state.

The routing table 620 shows a routing table in the authentication network 102, and has up to the second entry in the initial state. The first entry indicates a route addressed to the terminal network 101, and the second entry indicates a route addressed to the authentication network 102.
The routing table 630 shows a routing table in the business network 103, and has up to the third entry in the initial state. The first entry is for the terminal network 101, the second entry is for the authentication network 102, and the third entry is for the business network 103.

  Each routing table is set so that the output destinations addressed to 10.0.0.0/8 are the same. It is assumed that the L3 switch 131 relays the packet according to the routing table of the network that has received the received packet. When relaying, it is assumed that the MAC address of the neighboring device is resolved by ARP and relaying to the neighboring device is performed.

(Acquisition of IP address)
First, in order for the terminal 111 to acquire an IP address, the destination MAC 211 is “FF: FF: FF: FF: FF: FF”, the source MAC 212 is “MAC111” (the MAC address of the terminal 111), and the client MAC 231 is the DHCP of the MAC 111. Send a request packet. The L2 switch 121 receives the DHCP request packet through the interface 121-1.

FIG. 5 is a processing flow at the time of packet reception in the L2 switch 121.
In the flow of FIG. 5, double line items are processed by the inter-network relay unit 323, and dotted line items are processed by the gateway processing unit 324.
The L2 switch 121 that has received the DHCP request packet first performs processing of FDB (ForwardingDataBase) learning 511, and the identifier of the received interface 121-1 is displayed in the field of the output interface 413 in the MAC table 410, and the VLAN of the VLAN to which the interface belongs. An entry having the identifier “10” as the input VLAN 411 field and the transmission source MAC 212 of the received packet as the destination MAC 412 field is registered. The processing of the FDB learning 511 is performed by the FDB learning unit 313. Hereinafter, the VLAN to which the interface that received the packet belongs is expressed as a reception VLAN. The registered result is the content of the first entry in the MAC table 410 in FIG. Subsequently, the process proceeds to packet type determination 512.

  The packet type determination 512 is performed by the packet type determination unit 314. In the packet type determination 512, the processing is branched according to a packet that requires individual processing. Packets that require individual processing are determined in advance, and can be determined by an appropriate identifier in the packet, for example. In the case of a DHCP request packet, since individual processing is not necessary, the flow proceeds to FDB search transmission 513 processed by the forwarding unit 321 as “others”. In the FDB search transmission 513, an entry in which the input VLAN 411 matches the destination MAC 412 is searched from the MAC table 410 using the received VLAN and the packet destination MAC 211 as a key. At this time, since there is only the first entry, there is no entry in which the destination MAC 211 of the DHCP request packet matches “FF: FF: FF: FF: FF: FF”, so all the interfaces belonging to the received VLAN other than the received interface A process of transmitting the received packet (hereinafter referred to as flooding) is performed. In this embodiment, a DHCP request packet is transmitted from the interface 121-2. The DHCP request packet transmitted from the interface 121-2 is received by the L13 switch 131 through the interface 131-1.

  The L3 switch 131 that has received the DHCP request packet by the interface 131-1 relays the packet within the reception VLAN without referring to the routing table because the packet destination MAC 211 is not the MAC 131 (the MAC address of the L3 switch 131). In this example, it relays to the interface 131-4, and the DHCP server 141 receives the DHCP request packet.

  Upon receiving the DHCP request packet, the DHCP server 141 sets the destination MAC 211 to “MAC111”, the source MAC 212 to “MAC141” (the MAC address of the DHCP server 141), and the client IP 232 to “10.0.0.1” (to the terminal 111). (IP address to be assigned) and gateway IP 233 "10.0.0.3" (gateway IP address) DHCP response packet is transmitted. The DHCP response packet is received by the L3 switch 131 by the interface 131-4.

  The L3 switch 131 that has received the DHCP response packet performs packet relay in the reception VLAN in the same manner as the DHCP request packet reception. As a result, a DHCP response packet is transmitted from the interface 131-1. The DHCP response packet is received by the L2 switch 121 through the interface 121-2.

  The L2 switch 121 that has received the DHCP response packet updates the MAC table 410 by FDB learning 511 (FIGS. 4 and 511). As a result of the update, the second entry in FIG. 4A is created. Subsequently, in the packet type determination 512, since the received packet is a DHCP response packet, the process proceeds to “DHCP response” and gateway acquisition 521 is performed. In the gateway acquisition 521, the gateway processing unit 324 has the value of the gateway IP 233 included in the DHCP response packet, and the gateway VLAN 421 in the GW management table 420 is “undefined” in the first entry that matches the received VLAN “10”. The gateway IP 422 is updated.

  After obtaining the gateway 521, the process proceeds to FDB search transmission 513, and searches for an entry having a destination MAC 412 that matches the destination MAC 211 of the packet among the entries in which the input VLAN 411 of the MAC table 410 is the received VLAN “10” of the received packet. To do. At this time, since the first entry matches, the received packet is transmitted from the interface indicated by the output interface 413 of the matched entry. In this case, since it is the first entry of the MAC table 410, a DHCP response packet is transmitted from the interface 121-1. The terminal 111 receives the DHCP response packet transmitted from the interface 121-1.

  The terminal 111 that has received the DHCP response packet sets the IP address of the terminal 111 from the client IP 232 of the DHCP response packet to 10.0.0.1. In addition, the gateway IP233 (10.0.0.3) is stored as the gateway IP address.

(L2 switch table update)
The description up to this point has been made until the IP address assignment of the terminal 111 by DHCP is completed. However, the L2 switch 121 can output the output interface of the GW management table 420 in parallel with or prior to the IP address assignment by the DHCP of the terminal 111. 423, the output MAC 424, and the relay table 430 are updated. The update process will be described below.

  In the VLAN network of the gateway VLAN 421 “20” of the second entry in the GW management table 420, the L2 switch 121 sets the destination MAC 211 as “FF: FF: FF: FF: FF: FF” (broadcast address) and the source MAC 212 as “ MAC 121 ”(the MAC address of the own device), the source MAC 221 is“ MAC 121 ”, the source IP 222 is“ 20.0.0.2 ”, the target IP 223 is“ 20.0.0.3 ”(the IP stored in the gateway IP 422) ARP request packet (MAC address information acquisition request) to be an address. In this case, an ARP request packet is transmitted from the interface 121-3 belonging to the VLAN “20”. The ARP request packet is received by the L3 switch 131 at the interface 131-2, and as a response, the destination MAC 211 is “MAC121”, the source MAC212 is “MAC131”, the source IP222 is “20.0.0.3”, and the target IP223 ARP response packet (MAC address information acquisition response) with “20.0.0.3” as the target MAC 224 and “MAC 131” (the MAC address of its own device) as the target MAC 224 is transmitted from the interface 131-2.

  The L2 switch 121 determines that the packet type determination 512 is an ARP response addressed to the L2 switch 121 and performs the processing of the gateway ARP reception 541. The gateway ARP reception 541 searches the GW management table 420 for an entry in which the gateway VLAN 421 is the reception VLAN “20” and the gateway IP 422 matches the target IP 223 or the source IP 222 of the received packet. Different processing is performed depending on which of the target IP 223 and the source IP 222 matches. In this case, since the second entry matches the target IP 223, for the second entry, the interface 121-3 that received the ARP response packet is set as the output interface 423, and the value of the target MAC 224 of the ARP response packet is set as the output MAC 424. .

  Similarly, for the third entry, an ARP request packet is transmitted from the interface 121-4, and the reception interface of the received ARP response packet and the target MAC 224 are reflected in the third entry. The L2 switch 121 updates the GW management table 420 through the above processing. When these two ARP response packets are received, the FDB learning 512 creates the third and fourth entries of the MAC table 410. The first entry is also updated in the same manner as the second and third entries after the value of the gateway IP 422 is determined by receiving the DHCP response packet. Processing in the case where the source IP 222 of the received packet matches the gateway IP 422 in the gateway ARP reception 541 will be described later.

  Subsequently, the value of the second entry of the GW management table 420 corresponding to the VLAN “20” of the authentication network 102 that is a network to which an unauthenticated terminal is allowed to communicate is determined, so that the first entry of the relay table 430 is determined. An entry addressed to the authentication network 102 is created in the entry. In this case, “00: 00: 00: 00: 00: 00” is set in the transmission source MAC 431 as a value representing an arbitrary terminal, and the second entry of the GW management table 420 is set in the output VLAN 432, the output interface 433, and the output MAC 434. The gateway VLAN 421, the output interface 423, and the output MAC 424 are set.

(Access from unauthenticated terminal)
Next, access to the business network 103 by the terminal 111 will be described. At this point, since the terminal 111 has not been authenticated, the terminal 111 is in an unauthenticated state. In the unauthenticated state, the business network 103 cannot be accessed, and only the authentication network 102 can be accessed.

  The terminal 111 acquires the MAC address of the gateway in order to send a data packet to the business network 103 which is a different subnetwork. Therefore, the terminal 111 sets the destination MAC 211 to “FF: FF: FF: FF: FF: FF”, the transmission source MAC 212 to “MAC 111” (the MAC address of the terminal 111), the source MAC 221 to “MAC 111”, and the source IP 222 to “ An ARP request packet with 10.0.0.1 "and target IP 223" 10.0.0.3 "(gateway IP address distributed by DHCP) is transmitted. The ARP request packet is received by the L2 switch 121 at the interface 121-1.

  The L2 switch 121 that has received the ARP request packet performs the FDB learning 511, but since there is already an entry of the MAC 111 in the MAC table 410, the table is not updated here. In subsequent packet type determination 512, since the received packet is an ARP request packet, the process proceeds to “ARP request”, and gateway determination 551 is performed. In the gateway determination 551, the gateway processing unit 324 checks whether the source IP 222 or the target IP 223 of the ARP request packet matches the gateway IP 422 of the first entry in which the gateway VLAN 421 in the GW management table 420 matches the received VLAN “10”. In this case, since the target IP 223 matches with the IP address “10.0.0.3”, the process proceeds to “target IP match” and performs the gateway ARP response 552. In the gateway ARP response 552, an ARP response packet having the target MAC 224 as the MAC 121 (the MAC address of the L2 switch 121) is transmitted from the interface that has received the ARP request packet. In this case, the destination MAC 211 is “MAC 111”, the source MAC 212 is “MAC 121”, the source IP 222 is “10.0.0.3”, the target IP 223 is “10.0.0.3”, and the target MAC 224 is “MAC 121”. Is transmitted from the interface 121-1. The terminal 111 receives the ARP response packet. If the gateway determination 551 results in “mismatch”, the process proceeds to FDB search transmission 513, and flooding is performed on the reception VLAN “10” on the assumption that there is no entry matching the destination MAC 211 of the ARP request packet.

  The terminal 111 that has received the ARP response packet stores the MAC address of the gateway as “MAC121” from the target MAC 224 of the received packet. As a communication addressed to the business server 143, the terminal 111 sets “MAC 121” in which the destination MAC 211 is stored, the source MAC 212 is “MAC111”, the source IP 213 is “10.0.0.1”, and the destination IP214 is “30. A data packet “0.0.4” (IP address of the business server 143) is transmitted. The IP address of the business server 143 can be stored in the terminal 111 in advance. The data packet is received by the L2 switch 121 at the interface 121-1.

  In the packet type determination 512, the L2 switch 121 that has received the data packet proceeds to “own MAC” because the destination MAC 211 of the data packet is the MAC address “MAC121” of the L2 switch, and performs inter-network relay 561. In the inter-network relay 561, the inter-network relay unit 323 searches the relay table 430 for an entry of the transmission source MAC 431 that matches the transmission source MAC 212 of the data packet. If there is no entry that matches the transmission source MAC 431, it is considered that the entry of the transmission source MAC 431 “00: 00: 00: 00: 00” matches. In the case of the data packet here, it is considered that the data packet matches the first entry. Then, the L2 switch 121 updates the destination MAC 211 of the data packet to the value “MAC 131” of the output MAC 434 of the matching entry, and transmits it from the interface 121-3 of the output interface 433 of the matching entry. A data packet whose destination MAC 211 is MAC 131 is received by the L3 switch 131 by the interface 131-2. In this embodiment, the relay destination of the first entry is the VLAN “20” corresponding to the authentication network 102, but it may be implemented to discard without relaying. In this case, for example, if the output interface 433 is “undefined”, the output interface 433 of the first entry is set to “undefined” as being discarded.

The L3 switch 131 that has received the data packet determines that the packet to be received because the destination MAC 211 of the data packet is the MAC address “MAC131” of the L3 switch 131. Then, the routing table 620 is searched using the packet destination IP 214 as a key. Since there is no route in the routing table 620 that matches the destination IP 214 “30.0.0.4” of the data packet, the L3 switch 131 discards the received packet as an unknown destination.
As described above, in the unauthenticated state, since communication from the terminal 111 to the business server 143 is discarded by the L3 switch 131, communication between the terminal 111 and the business network 103 does not hold.

(Device authentication)
Next, an operation when the terminal 111 in an unauthenticated state accesses the authentication server 142 will be described.
First, the terminal 111 sets the destination MAC 211 to “MAC121”, the source MAC 212 to “MAC111”, the source IP 213 to “10.0.0.1”, and the destination IP214 to “20.0.0.4” (authentication server). Data packet) is transmitted. The IP address of the authentication server can be stored in the terminal 111 in advance. The data packet addressed to the authentication server 142 is relayed by the L2 switch 121 and received by the L3 switch 131 in the same procedure as the data packet addressed to the business server 143 described above.

In the L3 switch 131, since the second entry exists in the routing table 620 as a route that matches the destination IP 214 “20.0.0.4”, the L3 switch 131 authenticates the authentication network 102 by ARP. The MAC address of the server 142 is acquired, a data packet is transmitted from the interface 131-5 to the authentication server 142, and the authentication server 142 receives the data packet.
As described above, communication from the terminal 111 to the authentication server 142 is established.

  On the other hand, in the data packet addressed to the terminal 111 from the authentication server 142, the destination MAC 211 is “MAC 131”, the source MAC 212 is “MAC 142”, the source IP 213 is “20.0.0.4”, and the destination IP 214 is “10. 0.03 ", and the L3 switch 131 receives the data through the interface 131-5. The L3 switch 131 acquires the MAC address of the terminal 111 by ARP on the output VLAN 623 “10” of the first entry as a route addressed to “10.0.0.1” according to the routing table 620. The ARP at this time is performed via the L2 switch 121. The ARP request packet transmitted by the L3 switch 131 is “MAC 131” for the source MAC 221 and “10.0.0.3” for the source IP 222. The MAC address of the gateway whose address is “10.0.0.3” is re-stored as “MAC131”, and the packet sent from the terminal 111 to the gateway can be correctly relayed to the other network by the L2 switch 121. Disappear. Therefore, the L2 switch 121 performs the following processing in the ARP packet relay of the L3 switch 131.

  First, the L3 switch 131 transmits an ARP request packet from an interface belonging to the VLAN “10” in order to perform ARP on the VLAN “10”. In this case, the interface 131-4 is included, but it is omitted because there is no response terminal. In the ARP request packet transmitted from the interface 131-1, the destination MAC 211 is “FF: FF: FF: FF: FF: FF”, the source MAC 212 is “MAC131” (the MAC address of the L3 switch 131), and the source MAC 221 is “ The MAC 131 ”, the source IP 222 becomes“ 10.0.0.3 ”, the target IP 223 becomes“ 10.0.0.1 ”, and the L2 switch 121 receives at the interface 121-2. In the L2 switch 121, in the gateway determination 551, the source IP 222 “10.0.0.3” is the GW management table 420 and the gateway IP 422 “10.0.0.3” of the first entry that is the reception VLAN “10”. ”, The process proceeds to the source IP match, and the gateway ARP transmission 553 is processed.

  The gateway ARP transmission 553 rewrites the received ARP request packet with information of the L2 switch 121 such as “MAC 121” for the source MAC 212 and “MAC 121” for the source MAC 221 and floods the received VLAN “10”. The ARP request packet rewritten from the interface 121-1 by flooding is transmitted and received by the terminal 111.

  Upon receiving the ARP request packet, the terminal 111 sets the destination MAC 211 to “MAC121”, the source MAC 212 to “MAC111”, the source IP 222 to “10.0.0.3”, and the target IP 223 to “10.0.0.1”. , An ARP response packet with the target MAC 224 as “MAC111” is transmitted. The L2 switch 121 that has received the ARP response packet determines that it is an ARP response addressed to itself, and performs the processing of the gateway ARP reception 541. In the gateway ARP reception 541, as described above, the entry corresponding to the target IP 223 “10.0.0.1” of the received packet is searched for in the entry of the received VLAN “10” in the GW management table 420, but it does not exist. Search for an entry for the gateway IP 422 that matches the source IP 222 “10.0.0.3”. In this case, since the first entry is applicable, the processing which has been described later in the processing of the gateway ARP reception 541 is performed. When the source IP 222 matches, the gateway ARP reception 541 rewrites the destination MAC 211 in the received ARP response packet to the output MAC 424 “MAC 131” of the matching entry, and rewrites it from the output interface 423 “interface 121-2” of the matching entry. ARP response packet is transmitted. The ARP response packet transmitted from the interface 121-2 is received by the L3 switch 131 at the interface 131-1, and the L3 switch 131 receives the target IP 223 “10.0.0.1” and the target MAC 224 “MAC 111” of the ARP response packet. Then, the MAC address of the device having the IP address “10.0.0.1” is stored as “MAC111”.

  As described above, when the L2 switch 121 modifies the ARP packet relay processing for the terminal 111 of the L3 switch 131, the L3 switch 131 correctly stores the MAC address of the terminal 111, and the MAC address of the gateway of the terminal 111 Can be prevented from being updated to unintended values.

  The L3 switch 131 that has acquired the MAC address of the terminal 111 by ARP transmits the data packet by rewriting the destination MAC 211 to “MAC 111” from the interface 131-1. The data packet is received by the L2 switch 121 through the interface 121-2. The L2 switch 121 determines “other” in the packet type determination 512, performs FDB search transmission 513, and transmits a data packet from the interface 121-1 from the contents of the first entry matched by the search. The terminal 111 receives the data packet. As described above, communication from the authentication server 142 to the terminal 111 is established, and communication between the unauthenticated terminal and the authentication network 102 is established.

Next, the operation in the authentication process is shown.
In order to access the business network 103, the terminal 111 in the unauthenticated state has a destination MAC 211 of “MACL2” (indicating an L2 authentication request and response), a source MAC 212 of “MAC111”, and a user of L2 authentication data 251 An L2 authentication request packet containing account information such as name and password is transmitted. Upon receiving the L2 authentication request packet, the L2 switch 121 proceeds to “L2 authentication request” in the packet type determination 512 and processes the authentication request 571. In the authentication request 571, for example, the CPU unit 322 sets the destination MAC 211 to “MAC 142” (the MAC address of the authentication server 142), the transmission source MAC 212 to “MAC 121”, and the transmission source IP 213 to “20.0.0.2” (of the L2 switch). The IP address of the VLAN “20”), the destination IP 214 is “20.0.0.4” (the IP address of the authentication server 142), the server authentication data 261 includes the MAC address “MAC111” of the terminal 111, the user name, the password, and the like A server authentication request packet including the account information is transmitted from the interface 121-3.

  The L3 switch 131 that has received the server authentication request packet relays the server authentication request packet to the authentication server 142 in the reception VLAN because it is not communication outside the network. In response to the received server authentication request packet, the authentication server 142 sets the destination MAC 211 to “MAC121”, the source MAC 212 to “MAC142”, the source IP 213 to “20.0.0.4”, and the destination IP214 to “20.0. 0.2 ”, a server authentication response packet including data indicating“ authentication permitted ”in the server authentication result, the MAC address“ MAC111 ”of the terminal 111 indicating the permitted terminal, and the access destination VLAN“ 30 ”after authentication. Send. The L3 switch 131 relays the server authentication response packet to the interface 131-2 without referring to the routing table.

In the packet type determination 512, the L2 switch 121 proceeds to “server authentication response” and performs authentication processing 572. In the authentication processing 572, since the content of the server authentication result 262 in the server authentication response packet is “authentication permitted”, the MAC address “MAC111” of the terminal included in the server authentication result 262 and the access destination VLAN “30” after authentication are included. Are set in the transmission source MAC 431 and the output VLAN 432 of the second entry of the relay table. Further, the output interface 423 “121-4” of the entry in the GW management table 420 of the gateway VLAN 421 that matches the output VLAN 432 of the second entry is set to the output interface 433, and the output MAC 424 “MAC131” is set to the output MAC 434. The destination MAC 211 is “MACL2” (indicating the L2 authentication request and response), the source MAC 212 is “MAC121”, and the L2 authentication result 252 includes data indicating “authentication permitted”. Send more. The terminal 111 receives the transmitted L2 authentication response packet, and the terminal 111 determines that access to the business network 103 is possible.
Through the authentication processing described above, a new entry is created in the relay table 430 of the L2 switch 121, and access to the business network 103 from the terminal 111 becomes possible.

(Access to authenticated terminals)
Next, access to the business server 143 by the authenticated terminal 111 will be described.
The terminal 111 needs to acquire the MAC address of the gateway in order to access the business server 143, but since it has already been acquired, the destination MAC 211 is “MAC121”, the source MAC 212 is “MAC111”, and the source IP 213 is A data packet having “10.0.0.1” and a destination IP 214 of 30.0.0.4 (IP address of the business server 143) is transmitted. The data packet is received by the L2 switch 121 at the interface 121-1.

  The L2 switch 121 that has received the data packet has an entry that sets the source MAC 431 as “MAC111” as the second entry in the relay table 430 in the inter-network relay 561, so that the destination MAC 211 of the data packet is changed to the relay table 430. The output MAC 434 “MAC 131” of the second entry is rewritten, and the data packet is transmitted from the interface “121-4” of the output interface 433. The data packet having the destination MAC 211 of “MAC 131” is received by the L3 switch 131 through the interface 131-3.

The L3 switch 131 that has received the data packet of the MAC 131 as the destination MAC 211 relays according to the routing table 630. Unlike the routing table 620, the routing table 630 has a route addressed to the business server 143 and relays it without discarding it. As a result, communication addressed to the business server 143 from the terminal 111 is established. When the business server 143 transmits a data packet to the terminal 111, the L3 switch 131 sends the data packet with the destination IP 214 of “10.0.0.1” according to the routing table 630 and ARP in the VLAN “10”. The MAC address of the terminal 111 is acquired, and the data packet is relayed to the terminal 111.
As described above, communication between the authenticated terminal 111 and the business server 143 is established.

  On the other hand, when the authenticated terminal 111 accesses the authentication server 142, as in the case of access to the business server 143, the routing table 630 of the L3 switch 131 has a route addressed to the authentication network 102. The Further, the processing from the authentication server 142 to the terminal 111 is processed in the same manner as in the unauthenticated state, and is correctly relayed to the terminal 111.

  As described above, the terminal 111 in the unauthenticated state is allowed to access only the authentication network 102 and cannot access the business network 103, but the terminal 111 in the authenticated state accesses the business network 103. And the access to the authentication network 102 can be continued. In addition, when the authentication state is changed, it is not necessary to change the IP address as in the case of the dynamic VLAN. Therefore, it is not necessary to divide the subnet that accommodates the terminal before and after the authentication, and the IP address utilization efficiency can be improved. It becomes possible.

2. Second Embodiment The first embodiment is a case where there is one business network, but a configuration is considered in which networks accessible after authentication by a terminal are separated.
In this example, for the configuration in which, for example, the development network 104 is added to the configuration of the first embodiment as a network that can be accessed after authentication, a network that can be accessed after the terminal 111 is authenticated is the business network 103 only. , A case where only the development network 104 is used, and a case where the business network 103 and the development network 104 are used. In addition to the business network 103 and the development network 104, an appropriate network may be used, and not limited to two, there may be a plurality of appropriate networks.

In the description of this example, only differences from the first embodiment will be described.
FIG. 7 is a network configuration diagram in which a development network 104 and an integrated network 105 are added to the network configuration of FIG.
The development network 104 is configured with a VLAN “40” of the IP subnet 40.0.0.0/8. The interface 121-5 of the L2 switch 121 and the interface 131-7 of the L3 switch 131 are connected to each other. The interface 131-8 and the development server 144 are connected.

  The integrated network 105 is configured by VLAN “50” of the IP subnet 50.0.0.0/8, and the interface 121-6 of the L2 switch 121 and the interface 131-9 of the L3 switch 131 are connected to each other.

  FIG. 8 is obtained by adding an entry for the second embodiment to the GW management table 420 of the first embodiment. In the gateway VLAN 421 and the gateway IP 422 of the GW management table 820 in FIG. 8, the fourth entry includes the VLAN and gateway IP address of the development network 104, and the fifth entry includes the VLAN and gateway IP address of the integrated network 105. Each is set. When the output interface 423 and output MAC 424 of the second and third entries of the first embodiment are resolved, the output interface 423 and output MAC 424 of the fourth and fifth entries are also resolved.

  FIG. 9 shows a routing table 910 in the development network 104 of the L3 switch 131 and a routing table 920 in the integrated network 105 according to the second embodiment.

  The first entry of the routing table 910 indicates the route to the network to which the terminal 111 belongs, the second entry to the network to which the authentication server 142 belongs, and the third entry to the network to which the development server 144 belongs.

  The first entry of the routing table 920 is for the network to which the terminal 111 belongs, the second entry is for the network to which the authentication server 142 belongs, the third entry is for the network to which the business server 143 belongs, and the fourth entry is for the development server 144. Indicates the route to the network to which the belongs.

First, when the terminal 111 is allowed to access only the business network 103 after authentication, it is the same as in the first embodiment, and is omitted.
Next, a case where the terminal 111 can access only the development network 104 after authentication will be described.

  In the server authentication result 262 in the server authentication response packet returned by the authentication server 142 in the first embodiment, the post-authentication access destination VLAN is returned as “40”. As a result, the relay destination VLAN of the L2 switch 121 is “40”, and relaying according to the routing table 910 is performed in the routing of the VLAN “40” of the L3 switch 131. Since only the route registered in the routing table 910 is relayed, only the development network 104 is added as an accessible network after authentication.

Finally, when the terminal 111 can access a plurality of networks of the business network 103 and the development network 104 after authentication.
In the server authentication result 262 in the server authentication response packet returned by the authentication server 142 in the first embodiment, the post-authentication access destination VLAN is returned as “50”. As a result, the relay destination VLAN of the L2 switch 121 becomes “50”, and the relay according to the routing table 920 is performed in the routing of the VLAN “50” of the L3 switch 131. Since only the route registered in the routing table 920 is relayed, the business network 103 and the development network 104 are added as accessible networks after authentication.

  As described above, the L3 switch 131 creates an individual routing table, and the L2 switch 121 relays it to an appropriate routing space, whereby the accessible network after authentication can be changed by the terminal.

  The present invention can be used for an authentication network, for example.

101 Terminal Network 102 Authentication Network 103 Business Network 104 Development Network 105 Integrated Network 111 Terminal 121 L2 Switch 121-1, 121-2, 121-3, 121-4, 121-5, 121-6 L2 Switch Interface 131 L3 Switch 131-1, 131-2, 131-3, 131-4, 131-5, 131-6, 131-7, 131-8, 131-9 L3 switch interface 141 DHCP server 142 Authentication server 143 Business server 144 Development Server 211 Destination MAC
212 Source MAC
213 Source IP
214 Destination IP
221 Source MAC
222 Source IP
223 Target IP
224 Target MAC
231 Client MAC
232 Client IP
233 Gateway IP
241 IP data 251 L2 authentication data 252 L2 authentication result 261 Server authentication data 262 Server authentication result 311-i Interface 312 Packet transmission / reception unit 313 FDB learning unit 314 Packet type determination unit 321 Forwarding unit 322 CPU unit 323 Inter-network relay unit 324 Gateway processing 331 Main memory 332, 410 MAC table 411 Input VLAN
412 Destination MAC
413 Output interface 333, 420, 910 GW management table 421 Gateway VLAN
422 Gateway IP
423 Output interface 424 Output MAC
334, 430 Relay table 431 Source MAC
432 output VLAN
433 Output interface 434 Output MAC
511 FDB learning 512 Packet type determination 513 FDB search transmission 521 Gateway acquisition 541 Gateway ARP reception 551 Gateway determination 552 Gateway ARP response 561 Inter-network relay 571 Authentication request 572 Authentication processing 710, 720, 730, 1010, 1020 Routing tables 711, 721, 731, 1011, 1021 Destination IP
712, 722, 732, 1012, 1022 Mask length 713, 723, 733, 1013, 1023 Output VLAN

Claims (9)

In a network system comprising: a first network to which a terminal belongs; a second network to which an authentication server belongs; and one or more third networks to which a server accessible by the authenticated terminal belongs, A packet relay apparatus belonging to each of the first to third networks,
A plurality of interfaces corresponding to the first to third networks;
The identification information of the first to third networks, the address information of the corresponding network gateway, and output information including output interface information and / or output destination address information for transmitting packets to the gateway are stored. Gateway management table,
Corresponding to the address information of the terminal after authentication, a relay table that stores at least the identification information and output information of the third network permitted to communicate by the authentication;
According to the relay table, when a packet is received from the terminal belonging to the first network that is not permitted to communicate with the third network, the packet is relayed to the gateway of the second network, and the third network A packet processing unit that relays to the gateway of the third network when a packet is received from the terminal that is permitted to communicate with the network of
With
Output information corresponding to the third network stored in the gateway management table is stored in output information corresponding to the third network in the relay table;
The packet processing unit
When the address information of the gateway of the first network transmitted from the device belonging to the first network to the terminal belonging to the first network is received, the identifier of the first network correspondingly, Rupa packet relay apparatus to register the gateway address information of the first network to the gateway management table. The packet processing unit
When the MAC address information acquisition request for the gateway address information is received from the terminal and the gateway address information is stored in the gateway management table, the MAC address of the own packet relay device is transmitted to the terminal as a response. ,
The terminal receives a packet for transmission to a network other than the first network that has been transmitted with the MAC address of the packet relay device included in the response as a destination;
The packet according to claim 1, wherein when the destination MAC address of the packet is the MAC address of the own packet relay device, the packet is determined as a packet to be transmitted to the second or third network, and the packet is relayed according to the relay table. Packet relay device. In a network system comprising: a first network to which a terminal belongs; a second network to which an authentication server belongs; and one or more third networks to which a server accessible by the authenticated terminal belongs, A packet relay apparatus belonging to each of the first to third networks,
A plurality of interfaces corresponding to the first to third networks;
The identification information of the first to third networks, the address information of the corresponding network gateway, and output information including output interface information and / or output destination address information for transmitting packets to the gateway are stored. Gateway management table,
Corresponding to the address information of the terminal after authentication, a relay table that stores at least the identification information and output information of the third network permitted to communicate by the authentication;
According to the relay table, when a packet is received from the terminal belonging to the first network that is not permitted to communicate with the third network, the packet is relayed to the gateway of the second network, and the third network A packet processing unit that relays to the gateway of the third network when a packet is received from the terminal that is permitted to communicate with the network of
With
Output information corresponding to the third network stored in the gateway management table is stored in output information corresponding to the third network in the relay table;
The packet processing unit
Transmitting MAC address information acquisition requests for the address information of the gateways of the first to third networks stored in the gateway management table, respectively, through the first to third networks, and including the MAC address information of the gateways; wherein receiving the respective response of the MAC address information acquisition request, the identifier of the interface received, as output information and the MAC address information of the gateway included in the received response, updates to Rupa packet relay apparatus the gateway management table . The packet processing unit
From the authentication server belonging to the second network, a packet including the address information of the terminal belonging to the first network and the identification information of the network permitting communication is received and the authentication result is transmitted to the terminal 2. The packet relay device according to claim 1, wherein address information of the terminal and identification information of a network that permits communication are extracted and registered in the relay table. In a network system comprising: a first network to which a terminal belongs; a second network to which an authentication server belongs; and one or more third networks to which a server accessible by the authenticated terminal belongs, A packet relay apparatus belonging to each of the first to third networks,
A plurality of interfaces corresponding to the first to third networks;
The identification information of the first to third networks, the address information of the corresponding network gateway, and output information including output interface information and / or output destination address information for transmitting packets to the gateway are stored. Gateway management table,
Corresponding to the address information of the terminal after authentication, a relay table that stores at least the identification information and output information of the third network permitted to communicate by the authentication;
According to the relay table, when a packet is received from the terminal belonging to the first network that is not permitted to communicate with the third network, the packet is relayed to the gateway of the second network, and the third network A packet processing unit that relays to the gateway of the third network when a packet is received from the terminal that is permitted to communicate with the network of
With
Output information corresponding to the third network stored in the gateway management table is stored in output information corresponding to the third network in the relay table;
The packet processing unit
Included in the MAC information acquisition request when a MAC address information acquisition request for the address information of the terminal including the MAC address of the gateway device as request source MAC address information is received from the gateway of the first network the request source MAC address information rewritten to the MAC address information of the packet relay apparatus, it transmits to Rupa packet relay device to the terminal. The packet processing unit
When receiving a MAC address information acquisition response transmitted as a response from the terminal that has received the MAC address information acquisition request, the destination MAC address information included in the MAC address information acquisition response is used as the MAC address information of the gateway device. The packet relay device according to claim 5 , wherein the packet relay device is rewritten and transmitted to the gateway. In a network system comprising: a first network to which a terminal belongs; a second network to which an authentication server belongs; and one or more third networks to which a server accessible by the authenticated terminal belongs, A first packet relay device belonging to each of the first to third networks ;
A second packet relay device connected to the first packet relay device via the first to third networks;
With
The first packet relay device
A plurality of interfaces corresponding to the first to third networks;
The identification information of the first to third networks, the address information of the corresponding network gateway, and output information including output interface information and / or output destination address information for transmitting packets to the gateway are stored. Gateway management table,
Corresponding to the address information of the terminal after authentication, a relay table that stores at least the identification information and output information of the third network permitted to communicate by the authentication;
According to the relay table, when a packet is received from the terminal belonging to the first network that is not permitted to communicate with the third network, the packet is relayed to the gateway of the second network, and the third network A packet processing unit that relays to the gateway of the third network when a packet is received from the terminal that is permitted to communicate with the network of
With
Output information corresponding to the third network stored in the gateway management table is stored in output information corresponding to the third network in the relay table;
The second packet relay device is
Function as a gateway in the first and second and third networks;
A first transfer route table having a transfer route to the first network, and the first transfer route table is used for transferring a packet received by the first network;
A second transfer route table having transfer routes to the first network and the second network, and the second transfer route table is used for transfer processing of packets received by the second network; ,
One or more third transfer path tables having transfer paths to the first network, the second network, and one or more third networks, the third transfer path table being the third network; Used to transfer packets received on other networks,
When the first packet relay apparatus receives a transmission packet from the terminal belonging to the first network to a device belonging to other than the first network, the packet is transmitted to the second or second packet according to the relay table. Relay to network 3
When the second packet relay device receives a transmission packet from a device belonging to the second or third network to the terminal belonging to the first network, the second transfer route table and the second A network system that relays the packet to the first network according to any one of the three transfer path tables. The first packet relay device that has received a first packet addressed to a network other than the first network from an unauthenticated unauthenticated terminal belonging to the first network is the first network in the second network. Sending the packet to the second packet relay device;
The second packet relay device that has received the first packet is:
When the transfer route to the destination address of the first packet exists in the second transfer route table, the first packet is transmitted according to the transfer route; otherwise, the first packet is discarded,
The first packet relay device that has received a second packet addressed to a network other than the first network from an authenticated terminal that has been authenticated belonging to the first network receives a second packet from the third network. To the second packet relay device,
The second packet relay device that has received the second packet
If the transfer route to the destination address of the second packet is present in the third transfer path table, transmits the second packet according to the forwarding path, and if not, claim 7 to discard the second packet The network system described in 1. The third network is a network to which the first server belongs;
The network system includes:
A fourth network to which the second server belongs;
A fifth network for accessing both the first server and the second server;
The terminal is authenticated to access either or both of the third and fourth networks;
The second packet relay device is:
Having a fourth transfer route table having a transfer route to the fourth network, and using the fourth transfer route table for transferring a packet received by the fourth network;
A fifth transfer path table having transfer paths to both the third and fourth networks, and using the fifth transfer path table for transfer processing of packets received by the fifth network;
The first packet relay device includes:
When receiving a packet from the terminal that is allowed to communicate with the third and fourth networks, relay to the corresponding third and fourth networks,
The network system according to claim 7 , wherein when a packet is received from the terminal that is permitted to communicate with both the third and fourth networks, the network system relays the packet to the fifth network.

Images