JP5937563B2 - Communication base station and control method thereof - Google Patents

Description

  The present invention relates to communication technology. More specifically, the present invention relates to a communication base station for connecting a communication terminal such as a notebook PC or smart phone to a network.

  Hereinafter, description will be made using wireless communication as an example. However, the present invention can be applied regardless of whether it is wired communication or wireless communication.

  In recent years, an opportunity to connect to a network via wireless communication such as WiFi and access a remote office or the like is increasing. However, unauthorized access via the network is rampant, and it is necessary to realize safer communication means.

  In conventional wireless communication, a plurality of wireless terminals connected to one wireless base station (access point) generally use the same IP address range. As a result, communication between the plurality of wireless terminals is connected at the IP layer, and individual wireless terminals cannot be isolated at the IP layer. Further, even if a single access point uses service set identifiers (SSIDs) that are a plurality of logical access point identifiers, the same IP address or IP address is used between a plurality of wireless terminals connected to one SSID. Again, because the address range is allocated, individual wireless terminals cannot be isolated at the IP layer.

  As a result, the plurality of wireless terminals communicate via a network that is not logically separated. For example, the virtual lines are only separated from each other using the identifier of the transferred packet. As described above, in conventional wireless communication, there is no mechanism for separating communication between a plurality of wireless terminals that perform communication through the same wireless base station. Also, there is no mechanism that can easily increase the number of IP addresses that can be used in a radio base station or the IP address range. Such a technical situation causes a problem in the safety of wireless communication.

  When searching for prior art documents that may be related to the present invention, the following three patent documents were found. However, Patent Document 1 differs from the present invention in that a call identifier is used instead of a terminal-specific identifier. Further, the invention described in Patent Document 1 does not have a mechanism for paying out an IP address or an IP address range. Patent Document 2 is a method in which a plurality of radio base stations are connected to a network having a ring configuration, and a logical line (virtual line) using ATM or the like is constructed between the radio base stations, which is different from the present invention. . Furthermore, Patent Document 3 is a mechanism for receiving a virtual circuit identification from a wireless terminal and managing the virtual circuit using an OAM cell, which is different from the present invention.

  In addition, although not published, <http://www.connect802.com/download/aruba/AP-2E.pdf> describes products available from Aruba Networks in the United States. Has been made. This document describes a technique for constructing a tunnel in a management server (controller) using an IP level GRE tunnel from all wireless base stations in a centralized manner. However, this product of Aruba Networks is different from the present invention in that a virtual circuit cannot be created for each wireless terminal.

JP 06-086356 JP 07-212375 A JP 08-242231 A

  In order to solve the above-described problems in the conventional wireless communication, the present invention makes it possible to configure a closed network in which a plurality of wireless terminals connected to an AP can be logically closed, thereby ensuring the safety of wireless communication. The purpose is to improve the performance.

According to the present invention, when a plurality of communication terminals are connected to a network, the communication base station functions as an access point to the network, and a network address corresponding to a physical address that physically identifies each of the plurality of communication terminals. In response to communication requests received from multiple communication terminals and the network addresses corresponding to the physical addresses of the respective communication terminals included in the communication request. There is provided a communication base station comprising communication control means for forming a plurality of logically isolated communication lines through a network from each of a plurality of communication terminals using the network address .

  In such communication control means, the network path control and communication line bandwidth control functions are separated from network devices such as network switches, and are called SDN (Software Defined Network), which is a centralized management system using a controller such as a server. There are technologies that can be used. In the present invention, this SDN technology can also be used.

  According to the present invention, there is provided a communication base station characterized in that the communication control means described above further comprises means for assigning different IP addresses or IP ranges to a plurality of communication terminals.

  Still further, according to the present invention, means for forming a plurality of logical communication lines on a wide area IP network such as the Internet by configuring a plurality of logical communication lines formed on the network in a layer 3 such as VXLAN. A communication base station is further provided.

  Furthermore, according to the present invention, the apparatus further comprises means for forming a plurality of logical communication lines by configuring the plurality of logical communication lines formed on the network with a layer 2 such as VLAN or MPLS. A communication base station is provided.

Furthermore, according to the present invention, a plurality of communication terminals, a plurality of communication base stations that function as access points to the network when the plurality of communication terminals connect to the network, and the physical addresses of the plurality of communication terminals, In response to a communication request received from a plurality of communication terminals, a database in which network addresses corresponding to pairs of identification data of a plurality of communication base stations are stored, and each of the communication requests included in the communication request A network address corresponding to the physical address of the communication terminal and the identification data of the communication base station accessed by each communication terminal is obtained from the database, and the network is obtained from each of the plurality of communication terminals using the obtained network address. Communication control to form a plurality of logically isolated communication lines via Communication system comprising a stage, is provided.

According to the present invention, when a plurality of communication terminals are connected to a network, the communication base station functions as an access point to the network, and a network address corresponding to a physical address that physically identifies the plurality of communication terminals is stored. A communication base station comprising a communication database and communication control means for forming a plurality of communication lines logically isolated from each of a plurality of communication terminals via a network, the communication control Means for responding to communication requests received from a plurality of communication terminals, obtaining a network address corresponding to the physical address of each communication terminal included in the communication request from the database, and communication control means, wherein from each of the plurality of communication terminals using the acquired network address Ne Forming a plurality of communication lines that are logically isolated via network, the method comprising is provided.

  Furthermore, according to the present invention, there is provided a method characterized in that the communication control means described above further comprises means for assigning different IP addresses or IP address ranges to each of a plurality of communication terminals.

  Furthermore, according to the present invention, the above-described communication base station configures a plurality of logical communication lines formed on the network with a layer 3 such as VXLAN, thereby enabling a plurality of logical networks on a wide area IP network such as the Internet. There is provided a method characterized in that it further comprises means for forming a static communication line.

  Furthermore, according to the present invention, the communication base station described above forms a plurality of logical communication lines by configuring a plurality of logical communication lines formed on the network in a layer 2 such as VLAN or MPLS. A method is provided, further comprising means.

Furthermore, according to the present invention, a plurality of communication terminals, a plurality of communication base stations that function as access points to the network when the plurality of communication terminals connect to the network, and the physical addresses of the plurality of communication terminals, A database that stores network addresses corresponding to pairs of identification data of a plurality of communication base stations, and communication that forms a plurality of communication lines that are logically isolated from each of the plurality of communication terminals via the network. Each of the communication terminals included in the communication request in response to the communication request received from each of the plurality of communication terminals. physical address and each of the communication terminals corresponding to the set of identification data of the communication base stations accessing the Acquiring Tsu network address from a database, comprising: communication control means forms a plurality of communication lines that are logically isolated over a network from each of the plurality of communication terminals using the acquired network address, Is provided.

  Furthermore, according to the present invention, a computer program for causing a computer to execute the above-described method is provided.

  Furthermore, according to the present invention, there is provided a computer-readable storage medium storing the above-described computer program.

It is a block diagram which shows roughly the structure of Example 1 of this invention. In Example 1, it is a figure which shows the correspondence of the data stored in database DB connected to controller CTL. In Example 1, it is a figure which shows the correspondence of the data stored in another database DB connected to controller CTL. 2 is a diagram illustrating a configuration of a controller CTL in Embodiment 1. FIG. 1 is a configuration diagram of a radio base station AP in Embodiment 1. FIG. 3 is a configuration diagram of a flow DB in Embodiment 1. FIG. It is a figure which shows the data stored in the server in Example 1. FIG. 6 is a flowchart illustrating individual processing by the radio base station AP according to the first embodiment. 5 is a flowchart illustrating processing when assigning an IP address in the first embodiment. FIG. 6 is a sequence diagram of flow setting and IP address inquiry processing in the first embodiment. It is a block diagram which shows roughly the structure of Example 2 of this invention. It is a block diagram of router RT in Example 2. FIG. 6 is a configuration diagram of a switch DB in Embodiment 2. FIG. It is a block diagram which shows roughly the structure of Example 3 of this invention. It is a block diagram which shows roughly the structure of Example 4 of this invention. It is a block diagram which shows roughly the structure of Example 5 of this invention. In Example 5, it is a figure which shows the correspondence of the data stored in database DB connected to controller CTL. In Example 5, it is a figure which shows the correspondence of the data stored in another database DB connected to controller CTL. It is a block diagram which shows schematically another structure of Example 5 of this invention.

  FIG. 1 is a block diagram showing the configuration of the first embodiment of the present invention. Two different wireless terminals ND1 and ND2 access the wireless base station AP and connect to the servers SV1 and SV2 via the network. The situation is shown schematically. For example, wireless terminals ND1 and ND2, which are notebook PCs and smart phones, are connected to two different servers SV1 and SV2 via the network using the same wireless base station AP as an access point to the network. According to the present invention, communication from the wireless terminal ND1 to the server SV1 and communication from the wireless terminal ND1 to the server SV2 can be logically separated. In the following, a mechanism that enables logical separation of communication will be described using a specific embodiment.

First, the wireless terminal ND1 transmits a communication request to the wireless base station AP using WiFi communication such as IEEE802.1a (3G or LTE may be used). The radio base station AP acquires a MAC address for physically identifying the radio terminal ND1 from the received communication request, and allows the controller CTL to permit communication of the radio base station ND1 and a virtual circuit network that can be used by the radio base station ND1. Ask for an address .

  The controller CTL searches the database DB to determine whether or not the communication of the wireless terminal ND1 that has transmitted the communication request should be permitted, and returns the connection network address NETADDR1 of the wireless terminal ND1 to the wireless base station AP. NETADDR1 may be an IP address or a SIM header such as MPLS. The radio base station AP gives the network address NETADDR1 to the communication terminal ND1. In the case of NETADDR1, in the case of an address range composed of a plurality of network addresses, one network address is provided from the address range by the radio base station AP. As described above, the radio base station AP constructs a communication circuit that connects between the radio terminal ND1 and the SV1 having the same network address range, and the radio terminal ND1 and the server SV1 can communicate with each other. This communication circuit may be made in advance. Similarly, the wireless terminal ND2 can communicate with the server SV2. However, communications between a plurality of wireless terminals and a plurality of servers are logically isolated from each other. That is, the wireless terminal ND1 and the server SV1 cannot communicate with the wireless terminal ND2 and the server SV2.

The above process will be described in more detail. As shown in FIG. 2, the database DB connected (or built in) to the controller CTL has a MAC address of a wireless terminal that permits communication and a virtual that is used by a wireless terminal having the MAC address. The network address of the line and the port number used in the radio base station AP are stored in advance. The controller CTL searches the database DB using the MAC address as a key, acquires the corresponding network address and port number, and gives them to the radio base station AP.

When a network via the radio base station AP is configured using a virtual circuit, as shown in FIG. 3, the database DB includes a communication protocol that configures the virtual circuit, and its communication protocol. The network address (for example, L2 network virtualization identifier) of the virtual circuit to be used is managed in advance. When the wireless base station AP gives an IP address or an IP address range used by the wireless terminal ND1, the L3 network address range is managed in the DB. Thereby, the controller CTL, in response to the inquiry from the wireless base station AP based on the MAC address of the wireless terminal ND1, specifies the virtual circuit ID (virtualization identifier) to be used and the protocol type (virtualization protocol), If necessary, the IP address range assigned to the wireless terminal ND1 is transmitted to the wireless base station AP.

Next, details of the function of the controller CTL and the configuration of the database DB will be described. As shown in FIG. 4, the controller CTL includes a flow restriction generation device and a flow restriction transmission device. The database DB includes a MAC address / network address database in which the correspondence shown in FIG. 2 is stored and an L3 address allocation state database in which the correspondence shown in FIG. 3 is stored.

In response to an inquiry based on the MAC address from the radio base station AP, the controller CTL controls communication (flow) that can be used by the radio terminal ND1 by the flow restriction generation device. Specifically, a MAC address / network address database is used to generate a virtual circuit ID and port information used on the radio base station AP for the corresponding MAC address. The controller CTL transmits these pieces of information generated using the flow restriction transmitting device to the radio base station AP.

  When it is necessary to assign an IP address or an IP address range from the wireless base station AP to the wireless terminal ND1, the flow regulation generation device in the controller CTL searches the L3 address assignment state database and assigns the IP address to the wireless terminal ND1. An address or an IP address range is determined, and the assigned IP address or IP address range is transmitted from the flow restriction transmitter to the radio base station AP.

  Next, the operation of the radio base station AP based on the information transmitted from the CTL will be described. FIG. 5 is a configuration diagram of the radio base station AP. The wired port at the right end of FIG. 5 is connected to the servers SV1 and SV2, or communicates with the servers SV1 and SV2 via other network devices. The radio base station AP is connected to and communicates with the controller CTL via the control port, but may be connected to the CTL via a wired port as necessary. The wireless port communicates with a plurality of wireless terminals ND1 and ND2 via a wireless protocol such as WiFi. The virtual circuit ID and port number received from the CTL are recorded in the flow DB. The flow is managed by a virtual circuit ID and a port number used by each wireless terminal. Based on the virtual line ID recorded in the flow DB, a virtual line is formed by the L2 network virtualization apparatus. At this time, a virtual line is formed using the wired port as an output port. The configuration of the flow DB is shown in FIG.

  The IP address or IP address range received from the controller CTL is assigned to each wireless terminal via the L3 address assignment device. The assigned IP address or IP address range is used by the wireless terminal. When an unknown MAC address is received from a wireless terminal, the matching circuit requests communication permission, flow control, and new assignment of an IP address from the controller CTL via the control port. The matching circuit connects individual virtual lines and IP addresses to flows managed by the radio base station AP (flows recorded in the flow DB). As a result, communication can be performed in a logically isolated communication environment between each wireless terminal and a server corresponding to each wireless terminal, and communication security is greatly improved.

In the above description, an IP address or an IP address range is assigned from the controller CTL to the wireless terminals ND1 and ND2 via the wireless base station AP. However, the IP address or IP address range may be assigned by the servers SV1 and SV2. When the allocation by the server is performed, the data shown in FIG. 7 is stored in advance in the server. In this case, the network address and port information of the virtual line, which is flow information, are transmitted from the controller CTL to the radio base station AP, and the wireless terminal and the server are connected via the virtual line. Next, the IP address used for the server is inquired from the wireless terminal through a protocol such as DHCP, and the server uses the information shown in FIG. 7 to obtain the IP address based on the MAC address of the inquiring wireless terminal. Pay out.

  Although the outline of the operation of the radio base station AP according to the present invention has been described above, individual processing is shown in the flowchart of FIG. As shown in FIG. 8, when the AP receives a packet, it determines whether the reception port is from a wired port or a wireless port. When a packet is received from the wired port, it is determined whether or not the MAC address of the communication destination wireless terminal is registered by destination MAC rule matching processing. If the packet is not registered, the received packet is discarded. On the other hand, if it is registered for destination MAC rule matching, the header of the virtual network is removed (the tunnel of the virtual network is removed), and the packet is transmitted to the wireless port of the target wireless terminal.

  On the other hand, when a packet is received from the wireless port, if it is already registered by the source MAC rule matching, it is determined whether it is a request packet for assigning an IP address by address request packet processing, and the IP address If it is a request packet, an IP address or an IP address range is assigned by address assignment processing. If the received packet is not an address request packet, an L2 virtualization header is inserted and the packet is transmitted to the wired port for tunneling processing to the virtual network line.

  In addition, in the case of a packet that is not registered by the source MAC rule matching, the controller CTL is inquired of the MAC address, the flow rule is received, and the rule type is permitted to register the rule. If the rule type is rejected by the rule type, the packet is discarded.

  Further, FIG. 9 shows a processing flowchart for assigning an IP address. When an IP address or IP address range is requested from the access point AP to the controller CTL, an address request is issued to the CTL, and as a result, a response is received from the CTL. As a result of receiving the response, if the assignment of the IP address or the IP address range is successful, the address assignment information is transmitted to the wireless terminal. When allocation of an IP address or IP address range fails, response to the wireless terminal is canceled or allocation failure is notified by packet discard processing.

  Further, a sequence diagram of the flow setting and IP address inquiry processing is shown in FIG. The wireless terminal ND makes an address request after wirelessly connecting to the access point AP. The AP makes a MAC inquiry to the controller CTL using the ND MAC address information as a search / authentication key, and the flow rule is transmitted from the CTL to the AP. The flow rule is subjected to processing such as registration within the AP. Subsequently, the AP issues an address request to the CTL, and the CTL assigns an IP address or IP address range to the AP. Subsequently, an IP address or an IP address range is assigned to the ND from the AP. Subsequently, an access process from the ND to the server SV is started, and server access information is transmitted to the SV through the virtual network line or the like via the AP. A server response to the server access is transmitted from the SV to the AP, and the AP transmits the server response to the ND.

The first embodiment based on the network configuration of FIG. 1 has been described above. Next, the case of the second embodiment having a different network configuration shown in FIG. 11 will be described. The difference between the configuration of FIG. 11 and the configuration of FIG. 1 is that, in FIG. 11, a router RT, which is a network device, is connected to the radio base station AP, and servers SV1 and SV2 are connected to the router. The difference in the processing sequence is that the network address of the virtual circuit and the port to be used (virtualization protocol type information as required) are transmitted from the CTL to the RT as flow information set on the RT. It is. Then, a virtual line is formed between the AP and RT.

  In the second embodiment, the WiFi wireless terminal ND1 connects to the wireless base station AP using WiFi, 3G, or LTE wireless communication. The radio base station AP acquires the individual identification ID (MAC address) of the ND 1 using radio communication, and inquires the AP control system CTL about communication permission with the MAC address identified. The CTL determines the communication permission using the database DB in which the communication permission for each MAC address is registered, creates a logical tunnel between the AP and the router RT, and connects the server SV1 where the ND1 is located remotely to the Ethernet (registered trademark) or the like. It can be so. This tunnel may be created in advance. Instead of Ethernet, connection may be made at the VLAN or ATM line level.

  After ND1 and SV1 are connected at the Ethernet level, NETADDR1 is paid out from SV1 to ND1. NETADDR1 may be an IP address or a SIM header such as MPLS. In the case of an address range composed of a plurality of network addresses, NETADDR1 allows one network address to be paid out by the AP from the address range. In this way, the AP constructs a communication circuit that connects SV1 having the same network address range as ND1, and ND1 can communicate with server SV1. Similarly, the wireless terminal ND2 can communicate with the server SV2. However, as in the case of the first embodiment, in the second embodiment also, the ND1 and SV1 cannot communicate with the ND2 and SV2, and an isolated communication circuit can be constructed.

  FIG. 12 shows a configuration diagram of the router RT. Flow setting information is received from the CTL via the control port and stored in the switch DB. The configuration of the switch DB is shown in FIG. The RT has a plurality of SV ports. The L2 network virtualization apparatus configures a virtual line with the AP. The switching circuit connects each virtual circuit and an IP address to a flow managed by the AP (a flow recorded in the flow DB). This enables communication in a communication environment logically isolated between each wireless terminal and the server.

  FIG. 14 shows a third embodiment. In the second embodiment, the logical tunnel between the AP and the RT is composed of Ethernet, VLAN, or ATM, which is layer 2 on the OSI. In the third embodiment, the VXLAN is connected between the radio base station AP and the router RT. A logical tunnel is configured by layer 3 such as GRE. Even in such a case, according to the present invention, communication can be performed in a communication environment logically isolated between each wireless terminal and the server.

  FIG. 15 shows a fourth embodiment. The fourth embodiment realizes the functions of the second and third embodiments in a network composed of a plurality of APs and a plurality of RTs. Even in such a case, according to the present invention, communication can be performed in a communication environment logically isolated between each wireless terminal and the server.

The above is the contents described in Japanese Patent Application No. 2013-078487 filed on April 4, 2013 (hereinafter referred to as “prior application”). In the invention described in the previous application, as described above, the physical address of the communication terminal accessing the communication base station (access point) in order to form a plurality of logically isolated communication lines. It was characterized by using. However, the inventor continued further research and development activities after the previous application. As a result, the inventor is able to construct a more flexible network by simultaneously considering the access point identification data indicating which access point the communication terminal is accessing in addition to the physical address of the communication terminal. I found it possible. That is, it has been found that by using a combination of terminal information and access point information, an additional effect can be obtained in addition to the effect achieved by the invention described in the previous application. In the following, the new embodiment will be described.

FIG. 16 is a block diagram showing a schematic configuration of a fifth embodiment added in the present application. However, FIG. 16 shows a case where the first communication terminal and the second communication terminal access the same access point. In this case, when the first terminal ND1 connects to the access point AP, the access point AP uses the combination information of the MAC address of the first terminal ND1 and the data related to the access point AP that is itself to the controller CTL. Inquire. The controller CTL returns the connection network NETADDR1 to the access point AP based on the combination information of ND1 and AP obtained from the database DB. Then, the access point AP gives the IP address of NETADDR1 to the first terminal ND1. In this way, a communication line that connects the first communication terminal ND1 and the first server SV1 via the access point AP is constructed, and the first communication terminal ND1 and the first server SV1 communicate with each other. Is possible. The same applies to the second communication terminal ND2. Thus, in the case of FIG. 16, the first communication terminal ND1 and the second communication terminal ND2 are not simply distinguished from each other. Given what network address to the first communication terminal ND1 that is accessing the access point AP, or give any network addresses in the second communication terminal ND2 accessing the access point AP, but It becomes a problem. For example, even if the first communication terminal ND1 is the same, when accessing another access point AP ′, another network address may be given.

In the invention described in the previous application, the correspondence between the MAC address and the network address of the communication terminal stored in the database DB connected to the controller CTL is shown in FIG. Further, FIG. 3 shows a correspondence relationship regarding network addresses stored in another database. On the other hand, the correspondence in the case of the present Example which also considers the information regarding an access point is shown by FIG. 17 and FIG. In FIG. 17, the information regarding an access point is contained under the physical address of the terminal. As a specific example of the access point information, an IP address or a MAC address can be considered, and other management information may be used. FIG. 18 is the same as FIG.

Next, also in FIG. 19, a schematic configuration of the present embodiment is shown as a block diagram. However, although it is the same embodiment, FIG. 19 is different from FIG. 16 in the case where the same two communication terminals access different access points, in order to clarify the characteristic operational effects of this embodiment. It is an illustration. In the configuration of FIG. 19, when the first communication terminal ND1 connects to the first access point AP1, the first access point AP1 receives the MAC address of the first communication terminal ND1 and the data related to the first access point AP1. The controller CTL is inquired based on the combination information. The controller CTL returns the network address corresponding to the combination of the first communication terminal ND1 and the first access point AP1 obtained from the database DB to AP1. The first access point and the router RT use this network address to construct a communication line that connects the first communication terminal ND1 and the first server SV1. The first communication terminal ND1 sends an IP address payout request to the first server SV1, and the first server SV1 pays out an IP address to the ND1 in response to the request.

Next, the same first communication terminal ND1 is connected to the second access point AP2, which is another access point. In this case, the second access point AP2 makes an inquiry to the controller CTL based on the combination information of the MAC address of the first communication terminal ND1 and the data relating to the second access point AP1 that is itself. The controller CTL returns to AP2 a network address corresponding to the combination of the first communication terminal ND1 and the second access point AP2 obtained from the database DB. The second access point AP2 and the router RT use this network address to construct a communication line that connects the first communication terminal ND1 and the second server SV2. The first communication terminal ND1 sends an IP address issue request to the second server SV2, and in response to the request, the second server SV2 issues an IP address to the first communication terminal ND1.

Next, as in this embodiment, not only the physical address of the communication terminal but also the data related to the access point connected by the communication terminal is considered, and the network address is determined based on the set of these two data. What effects can be obtained will be described by giving some examples.

According to the present embodiment, firstly, it is possible to find unauthorized access that could not be found in the past. For example, the access point of WiFi generally has a communication distance of about 20 m, and even when the view is good, the limit is about 100 m. For this purpose, it is necessary to install access points in a plurality of locations such as a director's room, a reception room, a laboratory, and a business meeting room in an office in a building. For example, let's assume that there is a rule that an experiment engineer can access an in-house network only through an access point placed in a laboratory on the first floor. In this case, if there is a communication request via the access point of the board room on the 5th floor from a terminal that is said to be an experimental engineer's terminal, it must be rejected. In this example, (1) the terminal ID of the user (MAC address or individual identification number (for example, serial number, IMEI, MEID, CDN, and ICCID)), and (2) identification data (IP address, Unauthorized access is prevented by performing communication permission authentication processing using a combination of a MAC address and an individual identification number (for example, serial number, data path ID, ESSID, IMEI, MEID, CDN, and ICCID). It becomes possible. Note that the terminal and access point identification data listed here are merely examples, and other identification data may be used according to necessity or situation. In addition to an access point, unauthorized access can be found in the same way even in the case of an L2 switch or an L3 switch connected by wire.

  According to the present embodiment, secondly, the access state can be improved even when communication may still be difficult in the invention described in the previous application. In the invention described in the previous application, only the terminal is identified using a MAC address, a serial number, or the like. Therefore, the connection to the network is permitted or denied through identifying the terminal. In other words, since it is not possible to control the location where the terminal is currently located, it is impossible to control the connection only from the specific location. If authentication based on a set of a terminal and an access point according to the present embodiment is possible, access from a specific location (access point) can be permitted for a certain communication terminal. Conversely, only a specific communication terminal can be permitted for connection to a certain place (access point).

  According to the present embodiment, thirdly, the change of the personal department or charge in a certain company or organization can be appropriately reflected in the access authority. For example, in an office building of a company, there are development department 1 (1st floor) and development 2 department (9th floor), each of which is a mutually competitive customer (competitor car manufacturers A and B). ) System. It is assumed that the engineer S belongs to the Development Department 1 until the end of December 2013, and during that period, the operation was performed by connecting to the network only from the AP and L2 / L3 switch installed on the first floor. However, when the engineer S is transferred to the development 2 department from January 2014, it is necessary to change the operation to connect to the network only from the AP or L2 / L3 switch installed on the 9th floor. In such a case, according to the present embodiment, the organization to which the engineer X belongs and the use terminal are related and managed as a set of two data. With this management, information on the organization to which the user belongs is notified to the controller (CTL), and the access authority can be appropriately controlled.

In the invention described in the previous application, it is possible to construct a logically independent communication line using the physical address of the communication terminal. However, as described above, further consideration can be given to data relating to the access point, and by adopting a characteristic configuration in which the network address is determined using a set of the physical address of the terminal and the access point data, a further variety can be obtained. Flexible communication control that enables simple control.

Claims (4)

Multiple communication terminals,
A plurality of communication base stations functioning as access points for the plurality of communication terminals;
All combinations of physical addresses that physically identify each of the plurality of communication terminals and data that identify each of the plurality of communication base stations, and network addresses of networks that can be used by each of the combinations A database storing correspondences;
In response to a communication request received from one communication terminal of the plurality of communication terminals in one communication base station of the plurality of communication base stations, the physical address included in the communication request and the By obtaining a network address corresponding to a combination with data identifying the one communication base station that has received the communication request from the database, and providing the obtained network address to the one communication terminal, the 1 Communication control means configured to allow one communication terminal to communicate via the one communication base station and the network identified by the provided network address; By
A communication system that enables each of the plurality of communication terminals to communicate via a network logically isolated from each other. A plurality of communication terminals, a plurality of communication base stations that function as access points for the plurality of communication terminals, a physical address that physically identifies each of the plurality of communication terminals, and each of the plurality of communication base stations A database storing a correspondence relationship between a combination of data for identifying the network and a network address of a network that can be used by each of the combinations, and logical isolation from each of the plurality of communication terminals via the network A communication control means comprising a communication control means for forming a plurality of communication lines,
The communication control means is included in the communication request in response to a communication request received from one communication terminal of the plurality of communication terminals in one communication base station of the plurality of communication base stations. Obtaining from the database a network address corresponding to a combination of a physical address and data identifying the one communication base station that received the communication request;
The communication control means provides the acquired network address to the one communication terminal, whereby the one communication terminal communicates via a network identified by the provided network address. Including enabling steps,
A method of enabling each of the plurality of communication terminals to communicate via a network logically isolated from each other.   A computer program for causing a computer to execute the method according to claim 2.   A computer-readable storage medium in which the computer program according to claim 3 is stored.

Images