JPH09172450A - Address security control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To obtain an equipment preventing the unnecessary consumption of throughput by providing an address table, a detection means, a comparing means, a filtering means and a control means. SOLUTION: The port corresponding table 900 registers an address assigned to a communication terminal or a network by each port of a communication equipment. The detection means 100 detects a communication address from a data frame received by each port. The comparing means 200 compares the address detected by the detection means 100 and the address registered in the table 900. When the two addresses compared by the comparing means 200 coincide with each other than, the equipment transmits received data frame to a port connected with a communication destination address. On the other hand, the means 200 starts a part address filtering means 300 when the two addresses do not coincide with each other.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an address security control system in a communication device, such as a HUB device, which has a plurality of ports and relays a data frame between these ports or with another network. .

[0002]

2. Description of the Related Art As a communication device having a plurality of ports and realizing a frame relay function between ports and a network, a device connected to each port, such as a device called HUB used for LAN, is used. There is a device for distributing the data frame to all the connected terminals or transmitting the data frame only to a specific terminal when the data frame is received or the data frame from outside the network.

As the HUB of the LAN, in addition to the above-mentioned functions, a device called an intelligent HUB having a network management function and a security function is also provided.

As a method of implementing the security function, when a media address is assigned to each terminal connected to each port and a data frame is transmitted and received, the media address of the source terminal and the media address of the destination terminal are used. Is added to a data frame, a filtering function is known that, when a data frame to which a media address not added to a communication device is added is received, the data frame is rejected.

By the way, the above-mentioned filtering function is only a function of rejecting the received data frame, and even after rejecting the data frame from the unauthorized source address, the filtering function for the port which has received the data frame. Needless processing power of the communication device.

Further, since the media address which allows reception at any port is fixed at the port,
Every time the port to which the terminal is connected is changed, the media address permitted to be received at the port must be changed, which makes the work complicated.

[0007]

SUMMARY OF THE INVENTION Therefore, the present invention has been made in view of the above problems, and provides a communication device having a plurality of ports and realizing a frame relay function between ports or with another network. , When a data frame from an invalid source address is received, the state of the port that received the data frame is set to a state in which transmission / reception cannot be performed, and the filtering process for the port is interrupted, thereby consuming unnecessary processing power. Preventing is the first issue.

A second object is to realize security corresponding to the changed address without changing the address that allows reception at each port every time the terminal connected to each port is changed. And

Further, even when the ports are grouped to realize the address security for each group, unnecessary consumption of the processing capacity by the filtering process is prevented, and even when the address permitted to be received by each group is changed, A third problem is to realize a security function corresponding to the changed address without performing a complicated operation.

[0010]

The present invention has been made as follows to solve the above-mentioned problems. This will be described based on the principle diagram of FIG.

First, the means for solving the first problem will be described. (1) The present invention is a system applied to a communication device that has a plurality of ports, such as a HUB device, and that relays data frames between these ports or from another network. , Source address detecting means 100, port address comparing means 20
0, port address filtering means 300, and port state control means 400.

The port-corresponding address table 900 is a table for registering, for each port of the communication device, an address assigned to a communication terminal or a network connected to each port.

The source address detecting means 100 detects the source address added to the data frame from the data frame received at each port. The port address comparing means 200 is a source address detecting means 100.
The transmission source address detected by is compared with the address registered in the port corresponding address table 900. That is, when a data frame is received at a certain port, the port address comparison means 200 refers to the port corresponding address table 900 to read the address registered corresponding to the port, and the read address And the source address detected by the source address detecting means 100 are compared. Here, if the two addresses compared by the port address comparing means 200 match, the communication device transmits the received data frame to the port connected to the destination address. On the other hand, when the two addresses do not match, the address comparison means 200 determines the port address filtering means 3
00 is started.

Port address filtering means 300
Rejects the data frame if the two addresses compared by the port address comparing means 200 do not match.

When the port address filtering means 300 rejects the data frame, the port status control means 400 puts the port that received the data frame in a non-transmittable / receivable state.

In order to solve the second problem, the port-corresponding address table 900 corresponds to the first port for registering the address of the terminal or the network currently connected to each port for each port. Address table, and for each port, the address of the terminal or network to be connected to each port in the future and the time to change from the terminal or network currently connected to the terminal or network to be connected in the future A second port-corresponding address table for registering the change time shown may be provided.

In this case, the port address comparing means 200
Is based on the premise that the first port corresponding address table is referred to. Then, when the address of each port in the first port-corresponding address table reaches the change time,
The address is rewritten to the address registered in the second port corresponding address table.

For example, when a terminal or network connected to each port is changed, an address is assigned to each terminal or network. Therefore, if the terminal or network to be connected is changed, reception is allowed at each port. The address to do will also be changed.
Therefore, a port corresponding address table corresponding to the changed address is required. However, if the port-corresponding address table is recreated at the time of change, security will not be performed until the table is completed. Therefore, as in the present invention, if the second port corresponding address table corresponding to the changed address is created in advance and the change time is further set, the contents of the table are automatically updated. , Immediately after the change,
Security corresponding to the changed address will be performed.

Next, means for solving the third problem will be described. (2) In the address security control method of the present invention, the ports of the communication device may be divided into groups of two or more ports, and security may be performed for each group.

In this case, the address security control system according to the present invention uses the group corresponding address table 1000,
Source address detecting means 100, group address comparing means 500, group address filtering means 60
0 and the group state control means 700 are provided.

Group-corresponding address table 1000
Is a table for registering, for each group, an address assigned to a terminal or a network connected to a port of each group.

The source address detecting means 100 detects the source address added to this data frame from the data frame received at each port. The group address comparison unit 500 reads out the address corresponding to the port that received the data frame from the addresses registered in the group corresponding address table 1000, and the read address and the source address detection unit 100 detect the read address. Compare with the source address.

Group address filtering means 60
When the group address comparison unit 500 determines that the address corresponding to the source address is not registered in the group corresponding address table 1000, the group address comparison unit 500 rejects the data frame.

When the group address filtering unit 600 rejects the data frame, the group state control unit 700 sets the port that has received the data frame in a state in which transmission / reception cannot be performed.

Here, the group corresponding address table 1
000 is a first group-corresponding address table for registering, for each group, the address of the terminal or network currently connected to the port of each group; A second group-corresponding address table for registering an address of a planned terminal or network and a change time indicating a time at which the terminal or network currently connected is changed to the terminal or network planned to be connected in the future. It may be provided.

In this case, the group address comparing means 50
0 refers to the first group corresponding address table 1000. Then, the address of each group in the first group corresponding address table is rewritten to the address registered in the second group corresponding address table at the change time.

For example, when the terminal or network connected to the port of each group is changed, the address permitted for reception is also changed in each group, so that the group corresponding address table corresponding to the changed address is created. You will need it. However, if a new group-corresponding address table is created at the time of change, the work is complicated and security is not performed until the table is completed. Therefore, as in the present invention,
If the second group corresponding address table corresponding to the changed address is created in advance and the change time is further set, the contents of the table are automatically updated and the changed address is immediately obtained after the change. Security corresponding to will be performed.

Further, the group corresponding address table 10
00 is a first group-corresponding address table for registering, for each group, the address of the terminal or network connected to the port currently configuring each group, and for each group, configures each group in the future. A second group-corresponding address table for registering an address of a terminal or a network connected to a planned port and a change time indicating a time at which the currently configured port is changed to the planned port in the future; May be provided.

In this case, the group address comparing means 50
It is assumed that 0 refers to the first group corresponding address table. Then, the address of each group in the first group corresponding address table is rewritten to the address registered in the second group corresponding address at the change time.

For example, when the ports making up each group are changed (for example, when a certain port changes its belonging group from group A to group B), the change time is set in advance, The contents of the table will be updated automatically, and immediately after the change,
The security corresponding to the changed group can be realized.

(3) Furthermore, in the address security control method of the present invention, security for individual ports and security for groups may be performed in parallel. In this case, the address security control system of the present invention uses the port-corresponding address table 90.
0, group corresponding address table 1000, security type registration table 1100, source address detecting means 100, security type determining means 800, group address comparing means 500, group address filtering means 600, group state controlling means 700, port address comparing means 200. , Port address filtering means 300, and port state control means 400.

Group correspondence address table 1000
Registers, for each group of two or more ports, the address assigned to the terminal or network connected to the port of each group.

The port-corresponding address table 900 registers, for each port among the plurality of ports of the communication device, that does not belong to a group, an address assigned to a terminal or a network connected to each port.

Security type registration table 1100
For each port, the security type indicating whether or not each port belongs to the group is registered. The source address detecting means 100 detects the source address added to this data frame from the data frame received at each port.

The security type determination means 800 refers to the security type registration table 1100 and determines whether the port that received the data frame belongs to a group.

The group address comparison means 500 is activated when the security type determination means 800 determines that the port that received the data frame belongs to a group, and the transmission source detected by the transmission source address detection means 100. The address is compared with the address registered in the group corresponding address table 1000.

Group address filtering means 60
When the group address comparison unit 500 determines that the address corresponding to the source address is not registered in the group corresponding address table 1000, the group address comparison unit 500 rejects the data frame.

Then, the group state control means 700 is
When the data frame is rejected by the group address filtering means 700, the port that received the data frame is set in a state in which transmission / reception cannot be performed.

The port address comparison means 200 is activated when the security type determination means 800 determines that the port that received the data frame does not belong to a group, and the transmission source detected by the transmission source address detection means 100. The address is compared with the address registered in the port corresponding address table 900.

Port address filtering means 300
Rejects the data frame when the two addresses compared by the port address comparing means 200 do not match.

When the port address filtering means 300 rejects the data frame, the port state control means 400 puts the port that received the data frame in a non-transmittable / receivable state.

Here, the security type registration table 1
100 is a first registering security type for each port, which indicates whether each port currently belongs to a group
Security type registration table, security type for each port that identifies whether each port will belong to the group in the future, time when each port is scheduled to belong to the group, or time when each port is scheduled to leave the group And a second security type registration table for registering and.

In this case, the security type judging means 80
0 refers to the first security type registration table 1100. Then, the security type of each port of the first security type registration is rewritten to the security type registered in the second security type registration table at the scheduled time.

For example, when a port belonging to a certain group leaves the group and joins another group,
When the port attributes are changed, such as when a port that does not belong to the group newly joins the group or when a port that belongs to the group leaves the group, the table contents are automatically updated. As soon as the information is updated, the security corresponding to the changed attribute can be realized immediately after the change.

The port state control means 400 may return the port that has received the data frame to the transmittable / receivable state after a certain period of time has passed since the port was not transmitted / received.

Furthermore, the group state control means 700 is
After the port that has received the data frame is set to the transmission / reception disabled state, the port may be returned to the transmission / reception enabled state after a lapse of a certain time.

[0047]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of an address security control system of the present invention will be described below with reference to the drawings.

<< First Embodiment >> FIG. 2 shows a communication system to which the address security control method of the present invention is applied.

In the figure, the communication system includes a communication device 1 having ten ports 31 to 40 and communication terminals 2a, 2b, 2c and 2d connected to the ports 31 to 40 of the communication device 1 via a communication line.・ 2e ・ 2f ・ 2g ・ 2h ・
2i / 2j (hereinafter collectively referred to as the communication terminal 2) and a console (MC) 3 for maintaining and managing the communication device 1.

In this communication system, it is assumed that a source address for specifying a source communication terminal and a destination address for specifying a destination (destination) communication terminal are added to a transmitted / received data frame. .

The communication device 1 determines the destination of the data frame received at each of the ports 31 to 40, and determines the ports 31 to 40 connected to the destination communication terminal 2. Then, the communication device 1 receives the data frame from the port 3
1 to 40 and port 3 connected to the destination communication terminal 2
1 to 40, and has a relay function of transmitting a data frame to the destination communication terminal 2.

FIG. 2 is a diagram showing an internal configuration of the communication device 1. As shown in the figure, the communication device 1 includes a switching circuit (SW) 4 for switching connection / disconnection between ports,
Read-only memory (ROM) 5 and central control unit (C
C) 6 and main memory (MM) that can be read and written freely
7 and 7 are connected by a bus.

The ROM 5 stores an application program to be executed by the central controller (CC) 6. In the main memory device (MM) 7, as shown in FIG. 4, a port corresponding address table 70 and a port state registration table 71 are registered.

Here, the port corresponding address table 70
5, an entry for registering an address assigned to the communication terminal 2 connected to each of the ports 31 to 40 for each port number identifying each of the ports 31 to 40 (in the figure, " Security target address ”) is provided.

Then, in the port status registration table 71, as shown in FIG. 6, an entry (FIG. 6) for registering information indicating the status of each of the ports 31 to 40 for each port number identifying each of the ports 31 to 40. Medium, "port state"),
An entry (“recovery time condition” in the figure) for registering a time condition until the ports 31 to 40 in the communication disabled state are restored to the communication enabled state is provided. The information indicating the states of the ports 31 to 40 is, for example, whether the port is in an idle state (“00” in the figure), is in a communication state (“01” in the figure), or is in an incommunicable state (in the figure). "02"). In addition, the information indicating the time condition for recovery of each of the ports 31 to 40 is information indicating the time condition until the ports 31 to 40 in the incommunicable state are recovered to the communicable state. In the case where the communication is restored 100 seconds after the communication is disabled, “100” is registered. This time condition may be uniform for all the ports 31 to 40, or the number of times the communication is disabled may be counted and changed according to the number of times. Good.

Next, the central control unit (CC) 6 reads the ROM 5
The functions realized by executing the application program will be described with reference to FIG. As shown in the figure, the central control device (CC) 6 executes the application program to cause the source address detection unit 60, the port address detection unit 61, the port address filtering unit 62, and the port state control unit 63 to operate. Realize the function.

The source address detecting section 60 is an example of the source address detecting means of the present invention, and each of the ports 31-4.
When a data frame of 0 is received, the source address added to the data frame is detected via the switching circuit (SW) 4. Then, the source address detection unit 60, together with the detected source address,
The port numbers of the ports 31 to 40 that received the data frame are determined.

The port address comparison unit 61 is an example of the port address comparison means of the present invention, and uses the port number determined by the transmission source address detection unit 60 as a keyword, and the port correspondence address table of the main memory device (MM) 7. 70 is accessed, and the address registered in the entry of the port number is read. Then, the port address comparison unit 61 compares the address read from the main storage device (MM) 7 with the transmission source address detected by the transmission source address detection unit 60. Here, if both addresses match, the port address comparison unit 61 instructs the switching circuit (SW) 4 to connect the port and the port connected to the destination communication terminal. Also,
If the two addresses do not match, the port address comparison unit 61 activates the port address filtering unit 62.

The port address filtering unit 62
The switching circuit (SW) 4 is an example of the port address filtering unit of the present invention, and when activated by the port address comparison unit 61, discards the data frame together with the port number of the port that has received the data frame. Give instructions to.

The port state control unit 63 is an example of the port state control means of the present invention, and the port address comparison unit 61.
When the two addresses compared by the above are not matched, the port number of the main memory device (MM) 7 is accessed by using the port number of the port that received the data frame as a keyword, and the port number is registered. In this entry, the information indicating the "communication impossible state" is registered, and the time condition for recovery is registered.

The operation and effect of this embodiment will be described below. First, the operation of the communication device 1 when receiving a data frame will be described with reference to FIG.

When a data frame from the communication terminal 2 is received by the port 31 to 40 of the communication device 1 (S80
1), the central controller (CC) 6 detects the source address from the received data frame (S802) and determines the port number of the port that received the data frame.

The central controller (CC) 6 accesses the port-corresponding address table 70 of the main memory device (MM) 7 by using the determined port number as a keyword and reads the address registered in the port number entry. . Then, the address read from the port corresponding address table 70 is compared with the source address detected from the data frame (S803).

If the two compared addresses do not match, the central controller (CC) 6 instructs the switching circuit (SW) 4 to discard the received data frame (S804). Furthermore, the central controller (C
C) 6 accesses the port state registration table 71 of the main memory device (MM) 7 by using the port number of the port that received the data frame as a keyword, and the entry of the port number indicates the information indicating the incommunicable state. And the recovery time condition are registered (S805). Further, the central control device (CC) 6 is provided with respect to the switching circuit (SW) 4,
Instruct to disconnect the port.

On the other hand, if the two addresses compared in S803 above match, the central controller (CC) 6
Executes the relay processing of the data frame (S80
6). Specifically, the central controller (CC) 6 detects the destination address from the received data frame and determines the port number of the port connected to the communication terminal 2 indicated by this address. And the central controller (CC) 6
Shows the determined port number in the switching circuit (SW)
4 is notified, and the port indicated by this port number is connected to the port that received the data frame.

Next, the operation of the communication device when the incommunicable port is restored to the communicable state will be described with reference to FIG. Central control unit (CC) 6 of the communication device 1
Accesses the recovery time condition entry of the port status registration table 71 of the main memory device (MM) 7 at regular time intervals (S901) and satisfies the recovery time condition of the ports in the incommunicable state. It is determined whether a port exists (S902).

Here, if there is a port satisfying the restoration time condition, the central control unit (CC) 6 communicates the entry of the port state of the port satisfying the restoration time feeling from the information indicating the incommunicable state. It is rewritten to information indicating a possible state (S903). Further, the central controller (CC) 6
Instructs the switching circuit (SW) 4 to connect the port.

As described above, according to the present embodiment, even if the data frame is received by the port in the incommunicable state, the communication device 1 does not have to perform the filtering process on this data frame, and the central control unit (CC It is possible to prevent the processing capacity of 6) from being wasted.

<Embodiment 2> This embodiment is different from Embodiment 1 described above in the configuration of the main memory (MM) 7 and the functions realized by the application programs of the central controller (CC) 6 and the ROM 5. The other configurations are the same as those of the first embodiment described above.

First, the main memory (M
The configuration of M) 7 will be described with reference to FIG. As shown in the figure, the main memory device (MM) 7 of the present embodiment has a port corresponding address table 70, a first port corresponding address table 70a and a second port corresponding to the configuration of the above-described first embodiment. It is configured to include the port corresponding address table 70b.

First port corresponding address table 70a
11, an entry for registering an address assigned to the communication terminal 2 currently connected to each of the ports 31 to 40 for each port number of each of the ports 31 to 40 (in the figure, " Security target address ”) is provided.

Second port corresponding address table 70b
12, an entry for registering an address assigned to the communication terminal 2 to be connected to each of the ports 31 to 40 for each port number of each of the ports 31 to 40 (in FIG. (Entry address)) and an entry (in the figure, which registers the date and time when the communication terminal 2 that is currently connected is changed to the communication terminal 2 that is scheduled to be connected in the future.
“Change time condition”) is provided.

Next, the central control unit (CC) 6 reads the ROM
FIG. 13 shows a functional configuration realized by executing the application program of No. 5. As shown in the figure, the central control unit (CC) 6 executes the application program of the ROM 5, so that the source address detection unit 60, the port address comparison unit 61, the port address filtering unit 62, the port state control unit 63, And the function of the port corresponding address changing unit 64 is realized.

A source address detecting section 60, a port address comparing section 61, a port address filtering section 62,
The port state control unit 63 and the port state control unit 63 are the same as those in the first embodiment, and the description thereof will be omitted.

The port-corresponding address changing unit 64 accesses the second port-corresponding address table of the main storage device (MM) 7 at regular intervals, and there is an entry in which the date and time of the change is before the present time. Or not.
Then, when it is determined that there is an entry whose date and time of change is earlier than the present time, the port corresponding address changing unit 64 reads the port number and the address of the communication terminal to be changed from the entry, and reads it. The issued port number is used as a keyword to access the first port-corresponding address table 70a, and the address of the entry corresponding to the port number is rewritten to the address read from the second port-corresponding address table 70b.

The operation and effect of this embodiment will be described below. FIG. 14 is a flowchart showing an operation process of the communication device 1 when updating the contents of the first port-corresponding address table.

The central controller (CC) 6 of the communication device 1 is
The second port-corresponding address table 70b of the main memory device (MM) 7 is accessed at regular intervals (S1401, 1
402), it is determined whether or not there is an entry whose modification date and time is before the present time (S1403).

If there is no entry whose modification date and time is before the present time, the central controller (CC) 6 waits until the next fixed time elapses. On the other hand, if there is an entry whose modification date and time is before the present time, the central control unit (CC)
6 reads the port number and address of the entry (S1404).

Then, the central controller (CC) 6 is
The port number read from the port-corresponding address table 70b is used as a keyword to access the first port-corresponding address table 70a, and the address of the entry corresponding to the port number is read from the second port-corresponding address table 70b. It is rewritten to the specified address (S
1405). Further, the central control unit (CC) 6 has a second
The entry in the port-corresponding address table 70b is reset (S1406).

As described above, according to this embodiment, each port 31
When changing the communication terminal 2 connected to ~ 40, it is possible to automatically update the contents of the port corresponding address table by setting the date and time to be changed in advance. Therefore, the burden on the maintenance person of the communication device 1 can be reduced, and the security for the port in which the connection terminal is changed can be realized immediately after the change.

<< Third Embodiment >> In this embodiment, the port 3 is used.
1 to 40 are divided into groups each including two or more ports, and the communication device 1 that performs security for each group will be described as an example.

The present embodiment is different from the above-described first embodiment in the configuration of the main memory (MM) 7 and the central controller (C).
C) The functions realized by the application programs of 6 and the ROM 5 are different.

The hardware configurations of the communication system and the communication device 1 in this embodiment are the same as those in the above-described first embodiment, and the description thereof will be omitted. First, the configuration of the main memory device (MM) 7 in this embodiment will be described with reference to FIG. As shown in the figure, the main memory device (MM) 7
Is composed of a group identification table 72, a group corresponding address table 73, and a port state registration table 71.

In the group identification table 72, as shown in FIG. 16, for each port number that identifies each of the ports 31 to 40, an entry ("in the figure" in the figure, which registers the group number of the group to which each port belongs Group number ") is provided. For example, the three ports of ports 31, 34, and 37 are grouped as “01”, and the ports 32, 33, and
The four ports 36, 38 are grouped as “02”, and the three ports 35, 39, 40 are grouped as “0”.
When set to “3”, the group number “01” is registered in each entry of the ports 31, 34, and 37. And
The group number “02” is registered in each entry of the ports 32, 33, 36 and 38. Further, the group number “03” is registered in each entry of the ports 35, 39 and 40.

In the group-corresponding address table 73,
As shown in FIG. 17, for each group number that identifies an individual group, an entry that registers the address of the communication terminal 2 connected to the ports 31 to 40 belonging to each group (in the figure, “security target address”) Is provided. Here, FIG. 17 corresponds to FIG. 16 described above, and the entries of the group “01” include ports 31, 3
The addresses of a total of three communication terminals 2 connected to Nos. 4 and 37 are registered. Addresses of a total of four communication terminals 2 connected to the ports 32, 33, 36 and 38 are registered in the entry of the group “02”. Further, the entries of the group “03” include ports 35 and 3
The addresses of a total of three communication terminals 2 connected to 9, 40 are registered.

The port status registration table 71 is shown in FIG.
As shown in, for each port number of each port 31 to 40,
An entry ("port state" in the figure) for registering information indicating the status of each port 31-40 and the time until the communication disabled status of the ports 31-40 are restored. An entry ("recovery time condition" in the figure) for registering the condition is provided. The information indicating the states of the ports 31 to 40 is, for example, whether the port is in an idle state (“00” in the figure), is in a communication state (“01” in the figure), or is in an incommunicable state (in the figure). "02"). Further, the information indicating the recovery time condition of each of the ports 31 to 40 is information indicating the time condition until the communication disabled state of the ports 31 to 40 that have been made incommunicable is restored. In the case of recovering 100 seconds after the time when the status becomes possible, "10
0 ”is registered. This time condition is for all ports 3
The number may be uniform for 1 to 40, or the number of times the communication is disabled can be counted for each port and changed depending on the number of times.

Next, the central control unit (CC) 6 reads the ROM 5
The functions realized by executing the application program will be described with reference to FIG. The central controller (CC) 6 realizes the functions of the source address detection unit 60, the group address comparison unit 65, the group address filtering unit 66, and the group state control unit 67 by executing the application program of the ROM 5.

As in the first embodiment, the transmission source address detection unit 60, when receiving the data frame at each of the ports 31 to 40, changes the transmission source address added to the data frame to the switching circuit. It is detected via (SW) 4. Then, the source address detection unit 60
Determines the port number of each of the ports 31 to 40 that received the data frame together with the detected source address.

The group address comparison unit 65 is an example of the group address comparison means of the present invention, and uses the port number determined by the source address detection unit 60 as a keyword to identify the group identification table 72 of the main memory device (MM) 7. To access the group number registered in the entry of the port number. Then, the group address comparison unit 65 uses the group number read from the group identification table 72 as a keyword to access the group-corresponding address table 73 of the main storage device (MM) 7, and is registered in the entry of the group number. Read all existing addresses. Further, the group address comparison unit 65 includes the source address detection unit 6 in the address read from the group corresponding address table 73.
It is determined whether or not there is an address that matches the source address detected by 0. Here, if an address that matches the address detected by the source address detection unit 60 exists in the addresses read from the group corresponding address table 73, the group address comparison unit 65 causes the switching circuit (SW). 4 is instructed to connect the port on which the data frame is received and the port connected to the destination communication terminal 2. On the other hand, the group address comparing unit 65, if there is no address that matches the address detected by the source address detecting unit 60 among the addresses read from the group corresponding address table 73, the group address filtering unit 66. To start.

Group address filtering unit 66
Is an example of the group address filtering means of the present invention, and when activated by the group address comparison unit 65, the switching circuit (SW) 4 receives this port number together with the port number at which the data frame was received. Instructs to discard the data frame received at the indicated port.

The group state control section 67 is an example of the group state control means of the present invention, and matches the address detected by the source address detection section 60 among the addresses read from the group corresponding address table 73. The switching circuit (SW) 4 is activated when there is no address to be operated and disconnects the ports 31 to 40 on which the data frame is received. further,
The group state control unit 67 accesses the port state registration table 71 of the main storage device (MM) 7 by using the port number of the port on which the data frame is received as a keyword, and the entry of the port number indicates "Communication impossible". Status"
Is registered and the "recovery time condition".

The operation and effect of this embodiment will be described below. FIG. 20 is a flowchart showing an operation process of the communication device 1 when receiving a data frame.

When a data frame is received at a certain port of the communication device 1 (S2001), the central controller (CC)
6 determines the port number of the port from which the data frame was received via the switching circuit (SW) 4 and also detects the source address added to the received data frame. And the central controller (CC)
6 uses the determined port number as a keyword to access the group identification table 72 of the main memory device (MM) 7 and reads the group number registered in the entry of the port number. And the central controller (CC) 6
Group-corresponding address table 7 using the group number read from the group identification table 72 as a keyword
3 is accessed to read all the addresses registered in the entry of the group number (S2002).

Subsequently, the central controller (CC) 6 determines whether or not the address read from the group correspondence address table 73 has an address that matches the source address read from the data frame. Is determined (S2003).

Here, the group corresponding address table 7
If there is no address that matches the source address read from the data frame among the addresses read from 3, the central controller (CC) 6 tells the switching circuit (SW) 4 that It is instructed to discard the data frame received at the port indicated by the port number (S2004).

Further, the central controller (CC) 6 instructs the switching circuit (SW) 4 to disconnect the port. And the central controller (CC) 6
Is the main storage device (M
M) The port state registration table 71 of 7 is accessed, and the information indicating the incommunicable state and the recovery time condition are registered in the entry of the port number (S2005).

On the other hand, when the address read from the group corresponding address table 73 contains an address that matches the source address read from the data frame in S2003 described above, the central controller ( CC) 6 executes a relay process of the data frame (S2006). Specifically, the central controller (CC)
6 detects the destination address from the received data frame, and determines the port number of the port connected to the communication terminal 2 indicated by this address. Then, the central control device (CC) 6 notifies the determined port number to the switching circuit (SW) 4, and connects the port indicated by this port number and the port that has received the data frame.

The operation of the communication device 1 in the case of restoring the incommunicable state of the port to the communicable state is the same as that of the above-mentioned first embodiment, and the explanation thereof is omitted. As described above, according to the present embodiment, the same effect as that of the above-described first embodiment can be obtained for the communication device that performs group security.

<< Fourth Embodiment >> The communication device 1 according to the present embodiment is different from the third embodiment in that the main storage device (M
The configuration of M) 7 is different from that of the central controller (CC) 6 and the functions implemented by the application programs of the ROM 5, and the other configurations are the same as those of the third embodiment.

First, the main memory device (M
The structure of M) 7 is shown in FIG. As shown in the figure, in the main memory device (MM) 7, the group corresponding address table 73 has a first group corresponding address table 73a and a second group corresponding address table 73b with respect to the configuration of the third embodiment. It consists of and.

First group corresponding address table 73
As shown in FIG. 22, a is provided with an entry (“security target address” in the figure) for registering the address of the communication terminal 2 currently connected to the port belonging to each group for each group number of each group. Has been.

Second group corresponding address table 73
As shown in FIG. 23, b is an entry for registering, for each group number of each group, the address of the communication terminal 2 to be connected to the port belonging to each group in the future (in the figure,
“Change security target address”) and the communication terminal 2 which is to be connected in the future from the communication terminal 2 which is currently connected.
An entry (“change time condition” in the figure) for registering the date and time to be changed to is registered.

The port status registration table 71 and the group identification table 72 are the same as those in the above-mentioned third embodiment, and a description thereof will be omitted. Next, the central controller (CC) 6 is a ROM
Functions implemented by executing the application program 5 will be described with reference to FIG.

As shown in the figure, the central controller (CC)
6 executes the application program in the ROM 5, so that the source address detection unit 60, the group address detection unit 65, the group address filtering unit 6
6. The functions of the group state control unit 67 and the group corresponding address changing unit 68 are realized.

Source address detector 60, group address detector 65, group address filtering unit 6
6 and the group state control unit 67 are the same as those in the third embodiment.
The description is omitted.

The group-corresponding address changing unit 68 accesses the second group-corresponding address table 73b of the main storage device (MM) 7 at regular intervals, and there is an entry indicating that the date and time of the change is before the present time. It is determined whether or not to do. Then, when it is determined that there is an entry whose change date and time is before the present time, the group corresponding address changing unit 68 reads the group number and the address of the communication terminal to be changed from the entry,
The read group number is used as a keyword to access the first group-corresponding address table 73a, and the address of the entry corresponding to the group number is rewritten to the address read from the second group-corresponding address table 73b.

The operation and effect of this embodiment will be described below. FIG. 25 is a flowchart showing an operation process of the communication device 1 when updating the contents of the first group corresponding address table 73a.

The central controller (CC) 6 of the communication device 1 is
The second group corresponding address table 73b of the main storage device (MM) 7 is accessed at regular intervals (S2501,
2502), it is determined whether or not there is an entry whose modification date and time is before the present time (S2503).

If there is no entry whose modification date and time is before the present time, the central controller (CC) 6 waits until the next fixed time elapses. On the other hand, if there is an entry whose modification date and time is before the present time, the central control unit (CC)
6 reads the group number and address of the entry (S2504).

Then, the central controller (CC) 6 is
Using the group number read from the group corresponding address table 73b as a keyword, the first group corresponding address table 73a is accessed, and the address of the entry corresponding to the group number is read from the second group corresponding address table 73b. The rewritten address is rewritten (S2505). In addition, the central controller (CC)
6 resets the entry of the second group corresponding address table 73b (S2506).

As described above, according to the present embodiment, when the communication terminals 2 connected to the ports 31 to 40 belonging to each group are changed, the date and time to be changed are set in advance, so that the group corresponding address is changed. The contents of the table can be updated automatically. Therefore, it is possible to reduce the burden on the maintenance person of the communication device 1, and even when the communication terminals connected to the ports 31 to 40 belonging to the group are changed, immediately after changing the security for the group. Can be realized.

<< Fifth Embodiment >> The communication device 1 of this embodiment is different from the third embodiment in that the main memory device (M
The configuration of M) 7 is different from that of the central controller (CC) 6 and the functions implemented by the application programs of the ROM 5, and the other configurations are the same as those of the third embodiment.

First, the main memory device (M
The structure of M) 7 is shown in FIG. As shown in the figure, in the main memory device (MM) 7, a group identification table 72, a first group identification table 72a, and a second group identification table 72b are added to the configuration of the third embodiment.
It is composed of

As shown in FIG. 27, the first group identification table 73a is an entry for registering the group number of the group to which each port currently belongs (“group number” in the figure). ) Is provided.

As shown in FIG. 28, the second group identification table 72b stores an entry (“group number” in the figure) for registering a group number to which each port will belong in the future, for each port number. , And an entry (“change time condition” in the figure) for registering the date and time of change from the group to which the user currently belongs to the group to which the group belongs in the future.

The port status registration table 71 and the group-corresponding address table 73 are the same as those in the above-mentioned third embodiment, and their explanations are omitted. Next, the central controller (CC) 6
The functions realized by executing the application program in the ROM 5 will be described with reference to FIG.

As shown in the figure, the central controller (CC)
6 executes the application program in the ROM 5, so that the source address detection unit 60, the group address detection unit 65, the group address filtering unit 6
6, group state control unit 67, and group changing unit 69
Implement the function of

Source address detector 60, group address detector 65, group address filtering unit 6
6 and the group state control unit 67 are the same as those in the third embodiment.
The description is omitted.

The group changing section 69 is arranged such that the second group identification table 72 of the main storage device (MM) 7 is set at regular intervals.
By accessing b, it is determined whether or not there is an entry in which the date and time of the change is before the present time. Then, when it is determined that there is an entry whose change date and time is earlier than the present time, the group changing unit 69 reads the port number and the group number of the group to be changed from the entry, and reads the port number and the group number. The port number is used as a keyword to access the first group identification table 72a, and the group number of the entry corresponding to the port number is rewritten to the group number read from the second group identification table 72b.

Further, when the content of the first group identification table 72a is updated, the group changing section 69 also rewrites the content of the group corresponding address table 73 correspondingly. For example, when the group to which the communication terminal 2a connected to the port 31 belongs is changed from the group 01 to the group 02, the group changing unit 69
After updating the contents of the first group identification table 72a, access the group corresponding address table 73,
The address of the communication terminal 2a is deleted from the entry of the group 01, and the address of the communication terminal 2a is added to the entry of the group 02.

The operation and effect of this embodiment will be described below. FIG. 30 is a flowchart showing an operation process of the communication device 1 when updating the contents of the first group identification table 72a.

The central controller (CC) 6 of the communication device 1 is
The second group identification table 72b of the main storage device (MM) 7 is accessed at regular intervals (S3001, 300).
2) It is determined whether or not there is an entry whose modification date and time is before the present time (S3003).

If there is no entry whose modification date and time is before the present time, the central controller (CC) 6 waits until the next fixed time elapses. On the other hand, if there is an entry whose modification date and time is before the present time, the central control unit (CC)
6 reads the port number and group number of the entry (S3004).

Then, the central controller (CC) 6 is
The first group identification table 7 using the port number read from the group identification table 72b
2a, and the group number of the entry corresponding to the port number is rewritten to the group number read from the second group identification table 72b (S300).
5). Further, the central controller (CC) 6 resets the entry of the second group identification address table 72b (S3006).

Subsequently, the central controller (CC) 6 is
The updated contents of the group identification table 72b of FIG. That is, the central controller (CC) 6 accesses the group corresponding address table 73, deletes the address of the communication terminal 2 connected to the port of the port number from the entry of the group to which it originally belonged, and It is added to the entry of the newly belonging group (S3007).

As described above, according to the present embodiment, when the organization of the group is changed, the contents of the group identification table can be automatically updated by setting the date and time of the change in advance. Therefore, the burden on the maintenance person of the communication device 1 can be reduced, and the security for the group whose organization has been changed can be realized immediately after the change.

<Embodiment 6> In the present embodiment, a communication device 1 for performing security for a group and security for an individual port in parallel will be described as an example.

In this embodiment, the configuration of the main memory (MM) 7 and the central control unit (C
C) The functions realized by 6 and ROM 5 are different,
The hardware configuration of the communication device 1 is similar to that of the first embodiment described above.

First, the structure of the main memory device (MM) 7 will be described with reference to FIG. As shown in the figure, the main memory device (MM) 7 has a port-corresponding address table 70.
, Port status registration table 71, group corresponding address table 73, security type registration table 7
And 4.

As shown in FIG. 32, the security type registration table 74 is an entry for registering whether or not each port belongs to a group for each port number (31 to 40) specifying each port 31 to 40. ("Security type" in the figure). More specifically, the security type registration table 74 shows that the ports belonging to the group (in the figure, port numbers 33, 34, 36, 37, 38,
39, 40), the group numbers (group numbers 01 to 03 in the figure) of the groups to which each port belongs are registered as security types, and the ports not belonging to the group (port number 31 in the figure) , 32, 3
"00" is registered as the security type in the entry of 5).

The port-corresponding address table 70 is provided with an entry for registering the address of the communication terminal 2 connected to each port for each port number of a port that does not belong to the group. For example, as shown in FIG. 33, the port-corresponding address table 70 has an entry (“security target address” in the figure) for registering an address for each port number of each port, and belongs to a group ( In the figure, port numbers 33, 34, 36, 3
7, 38, 39, 40) does not register anything,
Ports that do not belong to a group (port number 3 in the figure
The address of the communication terminal 2 connected to the port is registered only in the entry (1, 32, 35).

In the group-corresponding address table 73,
An entry for registering the address of the communication terminal 2 connected to the ports 31 to 40 belonging to each group is provided for each group number that identifies each group. For example, as shown in FIG. 34, the group-corresponding address table 73 includes ports 3 belonging to each group for each group number (group numbers 01 to 03 in the figure) of each group.
Entry for registering the address of the communication terminal 2 connected to 1 to 40 ("Security target address" in the figure)
have. It should be noted that FIG. 34 corresponds to the security type registration table 74 of FIG. 32 described above, and the entry of the group number 01 has two ports (port numbers 37 and 40 in FIG. 32) forming the group 01. The address of the connected communication terminal 2 is registered. Also,
The entry of the group number 02 includes three ports (port numbers 33, 34,
The address of the communication terminal 2 connected to 38) is registered. Furthermore, the entry of group number 03 includes
The addresses of the communication terminals 2 connected to the two ports (port numbers 36 and 39 in FIG. 32) forming the group 03 are registered.

The port status registration table 71 is a table that serves as both the port status registration table and the group status registration table of the present invention. As shown in FIG. 35, each port number is assigned to each port number 31-40. 31-40
Of the entry ("port state" in the figure) for registering the information for identifying the state of the port, and the time until the ports in the incommunicable state (ports 32 and 37 in the figure) are restored to the communicable state. It has an entry for registering a condition (“recovery time condition” in the figure).

The information for identifying the port state is information for identifying whether each port is in the communication state, in the idle state, or in the incommunicable state. The time condition until the recovery is set when the ports 31 to 40 are set in the incommunicable state, and, for example, when the port 31 to 40 is recovered 100 seconds after the incommunicable state is set, "100" is registered. This time condition may be uniform for all the ports 31 to 40, or the number of times communication is disabled can be counted for each port and changed according to the number of times. You may do it.

Next, the central control unit (CC) 6 reads the ROM 5
The functions realized by executing the application program are described with reference to FIG. As shown in the figure, the central control device (CC) 6 executes the application program of the ROM 5 so as to execute the transmission source address detection unit 60, the security type determination unit 60A,
A port address comparison unit 61, a port address filtering unit 62, a port state control unit 63, a group address comparison unit 65, a group address filtering unit 66,
Also, the function of the group state control unit 67 is realized.

The source address detecting section 60 is an example of the source address detecting means of the present invention, and each of the ports 31-4.
When a data frame of 0 is received, the source address added to the data frame is detected via the switching circuit (SW) 4. Then, the source address detection unit 60, together with the detected source address,
The port numbers of the ports 31 to 40 that received the data frame are determined.

The security type determination unit 60A is an example of the security type determination means of the present invention, and uses the port number determined by the source address detection unit 60 as a keyword to create a security type registration table in the main storage device (MM) 7. 74, and determines whether the port specified by the port number belongs to the group. Then, the security type determination unit 60A activates the port address comparison unit 61 if the port does not belong to the group. On the other hand, if the port belongs to the group, the security type determination unit 60A determines from the security type registration table 74 that the ports 31 to 4 are
The group number of the group to which 0 belongs is read, and the group address comparison unit 65 is activated.

The port address comparison unit 61 is an example of the port address comparison unit 61 of the present invention, and the port number determined by the transmission source address detection unit 60 is used as a keyword, and the port corresponding address of the main memory device (MM) 7 is used. The table 70 is accessed to read the address registered in the entry of the port number. Then, the port address comparison unit 61 compares the address read from the main storage device (MM) 7 with the transmission source address detected by the transmission source address detection unit 60. Here, if both addresses match, the port address comparison unit 61
Instructs the switching circuit (SW) 4 to connect the port to the port connected to the destination communication terminal.
If the two addresses do not match, the port address comparison unit 61 activates the port address filtering unit 62.

The port address filtering unit 62
It is an example of the port address filtering means of the present invention, and when activated by the port address comparison unit 61, notifies the switching circuit (SW) 4 of the port number of the port that has received the data frame, and indicates the port number. It is instructed to discard the data frame received by the ports 31 to 40.

The port state control unit 63 is an example of the port state control means of the present invention, and the port address comparison unit 61.
When the two addresses compared by the above are not matched, the port number of the main memory device (MM) 7 is accessed by using the port number of the port that received the data frame as a keyword, and the port number is registered. In this entry, the information indicating the "communication impossible state" is registered, and the time condition for recovery is registered.

The group address comparison unit 65 is an example of the group address comparison means of the present invention, and uses the group number read by the security type determination unit 60A as a keyword to create a group corresponding address table of the main memory device (MM) 7. 73 to access all the addresses registered in the entry of the group number.
Then, the group address comparison unit 65 determines whether or not there is an address that matches the transmission source address detected by the transmission source address detection unit 60 among the addresses read from the group corresponding address table 73. . Here, if the address read from the group corresponding address table 73 includes an address that matches the address detected by the source address detection unit 60, the group address comparison unit 65 switches the switching circuit (SW). 4 is instructed to connect the port on which the data frame is received and the port connected to the destination communication terminal 2. On the other hand, the group address comparing unit 65, if there is no address that matches the address detected by the source address detecting unit 60 among the addresses read from the group corresponding address table 73, the group address filtering unit 66. To start.

Group address filtering unit 66
Is an example of the group address filtering means of the present invention, and when activated by the group address comparison unit 65, notifies the switching circuit (SW) 4 of the port number at which the data frame was received, and Instructs to discard the data frame received at the port specified by the port number.

The group state control unit 67 is an example of the group state control means of the present invention, and matches the address detected by the source address detection unit 60 among the addresses read from the group corresponding address table 73. The switching circuit (SW) 4 is activated when there is no address to be operated and disconnects the ports 31 to 40 on which the data frame is received. further,
The group state control unit 67 accesses the port state registration table 71 of the main storage device (MM) 7 by using the port number of the port on which the data frame is received as a keyword, and the entry of the port number indicates "Communication impossible". Status"
Is registered and the "recovery time condition".

The operation and effect of this embodiment will be described below. FIG. 37 is a flowchart showing an operation process of the communication device 1 when receiving a data frame.

When a data frame from the communication terminal 2 is received by the port 31-40 of the communication apparatus 1 (S370).
1), the central controller (CC) 6 detects the source address from the received data frame (S3702) and also determines the port number of the port that received the data frame. Then, the central control device (CC) 6 uses the determined port number as a keyword and stores it in the main storage device (M
M) The security type registration table 74 of 7 is accessed, and it is determined whether the port specified by the port number belongs to the group (S3702, S370).
3).

If the port specified by the port number belongs to the group, the central controller (C
C) 6 reads out the group number registered in the entry of the port number from the security type registration table 74. Then, the central control unit (CC) 6 uses the read group number as a keyword and stores it in the main storage unit (M
M) The group corresponding address table 73 of 7 is accessed, and all the addresses registered in the entry of the group number are read (S3704).

Then, the central controller (CC) 6 checks whether or not the address read from the group-corresponding address table 73 includes an address that matches the source address read from the data frame. It is determined (S3705).

Here, the group-corresponding address table 7
If there is no address that matches the source address read from the data frame among the addresses read from 3, the central controller (CC) 6 tells the switching circuit (SW) 4 that It is instructed to discard the data frame received at the port indicated by the port number (S3706).

The central controller (CC) 6 also instructs the switching circuit (SW) 4 to disconnect the port. And the central controller (CC) 6
Main memory (MM) using the port number as a keyword
The port state registration table 71 of No. 7 is accessed, and the information indicating the incommunicable state and the recovery time condition are registered in the entry of the port number (S3707).

On the other hand, in S3705 described above, if the address read from the group-corresponding address table 73 contains an address that matches the source address read from the data frame, the central controller (CC). 6 executes the relay process of the data frame (S3708). Specifically, the central controller (CC) 6
Detects the destination address from the received data frame and determines the port number of the port connected to the communication terminal 2 indicated by this address. Then, the central control device (CC) 6 notifies the determined port number to the switching circuit (SW) 4, and connects the port indicated by this port number and the port that has received the data frame.

If the port specified by the port number does not belong to the group in S3703 described above, the central controller (CC) 6 uses the port number as a keyword in the main memory (MM) 7. The port-corresponding address table 70 is accessed to read the address registered in the port number entry (S370).
9).

Then, the port corresponding address table 70
The address read from is compared with the source address detected from the data frame (S3710). If the two compared addresses do not match, the central controller (CC) 6 instructs the switching circuit (SW) 4 to discard the received data frame (S3711).

Then, the central controller (CC) 6 accesses the port state registration table 71 of the main memory device (MM) 7 by using the port number of the port that received the data frame as a keyword, and enters the entry of the port number. The information indicating the incommunicable state and the recovery time condition are registered (S3712). Further, the central controller (CC) 6
It instructs the switching circuit (SW) 4 to disconnect the port.

On the other hand, if the two addresses compared in S3710 described above match, the central controller (CC)
6 executes the relay process of the data frame (S371).
3). Specifically, the central controller (CC) 6 detects the destination address from the received data frame and determines the port number of the port connected to the communication terminal 2 indicated by this address. And the central controller (CC) 6
Shows the determined port number in the switching circuit (SW)
4 is notified, and the port indicated by this port number is connected to the port that received the data frame.

The operation of the communication device in the case of restoring the incommunicable port to the communicable state is the same as that of the above-described first embodiment, and the description thereof will be omitted. As described above, according to the present embodiment, the same effect as that of the above-described first embodiment can be obtained even in a communication device that performs port security for individual ports and group security for groups in parallel. it can.

<< Embodiment 7 >> The communication device 1 of the present embodiment.
Is the main memory (MM) 7 compared to the sixth embodiment.
2 and the functions realized by the application programs of the central controller (CC) 6 and the ROM 5 are different, and other configurations are the same as those of the above-described sixth embodiment.

First, the main memory (M
The configuration of M) 7 will be described with reference to FIG. As shown in the figure, the main memory device (MM) 7 of the present embodiment has a security type registration table 74, a first security type registration table 74a, in addition to the configuration of the above-described sixth embodiment.
And the second security type registration table 74b.

First security type registration table 74
In a, as shown in FIG. 39, for each port number that identifies each port, an entry that registers a security type that identifies whether or not each port currently belongs to a group (“security type” in the figure) Is provided.

Second security type registration table 74
In b, as shown in FIG. 40, for each port number that identifies each port, an entry for registering a security type for identifying whether or not each port belongs to a future group (“security type” in the figure) And an entry (“change time condition” in the figure) for registering the date and time when the current security type is changed to the future security type.

Next, the central control unit (CC) 6 reads the ROM
FIG. 41 shows the configuration of each function realized by executing the application program of No. 5. As shown in the figure, the central control unit (CC) 6 executes the application program of the ROM 5, so that the source address detection unit 60, the port address comparison unit 61, the port address filtering unit 62, the port state control unit 63, Functions of the group address comparison unit 65, the group address filtering unit 66, the group state control unit 67, the security type determination unit 60A, and the security type change unit 610 are realized.

Here, the source address detection unit 60, the port address comparison unit 61, the port address filtering unit 62, the port state control unit 63, the group address comparison unit 65, the group address filtering unit 66, the group state control unit 67, and Security type determination unit 60
A is the same as in the above-described sixth embodiment, and the description thereof is omitted. The security type changing unit 610,
The second security type registration table 74b of the main storage device (MM) 7 is accessed to determine whether or not there is an entry indicating that the security type change time is earlier than the current time. Then, when it is determined that there is an entry whose date and time of change is earlier than the present time,
The security type changing unit 610 reads the port number and security type of the entry, accesses the first security type registration table 74a by using the read port number as a keyword, and accesses the security type of the entry corresponding to the port number. Is rewritten to the read security type. Here, as security type change modes, (1) when a single port joins any group, (2) when a port belonging to a group leaves the group and becomes a single port,
(3) A port that belongs to a group may leave the group and join another group. In the case of (1) above, the security type changing unit 610
The address registered in the entry of the port is deleted from the port corresponding address table 70, and the address is written in the entry of the group to which the port joins in the group corresponding address table 73. In the case of (2), the security type changing unit 610
Deletes the address of the communication terminal 2 connected to the port from the entry of the group to which the port belongs in the group corresponding address table 73, and adds the address to the entry of the port in the port corresponding address table 70. Write. In the case of (3),
The security type changing unit 610 deletes the address of the communication terminal 2 connected to the port from the entry of the group from which the port has been removed in the group corresponding address table 73, and adds the address of the group to which the port has joined to the entry. Write the address.

The operation and effect of this embodiment will be described below. FIG. 42 is a flowchart showing an operation process of the communication device 1 when updating the contents of the first security type registration table 74a.

The central controller (CC) 6 of the communication device accesses the second security type registration table 74b of the main memory (MM) 7 at regular intervals (S4201, 4).
(202), it is determined whether or not there is an entry whose modification date and time is before the present time (S4203).

If there is no entry whose modification date and time is before the present time, the central controller (CC) 6
Waits until the next fixed time elapses. On the other hand, if there is an entry whose modification date and time is before the current time,
The central controller (CC) 6 reads the port number and security type of the entry (S4204).

Then, the central controller (CC) 6 is
Of the security type registration table 74b is used as a keyword to access the first security type registration table 74a, and the security type registered in the entry of the port number is changed to the second security type registration table. The security type is read out from 74b (S4205). Further, the central controller (CC) 6 resets the entry of the second security type registration table 74b (S4206).

Further, the central controller (CC) 6 changes the security type according to the port-corresponding address table 70.
And reflected in the group corresponding address table 73.
That is, as described above, when the security type is changed because a single port joins any group, the security type changing unit 610 is registered in the entry of the port from the port corresponding address table 70. Address is deleted, and the address is written in the entry of the group to which the port has joined in the group corresponding address table 73. Further, when the security type is changed because a port belonging to a certain group is removed from the group and becomes a single port, the security type changing unit 610
While deleting the address of the communication terminal 2 connected to the port from the entry of the group to which the port belongs in the group corresponding address table 73,
The address is written in the entry of the port in the port corresponding address table 70. Further, when a port belonging to a certain group leaves the group and joins another group, and the security type is changed, the security type changing unit 610 removes the port in the group corresponding address table 73. The address of the communication terminal 2 connected to the port is deleted from the entry of the digit group, and the address is written to the entry of the group to which the port has joined (S
4207).

As described above, according to this embodiment, each port 31
When changing the attributes of ~ 40, the contents of the security type registration table can be automatically updated by setting the change time in advance. Therefore, the burden on the maintenance person of the communication device 1 can be reduced, and the security for the port whose attribute has been changed can be realized immediately after the change.

[0168]

According to the present invention, a plurality of ports are provided,
In a communication device that implements a frame relay function between ports or with another network, when a data frame from an invalid source address is received, the state of the port that received the data frame is set to a state in which transmission / reception cannot be performed. As a result, it is not necessary to continuously perform the filtering process for the port, and the processing capacity of the communication device is not wasted.

Also, when changing the terminal or network connected to the port, when changing the terminal or network connected to the port in the group, or when changing the subscribing group of the port, Immediately after the change, the security corresponding to the changed content can be realized.

[Brief description of the drawings]

FIG. 1 is a principle diagram of the present invention.

FIG. 2 is a schematic configuration diagram of a communication system to which the present invention is applied.

FIG. 3 is a hardware configuration diagram of a communication device

FIG. 4 is an internal configuration diagram of a main memory device (MM) according to the first embodiment.

FIG. 5: Specific example of port-corresponding address table

FIG. 6 is a specific example of a port status registration table.

FIG. 7 is a block diagram showing a functional configuration of a communication device.

FIG. 8 is an operation flowchart of the communication device when receiving a data frame.

FIG. 9 is a flowchart showing a process of recovering an incommunicable port.

FIG. 10 is an internal configuration diagram of a main memory device (MM) according to the second embodiment.

FIG. 11 is a specific example of a first port corresponding address table.

FIG. 12 is a specific example of a second port corresponding address table.

FIG. 13 is a block diagram showing a functional configuration of a communication device.

FIG. 14 is a flowchart showing the update processing of the first port corresponding address table.

FIG. 15 is an internal configuration diagram of a main memory device (MM) according to the third embodiment.

FIG. 16 is a specific example of a group identification table.

FIG. 17 is a specific example of a group corresponding address table.

FIG. 18 is a specific example of a port status registration table.

FIG. 19 is a block diagram showing a functional configuration of a communication device.

FIG. 20 is a flowchart of the operation of the communication device when receiving a data frame.

FIG. 21 is an internal configuration diagram of a main memory device (MM) according to the fourth embodiment.

FIG. 22 is a specific example of a first group corresponding address table.

FIG. 23 is a specific example of a second group corresponding address table.

FIG. 24 is a block diagram showing a functional configuration of a communication device.

FIG. 25 is a flowchart showing the update processing of the first group corresponding address table.

FIG. 26 is an internal configuration diagram of a main memory device (MM) according to the fifth embodiment.

FIG. 27 is a specific example of a first group identification table.

FIG. 28 is a specific example of a second group identification table.

FIG. 29 is a block diagram showing a functional configuration of a communication device.

FIG. 30 is a flowchart showing the update processing of the first group identification table.

FIG. 31 is an internal configuration diagram of a main memory device (MM) according to the sixth embodiment.

FIG. 32 is a specific example of a security type registration table.

FIG. 33 is a specific example of a port corresponding address table.

FIG. 34 is a specific example of a group corresponding address table.

FIG. 35 is a specific example of a port status registration table

FIG. 36 is a block diagram showing a functional configuration of a communication device.

FIG. 37 is an operation flowchart of the communication device when receiving a data frame.

FIG. 38 is an internal configuration diagram of a main memory device (MM) according to the seventh embodiment.

FIG. 39 is a specific example of a first security type registration table.

FIG. 40 is a specific example of a second security type registration table.

FIG. 41 is a block diagram showing a functional configuration of a communication device.

FIG. 42 is a flow chart showing the update processing of the first security type registration table.

[Explanation of symbols]

 1. Communication device 2. Communication terminal 2a Communication terminal 2b Communication terminal 2c Communication terminal 2d Communication terminal 2e Communication terminal 2f Communication terminal 2g Communication terminal 2h Communication terminal 2i ··· Communication terminal 2j ··· Communication terminal 3 · · Console (MC) 4 · · Switching circuit (SW) 5 · · Read-only memory (ROM) 6 · · Central control unit (CC) 7 · · Main storage device ( MM) 31 ・ Port 32 ・ Port 33 ・ Port 34 ・ Port 34 ・ Port 36 ・ Port 37 ・ Port 38 ・ Port 39 ・ Port 40 ・ Port 60 ・ ・ Source address detector 60A-Security type determination unit 60B-Security type change unit 61-Port address comparison unit 62-Port address filtering unit 63-Port status control Part 64. Port corresponding address changing unit 65. Group address comparing unit 66. Group address filtering unit 67. Group state control unit 68. Group corresponding address changing unit 69. Group changing unit 70. Port corresponding address Table 70a-First port-corresponding address table 70b-Second port-corresponding address table 71-Port state registration table 72-Group identification table 72a-First group identification table 72b-Second group Identification table 73..Group corresponding address table 73a..First group corresponding address table 73b..Second group corresponding address table 74..Security type registration table 74a..First security type registration table 74b. Two Security type registration table 100 ・ ・ Source address detection means 200 ・ ・ Port address comparison means 300 ・ ・ Port address filtering means 400 ・ ・ Port state control means 500 ・ ・ Group address comparison means 600 ・ ・ Group address filtering means 700 ・ ・Group status control means 800 ・ ・ Security type determination means 900 ・ ・ Port compatible address table 1000 ・ ・ Group compatible address table 1100 ・ ・ Security type registration table

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Kenji Kubo 1-4-4 Hakataekimae, Hakata-ku, Fukuoka City, Fukuoka City, Fukuoka Prefecture, Fujitsu Kyushu Communication Systems Limited (72) Hiroshi Shiokawa Hakataekimae, Hakata-ku, Fukuoka City, Fukuoka Prefecture 1-4-4 Fujitsu Kyushu Communication System Co., Ltd.

Claims (9)

[Claims] 1. A port-corresponding address table for registering an address of a terminal or a network that allows reception for each port of a communication device that has a plurality of ports and that relays data frames from these ports or from another network. A source address detecting means for detecting a source address added to the data frame from the data frame received at each port, a source address detected by the source address detecting means, and A port address comparing means for comparing the address registered in the port corresponding address table; a port address filtering means for rejecting the data frame if the two addresses compared by the port address comparing means do not match; Port address filter When the data frame is rejected by means address security control system and a port state control means for the port that has received the data frame to the reception impossible state. 2. A port of a communication device having a plurality of ports, which relays a data frame between these ports or from another network, is divided into a group of two or more ports, and reception is performed for each group. A group-corresponding address table for registering addresses of terminals or networks permitted, source address detection means for detecting a source address added to the data frame received from each port, and the transmission Group address comparing means for comparing the source address detected by the source address detecting means with the address registered in the group corresponding address table, and the address corresponding to the source address is registered in the group corresponding address table If not, the data frame Address security control comprising: a group address filtering unit that rejects the group address; and a group state control unit that, when the group address filtering unit rejects the data frame, puts the port that received the data frame into a state in which transmission and reception cannot be performed. method. 3. A communication device comprising a plurality of ports and relaying a data frame between these ports or from another network, wherein the plurality of ports are either ports belonging to a group consisting of two or more ports. It is divided into ports that do not belong to a group, and for each port, a security type registration table that indicates whether each port belongs to a group, and for each port that does not belong to the group, each port is connected to each port Port-corresponding address table for registering terminal or network address, group-corresponding address table for registering terminal or network address connected to each group port for each group, and data received at each port From the frame, the source address attached to this data frame A source address detection unit for detecting a port, a security type determination unit that refers to the security type registration table and determines whether the port that received the data frame belongs to a group, and the security type determination unit When it is determined that the port belongs to a group, a group address comparing unit that compares the source address detected by the source address detecting unit with an address registered in the group corresponding address table In the group-corresponding address table, if an address that matches the source address is not registered, a group address filtering unit that rejects the data frame, and if the data frame is rejected by the group address filtering unit, Before A group status control unit that puts a port that has received a data frame in a transmission / reception disabled state, and if the security type determination unit determines that the port does not belong to a group, the source address detection unit detects it. If the source address and the address registered in the port corresponding address table are compared with each other, and if the two addresses compared by the port address comparison unit do not match, the data frame is rejected. An address security control method comprising: a port address filtering unit; and a port state control unit which, when the data frame is rejected by the port address filtering unit, puts the port that received the data frame into a state in which transmission and reception cannot be performed. 4. The port-corresponding address table includes a first port-corresponding address table for registering, for each of the ports, an address of a terminal or a network currently connected to the port, and for each of the ports. Second, registering an address of a terminal or a network to be connected to the port in the future and a change time indicating a time when the terminal or network currently connected is changed to the terminal or the network to be connected in the future Each port registered in the first port corresponding address table is rewritten to an address registered in the second port corresponding address table at the change time. The address security control system according to claim 1. 5. The group-corresponding address table includes, for each group, a first group-corresponding address table for registering an address of a terminal or a network currently connected to a port of each group, and for each group. , The address of the terminal or network to be connected to each group port in the future, and the change time indicating the time to change from the currently connected terminal or network to the terminal or network to be connected in the future. A second group-corresponding address table to be registered, and the address of each group registered in the first group-corresponding address table becomes the change time,
The address security control method according to claim 2, wherein the address is rewritten to an address registered in the second group corresponding address table. 6. The group-corresponding address table includes a first group-corresponding address table for registering, for each of the groups, an address of a terminal or a network connected to a port currently configuring each group, For each group, the address of the terminal or network connected to the port that will be configured in the future for each group, and the change time that indicates the time when the port that is currently configured is changed to the port that is planned to be configured in the future And a second group corresponding address table for registering, and the addresses of each group of the first group corresponding address table are registered in the second group corresponding address table at the change time. The address security control system according to claim 2, which is rewritten to an address. 7. The security type registration table includes, for each port, a first security type registration table for registering a security type indicating whether or not each port currently belongs to a group, and for each port, A second security type registration table for registering a security type indicating whether or not the port is planned to belong to a group in the future, and a scheduled time when each port is scheduled to belong to the group or scheduled to leave the port, and the first security. When the security time of each port in the type registration table reaches the scheduled time, the security type of the second
4. The address security control method according to claim 3, wherein the security type is rewritten to the security type registered in the security type registration table. 8. The port state control means returns the port to a transmittable / receivable state after a certain period of time has elapsed since the port that received the data frame was set to the transmit / receive disabled state. Address security control method. 9. The group state control means sets the port that has received the data frame to a state in which transmission and reception are impossible, and then returns the port to a state in which transmission and reception is possible after a certain time has elapsed. Address security control method.