Communications control method and information relaying device for communications network system
First Claim
1. A network relaying method for a communication network system in which a plurality of network devices are coupled via a communication path, each network device including a network relaying device which is coupled via a plurality of I/O ports to a corresponding plurality of terminals, the method comprising the steps of:
- receiving a packet at a first I/O port from a source terminal coupled to the first I/O port, the packet including a header containing a packet transmission source address;
- determining whether a first combination of information contained in the received packet coincides with a second combination of information that has been registered in advance, wherein said first combination of information includes the first I/O port and the packet transmission source address of the received packet and said second combination of information includes an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween, and, in response to the determining step resulting in a determination that the first combination of information coincides with the second combination of information, transferring the packet received at the first I/O port via a second I/O port, wherein it is determined that said first combination of information coincides with said second combination of information that has been registered in advance when only said first I/O port and said packet transmission source address coincide with said I/O port and transmission source address that have been registered in advance with a correspondence therebetween;
- in response to the determining step resulting in a determination that the first combination of information does not coincide with the second combination of information:
  - limiting transfer of the received packet and transmitting a request for user authentication of a user to the source terminal of said received packet;
  - receiving user authentication information sent from the source terminal in response to the request for user authentication;
  - executing user authentication of the user based on the user authentication information thus received and based on the packet transmission source address;
  - when the user is authenticated by the user authentication executed in the executing step, registering the first I/O port with a correspondence to the packet transmission source address;
  - transferring the packet received at the first I/O port via the second I/O port; and
  - when the user is not authenticated by the user authentication executed in the executing step, not transferring the packet received at the first I/O port.
Abstract
A LAN switch is one component of a communications network system built on a virtual LAN, in which network terminals such as personal computers are connected to its ports. The LAN switch holds a host table recording the correspondence between each port and the address information of the network terminal connected to that port, and an authentication table holding the information used to authenticate the user of each network terminal. If, while relaying packets, a change is requested to the correspondence held in the host table for the source network terminal, the LAN switch prompts the source network terminal for a user name and password, authenticates the user against the information held in the authentication table, and permits the host table to be rewritten and the packets to be relayed only if the user is valid. These steps make it easy to prevent address spoofing, eavesdropping, and unauthorized access by a malicious user, and to analyze or recover from an erroneously set address.
12 Claims
1. A network relaying method for a communication network system in which a plurality of network devices are coupled via a communication path, each network device including a network relaying device which is coupled via a plurality of I/O ports to a corresponding plurality of terminals, the method comprising the steps of:
- receiving a packet at a first I/O port from a source terminal coupled to the first I/O port, the packet including a header containing a packet transmission source address;
- determining whether a first combination of information contained in the received packet coincides with a second combination of information that has been registered in advance, wherein said first combination of information includes the first I/O port and the packet transmission source address of the received packet and said second combination of information includes an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween, and, in response to the determining step resulting in a determination that the first combination of information coincides with the second combination of information, transferring the packet received at the first I/O port via a second I/O port, wherein it is determined that said first combination of information coincides with said second combination of information that has been registered in advance when only said first I/O port and said packet transmission source address coincide with said I/O port and transmission source address that have been registered in advance with a correspondence therebetween;
- in response to the determining step resulting in a determination that the first combination of information does not coincide with the second combination of information:
  - limiting transfer of the received packet and transmitting a request for user authentication of a user to the source terminal of said received packet;
  - receiving user authentication information sent from the source terminal in response to the request for user authentication;
  - executing user authentication of the user based on the user authentication information thus received and based on the packet transmission source address;
  - when the user is authenticated by the user authentication executed in the executing step, registering the first I/O port with a correspondence to the packet transmission source address;
  - transferring the packet received at the first I/O port via the second I/O port; and
  - when the user is not authenticated by the user authentication executed in the executing step, not transferring the packet received at the first I/O port.

(Dependent claims: 2, 3, 4, 5)
6. A network relaying apparatus, comprising:
- a plurality of I/O ports adapted to be coupled to a plurality of terminals, respectively;
- a communication portion for transmitting and receiving data via the plurality of I/O ports;
- a relay portion which determines a transmitting I/O port of the plurality of I/O ports, from which a packet received via the communication portion from a receiving I/O port of the plurality of I/O ports is output via the communication portion, and which determines whether a first combination of information contained in the received packet coincides with a second combination of information that has been registered in advance, wherein said first combination of information includes the receiving I/O port and a packet transmission source address of the received packet and said second combination of information includes an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween, wherein said relay portion transfers the received packet from the transmitting I/O port in response to the relay portion determining that the first combination of information coincides with the second combination of information, wherein it is determined by said relay portion that said first combination of information coincides with said second combination of information that has been registered in advance when only said receiving I/O port and said packet transmission source address coincide with said I/O port and transmission source address that have been registered in advance with a correspondence therebetween, and wherein said relay portion requests user authentication of a user from a source terminal of said received packet in response to the relay portion determining that the first combination of information does not coincide with the second combination of information; and
- an authentication portion which registers the receiving I/O port with a correspondence to the packet transmission source address when completing user authentication based on user authentication information sent from the source terminal in response to the request for user authentication and based on the packet transmission source address, wherein when the authentication portion does not authenticate the user, the relay portion does not transfer the received packet.

(Dependent claims: 7, 8, 9, 10)
11. A network relaying method for a communication network system in which a plurality of network devices are coupled via a communication path, each network device including a network relaying device which is coupled via a plurality of I/O ports to a corresponding plurality of terminals, the method comprising the steps of:
- receiving a packet at a first I/O port from a source terminal coupled to the first I/O port, the packet including a header containing a packet transmission source address;
- determining whether a combination of only the first I/O port and the packet transmission source address coincides with a combination of an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween;
- when the determining step results in a determination that the combination of only the first I/O port and the packet transmission source address coincides with a combination of an I/O port and transmission source address that have been registered in advance with a correspondence therebetween, transferring the packet received at the first I/O port via a second I/O port;
- when the determining step results in a determination that the combination of only the first I/O port and the packet transmission source address do not have a coincidence with a combination of an I/O port and transmission source address that have been registered in advance with a correspondence therebetween:
  - limiting transfer of the received packet and transmitting a request for user authentication of a user to the source terminal of said received packet;
  - receiving user authentication information sent from the source terminal in response to the request for user authentication;
  - executing user authentication of the user based on the user authentication information thus received and based on the packet transmission source address;
  - when the user is authenticated by the user authentication executed in the executing step, registering the first I/O port with a correspondence to the packet transmission source address;
  - transferring the packet received at the first I/O port via the second I/O port; and
  - when the user is not authenticated by the user authentication executed in the executing step, not transferring the packet received at the first I/O port;
- wherein the source terminal coupled to the first I/O port belongs to a VLAN; and wherein when a user is not authenticated by the user authentication executed in the executing step, a warning message is sent to all terminals belonging to the same VLAN as the source terminal of the packet received at the first I/O port.
12. A network relaying apparatus, comprising:
- a plurality of I/O ports adapted to be coupled to a plurality of terminals, respectively;
- a communication portion for transmitting and receiving data via the plurality of I/O ports;
- a relay portion which determines a transmitting I/O port of the plurality of I/O ports, from which a packet received via the communication portion from a receiving I/O port of the plurality of I/O ports is output via the communication portion, and which determines whether a combination of only the receiving I/O port and a packet transmission source address contained in the packet coincides with a combination of an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween, wherein said relay portion transfers the received packet from the transmitting I/O port when the relay portion determines that the combination of only the receiving I/O port and the packet transmission source address coincides with a combination of an I/O port and transmission source address that have been registered in advance with a correspondence therebetween, and wherein said relay portion requests user authentication of a user from a source terminal of said received packet when the relay portion determines that the combination of only the receiving I/O port and the packet transmission source address do not have a coincidence with a combination of an I/O port and a transmission source address that have been registered in advance with a correspondence therebetween; and
- an authentication portion which registers the receiving I/O port with a correspondence to the packet transmission source address when completing user authentication based on user authentication information sent from the source terminal in response to the request for user authentication, wherein when the authentication portion does not authenticate the user, the relay portion does not transfer the received packet;
- wherein the source terminal of the received packet belongs to a VLAN; and wherein when a user is not authenticated by the user authentication, a warning message is sent to all terminals belonging to the same VLAN as the source terminal of the received packet.
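The decision flow shared by claims 1, 6, 11 and 12 can be modelled in a few dozen lines. The following Python simulation is an added example written for this page; it is not the patent holder's code and no vendor implements it this way. The claims only fix the flow (compare the (receiving port, source address) pair against the registered host table; forward on a match; otherwise hold the packet, request credentials, register the pair on success, drop and warn the VLAN on failure), so the following details are assumptions: credentials are stored as salted SHA-256 digests, each user entry is bound to one source MAC so that the "authentication based on the packet transmission source address" step has something to check, an unknown destination is flooded within the ingress VLAN, and the warning goes to every port of that VLAN. The `Packet`, `LanSwitch`, `relay`, `authenticate` and `demo` names are made up for the example.

```python
"""Toy model of the authenticating LAN switch described in the claims (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress_port: int      # the "first" / "receiving" I/O port
    src_mac: str           # packet transmission source address from the header
    dst_mac: str
    payload: bytes = b""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: the authentication table stores salted SHA-256 digests.
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class LanSwitch:
    port_vlan: dict                                   # port -> VLAN id (assumed static config)
    host_table: dict = field(default_factory=dict)    # src_mac -> registered I/O port
    auth_table: dict = field(default_factory=dict)    # user -> (salt, digest, bound MAC)
    pending: dict = field(default_factory=dict)       # src_mac -> packet held pending auth

    def add_user(self, user: str, password: str, mac: str) -> None:
        salt = os.urandom(16)
        self.auth_table[user] = (salt, _hash_password(password, salt), mac)

    def _egress_ports(self, pkt: Packet) -> list:
        """Relay portion: choose the transmitting port from the registered host table."""
        out = self.host_table.get(pkt.dst_mac)
        if out is not None and out != pkt.ingress_port:
            return [out]
        # Assumption: unknown destination is flooded within the ingress VLAN only.
        vlan = self.port_vlan[pkt.ingress_port]
        return [p for p, v in self.port_vlan.items() if v == vlan and p != pkt.ingress_port]

    def relay(self, pkt: Packet) -> tuple:
        """Compare (receiving port, source MAC) with the registered correspondence."""
        if self.host_table.get(pkt.src_mac) == pkt.ingress_port:
            return ("forward", self._egress_ports(pkt))
        # Unregistered pair, or a MAC that moved to another port: limit transfer
        # (hold the packet) and request user authentication from the source terminal.
        self.pending[pkt.src_mac] = pkt
        return ("auth_request", pkt.ingress_port)

    def authenticate(self, src_mac: str, user: str, password: str) -> tuple:
        """Authentication portion: credentials are checked together with the source MAC."""
        pkt = self.pending.pop(src_mac, None)
        if pkt is None:
            return ("drop", [])          # nothing is pending for this source
        ok = False
        entry = self.auth_table.get(user)
        if entry is not None:
            salt, digest, bound_mac = entry
            ok = hmac.compare_digest(digest, _hash_password(password, salt)) and bound_mac == src_mac
        if ok:
            # Register the new correspondence, then transfer the held packet.
            self.host_table[src_mac] = pkt.ingress_port
            return ("forward", self._egress_ports(pkt))
        # Not authenticated: the packet is not transferred and, per claim 11,
        # every terminal in the source's VLAN receives a warning (assumed: all ports of that VLAN).
        vlan = self.port_vlan[pkt.ingress_port]
        return ("drop", sorted(p for p, v in self.port_vlan.items() if v == vlan))


def demo() -> list:
    """Walk through the cases in the claims with constructed sample traffic."""
    sw = LanSwitch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20})
    sw.host_table["aa:aa"] = 1           # terminals already registered on ports 1 and 2
    sw.host_table["bb:bb"] = 2
    sw.add_user("alice", "correct horse", "cc:cc")   # alice may register MAC cc:cc
    sw.add_user("bob", "battery staple", "dd:dd")    # bob is bound to a different MAC
    events = []
    events.append(sw.relay(Packet(1, "aa:aa", "bb:bb")))               # registered pair: forward
    events.append(sw.relay(Packet(3, "cc:cc", "aa:aa")))               # new terminal: auth requested
    events.append(sw.authenticate("cc:cc", "alice", "wrong"))          # bad password: drop + warn VLAN 10
    events.append(sw.relay(Packet(3, "cc:cc", "aa:aa")))               # retry: auth requested again
    events.append(sw.authenticate("cc:cc", "alice", "correct horse"))  # good: register, forward to port 1
    events.append(sw.relay(Packet(2, "aa:aa", "bb:bb")))               # aa:aa seen on port 2: mismatch
    events.append(sw.authenticate("aa:aa", "bob", "battery staple"))   # right password, wrong MAC: drop
    return events


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The last two events are the case the abstract singles out: a registered address appearing on a different port is treated as a requested change of correspondence, and even valid credentials do not rewrite the host table unless they are tied to that source address.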
Specification