Title:
Communication apparatus for routing or discarding a packet sent from a user terminal
Document Type and Number:
Kind Code:
A1

Abstract:
A packet communications apparatus of the present invention essentially comprises a plurality of network interfaces (NIFs), a learned address table, a packet forwarding unit (PFU) and a processor for directive packets to change state (PDPCS). The learned address table contains information for identifying a NIF through which to send a packet. The PFU selects a port through which to forward a packet by referring to the learned address table, according to the state of the NIFs, and forwards or discards a packet received from a user terminal. The PDPCS receives a packet including a directive to change the state of a specific NIF to one of the connected state, disconnected state and stateless. The PDPCS changes the state of the specific NIF to one of the connected state, disconnected state and stateless, according to the directive in the packet.

Inventors:
Sawada, Sunao (Yokohama, JP)
Watanuki, Tatsuya (Ebina, JP)
Nozaki, Shinji (Yokohama, JP)
Application Number:
09/893004
Publication Date:
02/07/2002
Filing Date:
06/28/2001
Primary Class:
Other Classes:
709/203
International Classes:
(IPC1-7): G06F015/173; G06F015/16
Attorney, Agent or Firm:
ATTORNEYS AT LAW,MATTINGLY, STANGER & MALUR, P.C. (SUITE 370, ALEXANDRIA, VA, 22314, US)
Claims:

What is claimed is:



1. A packet communications apparatus to be used in a network system wherein user terminals that can be linked via a network to said apparatus send/receive packets to/from a server for authentication and a file server connected via a network to said apparatus, comprising: a plurality of network interfaces; a learned address table containing information for identifying one of said network interfaces through which to send a packet; a packet forwarding unit that selects a port through which to forward a packet by referring to said learned address table, according to the state of said network interfaces, and forwards or discards a packet sent from the user terminal, addressed to the server for authentication/file server and vice versa; a processor for directive packets to change state that receives a directive packet to change state, the packet holding a directive to change the state of a specific network interface to one of the connected state, disconnected state and stateless, via said packet forwarding unit from the server for authentication; and state managers, each installed in each network interface and each that receives a directive packet to change state from said processor for directive packets to change state and changes the state of the network interface to one of the connected state, disconnected state and stateless, according to the directive packet to change state.

2. The packet communications apparatus according to claim 1, wherein: said network system further includes a server for address assignment that dynamically leases an address to a user terminal linked to it via a network or networks and a router; said apparatus further includes a filtering table in which the source address of a packet it received is registered; said processor for directive packets to change state, upon receiving a directive packet to change state that directs it to register a specific address registered in said filtering table into said learned address table, registers the specific address into the learned address table; and said apparatus unconditionally forwards a packet whose destination address is registered in the learned address table and forwards a packet whose destination address is registered in said filtering table, but not registered in the learned address table, provided the source address of the packet is the router or the server for authentication.

3. The packet communications apparatus according to claim 1, wherein: each of said network interfaces further includes a link down detector that finds whether a network link terminated at the interface is now workable; each of said state managers, when said link down detector detects a link-down, changes the state of the network interface in which the link-down has now been detected to the disconnected state; each of said state managers, when a user terminal is user-authenticated by said server for authentication, changes the state of the network interface to which the user terminal is linked to the connected state; and said packet forwarding unit, upon receiving a packet through a network interface set in the disconnected state, does not forward the packet to a network interface set in the disconnected or connected state, but forwards the packet to only a specific network interface, and upon receiving a packet through a network interface set in the connected state, does not forward the packet to a network interface set in the disconnected state.

4. A packet communications apparatus to be used in a network system wherein user terminals that can be linked via a network to said apparatus send/receive packets to/from a server for authentication and a file server connected via a network to said apparatus, comprising: physical interfaces, each making the connection to a network; a packet forwarding unit that selects a port through which to forward a packet; filtering units that perform packet filtering, each located between each of said physical interfaces and the packet forwarding unit and comprising a filtering table containing information for forwarding or discarding a packet and a packet processor that discards a packet or transfers a packet to said packet forwarding unit, according to the contents of said filtering table; and a processor for directives to change filtering that transfers a directive to change filtering from said server for authentication to the appropriate one of said filtering units, changes the information in the filtering table initially set to discard all received packets, according to the directive from said server for authentication, and sequentially adds information for forwarding such packets to said file server that include the address of a user terminal that has now been user-authenticated by said server for authentication as the source address to said filtering table.

5. A packet communications apparatus to be used in a network system wherein user terminals that can be linked via a network to said apparatus send/receive packets to/from a server for authentication and a file server connected via a network to said apparatus, comprising: network interfaces for sending/receiving packets to/from the user terminals, the server for authentication and the file server; an IP address registration table in which the addresses of the user terminals user-authenticated by the server for authentication are registered; and a packet forwarding unit that forwards a packet whose source address matches an address registered in said IP address registration table and encapsulates a packet whose source address is not registered in the IP address registration table and then sends the encapsulated packet to a specific address.

Description:

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a packet communications apparatus and a network system, and more particularly, to a packet communications apparatus and a network system arranged for preventing the unfair use of networking service, wherein a LAN switch, router, etc. is used as that apparatus.

[0002] Recently, it has been appreciated that information security techniques for restricting network use are required in order to ensure the confidentiality of information transferred over networks. On the other hand, for ease of use, some Local Area Networks (LANs) are implemented so that a terminal user can use networking service simply by connecting the terminal to the network; a typical example is an 802.3 network of the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) type, whose specifications are prescribed by the Institute of Electrical and Electronics Engineers, Inc. (IEEE).

[0003] For a network using the Dynamic Host Configuration Protocol (DHCP) standardized by the Internet Engineering Task Force (IETF), when a terminal is newly connected to the network, an address is automatically assigned to it. By combining these networks or LANs with mobile terminals such as notebook-size personal computers, a (public) network ports system has appeared, allowing a terminal user to use networking service from anywhere, whenever necessary. A technique relating to the network ports system has been disclosed in, for example, JP-A-68765/1999.

SUMMARY OF THE INVENTION

[0004] As networks become easy to use, however, it is conceivable that even a user who is not authorized to use networking service (an unauthorized user) can use networking service simply by connecting the user's terminal to a network. Consequently, a security problem arises in that resources such as file servers connected to the network system are unfairly accessed by unauthorized users.

[0005] As a technique for preventing such unfair access by unauthorized users, "packet filtering" carried out by packet communications apparatus such as routers is known. To enable packet filtering, the conditions for packet filtering must be preset. However, it is almost impossible to predetermine the conditions for packet filtering for the above-mentioned network ports system or the like, that is, networks wherein a terminal at any place is assigned a dynamically leased address for networking.

[0006] Addressing the above-described problem, an object of the present invention is to provide a packet communications apparatus and a network system that prevent unauthorized users from using networking service unfairly.

[0007] Another object of the present invention is to provide packet communications apparatus and a network system wherein, even if a user connects the user terminal to a network from anywhere and using a different address each time the terminal is reconnected to the network, the user can gain access to a network resource entity only if authorized to access the entity.

[0008] In accordance with the present invention, a packet communications apparatus is provided that is used in a network system wherein user terminals that can be linked via a network to the apparatus send/receive packets to/from a server for authentication and a file server connected via a network to the apparatus, comprising a plurality of network interfaces, a learned address table containing information for identifying a network interface through which to send a packet, a packet forwarding unit that selects a port through which to forward a packet by referring to the learned address table, according to the state of the network interfaces, and forwards or discards a packet sent from the user terminal, addressed to the server for authentication/file server and vice versa, a processor for directive packets to change state that receives a directive packet to change state, holding a directive to change the state of a specific network interface to one of the connected state, disconnected state and stateless, via the packet forwarding unit from the server for authentication, and state managers, each installed in each network interface and each that receives a directive packet to change state from the processor for directive packets to change state and changes the state of the network interface to one of the connected state, disconnected state and stateless, according to the directive packet to change state.

[0009] Moreover, in accordance with the present invention, a packet communications apparatus is provided that is used in a network system wherein user terminals that can be linked via a network to the apparatus send/receive packets to/from a server for authentication and a file server connected via a network to the apparatus, comprising physical interfaces, each making the connection to a network, a packet forwarding unit that selects a port through which to forward a packet, filtering units that perform packet filtering, each located between each physical interface and the packet forwarding unit and comprising a filtering table containing information for forwarding or discarding a packet and a packet processor that discards a packet or transfers a packet to the packet forwarding unit, according to the contents of the filtering table, and a processor for directives to change filtering that transfers a directive to change filtering from the server for authentication to the appropriate filtering unit, changes the information in the filtering table initially set to discard all received packets, according to the directive from the server for authentication, and sequentially adds information for forwarding such packets to the file server that include the address of a user terminal that has now been user-authenticated by the server for authentication as the source address to the filtering table.

[0010] Moreover, in accordance with the present invention, a packet communications apparatus is provided that is used in a network system wherein user terminals that can be linked via a network to the apparatus send/receive packets to/from a server for authentication and a file server connected via a network to the apparatus, comprising network interfaces for sending/receiving packets to/from the user terminals, the server for authentication and the file server, an IP address registration table in which the addresses of the user terminals user-authenticated by the server for authentication are registered, and a packet forwarding unit that forwards a packet whose source address matches an address registered in the IP address registration table and encapsulates a packet whose source address is not registered in the IP address registration table and then sends the encapsulated packet to a specific address.

[0011] A feature of the present invention is that the packet communications apparatus essentially comprises a plurality of network interfaces, the packet forwarding unit, and the state managers, each keeping the state of each network interface in one of the connected state, disconnected state and stateless. The packet forwarding unit selects a port through which to forward a packet, depending on the state of the network interfaces.

[0012] Another feature of the present invention is that the packet communications apparatus includes the processor for directive packets to change state and can change the state of a network interface that is specified in a directive packet to change state to a state specified in the directive packet.

[0013] A further feature of the present invention is that each network interface includes a link down detector and the packet communications apparatus can change the state of the network interface to the disconnected state when the link down detector detects link-down.

[0014] The present invention is preferably implemented such that all network interfaces are initialized to the disconnected state when the packet communications apparatus is initialized.

[0015] Yet another feature of the present invention is that the packet communications apparatus can forward packets received at a network interface set in the disconnected state to only a specific network interface.

[0016] The present invention is preferably implemented such that the packet communications apparatus does not forward packets received at a network interface set in the disconnected state to a network interface set in the disconnected or connected state.

[0017] The present invention is preferably implemented such that the packet communications apparatus changes the state of a network interface to which a terminal operated by an authenticated user is linked to the connected state.

[0018] A still further feature of the present invention is that the packet communications apparatus essentially comprises a plurality of network interfaces, the packet forwarding unit, the filtering table, the packet filtering units that perform packet filtering according to the contents of the filtering table, and the processor for directives to change filtering that updates the contents of the filtering table by a directive from an external entity. To a filtering table whose contents are initially set to discard all received packets, information permitting the packet communications apparatus to forward packets that include a specific source address can be added sequentially, according to a directive from the external entity.

[0019] The present invention is preferably implemented such that information for permitting the packet communications apparatus to forward packets whose destination address is the address of a terminal operated by an authenticated user is sequentially added to the filtering table.

[0020] Yet another feature of the present invention is that the packet communications apparatus essentially comprises a plurality of network interfaces, the packet forwarding unit, the filtering table, the learned address table, and the processor for directive packets to change state, and when it receives a directive packet to change state that directs it to register the source address of the received packet into the filtering table and to register a specific address registered in the filtering table into the learned address table, the processor for directive packets to change state registers the specific address registered in the filtering table into the learned address table.

[0021] The present invention is preferably implemented such that the packet communications apparatus unconditionally forwards a packet whose destination address is registered in the learned address table and forwards a packet whose destination address is registered in the filtering table, but not registered in the learned address table, provided the packet includes a specific source address.

[0022] The present invention is preferably implemented such that the packet communications apparatus can be directed to register the address of a terminal operated by an authenticated user into the learned address table.

[0023] The present invention is preferably implemented such that the packet communications apparatus essentially comprises a plurality of network interfaces, the packet forwarding unit, and the address registration table, forwards a packet whose source address is registered in the address registration table, and encapsulates a packet whose source address is not registered in the address registration table and then sends the encapsulated packet to a specific address.

[0024] The present invention is preferably implemented such that, when encapsulating and sending a packet whose source address is not registered in the address registration table, as the destination address of the encapsulated packet, the address of the equipment that performs user authentication is specified in the packet.

[0025] The present invention is preferably implemented such that the packet communications apparatus registers the address of a terminal operated by an authenticated user into the address registration table.

[0026] The present invention is preferably implemented such that each network interface of the packet communications apparatus has a function of monitoring its state, thereby seeing whether it is in the disconnected state, and disconnects communication if it enters the disconnected state.
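The filtering-table variant of [0009] and [0018]-[0019] and the registration-table variant of [0010] and [0023]-[0025] are modelled together in the following Python, which is an added example and not code from the patent. It assumes a default-deny filtering unit per interface, a directive that names the interface and the authenticated user's address, an initial permit towards the server for authentication so that the authentication exchange itself can pass the filter, and constructed addresses from the 192.0.2.0/24 documentation range. The check that a directive really comes from the server for authentication is also added here: the summary states where the directive originates but not how that is verified.

```python
"""Added example: IP-layer variants of the packet communications apparatus.
Class names, the directive format and all addresses are constructed for this
example; they are not taken from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

AUTH_SERVER = "192.0.2.10"   # constructed addresses (RFC 5737 documentation range)
FILE_SERVER = "192.0.2.20"
USER = "192.0.2.101"
OTHER = "192.0.2.102"


@dataclass(frozen=True)
class IpPacket:
    src: str
    dst: str


@dataclass(frozen=True)
class Permit:
    src: Optional[str]   # None matches any address
    dst: Optional[str]

    def matches(self, pkt: IpPacket) -> bool:
        return self.src in (None, pkt.src) and self.dst in (None, pkt.dst)


class FilteringUnit:
    """One per physical interface (claim 4). An empty table means 'discard all';
    permits are appended sequentially as users are authenticated ([0018])."""

    def __init__(self) -> None:
        self.permits: List[Permit] = []

    def decide(self, pkt: IpPacket) -> str:
        return "forward" if any(p.matches(pkt) for p in self.permits) else "discard"


class Router:
    def __init__(self, user_ifaces: List[str], server_iface: str) -> None:
        self.server_iface = server_iface
        self.filters: Dict[str, FilteringUnit] = {
            i: FilteringUnit() for i in [*user_ifaces, server_iface]}
        # Assumption: the authentication exchange must get through a fresh table,
        # so each user-side interface starts with one permit towards the server.
        for i in user_ifaces:
            self.filters[i].permits.append(Permit(None, AUTH_SERVER))
        self.registration: Set[str] = set()   # IP address registration table (claim 5)

    def change_filtering(self, iface: str, user_ip: str, *, from_addr: str) -> bool:
        """Processor for directives to change filtering. Added check: only a
        directive from the server for authentication is acted on."""
        if from_addr != AUTH_SERVER:
            return False
        self.filters[iface].permits.append(Permit(user_ip, FILE_SERVER))        # [0009]: user -> file server
        self.filters[self.server_iface].permits.append(Permit(None, user_ip))  # [0019]: replies to the user (assumed on the server-side interface)
        self.registration.add(user_ip)                                         # [0025]
        return True

    def forward_filtered(self, iface: str, pkt: IpPacket) -> str:
        return self.filters[iface].decide(pkt)

    def forward_registered(self, pkt: IpPacket) -> Tuple[str, str]:
        """Claim 5: registered source -> forward as is; otherwise encapsulate the
        whole packet and send it to the server for authentication ([0024])."""
        if pkt.src in self.registration:
            return ("forward", pkt.dst)
        return ("encapsulated", AUTH_SERVER)


def scenario() -> Dict[str, object]:
    """A user on port1 before and after authentication, plus a forged directive."""
    rt = Router(user_ifaces=["port1", "port2"], server_iface="uplink")
    to_file = IpPacket(USER, FILE_SERVER)
    r: Dict[str, object] = {}
    r["unauth_filtered"] = rt.forward_filtered("port1", to_file)                    # discard
    r["unauth_to_auth"] = rt.forward_filtered("port1", IpPacket(USER, AUTH_SERVER))  # forward
    r["unauth_registered"] = rt.forward_registered(to_file)                         # encapsulated
    r["forged_directive"] = rt.change_filtering("port1", OTHER, from_addr=OTHER)     # ignored
    r["directive"] = rt.change_filtering("port1", USER, from_addr=AUTH_SERVER)       # applied
    r["auth_filtered"] = rt.forward_filtered("port1", to_file)                      # forward
    r["auth_reply"] = rt.forward_filtered("uplink", IpPacket(FILE_SERVER, USER))     # forward
    r["other_user_same_port"] = rt.forward_filtered("port1", IpPacket(OTHER, FILE_SERVER))  # discard
    r["auth_registered"] = rt.forward_registered(to_file)                           # forward
    r["other_registered"] = rt.forward_registered(IpPacket(OTHER, FILE_SERVER))     # encapsulated
    return r


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Because authorization here is keyed on the source address rather than on an interface state, a second terminal behind the same interface (OTHER in the scenario) is still discarded until it is authenticated in its own right.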

[0027] The present invention is preferably implemented such that, when a terminal is disconnected from the network, the network interface that detected the disconnection automatically changes to “disconnected” state.

[0028] The present invention is preferably implemented such that the packet communications apparatus memorizes the addresses respectively assigned to terminal users and sets packet filtering On/Off, according to the memorized addresses.

[0029] Other and further objects, features and advantages of the invention will appear more fully from the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

[0030] A preferred form of the present invention is illustrated in the accompanying drawings, in which:

[0031] FIG. 1 is a structural diagram of a packet communications apparatus in accordance with a preferred embodiment of the present invention;

[0032] FIG. 2 is a structural diagram of one of network interfaces 102 to 107;

[0033] FIG. 3 illustrates a learned address table 108 and entries;

[0034] FIG. 4 is a topological schematic diagram of a network system in which a LAN switch 100 is used;

[0035] FIG. 5 is a diagram of a communication sequence after the connection of a user terminal 403 to a network port 409;

[0036] FIG. 6 is a flowchart illustrating how the LAN switch 100 forwards a packet;

[0037] FIG. 7 illustrates the learned address table 108 and updated entries;

[0038] FIG. 8 is a flowchart of the step 604 mentioned in FIG. 6;

[0039] FIG. 9 illustrates a forwarding table 901 and entries;

[0040] FIG. 10 is a structural diagram of a packet communications apparatus configured in accordance with another preferred embodiment of the invention;

[0041] FIG. 11 is a structural diagram of one of filtering units 1012 to 1017;

[0042] FIG. 12 illustrates a filtering table 1101 and entries;

[0043] FIG. 13 is a topological schematic diagram of a network system in which a router 1000 is used;

[0044] FIG. 14 is a diagram of a communication sequence after the connection of a user terminal 1333 to a network port 409;

[0045] FIG. 15 illustrates the filtering table 1101 and updated entries;

[0046] FIG. 16 is a structural diagram of a packet communications apparatus configured in accordance with a further preferred embodiment;

[0047] FIG. 17 illustrates a filtering table 1606 and entries;

[0048] FIG. 18 illustrates a learned address table 1606 and entries;

[0049] FIG. 19 is a topological schematic diagram of a network system in which a LAN switch 1600 is used;

[0050] FIG. 20 is a diagram of a communication sequence after the connection of a user terminal 1905 to a network port 409 of network B;

[0051] FIG. 21 is a flowchart illustrating how the LAN switch 1600 forwards a packet;

[0052] FIG. 22 illustrates the learned address table 1606 and updated entries;

[0053] FIG. 23 is a topological schematic diagram of a network system in which a router 2300 is used;

[0054] FIG. 24 is a diagram of a communication sequence after the connection of a user terminal 2312 to a network port connected to network B 2313;

[0055] FIG. 25 is a flowchart illustrating how the router 2300 forwards a packet;

[0056] FIG. 26 is a flowchart illustrating how a server for authentication 2310 handles a packet it has received;

[0057] FIG. 27 illustrates an IP address registration table 2306 and entries in the initial state;

[0058] FIG. 28 is a topological schematic diagram of a network system wherein a plurality of networks are interconnected via a plurality of packet communications apparatuses A to C 2801 and a route 2820;

[0059] FIG. 29 illustrates a subnet table 2814 and entries;

[0060] FIG. 30 illustrates an address for authentication table 2813 and entries;

[0061] FIG. 31 illustrates an out-of-authentication address table 2812 and an entry;

[0062] FIG. 32 is a flowchart illustrating how each packet communications apparatus forwards a packet;

[0063] FIG. 33 is a diagram of a communication sequence after the connection of a user terminal 2806 to a network in a network ports system 2830;

[0064] FIG. 34 is a flowchart illustrating an ARP packet learning process to be executed by each packet communications apparatus 2801;

[0065] FIG. 35 illustrates a learned address table 2811 and entries;

[0066] FIG. 36 illustrates the learned address table 2811 and updated entries;

[0067] FIG. 37 illustrates the learned address table and updated entries; and

[0068] FIG. 38 is a flowchart illustrating a process of updating the learned address table 2811 to be executed by each packet communications apparatus 2801.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0069] With reference to the appended drawings, preferred embodiments of the present invention will be described below.

[0070] FIG. 1 is a structural diagram of a packet communications apparatus configured in accordance with a preferred embodiment (first illustrative embodiment) of the present invention.

[0071] A LAN switch 100 as the packet communications apparatus, for example, comprises a packet forwarding unit 101, a plurality of network interfaces (hereinafter abbreviated to NIFs) 102 to 107, a learned address table 108, and a processor for directive packets to change state (hereinafter abbreviated to PDPCS) 109. The NIFs 102 to 107 are assigned respective names (A to F as shown) for their unique identification. Instead of names, numbers or the like may be used, provided the NIFs can be uniquely identified by them.

[0072] These NIFs 102 to 107 are respectively connected to different networks and perform packet sending/receiving. In the first illustrative embodiment, it is assumed that 802.3 networks of the CSMA/CD type, the specifications thereof being prescribed by the IEEE, are connected to the switch with twisted pair cables. However, the present invention is applicable to other types of networks (for example, wireless networks).

[0073] The packet forwarding unit 101 connects with all NIFs 102 to 107 and performs packet forwarding on the data link layer of the Open System Interconnection (OSI) reference model. The learned address table 108 contains the information required for the packet forwarding unit 101 to determine the NIF through which to send a packet.

[0074] FIG. 3 illustrates the learned address table 108 and entries (1).

[0075] The learned address table 108 contains entries in an address field 301 and a sending port field 302. The address field 301 contains a physical address (hereinafter represented as a MAC address) and the sending port field 302 contains the name of an NIF. The meaning of each entry line in the learned address table 108 is that, if the destination address of a packet matches the address in the address field 301, the packet is sent through the NIF in the sending port field 302 on the same entry line. Additionally, a plurality of NIFs may be registered in the sending port field 302. As a special case, if the MAC address of the LAN switch 100 itself has been registered in the address field 301 and "X" in the sending port field 302, the meaning of this entry line is that the packet is handled as a packet addressed to the LAN switch 100 itself.

[0076] The PDPCS 109 receives via the packet forwarding unit 101 a directive packet to change state sent across any network connected to the LAN switch 100 from an external entity (e.g., a server for authentication 401 which will be described later) to the LAN switch 100 . The PDPCS 109 notifies the appropriate one of the NIFs 102 to 107 of the contents of the received directive packet to change state. The directive packet to change state holds a directive to change the state of a specific NIF to a specific state as information. As the protocol for packet communications discussed herein, for example, a Simple Network Management Protocol (SNMP) is used. However, other protocols such as a telecommunications network protocol (telnet) and a Hyper Text Transfer Protocol (HTTP) may be used. While the LAN switch 100 is used as the packet communications apparatus in the first illustrative embodiment, the present invention is applicable to a router and other types of packet communications apparatus.

[0077] FIG. 2 is a structural diagram of one of the NIFs 102 to 107.

[0078] An NIF, any one of 102 to 107, for example, comprises a physical interface 201 at which a network link is terminated, a link down detector 202 that finds whether the network is now workable, and a state manager 203 that controls the state of the NIF, wherein the physical interface 201 and the state manager 203 are connected to the packet forwarding unit 101.

[0079] The link down detector 202 electrically finds whether the circuit (cable) of the network is connected to the LAN switch, or whether a terminal connected to the LAN switch over the line is in the communication-enabled (powered-on) state. The link down detector 202 notifies the state manager 203 of a detected link-down. In the first illustrative embodiment, the link down detector 202 detects link-down as follows: after the physical interface 201 alerts it to watch for the link-down state, if that state continues for 100 ms or longer, it judges that the link is down. If an optical fiber is used as the circuit, link-down detection depends on whether optical signals arrive. If a wireless channel is used instead, that detection depends on whether radio waves arrive.

[0080] The state manager 203 controls the state of the NIF that may be “connected” state, “disconnected” state, or “stateless.” The user (the administrator of the switch) can preset the NIF, any one of 102 to 107 , in the “connected” state or “stateless” invariably by instructing the state manager 203 to do so. The NIF, any one of 102 to 107 , is fixed in either state if set by the user; otherwise, it is initially put in the “disconnected” state. When the link down detector 202 notifies the state manager 203 of link-down, the state manager changes the NIF state to the “disconnected” state unless a specific state is preset by the user. Moreover, when the PDPCS 109 gives the state manager some instruction, the state manager changes the NIF state to one of the above three states, according to the instruction.

[0081] Then, using a network system as will be shown in FIG. 4 as an example, the operation of the network system in which the packet communications apparatus of the present invention is used will be described below.

[0082] FIG. 4 is a topological schematic diagram of the network system in which the LAN switch 100 of the first illustrative embodiment is used.

[0083] The present network system, for example, comprises the LAN switch 100 (with its MAC address being 22:22:00:FF:FF:FF); a server for authentication 401 (with its MAC address being 22:22:00:11:11:11) connected to the NIF-A 102 of the LAN switch 100; a file server 402 (with its MAC address being 22:22:00:22:22:22) connected to the NIF-B 103 of the LAN switch 100; so-called network ports 409 respectively linked to the NIFs C to F, 104 to 107, allowing end users to use networking service by freely connecting their terminals thereto; and a representative user terminal 403 (with its MAC address being 22:22:FF:00:00:01) connected via a network port 409 to the NIF-C 104.

[0084] The server for authentication 401 judges whether a terminal user that is attempting connection is authorized to use networking service and notifies the LAN switch 100 of the result. In the first illustrative embodiment, a terminal user is authenticated by user ID and password. The initial settings of the NIFs A to F (102 to 107) of the LAN switch 100 are assumed as follows: NIF-B 103 is set in the invariably "connected" state, NIF-A 102 is set "stateless", and the remaining NIFs C to F (104 to 107) are not preset in any state. Thus, the NIFs C to F (104 to 107) remain in the "disconnected" state after initialization (at this time, the contents of the learned address table 108 in the LAN switch 100 are as shown in FIG. 3).

[0085] Then, in the present network system, assume that the user terminal 403 (with its MAC address being 22:22:FF:00:00:01) has now been connected to the network port 409 that is connected to the NIF-C. This case will be discussed below.

[0086] FIG. 5 is a diagram of the communication sequence after the user connects the user terminal 403 to the network port 409.

[0087] If the user terminal 403 is not yet user-authenticated, but access to the file server 402 is attempted from it, a packet 501 addressed to the file server is sent from the user terminal 403 with its destination address being the MAC address (22:22:00:22:22:22) of the file server and its source address being the MAC address (22:22:FF:00:00:01) of the user terminal 403. When the LAN switch 100 receives the packet 501, a process of forwarding the packet begins, which will be explained below.

[0088] FIG. 6 is a flowchart illustrating how the LAN switch 100 forwards a packet it received.

[0089] The packet forwarding unit 101 of the LAN switch 100, which received the packet 501, refers to the learned address table 108. If the source address (the MAC address 22:22:FF:00:00:01 of the user terminal 403) is not registered in the learned address table 108, the packet forwarding unit 101 registers it into the address field 301 on an additional entry line in the learned address table 108. At the same time, the packet forwarding unit 101 registers C, the name of the NIF that received the packet 501, into the sending port field 302.

[0090] FIG. 7 illustrates the learned address table 108 and entries ( 2 ).

[0091] In the learned address table 108 , the MAC address of the user terminal 403 as the source address has now been registered in the address field on the entry # 4 line and NIF-C in the sending port field as well.

[0092] Since the destination address, the MAC address (22:22:00:22:22:22) of the file server 402 has been registered in the learned address table 108 (step 602 ), then, the packet forwarding unit 101 obtains NIF-B information as the port through which to send the packet 501 , from the content of the sending port field 302 on the entry line on which the destination address of the file server 402 has been registered in the learned address table 108 (step 603 ). Then, the packet forwarding unit 101 carries out the forwarding process (step 604 ).

[0093] The step 604 will now be explained.

[0094] FIG. 8 is a flowchart of the step 604 .

[0095] First, the packet forwarding unit 101 judges whether the sending port (NIF-B 103 in this case) and the receiving port (NIF-C 104 in this case) are the same (step 801 ). Since the sending port and the receiving port are different in the case in question, the packet forwarding unit 101 forwards the packet, according to a forwarding table 901 which will be described below (step 802 ).

[0096] FIG. 9 illustrates the forwarding table 901 and entries.

[0097] The forwarding table 901 is used by the packet forwarding unit to determine whether to forward or discard a packet, depending on the receiving port state and the sending port state. According to the table entries in the case in question, the receiving port (NIF-C 104) of the LAN switch 100 at which the packet 501 sent from the user terminal 403 was received remains in the “disconnected” state, while the sending port (NIF-B 103) is set in the “connected” state. Thus, the forwarding table 901 indicates “discard.” In consequence, the packet 501 is discarded by the packet forwarding unit 101. By this action, the access from the unauthenticated user terminal 403 to the file server 402 has been prevented.

[0098] Then, a case where the user terminal 403 sends the server for authentication 401 a packet 502 addressed to the server for authentication will be discussed.

[0099] The user terminal 403 sends the packet 502 with its destination address being the MAC address (22:22:00:11:11:11) of the server for authentication 401 and its source address being the MAC address (22:22:FF:00:00:01) of the user terminal 403 . When the LAN switch 100 receives that packet 502 , its packet forwarding unit 101 begins the process of forwarding the packet, according to the above flowchart shown in FIG. 6 .

[0100] The packet forwarding unit 101 skips the first step (registration of the source address) because the MAC address (22:22:FF:00:00:01) of the user terminal 403 was already registered into the learned address table 108 on reception of the preceding packet 501. Since the destination address, the MAC address (22:22:00:11:11:11) of the server for authentication 401, has been registered in the learned address table 108 (step 602), the packet forwarding unit 101 obtains NIF-A information as the port through which to send the packet 502, from the content of the sending port field 302 on the entry line on which the destination address of the server for authentication 401 has been registered in the learned address table 108 (step 603). Then, the packet forwarding unit 101 carries out the forwarding process (step 604).

[0101] The step 604 will now be explained again, referring to FIGS. 8 and 9 .

[0102] In the first step in FIG. 8, since the sending port (NIF-A 102 in this case) and the receiving port (NIF-C 104 in this case) are different (step 801), the process goes to the step 802. In the forwarding table 901 shown in FIG. 9, since the state of the NIF-C 104 that is the receiving port is “disconnected” and the state of the NIF-A 102 that is the sending port is “stateless,” the forwarding table 901 indicates “forward.” In consequence, the packet forwarding unit 101 forwards the packet 502 to the server for authentication 401 through the NIF-A 102.

[0103] Moreover, a reply packet 503 is similarly forwarded from the server for authentication 401 to the user terminal 403 . In this case, the NIF-A 102 is the port to receive the packet 503 and the NIF-C 104 is the port to send it. The forwarding table 901 indicates “forward” as the state of the NIF-C is “disconnected” and the state of the NIF-A is “stateless.” Consequently, the packet forwarding unit 101 forwards the packet 503 to the user terminal 403 through the NIF-C 104 . Thereby, a bidirectional communication path between the server for authentication 401 and the user terminal 403 has now been established and a user authentication procedure begins.

[0104] On the server for authentication 401, if, for example, the user ID and password 504 included in the packet 502 sent from the user terminal 403 match those that it holds as those of a user authorized to use networking service, the server sends notice of connection permission to the LAN switch 100. For the notice of connection permission, a directive packet to change state 505 with its destination address being the MAC address (22:22:00:FF:FF:FF) of the LAN switch 100 is used. The packet 505 includes the directive to “change to connected state” and the MAC address (22:22:FF:00:00:01) of the user terminal 403 as information.

[0105] When the LAN switch 100 receives the directive packet to change state 505, its packet forwarding unit 101 refers to the learned address table 108. Return to FIG. 6. In the learned address table 108, “X” is designated in the sending port field 302 on the entry line on which the MAC address of the LAN switch 100 itself, the destination address of the directive packet to change state 505, has been registered (step 602). Thus, the packet forwarding unit 101 internally forwards the packet 505 to the PDPCS 109 (step 605). The PDPCS 109 obtains the MAC address (22:22:FF:00:00:01) of the user terminal 403 from the information included in the packet 505 and searches through the address fields 301 of the learned address table 108 for that MAC address. For the NIF (C in this case) designated in the sending port field 302 on the entry line on which the searched-out MAC address of the user terminal 403 has been registered, the PDPCS 109 directs that its state be changed to the “connected” state.

[0106] In the NIF-C 104, the state manager 203 changes the NIF state from “disconnected” to “connected.” After that, the NIF-C 104, that is, the port to receive a packet 506 addressed to the file server sent from the user terminal 403, is set in the “connected” state. In this case, because the NIF-B 103, that is, the port to send the packet, is also held in the “connected” state, the forwarding table 901 indicates “forward.” Thus, the user terminal 403 becomes able to access the file server 402.

[0107] Then, assume that the user terminal 403 has now been disconnected from the network port 409 . In this case, the LAN switch 100 operates as will be explained below.

[0108] When the user disconnects the user terminal 403 from the network port 409 by pulling out the cable (twisted pair) therefrom, the physical interface 201 of the NIF-C 104 enters the link down state. On the elapse of 100 ms with the NIF staying in that state, the link down detector 202 notifies the state manager 203 of link-down. The state manager 203 , when being notified of link-down, changes the state of the NIF-C 104 to “disconnected” state. Thus, even if a new user terminal is connected to the same network port 409 , access from the user terminal to the file server 402 will be disabled until it is user-authenticated.

[0109] As described above, by using the LAN switch 100 configured in accordance with the first illustrative embodiment, a network system can be built that refuses access from an unauthenticated user terminal 403 to the file server 402; only after the terminal user is authenticated does the terminal become able to access the server. After disconnection of the user terminal 403 from the network port, access to the file server 402 through that network port is refused until another user terminal connected to the port is user-authenticated. While the case where the user terminal 403 has been connected to the network port 409 connected to the NIF-C 104 was discussed above in the first illustrative embodiment, the NIFs C to F, 104 to 107, operate the same and produce the same effect no matter which network port 409 is used as the port to which the user terminal 403 is connected.

[0110] Furthermore, in the first preferred embodiment, the state of each NIF is reinitialized to “disconnected” state on the detection of link-down. Alternatively, a terminal user may notify the server for authentication 401 of a disconnection by communicating therewith before the user disconnects the link. Upon receiving that notification, the server for authentication 401 sends a packet including directive information to “change to disconnected state” and the MAC address of the user terminal 403 to the MAC address (22:22:00:FF:FF:FF) of the LAN switch 100 . The PDPCS 109 receives this packet and the state of the NIF that forms the link changes to “disconnected” state as directed by the PDPCS. According to this manner, the user can perform On/Off control of using networking service without disconnecting the user terminal 403 from the network port 409 .
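The port-state mechanism of the first embodiment, as an added example that is not part of the patent text: a minimal model of the LAN switch 100 (NIF states, learned address table 108, the same-port check of step 801 and the forwarding table 901) replayed on the FIG. 5 sequence. The text only spells out four cells of the forwarding table; the remaining cells are an assumption here (forward whenever either port is “stateless”, otherwise only when both ports are “connected”).

```python
"""Model of LAN switch 100 (first embodiment). Added example, not patent code.
Forwarding-table cells not stated in the text are an assumption."""

CONNECTED, DISCONNECTED, STATELESS = "connected", "disconnected", "stateless"
SWITCH_MAC = "22:22:00:FF:FF:FF"
AUTH_MAC = "22:22:00:11:11:11"
FILE_MAC = "22:22:00:22:22:22"
USER_MAC = "22:22:FF:00:00:01"


def forwarding_table(recv_state: str, send_state: str) -> str:
    """Forwarding table 901: 'forward' or 'discard' from the two port states.
    Stated in the text: (disconnected, connected) -> discard,
    (disconnected, stateless) -> forward, (stateless, disconnected) -> forward,
    (connected, connected) -> forward.  All other cells are an assumption."""
    if STATELESS in (recv_state, send_state):
        return "forward"
    if recv_state == CONNECTED and send_state == CONNECTED:
        return "forward"
    return "discard"


class LanSwitch:
    def __init__(self):
        # Initial NIF states per [0084]: B always connected, A stateless,
        # C to F disconnected.
        self.state = {"A": STATELESS, "B": CONNECTED, "C": DISCONNECTED,
                      "D": DISCONNECTED, "E": DISCONNECTED, "F": DISCONNECTED}
        # Learned address table 108: MAC -> sending port ("X" = the switch itself).
        self.learned = {SWITCH_MAC: "X", AUTH_MAC: "A", FILE_MAC: "B"}
        self.forwarded = []   # (src, dst, port) of every packet actually sent

    def receive(self, recv_port, src, dst, directive=None):
        """FIG. 6 / FIG. 8 handling of one received packet; returns the action."""
        self.learned.setdefault(src, recv_port)          # learn source on this port
        send_port = self.learned.get(dst)
        if send_port is None:
            return "unknown-destination"                 # branch not covered by the text
        if send_port == "X":                             # step 605: to the PDPCS
            return "discard" if directive is None else self.pdpcs(directive)
        if send_port == recv_port:                       # step 801
            return "discard"
        action = forwarding_table(self.state[recv_port], self.state[send_port])
        if action == "forward":
            self.forwarded.append((src, dst, send_port))
        return action

    def pdpcs(self, directive):
        """PDPCS 109: directive = (terminal MAC, new state) -> state manager 203."""
        target_mac, new_state = directive
        port = self.learned.get(target_mac)
        if port is None or port == "X":
            return "no-such-terminal"
        self.state[port] = new_state
        return f"{port}:{new_state}"

    def link_down(self, port):
        """Link down detector 202 -> state manager 203: back to disconnected."""
        self.state[port] = DISCONNECTED


def fig5_sequence():
    """Replays packets 501 to 506 of FIG. 5, then the cable pull of [0108]."""
    sw = LanSwitch()
    r = {}
    r["501"] = sw.receive("C", USER_MAC, FILE_MAC)       # unauthenticated -> discard
    r["502"] = sw.receive("C", USER_MAC, AUTH_MAC)       # to auth server -> forward
    r["503"] = sw.receive("A", AUTH_MAC, USER_MAC)       # reply -> forward
    # 505: the auth server directs the switch to set the terminal's NIF to connected.
    r["505"] = sw.receive("A", AUTH_MAC, SWITCH_MAC, (USER_MAC, CONNECTED))
    r["506"] = sw.receive("C", USER_MAC, FILE_MAC)       # now forwarded
    sw.link_down("C")
    r["after_link_down"] = sw.receive("C", USER_MAC, FILE_MAC)   # discard again
    return r


if __name__ == "__main__":
    print(fig5_sequence())
```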

[0111] FIG. 10 is a structural diagram of a packet communications apparatus configured in accordance with another preferred embodiment (second illustrative embodiment) of the present invention.

[0112] A router 1000 as the packet communications apparatus, for example, comprises a plurality of physical interfaces (hereinafter abbreviated to PHYS. IFs) 1002 to 1007, a packet forwarding unit 1001, a plurality of filtering units 1012 to 1017, and a processor for directives to change filtering (hereinafter abbreviated to PDCF) 1009. The PHYS. IFs 1002 to 1007 are respectively connected to different networks and perform packet sending/receiving. In the second illustrative embodiment, the IP protocol (IPv4, IP version 4) is used as the protocol for forwarding packets. The present invention is, however, applicable to other network layer protocols such as, for example, IPv6 (IP version 6). While the router 1000 is used as the packet communications apparatus in the second illustrative embodiment, the present invention is applicable to other types of packet communications apparatus such as a LAN switch.

[0113] FIG. 11 is a structural diagram of one of the filtering units 1012 to 1017 .

[0114] A filtering unit, any of 1012 to 1017 , comprises a filtering table 1101 and a packet processor 1102 . The filtering table contains information used for judgment as to whether to forward or discard a packet. The packet processor 1102 discards a packet or transfers it to the packet forwarding unit 1001 , according to the information contained in the filtering table 1101 . The packet transferred to the packet forwarding unit 1001 is further transferred to one of the PHYS. IFs 1002 to 1007 . Each filtering table 1101 is connected with the PDCF 1009 and the contents of the table 1101 can be changed as directed by the PDCF 1009 .

[0115] FIG. 12 illustrates a filtering table 1101 and entries ( 1 ).

[0116] The filtering table 1101 contains information used for judgment as to whether to forward or discard a packet, with entries in a destination address condition field 1201, a source address condition field 1202, and a forward/discard flag field 1203. In the destination address condition field 1201 and the source address condition field 1202, an IP address or data representing an “arbitrary” address is registered. In the forward/discard flag field 1203, information is registered to indicate whether to forward or discard a received packet whose destination address and source address match the destination address condition and the source address condition. If a packet meets a plurality of entries of address information, the top one out of those entries applies to the packet. For a packet not meeting any entry, the filtering unit transfers it to the packet forwarding unit 1001.

[0117] The PDCF 1009 communicates with a server for authentication 1311 via a network and receives a directive to change filtering from the server for authentication 1311 . While telnet is assumed as the communication protocol in the second illustrative embodiment, other protocols such as HTTP and Common Open Policy service (COPS) may be used. The directive to change filtering includes information to be registered or deleted on a target entry line and a directive to add/delete it. The PDCF 1009 reflects the directive in the filtering table of the filtering unit, any of 1012 to 1017 , corresponding to the PHYS. IF, any of 1002 to 1007 , connected to the subnet to which the specified IP address contained in the source address condition field 1202 belongs.

[0118] FIG. 13 is a topological schematic diagram of a network system in which the router 1000 is used.

[0119] The present network system, for example, includes subnets A to F, 1302 to 1307, respectively connected to the PHYS. IFs 1002 to 1007 of the router 1000; a server for authentication 1311 connected to subnet A 1302; a file server 1322 connected to subnet B 1303; a plurality of network ports 409 respectively linked to subnets C to F, 1304 to 1307, allowing end users to freely connect their terminal thereto; and a representative user terminal 1333 connected via a network port 409 to subnet C 1304.

[0120] In the initial state, nothing is registered in the filtering tables 1101 of the filtering units A 1012 and B 1013 of the router 1000. In the filtering tables 1101 of the filtering units C to F, 1014 to 1017, the same contents as illustrated in FIG. 12 are set.

[0121] Then, in the present network system, assume that the user terminal 1333 has been connected to the network port 409 connected to the subnet C 1304 . This case will be discussed below.

[0122] FIG. 14 is a diagram of communication sequence after the user makes the connection of the user terminal 1333 to the network port 409 .

[0123] To access the file server 1322, the user terminal 1333 that is not yet user-authenticated sends a packet 1401 addressed to the file server, that is, with its destination address being the IP address (192.168.2.2) of the file server 1322. In this case, the packet 1401 is transferred via the PHYS. IF-C 1004 of the router 1000 to the filtering unit C 1014. In the filtering table 1101 of the filtering unit C 1014, as illustrated in FIG. 12, entry #2 exists, on the line of which the content of the destination address condition field 1201 matches the destination address included in the packet 1401. The filtering unit C 1014 refers to entry #2 in the filtering table 1101 and looks up the contents of the associated source address condition field 1202 and forward/discard flag field 1203. The content of the forward/discard flag field 1203 on the entry #2 line in the filtering table 1101 indicates “discard.” Thus, the filtering unit C 1014 discards the packet 1401, according to the contents of the filtering table 1101. In consequence, the packet 1401 sent from the unauthenticated user terminal 1333 does not arrive at the file server 1322.

[0124] Next, a procedure in which the user terminal 1333 is user-authenticated and permitted for access to the file server 1322 will be explained.

[0125] To gain authentication, the user terminal 1333 sends a packet 1402 with its destination address being the IP address (192.168.1.1) of the server for authentication 1311. The packet 1402 is received by the PHYS. IF-C 1004 of the router 1000 and transferred to the filtering unit C 1014. The filtering unit C 1014 searches the filtering table 1101 for a match with the packet 1402. In this case, the contents of the destination address condition fields 1201 on both lines of entries #1 and #2 in the filtering table 1101 match the destination address included in the packet 1402.

[0126] Of these entries registered in the table, the top one, namely entry #1, applies to the packet 1402. The content of the forward/discard flag field 1203 on the line of entry #1 in the filtering table 1101 indicates “forward.” Thus, the filtering unit C 1014, which referred to entry #1 of the filtering table 1101, transfers the packet to the packet forwarding unit 1001, according to the content of the forward/discard flag field 1203. The packet forwarding unit 1001 forwards the packet 1402 through the PHYS. IF-A 1002 to the server for authentication 1311. Thereby, a communication path from the user terminal 1333 to the server for authentication 1311 has now been established.

[0127] A reply packet 1403 sent from the server for authentication 1311 to the user terminal 1333 is received by the PHYS. IF-A 1002 and transferred to the filtering unit A 1012. The filtering table 1101 of the filtering unit A 1012 has no entries registered. Thus, the filtering unit A 1012 transfers the packet 1403 to the packet forwarding unit 1001.

[0128] The packet forwarding unit 1001 sends the packet 1403 through the PHYS. IF-C to the user terminal 1333 . Thereby a bidirectional communication path between the user terminal 1333 and the server for authentication 1311 has now been established so that the user of the user terminal 1333 can gain authentication from the server for authentication 1311 .

[0129] The packet 1403 requests the user terminal 1333 to send a user ID and password. Thus, the user inputs the user ID and password to the user terminal 1333, which received the packet 1403. A packet 1404 including the input user ID and password is sent from the user terminal 1333 to the server for authentication 1311. The packet 1404 is forwarded by the router 1000 as described above and received by the server for authentication 1311. On the server for authentication 1311, if the user ID and password included in the packet 1404 sent from the user terminal 1333 match those that it holds as those of a user authorized to make a networking connection, the server communicates with the PDCF 1009 of the router 1000 and issues a directive 1405 to add an entry line to the filtering table 1101 and register “arbitrary” into the destination address condition field 1201, “192.168.3.3,” namely the IP address of the user terminal 1333, into the source address condition field 1202, and “forward” into the forward/discard flag field 1203.

[0130] FIG. 15 illustrates the filtering table 1101 and entries ( 2 ).

[0131] Since the subnet (subnet C 1304 ) to which the source address condition “192.168.3.3” specified by the directive from the server for authentication 1311 belongs is connected to the PHYS. IF-C 1004 , the PDCF 1009 adds an entry line and registers those specified by the directive to the filtering table 1101 of the filtering unit C 1014 . As a result, a new entry # 1 line is added to the filtering table 1101 of the filtering unit C 1014 and the filtering table 1101 contains three sets of entries numbered # 1 to # 3 as illustrated in FIG. 15 .

[0132] After that, when the user terminal 1333 sends a packet 1406 addressed to the file server 1322, the source address included in the packet 1406 matches the source address condition on the line of entry #1 in the filtering table 1101 of the filtering unit C 1014. Thus, the packet 1406 is transferred from the filtering unit C 1014 to the packet forwarding unit 1001 and forwarded to the file server 1322. In consequence, the user terminal 1333 becomes able to access the file server 1322.

[0133] As described above, by using the router 1000 , a network system can be built that refuses access to the file server 1322 from a user terminal 1333 that is not yet user-authenticated by the server for authentication 1311 ; only after being user-authenticated, the user terminal 1333 is permitted to access the file server 1322 . The PHYS. IFs 1002 to 1007 of the router 1000 each can accommodate a plurality of network ports 409 . Moreover, the router has discrete filtering units per PHYS. IF so that the filtering load on the router 1000 can be distributed.
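The filtering-unit mechanism of the second embodiment, as an added example that is not part of the patent text: a model of the filtering table 1101 (first matching entry wins, no match means forward), the PDCF's insertion of a new top entry into the unit of the PHYS. IF whose subnet contains the source address condition, and the FIG. 14 sequence. The initial FIG. 12 contents and the /24 subnets per PHYS. IF are assumptions reconstructed from [0119], [0123] and [0125].

```python
"""Model of the router 1000 filtering units (second embodiment).
Added example, not patent code. Initial table contents and subnet
prefixes are assumptions inferred from the text."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ARBITRARY = "arbitrary"                      # wildcard value for a condition field
AUTH_IP, FILE_IP, USER_IP = "192.168.1.1", "192.168.2.2", "192.168.3.3"


@dataclass
class Entry:
    dst_cond: str    # destination address condition field 1201
    src_cond: str    # source address condition field 1202
    flag: str        # forward/discard flag field 1203 ("forward" or "discard")


def _matches(cond: str, addr: str) -> bool:
    return cond == ARBITRARY or cond == addr


@dataclass
class FilteringUnit:
    table: list = field(default_factory=list)   # filtering table 1101, entry #1 first

    def process(self, src: str, dst: str) -> str:
        """Packet processor 1102: top matching entry applies; no match -> forward."""
        for entry in self.table:
            if _matches(entry.dst_cond, dst) and _matches(entry.src_cond, src):
                return entry.flag
        return "forward"


@dataclass
class Router:
    # PHYS. IF name -> (subnet prefix, filtering unit). Prefixes are assumed /24s.
    ifaces: dict

    def pdcf_add(self, entry: Entry) -> str:
        """PDCF 1009: add the entry (as new entry #1) to the unit of the PHYS. IF
        connected to the subnet containing the source address condition."""
        target = ip_address(entry.src_cond)
        for name, (subnet, unit) in self.ifaces.items():
            if target in ip_network(subnet):
                unit.table.insert(0, entry)
                return name
        raise ValueError("no PHYS. IF serves " + entry.src_cond)

    def receive(self, iface: str, src: str, dst: str) -> str:
        return self.ifaces[iface][1].process(src, dst)


def initial_downlink_table() -> list:
    """Assumed FIG. 12 contents for filtering units C to F: only traffic to the
    server for authentication passes; everything else is discarded."""
    return [Entry(AUTH_IP, ARBITRARY, "forward"),
            Entry(ARBITRARY, ARBITRARY, "discard")]


def fig14_sequence() -> dict:
    router = Router({
        "A": ("192.168.1.0/24", FilteringUnit()),                         # empty
        "B": ("192.168.2.0/24", FilteringUnit()),                         # empty
        "C": ("192.168.3.0/24", FilteringUnit(initial_downlink_table())),
        "D": ("192.168.4.0/24", FilteringUnit(initial_downlink_table())),
    })
    r = {}
    r["1401"] = router.receive("C", USER_IP, FILE_IP)   # entry #2 -> discard
    r["1402"] = router.receive("C", USER_IP, AUTH_IP)   # entry #1 -> forward
    r["1403"] = router.receive("A", AUTH_IP, USER_IP)   # unit A empty -> forward
    # Directive 1405 after successful authentication: new entry #1 in unit C.
    r["1405_iface"] = router.pdcf_add(Entry(ARBITRARY, USER_IP, "forward"))
    r["1406"] = router.receive("C", USER_IP, FILE_IP)   # new entry #1 -> forward
    r["entries_c"] = len(router.ifaces["C"][1].table)   # FIG. 15: three entries
    # A different, unauthenticated terminal on subnet C is still blocked.
    r["other_terminal"] = router.receive("C", "192.168.3.4", FILE_IP)
    return r


if __name__ == "__main__":
    print(fig14_sequence())
```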

[0134] FIG. 16 is a structural diagram of a packet communications apparatus configured in accordance with a further preferred embodiment (third illustrative embodiment) of the present invention.

[0135] A LAN switch 1600 as the packet communications apparatus, for example, comprises a packet forwarding unit 1601 , a plurality of network interfaces (NIFs) 1602 to 1605 , a learned address table 1606 , a filtering table 1607 and a processor for directive packets to change state (PDPCS) 1608 . The NIFs 1602 to 1605 are assigned respective names (A to D as shown) for their unique identification. Instead of the names, numbers or the like may be used if the NIFs can uniquely be identified by them.

[0136] These NIFs 1602 to 1605 are respectively connected to different networks and perform packet sending/receiving. The networks are assumed compliant to 802.3 networks prescribed by the IEEE. In the following description, the NIF-A 1602 will be referred to as an “uplink” one and the NIFs B to D, 1603 to 1605 as “downlink” ones.

[0137] The packet forwarding unit 1601 performs forwarding of packets from a network to another network, according to the information held in the learned address table 1606 and filtering table 1607 . The PDPCS 1608 receives a directive packet to change state from a server for authentication which will be described later and updates the contents of the filtering table 1607 and learned address table 1606 . The directive packet to change state includes IP address and information indicating “permission/inhibition.”

[0138] FIG. 17 illustrates a filtering table 1607 and entries.

[0139] In the filtering table 1607 , information for identifying a packet not permitted to be forwarded is registered. The filtering table 1607 contains entries in a MAC address field 1701 , an IP address field 1702 , and a connection port field 1703 . In the MAC address field 1701 , a MAC address for which filtering is applied is registered. In the IP address field 1702 , the IP address associated with the MAC address is registered. In the connection port field, 1703 , the name of the NIF, any of 1602 to 1605 , connected to a network to which the user terminal having the MAC address belongs is registered.

[0140] FIG. 18 illustrates a learned address table 1606 and entries ( 1 ).

[0141] In the learned address table 1606 , information about the NIF through which a packet is forwarded is registered. The learned address table 1606 contains entries in a MAC address field 1801 and a connection port field 1802 . In the MAC address field 1801 , a MAC address that must exist in a packet to be forwarded is registered. In the connection port field 1802 , the name of the NIF, any of 1602 to 1605 , through which the LAN switch is to forward a packet including its destination MAC address that matches the content of the MAC address field is registered. Arrangement is made so that an entry that was not being referred to for a predetermined time is automatically deleted from the learned address table 1606 .

[0142] Then, using a network system as will be shown in FIG. 19 as an example, the operation of the network system in which the LAN switch 1600 is used will be described below.

[0143] FIG. 19 is a topological schematic diagram of the network system in which the LAN switch 1600 is used.

[0144] The present network system, for example, comprises the LAN switch 1600 ; networks A to D, respectively connected to the NIFs 1602 to 1605 of the LAN switch 1600 ; a plurality of network ports 409 linked via one of the networks B to D to one of the downlink NIFs B to D, 1603 to 1605 , allowing end users to freely connect their terminal thereto; a representative user terminal 1905 connected via a network port 409 to the network B; a router 1904 connected via the network A to the uplink NIF-A; and a file server, a DHCP server 1903 , and a server for authentication 1901 connected via a network to the router 1904 .

[0145] The router 1904 has a BootP relay agent function and performs packet forwarding based on the IP protocol. The DHCP server 1903 leases an IP address to a user terminal based on the DHCP protocol. The server for authentication 1901 sends notice of the result of user authentication in a directive packet to change state to the LAN switch 1600.

[0146] In the present network system, each unit of equipment connected to a specific network is assigned an IP address belonging to the network (IP address designation as shown). A physical address (hereinafter represented as a MAC address) is set for the interface of each unit of equipment connected to a specific network. “MAC address” designation as shown will be referenced if necessary in the following description.

[0147] Then, assume that the user terminal 1905 has now been connected to the network port 409 of network B. This case will be discussed below.

[0148] FIG. 20 is a diagram of communication sequence after the connection of the user terminal 1905 to the network port 409 of network B.

[0149] In the initial state, nothing is registered in the filtering tables 1607 of the LAN switch 1600 . The learned address table 1606 has one set of entries: MAC address (22:22:00:44:44:44) of the router 1904 in the MAC address field 1801 and the name of the NIF-A 1602 in the connection port field 1802 .

[0150] After the connection to the network port 409 , first, the user terminal 1905 sends an address request packet 2001 for requesting the assignment of an IP address to it by following the DHCP protocol. In this case, the user terminal 1905 sends the packet 2001 having a broadcast address as the destination address. The packet 2001 is received by the NIF-B 1603 of the LAN switch 1600 and transferred to the packet forwarding unit.

[0151] When the LAN switch 1600 receives the packet 2001 , a process of forwarding the packet begins, which will be explained below.

[0152] FIG. 21 is a flowchart illustrating how the packet forwarding unit 1601 of the LAN switch 1600 forwards the packet received.

[0153] Upon receiving the packet 2001 , the packet forwarding unit 1601 , which is abbreviated to PFU hereinafter, searches the learned address table 1606 for a registration matching the destination address of the packet 2001 (step 2101 ). Since the destination address is not registered in the learned address table 1606 , the PFU judges whether the destination address is a broadcast address (step 2102 ). Since the destination address is a broadcast address, the PFU judges whether the receiving port is uplink (step 2103 ). Since the receiving port is NIF-B 1603 that is not uplink, the PFU searches the learned address table 1606 for a registration matching the source address of the packet 2001 (step 2104 ). The source address, the MAC address (22:22:FF:00:00:01) of the user terminal 1905 is not registered in the learned address table. Since that address is not registered in the filtering table 1607 as well, the PFU 1601 registers the MAC address (22:22:FF:00:00:01) of the user terminal 1905 into the MAC address field 1701 on one entry line in the filtering table 1607 (step 2105 ).

[0154] In this case, as illustrated in FIG. 17 , the following are registered on the entry line in the filtering table 1607 : information “unregistered” in the IP address field and “B” as the name of NIF-B 1603 in the connection port field 1703 .

[0155] Then, the PFU 1601 forwards the packet 2001 to the uplink only, thus sending it to the router 1904 (step 2105 ).

[0156] Because the packet 2001 is the address request packet, it is forwarded to the DHCP server 1903 by the BootP relay agent function of the router 1904 .

[0157] Referring to FIG. 20 , an address leasing packet 2002 is sent back from the DHCP server 1903 to the router and further sent to the destination, MAC address (22:22:FF:00:00:01) of the user terminal 1905 , by the BootP relay agent function of the router 1904 .

[0158] The packet 2002 is received by the NIF-A 1602 of the LAN switch 1600 and transferred to the PFU 1601 . The PFU 1601 begins the process of forwarding the packet 2002 , according to the flowchart shown in FIG. 21 . The PFU 1601 searches the learned address table 1606 for a registration matching the destination address of the packet 2002 , namely, the MAC address (22:22:FF:00:00:01) of the user terminal 1905 (step 2101 ). Since the destination address is not registered in the learned address table 1606 , the PFU judges whether the destination address is a broadcast address (step 2102 ). Since the destination address is not a broadcast address, the PFU searches the filtering table 1607 for a registration matching the destination address (step 2106 ). Since the MAC address of the user terminal 1905 is registered in the filtering table 1607 , the PFU judges whether the receiving port is uplink (step 2107 ). Since the receiving port of the packet 2002 is NIF-A 1602 that is uplink, the PFU judges whether the communication protocol of the packet 2002 is IP protocol (step 2108 ). Since the communication protocol is IP protocol, the PFU judges whether the source IP address included in the packet 2002 is the IP address of the relay agent (router 1904 ) or the server for authentication (step 2109 ). Since the source IP address is the IP address of the relay agent (router 1904 ), the PFU 1601 forwards the packet 2002 . In this case, the PFU 1601 refers to the filtering table 1607 , entry # 1 , on the line of which the content of the MAC address field 1701 matches the destination address of the packet 2002 . Since the connection port field 1703 on the entry # 1 line contains a registration, the name of NIF-B 1603 , the PFU 1601 forwards the packet 2002 to the NIF-B 1603 and the packet is sent through the NIF-B 1603 (step 2110 ). Thereby, the address leasing packet 2002 is sent to the user terminal 1905 . 
Now, assume that IP address “192.168.5.1” has just been leased to the user terminal 1905 from the DHCP server 1903 .

[0159] Then, a case where access to the file server 1902 is attempted from the user terminal 1905 that is not yet user-authenticated by the server will be discussed below, wherein the IP protocol is used for the access.

[0160] In the network system shown in FIG. 19 , the file server 1902 (IP address 192.168.1.2) and the user terminal 1905 (IP address 192.168.5.1) are separately connected to different subnets. Thus, a packet 2003 that the user terminal 1905 sends the file server 1902 for accessing the server includes the IP address (192.168.1.2) of the file server 1902 as the destination IP address and the MAC address (22:22:00:44:44:44) of the router 1904 as the destination MAC address. The packet 2003 is sent from the user terminal 1905 and received by the NIF-B 1603 of the LAN switch 1600 . The NIF-B transfers the received packet 2003 to the PFU 1601 .

[0161] After the LAN switch 1600 receives the packet 2003, how its PFU 1601 carries out the process of forwarding the packet will be explained below, using the flowchart shown in FIG. 21.

[0162] Upon receiving the packet 2003, the PFU 1601 searches the learned address table 1606 for a registration matching the destination MAC address of the packet 2003 (step 2101). The destination address, the MAC address of the router 1904, is registered in the learned address table 1606. Thus, the PFU 1601 checks whether the communication protocol of the packet 2003 is IP protocol and whether the source MAC address included in the packet 2003 is registered in the filtering table 1607 (step 2111). The communication protocol of the packet 2003 is IP protocol and the source MAC address, the MAC address of the user terminal 1905, is registered in the filtering table 1607. Thus, the PFU 1601 registers the source IP address included in the packet 2003 into the IP address field 1702 on the entry line on which the MAC address of the user terminal 1905 has been registered in the filtering table 1607 (step 2111). In this case, the information “unregistered” was originally held in the IP address field 1702 on the entry line on which the MAC address of the user terminal 1905 has been registered in the filtering table 1607, as illustrated in FIG. 17. Consequently, that information is replaced by the source IP address included in the packet 2003. The source IP address included in the packet 2003 is the IP address (192.168.5.1) leased to the user terminal 1905 from the DHCP server 1903.

[0163] Then, the PFU 1601 forwards the packet 2003 to the uplink, according to the content of the connection port field 1802 on the entry line on which the destination MAC address has been registered in the learned address table 1606. The packet 2003 is sent to the router 1904 through the uplink. The router 1904 forwards the packet 2003 to the file server 1902, pursuant to the IP protocol specifications.

[0164] Upon receiving the packet 2003, the file server 1902 sends a reply packet 2004 including data requested by the user terminal 1905. The router 1904 receives the packet 2004 and forwards it to the LAN switch 1600. The NIF-A 1602 of the LAN switch 1600 receives the packet 2004 and transfers it to the PFU 1601.

[0165] After the LAN switch 1600 receives the packet 2004, how its PFU 1601 carries out the process of forwarding the packet will be explained below, according to the flowchart shown in FIG. 21.

[0166] The packet 2004 includes the MAC address (22:22:FF:00:00:01) of the user terminal 1905 as the destination MAC address, the IP address (192.168.5.1) of the user terminal 1905 as the destination IP address and the IP address (192.168.1.2) of the file server 1902 as the source IP address.

[0167] First, the PFU 1601 searches the learned address table 1606 for a registration matching the destination MAC address of the packet 2004 (step 2101). Since the destination MAC address is not registered in the learned address table 1606, the PFU judges whether the destination MAC address is a broadcast address (step 2102). Since the destination MAC address is not a broadcast address, the PFU searches the filtering table 1607 for a registration matching the destination MAC address (step 2106). Since the MAC address of the user terminal 1905 is registered in the filtering table 1607, the PFU judges whether the receiving port is uplink (step 2107). Since the receiving port of the packet 2004 is NIF-A 1602, which is uplink, the PFU judges whether the communication protocol of the packet 2004 is IP protocol (step 2108). Since the communication protocol is IP protocol, the PFU judges whether the source IP address included in the packet 2004 is the IP address of the relay agent (router 1904) or the server for authentication (step 2109). Since the source IP address is the IP address of the file server 1902, the PFU discards the packet 2004 (step 2109). That is, the packet 2004 is not sent from the LAN switch 1600 to the user terminal 1905. Consequently, the access from the user terminal 1905 to the file server 1902 is unsuccessful.

[0168] Next, a procedure in which the user terminal 1905 is user-authenticated by the server for authentication will be explained below.

[0169] To gain authentication by the server for authentication 1901, the user inputs a user ID and password to the user terminal 1905. The user terminal 1905 sends the server for authentication 1901 a packet 2005 including the input user ID and password. In this case, the server for authentication (IP address 192.168.1.1) and the user terminal 1905 (IP address 192.168.5.1) belong to different subnets. Thus, the packet 2005 includes the IP address (192.168.1.1) of the server for authentication 1901 as the destination IP address and the MAC address (22:22:00:44:44:44) of the router 1904 as the destination MAC address. The packet 2005 is sent from the user terminal 1905 and received by the NIF-B 1603 of the LAN switch 1600. The NIF-B transfers the received packet 2005 to the PFU 1601.

[0170] After the LAN switch 1600 receives the packet 2005, how its PFU 1601 carries out the process of forwarding the packet will be explained below, using the flowchart shown in FIG. 21.

[0171] Upon receiving the packet 2005, the PFU 1601 searches the learned address table 1606 for a registration matching the destination MAC address of the packet 2005 (step 2101). The destination address, the MAC address of the router 1904, is registered in the learned address table 1606. Thus, the PFU 1601 checks whether the communication protocol of the packet 2005 is IP protocol and whether the source MAC address included in the packet 2005 is registered in the filtering table 1607 (step 2111). The communication protocol of the packet 2005 is IP protocol and the source MAC address, the MAC address of the user terminal 1905, is registered in the filtering table 1607. Moreover, the source IP address included in the packet 2005 is also registered in the filtering table 1607. Thus, the PFU 1601 forwards the packet 2005 to the uplink, according to the content of the connection port field 1802 on the entry line on which the destination MAC address has been registered in the learned address table 1606. The packet 2005 is sent to the router 1904 through the uplink. The router 1904 forwards the packet 2005 to the server for authentication 1901, pursuant to the IP protocol specifications.

[0172] On the server for authentication 1901, if the user ID and password included in the packet 2005 sent from the user terminal 1905 are those that it holds as those of a user authorized to use the networking service, the server sends a directive packet to change state, addressing it to the PDPCS 1608 of the LAN switch 1600. The directive packet to change state 2006 includes the IP address (192.168.5.1) of the user terminal 1905 and the information “permission.” The router 1904 forwards the directive packet to change state 2006 to the LAN switch 1600. The NIF-A 1602 of the LAN switch 1600 receives the directive packet to change state 2006 and transfers it via the PFU 1601 to the PDPCS 1608. Upon receiving the directive packet to change state 2006, the PDPCS 1608 searches the filtering table 1607 for the IP address (192.168.5.1) included in the packet 2006. After finding the entry for the IP address (192.168.5.1) in the filtering table 1607, the PDPCS 1608 reads the associated MAC address (22:22:FF:00:00:01) and connection port name (B) on the entry line from the MAC address field 1701 and connection port field 1703. The PDPCS 1608 adds a new entry line to the learned address table 1606 and registers the above MAC address and connection port name into the respective fields on the entry line.

[0173] FIG. 22 illustrates the learned address table 1606 and its entries (2). As illustrated in FIG. 22, the learned address table 1606 now includes a new entry #2 holding the MAC address (22:22:FF:00:00:01) and the connection port name (B).
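As an added illustration (not the patent's own code), the following Python model replays the FIG. 21 forwarding decisions for packets 2002 through 2008 and the PDPCS handling of directive packet 2006, so the before/after effect of authentication on the learned address table can be traced. The table layouts, the port name "A" for the uplink, the relay agent address 192.168.5.254, and the behaviour at steps 2102 (flood) and 2107 (discard), which this section does not spell out, are assumptions.

```python
from dataclasses import dataclass, field

UPLINK = "A"                        # NIF-A (1602) is the uplink port (assumed name)
RELAY_AGENT_IP = "192.168.5.254"    # constructed: router 1904's address on the user subnet
AUTH_SERVER_IP = "192.168.1.1"      # server for authentication 1901
@dataclass
class Packet:
    src_mac: str; dst_mac: str; in_port: str
    src_ip: str = ""; dst_ip: str = ""; proto: str = "IP"

@dataclass
class LanSwitch:
    learned: dict = field(default_factory=dict)    # table 1606: MAC -> port
    filtering: dict = field(default_factory=dict)  # table 1607: MAC -> {"ip", "port"}

    def forward(self, p):
        """PFU decision of FIG. 21: port name to send on, or None to discard."""
        if p.dst_mac in self.learned:                          # step 2101: known destination
            entry = self.filtering.get(p.src_mac)
            if p.proto == "IP" and entry is not None:          # step 2111: note the leased IP
                entry["ip"] = p.src_ip
            return self.learned[p.dst_mac]
        if p.dst_mac.lower() == "ff:ff:ff:ff:ff:ff":           # step 2102 (assumed: flood)
            return "flood"
        entry = self.filtering.get(p.dst_mac)                  # step 2106
        if entry is None or p.in_port != UPLINK:               # step 2107 (assumed: discard)
            return None
        if p.proto != "IP" or p.src_ip not in (RELAY_AGENT_IP, AUTH_SERVER_IP):
            return None                                        # steps 2108-2109: discard
        return entry["port"]                                   # step 2110

    def apply_directive(self, ip, permission):
        """PDPCS 1608: on 'permission', copy the terminal's MAC/port into the learned table."""
        for mac, entry in self.filtering.items():
            if entry["ip"] == ip and permission:
                self.learned[mac] = entry["port"]
                return True
        return False

TERM, ROUTER = "22:22:FF:00:00:01", "22:22:00:44:44:44"
def scenario():
    """Replay packets 2002-2008 of the description; returns the PFU outcomes in order."""
    sw = LanSwitch(learned={ROUTER: UPLINK}, filtering={TERM: {"ip": "unregistered", "port": "B"}})
    lease = Packet(ROUTER, TERM, "A", RELAY_AGENT_IP, "192.168.5.1")      # packet 2002
    req = Packet(TERM, ROUTER, "B", "192.168.5.1", "192.168.1.2")         # packets 2003 / 2007
    reply = Packet(ROUTER, TERM, "A", "192.168.1.2", "192.168.5.1")       # packets 2004 / 2008
    r1 = sw.forward(lease)               # "B": lease reaches the terminal
    r2 = sw.forward(req)                 # "A": request goes to the router; IP learned
    r3 = sw.forward(reply)               # None: reply discarded, terminal not authenticated
    ok = sw.apply_directive("192.168.5.1", True)   # directive packet 2006
    r4 = sw.forward(reply)               # "B": the same reply is now delivered
    return r1, r2, sw.filtering[TERM]["ip"], r3, ok, r4
```

The discard of the pre-authentication reply and its delivery after the directive is the whole access-control effect of the filtering table: a terminal whose MAC is only in table 1607 can reach the relay agent and the authentication server, nothing else.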

[0174] After being user-authenticated by the server for authentication 1901, when the user terminal 1905 sends a packet 2007 to the file server 1902 again to access the server, the packet 2007 is forwarded via the LAN switch 1600 and the router 1904 and sent to the file server 1902.

[0175] Upon receiving the packet 2007, the file server 1902 sends back a reply packet 2008 including data requested by the user terminal 1905. The router 1904 receives the packet 2008 and forwards it to the LAN switch 1600. The NIF-A 1602 of the LAN switch 1600 receives the packet 2008 and transfers it to the PFU 1601. Upon receiving the packet 2008, the PFU 1601 carries out the process of forwarding the packet in accordance with the flowchart shown in FIG. 21, which will be explained below.

[0176] The packet 2008 includes the MAC address (22:22:FF:00:00:01) of the user terminal 1905 as the destination MAC address, the IP address (192.168.5.1) of the user terminal 1905 as the destination IP address, and the IP address (192.168.1.2) of the file server 1902 as the source IP address.

[0177] The PFU 1601 searches the learned address table 1606 for a registration matching the destination MAC address of the packet 2008, namely, the MAC address of the user terminal 1905 (step 2101). Because the destination MAC address is the MAC address (22:22:FF:00:00:01) of the user terminal 1905, it is registered in the learned address table 1606