JP2009033577A - Tag-based VLAN security method and relay device - Google Patents

Abstract

There is provided a tag-based VLAN security method capable of preventing communication by an unauthorized terminal and enhancing tag-based VLAN security.
A switch 34a changes a frame received from a PC 31a to 33a only when the VLAN tag information in the frame received from the PC 31a to 33a matches the VLAN tag information held by the port to which the PC 31a to 33a is connected. Recreate the corresponding transmission frame. The switch 34b transmits the transmission frame corresponding to the frame received from the PCs 31b to 33b only when the VLAN tag information in the frame received from the PCs 31b to 33b matches the VLAN tag information of the port to which the PCs 31b to 33b are connected. Recreate.
[Selection] Figure 1

Description

  The present invention relates to a tag-based VLAN security method in which VLAN (Virtual Local Area Network) tag information is included in a transfer frame between relay devices, and a relay device used to implement the tag-based VLAN security method.

  VLAN technology is known as a method of logically dividing a network group. VLANs can be classified into, for example, port-based VLANs, MAC (Media Access Control) -based VLANs, and tag-based VLANs.

  The port-based VLAN is a technology for constructing a VLAN by assigning a VLAN number to each port of the relay device. The MAC-based VLAN is a technology for constructing a VLAN by assigning a VLAN number to each MAC address of a terminal.

  Tag-based VLAN is a technology devised to prevent an increase in the line between relay devices, which is a disadvantage of port-based VLAN and MAC-based VLAN, and uses frames conforming to IEEE802.1Q for data transfer between relay devices. To do.

  The frame according to IEEE802.1Q is a frame in which VLAN tag information describing a VLAN number is added to a frame according to IEEE802.3, which is the basic of the network.

  FIG. 7 is a configuration diagram of a frame according to IEEE 802.3. That is, a frame according to IEEE 802.3 has a configuration of “preamble → destination MAC address → source MAC address → length → IP (Internet Protocol) packet → FCS (Frame Check Sequence)”.

  The “preamble” portion is a portion in which a value indicating the head of the frame is entered. The “destination MAC address” portion is a portion in which the MAC address value of the counterpart device that transmits the frame is entered. The “transmission source MAC address” portion is a portion in which the MAC address value of the device that has transmitted the frame is entered.

  The “length” portion is a portion where a value indicating the length of the frame is entered. The “IP packet” portion is a portion in which an IP header and data such as a source / destination IP address and a packet length are entered. The “FCS” part is a part where a CRC (Cyclic Redundancy Check) code for detecting whether or not there is an error in the header part and the data part of the frame.

  FIG. 8 is a configuration diagram of a frame according to IEEE802.1Q. That is, the frame according to IEEE802.1Q has a configuration of “preamble → destination MAC address → source MAC address → VLAN tag information → length → IP packet → FCS”.

  The “VLAN tag information” portion is a portion in which VLAN tag information describing a VLAN number is entered. The VLAN tag information is 4 bytes, but 12 bits are used as the VLAN number. Therefore, a maximum of 4096 VLANs can be identified. Since the “VLAN tag information” part is inserted, a recalculated value is entered in the “FCS” part.

  FIG. 9 is a diagram illustrating a configuration example of a port-based VLAN. In FIG. 9, 1a to 3a, 1b to 3b are personal computers (hereinafter referred to as PCs) which are terminals, 4a and 4b are switches which are relay devices, 5a to 10a are ports of the switch 4a, and 5b to 10b are switches of the switch 4b. Ports 11a to 13a, 11b to 13b, and 14 to 16 are LAN cables.

  In this configuration example, the PC 1a is connected to the port 5a of the switch 4a by a LAN cable 11a. The PC 2a is connected to the port 6a of the switch 4a with a LAN cable 12a. The PC 3a is connected to the port 7a of the switch 4a by a LAN cable 13a.

  The PC 1b is connected to the port 5b of the switch 4b with a LAN cable 11b. The PC 2b is connected to the port 6b of the switch 4b with a LAN cable 12b. The PC 3b is connected to the port 7b of the switch 4b with a LAN cable 13b.

  The port 8a of the switch 4a and the port 8b of the switch 4b are connected by a LAN cable 14. The port 9a of the switch 4a and the port 9b of the switch 4b are connected by a LAN cable 15. The port 10a of the switch 4a and the port 10b of the switch 4b are connected by a LAN cable 16.

  Here, for example, a VLAN number designating VLAN1 is assigned to ports 5a and 8a of switch 4a and ports 5b and 8b of switch 4b, and VLAN2 is designated to ports 6a and 9a of switch 4a and ports 6b and 9b of switch 4b. Assume that a VLAN number is assigned and a VLAN number designating VLAN 3 is assigned to the ports 7a and 10a of the switch 4a and the ports 7b and 10b of the switch 4b.

  In this way, the PCs 1a and 1b belong to the VLAN 1 and can communicate only between the PCs 1a and 1b. The PCs 2a and 2b belong to the VLAN 2 and can communicate only between the PCs 2a and 2b. Further, the PCs 3a and 3b belong to the VLAN 3 and can communicate only between the PCs 3a and 3b.

  In this case, the configuration of the transfer frame between the PCs 1a to 3a and the switch 4a, between the PCs 1b to 3b and the switch 4b, and between the switch 4a and the switch 4b follows the configuration shown in FIG. Thus, in the port-based VLAN, the configuration of the transfer frame between the PC and the switch and between the switch and the switch follows the configuration shown in FIG.

  Further, in the configuration example of the port-based VLAN shown in FIG. 9, three LAN cables 14 to 16 are required between the switch 4a and the switch 4b. Thus, in the port-based VLAN, as many lines as the number of VLANs are required between the switches.

  FIG. 10 is a diagram illustrating a configuration example of a tag-based VLAN. In this configuration example, transfer frames between the PCs 1a to 3a and the switch 4a and between the PCs 1b to 3b and the switch 4b follow the configuration shown in FIG. 7, and the transfer frames between the switch 4a and the switch 4b are illustrated in FIG. The configuration shown in FIG. Further, in this configuration example, a single LAN cable 14 is sufficient between the switch 4a and the switch 4b.

  Thus, in the tag-based VLAN, the transfer frame between the PC and the switch follows the configuration shown in FIG. 7, and the transfer frame between the switch and the switch follows the configuration shown in FIG. A single line is sufficient between the switches.

  FIG. 11 is a schematic configuration diagram of the switch 4a, and the switch 4b is configured similarly. In FIG. 11, 18 is a network LSI that performs frame transmission / reception and signal processing, 19 is a memory, and 20a to 23a are PHY (physical layer) devices.

  FIG. 12 is a diagram for explaining frame processing executed by the switch 4a. In FIG. 12, reference numeral 24 denotes a reception frame received by the switch 4a from any one of the PCs 1a to 3a. When the switch 4a receives the frame 24 from any one of the PCs 1a to 3a, an IP packet is received from the reception frame 24. Only, and the transmission frame 25 is assembled again.

In this case, the switch 4a uses the information (transmission destination MAC address, transmission source MAC address, and VLAN tag information) 26 that the port has, further adds a preamble and calculates the length and FCS, and transmits the transmission frame 25. Will be assembled.
JP 11-127167 A JP 11-74923 A JP 2000-196647 A

  FIGS. 13 and 14 are diagrams for explaining the problems of the tag-based VLAN shown in FIG. 10. FIG. 13 accesses the configuration example of the tag-based VLAN shown in FIG. 10 only to PC1a and PC1b which are VLAN1 members. This shows a case where a VLAN1 shared server 28 capable of being connected is connected.

  FIG. 14 shows a case where the PC 1a shown in FIG. In this case, the unauthorized PC 29 belongs to the VLAN 1 and can communicate with the PC 1 b and enter the VLAN 1 shared server 28.

  Here, even if the access to the VLAN 1 shared server 28 is restricted such as a password, the access is not denied unless the password or the like is seen, and anyone can easily enter the VLAN 1 shared server 28. be able to. For this reason, it cannot be said that there is sufficient security in this environment.

  For example, when the VLAN1 member is moved to VLAN2 due to reorganization of the member or the like, the original VLAN1 member can easily connect the VLAN1 port to the VLAN1 port by simply connecting a PC to the VLAN1 unless the password of the VLAN1 shared server 28 is changed. It becomes possible to become a member and intrude into the VLAN 1 shared server 28. Therefore, when another VLAN member is connected to the VLAN port which is the entrance, it is necessary to devise so that communication is not possible.

  In view of the above, the present invention provides a tag-based VLAN security method and a tag-based VLAN security method capable of preventing communication by an unauthorized terminal and enhancing tag-based VLAN security. It is an object to provide a relay device that can be used for implementation.

  The tag-based VLAN security method of the present invention includes VLAN tag information set in the terminal by a network administrator in a transmission frame of a terminal connected to the relay apparatus, and the relay apparatus includes a frame in a frame received from the terminal. Only when the VLAN tag information matches the VLAN tag information of the port to which the terminal is connected, a transmission frame corresponding to the frame received from the terminal is recreated.

  The relay apparatus according to the present invention includes a comparison unit that compares VLAN tag information in a frame received from a terminal with VLAN tag information held by a port to which the terminal is connected, and VLAN tag information in a frame received from the terminal. A transmission frame creation means for recreating a transmission frame corresponding to a frame received from the terminal only when the comparison means detects that the VLAN tag information of the port to which the terminal is connected matches. Is.

  According to the tag-based VLAN security method of the present invention, the relaying apparatus can be used only when the VLAN tag information in the frame received from the terminal matches the VLAN tag information of the port to which the terminal is connected. The transmission frame corresponding to the frame received from is recreated. In other words, if the VLAN tag information in the frame received from the terminal does not match the VLAN tag information held by the port to which the terminal is connected, the relay device transmits a transmission frame corresponding to the frame received from the terminal. Do not recreate.

  In other words, communication cannot be performed even if a terminal whose VLAN tag information of the connection destination port is not set by the network administrator is connected to the relay device. Therefore, communication by an unauthorized terminal can be prevented and the security of the tag-based VLAN can be improved. In addition, the relay apparatus of this invention can be used as a relay apparatus.

  FIG. 1 is a diagram showing a configuration example of a tag-based VLAN in which an embodiment of the tag-based VLAN security method of the present invention is implemented. In FIG. 1, 31a to 33a and 31b to 33b are PCs, 34a and 34b are switches according to an embodiment of the relay apparatus of the present invention, 35a to 38a are ports of the switch 34a, 35b to 38b are ports of the switch 34b, 41a ˜43a, 41b˜43b, 44 are LAN cables.

  In this configuration example, the PC 31a is connected to the port 35a of the switch 34a by a LAN cable 41a. The PC 32a is connected to the port 36a of the switch 34a by a LAN cable 42a. The PC 33a is connected to the port 37a of the switch 34a by a LAN cable 43a.

  The PC 31b is connected to the port 35b of the switch 34b by a LAN cable 41b. The PC 32b is connected to the port 36b of the switch 34b by a LAN cable 42b. The PC 33b is connected to the port 37b of the switch 34b by a LAN cable 43b. The port 38a of the switch 34a and the port 38b of the switch 34b are connected by a LAN cable 44.

  In one embodiment of the tag-based VLAN security method of the present invention, transfer frames not only between the switch 34a and the switch 34b but also between the PCs 31a to 33a and the switch 34a and between the PCs 31b to 33b and the switch 34b. Is configured in accordance with IEEE802.1Q.

  Therefore, VLAN tag information is set by the network administrator in the LAN cards in the PCs 31a to 33a and 31b to 33b. Setting of the VLAN tag information on the LAN cards in the PCs 31a to 33a and 31b to 33b by the network administrator is performed by writing the VLAN tag information in a rewritable nonvolatile memory such as a flash memory in the LAN card. .

  FIG. 2 is a diagram showing LAN cards in the PCs 31a to 33a and 31b to 33b. In FIG. 2, 51a is a LAN card in the PC 31a, 61a is a CPU (central processing unit), and 71a is a flash memory accessed by the CPU 61a. 52a is a LAN card in the PC 32a, 62a is a CPU, and 72a is a flash memory accessed by the CPU 62a. 53a is a LAN card in the PC 33a, 63a is a CPU, and 73a is a flash memory accessed by the CPU 63a.

  Reference numeral 51b denotes a LAN card in the PC 31b, 61b denotes a CPU, and 71b denotes a flash memory accessed by the CPU 61b. 52b is a LAN card in the PC 32b, 62b is a CPU, and 72b is a flash memory accessed by the CPU 62b. 53b is a LAN card in the PC 33b, 63b is a CPU, and 73b is a flash memory accessed by the CPU 63b.

  In this example, the PCs 31a and 31b belong to the VLAN 1, the PCs 32a and 32b belong to the VLAN 2, and the PCs 33a and 33b belong to the VLAN 3. In this case, the flash memory 71a in the LAN card 51a and the flash memory 71b in the LAN card 51b are connected to the flash memory 71b in the LAN card 51b via a communication line between the network administrator's computer and the PCs 31a and 31b. VLAN tag information describing the VLAN number designating VLAN1 is written.

  The flash memory 72a in the LAN card 52a and the flash memory 72b in the LAN card 52b are VLANs in which the network administrator designates VLAN 2 via a communication line between the network administrator's computer and the PCs 32a and 32b. VLAN tag information in which a number is described is written.

  Further, the flash memory 73a in the LAN card 53a and the flash memory 73b in the LAN card 53b are VLANs in which the network administrator designates VLAN 3 via a communication line between the network administrator's computer and the PCs 33a and 33b. VLAN tag information in which a number is described is written.

  Thus, in this embodiment, the setting of VLAN tag information on the LAN cards 51a to 53a and 51b to 53b is performed by the network administrator between the network administrator's computer and the PCs 31a to 33a and 31b to 33b. Since it is performed via a line, the user cannot write VLAN tag information in the flash memories 71a to 73a and 71b to 73b in the LAN cards 51a to 53a and 51b to 53b.

  3A and 3B are diagrams showing transmission frame examples of the PCs 31a to 33a and 31b to 33b. FIG. 3A is a transmission frame example of the PCs 31a and 31b, FIG. 3B is a transmission frame example of the PCs 32a and 32b, and FIG. An example of a transmission frame is shown.

  In this example, since the PCs 31a and 31b belong to the VLAN 1, as shown in FIG. 3A, conforming to IEEE802.1Q in which the VLAN tag information in which the VLAN number designating the VLAN 1 is described is inserted. Send a frame. The insertion of the VLAN tag information into the transmission frame of the PC 31a is performed by the CPU 61a in the LAN card 51a, and the insertion of the VLAN tag information into the transmission frame of the PC 31b is performed by the CPU 51b in the LAN card 51b.

  Since the PCs 32a and 32b belong to the VLAN 2, as shown in FIG. 3B, a frame conforming to IEEE802.1Q in which the VLAN tag information in which the VLAN number designating the VLAN 2 is described is inserted. Send. The insertion of the VLAN tag information into the transmission frame of the PC 32a is performed by the CPU 62a in the LAN card 52a, and the insertion of the VLAN tag information into the transmission frame of the PC 32b is performed by the CPU 62b in the LAN card 52b.

  Further, since the PCs 33a and 33b belong to the VLAN 3, as shown in FIG. 3C, a frame conforming to IEEE802.1Q formed by inserting VLAN tag information in which the VLAN number designating the VLAN 3 is described. Send. The insertion of the VLAN tag information into the transmission frame of the PC 33a is performed by the CPU 63a in the LAN card 53a, and the insertion of the VLAN tag information into the transmission frame of the PC 33b is performed by the CPU 63b in the LAN card 53b.

  FIG. 4 is a schematic configuration diagram of the switch 34a, and the switch 34b is configured similarly. In FIG. 4, reference numeral 80 denotes a network LSI that performs frame transmission / reception and signal processing, 81 denotes a CPU in the network LSI 80, 82 denotes an SDRAM (synchronous dynamic random access memory), 83 denotes a flash memory, 84 denotes a comparator, and 85a to 88a denote It is a PHY (physical layer) device.

  In this example, the PC 31a belongs to VLAN 1, the PC 32a belongs to VLAN 2, and the PC 33a belongs to VLAN 3. Therefore, the network administrator designates VLAN 1 as the VLAN number of the port 35a in the flash memory 83 by the network administrator. The number is written, the VLAN number specifying VLAN2 is written as the VLAN number of the port 36a, and the VLAN number specifying VLAN3 is written as the VLAN number of the port 37a.

  In the flash memory in the switch 34b configured similarly to the switch 34a, a VLAN number designating VLAN1 is written as the VLAN number of the port 35b by the network administrator, and VLAN2 is set as the VLAN number of the port 36b. The designated VLAN number is written, and the VLAN number that designates VLAN 3 is written as the VLAN number of the port 37b.

  Here, the switch 34a compares the VLAN tag information in the frame received from the PC connected to the port 35a with the VLAN tag information held by the port 35a, and connects to the port 35a only when they match. A transmission frame corresponding to the frame received from the received PC is recreated and transmitted to the switch 34b. The switch 34a discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 35a does not match the VLAN tag information held by the port 35a.

  The switch 34a compares the VLAN tag information in the frame received from the PC connected to the port 36a with the VLAN tag information held by the port 36a, and is connected to the port 36a only when they match. The transmission frame corresponding to the frame received from the PC is recreated and transmitted to the switch 34b. The switch 34a discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 36a does not match the VLAN tag information held by the port 36a.

  The switch 34a compares the VLAN tag information in the frame received from the PC connected to the port 37a with the VLAN tag information held by the port 37a, and is connected to the port 37a only when they match. The transmission frame corresponding to the frame received from the PC is recreated and transmitted to the switch 34b. Note that the switch 34a discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 35a does not match the VLAN tag information held by the port 37a.

  The switch 34b compares the VLAN tag information in the frame received from the PC connected to the port 35b with the VLAN tag information held by the port 35b, and is connected to the port 35b only when they match. The transmission frame corresponding to the frame received from the PC is recreated and transmitted to the switch 34a. The switch 34b discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 35b does not match the VLAN tag information held by the port 35b.

  The switch 34b compares the VLAN tag information in the frame received from the PC connected to the port 36b with the VLAN tag information held by the port 36b, and is connected to the port 36b only when they match. The transmission frame corresponding to the frame received from the PC is recreated and transmitted to the switch 34a. Note that the switch 34b discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 36b does not match the VLAN tag information held by the port 36b.

  The switch 34b compares the VLAN tag information in the frame received from the PC connected to the port 37b with the VLAN tag information held by the port 37b, and is connected to the port 37b only when they match. The transmission frame corresponding to the frame received from the PC is recreated and transmitted to the switch 34a. Note that the switch 34b discards the received frame when the VLAN tag information in the frame received from the PC connected to the port 37b does not match the VLAN tag information held by the port 37b.

  FIG. 5 is a diagram for explaining an example of frame processing executed by the switch 34a, in which the PC 31a belonging to the VLAN 1 is connected to the port 35a of the switch 34a. In FIG. 5, reference numeral 90 denotes a frame received by the switch 34a from the PC 31a. When the switch 34a receives the frame 90 from the PC 31a, the switch 34a extracts only the VLAN tag information and the IP packet from the received frame 90. The VLAN tag information 91 extracted from the received frame 90 is compared with the VLAN tag information 92 possessed by the port 35a.

  In the case of this example, the VLAN number in the VLAN tag information 91 extracted from the received frame 90 and the VLAN number in the VLAN tag information 92 possessed by the port 35a are both VLAN numbers that specify VLAN1. The VLAN tag information 91 extracted from the received frame 90 matches the VLAN tag information 92 held by the port 35a.

  Therefore, in this case, the transmission frame 93 is assembled again in the network LSI 80. Specifically, the switch 34a uses the information (transmission destination MAC address, transmission source MAC address, and VLAN tag information) held by the port 35a as in the conventional case, and further adds a preamble, FCS is calculated and the transmission frame 93 is assembled.

  FIG. 6 is a diagram for explaining an example of frame processing executed by the switch 34a, in which the PC 32a belonging to the VLAN 2 is connected to the port 35a of the switch 34a. In FIG. 6, reference numeral 94 denotes a frame received from the PC 32a connected to the port 35a. When the switch 34a receives the frame 94 from the PC 32a, it extracts only the VLAN tag information and the IP packet from the received frame 94, and a comparator. At 74, the VLAN tag information 95 extracted from the received frame 94 is compared with the VLAN tag information 92 possessed by the port 35a.

  In the case of this example, the VLAN number in the VLAN tag information 95 extracted from the received frame 94 is a VLAN number that specifies VLAN2, and the VLAN tag information 92 that the port 35a has is a VLAN number that specifies VLAN1. The VLAN tag information 95 extracted from the received frame 94 and the VLAN tag information 92 held by the port 35a do not match. In this case, the transmission frame corresponding to the reception frame 94 is not recreated, and the reception frame 94 is discarded.

  As described above, in one embodiment of the tag-based VLAN security method of the present invention, the switch 34a includes the VLAN tag information in the frame received from the PCs 31a to 33a and the VLAN tag possessed by the port to which the PCs 31a to 33a are connected. Only when the information matches, the transmission frame corresponding to the frame received from the PCs 31a to 33a is recreated and transmitted to the switch 34b.

  In other words, when the VLAN tag information in the frames received from the PCs 31a to 33a does not match the VLAN tag information held by the port to which the PCs 31a to 33a are connected, the switch 34a changes the frame received from the PCs 31a to 33a. Do not recreate the corresponding transmission frame.

  That is, the PC connected to any of the ports 35a to 37a of the switch 34a communicates with other PCs if the VLAN tag information of the connection destination port is not set by the network administrator. I can't.

  The switch 34b corresponds to the frame received from the PCs 31b to 33b only when the VLAN tag information in the frame received from the PCs 31b to 33b matches the VLAN tag information of the port to which the PCs 31b to 33b are connected. The transmission frame is recreated and transmitted to the switch 34a.

  In other words, if the VLAN tag information in the frames received from the PCs 31b to 33b does not match the VLAN tag information held by the port to which the PCs 31b to 33b are connected, the switch 34b updates the frames received from the PCs 31b to 33b. Do not recreate the corresponding transmission frame.

  That is, the PC connected to any of the ports 35b to 37b of the switch 34b communicates with other PCs if the VLAN tag information of the connection destination port is not set by the network administrator. I can't.

  Therefore, according to an embodiment of the tag-based VLAN security method of the present invention, it is possible to prevent communication by an unauthorized PC and to enhance the security of the tag-based VLAN.

It is a figure which shows the structural example of the tag base VLAN by which one Embodiment of the security method of the tag base VLAN of this invention is implemented. It is a figure which shows the LAN card in the personal computer with which the tag base VLAN shown in FIG. 1 is provided. It is a figure which shows the example of a transmission frame of the personal computer with which the tag base VLAN shown in FIG. 1 is provided. It is a schematic block diagram of the switch which is one Embodiment of the relay apparatus of this invention. It is a figure for demonstrating the example of a frame process which the switch which is one Embodiment of the relay apparatus of this invention performs. It is a figure for demonstrating the example of a frame process which the switch which is one Embodiment of the relay apparatus of this invention performs. It is a block diagram of the frame according to IEEE802.3. It is a block diagram of a frame according to IEEE802.1Q. It is a figure which shows the structural example of a port base VLAN. It is a figure which shows the structural example of a tag base VLAN. It is a schematic block diagram of the switch with which the tag base VLAN shown in FIG. 10 is provided. It is a figure for demonstrating the frame process which the switch with which the tag base VLAN shown in FIG. 10 is provided. It is a figure for demonstrating the problem which the tag base VLAN shown in FIG. 10 has. It is a figure for demonstrating the problem which the tag base VLAN shown in FIG. 10 has.

Explanation of symbols

1a-3a, 1b-3b ... Personal computer (PC)
4a, 4b ... switches 5a-10a, 5b-10b ... ports 11a-13a, 11b-13b, 14-16 ... LAN cables 18 ... network LSI
DESCRIPTION OF SYMBOLS 19 ... Memory 20a-23a ... PHY (physical layer) device 24 ... Reception frame 25 ... Transmission frame 26 ... Information which the port of a switch has 28 ... VLAN1 shared server 29 ... Unauthorized personal computer (illegal PC)
31a-33a, 31b-33b ... Personal computer (PC)
34a, 34b ... switches (one embodiment of the relay device of the present invention)
35a-38a, 35b-38b ... Ports 41a-43a, 41b-43b, 44 ... LAN cables 51a-53a, 51b-53b ... LAN cards 61a-63a, 61b-63b ... CPU
71a to 73a, 71b to 73b ... flash memory 80 ... network LSI
81 ... CPU
82 ... SDRAM
83 ... Flash memory 84 ... Comparator 85a to 88a ... PHY (physical layer) device 90 ... Reception frame 91, 92 ... VLAN tag information 93 ... Transmission frame 94 ... Reception frame 95 ... VLAN tag information

Claims (2)

Including the VLAN tag information set in the terminal by the network administrator in the transmission frame of the terminal connected to the relay device,
The relay apparatus retransmits a transmission frame corresponding to the frame received from the terminal only when the VLAN tag information in the frame received from the terminal matches the VLAN tag information held by the port to which the terminal is connected. A tag-based VLAN security method comprising: creating a tag-based VLAN. Comparison means for comparing the VLAN tag information in the frame received from the terminal with the VLAN tag information of the port to which the terminal is connected;
A transmission corresponding to the frame received from the terminal only when the comparison means detects that the VLAN tag information in the frame received from the terminal matches the VLAN tag information of the port to which the terminal is connected. A transmission frame creation means for re-creating a frame;
A relay apparatus comprising:

Images