1. Field of the Invention
The present invention relates to a technique for switching over the affiliation of a terminal at least between a first network and a second network.
2. Description of the Related Art
In an authentication quarantine network system, network independence is essential: communication between the quarantine network and the business network must be prohibited. Similarly, in an authentication network system, communication between the pre-authentication network and the post-authentication network must be prohibited. To ensure this independence, a packet relay device allocates a different VLAN (virtual local area network) to each network. The allocation of different VLANs logically separates the traffic of the two networks.
FIG. 10 is a block diagram schematically illustrating the configuration of a prior art terminal affiliation switchover system applied in an authentication quarantine network system. In the authentication quarantine network system shown in FIG. 10, a packet relay device RS10 first affiliates a terminal PC10, which does not yet satisfy the security policy of the network, with a VLAN 100 corresponding to a quarantine network NW1. An authentication server SV1 and a quarantine server SV2 connected to the quarantine network NW1 then authenticate and quarantine the terminal PC10. Once the terminal PC10 has been quarantined so as to satisfy the security policy and has been authenticated, the packet relay device RS10 affiliates the terminal PC10 with a VLAN 200 corresponding to a business network NW2.
A DHCP server module 1121 included in the packet relay device RS10 allocates an IP address to the terminal PC10 and thereby enables the terminal PC10 to access the network and establish communication. In the conventional system, packets may be relayed between different VLANs by layer 3 routing. In layer 3 routing, unless a different IP subnet is allocated to each VLAN, the packet relay device cannot identify the target VLAN to which a relayed packet is to be forwarded. The DHCP server module 1121 in the packet relay device RS10 is therefore required to allocate a different IP address to the same terminal PC10 whenever the affiliated VLAN of the terminal PC10 is switched over. When the affiliation of the terminal PC10 is switched over from the VLAN 100 corresponding to the quarantine network NW1 to the VLAN 200 corresponding to the business network NW2, the DHCP server module 1121 allocates to the terminal PC10, now affiliated with the VLAN 200 of the business network NW2, an IP address different from the IP address previously allocated to the same terminal PC10 while it was affiliated with the VLAN 100 of the quarantine network NW1.
In the authentication quarantine network system of FIG. 10, the packet relay device RS10 has, in addition to the DHCP server module 1121, a VLAN 100 processor 1401 for management of the VLAN 100, a VLAN 200 processor 1501 for management of the VLAN 200, an authentication daemon 1301 for switching over the affiliation of the terminal PC10 between the VLAN 100 and the VLAN 200, and a routing module 1111 for management of routing. The DHCP server module 1121 has a DHCP table 1122, and the routing module 1111 has a routing table 1112. A business server SV3 is connected to the business network NW2.
FIG. 11 is a block diagram schematically illustrating the configuration of a prior art terminal affiliation switchover system applied in an authentication network system. In the authentication network system shown in FIG. 11, a packet relay device RS20 first affiliates a terminal PC10, prior to authentication, with a VLAN 100 corresponding to a pre-authentication network NW3. An authentication server SV1 connected to the packet relay device RS20 then authenticates the terminal PC10. On completion of authentication, the packet relay device RS20 affiliates the terminal PC10 with a VLAN 200 corresponding to a business network NW2, which serves as the post-authentication network.
A DHCP server module 1121 included in the packet relay device RS20 allocates an IP address to the terminal PC10 and thereby enables the terminal PC10 to access the network and establish communication. As in the conventional authentication quarantine network system of FIG. 10, when the affiliation of the terminal PC10 in the authentication network system of FIG. 11 is switched over from the VLAN 100 corresponding to the pre-authentication network NW3 to the VLAN 200 corresponding to the business network NW2 (the post-authentication network), the DHCP server module 1121 allocates to the terminal PC10, now affiliated with the VLAN 200, an IP address different from the IP address previously allocated to the same terminal PC10 while it was affiliated with the VLAN 100 of the pre-authentication network NW3.
Constituents of the authentication network system of FIG. 11 that are like those of the authentication quarantine network system of FIG. 10 are denoted by like numerals and symbols and are not described again here. The pre-authentication network NW3 is constructed to include only the VLAN 100 processor 1401 of the packet relay device RS20.
One known example of the authentication network system is disclosed in Japanese Patent Laid-Open Gazette No. 2006-33206.
As described above, in both the conventional authentication quarantine network system and the conventional authentication network system, the DHCP server module 1121 is required to allocate a different IP address to the same terminal PC10 on every switchover of the affiliated VLAN of the terminal PC10. The DHCP server module 1121 allocates an IP address to the terminal PC10 only in response to an IP address allocation request sent from the terminal PC10 to the DHCP server module 1121. The terminal PC10, however, sends such a request only after the preset lease time has elapsed, even when its affiliated VLAN has been switched over. Namely, the terminal PC10 keeps its previous IP address until the preset lease time elapses, even after its affiliation has been switched over to the VLAN 200 corresponding to the business network NW2 (the post-authentication network). Since that address belongs to the subnet of the VLAN 100, packets cannot be correctly routed to the terminal PC10 in the VLAN 200, and the communication of the terminal PC10 is undesirably interrupted.
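The failure mode described above, as an added illustration that is not part of the patent or of any product: a Python model of the packet relay device's DHCP server module, routing table and VLAN affiliation, and of a terminal that requests a new address only when its lease expires. The subnets (192.168.100.0/24 for VLAN 100, 192.168.200.0/24 for VLAN 200), the lease time, the MAC address and the timings are constructed assumptions, and all class and function names are hypothetical. The model shows that after the switchover the terminal still holds its VLAN 100 address, that the relay device, routing by subnet, therefore forwards the business server's reply into VLAN 100 rather than VLAN 200, and that communication resumes only once the lease expires and a VLAN 200 address is allocated.

```python
"""Model of the conventional switchover described above (added illustration,
not code from the patent). Subnets, lease time, MAC address and timings are
constructed assumptions chosen to make the failure mode visible."""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

# Assumption: one distinct subnet per VLAN, as layer 3 routing between VLANs requires.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("192.168.100.0/24"),  # quarantine / pre-authentication network
    200: ipaddress.ip_network("192.168.200.0/24"),  # business (post-authentication) network
}
BUSINESS_VLAN = 200
LEASE_TIME = 3600  # seconds; constructed value


@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    vlan: int
    expires_at: int


class DhcpServerModule:
    """Hands out one address from the subnet of the requesting terminal's VLAN
    and records it in a DHCP table keyed by terminal MAC (cf. DHCP table 1122)."""

    def __init__(self, lease_time: int = LEASE_TIME) -> None:
        self.lease_time = lease_time
        self.table: Dict[str, Lease] = {}
        self._next_host = {vlan: 10 for vlan in VLAN_SUBNETS}

    def allocate(self, mac: str, vlan: int, now: int) -> Lease:
        subnet = VLAN_SUBNETS[vlan]
        host = self._next_host[vlan]
        self._next_host[vlan] += 1
        lease = Lease(subnet.network_address + host, vlan, now + self.lease_time)
        self.table[mac] = lease
        return lease


class RoutingModule:
    """Routing table (cf. routing table 1112): a packet is forwarded into the VLAN
    whose subnet contains its destination address."""

    @staticmethod
    def vlan_for(ip: ipaddress.IPv4Address) -> Optional[int]:
        for vlan, subnet in VLAN_SUBNETS.items():
            if ip in subnet:
                return vlan
        return None


@dataclass
class Terminal:
    mac: str
    lease: Optional[Lease] = None

    def ensure_address(self, dhcp: DhcpServerModule, vlan: int, now: int) -> Lease:
        """Conventional client behaviour from the text: a new allocation request is
        sent only once the current lease has elapsed, whatever VLAN the port is in."""
        if self.lease is None or now >= self.lease.expires_at:
            self.lease = dhcp.allocate(self.mac, vlan, now)
        return self.lease


class PacketRelayDevice:
    def __init__(self, lease_time: int = LEASE_TIME) -> None:
        self.dhcp = DhcpServerModule(lease_time)
        self.routing = RoutingModule()
        self.affiliation: Dict[str, int] = {}  # terminal MAC -> currently affiliated VLAN

    def affiliate(self, mac: str, vlan: int) -> None:
        self.affiliation[mac] = vlan

    def can_reach_business_server(self, terminal: Terminal, now: int) -> bool:
        """True only if the terminal sits in the business VLAN and the reply from
        SV3, routed by the terminal's own address, is forwarded back into that VLAN."""
        vlan = self.affiliation[terminal.mac]
        lease = terminal.ensure_address(self.dhcp, vlan, now)
        if vlan != BUSINESS_VLAN:
            return False  # quarantine / pre-auth traffic is kept off the business network
        return self.routing.vlan_for(lease.ip) == vlan


def simulate(lease_time: int = LEASE_TIME) -> Dict[str, object]:
    """Walk PC10 through quarantine, switchover and lease expiry."""
    relay = PacketRelayDevice(lease_time)
    pc10 = Terminal("00:11:22:33:44:55")  # constructed MAC
    relay.affiliate(pc10.mac, 100)        # t=0: placed in the quarantine VLAN
    before = relay.can_reach_business_server(pc10, now=0)
    stale_ip = str(pc10.lease.ip)
    relay.affiliate(pc10.mac, 200)        # t=60: authenticated, moved to the business VLAN
    just_after = relay.can_reach_business_server(pc10, now=60)
    after_expiry = relay.can_reach_business_server(pc10, now=lease_time + 1)
    return {
        "before_switchover": before,
        "after_switchover_old_lease": just_after,
        "after_lease_expiry": after_expiry,
        "stale_ip": stale_ip,
        "new_ip": str(pc10.lease.ip),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running the block prints the three reachability results and the two addresses; the middle result is the interruption the text describes, lasting from the switchover until the lease time elapses.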