1. Technical Field
The present invention relates to a network relay device and a network relay method; and particularly to a network relay device and a network relay method adapted to detect an irregular terminal on a network.
2. Description of Related Art
DHCP (Dynamic Host Configuration Protocol) is a method used for allocating an IP address to a terminal automatically. DHCP has been standardized by the IETF (Internet Engineering Task Force) and is published as RFC (Request for Comments) 2131. By allocating IP addresses only to administered terminals and not to irregular terminals, DHCP can prevent an irregular terminal from connecting to a network. However, an irregular terminal could still connect to a network if its IP address is set manually.
Technologies for preventing communication by an irregular terminal whose IP address has been set manually have been proposed in the past.
According to this technology, the DHCP messages exchanged between a DHCP server and a terminal are monitored, and information about each terminal to which an address has been allocated by DHCP is managed by its IP address and MAC address, so that communication is enabled only with a terminal that matches the managed information.
Other technologies, besides the one mentioned above, have also been proposed in the past for preventing communication by an irregular terminal whose IP address has been set manually.
According to this technology, the DHCP messages exchanged between a DHCP server and a terminal are monitored (DHCP snooping). Filtering (IP Source Guard) is then executed utilizing the IP address, port and VLAN (Virtual Local Area Network) of a terminal to which an address has been allocated by DHCP, and filtering (Port Security) is executed utilizing the MAC address, port and VLAN of a terminal to which an address has been allocated by DHCP.
However, the technologies mentioned above do not take into account the possibility that the MAC address of a terminal could be set manually. Thus, with these technologies, there exists a risk that an irregular terminal having a manually set IP address and MAC address identical to those of a terminal for which addresses have been allocated by DHCP is able to connect to a different port of the network relay device or to a different VLAN, so that irregular communication cannot be prevented.
According to these technologies, the IP address, which is the layer 3 address, and the MAC address, which is the layer 2 address, are handled separately. There accordingly exists a risk that a terminal having the DHCP-allocated IP address of a first terminal and the DHCP-allocated MAC address of a second terminal could not be prevented from irregular communication.
Thus, in consideration of the possibility that the MAC address of a terminal could be set manually, there exists a need to more carefully identify irregular communication by an irregular terminal.
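The two gaps described above can be seen by modelling the related-art checks side by side. This is an added example, not part of the original patent text or any vendor's implementation. The binding values, the function names and the stricter `full_tuple` comparison are assumptions introduced for contrast only.

```python
from typing import NamedTuple

class Binding(NamedTuple):
    ip: str
    mac: str
    port: int
    vlan: int

# Constructed bindings learned from snooped DHCP exchanges. Both terminals
# are assumed to sit behind the same port and VLAN (e.g. a shared hub).
BINDINGS = [
    Binding("192.0.2.10", "02:00:00:00:00:0a", 1, 10),
    Binding("192.0.2.11", "02:00:00:00:00:0b", 1, 10),
]

def pair_only(f, table=BINDINGS):
    """First related technology: match IP and MAC, ignore port and VLAN."""
    return any((b.ip, b.mac) == (f.ip, f.mac) for b in table)

def separate_filters(f, table=BINDINGS):
    """Second related technology: layer 3 and layer 2 filtered independently."""
    l3_ok = any((b.ip, b.port, b.vlan) == (f.ip, f.port, f.vlan) for b in table)
    l2_ok = any((b.mac, b.port, b.vlan) == (f.mac, f.port, f.vlan) for b in table)
    return l3_ok and l2_ok

def full_tuple(f, table=BINDINGS):
    """Assumed stricter check: a single binding must match all four fields."""
    return f in table

def evaluate(f):
    """Return the verdict of each check for one observed frame."""
    return {
        "pair_only": pair_only(f),
        "separate_filters": separate_filters(f),
        "full_tuple": full_tuple(f),
    }

# Constructed observations (source IP, source MAC, ingress port, VLAN).
LEGIT = Binding("192.0.2.10", "02:00:00:00:00:0a", 1, 10)
MOVED = Binding("192.0.2.10", "02:00:00:00:00:0a", 2, 20)  # same addresses, other port/VLAN
MIXED = Binding("192.0.2.10", "02:00:00:00:00:0b", 1, 10)  # IP of first, MAC of second

if __name__ == "__main__":
    for name, frame in (("LEGIT", LEGIT), ("MOVED", MOVED), ("MIXED", MIXED)):
        print(name, evaluate(frame))
```

The `MOVED` frame is accepted by the address-pair check, and the `MIXED` frame is accepted by the independent layer 3 and layer 2 filters, while the legitimate frame passes all three checks.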