In a data center that uses a virtual machine monitor, multiple different users (for example, companies or the like) share resources such as a network, so the resources are required to be logically divided for each user with security taken into consideration. The divided resources, or the users that use the divided resources, may be called “tenants”, and this kind of network may be called a “multi-tenant network”.
Conventionally, there is a technique for making it impossible for virtual machines (VMs) of other tenants in the data center to receive broadcast communication data that is transmitted by the VM of a specific tenant in the multi-tenant network. More specifically, a header that includes identification information for identifying a tenant is attached to the outside of the communication data (that is, the communication data is encapsulated). Moreover, a multicast address is assigned to each tenant, and data for managing the correlation between tenant identification information and multicast addresses is given to a switch. Then, the switch identifies the multicast address that corresponds to the tenant identification information attached to the broadcast communication data, and transfers the communication data to the identified multicast address.
However, in this technique, communication data is transmitted to the VMs of the same tenant regardless of whether or not the communication data was requested, so there is a problem in that the load on the network becomes large. Reducing the burden on the administrator that manages the switches is also not taken into consideration.
Moreover, there is a technique for performing verification of multicast communication in a switch. More specifically, the verification is performed using a verification table for a terminal that transmitted an Internet Group Management Protocol (IGMP) Membership Report, and data is registered in a forwarding table only for an allowed terminal. As a result, it is possible to transmit multicast data only to the allowed terminal. However, in this technique, there is a problem in that a verification table is set beforehand by an administrator or the like, so the management cost increases. It is also not possible to flexibly build a multicast domain.
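The verification step described above can be sketched as follows; this is an added example, not code from the original document. The IGMPv2 report format, the table layout (terminal MAC address to permitted groups), the class and function names, and the MAC and group addresses are assumptions constructed for illustration.

```python
import socket
import struct

IGMP_V2_REPORT = 0x16  # IGMPv2 Membership Report type (RFC 2236); v2 is assumed here

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_report(group: str) -> bytes:
    """Construct a sample IGMPv2 Membership Report for the given group."""
    body = struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_report(msg: bytes):
    """Return the reported group, or None if the message is not a valid report."""
    if len(msg) != 8 or msg[0] != IGMP_V2_REPORT or inet_checksum(msg) != 0:
        return None
    return socket.inet_ntoa(msg[4:8])

class Switch:
    def __init__(self, verification_table):
        # Assumed layout: terminal MAC -> set of groups it may join (set by an administrator).
        self.verification_table = verification_table
        self.forwarding_table = {}  # group -> set of egress ports

    def on_igmp(self, src_mac: str, port: int, msg: bytes) -> bool:
        group = parse_report(msg)
        if group is None or group not in self.verification_table.get(src_mac, set()):
            return False  # malformed report or terminal not allowed: nothing is registered
        self.forwarding_table.setdefault(group, set()).add(port)
        return True

    def egress_ports(self, group: str) -> set:
        # Multicast data goes only to ports registered through a verified report.
        return set(self.forwarding_table.get(group, set()))

def demo():
    # Constructed sample data: one allowed terminal, one terminal absent from the table.
    sw = Switch({"02:00:00:00:00:01": {"239.1.1.1"}})
    report = build_report("239.1.1.1")
    ok = sw.on_igmp("02:00:00:00:00:01", 1, report)
    denied = sw.on_igmp("02:00:00:00:00:02", 2, report)
    return ok, denied, sw.egress_ports("239.1.1.1")
```

Every entry in `verification_table` has to exist before a terminal can join a group, which is the management cost the paragraph above points out.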
Moreover, there is a technique for suitably transferring multicast data by providing multiple correspondence tables in a relay apparatus such as a switch or router. However, in this technique as well, an administrator sets the correspondence tables in advance, so there is a problem in terms of management costs. This technique also does not take into consideration encapsulation of the communication data.
In other words, there is no technique for automatically building an appropriate multicast domain in a multi-tenant network.