1. Field of the Invention
The present invention relates to frame forwarding apparatuses and, more specifically, to a frame forwarding apparatus which configures the discarding of a frame, issues a discard notification, and forwards a frame, in a system that forwards frames in accordance with their media access control (MAC) addresses.
2. Description of the Related Art
A layer-2 switch device which forwards a frame in accordance with its MAC address generally contains a forwarding table whose entries pair a MAC address with the ID of the port to which the device having that MAC address is attached. When a MAC frame is received, the forwarding table is searched for the destination MAC address of the frame. If there is a hit, the frame is forwarded to the corresponding port. If the matching port is the port on which the frame was received (that is, the destination port equals the receiving port), the frame is discarded. If there is no hit, the frame is forwarded to all ports except the receiving port. Forwarding a frame to all ports except the receiving port when the destination MAC address is not found is called flooding. Flooding does not always mean forwarding to every port; it can also be limited to a group of ports specified in advance, such as the ports belonging to a virtual LAN.
An entry can be added to the forwarding table in several ways. When a MAC frame is received, the source MAC address of the frame and the port on which it was received can be entered automatically (MAC automatic learning). Alternatively, the administrator can add entries by entering a command or the like. When automatic learning is used, the number of entries in the forwarding table is finite, so MAC addresses must eventually be deleted and replaced. Accordingly, MAC automatic learning is often combined with the automatic deletion of any MAC address that has not been accessed for a predetermined period of time. This deletion of an address that has not been accessed for the predetermined period is called aging.
Access networks have been gaining high-speed broadband capabilities, and an increasing number of IP networks have been introduced. In that environment, a network failure can be caused by a spoofed frame sent by an unauthorized user, by a denial-of-service (DoS) attack, or by a computer virus. A looping frame resulting from a wrong connection or a wrong setting made by a user, a fraudulent frame, or a spoofed frame can likewise cause a network failure.
One known method of preventing such failures uses a flag in the forwarding table of the layer-2 switch device. The administrator registers in advance, in the network apparatus, the MAC address whose frames are to be discarded; if the destination or source MAC address of a received MAC frame matches the registered MAC address, the frame is discarded. In another known method, the apparatus holds an access permission table in which the administrator registers the MAC addresses whose frames are permitted to be forwarded; if the destination or source MAC address of a received MAC frame matches a registered address, the frame is forwarded.
In one known monitoring method (see, for instance, Japanese Unexamined Patent Application Publication No. Hei-8-186569), combinations of a MAC address and an IP address are held in a list. The presence of a fraudulent terminal or a fraudulent frame is detected by checking whether the combination of the source or destination MAC address and the IP address of a received frame appears in the list. Another known method (see, for instance, Japanese Unexamined Patent Application Publication No. 2005-244603) analyzes protocol data of layer 3 or above (a DHCP message, for instance), holds the resulting combination of MAC address and IP address in a table, and discards a received frame if the combination of its source or destination MAC address and IP address does not match any combination in the table.