Port isolation for restricting traffic flow on layer 2 switches
IPC classification information
Country / type: United States (US) patent, registered
International Patent Classification (IPC 7th edition): H04L-012/28; H04L-009/00
Application number: US-0745280 (filed 2000-12-20)
Inventors / address: Joshi, Monica; Shuen, Pauline
Applicant / address: Cisco Technology, Inc.
Agent / address: Thelen Reid &
Citation information: cited by 6 patents; cites 69 patents
Abstract

This invention provides an apparatus and method to isolate ports on layer 2 switches that are on the same VLAN, in order to restrict traffic flow. The apparatus comprises a switch having a plurality of ports, each port configured as a protected port or a non-protected port. An address table memory stores an address table of destination address and port number pairs. A forwarding map generator generates a forwarding map that is responsive to the destination address of a data packet. The method for isolating ports on a layer 2 switch comprises configuring each of the ports on the layer 2 switch as a protected port or a non-protected port. The destination address on a data packet is matched with a physical address on the layer 2 switch, and a forwarding map is generated for the data packet based upon that destination address. The data packet is then sent to the plurality of ports pursuant to the forwarding map, which is generated based upon whether the ingress port was configured as a protected or non-protected port.
Representative claims

What is claimed is:

1. A method for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the method comprising: configuring each of said plurality of ports by a user on said layer 2 switch as a protected port or a non-protected port; matching a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; generating a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and sending said data packet to said plurality of ports pursuant to said forwarding map.

2. The method of claim 1 wherein said generating step further comprises sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is a protected port.

3. The method of claim 1 wherein said generating step further comprises sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is a non-protected port.

4. The method of claim 1 wherein said generating step further comprises allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

5. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, said method comprising: configuring each of said plurality of ports by a user on said layer 2 switch as a protected port or a non-protected port; matching a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; generating a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and sending said data packet to said plurality of ports pursuant to said forwarding map.

6. An apparatus for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the apparatus comprising: a port configurer to configure said plurality of ports as a protected port or a non-protected port; an address table memory storing an address table, said address table having a destination address and port number pair; a forwarding map generator generating a forwarding map; and said forwarding map responsive to a destination address of a data packet so that the data packet is forwarded either to a port number paired with the destination address in said forwarding table, or, if not so paired, said data packet is forwarded to each of said non-protected ports on said switch and said data packet is prevented from being forwarded to a protected port if an ingress port is protected, or, if said ingress port is non-protected, said data packet is forwarded to all of said plurality of ports.

7. The apparatus of claim 6 wherein said incoming packet is forwarded from one of said non-protected ports to other non-protected ports.

8. An apparatus for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the apparatus comprising: means to configure each of said plurality of ports on said layer 2 switch as a protected or non-protected port; means to match a destination address on a data packet with a physical address on said layer 2 switch, said data packet received on an ingress port; means to generate a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and means to send said data packet to said plurality of ports pursuant to said forwarding map.

9. The apparatus of claim 8 wherein said means to generate a forwarding map further comprises a means to forward said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is a protected port.

10. The apparatus of claim 8 wherein said means to generate a forwarding map further comprises a means to forward said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is a non-protected port.

11. The apparatus of claim 8 wherein said means to generate a forwarding map further comprises means to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

12. A method for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the method comprising: maintaining a state for each of said plurality of ports on said layer 2 switch as a protected port or a non-protected port; matching a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; generating a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and sending said data packet to said plurality of ports pursuant to said forwarding map.

13. The method of claim 12 wherein said generating step further comprises sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is a protected port.

14. The method of claim 12 wherein said generating step further comprises sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is a non-protected port.

15. The method of claim 12 wherein said generating step further comprises allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

16. The method of claim 12 wherein said generating step further comprises allowing said data packet to be forwarded from one of said non-protected ports to each of said protected ports.

17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, said method comprising: maintaining a state for each of said plurality of ports on said layer 2 switch as a protected port or a non-protected port; matching a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; generating a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and sending said data packet to said plurality of ports pursuant to said forwarding map.

18. An apparatus for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the apparatus comprising: means for maintaining a state for each of said plurality of ports on said layer 2 switch as a protected port or a non-protected port; means for matching a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; means for generating a forwarding map for said data packet based upon said destination address on said data packet, wherein the generating further includes allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and means for sending said data packet to said plurality of ports pursuant to said forwarding map.

19. The apparatus of claim 18 wherein said means for generating further comprises means for sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is a protected port.

20. The apparatus of claim 18 wherein said means for generating further comprises means for sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is a non-protected port.

21. The apparatus of claim 18 wherein said means for generating further comprises means for allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

22. An apparatus for isolating a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch, wherein the single VLAN is a group of devices within a local area network, at least one device in the group not belonging to any other VLAN, the apparatus comprising: a state maintenance module configured to maintain a state for each of said plurality of ports on said layer 2 switch as a protected port or a non-protected port; a destination address matching module coupled to said state maintenance module and configured to match a destination address on a data packet with a physical address on said layer 2 switch, said data packet received by an ingress port; a forwarding map generator coupled to said destination address matching module; and a data packet sending module coupled to said forwarding map generator and configured to send said data packet to said plurality of ports pursuant to said forwarding map while preventing said data packet from being forwarded from an ingress protected port to another of said protected ports.

23. The apparatus of claim 22 wherein said forwarding map generator is configured to send said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is a protected port.

24. The apparatus of claim 22 wherein said forwarding map generator is configured to send said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is a non-protected port.

25. The apparatus of claim 22 wherein said forwarding map generator is further configured to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.
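The abstract and claims 1 through 4 together define a small decision procedure: look the destination address up in the address table, flood if it is unknown, and then remove every protected port from the egress set whenever the ingress port is itself protected. The following model is an example added here to make that procedure concrete; it is not code from the patent or from any Cisco product, and the port numbers, MAC addresses and the Frame layout are constructed for the example. On Cisco Catalyst switches the per-port state the claims describe is set with the `switchport protected` interface command.

```python
# Added example (not code from the patent or from Cisco): a minimal model of
# the protected-port forwarding decision described in the abstract and in
# claims 1-4. Port numbers, MAC addresses and the Frame layout are constructed
# for this example.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    ingress: int  # port the frame arrived on


@dataclass
class Layer2Switch:
    """A single-VLAN switch: every port in `ports` is in one broadcast domain."""
    ports: set                                     # all port numbers on the VLAN
    protected: set = field(default_factory=set)    # ports configured as protected
    mac_table: dict = field(default_factory=dict)  # destination address -> port number pairs

    def learn(self, frame):
        """Source-address learning fills the address table used for lookups."""
        self.mac_table[frame.src] = frame.ingress

    def forwarding_map(self, frame):
        """Return the set of egress ports (the 'forwarding map') for `frame`.

        Known destination: the single port paired with it in the address table.
        Unknown destination or broadcast: every port except the ingress port
        (claim 3, non-protected ingress) or every non-protected port
        (claim 2, protected ingress).
        In every case a frame that arrived on a protected port is never sent
        out another protected port (claim 1), which also drops a *known*
        unicast frame between two protected hosts.
        """
        if frame.dst in self.mac_table:
            egress = {self.mac_table[frame.dst]}
        else:
            egress = set(self.ports)
        egress.discard(frame.ingress)      # never reflect a frame back out its ingress port
        if frame.ingress in self.protected:
            egress -= self.protected       # protected -> protected is blocked
        return egress

    def switch(self, frame):
        self.learn(frame)
        return self.forwarding_map(frame)


def demo():
    """Walk a few frames through a 4-port switch and return each forwarding map.

    Ports 1 and 2 are protected (two tenant hosts A and B); port 3 holds the
    default gateway G and port 4 a shared server, both non-protected.
    """
    sw = Layer2Switch(ports={1, 2, 3, 4}, protected={1, 2})
    a, b, g = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    out = {}
    out["a_broadcast"] = sw.switch(Frame(a, BROADCAST, 1))  # ARP from A: floods to 3 and 4 only
    out["b_broadcast"] = sw.switch(Frame(b, BROADCAST, 2))  # ARP from B: A on port 1 never sees it
    out["g_broadcast"] = sw.switch(Frame(g, BROADCAST, 3))  # gateway ARP reaches every other port
    out["b_to_a"] = sw.switch(Frame(b, a, 2))  # A is known on port 1, but both ports are protected: dropped
    out["a_to_g"] = sw.switch(Frame(a, g, 1))  # protected -> non-protected unicast is allowed
    out["g_to_a"] = sw.switch(Frame(g, a, 3))  # non-protected -> protected unicast is allowed
    return out


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:12s} -> {sorted(ports) or 'dropped'}")
```

Two points a practitioner checks before relying on this mechanism alone: the decision is made per switch, so two protected ports on different switches joined through a trunk are not isolated from each other by it, and the isolation is purely layer 2, so a router or firewall attached to a non-protected port can still forward traffic between the protected hosts at layer 3 unless it is configured (for example with an ACL) not to.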
Patents cited by this patent (69)
Hiller Thomas L. (Glen Ellyn IL) Spanke Ronald A. (Wheaton IL) Stanaway, Jr. John J. (Wheaton IL) Wierzbicki Alex L. (Bolingbrook IL) Zola Meyer J. (Oak Park IL), ATM distribution networks for narrow band communications.
Hiller Thomas L. (Glen Ellyn IL) Spanke Ronald A. (Wheaton IL) Stanaway, Jr. John J. (Wheaton IL) Wierzbicki Alex L. (Bolingbrook IL) Zola Meyer J. (Oak Park IL), ATM networks for narrow band communications.
Hiller Thomas L. (Glen Ellyn IL) Spanke Ronald A. (Wheaton IL) Stanaway, Jr. John J. (Wheaton IL) Wierzbicki Alex L. (Bolingbrook IL) Zola Meyer J. (Oak Park IL), Access switches for large ATM networks.
Videlock Gary B. (Foxborough MA) Gocht Russell C. (North Attleboro MA) Freitas AnneMarie (E. Walpole MA) Freitas Mark J. (E. Walpole MA), Apparatus and method for learning and filtering destination and source addresses in a local area network system.
Bannai, Vinay K.; Barry, Charles F.; Choi, Inwhan; Fan, Jason C.; Kalman, Robert F.; Lindquist, Richard; Mallick, Sohail; Shinde, Atul; Srinivasan, Seshadri; Stillman, Robert; Watts, Warren, Architecture for transport of multiple services in connectionless packet-based communication networks.
Joy Andrew K. (Northampton GB2) Jager Michael D. (Surrey GB2) Pickering Andrew J. (Warwickshire GB2) Oakley Raymond E. (Northants GB2) Arnold John S. (Northants GB2), Asynchronous time division switching arrangement and a method of operating same.
Bostica Bruno (Pino ITX) Daniele Antonella (Bareggio ITX) Vercellone Vinicio (Venaria ITX), Basic element for the connection network of a fast packet switching node.
Bryant David B. (Raleigh NC) Cossack Mark A. (Rochester MN) Frett Dennis J. (Rochester MN) Himwich Harold A. (Raleigh NC) Huynh Lap T. (Raleigh NC) McGinn John E. (Rochester MN), Border node having routing and functional capability in a first network and only local address capability in a second ne.
Ferenc James J. (Boulder CO) Goke Louis R. (Austin TX) Grimes Gary J. (Thornton CO) Moffitt Bryan S. (Redbank NJ), Building-block architecture of a multi-node circuit-and packet-switching system.
Lyles Joseph B. (Mountain View CA), Copy network providing multicast capabilities in a broadband ISDN fast packet switch suitable for use in a local area ne.
Ellis John G. (Kanata CAX) Dysart Keith C. (Kanata CAX) Commons Douglas N. (Ottawa CAX), Digital telecommunication link for efficiently transporting mixed classes of packets.
Derby Jeffrey H. (Chapel Hill NC) Drake, Jr. John E. (Pittsboro NC) Galand Claude (Cagnes Sur Mer NC FRX) Gun Levent (Durham NC) Marin Gerald A. (Chapel Hill NC) Roginsky Allen L. (Durham NC) Tedija, Dynamic bandwidth estimation and adaptation for packet communications networks.
Hiller Thomas L. (Glen Ellyn IL) Phelan James J. (Downers Grove IL) Zola Meyer J. (Oak Park IL), Establishing telecommunications call paths between clustered switching entities.
Hiller Thomas L. (Glen Ellyn IL) Phelan James J. (Downers Grove IL) Zola Meyer J. (Oak Park IL), Establishing telecommunications call paths in broadband communication networks.
Hiller Thomas L. (Glen Ellyn IL) Phelan James J. (Downers Grove IL) Zola Meyer J. (Oak Park IL), Establishing telecommunications calls in a broadband network.
McHarg Christopher G. (Winfield IL) Newman Thomas E. (Wheaton IL) Schaff Kenneth N. (Warrenville IL) Wendland Kenneth E. (St. Charles IL), High bandwidth packet switch.
Hiller Thomas L. (Glen Ellyn IL) Spanke Ronald A. (Wheaton IL) Stanaway, Jr. John J. (Wheaton IL) Wierzbicki Alex L. (Bolingbrook IL) Zola Meyer J. (Oak Park IL), Intra-switch communications in narrow band ATM networks.
Chao Hung-Hsiang J. (Madison NJ) Lee Sang H. (Bridgewater NJ) Wu Liang T. (Gladstone NJ), Method and apparatus for multiplexing circuit and packet traffic.
Moore Victor S. (Delray Beach FL) Van Duren Richard G. (Big Torch Key FL) Wu David C. (Boca Raton FL), Method and system for maintaining routing between mobile workstations and selected network workstation using routing tab.
Cidon Israel (Haifa NY ILX) Gopal Inder S. (New York NY) Guerin Roch A. (Yorktown Heights NY), Method and system of requesting resources in a packet-switched network with minimal latency.
Shachar Yuval (ILX); Bendelac Chaim (ILX); Marko Reuven (ILX), Method for switching between a data communication session and a voice communication session.
Eckberg, Jr. Adrian E. (Holmdel NJ) Luan Daniel T. (East Brunswick NJ) Lucantoni David M. (Eatontown NJ) Schonfeld Tibor J. (Livingston NJ), Packet switching system arranged for congestion control.
Eckberg, Jr. Adrian E. (Holmdel NJ) Luan Daniel T. (East Brunswick NJ) Lucantoni David M. (Eatontown NJ) Schonfeld Tibor J. (Livingston NJ), Packet switching system arranged for congestion control through bandwidth management.
Opher Ayal (Mountain View CA) Garg Gaurav (Mountain View CA) Kruzinski Philip (Redwood City CA) Sikdar Som (San Jose CA), Routing device utilizing an ATM switch as a multi-channel backplane in a communication network.
Devon Mark (San Jose CA) Lynch John (San Jose CA) Nichols James B. (San Mateo CA), Serial I/O device identifies itself to a computer through a serial interface during power on reset then it is being conf.
Baehr Geoffrey G.; Danielson William; Lyon Thomas L.; Mulligan Geoffrey; Patterson Martin (FRX); Scott Glenn C.; Turbyfill Carolyn, System for packet filtering of data packet at a computer network interface.
Baehr Geoffrey G.; Danielson William; Lyon Thomas L.; Mulligan Geoffrey; Patterson Martin (FRX); Scott Glenn C.; Turbyfill Carolyn, System for packet filtering of data packets at a computer network interface.
Devault Michel (22, rue de Bourgogne Lannion FRX 22300) Quinquis Jean-Paul (Rue de Cornic Perros Quirec FRX 22700) Rouaud Yvon (Les Fontaines A. 33 Lannion FRX 22300), Time division multiplex switching network for multiservice digital networks.
Lidinsky William P. (Naperville IL) Roediger Gary A. (Downers Grove IL) Steele Scott B. (Naperville IL) Weddige Ronald C. (Western Springs IL), User to network interface protocol for packet communications networks.