Personal virtual bridged local area networks
Abstract
A mechanism for segregating traffic amongst stations (STAs) that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based on the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) standard provides a mechanism that the invention extends to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an access point (AP). In a preferred embodiment, the personal VLAN bridge extends the standard VLAN bridge in at least one of the following ways: VLAN discovery, in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension, in which a personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; logical ports, in which a personal VLAN bridge can maintain more than one logical port per physical port and bridges between ports of any kind; and cryptographic VLAN separation, in which traffic of different VLANs sharing a physical port is kept apart by cryptography.
Claims (37)
1. An apparatus for segregating traffic amongst a plurality of stations that are associated with an access point, comprising:
    a LAN segment; and
    a personal virtual bridged local area network (personal VLAN) for partitioning said LAN segment logically into multiple virtual bridged local area networks (VLANs).
    Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for segregating traffic amongst a plurality of stations that are associated with an access point, comprising the steps of:
    providing a distribution system comprising multiple virtual local area networks (VLANs), wherein every station that associates with said access point can create a new VLAN with itself and said distribution system as its members, wherein a creator of a new VLAN can authenticate stations that wish to join said new VLAN; and
    separating traffic between trusted and untrusted stations even though they associate with a same access point.
    Dependent claims: 13, 14.
15. A method for segregating traffic amongst a plurality of stations that are associated with an access point, comprising the steps of:
    providing a protocol for virtual local area network (VLAN) discovery;
    allowing a station to create a new port that serves a new VLAN, or to join an existing VLAN;
    maintaining more than one logical port per physical port; and
    providing cryptographic VLAN separation, wherein traffic within one VLAN is separated from another VLAN on a same physical port by cryptography.
    Dependent claims: 16, 17, 18.
19. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, an apparatus for virtual local area network (VLAN) discovery, comprising:
    a personal VLAN bridge for partitioning a LAN segment logically into multiple VLANs; and
    server and client VLAN discovery agents associated with said VLAN bridge for discovering other VLANs and/or allowing VLANs that said VLAN bridge serves to be discovered.
    Dependent claims: 20, 21, 22, 23.
24. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for requesting service for a new virtual local area network (VLAN), comprising the steps of:
    a bridge receiving a request frame with a source MAC address through a control channel of a physical port, wherein a holder of said MAC address is a requester;
    receiving said request frame initiating an authentication protocol with said requester through said control channel;
    discarding said request if said requester cannot be authenticated, or is not authorized to request VLAN service from said bridge;
    creating a new logical port and associating said new logical port with a physical port through which said request frame is received if there is no conflict in using a virtual LAN ID (VID) requested;
    otherwise, said bridge negotiating a VID with said requester; and
    updating port state information for said logical port to include a security association, shared with said requester, that is in effect for all traffic through said port.
25. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for linking a new virtual local area network (VLAN) to one or more existing VLANs served by physical ports of a bridge, comprising the steps of:
    sending a join-VLAN request over a control channel;
    authenticating said request wherein, if authentication fails, said request is discarded;
    adding a logical port that serves a source VLAN to a member set of every virtual LAN ID (VID) in a set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs;
    adding every physical port in said set of physical ports to a member set of said source VLAN; and
    forming an untagged set of said source VLAN by taking a union of all untagged sets for VIDs in said set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs;
    wherein if a request frame contains a null VID in its tag header, or it is untagged, then a logical port of said bridge is added to an untagged set of every VID in said set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs.
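The request procedure of claim 24 and the join procedure of claim 25, modelled together as an added Python example (this is not the patent's own implementation): the bridge keeps an 802.1Q-style member set and untagged set per VID, creates a logical port with its own security association for an authenticated, authorized request, and links that port's VLAN to the VLANs of a set of physical ports. Assumed for the model: the `authenticate` callable stands in for the control-channel authentication protocol, VID negotiation is simplified to taking the next VID above those in use, the security association is a random placeholder, and each physical port is an untagged member of the VIDs it serves.

```python
import os
from dataclasses import dataclass, field

NULL_VID = 0  # an 802.1Q tag header carrying VID 0 has no VLAN identity; treated like an untagged frame


@dataclass
class PersonalVlanBridge:
    served: dict                                  # physical port -> set of VIDs it serves
    authorized: set                               # MACs allowed to request VLAN service (assumed policy store)
    member: dict = field(default_factory=dict)    # VID -> member set (ports that forward this VLAN)
    untagged: dict = field(default_factory=dict)  # VID -> untagged set (ports that strip the tag on egress)
    logical: dict = field(default_factory=dict)   # logical port -> (physical port, VID, security association)

    def __post_init__(self):
        # Modelling assumption: each physical port is an untagged (access) member of every VID it serves.
        for port, vids in self.served.items():
            for vid in vids:
                self.member.setdefault(vid, set()).add(port)
                self.untagged.setdefault(vid, set()).add(port)

    def request_vlan(self, src_mac, phys_port, requested_vid, authenticate):
        """Claim 24: a request frame from src_mac arrives on the control channel of phys_port."""
        if not authenticate(src_mac) or src_mac not in self.authorized:
            return None                           # cannot be authenticated or not authorized: discard
        vid = requested_vid
        if vid in self.member:                    # VID conflict: negotiate another (simplified: next unused)
            vid = max(self.member) + 1
        port = f"{phys_port}.{vid}"               # new logical port bound to the receiving physical port
        sa = os.urandom(16)                       # placeholder for the security association shared with the requester
        self.logical[port] = (phys_port, vid, sa)
        self.member[vid] = {port}                 # the new VLAN initially has only its creator's port
        self.untagged[vid] = set()
        return port

    def join_vlan(self, port, dest_ports, tag_vid, authenticate):
        """Claim 25: link the VLAN served by logical port `port` to the VLANs served by dest_ports."""
        if port not in self.logical or not authenticate(port):
            return False                          # authentication failed: discard the join-VLAN request
        src_vid = self.logical[port][1]
        dest_vids = set().union(*(self.served[p] for p in dest_ports))
        for vid in dest_vids:
            self.member[vid].add(port)            # source logical port joins every destination VLAN
            if tag_vid is None or tag_vid == NULL_VID:
                self.untagged[vid].add(port)      # untagged or null-VID request: deliver to it untagged
        self.member[src_vid] |= set(dest_ports)   # destination physical ports join the source VLAN
        self.untagged[src_vid] = set().union(*(self.untagged[v] for v in dest_vids))
        return True
```

After a successful join, frames of the destination VLANs reach the requester's logical port only, so the other stations on the same physical port stay outside that traffic unless they pass the same authentication.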
26. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for joining a personal virtual local area network (VLAN) served by a logical port, comprising the steps of:
    if source and destination VLANs have a same creator, and said creator issued a join-VLAN request, then said request is discarded;
    if said source and destination VLANs are identical and said creator did not issue said request, then said creator authenticates said requester for membership into said personal VLAN; and
    in all other cases, a bridge first authenticates said request to make sure that said requester is the creator of said source VLAN;
    wherein if authentication succeeds, then said creator authenticates said requester for membership into said destination VLAN; and
    wherein said requester authenticates said creator to make sure that said creator is the creator of said destination VLAN.
27. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for authenticating a request for joining a personal virtual local area network (VLAN) served by a logical port, comprising the steps of:
    providing a personal VLAN bridge having a control channel for authentication of a requester by a creator;
    said personal VLAN bridge using said control channel to relay authentication protocol messages between said creator and said requester; and
    if said creator can authenticate said requester, then said creator sharing a security association it holds with said personal VLAN bridge with said requester as well.
    Dependent claims: 28, 29, 30, 31, 32.
33. An apparatus for segregating traffic amongst stations (STAs) that are associated with a bridge, comprising:
    a personal virtual bridged local area network (personal VLAN) that uses a VLAN to segregate traffic.
    Dependent claims: 34, 35, 36, 37.