Security groups for VLANs
Abstract
Methods and devices are provided for implementing security groups in an enterprise network. The security groups include first network nodes that are subject to rules governing communications between the first network nodes and second network nodes. An indicator, referred to as a security group tag (SGT), identifies members of a security group. In some embodiments, the SGT is provided in a field of a data packet reserved for layer 3 information or a field reserved for higher layers. However, in other embodiments, the SGT is provided in a field reserved for layer 1 or layer 2. In some embodiments, the SGT is not provided in a field used by interswitch links or other network fabric devices for the purpose of making forwarding decisions.
42 Claims
1. A method of implementing a security group within a network, the method comprising:
  receiving a packet;
  classifying the packet as having a security group designation selected from a plurality of security group designations, the security group designation associating a set of destinations and a set of sources authorized to access the set of destinations; and
  applying a security group tag to the packet which identifies the security group designation, the security group tag being applied in a field not reserved for virtual local area network information.
  Dependent claims: 2, 3.

4. A method of implementing a security group within a network, the method comprising:
  receiving a packet;
  classifying the packet as having a security group designation selected from a plurality of security group designations, the security group designation associating a set of destinations and a set of sources authorized to access the set of destinations; and
  applying a security group tag to the packet which identifies the security group designation, the security group tag being applied in a field reserved for security group information.
  Dependent claims: 5, 6.

7. A method for implementing a security group within a network, the method comprising:
  receiving a first packet;
  classifying the first packet as having a first security group designation selected from a plurality of security group designations, wherein the first security group designation associates a first set of destinations and a first set of sources authorized to access the first set of destinations; and
  applying a first security group tag to the first packet which identifies the first security group designation, wherein the first security group tag is applied in a field reserved for layer three or higher and wherein the information in the field is not used in forwarding decisions by interswitch links.
  Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17.

18. An apparatus for implementing a security group within a network, the apparatus comprising:
  means for receiving a first packet;
  means for classifying the first packet as having a first security group designation selected from a plurality of security group designations, wherein the first security group designation associates a first set of destinations and a first set of sources authorized to access the first set of destinations; and
  means for applying a first security group tag to the first packet which identifies the first security group designation, wherein the first security group tag is applied in a field reserved for layer three or higher and wherein the information in the field is not used in forwarding decisions by interswitch links.

19. An apparatus for implementing a security group within a network, the apparatus comprising:
  a port for receiving a first packet;
  a processor for classifying the first packet as having a first security group designation selected from a plurality of security group designations, wherein the first security group designation associates a first set of destinations and a first set of sources authorized to access the first set of destinations; and
  an encoder for applying a first security group tag to the first packet which identifies the first security group designation, wherein the first security group tag is applied in a field reserved for layer three or higher and wherein the information in the field is not used in forwarding decisions by interswitch links.

20. A computer program embodied in a computer-readable storage medium, the computer program comprising instructions which cause a computer to:
  receive a first packet;
  classify the first packet as having a first security group designation selected from a plurality of security group designations, wherein the first security group designation associates a first set of destinations and a first set of sources authorized to access the first set of destinations; and
  apply a first security group tag to the first packet which identifies the first security group designation, wherein the first security group tag is applied in a field reserved for layer three or higher and wherein the information in the field is not used in forwarding decisions by interswitch links.

21. A method for implementing a security group within a network, the method comprising:
  receiving a packet;
  verifying a source of the packet;
  reading a destination address of the packet;
  reading a security group tag in a field of the packet reserved for layer three or higher;
  determining a first security group of the packet based on the security group tag, wherein the first security group is one of a plurality of security groups and wherein the first security group associates a first set of destination addresses and a first set of sources authorized to access the first set of destination addresses; and
  deciding, based upon the source and the first security group designation, whether to transmit the packet to the destination address.
  Dependent claims: 22, 23, 24, 25, 26, 27, 28.

29. A computer program embodied in a computer-readable storage medium, the computer program comprising instructions which cause a computer to:
  receive a packet;
  verify a source of the packet;
  read a destination address of the packet;
  read a security group tag in a field of the packet reserved for layer three or higher;
  determine a first security group of the packet based on the security group tag, wherein the first security group is one of a plurality of security groups and wherein the first security group associates a first set of destination addresses and a first set of sources authorized to access the first set of destination addresses; and
  decide, based upon the source and the first security group designation, whether to transmit the packet to the destination address.

30. An apparatus for implementing a security group within a network, the apparatus comprising:
  means for receiving a packet;
  means for verifying a source of the packet;
  means for reading a destination address of the packet and for reading a security group tag in a field of the packet reserved for layer three or higher; and
  means for determining a first security group of the packet based on the security group tag, wherein the first security group is one of a plurality of security groups and wherein the first security group associates a first set of destination addresses and a first set of sources authorized to access the first set of destination addresses, and for deciding, based upon the source and the first security group designation, whether to transmit the packet to the destination address.

31. An apparatus for implementing a security group within a network, the apparatus comprising:
  a port for receiving a packet; and
  a processor for:
    verifying a source of the packet;
    reading a destination address of the packet;
    reading a security group tag in a field of the packet reserved for layer three or higher;
    determining a first security group of the packet based on the security group tag, wherein the first security group is one of a plurality of security groups and wherein the first security group associates a first set of destination addresses and a first set of sources authorized to access the first set of destination addresses; and
    deciding, based upon the source and the first security group designation, whether to transmit the packet to the destination address.

32. A method of implementing a security group in an enterprise network having a plurality of security groups, wherein the security groups each include multiple network nodes within the enterprise network, and wherein the network nodes within a security group are subject to rules governing which network nodes they can communicate with, the method comprising:
  (a) receiving a packet having a security group tag identifying a particular security group within the enterprise network, wherein the security group tag is provided in a field of the packet containing layer 3 or higher information, and wherein the field is not used in forwarding decisions;
  (b) based on the security group identified in the security group tag, determining whether to transmit the packet to its intended destination; and
  (c) transmitting the packet or denying transmission or delaying transmission of the packet to the intended destination based on the determination in (b).
  Dependent claims: 33, 34, 35, 36, 37.

38. A computer program embodied in a computer-readable storage medium for implementing a security group in an enterprise network having a plurality of security groups, wherein the security groups each include multiple network nodes within the enterprise network, and wherein the network nodes within a security group are subject to rules governing which network nodes they can communicate with, the computer program comprising instructions which cause a computer to:
  (a) receive a packet having a security group tag identifying a particular security group within the enterprise network, wherein the security group tag is provided in a field of the packet containing layer 3 or higher information, and wherein the field is not used in forwarding decisions;
  (b) based on the security group identified in the security group tag, determine whether to transmit the packet to its intended destination; and
  (c) transmit the packet or deny transmission or delay transmission of the packet to the intended destination, based on the determination in (b).
  Dependent claims: 39, 40, 41, 42.
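As an added illustration of the procedure the claims describe (this is not code from the patent or from any vendor's product), the Python sketch below performs ingress classification and tagging (claims 1, 4, 7), a forwarding lookup that never consults the tag, and the egress decision of claims 21 and 32 based on the verified source, the tag and the destination. The dict-based packet encoding, the group numbers and all addresses are constructed for the example.

```python
# Added example: a minimal model of security-group tagging and enforcement.
# Packets are plain dicts (constructed encoding, not a wire format); the SGT
# lives in its own "sgt" field, so the "vlan" field and the forwarding lookup
# (destination only) never depend on it. Groups and addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityGroup:
    sgt: int
    destinations: frozenset        # destinations the group protects
    authorized_sources: frozenset  # sources allowed to reach those destinations

# Constructed policy: each SGT associates a destination set with its authorized sources.
GROUPS = {
    10: SecurityGroup(10, frozenset({"10.0.1.5", "10.0.1.6"}), frozenset({"10.0.0.10", "10.0.0.11"})),
    20: SecurityGroup(20, frozenset({"10.0.2.5"}), frozenset({"10.0.0.20"})),
}

def classify(packet):
    """Ingress: choose the group whose authorized source set contains the packet's source."""
    for group in GROUPS.values():
        if packet["src"] in group.authorized_sources:
            return group.sgt
    return None  # no group: packet stays untagged and will be denied at egress

def tag(packet):
    """Apply the SGT in a dedicated field, leaving the VLAN field untouched."""
    tagged = dict(packet)
    sgt = classify(packet)
    if sgt is not None:
        tagged["sgt"] = sgt
    return tagged

def forward_port(packet, routes):
    """Forwarding decision: destination lookup only; the SGT field is ignored."""
    return routes.get(packet["dst"])

def enforce(packet):
    """Egress: permit only if source is verified for the tagged group and dst is in it."""
    group = GROUPS.get(packet.get("sgt"))
    if group is None:
        return "deny"  # untagged packet or unknown group
    if packet["src"] not in group.authorized_sources:
        return "deny"  # source verification failed: tag does not match the source
    if packet["dst"] not in group.destinations:
        return "deny"  # destination is outside the group's protected set
    return "permit"
```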