Network including snooping

US 20060248229A1
Filed: 07/29/2005
Published: 11/02/2006
Est. Priority Date: 04/27/2005
Status: Active Grant

First Claim

Patent Images

1. A computer network including:

at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including;

snooping apparatus using DHCP to monitor the signal traffic through the switch to or from each edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and a first dynamic table (14T) within said switch of, for each edge device, the MAC address, the IP address, and the port which it is connected, the contents of the first dynamic table being provided by said snooping apparatus.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network including: at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including: snooping apparatus using DHCP to monitor the signal traffic through the switch to or from the each edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and a dynamic table within said switch of, for each edge device, the MAC address, the IP address, and the port which it is connected, the contents of the table being provided by said snooping apparatus

139 Citations

26 Claims

1. A computer network including:
- at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including;
  
  snooping apparatus using DHCP to monitor the signal traffic through the switch to or from each edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and a first dynamic table (14T) within said switch of, for each edge device, the MAC address, the IP address, and the port which it is connected, the contents of the first dynamic table being provided by said snooping apparatus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. A computer network as claimed in claim 1 in which the switch contains a Network Login (802.1x) protocol engine and/or a RADA (RADIUS Authenticated Destination MAC Address) based authentication protocol engine, which protocol engines detect the user name which is added to the dynamic table (14T).
  - 3. A computer network as claimed in claim 1 in which the switch operates in level 2 and/or layer 3 of the OSI model.
  - 4. A computer network as claimed in claim 1 including means whereby the first dynamic table (14T) includes entries which are only retained for a predetermined period of time and then discarded.
  - 5. A computer network as claimed in claim 1 including an authentication server which includes a second table (13T) of user names and their relevant passwords used by Network Login.
  - 6. A computer network as claimed in claim 5 in which the second table (13T) which includes User and Password information also includes, for each user name and password the corresponding virtual local network (VLAN) and/or VLAN tag and/or the Quality of Service (QoS).
  - 7. A computer network as claimed in claim 1 in which the user name, VLAN, VLAN tag and QoS information learnt from the authentication server and in the second table (13T) is added to the first dynamic table (14T).
  - 8. A computer network as claimed in claim 7 in which the IP address is added to the first dynamic table (14T) by a DHCP response process.
  - 9. A computer network as claimed in claim 8 in which the first dynamic table (14T) which includes MAC addresses and their corresponding IP addresses, for each MAC addresses and corresponding IP addresses includes the virtual local network (VLAN) and/or VLAN tag state, the VLAN information being added to the dynamic table by a DHCP response process and applied to the port with the required VLAN tagging.
  - 10. A computer network as claimed in claim 9 in which the switch includes a GVRP process that is used to automatically interconnect all the ports that are also in the same VLAN.
  - 11. A computer network as claimed in claim 1 in which the information in the first dynamic table (14T) of the switch may be accessed by a management apparatus controlling the network.
  - 12. A computer network as claimed in claim 11 in which the switch is adapted to inform the management apparatus as soon as a user is added to the first dynamic table (14T) and passes data on the connection time, the MAC and IP address and switch port information about that user.
  - 13. A computer network as claimed in claim 12 further comprising network components that do not require user login to enable access such as Web servers, Web Caches and firewalls.
  - 14. A computer network as claimed in claim 13 in which the mamgement apparatus is adapted to determine and collate IP address information from misuse of any network components and relate this directly to the users of that network that caused the misuse.
  - 15. A computer network as claimed in claim 11 in which the first dynamic table (14T) has entries configured by the management apparatus.
  - 16. A computer network as claimed in claim 15 in which the switch is adapted to process data packets being passed to the switch to determne the requested IP address of the destination and compares these to the list of IP addresses in the first dynamic table, the packet being discarded if the IP address requested is not in the list of IP addresses in the first dynamic table.
  - 17. A computer network as claimed in claim 1 in which the edge device comprises a work station or a computer.
  - 18. A computer network as claimed in claim 17 in which the edge device is adapted to run IP Phone software and be automatically connected to on a mixed voice data network to keep the voice traffic separate from a purely data network and the data network separate from a purely voice network.
  - 19. A computer network as claimed in claim 1 in which the edge device comprises an IP phone.
  - 20. A computer network as claimed in claim 18 in which the switch may, via the use of the table, control access of said computer to a predetermined output ports suitable for the purpose.
  - 21. A computer network as claimed in claim 18 in which the switch may, via the use of the table, control access of said IP phone to a predetermined output ports suitable for the purpose.
  - 22. A computer network as claimed in claim 1 in which a data packet is only forwarded to its destination address if its MAC source address and, for an IP packet, its IP source address is contained in the dynamic table.
  - 23. A computer network as claimed in claim 6 in which the first dynamic table (14T) of the switch includes a list of allowed DHCP servers, and for any DHCP server response can check the IP address of the DHCP server against this allowed list and prevent access to the network from this IP address if it is not a valid DHCP server.

24. A computer network including:
- at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including;
  
  snooping apparatus using DHCP to monitor the signal traffic through the switch to or from the edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and a dynamic table within said switch of, for each edge device, the MAC address, the VLAN to which the edge device is to be connected, and/or the VLAN tag state of the port, and the port which it is connected, the contents of the table being provided by said snooping apparatus.

25. A method of operating a computer network including:
- at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including;
  
  snooping apparatus using DHCP to monitor the signal traffic through the switch to or from each edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and a dynamic table within said switch of, for each edge device, the MAC address, the IP address, and the port which it is connected, the contents of the table being provided by said snooping apparatus, said method comprising the steps Step 100;
  
  is MAC SA (source address) authenticated? If NO go to Step 101, if YES go to Step 108. Step 101;
  
  Is MAC DA (destination address) the EAP MAC address? If NO go to Step 102, if YES go to Step 106. Step 102;
  
  Perform RADA authentication and go to Step 103. Step 103;
  
  Is MAC authenticated? If NO go to Step 104, if YES go to Step 105. Step 104;
  
  Perform MAC Intrusion Action. Step 105;
  
  Add User Name and/or MAC SA to Authenticated Table (in table 14T) Add any QoS and VLAN information configuration to the port and the Table 14T. Step 106;
  
  Perform Network Login (802.1x) Authentication and go to Step 107. Step 107;
  
  Is User Name Authenticated? If YES go to Step 105, if No go to Step 104. Step 108;
  
  Perform QoS prioritization of the packet and go to Step 109. Step 109;
  
  Tag the packet with VLAN information if necessary and go to Step 110. Step 110;
  
  Is this packet a DHCP Packet? If NO go to Step 111, if YES go to Step 118. Step 111;
  
  Is it an IP packet? If NO, forward packet normally to destination at step 115, if YES, go to step 112. Step 112;
  
  Is packet an ARP Response? If NO go to Step 113, if YES go to Step 116. Step 113;
  
  Does IP source address match the IP address assigned to this MAC in Table 14T? If NO go to Step 114, if YES go to Step 115. Step 114;
  
  Perform IP Intrusion Action. Step 115;
  
  Perform normal packet forwarding to destination. Step 116;
  
  Does IP Source address match the IP assigned to this MAC in Table 14T? If YES go to Step 115, if NO go to Step 117. Step 117;
  
  Perform Gratuitous ARP Action. Step 118;
  
  Perform DHCP Processing and go to Step 115.
- View Dependent Claims (26)
- - 26. The method of claim 25 further comprising, when a data packet is sent to an edge port, the steps:
    - Step 125;
      
      Is the MAC DA (destination address) known in table? If NO go to Step 126, if YES go to Step 127. Step 126;
      
      Discard Unknown MAC DA frames. Step 127;
      
      Is the packet a DHCP Response? If NO go to Step 128/129, if YES go to Step 132. Step 128;
      
      Is the packet an IP packet? If NO forward the packet normally to its destination, if YES, go to step 129. Step 129;
      
      Is IP Destination Address known? If NO go to Step 130, if YES go to Step 131. Step 130;
      
      Perform IP Intrusion Action. Step 131;
      
      Perform normal packet forwarding to destination. Step 132;
      
      Add IP address from DHCP response to table Add VLAN Information to Authentication Table and the port and go to Step 131.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Saunderson, Peter, Smith, John P.

Granted Patent

US 7,596,614 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0213   Standardised network manage...

H04L 41/08   Configuration management of...

H04L 41/5022   by giving priorities, e.g. ...

H04L 41/5087   wherein the managed service...

H04L 49/354   for supporting virtual loca...

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

Network including snooping

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

139 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network including snooping

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links