Management computer and computer system for setting port configuration information

US 20080056161A1
Filed: 06/26/2007
Published: 03/06/2008
Est. Priority Date: 08/29/2006
Status: Active Grant

First Claim

Patent Images

1. A management computer for managing switches included in a network, comprising:

a processor for executing computing;

a memory connected to the processor; and

an interface connected to the processor and the network,wherein the memory stores configuration information for controlling the switches, network topology information indicating a connection between the switches, and ports configuration information indicating, for each switch, whether client authentication is executed at each port provided in the switch, the client authentication being processing of verifying whether a client connected to the port provided in the switch has right to connect to the network, andwherein the processor is configured to;

judge, based on the network topology information, for each port provided in each switch, whether the client authentication is executed; and

set, in the ports configuration information, based on a result of the judging, whether to execute the client authentication at the port.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a computer system capable of cutting the cost of running and managing a company network and improving the security of the network by reducing wrong settings and skipped settings due to human factor. The computer system has switches which constitute a network, a management computer which is connected to the network and manages the network, and clients which are connected to the switches. The management computer sets each switch such that client authentication is executed at port provided in the switch that can be connected to the client. The client authentication is processing of verifying whether the client has the right to connect to the network.

Citations

19 Claims

1. A management computer for managing switches included in a network, comprising:
- a processor for executing computing;
  
  a memory connected to the processor; and
  
  an interface connected to the processor and the network,wherein the memory stores configuration information for controlling the switches, network topology information indicating a connection between the switches, and ports configuration information indicating, for each switch, whether client authentication is executed at each port provided in the switch, the client authentication being processing of verifying whether a client connected to the port provided in the switch has right to connect to the network, andwherein the processor is configured to;
  
  judge, based on the network topology information, for each port provided in each switch, whether the client authentication is executed; and
  
  set, in the ports configuration information, based on a result of the judging, whether to execute the client authentication at the port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The management computer according to claim 1,wherein the memory stores switch information for indicating whether the switch can execute the client authentication, andwherein the processor is configured to:
    - judge, based on the switch information, whether it is a switch that can execute the client authentication;
      
      judge, in a case where it is judged that the switch can execute the client authentication, based on the network topology information, for each port provided in the switch that can execute the client authentication, whether the client authentication is executed at the port; and
      
      set, in the ports configuration information, based on a result of the judging, whether to execute the client authentication at the port.
  - 3. The management computer according to claim 1, wherein the processor is configured to:
    - receive link state information from a switch in the network, the link state information including an identifier of a source switch from which the link state information is sent, an identifier of a connected switch which is connected to the source switch, an identifier of one port provided in the source switch and connected to the connected switch, and an identifier of a connected port which is one port provided in the connected switch and connected to the source switch;
      
      set the network topology information based on the received link state information;
      
      judge, based on the set network topology information, for each port provided in the switch, whether the client authentication is executed; and
      
      set, in the ports configuration information, based on a result of the judging, whether to execute the client authentication at the port.
  - 4. The management computer according to claim 3, further comprising an input unit, which is input the switch information and the link state information.
  - 5. The management computer according to claim 1, wherein the processor is configured to:
    - receive, in a case of adding of a new switch to the network, link state information sent by an existing switch to which the new switch is connected, the link state information including an identifier of the existing switch, an identifier of an existing port provided in the existing switch and connected to the new switch, an identifier of the new switch, and an identifier of a new port provided in the new switch and connected to the existing switch;
      
      judge, based on the received link state information, for each port provided in the new switch and the existing switch, whether the client authentication is executed; and
      
      set, in the ports configuration information that is associated with the new switch and the existing switch, based on a result of the judging, whether to execute the client authentication at the each port provided in the new switch and the existing switch.
  - 6. The management computer according to claim 1, wherein the processor is configured to:
    - receive, in a case of adding a new switch to the network, link state information that indicates a connection of an existing switch to which the new switch is connected, the link state information being received from the existing switch; and
      
      set, based on the received link state information, the ports configuration information that is associated with the new switch and the existing switch such that the client authentication is executed at port provided in the new switch that can be connected to the client.
  - 7. The management computer according to claim 1, wherein the processor is configured to:
    - receive, in a case of removing a switch from the network, link state information sent by an existing switch from which the removed switch is disconnected, the link state information indicating the fact that the removed switch has been disconnected from the existing switch, and including an identifier of the existing switch and an identifier of an existing port provided in the existing switch and disconnected from the removed switch;
      
      judge, based on the received link state information, for each port provided in the existing switch, whether the client authentication is executed; and
      
      set, in the ports configuration information that is associated with the existing switch, based on a result of the judging, whether to execute the client authentication at the each port provided in the existing switch.
  - 8. The management computer according to claim 1, wherein the processor is configured to:
    - receive, in a case of removing a switch from the network, link state information that indicates a connection of an existing switch from which the removed switch is disconnected, the link state information being received from the existing switch; and
      
      set, based on the received link state information, the ports configuration information that is associated with the existing switch such that the client authentication is executed at the port provided in the existing switch and disconnected from the removed switch.
  - 9. The management computer according to claim 1,wherein the network is built such that each switch constituting the network belongs to at least one VLAN, the VLAN being identified uniquely by a VLAN identifier,wherein the ports configuration information includes at least one VLAN identifier allocated to each port, andwherein the processor is configured to:
    - receive, in a case of adding a new switch to the network, link state information sent by an existing switch to which the new switch is connected, the link state information including an identifier of the existing switch, an identifier of an existing port provided in the existing switch and connected to the new switch, an identifier of the new switch, and an identifier of a new port provided in the new switch and connected to the existing switch;
      
      obtain, based on the ports configuration information that is associated with the existing switch, at least one VLAN identifier that is allocated to the existing port; and
      
      set the ports configuration information that is associated with the new switch such that the obtained at least one VLAN identifier is allocated to the new port.
  - 10. The management computer according to claim 9,wherein the VLAN identifier includes a management VLAN identifier with which the management computer access the switches, andwherein the processor is configured to:
    - refer to the ports configuration information that is associated with the existing switch; and
      
      set, in a case where it is found as a result that the management VLAN identifier is allocated to one port provided in the existing switch, the ports configuration information that is associated with the new switch such that the management VLAN identifier and the VLAN identifier obtained as the at least one VLAN identifier allocated to the existing port are allocated to the new port, and the ports configuration information that is associated with the existing switch such that the management VLAN identifier is allocated to the existing port.
  - 11. The management computer according to claim 1,wherein the network is built such that each switch constituting the network belongs to at least one VLAN, the VLAN being identified uniquely by a VLAN identifier,wherein the ports configuration information includes at least one VLAN identifier allocated to each port, andwherein the processor is configured to:
    - receive, in a case of adding a new switch to the network, link state information sent by an existing switch to which the new switch is connected, the link state information including an identifier of the existing switch, an identifier of an existing port provided in the existing switch and connected to the new switch, an identifier of the new switch, and an identifier of a new port provided in the new switch and connected to the existing switch;
      
      refer to the ports configuration information that is associated with the existing switch;
      
      obtain all of VLAN identifiers allocated to all ports provided in the existing port; and
      
      set the ports configuration information that is associated with the new switch such that the obtained all of VLAN identifiers are allocated to the new port.
  - 12. The management computer according to claim 1,wherein the network is built such that each switch constituting the network belongs to at least one VLAN, the VLAN being identified uniquely by a VLAN identifier,wherein the ports configuration information includes at least one VLAN identifier allocated to each port, and a port type indicating, for each port, whether a VLAN function is enabled at the port, andwherein the processor is configured to:
    - receive, in a case of adding a new switch to the network, link state information sent by an existing switch to which the new switch is connected, the link state information including an identifier of the existing switch, an identifier of an existing port provided in the existing switch and connected to the new switch, an identifier of the new switch, and an identifier of a new port provided in the new switch and connected to the existing switch;
      
      set the ports configuration information that is associated with the existing switch such that “
      
      access”
      
      is registered as the port type of the existing port, the “
      
      access”
      
      meaning that the VLAN function is disabled; and
      
      set the ports configuration information that is associated with the new switch such that “
      
      trunk”
      
      is registered as the port type of the new port whereas “
      
      access”
      
      is set as the port type of other ports provided in the new switch than the new port, the “
      
      trunk”
      
      meaning that the VLAN function is enabled.
  - 13. The management computer according to claim 1,wherein the network is built such that each switch constituting the network belongs to at least one VLAN, the VLAN being identified uniquely by a VLAN identifier,wherein the ports configuration information includes at least one VLAN identifier allocated to each port, and a port type indicating, for each port, whether a VLAN function is enabled at the port, andwherein the processor is configured to:
    - receive, in a case of removing a switch from the network, link state information sent by an existing switch from which the removed switch is disconnected, the link state information indicating the fact that the removed switch has been disconnected from the existing switch, and including an identifier of the existing switch and an identifier of an existing port provided in the existing switch and disconnected from the removed switch; and
      
      set the ports configuration information that is associated with the existing switch such that “
      
      trunk”
      
      is registered as the port type of the existing port, “
      
      trunk”
      
      meaning that the VLAN function is enabled.
  - 14. The management computer according to claim 13,wherein the ports configuration information includes at least one VLAN identifier allocated to each port, andwherein the processor is configured to:
    - receive, in a case of removing a switch from the network, link state information sent by an existing switch from which the removed switch is disconnected, the link state information indicating the fact that the removed switch has been disconnected from the existing switch, and including an identifier of the existing switch and an identifier of an existing port provided in the existing switch and disconnected from the removed switch;
      
      refer to the ports configuration information that is associated with the existing switch; and
      
      set, in a case where it is found as a result that a management VLAN identifier is allocated to the existing port, the ports configuration information that is associated with the existing switch such that the management VLAN identifier allocated to the existing port is deleted from the ports configuration information that is associated with the existing switch, the management VLAN identifier being used by the management computer to access the switches.
  - 15. The management computer according to claim 1,wherein the management computer is connected to an authentication server via the network,wherein the authentication server executes authentication to verify, based on authentication request messages sent from the switches, whether the clients have right to connect to the network, andwherein the processor sets, in a case of adding a new switch to the network, the configuration information for the new switch such that an identifier of the authentication server is included as a destination of an authentication request message that is sent by the new switch.

16. A computer system, comprising:
- a plurality of switches included in a network;
  
  a management computer connected to the network, for managing the network; and
  
  a client connected to the network,wherein each switch has a first processor for executing computing, a first memory connected to the first processor, and ports connected to devices that access the network,wherein the management computer has a second processor for executing computing, a second memory connected to the second processor, and a second interface connected to the network, andwherein the second processor sets each switch such that client authentication is executed at the port that can be connected to the client, the client authentication being processing of verifying whether the client connected to the port provided in the switch has right to connect to the network.
- View Dependent Claims (17, 18)
- - 17. The computer system according to claim 16,wherein the first processor in an existing switch to which a new switch is connected sends, in a case where the new switch is added to the network, link state information for indicating a connection of the existing switch, andwherein the second processor receives the link state information and sets, based on the received link state information, the new switch such that the client authentication is executed at the port that can be connected to the client.
  - 18. The computer system according to claim 16,wherein the first processor in an existing switch from which a removed switch is disconnected sends, in a case where the removed switch is removed from the network, link state information for indicating a connection of the existing switch, andwherein the second processor receives the link state information and sets, based on the received link state information, the existing switch such that the client authentication is executed at one port that has been connected to the removed switch and that can now be connected to the client.

19. A switch managed by a management computer, and included in a network, comprising:
- a processor for executing computing;
  
  a memory connected to the processor; and
  
  ports connected to the processor and to which a client can be connected,wherein the processor receives from the management computer information that indicates, for each port provided in the switch, whether client authentication is executed, the client authentication being processing of verifying whether the client connected to the port provided in the switch has right to connect to the network, andwherein the client authentication is executed at the port provided in the switch based on the received information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alaxala Networks Corporation (Fortinet Inc.)
Original Assignee
Hitachi, Ltd.
Inventors
Sumiyoshi, Takashi, Okita, Hideki, Ozawa, Yoji

Granted Patent

US 7,826,393 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/254
CPC Class Codes

H04L 41/00 Arrangements for maintenanc...

Management computer and computer system for setting port configuration information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Management computer and computer system for setting port configuration information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links