ENTERPRISE NETWORK ARCHITECTURE FOR IMPLEMENTING A VIRTUAL PRIVATE NETWORK FOR WIRELESS USERS BY MAPPING WIRELESS LANs TO IP TUNNELS

US 20090034431A1
Filed: 07/31/2007
Published: 02/05/2009
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1. An enterprise network, comprising:

a central site comprising;

a first termination device in communication with a restricted network segment including at least one server; and

a network;

a remote site, communicatively coupled to the central site over the network, the remote site comprising;

an infrastructure device comprising;

a second termination device which communicates with the first termination device over the network;

an authorized access wireless local area network (WLAN) designed to allow communications with the central site via the second termination device over a Generic Routing Encapsultation (GRE) tunnel coupling the first termination device to the second termination device; and

an unauthorized access WLAN designed to allow communications with the network via the second termination device, and when the second termination device receives an IEEE 802.11 data packet from a wireless communication device, wherein the second termination device is designed to;

determine whether the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, and when the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, wherein the second termination device is further designed to;

remove a Layer 2 header from the IEEE 802.11 data packet;

encapsulate the Layer 3 data packet with a GRE header to generate a GRE-over-IP packet; and

transmit the GRE-over-IP packet over the open network via the GRE tunnel to the first termination device.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise network is provided which includes a central site, a network and a remote site communicatively coupled to the central site over the network. The central site includes a first termination device in communication with a restricted network segment including at least one server. The remote site includes an infrastructure device, an authorized access wireless local area network (WLAN), and an unauthorized access WLAN. The infrastructure device comprises a second termination device which communicates with the first termination device over the network. The authorized access WLAN allow communications with the central site via the second termination device over a tunnel coupling the first termination device to the second termination device, whereas the unauthorized access WLAN allows communications with the network via the second termination device.

Citations

33 Claims

1. An enterprise network, comprising:
- a central site comprising;
  
  a first termination device in communication with a restricted network segment including at least one server; and
  
  a network;
  
  a remote site, communicatively coupled to the central site over the network, the remote site comprising;
  
  an infrastructure device comprising;
  
  a second termination device which communicates with the first termination device over the network;
  
  an authorized access wireless local area network (WLAN) designed to allow communications with the central site via the second termination device over a Generic Routing Encapsultation (GRE) tunnel coupling the first termination device to the second termination device; and
  
  an unauthorized access WLAN designed to allow communications with the network via the second termination device, and when the second termination device receives an IEEE 802.11 data packet from a wireless communication device, wherein the second termination device is designed to;
  
  determine whether the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, and when the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, wherein the second termination device is further designed to;
  
  remove a Layer 2 header from the IEEE 802.11 data packet;
  
  encapsulate the Layer 3 data packet with a GRE header to generate a GRE-over-IP packet; and
  
  transmit the GRE-over-IP packet over the open network via the GRE tunnel to the first termination device.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 11, 12)
- - 2. An enterprise network according to claim 1, wherein the GRE tunnel comprises a first tunnel endpoint which terminates at the second termination device and a second tunnel end point which terminates at the first termination device.
  - 3. An enterprise network according to claim 1, wherein the authorized access WLAN is mapped to the GRE tunnel.
  - 4. An enterprise network according to claim 1, further comprising:
    - at least one authorized wireless communication device, wherein the authorized access wireless local area network (WLAN) is designed to allow the authorized wireless communication device to communicate with the central site via the second termination device over the GRE tunnel coupling the first termination device to the second termination device; and
      
      at least one unauthorized wireless communication device, wherein the unauthorized access WLAN at the remote site is designed to allow the unauthorized wireless communication device to communicate with the network via the second termination device.
  - 6. An enterprise network according to claim 1, when the first termination device receives the GRE-over-IP packet, wherein the first termination device is designed to:
    - decapsulate the GRE-over-IP packet by removing the GRE header to generate a layer 3 data packet; and
      
      transmit the layer 3 data packet to a destination address of a server in the restricted network segment.
  - 7. An enterprise network according to claim 1, wherein, when the first termination device receives a Layer 3 data packet from a server in the restricted network segment, wherein the first termination device is designed to:
    - remove a layer 2 header from the Layer 3 data packet;
      
      encapsulate the Layer 3 data packet with a GRE header to generate a GRE-over-IP packet; and
      
      transmit the GRE-over-IP packet via the GRE tunnel to the second termination device.
  - 8. An enterprise network according to claim 7, when the second termination device receives the GRE-over-IP packet, wherein the second termination device is designed to:
    - decapsulate the GRE-over-IP packet by removing an outer IP header and the GRE header to generate a Layer 3 data packet; and
      
      determine whether the Layer 3 data packet is destined for a wireless communication device associated with the authorized access WLAN.
  - 9. An enterprise network according to claim 8, when the second termination device determines that the Layer 3 data packet is destined for a wireless communication device associated with the authorized access WLAN, wherein the second termination device is further designed to:
    - encapsulate the Layer 3 data packet into an IEEE 802.11 data frame having a MAC address associated with the destination wireless communication device; and
      
      transmit the IEEE 802.11 data frame over-the-air (OTA) to the destination wireless communication device.
  - 11. An enterprise network according to claim 1, wherein the second termination device comprises a wireless switch with GRE-over-IP tunneling capability, and wherein the first termination device comprises an IP router with GRE-over-IP tunneling capability.
  - 12. An enterprise network according to claim 1, wherein the central site is physically located at a first location, and wherein the remote site is physically located at a second location different than the first location.

5. (canceled)

10. (canceled)

13. A method for communicating an IEEE 802.11 data packet from a wireless communication device to an entity in a restricted network segment of a central site, comprising:
- storing, at the termination device, a wireless communication device database (WCDD) comprising;
  
  a list of wireless communication devices associated with the termination device indexed by respective MAC addresses of each wireless communication device, respective addresses of each wireless communication device, a WLAN which each wireless communication device is associated with, a mapping table of WLANs-to-VLANs, and a mapping table of WLANs-to-tunnels;
  
  receiving, at a termination device, an IEEE 802.11 data packet from a wireless communication device via an access point; and
  
  determining, at the termination device based on the IEEE 802.11 data packet, whether the wireless communication device is associated with one of;
  
  an authorized access WLAN and an unauthorized access WLAN.
- View Dependent Claims (15, 16, 17, 18)
- - 15. A method according to claim 13, wherein the step of determining, at the termination device based on the IEEE 802.11 data packet, whether the wireless communication device is associated with one of:
    - an authorized access WLAN and an unauthorized access WLAN, comprises;
      
      determining the source MAC address of the IEEE 802.11 data packet; and
      
      determining, at the termination device based on the source MAC address of the IEEE 802.11 data packet and information stored in the WCDD, whether a WLAN that the wireless communication device is associated with is an authorized access WLAN that is mapped to a tunnel.
  - 16. A method according to claim 15, when the termination device determines that the WLAN that the wireless communication device is associated with is an authorized access WLAN that is mapped to a tunnel, further comprising:
    - removing, at the termination device, a layer 2 (L2) header from the IEEE 802.11 data packet to generate a layer 3 data packet;
      
      encapsulating, at the termination device, the layer 3 (L3) data packet with a GRE header and an outer IP header to generate a GRE-over-IP packet; and
      
      tunneling, from the termination device, the GRE-over-IP packet over the open network via the GRE tunnel to the termination device.
  - 17. A method according to claim 16, further comprising:
    - decapsulating, at the termination device, the GRE-over-IP packet by removing the outer IP header and the GRE header to generate the layer 3 (L3) data packet; and
      
      transmitting, from the termination device, the layer 3 (L3) data packet to an entity in the restricted network segment located at the central site.
  - 18. A method according to claim 13, when the termination device determines that the WLAN that the wireless communication device is associated with is an unauthorized access WLAN, further comprising:
    - transmitting, from the termination device, the IEEE 802.11 data packet to a destination on the open network.

14. (canceled)

19. A method for communicating a Layer 3 data packet from an entity in a restricted network segment of a central site to an authorized wireless communication device, the method comprising:
- receiving, at a termination device, the Layer 3 data packet from an entity in the restricted network segment;
  
  removing, at the termination device, a layer 2 (L2) header from the Layer 3 data packet;
  
  encapsulating, at the termination device, the Layer 3 data packet with a GRE header and an outer IP header to generate a GRE-over-IP packet; and
  
  transmitting, from the termination device, the GRE-over-IP packet over the open network via a GRE tunnel to another termination device.
- View Dependent Claims (20, 21, 22, 23)
- - 20. A method according to claim 19, further comprising:
    - receiving, at the termination device, the GRE-over-IP packet; and
      
      decapsulating, at the termination device, the GRE-over-IP packet by removing the outer IP header and the GRE header to generate an inner data packet.
  - 21. A method according to claim 20, further comprising:
    - storing, at the termination device, a wireless communication device database (WCDD) comprising;
      
      a list of wireless communication devices associated with the termination device indexed by respective MAC addresses of each wireless communication device, respective addresses of each wireless communication device, a WLAN which each wireless communication device is associated with, a mapping table of WLANs-to-VLANs, and a mapping table of WLANs-to-tunnels.
  - 22. A method according to claim 21, further comprising:
    - determining, at the termination device, whether the inner data packet is destined for a wireless communication device associated with an authorized access WLAN that is mapped to a tunnel based on a destination address of the inner data packet and information stored in the WCDD.
  - 23. A method according to claim 22, when the inner data packet is destined for a wireless communication device associated with an authorized access WLAN that is mapped to a tunnel.encapsulating the inner data packet into an IEEE 802.11 data frame having a MAC address associated with the destination wireless communication device;
    - andtransmitting the IEEE 802.11 data frame over-the-air (OTA) to the destination wireless communication device.

24. An enterprise network, comprising:
- a central site comprising;
  
  a first termination device in communication with a restricted network segment including at least one server; and
  
  a network;
  
  a remote site, communicatively coupled to the central site over the network, the remote site comprising;
  
  an infrastructure device comprising;
  
  a second termination device which communicates with the first termination device over the network;
  
  an authorized access wireless local area network (WLAN) designed to allow communications with the central site via the second termination device over a Generic Routing Encapsultation (GRE) tunnel coupling the first termination device to the second termination device; and
  
  an unauthorized access WLAN designed to allow communications with the network via the second termination device, and, when the first termination device receives a Layer 3 data packet from a server in the restricted network segment, wherein the first termination device is designed to;
  
  remove a layer 2 header from the Layer 3 data packet;
  
  encapsulate the Layer 3 data packet with a GRE header to generate a GRE-over-IP packet; and
  
  transmit the GRE-over-IP packet via the GRE tunnel to the second termination device.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. An enterprise network according to claim 24, wherein the GRE tunnel comprises a first tunnel endpoint which terminates at the second termination device and a second tunnel end point which terminates at the first termination device.
  - 26. An enterprise network according to claim 24, wherein the authorized access WLAN is mapped to the GRE tunnel.
  - 27. An enterprise network according to claim 24, further comprising:
    - at least one authorized wireless communication device, wherein the authorized access wireless local area network (WLAN) is designed to allow the authorized wireless communication device to communicate with the central site via the second termination device over the GRE tunnel coupling the first termination device to the second termination device; and
      
      at least one unauthorized wireless communication device, wherein the unauthorized access WLAN at the remote site is designed to allow the unauthorized wireless communication device to communicate with the network via the second termination device.
  - 28. An enterprise network according to claim 24, when the second termination device receives an IEEE 802.11 data packet from a wireless communication device, wherein the second termination device is designed to:
    - determine whether the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, and when the IEEE 802.11 data packet is from a wireless communication device associated with the authorized access WLAN, wherein the second termination device is further designed to;
      
      remove a Layer 2 header from the IEEE 802.11 data packet;
      
      encapsulate the Layer 3 data packet with a GRE header to generate a GRE-over-IP packet; and
      
      transmit the GRE-over-IP packet over the open network via the GRE tunnel to the first termination device.
  - 29. An enterprise network according to claim 28, when the first termination device receives the GRE-over-IP packet, wherein the first termination device is designed to:
    - decapsulate the GRE-over-IP packet by removing the GRE header to generate a layer 3 data packet; and
      
      transmit the layer 3 data packet to a destination address of a server in the restricted network segment.
  - 30. An enterprise network according to claim 24, when the second termination device receives the GRE-over-IP packet, wherein the second termination device is designed to:
    - decapsulate the GRE-over-IP packet by removing an outer IP header and the GRE header to generate a Layer 3 data packet; and
      
      determine whether the Layer 3 data packet is destined for a wireless communication device associated with the authorized access WLAN.
  - 31. An enterprise network according to claim 30, when the second termination device determines that the Layer 3 data packet is destined for a wireless communication device associated with the authorized access WLAN, wherein the second termination device is further designed to:
    - encapsulate the Layer 3 data packet into an IEEE 802.11 data frame having a MAC address associated with the destination wireless communication device; and
      
      transmit the IEEE 802.11 data frame over-the-air (OTA) to the destination wireless communication device.
  - 32. An enterprise network according to claim 24, wherein the second termination device comprises a wireless switch with GRE-over-IP tunneling capability, and wherein the first termination device comprises an IP router with GRE-over-IP tunneling capability.
  - 33. An enterprise network according to claim 24, wherein the central site is physically located at a first location, and wherein the remote site is physically located at a second location different than the first location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Symbol Technologies, Inc. (Zebra Technologies Corporation)
Inventors
Nagarajan, Ramakrishnan, Borkar, Udayan

Granted Patent

US 7,961,725 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/254
CPC Class Codes

H04L 12/4666   Operational details on the ...

H04L 45/00   Routing or path finding of ...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04W 12/03   Protecting confidentiality,...

H04W 12/084   using delegated authorisati...

H04W 84/12   WLAN [Wireless Local Area N...

ENTERPRISE NETWORK ARCHITECTURE FOR IMPLEMENTING A VIRTUAL PRIVATE NETWORK FOR WIRELESS USERS BY MAPPING WIRELESS LANs TO IP TUNNELS

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

ENTERPRISE NETWORK ARCHITECTURE FOR IMPLEMENTING A VIRTUAL PRIVATE NETWORK FOR WIRELESS USERS BY MAPPING WIRELESS LANs TO IP TUNNELS

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links