SYSTEM AND METHOD FOR RESTRICTING NETWORK ACCESS USING FORWARDING DATABASES
First Claim
1. A method comprising:
- receiving a data unit including layer 2 client-identification data;
- determining whether the data unit includes layer 3 address data;
- if the data unit does not include any layer 3 address data;
  - determining whether the layer 2 client-identification data has been recorded;
  - if the layer 2 client-identification data has not been recorded;
    - recording the layer 2 client-identification data;
    - enabling a layer 3 address assignment status restriction attribute;
- if the layer 2 client-identification data has been recorded, unless the address assignment status restriction attribute is enabled, forwarding the data unit.
Abstract
This specification describes a system that can offer, among other advantages, dynamically allowing or rejecting non-DHCP packets entering a switch. A forwarding database (FDB) is commonly used by a bridge or switch to store an incoming packet's source MAC address together with its ingress port number; later, when the destination MAC address of another incoming packet matches an entry in the FDB, that packet is forwarded to the associated port. Using the techniques described herein, not only is this completely transparent to the user, but the techniques can also increase switch performance by blocking unwanted traffic at an earlier stage of the forwarding process, freeing up processing units at later stages such as the switch fabric or the packet processing stages.
20 Claims
7. A system comprising:
- a switching device capable of performing layer 2 functions;
- a memory coupled to the switching device, the memory having a forwarding database including an entry having an associated layer 2 address and a layer 3 address assignment status restriction attribute;
- a processor, coupled to the memory and the switching device, for executing memory access and packet forwarding functions wherein, in operation, when the processor enables the layer 3 address assignment status restriction attribute, data units that include the associated layer 2 address, other than data units having layer 3 address assignment data, are not forwarded by the switching device.
8. The system of claim 8, further comprising:
- a plurality of wireless access points coupled to the switching device.
16. A system comprising:
- a switching device capable of performing layer 2 functions;
- a memory coupled to the switching device, the memory having a forwarding database including an entry wherein said entry has an associated layer 2 address and a layer 3 address assignment status restriction attribute;
- an address restriction engine, coupled to the memory and the switching device, for executing packet forwarding and data traffic filtering functions, said engine having:
  - an address status restriction module having control logic for manipulating said layer 3 address assignment status restriction attribute,
  - a packet forwarding module having logic for monitoring data traffic and for notifying the address status restriction module that it has received data with layer 3 address assignment data;
- wherein the address status restriction module determines whether to disable the layer 3 address assignment status restriction attribute based on data it receives from the packet forwarding module.
17. The system of claim 17, wherein the layer 2 address is a MAC address.
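The gating logic of claims 1, 7 and 16, as an added Python model that is not the patent's own code: it assumes a flag-based frame representation, treats any DHCP frame addressed to a recorded client as completing address assignment (the notification of claim 16), and exempts entries learned on trusted, server-facing ports from the restriction.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class FdbEntry:
    port: int
    restricted: bool = True  # the layer 3 address assignment status restriction attribute


@dataclass
class Frame:
    src_mac: str           # layer 2 client-identification data
    dst_mac: str
    ingress_port: int
    is_dhcp: bool = False  # carries layer 3 address assignment (DHCP) data?


class RestrictingSwitch:
    """FDB-based gate: a newly learned MAC may only send DHCP until an address
    assignment completes. Trusted ports (assumed: uplinks to the DHCP server)
    are never restricted; this is a modelling choice, not from the patent."""

    def __init__(self, trusted_ports: Set[int] = frozenset()) -> None:
        self.fdb: Dict[str, FdbEntry] = {}
        self.trusted_ports = set(trusted_ports)

    def learn(self, mac: str, port: int) -> FdbEntry:
        # Record the layer 2 client-identification data; enable the restriction
        # unless the client was learned on a trusted port.
        restricted = port not in self.trusted_ports
        return self.fdb.setdefault(mac, FdbEntry(port=port, restricted=restricted))

    def process(self, frame: Frame) -> str:
        """Return 'forward', 'flood' or 'drop' for one data unit."""
        entry = self.fdb.get(frame.src_mac) or self.learn(frame.src_mac, frame.ingress_port)
        if frame.is_dhcp:
            # Address assignment traffic always passes. A DHCP frame addressed to a
            # recorded client is taken as the completed assignment, so the address
            # status restriction module disables that client's restriction.
            target = self.fdb.get(frame.dst_mac)
            if target is not None:
                target.restricted = False
            return self._deliver(frame.dst_mac)
        if entry.restricted:
            return "drop"  # blocked before the switch fabric sees it
        return self._deliver(frame.dst_mac)

    def _deliver(self, dst_mac: str) -> str:
        return "forward" if dst_mac in self.fdb else "flood"
```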