Remote client remediation

US 7,792,990 B2
Filed: 04/30/2007
Issued: 09/07/2010
Est. Priority Date: 04/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method for remote client remediation, comprising:

identifying, by a local network device, a client connected to the local network device and associated with an original VLAN and needing remediation;

creating at the local network device an entry in a lookup table, said entry including a MAC address of the client, a flag indicating a remediation status of the client, information of the original VLAN, and a tunnel-encapsulation IP address of a remote switch connected to a remote remediation functionality;

receiving at the local network device packets from the client during remediation;

performing a lookup in the lookup table using information in the packets;

if the information in the packets matches with the entry in the lookup table, determining whether the flag in the entry indicates the client needs remediation;

if the flag in the entry indicates the client needs remediation, tunnel-encapsulating the packets; and

forwarding the tunnel-encapsulated packets to the remote remediation functionality different from an original destination address of the packets and having membership in a remediation VLAN different from the original VLAN.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention may include network devices, systems, and methods, including executable instructions and/or logic, for remote client remediation. One method includes identifying a client needing remediation, tunnel-encapsulating packets originating from the client during remediation, and forwarding the tunnel-encapsulated packets to a remote remediation functionality different from an original destination address of the packets and having membership in a remediation VLAN different from the original VLAN.

Citations

20 Claims

1. A method for remote client remediation, comprising:
- identifying, by a local network device, a client connected to the local network device and associated with an original VLAN and needing remediation;
  
  creating at the local network device an entry in a lookup table, said entry including a MAC address of the client, a flag indicating a remediation status of the client, information of the original VLAN, and a tunnel-encapsulation IP address of a remote switch connected to a remote remediation functionality;
  
  receiving at the local network device packets from the client during remediation;
  
  performing a lookup in the lookup table using information in the packets;
  
  if the information in the packets matches with the entry in the lookup table, determining whether the flag in the entry indicates the client needs remediation;
  
  if the flag in the entry indicates the client needs remediation, tunnel-encapsulating the packets; and
  
  forwarding the tunnel-encapsulated packets to the remote remediation functionality different from an original destination address of the packets and having membership in a remediation VLAN different from the original VLAN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method recited in claim 1, wherein the method includes isolating the client during remediation to communication with a subset of its post-remediation network access.
  - 3. The method recited in claim 2, wherein the subset is limited to the remediation VLAN.
  - 4. The method recited in claim 1, wherein the method includes removing original VLAN information from packets before forwarding to the remediation VLAN.
  - 5. The method recited in claim 1, wherein all packets originating from the client during remediation are tunnel-encapsulated.
  - 6. The method recited in claim 5, wherein the method includes restoring original VLAN information to packets before forwarding to the client.
  - 7. The method recited in claim 6, wherein the method includes determining original VLAN information for each packet from the lookup table corresponding to a destination MAC address of the client as a key.
  - 8. The method recited in claim 1, wherein the client needing remediation is identified using the lookup table keyed to the MAC address of the client.
  - 9. The method recited in claim 1, wherein the method includes dropping a packet not addressed to the remediation functionality.
  - 10. The method recited in claim 1, wherein the method includes learning from a packet received from a remediation tunnel that the client is located during remediation at the other end of the remediation tunnel.

11. A network, comprising:
- a first network device;
  
  a client associated with an original VLAN and connected to the first network device;
  
  a second network device; and
  
  a virtual remediation tunnel having a first destination associated with the first network device, and a second destination associated with the second network device;
  
  wherein the first network device has logic to;
  
  identify the client needing remediation;
  
  create an entry in a lookup table, wherein said entry includes a MAC address of the client, a flag indicating a remediation status of the client, information of the original VLAN, and a tunnel-encapsulation IP address of the second network device;
  
  receive packets from the client during remediation;
  
  perform a lookup in the lookup table using information in the packets;
  
  if the information in the packets matches with the entry in the lookup table, determine whether the flag in the entry indicates the client needs remediation;
  
  if the flag in the entry indicates the client needs remediation, force the packets through the virtual remediation tunnel to a remediation VLAN associated with the second network device.
- View Dependent Claims (12, 13, 14)
- - 12. The network of claim 11, wherein the method includes a remote remediation functionality associated with the remediation VLAN.
  - 13. The network of claim 12, wherein the second network device has logic to drop packets forced to the remediation VLAN not addressed to the remote remediation functionality.
  - 14. The network of claim 11, wherein all packets originating from the client during remediation are forced to the remediation VLAN.

15. A network device, comprising:
- a network chip including a number of network ports for receiving and transmitting packets therefrom, and logic to;
  
  identify a client, associated with a first VLAN, needing remediation;
  
  create an entry in a lookup table, said entry including a MAC address of the client, a flag indicating a remediation status of the client, information of the first VLAN, and a tunnel-encapsulation IP address of a remote switch connected to a remote remediation VLAN;
  
  receive packets from the client during remediation;
  
  perform a lookup in the lookup table using information in the packets;
  
  if the information in the packets matches with the entry in the lookup table, determine whether the flag in the entry indicates the client needs remediation;
  
  if the flag in the entry indicates the client needs remediation, tunnel-encapsulate the packets;
  
  force the tunnel-encapsulated packets into a bridging tunnel having a destination end associated with the remote remediation VLAN during remediation; and
  
  wherein the first VLAN is different from the remote remediation VLAN.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network device of claim 15, wherein performing the lookup in the lookup table using the information in the packets includes using a MAC address of the client as a lookup key.
  - 17. The network device of claim 15, wherein the remote remediation VLAN includes a remote remediation functionality having a destination address different from an original destination address of the packets.
  - 18. The network device of claim 15, wherein the network chip includes logic to remove first VLAN information from the packets before forcing the tunnel-encapsulated packets to the remediation VLAN.
  - 19. The network device of claim 15, wherein the network chip includes logic to:
    - determine a received packet is from a tunnel associated with the remediation VLAN;
      
      decapsulate the received packet; and
      
      assign first VLAN information to the packet before forwarding to the client.
  - 20. The network device of claim 15, wherein the bridging tunnel is a secure bridging tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Albrecht, Alan R., Gooch, Mark, LaVigne, Bruce E., Jorgensen, Steven G., Sanchez, Mauricio
Primary Examiner(s)
Nguyen; Dustin
Assistant Examiner(s)
Mesa; Joel

Application Number

US11/796,973
Publication Number

US 20080270606A1
Time in Patent Office

1,226 Days
Field of Search

726/25, 726/22, 370/401, 370/218, 370/389, 370/338, 370/392, 370/255, 709/245, 709/238
US Class Current

709/238
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/029   Firewall traversal, e.g. tu...

Remote client remediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote client remediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links