Port isolation for restricting traffic flow on layer 2 switches

US 7,881,296 B2
Filed: 07/26/2006
Issued: 02/01/2011
Est. Priority Date: 12/20/2000
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;

generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and

matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;

wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides for an apparatus and method to isolate ports on layer 2 switches on the same VLAN to restrict traffic flow. The apparatus comprises a switch having said plurality of ports, each port configured as a protected port or a non-protected port. An address table memory stores an address table having a destination address and port number pair. A forwarding map generator generates a forwarding map which is responsive to a destination address of a data packet. The method for isolating ports on a layer 2 switch comprises configuring each of the ports on the layer 2 switch as a protected port or a non-protected port. A destination address on an data packet is matched with a physical address on said layer 2 switch and a forwarding map is generated for the data packet based upon the destination address on the data packet. The data packet is then sent to the plurality of ports pursuant to the forwarding map generated based upon whether the ingress port was configured as a protected or nonprotected port.

Citations

41 Claims

1. A method comprising:
- configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (2, 3, 4, 5, 41)
- - 2. The method of claim 1, further comprising sending said data packet to said plurality of ports pursuant to said forwarding map.
  - 3. The method of claim 1 wherein said generating step further comprises sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 4. The method of claim 1 wherein said generating step further comprises sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 5. The method of claim 1 wherein said generating step further comprises allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.
  - 41. The method of claim 1, wherein:
    - generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded from the protected port to another of said protected ports; and
      
      editing, by the global mask on the layer 2 switch, the forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch comprises editing, by the global mask on the layer 2 switch, the forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as a first protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to another port on the layer 2 switch configured as a second protected port to prevent traffic generated on the first protected port from being detected by the second protected port.

6. A program storage device readable by an apparatus and including a program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to:
- configure a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, edit forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The program storage device of claim 6 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to said plurality of ports pursuant to said forwarding map.
  - 8. The program storage device of claim 6 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 9. The program storage device of claim 6 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 10. The program storage device of claim 6 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

11. An apparatus comprising:
- means for configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  means for generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  means for matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  wherein means for generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises means for editing a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, further comprising means for sending said data packet to said plurality of ports pursuant to said forwarding map.
  - 13. The apparatus of claim 11 wherein said means for generating further comprises means for sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 14. The apparatus of claim 11 wherein said means for generating further comprises means for sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 15. The apparatus of claim 11 wherein said means for generating further comprises means for allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

16. An apparatus comprising:
- a port configurer to configure a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected; and
  
  a forwarding map generator configured to generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports;
  
  wherein said apparatus is further configured to match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port, andwherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, the forwarding map generator is configured to edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16 wherein said apparatus is further configured to send said data packet to said plurality of ports pursuant to said forwarding map.
  - 18. The apparatus of claim 16 wherein said forwarding map generator is further configured to send said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 19. The apparatus of claim 16 wherein said forwarding map generator is further configured to send said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 20. The apparatus of claim 16 wherein said forwarding map generator is further configured to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

21. A method comprising:
- maintaining a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, further comprising sending said data packet to said plurality of ports pursuant to said forwarding map.
  - 23. The method of claim 21 wherein said generating step further comprises sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 24. The method of claim 21 wherein said generating step further comprises sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 25. The method of claim 21 wherein said generating step further comprises allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

26. A program storage device readable by an apparatus and including a program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to:
- maintain a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  wherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The program storage device of claim 26 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to said plurality of ports pursuant to said forwarding map.
  - 28. The program storage device of claim 26 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 29. The program storage device of claim 26 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to send said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 30. The program storage device of claim 26 including the program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

31. An apparatus comprising:
- means for maintaining a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
  
  means for generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
  
  means for matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
  
  wherein means for generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises means for editing a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The apparatus of claim 31, further comprising means for sending said data packet to said plurality of ports pursuant to said forwarding map.
  - 33. The apparatus of claim 31 wherein said means for generating further comprises means for sending said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 34. The apparatus of claim 31 wherein said means for generating further comprises means for sending said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 35. The apparatus of claim 31 wherein said means for generating further comprises means for allowing said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

36. An apparatus comprising:
- a state maintenance module configured to maintain a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected; and
  
  a forwarding map generator configured to generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports;
  
  wherein said apparatus is further configured to match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port, andwherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, the forwarding map generator is configured to edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The apparatus of claim 36 wherein said apparatus is further configured to send said data packet to said plurality of ports pursuant to said forwarding map.
  - 38. The apparatus of claim 36 wherein said forwarding map generator is further configured to send said data packet to each of said non-protected ports if said destination address is not matched with said physical address and said ingress port is configured as protected.
  - 39. The apparatus of claim 36 wherein said forwarding map generator is further configured to send said data packet to all of said plurality of ports if said destination address is not matched with said physical address and said ingress port is configured as non-protected.
  - 40. The apparatus of claim 36 wherein said forwarding map generator is further configured to allow said data packet to be forwarded from one of said non-protected ports to another of said non-protected ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Joshi, Monica, Shuen, Pauline
Primary Examiner(s)
Ton; Dang T
Assistant Examiner(s)
Zhao; Wei

Application Number

US11/494,084
Publication Number

US 20060262798A1
Time in Patent Office

1,651 Days
Field of Search

370/256, 370/252, 370/255, 370/401, 370/422, 370/423, 370/452, 370/392, 709/245
US Class Current

370/392
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/467   Arrangements for supporting...

H04L 49/351   for local area network [LAN...

H04L 49/354   for supporting virtual loca...

Port isolation for restricting traffic flow on layer 2 switches

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Port isolation for restricting traffic flow on layer 2 switches

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links