Port isolation for restricting traffic flow on layer 2 switches
First Claim
1. A method comprising:
configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Abstract
This invention provides for an apparatus and method to isolate ports on layer 2 switches on the same VLAN in order to restrict traffic flow. The apparatus comprises a switch having a plurality of ports, each port configured as a protected port or a non-protected port. An address table memory stores an address table of destination address and port number pairs. A forwarding map generator generates a forwarding map in response to the destination address of a data packet. The method for isolating ports on a layer 2 switch comprises configuring each of the ports on the layer 2 switch as a protected port or a non-protected port. A destination address on a data packet is matched with a physical address on the layer 2 switch, and a forwarding map is generated for the data packet based upon the destination address on the data packet. The data packet is then sent to the plurality of ports pursuant to the forwarding map, which is generated based upon whether the ingress port was configured as a protected or non-protected port.
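The abstract's mechanism, as an added illustrative model that is not part of the patent: the forwarding map is a port bitmask derived from the address-table lookup, and a global mask then clears every protected port's bit whenever the ingress port is itself protected. Port numbering, the bitmask encoding, the MAC addresses and the choice to also clear the ingress port are all assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class L2Switch:
    """Model of one VLAN on a layer 2 switch with protected/non-protected ports."""
    num_ports: int
    protected: set = field(default_factory=set)        # ports configured as protected
    address_table: dict = field(default_factory=dict)  # destination MAC -> port number

    def port_mask(self, ports):
        """Encode a collection of port numbers as a bitmask (bit i == port i)."""
        mask = 0
        for p in ports:
            mask |= 1 << p
        return mask

    def global_mask(self, ingress):
        """Mask applied to every forwarding map. The ingress port is always
        cleared (standard L2 behaviour, assumed here); when the ingress port is
        protected, every other protected port is cleared as well."""
        allowed = set(range(self.num_ports)) - {ingress}
        if ingress in self.protected:
            allowed -= self.protected
        return self.port_mask(allowed)

    def forwarding_map(self, ingress, dst_mac):
        """Match the destination address against the address table: a known
        address maps to its single port, an unknown one floods the VLAN.
        The global mask then edits the map before it is used."""
        if dst_mac in self.address_table:
            base = self.port_mask([self.address_table[dst_mac]])
        else:
            base = self.port_mask(range(self.num_ports))
        return base & self.global_mask(ingress)

    def egress_ports(self, ingress, dst_mac):
        """Port numbers the packet is actually sent to."""
        m = self.forwarding_map(ingress, dst_mac)
        return [p for p in range(self.num_ports) if m >> p & 1]

def sample_switch():
    """Constructed sample: 8-port VLAN, ports 1-3 are isolated hosts (protected),
    port 7 is the uplink/gateway (non-protected). MACs are made up."""
    sw = L2Switch(num_ports=8, protected={1, 2, 3})
    sw.address_table = {"02:00:00:00:00:01": 1, "02:00:00:00:00:02": 2,
                        "02:00:00:00:00:07": 7}
    return sw
```

Note that flooding of an unknown destination from a protected port still reaches the non-protected ports only, so isolation holds for unknown-unicast and broadcast traffic as well as for learned addresses.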
41 Claims
1. A method comprising:
configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 2, 3, 4, 5, 41
6. A program storage device readable by an apparatus and including a program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to:
configure a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 7, 8, 9, 10
11. An apparatus comprising:
means for configuring a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
means for generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
means for matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein means for generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises means for editing a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 12, 13, 14, 15
16. An apparatus comprising:
a port configurer to configure a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected; and
a forwarding map generator configured to generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports;
wherein said apparatus is further configured to match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port, and
wherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, the forwarding map generator is configured to edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 17, 18, 19, 20
21. A method comprising:
maintaining a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises editing, by a global mask on the layer 2 switch, a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 22, 23, 24, 25
26. A program storage device readable by an apparatus and including a program of instructions encoded thereon that, when performed by the apparatus, causes the apparatus to:
maintain a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 27, 28, 29, 30
31. An apparatus comprising:
means for maintaining a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected;
means for generating a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports; and
means for matching a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port;
wherein means for generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports comprises means for editing a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 32, 33, 34, 35
36. An apparatus comprising:
a state maintenance module configured to maintain a state for a plurality of ports sharing a single virtual local area network (VLAN) on a layer 2 switch as protected or non-protected; and
a forwarding map generator configured to generate a forwarding map for a data packet allowing said data packet to be forwarded from a protected port to a non-protected port while preventing said data packet from being forwarded to another of said protected ports;
wherein said apparatus is further configured to match a destination address on said data packet with a physical address on said layer 2 switch, said data packet received by an ingress port, and
wherein when generating the forwarding map for the data packet allowing said data packet to be forwarded from the protected port to the non-protected port while preventing said data packet from being forwarded to another of said protected ports, the forwarding map generator is configured to edit a forwarding feature of the data packet by modifying port numbers on the forwarding map such that when the ingress port is configured as protected port, the global mask modifies the forwarding map so that the data packet will not be forwarded to ports configured as protected on the layer 2 switch.
Dependent claims: 37, 38, 39, 40