Enterprise network architecture for implementing a virtual private network for wireless users by mapping wireless LANs to IP tunnels

US 7,961,725 B2
Filed: 07/31/2007
Issued: 06/14/2011
Est. Priority Date: 07/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method for communicating a data packet from a wireless communication device to an entity in a restricted network segment of a central site in an enterprise network, comprising:

storing, at a wireless switch that is coupled to a plurality of access ports and being located at a remote site in the enterprise network, a wireless communication device database (WCDD) comprising;

a list of wireless communication devices associated with the wireless switch indexed by respective MAC addresses of each wireless communication device, respective addresses of each wireless communication device, a WLAN which each wireless communication device is associated with, a mapping table of WLANs-to-VLANs, and a mapping table of WLANs-to-tunnels;

receiving, at the wireless switch, the data packet from a wireless communication device via an access port coupled to the wireless switch;

determining, at the wireless switch based on the data packet, whether the wireless communication device is associated with one of;

an unauthorized access WLAN; and

an authorized access WLAN that is mapped to a Generic Routing Encapsulation (GRE) tunnel implemented over the IP network and that is designed to allow communications with an IP router at the central site via the wireless switch over the GRE tunnel, wherein the GRE tunnel extends an IP subnet from the central site to the authorized access WLAN.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enterprise network is provided which includes a central site, a network and a remote site communicatively coupled to the central site over the network. The central site includes a first termination device in communication with a restricted network segment including at least one server. The remote site includes an infrastructure device, an authorized access wireless local area network (WLAN), and an unauthorized access WLAN. The infrastructure device comprises a second termination device which communicates with the first termination device over the network. The authorized access WLAN allow communications with the central site via the second termination device over a tunnel coupling the first termination device to the second termination device, whereas the unauthorized access WLAN allows communications with the network via the second termination device.

Citations

8 Claims

1. A method for communicating a data packet from a wireless communication device to an entity in a restricted network segment of a central site in an enterprise network, comprising:
- storing, at a wireless switch that is coupled to a plurality of access ports and being located at a remote site in the enterprise network, a wireless communication device database (WCDD) comprising;
  
  a list of wireless communication devices associated with the wireless switch indexed by respective MAC addresses of each wireless communication device, respective addresses of each wireless communication device, a WLAN which each wireless communication device is associated with, a mapping table of WLANs-to-VLANs, and a mapping table of WLANs-to-tunnels;
  
  receiving, at the wireless switch, the data packet from a wireless communication device via an access port coupled to the wireless switch;
  
  determining, at the wireless switch based on the data packet, whether the wireless communication device is associated with one of;
  
  an unauthorized access WLAN; and
  
  an authorized access WLAN that is mapped to a Generic Routing Encapsulation (GRE) tunnel implemented over the IP network and that is designed to allow communications with an IP router at the central site via the wireless switch over the GRE tunnel, wherein the GRE tunnel extends an IP subnet from the central site to the authorized access WLAN.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, wherein the step of determining, at the wireless switch based on the data packet, whether the wireless communication device is associated with one of:
    - an authorized access WLAN and an unauthorized access WLAN, comprises;
      
      determining the source MAC address of the data packet; and
      
      determining, at the wireless switch based on the source MAC address of the data packet and information stored in the WCDD, whether a WLAN that the wireless communication device is associated with is an authorized access WLAN that is mapped to a Generic Routing Encapsulation (GRE) tunnel.
  - 3. A method according to claim 2, when the wireless switch determines that the WLAN that the wireless communication device is associated with is an authorized access WLAN that is mapped to a Generic Routing Encapsulation (GRE) tunnel, further comprising:
    - removing, at the wireless switch, a layer 2 (L2) header from the data packet to generate a layer 3 data packet;
      
      encapsulating, at the wireless switch, the layer 3 (L3) data packet with a GRE header and an outer IP header to generate a GRE-over-IP packet; and
      
      tunneling, from the wireless switch, the GRE-over-IP packet over the open network via the GRE tunnel to the IP router.
  - 4. A method according to claim 3, further comprising:
    - decapsulating, at the IP router, the GRE-over-IP packet by removing the outer IP header and the GRE header to generate the layer 3 (L3) data packet; and
      
      transmitting, from the IP router, the layer 3 (L3) data packet to an entity in the restricted network segment located at the central site.
  - 5. A method according to claim 1, when the wireless switch determines that the WLAN that the wireless communication device is associated with is an unauthorized access WLAN, further comprising:
    - transmitting, from the wireless switch, via an access port coupled to the wireless switch, the data packet to a destination on an IP network.

6. A method for communicating a Layer 3 data packet from an entity in a restricted network segment of a central site in an enterprise network to an authorized wireless communication device at a remote site in the enterprise network, the method comprising:
- receiving, at an IP router, the Layer 3 data packet from an entity in the restricted network segment;
  
  removing, at the IP router, a layer 2 (L2) header from the Layer 3 data packet;
  
  encapsulating, at the IP router, the Layer 3 data packet with a GRE header and an outer IP header to generate a GRE-over-IP packet;
  
  transmitting, from the IP router, the GRE-over-IP packet over a Generic Routing Encapsulation (GRE) tunnel that couples the IP router to a wireless switch having an access port coupled thereto;
  
  receiving, at the wireless switch, the GRE-over-IP packet; and
  
  decapsulating, at the wireless switch, the GRE-over-IP packet by removing the outer IP header and the GRE header to generate an inner data packet; and
  
  storing, at the wireless switch, a wireless communication device database (WCDD) comprising;
  
  a list of wireless communication devices associated with the wireless switch indexed by respective MAC addresses of each wireless communication device, respective addresses of each wireless communication device, a WLAN which each wireless communication device is associated with, a mapping table of WLANs-to-VLANs, and a mapping table of WLANs-to-tunnels.
- View Dependent Claims (7, 8)
- - 7. A method according to claim 6, further comprising:
    - determining, at the wireless switch, whether the inner data packet is destined for a wireless communication device associated with an authorized access WLAN that is mapped to a tunnel based on a destination address of the inner data packet and information stored in the WCDD.
  - 8. A method according to claim 7, further comprising:
    - when the inner data packet is destined for a wireless communication device associated with an authorized access WLAN that is mapped to a tunnel,encapsulating the inner data packet into a data frame having a MAC address associated with the destination wireless communication device; and
      
      transmitting the data frame over-the-air (OTA) to the destination wireless communication device via an access port coupled to the wireless switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Symbol Technologies, Inc. (Zebra Technologies Corporation)
Inventors
Nagarajan, Ramakrishnan, Borkar, Udayan
Primary Examiner(s)
Ryman; Daniel J
Assistant Examiner(s)
Patel; Jay P

Application Number

US11/831,315
Publication Number

US 20090034431A1
Time in Patent Office

1,414 Days
Field of Search

370/382, 370/389, 370/230, 370/231, 370/401, 370/328
US Class Current

370/389
CPC Class Codes

H04L 12/4666   Operational details on the ...

H04L 45/00   Routing or path finding of ...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04W 12/03   Protecting confidentiality,...

H04W 12/084   using delegated authorisati...

H04W 84/12   WLAN [Wireless Local Area N...

Enterprise network architecture for implementing a virtual private network for wireless users by mapping wireless LANs to IP tunnels

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise network architecture for implementing a virtual private network for wireless users by mapping wireless LANs to IP tunnels

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links