Network including snooping

US 7,975,048 B2
Filed: 08/18/2009
Issued: 07/05/2011
Est. Priority Date: 04/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a computer network, comprising the following computer-implemented steps:

monitoring signal traffic through at least one switch connecting at least one edge device to a remainder of the computer network to determine, without changing the signal traffic, for each of the at least one edge device, a MAC address, an IP address, and a port of the switch to which it is connected;

providing to a first dynamic table within said at least one switch for each edge device, a MAC address, an IP address, and a port to which it is connected;

providing an authentication server which includes a second table of user names and their relevant passwords used by Network Login, in which the second table, which includes User and Password information, also includes for each user name and password the corresponding virtual local network (VLAN) and/or VLAN tag membership and/or the Quality of Service (QoS);

adding to the first dynamic table the user name, membership VLAN, VLAN tag and QoS information learnt from the authentication server in the second table.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network including:

- at least one switch connecting at least one edge device to the remainder of the network, said at least one switch including:
- snooping apparatus using DHCP to monitor the signal traffic through the switch to or from the each edge device to determine, without changing the traffic signals, for each edge device, the MAC address, the IP address, and the port of the switch to which it is connected, and
- a dynamic table within said switch of, for each edge device, the MAC address, the IP address, and the port which it is connected, the contents of the table being provided by said snooping apparatus.

23 Citations

View as Search Results

20 Claims

1. A method for controlling access to a computer network, comprising the following computer-implemented steps:
- monitoring signal traffic through at least one switch connecting at least one edge device to a remainder of the computer network to determine, without changing the signal traffic, for each of the at least one edge device, a MAC address, an IP address, and a port of the switch to which it is connected;
  
  providing to a first dynamic table within said at least one switch for each edge device, a MAC address, an IP address, and a port to which it is connected;
  
  providing an authentication server which includes a second table of user names and their relevant passwords used by Network Login, in which the second table, which includes User and Password information, also includes for each user name and password the corresponding virtual local network (VLAN) and/or VLAN tag membership and/or the Quality of Service (QoS);
  
  adding to the first dynamic table the user name, membership VLAN, VLAN tag and QoS information learnt from the authentication server in the second table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, in which the switch contains a Network Login (802.1x) protocol engine and/or a RADA (RADIUS Authenticated Destination MAC Address) based authentication protocol engine, said method further comprising, with said protocol engine, detecting a user name and adding said user name to the first dynamic table.
  - 3. The method of claim 1, further comprising operating the switch in level 2 and/or layer 3 of the Open Systems Interconnection (OSI) model.
  - 4. The method of claim 1, further comprising:
    - retaining entries in said first dynamic table for a predetermined period of time; and
      
      ,then, discarding entries that have remained in the first dynamic table for said predetermined period of time.
  - 5. The method of claim 1, in which the IP address is added to the first dynamic table by a Dynamic Host Configuration Protocol (DHCP) response process.
  - 6. The method of claim 5, in which the first dynamic table which includes MAC addresses and their corresponding IP addresses, for each MAC addresses and corresponding IP addresses includes the virtual local network (VLAN) membership and VLAN tag state, VLAN information being added to the dynamic table by a DHCP response process and applied to the port with required VLAN tagging.
  - 7. The method of claim 6, further comprising, with the switch, automatically interconnecting all ports that are also in the same VLAN.
  - 8. The method of claim 1, further comprising accessing information in the first dynamic table of the switch with a management apparatus that is controlling the network.
  - 9. The method of claim 8, further comprising, with the switch, informing the management apparatus as soon as a user is added to the first dynamic table and passing to the management apparatus data on connection time, the MAC and IP address and switch port information for that user.
  - 10. The method of claim 8, further comprising, with the management apparatus,determining IP address information associated with misuse of any network components;
    - andidentifying a user associated with that IP address information associated with the misuse of any network components.
  - 11. The method of claim 8, further comprising configuring entries in the first dynamic table with the management apparatus.
  - 12. The method of claim 1, with the switch,processing data packets being passed to the switch to determine a requested IP destination address of a destination of each packet;
    - comparing the requested destination IP address to the list of IP addresses in the first dynamic table; and
      
      discarding a packet if that packet'"'"'s requested destination IP address is not in the list of IP addresses in the first dynamic table.
  - 13. The method of claim 12, in which a data packet is only forwarded to its destination IP address if its MAC source address and, for an IP packet, its IP source address is contained in the first dynamic table.
  - 14. The method of claim 1, in which the edge device comprises a work station or a computer.
  - 15. The method of claim 14, in which the edge device runs Voice-over-Internet-Protocol (VoIP) Phone software and is automatically connected to a mixed voice data network.
  - 16. The method of claim 1, in which the edge device comprises an Voice-over-Internet-Protocol (VoIP) phone.
  - 17. The method of claim 1, in which the first dynamic table of the switch includes a list of allowed Dynamic Host Configuration Protocol (DHCP) servers, said method comprising, for any DHCP server response received by said switch, checking an IP address of a corresponding DHCP server against this list of allowed DHCP servers;
    - andand preventing access to the network from that IP address if that IP address is not associated with a valid DHCP server in said list of allowed DHCP servers.

18. A computer-implemented method for controlling access to a computer network, comprising:
- with a snooping apparatus at a network switch, monitoring signal traffic through that switch, where the switch connects at least one edge device to a remainder of the computer network to determine, without changing the signal traffic, for an edge device, a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port of the switch to which that edge device is connected;
  
  maintaining a first dynamic table within the switch that lists, for said edge device, a MAC address, an IP address, and a port to which the edge device is connected;
  
  accessing an authentication server which maintains a second table that lists user names and passwords for Network Login, in which the second table also includes, for each user name and password, a corresponding virtual local network (VLAN) membership, VLAN tag, or Quality of Service (QoS) information;
  
  adding to the first dynamic table in the switch the user name, VLAN membership, VLAN tag and QoS information learnt from the authentication server in the second table.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, in which the first dynamic table of the switch includes a list of allowed Dynamic Host Configuration Protocol (DHCP) servers, said method comprising, for any DHCP server response received by said switch, checking an IP address of a corresponding DHCP server against this list of allowed DHCP servers;
    - andand preventing access to the network from that IP address if that IP address is not associated with a valid DHCP server in said list of allowed DHCP servers.
  - 20. The method of claim 18, with the switch,processing data packets being passed to the switch to determine a requested IP destination address of a destination of each packet;
    - comparing the requested destination IP address to the list of IP addresses in the first dynamic table; and
      
      discarding a packet if that packet'"'"'s requested destination IP address is not in the list of IP addresses in the first dynamic table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Company (HP Inc.)
Inventors
Saunderson, Peter, Smith, John P.
Primary Examiner(s)
LIN, WEN TAI

Application Number

US12/543,069
Publication Number

US 20090300178A1
Time in Patent Office

686 Days
Field of Search

None
US Class Current

709/224
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0213   Standardised network manage...

H04L 41/08   Configuration management of...

H04L 41/5022   by giving priorities, e.g. ...

H04L 41/5087   wherein the managed service...

H04L 49/354   for supporting virtual loca...

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

Network including snooping

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network including snooping

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links