Network control apparatus and method with port security controls
Abstract
Port security in some embodiments is a technique applied to a particular logical port of a logical switching element such that the network data entering and exiting the logical switching element through that logical port carry only certain addresses to which the switching element has restricted the logical port. For instance, a logical switching element may restrict a particular logical port to one or more specific network addresses. To enable port security on a logical port of a logical switch, the control application of some embodiments receives user inputs that designate a particular logical port and the logical switch to which that logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify the port security functions.
Claims (19)
1. A method for controlling a logical switching element comprising one or more logical ports, the logical switching element implemented by a set of managed switching elements that forward data packets in a network, the method comprising:
determining a set of network addresses for a logical port of the logical switching element;
identifying a physical port of a particular managed switching element of the set of managed switching elements that corresponds to the logical port, wherein different logical ports of the logical switching element correspond to physical ports of different managed switching elements; and
configuring the particular managed switching element to drop data packets entering or exiting the physical port of the particular managed switching element when the data packets do not include a network address in the set of network addresses for the logical port.
(Dependent claims 2 through 10 are not reproduced here.)
11. A method of implementing a logical switching element on a set of managed switching elements, the method comprising:
providing a first set of tables for storing a set of network addresses corresponding to logical ports of the logical switching element;
providing a second set of tables for storing mappings between the logical ports of the logical switching element and physical ports of the set of managed switching elements, wherein different logical ports of the logical switching element correspond to different physical ports on different managed switching elements;
for a particular logical port, mapping the set of network addresses for the particular logical port to the particular physical port that corresponds to the particular logical port by performing a set of database join operations on the first and second sets of tables; and
distributing data instructions to the managed switching element on which the particular physical port is located to drop data packets entering or exiting the particular physical port of the managed switching element when the data packets do not include a network address in the set of network addresses for the corresponding logical port.
(Dependent claims 12 through 14 are not reproduced here.)
15. A managed switching element of a set of managed switching elements that forward data in a network to implement a logical switching element, the managed switching element comprising:
a first physical port that corresponds to a first logical port of the logical switching element, the first logical port for receiving data into the logical switching element, wherein a second physical port on a different managed switching element of the set of switching elements corresponds to a second logical port of the logical switching element; and
a set of tables for implementing an access control list (ACL) for storing a set of network addresses for the first logical port, wherein the managed switching element drops data packets entering or exiting the managed switching element through the physical port when the data packets do not include a network address in the set of network addresses for the first logical port.
16. The managed switching element of claim 15, wherein the set of network addresses includes at least one of a Media Access Control (MAC) address and an Internet Protocol (IP) address.
17. The managed switching element of claim 15, wherein the data packets include a source network address, wherein the managed switching element drops a data packet when the data packet is received by the managed switching element through the first physical port and the set of network addresses does not include the source network address of the data packet.
18. The managed switching element of claim 15, wherein the data packets include a destination network address, wherein the managed switching element drops a data packet when the data packet is destined for the first physical port of the managed switching element and the set of network addresses does not include the destination network address of the data packet.
19. The managed switching element of claim 15, wherein the data packets include an Address Resolution Protocol (ARP) response that includes a network address, wherein the managed switching element drops an ARP response when the set of network addresses does not include the ARP response's network address.
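The following toy model, added here as an illustration and not taken from the patent or from any product implementing it, walks through the pipeline the abstract and claims 11, 17, 18 and 19 describe: a table of allowed addresses per logical port, a table mapping logical ports to physical ports on managed switches, a join of the two that yields a per-physical-port ACL, and a managed switch that drops ingress packets whose source address is not in the ACL, egress packets whose destination address is not in the ACL, and ARP replies that advertise an address the port is not allowed to use. All table names, port names, MAC and IP values are constructed for the example; the model checks both the MAC and the IP carried by a packet, which is a stricter reading than the claims require.

```python
"""Toy model of per-port address filtering on a logical switch (constructed example)."""
from dataclasses import dataclass

# First table (claim 11): allowed network addresses per logical port.
# Logical port ids and addresses are constructed sample values.
LOGICAL_PORT_ADDRESSES = [
    ("ls1:p1", "00:11:22:33:44:01"), ("ls1:p1", "10.0.0.1"),
    ("ls1:p2", "00:11:22:33:44:02"), ("ls1:p2", "10.0.0.2"),
]

# Second table (claim 11): logical port -> (managed switch, physical port).
# Different logical ports land on different managed switches.
PORT_MAPPINGS = [
    ("ls1:p1", "host-A", "tap1"),
    ("ls1:p2", "host-B", "tap7"),
]


def join_acls(addr_table, mapping_table):
    """Join the two tables on the logical port id.

    Returns {(switch, physical_port): frozenset(allowed addresses)}, i.e. the
    per-physical-port ACL that gets distributed to each managed switch.
    """
    acls = {}
    for lport, switch, pport in mapping_table:
        allowed = {addr for lp, addr in addr_table if lp == lport}
        acls[(switch, pport)] = frozenset(allowed)
    return acls


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    arp_reply: bool = False  # when True, src_mac/src_ip are the advertised ARP sender fields


class ManagedSwitch:
    """A managed switching element holding only the ACL rows for its own ports."""

    def __init__(self, name, acls):
        self.name = name
        self.port_acl = {p: a for (s, p), a in acls.items() if s == name}

    def ingress(self, phys_port, pkt):
        """Packet entering through phys_port: enforce source addresses (claims 17 and 19)."""
        allowed = self.port_acl.get(phys_port)
        if allowed is None:
            return "forward"  # assumption: an unsecured port carries no restriction
        # For an ARP reply the sender fields are the advertised binding (claim 19);
        # for ordinary traffic they are the packet's source addresses (claim 17).
        if pkt.src_mac not in allowed or pkt.src_ip not in allowed:
            return "drop"
        return "forward"

    def egress(self, phys_port, pkt):
        """Packet destined for phys_port: enforce destination addresses (claim 18)."""
        allowed = self.port_acl.get(phys_port)
        if allowed is None:
            return "forward"
        if pkt.dst_mac not in allowed or pkt.dst_ip not in allowed:
            return "drop"
        return "forward"


def build_switches(addr_table, mapping_table):
    """Distribute the joined ACL to each managed switch named in the mapping table."""
    acls = join_acls(addr_table, mapping_table)
    return {name: ManagedSwitch(name, acls) for name, _ in acls}


def demo():
    """Run a few constructed packets through the secured ports and return the verdicts."""
    sw = build_switches(LOGICAL_PORT_ADDRESSES, PORT_MAPPINGS)
    legit = Packet("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2")
    # same IP as p1 but a MAC the port was never assigned
    spoofed = Packet("00:11:22:33:44:09", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2")
    # ARP reply from p1 advertising p2's IP for p1's MAC
    bogus_arp = Packet("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.2", "10.0.0.1",
                       arp_reply=True)
    return {
        "legit_ingress": sw["host-A"].ingress("tap1", legit),      # forward
        "spoofed_ingress": sw["host-A"].ingress("tap1", spoofed),  # drop
        "legit_egress": sw["host-B"].egress("tap7", legit),        # forward
        "bogus_arp": sw["host-A"].ingress("tap1", bogus_arp),      # drop
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of the join step is that the controller never pushes the whole address table to every switch: each managed switch receives only the ACL rows for physical ports it actually hosts, so a host that is not mapped to a logical port cannot learn or enforce another port's bindings.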
Specification