Method and system for traffic isolation in a network
Abstract
One embodiment of the present invention provides a system that facilitates traffic isolation (TI) in a network. During operation, the system configures a set of switch ports as members of a TI zone. The switch ports are part of an end-to-end path across one or more switch domains between a source and a destination. The switch ports within the TI zone and outside the TI zone belong to a common storage area network (SAN) zone, which compartmentalizes data for security purposes. The system then determines whether a data flow entering a switch domain belongs to the TI zone. The system subsequently forwards the data flow to the next port within the TI zone if the data flow belongs to the TI zone.
24 Claims
1. A method for facilitating traffic isolation in a switch, the method comprising:
configuring one or more ports of the switch as members of a first traffic isolation zone, wherein a traffic isolation zone is a subset of ports in the switch and precludes a data flow not belonging to the traffic isolation zone from reaching a port within the traffic isolation zone;
identifying that a data flow belongs to the first traffic isolation zone based on the subset of ports belonging to the first traffic isolation zone;
in response to a port of the first traffic isolation zone being available, associating the data flow with the port as an output port;
in response to the port not being available, determining whether a failover option for the first traffic isolation zone is enabled; and
in response to the failover option being enabled, associating the data flow with a second port as an output port, wherein the second port is a member of a second traffic isolation zone, and wherein the second traffic isolation zone is distinct from the first traffic isolation zone.
(Dependent claims 2, 3, 4, 5, 6, 7 and 8 depend on claim 1.)
9. A non-transitory computer-readable medium storing instructions which when executed by a computer cause the computer to perform a method for facilitating traffic isolation in a network, the method comprising:
configuring one or more ports of a switch as members of a first logical group, wherein a logical group is a subset of ports in the switch and precludes a data flow not belonging to the logical group from reaching a port within the logical group;
identifying that a packet belongs to the first logical group based on the subset of ports belonging to the first traffic isolation zone;
in response to a port of the first logical group being available, associating the packet with the port as an output port;
in response to the port not being available, determining whether a failover option for the first logical group is enabled; and
in response to the failover option being enabled, associating the packet with a second port as an output port, wherein the second port is a member of a second logical group, and wherein the second logical group is distinct from the first logical group.
(Dependent claims 10, 11, 12, 13, 14, 15 and 16 depend on claim 9.)
17. A switch for facilitating traffic isolation in a network, the switch comprising:
a set of ports operable as members of a first logical group, wherein a logical group is a subset of ports in the switch and precludes a data flow not belonging to the logical group from reaching a port within the logical group;
a logical-group mapping module adapted to: identify that a packet belongs to the first logical group based on the subset of ports belonging to the first logical group; and determine whether a failover option for the first logical group is enabled in response to a port of the first logical group not being available; and
a forwarding module adapted to: associate the packet with the port as an output port in response to the port being available; and associate the packet with a second port as an output port in response to the failover option being enabled, wherein the second port is a member of a second logical group, and wherein the second logical group is distinct from the first logical group.
(Dependent claims 18, 19, 20, 21, 22, 23 and 24 depend on claim 17.)
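The three independent claims describe one forwarding decision: identify the zone a flow belongs to from the port subset, prefer an available port of that zone, and only when no zone port is available and failover is enabled send the flow to a port that belongs to a different zone. The following is an added illustration of that decision, not code from the patent or from any product implementing it. The zone names, port numbers, flow ids, candidate-port lists and the `audit` helper are all constructed here; the model assumes each port belongs to at most one zone, that a flow's zone is given by its ingress port, and that failover may only target a port inside another zone, as the claims state.

```python
"""Toy model of a switch forwarding data flows under traffic-isolation (TI) zones,
with the optional failover described in the claims. Everything here (port numbers,
zone names, flow ids, the candidate-port lists) is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class TIZone:
    name: str
    ports: frozenset            # switch ports that are members of this zone
    failover: bool = False      # may a flow leave this zone when its own ports are down?


@dataclass
class Decision:
    flow: str
    zone: Optional[str]         # zone the flow was identified as belonging to (None = unzoned)
    out_port: Optional[int]     # selected output port; None means the flow is not forwarded
    crossed_zone: bool          # True when failover sent the flow to another zone's port


class Switch:
    def __init__(self, zones: Iterable[TIZone], port_up: Dict[int, bool]):
        self.zones = {z.name: z for z in zones}
        self.port_up = dict(port_up)
        self.port_zone: Dict[int, str] = {}   # port -> zone name (one zone per port here)
        for z in self.zones.values():
            for p in z.ports:
                if p in self.port_zone:
                    raise ValueError(f"port {p} is a member of two zones")
                self.port_zone[p] = z.name

    def identify_zone(self, ingress_port: int) -> Optional[str]:
        """A flow belongs to the zone whose port subset contains its ingress port."""
        return self.port_zone.get(ingress_port)

    def select_output(self, flow: str, ingress_port: int, candidates: List[int]) -> Decision:
        """Choose an output port from the route's candidates, in preference order."""
        zone_name = self.identify_zone(ingress_port)
        if zone_name is None:
            # An unzoned flow must never reach a port inside any TI zone.
            for p in candidates:
                if self.port_up.get(p, False) and p not in self.port_zone:
                    return Decision(flow, None, p, False)
            return Decision(flow, None, None, False)
        zone = self.zones[zone_name]
        # 1. An available port of the flow's own zone wins.
        for p in candidates:
            if p in zone.ports and self.port_up.get(p, False):
                return Decision(flow, zone_name, p, False)
        # 2. No zone port available: cross into another zone only if failover is enabled.
        if zone.failover:
            for p in candidates:
                other = self.port_zone.get(p)
                if other is not None and other != zone_name and self.port_up.get(p, False):
                    return Decision(flow, zone_name, p, True)
        # 3. Otherwise the flow is held rather than allowed to leak out of its zone.
        return Decision(flow, zone_name, None, False)


def audit(decisions: Iterable[Decision]) -> List[str]:
    """Flows that were forwarded outside their zone: the events worth alerting on."""
    return [d.flow for d in decisions if d.crossed_zone]


def demo() -> List[Decision]:
    # Constructed topology: zone A (ports 1, 2) allows failover, zone B (ports 3, 4)
    # does not; ports 5 and 6 are outside every zone; port 2 is down.
    sw = Switch(
        zones=[TIZone("A", frozenset({1, 2}), failover=True),
               TIZone("B", frozenset({3, 4}), failover=False)],
        port_up={1: True, 2: False, 3: True, 4: True, 5: True, 6: True},
    )
    return [
        sw.select_output("f1", 1, [2, 3, 5]),   # A's port 2 down, failover -> B's port 3
        sw.select_output("f2", 3, [4, 1]),      # B's port 4 is up -> stays in B
        sw.select_output("f3", 4, [1, 5]),      # no B port, failover off -> not forwarded
        sw.select_output("f4", 5, [1, 6]),      # unzoned flow skips zone port 1 -> port 6
        sw.select_output("f5", 1, [2, 5]),      # failover only to another zone's port -> none
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
    print("crossed zone:", audit(demo()))
```

The point the model makes visible is in flow `f1`: because zone A has failover enabled, its traffic lands on a port that zone B's own isolation rule would otherwise keep it away from. Enabling failover on one zone therefore relaxes the isolation of the zones it can fail over into, so the setting deserves the same change control as the zone membership itself, and the `audit` helper shows the kind of record (flow, origin zone, crossed-zone flag) an operator would want logged when a failover path is actually taken.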