System and method for restricting network access using forwarding databases

US 8,964,747 B2
Filed: 02/12/2009
Issued: 02/24/2015
Est. Priority Date: 05/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a data unit including layer 2 client-identification data;

if the data unit does include layer 3 address data, forwarding the data unit, and if the included layer 3 address data confirms a layer 3 address assignment and if a layer 3 address assignment status restriction attribute associated with the received data unit is enabled, disabling the layer 3 address assignment status restriction attribute associated with the received data unit; and

if the data unit does not include layer 3 address data and if the layer 3 address assignment status restriction attribute associated with the received data unit is enabled, discarding the data unit.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This specification describes a system that can offer, among other advantages, dynamically allowing or rejecting non-DHCP packets entering a switch. In addition, a FDB is commonly used by a bridge or switch to store an incoming packet'"'"'s source MAC address and its port number, then later on if the destination MAC address of another incoming packet matching any entry in FDB will be forwarded to its associated port. Using the techniques described herein, not only this will be completely transparent to user, the techniques can also result in an increase in switch performance by blocking unwanted traffic at an earlier stage of forwarding process and freeing up other processing units at a later stage, like switch fabric or packet processing stages.

605 Citations

19 Claims

1. A method, comprising:
- receiving a data unit including layer 2 client-identification data;
  
  if the data unit does include layer 3 address data, forwarding the data unit, and if the included layer 3 address data confirms a layer 3 address assignment and if a layer 3 address assignment status restriction attribute associated with the received data unit is enabled, disabling the layer 3 address assignment status restriction attribute associated with the received data unit; and
  
  if the data unit does not include layer 3 address data and if the layer 3 address assignment status restriction attribute associated with the received data unit is enabled, discarding the data unit.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method claim 1, further comprising:
    - if the layer 3 address data does not confirm the layer 3 address assignment, forwarding the data unit.
  - 3. The method of claim 1 further comprising:
    - if the layer 2 client-identification data has been recorded, determining whether the layer 3 address assignment status restriction attribute associated with the received data unit is enabled.
  - 4. The method of claim 1, wherein the data unit is a packet, further comprising preprocessing the packet.
  - 5. The method of claim 1, further comprising executing switching functions with respect to the data unit.

6. A system comprising:
- a switching device configured to perform layer 2 functions and receive a data unit;
  
  a memory coupled to the switching device, the memory having a forwarding database storing an entry associated with the received data unit, the entry having an associated layer 2 address and a layer 3 address assignment status restriction attribute; and
  
  a processor coupled to the memory and the switching device, the processor configured to execute packet forwarding functions, if the received data unit includes layer 3 address data, the switching device forwards the data unit, and if the included layer 3 address data confirms a layer 3 address assignment and if the layer 3 address assignment status restriction attribute associated with the received data unit is enabled, disable the layer 3 address assignment status restriction attribute associated with the received data unit.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The system of claim 6, further comprising:
    - a plurality of wireless access points coupled to the switching device.
  - 8. The system of claim 6, further comprising:
    - a plurality of clients coupled to the switching device through one or more wireless access points.
  - 9. The system of claim 6, wherein the layer 2 address is a MAC address.
  - 10. The system of claim 6, wherein the layer 3 address is an IP address.
  - 11. The system of claim 6, wherein the data unit is a packet.
  - 12. The system of claim 6, wherein the data unit is a frame.
  - 13. The system of claim 6, wherein the entry of the forwarding database includes a port ID and a VLAN ID.
  - 14. The system of claim 6, wherein the entry of the forwarding database includes an age parameter.
  - 15. The system of claim 6, wherein if the layer 3 address assignment data does not confirm a layer 3 address assignment, the switching device forwards the data unit.

16. A system comprising:
- a switching device configured to perform layer 2 functions;
  
  a memory coupled to the switching device, the memory configured to have a forwarding database storing an entry associated with a received data, said entry having an associated layer 2 address and a layer 3 address assignment status restriction attribute associated with the received data; and
  
  an address restriction engine coupled to the memory and the switching device, the address restriction engine configured to execute packet forwarding and data traffic filtering functions, said address restriction engine having;
  
  an address status restriction module having control logic configured to manipulate a layer 3 address assignment status restriction attribute associated with the received data, anda packet forwarding module having logic configured to monitor data traffic and notify the address status restriction module that a first data with layer 3 address assignment data has been received;
  
  the address status restriction module configured to disable the layer 3 address assignment status restriction attribute associated with the first data if the layer 3 address assignment data confirms a layer 3 address assignment, based on a second data the address status restriction module receives from the packet forwarding module.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the layer 2 address is a MAC address.
  - 18. The system of claim 16, wherein the layer 3 address is an IP address.
  - 19. The system of claim 16, wherein the switching device is configured to perform layer 3 functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trapeze Networks Incorporated (Juniper Networks Incorporated)
Original Assignee
Trapeze Networks Incorporated (Juniper Networks Incorporated)
Inventors
Albert Hu, Tyng Jar
Primary Examiner(s)
VU, HOANG-CHUONG Q

Application Number

US12/370,562
Publication Number

US 20100040059A1
Time in Patent Office

2,203 Days
Field of Search

370/389, 370/395.53, 370/395.52, 370/392, 370/469, 709/203, 709/224, 455/410, 455/411, 455/428, 455/429
US Class Current

370/392
CPC Class Codes

H04L 49/3009   Header conversion, routing ...

H04L 49/35   Switches specially adapted ...

H04L 49/354   for supporting virtual loca...

H04L 61/5014   using dynamic host configur...

H04L 63/02   for separating internal fro...

System and method for restricting network access using forwarding databases

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

605 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for restricting network access using forwarding databases

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

605 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links