
MXPA00010209A - Establishing connectivity in networks - Google Patents


Info

Publication number
MXPA00010209A
Authority
MX
Mexico
Prior art keywords
traffic
network
group
field
sub
Application number
MXPA/A/2000/010209A
Other languages
Spanish (es)
Inventor
Thomas G Mcneill
Joseph J Ekstrom
Stephen S Moss
Original Assignee
Internap Network Services Corporation
Application filed by Internap Network Services Corporation
Publication of MXPA00010209A

Abstract

A network includes a number of domains ("layer 2 domains") interconnected by routers. Within each domain, traffic is forwarded based on MAC addresses (or other data link layer addresses). The routers route traffic based on IP addresses or other network layer addresses. To restrict network connectivity, a network administrator specifies connectivity groups, each of which is a group of sub-networks that are allowed to communicate. The administrator also specifies which entities (MAC addresses, ports, or user names) belong to the same group. The entities may be in the same or in different domains. A computer system automatically creates access control lists for the routers to allow or deny traffic as specified by the administrator. The computer system also creates VLANs to allow or deny traffic as specified, wherein each VLAN is part of a domain or is a whole domain. Connectivity within each domain is restricted by VLANs, and connectivity between domains is restricted by access control lists.

Description

ESTABLISHING CONNECTIVITY IN NETWORKS

Field of the Invention

The present invention relates to networks, and more particularly to establishing connectivity in networks.

Background of the Invention

Some networks restrict connectivity for security reasons or to reduce network traffic: some stations in the network are allowed to communicate with each other, while other stations are not. Connectivity could be allowed or disabled by providing physical communication links between stations that are allowed to communicate and omitting physical links between stations that are not. However, this is impractical because it requires a separate configuration of physical links for each set of connectivity constraints. Therefore, techniques have been developed to establish or change network connectivity by issuing commands to the appropriate network devices. This is illustrated in Figures 1 and 2. (These Figures also illustrate some aspects of the present invention and are therefore not prior art.) Network 110 is an enterprise network suitable for interconnecting a large organization. Network 110 includes "layer 2 domains" 116P, 116Q, 116R, 116S and 116T.
(The term "layer 2" refers to the data link layer of the OSI reference model described in D. Bierer et al., "NetWare 4 for Professionals" (1993), pages 1 to 9.) Stations 124 belonging to the same layer 2 domain 116 (for example, stations 124.1 and 124.2 in domain 116P) can communicate with each other using their layer 2 addresses (MAC addresses). A MAC (media access control) address is a physical address burned into the station's network interface card (NIC) or set by NIC switches. Some or all domains 116 may include one or more network switches 128 (not to be confused with NIC switches). The switches 128 of each domain 116 forward traffic between stations 124 using the stations' MAC addresses. Stations in different layer 2 domains (for example, stations 124.1 and 124.3) cannot communicate with each other using only MAC addresses; they communicate using their IP addresses, which are logical addresses. Routers 130.1, 130.2 and 130.3 route traffic between the domains 116 based on the stations' IP addresses, translating between IP addresses and MAC addresses as necessary. Within some domains 116, connectivity can be restricted using virtual LANs (VLANs). For example, domain 116P contains three VLANs 140a, 140b, 140c (Figure 2). Stations 124 in domain 116P can communicate with each other at layer 2 (that is, using their layer 2 addresses) only if they belong to the same VLAN. Thus, as illustrated in Figure 1, stations 124.1 and 124.2 belong to VLAN 140a and can therefore communicate. The VLANs are implemented by the LAN switches 128: a switch 128 forwards a packet only between stations within the same VLAN. (Switches 128 are called "VLAN-capable" because they can restrict traffic by VLAN. Some layer 2 domains, for example 116S or 116T, may include switches that are not VLAN-capable.)
Connectivity between different layer 2 domains is restricted by the routers 130. The routers 130 use access control lists (ACLs), which define connectivity restrictions based on IP addresses. See, for example, K. Siyan and C. Hare, "Internet Firewalls and Network Security" (1995), pages 187 to 192. Creating access control lists and defining VLANs can be a confusing and laborious process for a network administrator. The process has to be repeated frequently in dynamic network environments in which stations, users and network services move from place to place, are transferred from one organization to another without physically moving, or are added or removed.
Therefore, it is desirable to facilitate the establishment of network connectivity.
Summary of the Invention

The present invention provides new methods and systems for establishing and restricting network connectivity. Some embodiments allow easy creation of VLANs and access control lists. In some embodiments, the access control lists are created by a management station. The management station receives definitions of connectivity groups. Each connectivity group is a group of sub-networks; traffic is allowed within each group. In some embodiments, each sub-network is identified as an IP sub-network. The management station creates the access control lists from the information defining the connectivity groups. In some embodiments, the management station also receives the identification of shared sub-networks and generates ACLs which allow traffic between any shared sub-network and any sub-network in any connectivity group. In some embodiments, the management station creates sub-domains, such as VLANs, by configuring the domains appropriately. To configure the domains, a network administrator enters, for each connectivity group, information defining the traffic that belongs to the group. Examples of such information are lists of entities (such as switch ports, MAC addresses of network stations, or user names supplied by users at login) that belong to the same connectivity group. Entities of different connectivity groups are not allowed to communicate. A connectivity group can contain entities from different layer 2 domains. Entities can be assigned to connectivity groups without specifying which entity belongs to which VLAN. The management station determines which entities of the same group belong to a single domain and places those entities in an appropriate VLAN. In some embodiments, the information identifying the traffic of a connectivity group includes bit values in layer 2 packets. The present invention is not limited to layer 2 domains or to switches or routers.
Other features and advantages of the present invention will be described below. The present invention is defined in the appended claims.
Brief Description of the Drawings

Figure 1 is a block diagram of a network in which connectivity is established according to the present invention. Figure 2 is a block diagram illustrating the VLANs and the router interfaces in the network of Figure 1.

Detailed Description of the Invention

Network 110 includes five layer 2 domains 116. These domains are called "layer 2" because packet forwarding within each domain is based on the packet's content at layer 2 (the data link layer) of the OSI reference model. The routers 130 route traffic based on the packet's content at layer 3 (the network layer); in particular, IP addresses are layer 3 addresses. However, the present invention is not limited to layers 2 or 3 or to networks that conform to the OSI reference model. Domain 116P includes VLAN-capable switches 128.1 and 128.2, which forward traffic based on MAC addresses. The switches are connected to each other by trunk 150.1. Each switch has one or more ports, each connected to a network segment. Thus, port 160.1 of switch 128.1 is connected to a network segment containing station 124.1, and port 160.2 of switch 128.2 is connected to a network segment containing station 124.2. In Figure 1, each network segment contains a single station; in some embodiments a network segment contains multiple stations. Port 160M of switch 128.1 is connected to the management station 124M used to create the connectivity groups, as described below.
Switch 128.1 is connected to router 130.1 by trunk 150.2. Router 130.1 is connected to router 130.2, to router 130.3 and to the Internet connection 170. Router 130.2 is connected to router 130.3. Router 130.2 is connected by trunk 150.3 to VLAN-capable switch 128.3 of domain 116Q. Domain 116Q also contains VLAN-capable switches 128.4, 128.5 and 128.6, each connected to one or more network segments in a manner similar to switches 128.1 and 128.2; only the segment containing station 124.3 is illustrated. The switches 128 of domain 116Q are also connected to each other. Router 130.2 is connected to layer 2 domain 116T. Router 130.3 is connected to VLAN-capable switch 128.7 of domain 116R and to layer 2 domain 116S. Switch 128.7 is connected to network segments (not shown) in a manner similar to switches 128.1 and 128.2. Domains 116S and 116T include zero or more switches (not shown). In some embodiments, one or more domains 116 have no switches, or have switches, bridges or hubs that are not VLAN-capable. As explained above, communication between different domains uses IP addresses. For example, to send a packet to station 124.3, station 124.1 inserts the IP address of station 124.3 and the MAC address of router 130.1 into the packet as the logical and physical destination addresses respectively. Router 130.1 replaces the destination MAC address with the MAC address of router 130.2 and replaces the source MAC address of station 124.1 with its own MAC address, then forwards the packet to router 130.2. Router 130.2 replaces the source MAC address with its own MAC address and the destination MAC address with the MAC address of station 124.3, and sends the packet to switch 128.3. Switch 128.3 forwards the packet to station 124.3 through switch 128.5.
Domain 116P includes non-overlapping VLANs 140a, 140b, 140c (Figure 2); domain 116Q includes non-overlapping VLANs 140d, 140e, 140f; domain 116R includes non-overlapping VLANs 140g, 140h, 140i. A station's membership in a VLAN is defined by the switch port 160 to which the station is connected, by the station's MAC address, or by the name of the user logged in at the station. Establishing VLAN membership by port or by MAC address is described in G. Held, "Virtual LANs: Construction, Implementation, and Management" (1997), pages 233 to 249, incorporated herein by reference. Establishing VLAN membership by user name is described in Appendix A; see also U.S. Patent No. 5,968,126, issued October 19, 1999 to J. Ekstrom et al., entitled "User-Based Binding of Network Stations to Broadcast Domains", incorporated herein by reference. In some embodiments, a VLAN 140 combines stations identified by port, stations identified by MAC address, and/or stations identified by user name. Domains 116S and 116T may or may not include VLANs. The management station 124M belongs to VLAN 140b.
Station 124M can communicate with any switch 128 and any router 130. In some embodiments, (1) all switches 128 are Catalyst switches marketed by Cisco, Inc. of San Jose, California; and (2) the routers 130 are routers marketed by Cisco, Inc. and described in the document available from Cisco, Inc. as part number 78-2040-01, incorporated herein by reference. Network 110 includes connectivity groups, which may include entities (non-trunk switch ports 160, MAC addresses, or user names) in different domains 116. For example, a connectivity group may consist of all entities located in VLANs 140a, 140d and 140g. Communication between entities in the same connectivity group is allowed, but communication between entities in different connectivity groups is not. In particular, the switches 128 and routers 130 will not forward a packet from a station 124 of one connectivity group to a station 124 of another connectivity group. As is well known, a VLAN is a broadcast domain (also called a "layer 2 broadcast domain" or "layer 2 BD" in this disclosure). In contrast, a connectivity group is not necessarily a broadcast domain; thus, in some embodiments, broadcast or multicast traffic is confined to a single VLAN. The VLANs are also referred to herein as "virtual broadcast domains" or VBDs. A VBD is a broadcast domain that can be defined without necessarily changing the physical connections (for example, the wiring) of a network. The management station 124M includes storage 192 for programs and data and also includes user interface devices 194 such as a keyboard, a display, and/or other interface devices. Appendix B illustrates a process of creating connectivity groups (and in particular of creating the VLANs 140 and the router access control lists) in some embodiments.
This process will now be described for the VLAN example of Figure 1 and the following three connectivity groups: Group 1 consists of VLANs 140a, 140d and 140g; Group 2 consists of VLANs 140b, 140e and 140h, and is designated the management connectivity group because it contains the management station 124M; Group 3 consists of VLANs 140c, 140f and 140i. In some embodiments, layer 2 domain 116S is a single broadcast domain. The process of Appendix B configures domain 116S as a shared IP sub-network which is allowed to communicate with every connectivity group. Note that each layer 2 broadcast domain is an IP sub-network or a combination of IP sub-networks. The process of Appendix B leaves layer 2 domain 116T and its associated sub-network "unmanaged": no ACL is created for the corresponding router interface and, in addition, the 116T sub-network is not explicitly mentioned in any ACL created by the process. Therefore, domain 116T can receive traffic from any connectivity group, but traffic from domain 116T to any connectivity group will be filtered (blocked) by the routers 130. In some embodiments, a single layer 2 domain includes both managed and unmanaged sub-networks. The process of Appendix B can be carried out before or after any VLANs or connectivity groups have been established in network 110. In some embodiments, the process of Appendix B is first performed to establish a single "management connectivity group" that contains all communicating entities in all domains 116 (except perhaps the entities of shared and unmanaged domains such as 116S and 116T). The management group enables the management station 124M to communicate with all switches and routers. Subsequently, the process of Appendix B, or the maintenance process of Appendix G, is performed to establish groups 1, 2 and 3 described above, or any other groups.
Establishing such groups is facilitated by the management station's ability to communicate with the switches and routers. Alternatively, only the ports of the switches 128 and the management station 124M are placed in the management connectivity group. In some embodiments, only those ports of the switches 128 that are needed for the management station 124M to reach all VLAN-capable switches and all routers are placed in the management connectivity group. In the embodiment described below, it is assumed that no management connectivity group exists when the process of Appendix B is started. Before the process of Appendix B is started, each router 130 is configured so that one or more IP sub-networks are assigned to each router interface 210 (Figure 2). (Note that we use the term "interface" for what some Cisco documentation calls a "sub-interface".)
Thus, when the process of Appendix B is finished, each router 130 has a separate interface for each VLAN 140 in each domain 116 to which the router is connected. Note that since each VLAN 140 is a sub-network or a combination of sub-networks, the routers 130 essentially make VLAN-based forwarding decisions even though the router software is not explicitly aware of the VLANs. The routers are connected to the domains through router trunk ports (such as trunk port 220), and each interface is a logical sub-port of a trunk port. As is well known, trunk ports of switches and routers (for example, ports connected to the trunks 150 that interconnect switches, or routers and switches) carry traffic for multiple VLANs. Traffic passing through trunk ports uses a trunking protocol in which each packet is encapsulated in a larger packet tagged with the identifier of the VLAN to which the packet is assigned. The VLAN tag lets the receiving switch 128 identify the packet's VLAN even when VLAN membership is defined by port rather than by MAC address. The routers 130 understand the trunking protocol and treat traffic from different VLANs on the same trunk port as if the traffic of each VLAN had arrived on a separate port assigned to that VLAN. Instead of a trunk, some embodiments use separate physical connections between a router and a layer 2 domain to carry the traffic of separate VLANs. Each interface has a gateway address for each sub-network handled through the interface; the gateway address is the router's address in that sub-network. Appendix C illustrates the database created in storage 192 by some steps of Appendix B. In step M5 (Appendix B), the network administrator provides the management station 124M with the IP address range of network 110. In the example of Appendix B the address range is 10.0.0.0/8. Within network 110, each sub-network has the subnet mask 255.255.255.0.
IP address ranges and sub-networks are written either in the form 10.0.0.0/8 (the subnet mask has eight most-significant 1 bits followed by all zeros) or as a combination of an IP address (10.0.0.0) and a network mask (255.0.0.0). The management station 124M enters the IP address range of network 110 into its database, as illustrated by item 11 in Appendix C. Step M7 is performed by the administrator as described in Appendix B. Station 124M creates data structures 12 (Appendix C). This information, like other information in Appendix C, is organized differently in different embodiments. For example, in some embodiments item 12-1 (switch addresses) is stored as a list of addresses for each domain; in other embodiments the same information is stored as pairs of an address and the respective domain; other data structures are used in other embodiments. In step M10, the network administrator defines the VLANs 140. Defining the VLANs comprises providing VLAN identifiers to station 124M and to each switch in the respective domain 116. A VLAN identifier is an identifier understood by the switches 128, for example a VLAN number. Each of the switches 128.1 and 128.2 receives the identifiers of VLANs 140a, 140b and 140c; switch 128.7 receives the identifiers of VLANs 140g, 140h and 140i; and so on. Defining the VLANs does not include defining which entities (ports, MAC addresses or user names) belong to each VLAN. In some embodiments, the administrator enters the VLAN identifiers directly into each switch 128. In other embodiments, the administrator enters the VLAN identifiers into a control switch 128 of each domain 116, and the control switch propagates the identifiers to the other switches (if any) in the same domain. In yet other embodiments, the administrator provides this information to the switches 128 remotely from station 124M using, for example, the Telnet or SNMP protocol.
Station 124M stores this information in its database as illustrated by item 13 in Appendix C. In step M14, the network administrator enters information 14 (Appendix C) into station 124M. In Figures 1 and 2, a separate sub-network is allocated to each layer 2 BD, so that there is a one-to-one correspondence between layer 2 BDs and IP sub-networks. The sub-networks are illustrated in Figure 2 and in Table 1 below:

TABLE 1

In some embodiments, several sub-networks are assigned to a single layer 2 BD. The sub-networks are provided to station 124M either in the "sub-network address / number of 1 bits in the mask" notation or in the "sub-network address and mask" notation. Also in step M14, network 110 is configured to assign IP addresses in each VLAN from the corresponding IP sub-network. Thus, in some Windows NT embodiments, the DHCP server is configured to assign IP addresses in the respective sub-networks. (Windows NT is described, for example, in R. Sant'Angelo et al., "Windows NT Server Survival Guide" (1996), incorporated herein by reference.) In some embodiments, a DHCP server is attached to one of the sub-networks of a router 130, and the router is configured to forward DHCP requests from all sub-networks directly attached to the router to this DHCP server. In other embodiments, a separate DHCP server is provided in each sub-network. In step M20, for each connectivity group, the administrator enters into station 124M the IP sub-networks that are members of the connectivity group (that is, the IP sub-networks of the layer 2 BDs that are members of the group). Thus, the administrator enters the sub-networks of VLANs 140a, 140d and 140g for connectivity group 1; the sub-networks of VLANs 140b, 140e and 140h for group 2; and the sub-networks of VLANs 140c, 140f and 140i for group 3.
Alternatively, for each connectivity group, the administrator enters the identifiers of the layer 2 BDs that are members of the connectivity group. In either case, so that every router can be reached from the management station 124M, the administrator can enter the IP sub-networks that will be members of the management connectivity group. In some embodiments, each router has at least one IP gateway address in a shared sub-network or in a member sub-network of the management group. Some embodiments do not require that every router be reachable from the management station; thus, routers directly connected only to unmanaged sub-networks and to other routers need not be reachable in some embodiments. Item 15 (Appendix C) is created in step M20. If multiple sub-networks are assigned to a single layer 2 BD, they are all assigned to the same connectivity group.
In step M30, the administrator enters into station 124M the entities belonging to each connectivity group, creating item 16 (Appendix C). For example, for connectivity group 1 the administrator enters switch ports 160.1, 160.2 and 160.3 (assuming that station 124.3 is connected to port 160.3 and belongs to VLAN 140d), and the other ports, MAC addresses and/or user names belonging to VLANs 140a, 140d and 140g. In some embodiments, the administrator does not have to remember which domain or VLAN the ports, MAC addresses or user names belong to. Ports 160 are identified at station 124M by labels which the administrator can assign for easy reference. For example, if a port is connected to a station 124 used by a user named Fred, the administrator can assign the label "Fred" to the port, and in step M30 can enter "Fred" to assign this port to a connectivity group. Assignment of MAC addresses to connectivity groups is similar. In step M40, the administrator enters information 17 and 18 into the management station 124M (Appendix C). In step M45, station 124M creates the VLANs 140, placing each entity in the appropriate VLAN as illustrated in Appendix D. In Appendix D, the numbers in parentheses refer to the items of the Appendix C database used in the corresponding steps of Appendix D. In Appendix D, if an entity E of a connectivity group is a port 160 of a VLAN-capable switch (step V1), the entity is placed only in the group's VLAN in the domain 116 to which the port belongs. In contrast, if the entity is a MAC address (step V2) or a user name (step V3), the entity is placed in every VLAN of the connectivity group. In the case of a MAC address, this allows the station having that MAC address to be connected to any domain 116 that includes a VLAN of the connectivity group. Thus a portable computer (for example a laptop) whose MAC address is in connectivity group 1 can be connected to domain 116P, 116Q or 116R.
If the computer is connected to domain 116P, the switches 128.1 and 128.2 that receive a packet having the computer's MAC address as its source address will place the computer in VLAN 140a. Similarly, if the computer is connected to domain 116Q it will be placed in VLAN 140d, and so on. In the same way, a user name is placed in every VLAN 140 of the connectivity group. If the user logs in within domain 116P, a request to bind the user to the correct VLAN arrives at the UBNC server from domain 116P. If, for example, the user name is in connectivity group 1, the UBNC server will place the user in VLAN 140a. Similarly, if the user logs in within domain 116Q or 116R, the UBNC server will place the user in VLAN 140d or 140g respectively.
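The placement rules of steps V1 to V3 (a port goes only into the group's VLAN of its own domain; a MAC address or user name is replicated into the group's VLAN in every domain the group spans, so a roaming laptop or user lands in the right VLAN wherever it attaches), as an added Python example. This code is not part of the patent, of Appendix D, or of any Internap product. The VLAN identifiers and domain names follow the figures; the port labels, the MAC address and the user name are constructed sample input, and the overlap check (no two VLANs of one group in the same domain) is an assumption drawn from the figures rather than a stated rule.

```python
"""Placement of connectivity-group entities into per-domain VLANs (steps V1-V3)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vlan:
    vlan_id: str   # identifier understood by the switches, e.g. "140a"
    domain: str    # layer 2 domain containing the VLAN, e.g. "116P"


@dataclass(frozen=True)
class Entity:
    kind: str                     # "port", "mac" or "user"
    name: str                     # port label (e.g. "Fred"), MAC address, or user name
    domain: Optional[str] = None  # for ports only: the domain whose switch owns the port


def vlan_by_domain(group_vlans):
    """Index a group's VLANs by domain. Assumption: at most one VLAN per domain per group."""
    index = {}
    for v in group_vlans:
        if v.domain in index:
            raise ValueError(f"group has two VLANs in domain {v.domain}: "
                             f"{index[v.domain].vlan_id} and {v.vlan_id}")
        index[v.domain] = v
    return index


def place_entities(group_vlans, entities):
    """Return {vlan_id: set of entity names} for one connectivity group.

    V1: a switch port is placed only in the group's VLAN of the port's own domain.
    V2/V3: a MAC address or user name is placed in the group's VLAN of every domain,
    so the station or user can attach in any domain the group spans."""
    per_domain = vlan_by_domain(group_vlans)
    membership = {v.vlan_id: set() for v in group_vlans}
    for e in entities:
        if e.kind == "port":
            if e.domain not in per_domain:
                raise ValueError(f"port {e.name}: group has no VLAN in domain {e.domain}")
            membership[per_domain[e.domain].vlan_id].add(e.name)
        elif e.kind in ("mac", "user"):
            for v in group_vlans:
                membership[v.vlan_id].add(e.name)
        else:
            raise ValueError(f"unknown entity kind {e.kind!r}")
    return membership


def vlan_on_attach(group_vlans, attach_domain):
    """VLAN a roaming MAC address or user of this group lands in when it shows up in
    attach_domain; None if the group has no VLAN there (e.g. a shared domain)."""
    v = vlan_by_domain(group_vlans).get(attach_domain)
    return v.vlan_id if v else None


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; exercises the validation paths."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed example: connectivity group 1 of the text (VLANs 140a, 140d, 140g).
GROUP1 = [Vlan("140a", "116P"), Vlan("140d", "116Q"), Vlan("140g", "116R")]
GROUP1_ENTITIES = [
    Entity("port", "160.1", "116P"),
    Entity("port", "160.3", "116Q"),
    Entity("mac", "00:00:5e:00:53:01"),   # laptop; documentation MAC range
    Entity("user", "fred"),
]

if __name__ == "__main__":
    for vlan_id, members in sorted(place_entities(GROUP1, GROUP1_ENTITIES).items()):
        print(vlan_id, sorted(members))
```

The two error paths matter operationally: a port whose domain has no VLAN of the group cannot be silently dropped into some other VLAN, and a group with two VLANs in one domain would make the roaming rule ambiguous.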
In step V3, "Modality 1" does not require the UBNC server to know anything about the connectivity groups. The station 124M tells the UBNC server which VLAN is assigned to the user's name in each field 1 16 (step V3-2). In Modality 2, the UBNC server knows which VLAN belongs to which connectivity group (this information can be provided directly or remotely to the UBNC server, for example, from station 124M). Therefore, in step V3-1 of Mode 2 station 124M does not inform the UBNC server which VLANs are assigned to the user. When the user registers, the UBNC server determines the user's VLAN from the user's connectivity group and from field 1 16 in which the registration occurred. The field 16 is determined by the IP address of the user since the UBNC database includes the IP sub-networks associated with each VLAN in each field 1 16. In some embodiments, the UBNC server operates the management station 124M. In step M50 (Appendix B), station 124M creates the access control lists of the router by executing a program shown in Appendix E. A separate access control list is created for each interface of the router to which it is attached. directly connected a member of the sub-network of a connectivity group. The program in Appendix E will be explained in the example of interface 210 of router 130.2 to VLAN 140e.
For each phase of the router, if the corresponding subnet belongs to a connectivity group, steps A1 through A5 create an access control list such as the one illustrated in Appendix F. The line numbers in the Appendix F (for example, AL1 -1) corresponds to the numbers in the steps in Appendix E. Therefore, step A1 (Appendix E) creates line AL1 -1, step A2 creates lines AL1 -2a and AL1 - 2b, and so on. Appendix F uses the syntax used by some routers marketed by Cisco, Inc. of San Jose California. This syntax is described in K. Siyan and C. Hare, "Internet Firewalls and Network Security" (1995), pages 186 to 191, incorporated herein by reference. Line numbers, (such as AL1 -1) are not part of the access control list. In addition, the text that begins with an exclamation point "!" and that it operates at the end of the line is a comment ignored by the routers. These comments are admitted by some modalities. Step A1 creates the lines that allow traffic to interface 210 from each of the shared sub-networks such as sub-network 1 16S. The program writes in the access control list the words "access-list", the number of the access control list (generated consecutively by the program itself in some modalities), the words "allow ip", the IP address of the shared subnet, and the wildcard mask of 0.0.0.255. (A bit 0 in the wildcard mask indicates that the corresponding bit of the source IP address is used by the router in comparisons with incoming IP packets of IPs, a bit 1 in the wildcard mask indicates that the corresponding bit is not used .) The wildcard mask 0.0.0.255 on line AL1 -1 is determined by inverting the mask of the sub-network. Step A2 creates the lines, such as the lines AL1 -2a, AL1 -2b, which allow traffic from each of the other sub-networks (for example BD of 2 layers) in the same connectivity group. Line AL1 -2a allows traffic from sub-network 10.1 .2.0 / 24 (VLAN 140b). Line AL1 -2b allows traffic from sub-network 10.3.2.0/24 (VLAN 140h). 
Step 3 creates line AL1 -3 denying traffic from all other stations in network 1 10. (Note, that when the router receives a packet, the router tests the packet starting from the beginning of the access control list When a line that is applicable to the packet is found, the rest of the access control list is ignored). The wildcard mask is obtained by inverting the mask of the IP address range of network 1 10. Step A4 creates line AL1 -4 allowing traffic from any station outside the network 1 10, including traffic from the Internet 170. In some modalities, before step M50 the administrator indicates to the administrator station 124M and the traffic from the Internet to the sub-network is allowed for each of the sub-networks in a group of connectivity If the traffic is denied, step A4 is omitted for the corresponding interface, and step A3 creates a line "deny any ip" instead of line AL1 -3. Step A5 is performed as described in Appendix E. If the router interface is not connected to a BD member of a connectivity group, but is connected to a shared or unmanaged sub-network (e.g. 160S) or the Internet 170, the ACL is not created, making the sub-network or Internet accessible from any other sub-network. In some embodiments, in step M40 of Appendix B, the administrator specifies what access will be provided to each shared subnet, and the process in Appendix E creates an appropriate access control list using methods known in the art. For example, if the shared sub-network is to be made accessible only from within the network 1 10, the access control list will consist of lines such as: access-list 1 allow ip 10.0.0.0 0.255.255.255 access-list 1 deny any ip In other modalities, this functionality is provided by a Wall of Fire throughout the company implemented in router 130.1 or some other devices (not shown). The administering station 124M instructs each router 130 to cancel any existing access control lists and to replace the new access control lists.
Some embodiments allow the network administrator to insert additional commands into the access control list. Thus, in some embodiments, before step M50, the administrator can specify, for each sub-network, additional terms to be inserted into the access control list of the corresponding interface. More particularly, the administrator can specify the terms to be inserted before step A1, the terms to be inserted between steps A2 and A3, the terms to be inserted between steps A3 and A4, and the terms to be inserted after step A4. In some embodiments, this technique is used to incorporate firewall functionality into the access control lists and thus eliminate the need for an enterprise-level firewall. In some embodiments, steps M10 and M20 are omitted.
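The following Python script is an illustration added here; it is not the patent's program nor Internap's implementation. It generates the access control list of steps A1 through A4 for one interface, renders the step A5 command sequence, and evaluates the list with the first-match rule described above, using the sub-networks of Appendix F. The insertion-point keys for administrator-supplied lines are names chosen for this example. It emits Cisco IOS standard numbered-list syntax, in which lists 1 to 99 take no "ip" keyword, so its lines differ slightly from the "permit ip" form shown in Appendix F.

```python
"""ACL generation per Appendix E steps A1-A5 and first-match evaluation.

Added illustration; not the patent's program. Uses the subnets of Appendix F.
Emits Cisco IOS *standard* numbered-list syntax (lists 1-99 take no 'ip'
keyword), which is why the lines differ slightly from Appendix F's text.
"""
import ipaddress

NETWORK_110 = ipaddress.ip_network("10.0.0.0/8")   # item I1 of Appendix C


def acl_line(number, action, net=None):
    """One 'access-list' line. The wildcard mask is the inverted subnet mask,
    which ipaddress exposes as hostmask (0 bits must match, 1 bits are ignored)."""
    if net is None:
        return f"access-list {number} {action} any"
    return f"access-list {number} {action} {net.network_address} {net.hostmask}"


def build_acl(group_subnets, shared_subnets, internet_allowed=True, number=1, extra=None):
    """Steps A1-A4 for one interface whose own subnet is in a connectivity group.

    group_subnets:  the other subnets of the same group (I5), step A2
    shared_subnets: list I8, step A1
    internet_allowed: False -> A4 omitted and A3 becomes 'deny any'
    extra: administrator-supplied lines keyed by insertion point; the keys
           'before_A1', 'after_A2', 'after_A3', 'after_A4' are names chosen
           for this example, not the patent's.
    """
    extra = extra or {}
    acl = list(extra.get("before_A1", []))
    for s in shared_subnets:                                      # A1
        acl.append(acl_line(number, "permit", ipaddress.ip_network(s)))
    for s in group_subnets:                                       # A2
        acl.append(acl_line(number, "permit", ipaddress.ip_network(s)))
    acl += extra.get("after_A2", [])
    if internet_allowed:
        acl.append(acl_line(number, "deny", NETWORK_110))         # A3
        acl += extra.get("after_A3", [])
        acl.append(acl_line(number, "permit"))                    # A4
        acl += extra.get("after_A4", [])
    else:
        acl.append(acl_line(number, "deny"))                      # A3 variant; A4 omitted
    return acl


def router_commands(interface, acl, number=1):
    """Step A5 as an IOS command sequence. Re-entering 'access-list N' lines
    appends to an existing list, so the old list is cleared before reloading."""
    return ([f"interface {interface}", f"no ip access-group {number} out", "exit",
             f"no access-list {number}"] + acl +
            [f"interface {interface}", f"ip access-group {number} out", "exit"])


def evaluate(acl, src_ip):
    """Router semantics from the description: the first matching line wins;
    a packet matching no line is denied (the implicit deny of IOS ACLs).
    Parses only lines in the format acl_line() emits."""
    ip = int(ipaddress.ip_address(src_ip))
    for entry in acl:
        _, _, action, target, *rest = entry.split()
        if target == "any":
            return action
        base = int(ipaddress.ip_address(target))
        wildcard = int(ipaddress.ip_address(rest[0]))
        if (ip | wildcard) == (base | wildcard):   # compare only the 0 bits of the wildcard
            return action
    return "deny"


# Interface of router 210 facing VLAN 140e (Appendix F): shared 116S is
# 10.3.4.0/24; VLANs 140b and 140h are the other members of the corporate group.
ACL_VLAN_140E = build_acl(group_subnets=["10.1.2.0/24", "10.3.2.0/24"],
                          shared_subnets=["10.3.4.0/24"])

if __name__ == "__main__":
    print("\n".join(router_commands("vlan_e", ACL_VLAN_140E)))
    for src in ("10.3.4.7", "10.1.2.9", "10.2.0.1", "192.0.2.10"):
        print(src, "->", evaluate(ACL_VLAN_140E, src))
```

Running it prints the command sequence for interface vlan_e followed by the decision for four sample source addresses. Because evaluation is first-match, a line inserted between steps A2 and A3 is consulted before the network-wide deny of step A3, while the same line placed after step A3 would never be reached for a source inside network 110; the insertion points of the previous paragraph therefore matter.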
In step M45, the management station 124M creates, for each connectivity group, a VLAN in each domain 116 that has a VLAN-capable switch and that has one or more entities in the connectivity group, and places the entities in the VLAN. (Thus a VLAN is created in the domain if the domain has a port 160 in the connectivity group, or if the connectivity group includes a MAC address or a user name.) Station 124M also allocates an IP sub-network (e.g., 10.1.1.0/24) to each VLAN.
In some embodiments, VLAN membership is determined by criteria other than ports, MAC addresses or user names. For example, in some embodiments VLAN membership is determined from packet contents, e.g., from the value of certain bits in the layer 2 packet. When a switch 128 receives a packet in which the value of those bits is in a set of one or more predetermined values, the switch places the source MAC address of the packet, or the port 160 on which the packet arrived, in the corresponding VLAN. When a switch 128 transmits a packet over a trunk port connected to a router, the switch attaches the VLAN number of the packet to the packet. In routers 130, each VLAN number is associated with an interface (the association is established when the interface is defined). Thus, as illustrated in Figure 2, each router 130 has a separate interface 210 for each IP sub-network to which the router is directly connected. The connectivity groups are created similarly to the embodiment of Appendices B through G. In particular, in step M30 the administrator specifies, for each such group, the rules that determine which packets belong to the connectivity group. For example, a rule may state that packets having certain values of certain bits belong to a certain connectivity group.
In some embodiments, the access control lists of routers 130 permit or deny traffic based on criteria other than IP addresses. For example, some criteria include port numbers. See, for example, W. Cheswick and S. Bellovin, "Firewalls and Internet Security" (1994), pages 94-109, incorporated herein by reference. In addition, some criteria apply to traffic entering the interface rather than to traffic leaving it. Prior to step M50, the administrator provides station 124M with sufficient information to create the access control lists according to such criteria. In some embodiments, a VLAN 140 may be connected to different interfaces 210 of the same router for redundancy. The two interfaces are assigned to the same sub-network or to two different sub-networks; the respective ACLs implement the same restrictions for both interfaces. If a VLAN is connected to interfaces of different routers, one of these routers might try to send data through the VLAN to the other router, possibly routing the information on to other stations reachable from the other router.
In that case, the ACLs for the interfaces connected to the VLAN are built to properly restrict the traffic between the routers. In some embodiments, the sub-network of such a VLAN is shared or unmanaged, and is not a member of any connectivity group.
Appendix G describes maintenance processes for changing the connectivity in network 110. Any change could be achieved by re-running the process of Appendix B; however, the processes of Appendix G simplify maintenance in some embodiments. Some embodiments omit step M50 (ACLs are not generated). The embodiments described above illustrate but do not limit the present invention. The present invention is not limited to any particular network, layers, switches, routers, operating systems, or other hardware or software. The present invention is not limited to enterprise networks. In some embodiments, the MAC addresses are not burned into the NICs but are generated by software. In some embodiments, all or part of the management software of Appendices B through G runs on a switch 128 or a router 130 instead of station 124M; in some embodiments the software is distributed. In some embodiments, domains 116 use protocols other than layer 2 protocols, and routers 130 route traffic based on protocols other than layer 3 protocols. Connectivity within each domain is then determined based on information other than MAC addresses or the contents of layer 2 packets, and routers 130 permit or deny traffic based on information other than IP addresses. In some embodiments, routers 130 use IPX addresses. Some embodiments use the NetWare or AppleTalk networks described in D. Bierer et al., "NetWare 4 for Professionals" (1993), incorporated herein by reference. Other embodiments and variations are within the scope of the present invention as defined by the appended claims.
APPENDIX A
User-Based Network Control (UBNC)
In some embodiments, VLAN membership is determined based on the user who logged in at the station. In some Windows NT embodiments, a UBNC server is provided that is accessible from all VLANs (for example, the server is in a shared sub-network).
When a network station is turned on, it is placed in a "default" VLAN (there is a default VLAN in each layer 2 domain 116). The station obtains an IP address from a DHCP server that serves the default VLAN. When a user logs in at the station, the station sends a request to the UBNC server to connect the station to a VLAN associated with the user name supplied at login. The request contains the user name, the MAC address of the station, and the current IP address of the station. The UBNC server determines the associated VLAN from a UBNC server database. In some embodiments, the database contains, for each user name, the identification of the associated VLAN. In other embodiments, the database contains the following information provided by the management station: (A) for each user name, an identification of the connectivity group to which the user name belongs; (B) the identifications of the VLANs belonging to each connectivity group; (C) for each VLAN, the associated sub-network(s). When the UBNC server receives the request, the server sends to the requesting station: (1) an indication of whether the station is to be connected to a different VLAN (if the user logged in when the station was not in the default VLAN, reconnection may not be required; also, no reconnection is made if the user logged in from a layer 2 BD in which the VLAN is not defined), and (2) the IP sub-network and subnet mask of the VLAN assigned to the user. Next, the UBNC server waits for the station to release its DHCP lease, and then sends an appropriate command to the switch or switches 128 of the layer 2 domain 116 containing the station; the switches place the station in the VLAN assigned to the user. After receiving the response from the UBNC server, the station releases its DHCP lease and then waits a period of time to allow the server to connect the station to the assigned VLAN.
After that period, the station assumes it has been connected and requests a new DHCP lease. In response, the station receives a new IP address. The station checks the new IP address against the IP sub-network and subnet mask received from the UBNC server. If the new IP address is not in that sub-network, the station repeats the procedure by issuing a new request to the UBNC server. The new IP address can be in the wrong sub-network if the station had not yet been connected to the assigned VLAN when it requested the new address. In some embodiments, default VLANs are omitted. In other embodiments, each station, or a group of geographically close stations, is assigned to a separate default VLAN to restrict communication until users are connected to their associated VLANs through the UBNC server. When a user logs out, the user's station is returned to the appropriate default VLAN.
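The following is a constructed simulation of the Appendix A exchange, added here as an example; it is not the patent's UBNC server or client software. The server answers from the three-table database (A), (B), (C) described above, extended with the layer 2 domain that holds each VLAN (item I3 of Appendix C) so that it can pick the VLAN of the user's group in the station's own domain, and the station retries when the new lease is not in the announced sub-network. All user names, MAC addresses, VLAN labels, sub-networks and the SimSwitch class are assumptions for this example.

```python
"""Simulation of the UBNC login exchange of Appendix A.

Added illustration, not the patent's code. The database below is the
three-table form (A), (B), (C) of the description, extended with the layer 2
domain that holds each VLAN (item I3). All names, VLANs and subnets are
constructed for this example.
"""
import ipaddress

USER_GROUP = {"alice": "corporate", "bob": "engineering"}                        # (A)
GROUP_VLANS = {"corporate": ["140b", "140e", "140h"], "engineering": ["140c"]}  # (B)
VLAN_INFO = {                                                                     # (C) + domain
    "140b": ("116P", "10.1.2.0/24"),
    "140c": ("116P", "10.1.3.0/24"),
    "140e": ("116Q", "10.2.5.0/24"),
    "140h": ("116R", "10.3.2.0/24"),
}
DEFAULT_VLAN_SUBNET = {"116P": "10.1.0.0/24", "116Q": "10.2.0.0/24", "116R": "10.3.0.0/24"}


def first_host(cidr):
    """Address a DHCP server of that subnet hands out (constructed: always the first host)."""
    return str(next(ipaddress.ip_network(cidr).hosts()))


def ubnc_lookup(user, domain):
    """VLAN of the user's group inside `domain`, or None when the group has no
    VLAN defined in that domain (then no reconnection is made)."""
    group = USER_GROUP.get(user)
    if group is None:
        return None
    for vlan in GROUP_VLANS[group]:
        vlan_domain, subnet = VLAN_INFO[vlan]
        if vlan_domain == domain:
            return vlan, ipaddress.ip_network(subnet)
    return None


def ubnc_response(user, mac, current_ip, domain):
    """Server reply (1) and (2): whether the station must move, and the target
    subnet and mask. A station already addressed in the target subnet is left alone."""
    hit = ubnc_lookup(user, domain)
    if hit is None:
        return {"reconnect": False, "vlan": None, "subnet": None, "mask": None}
    vlan, net = hit
    return {"reconnect": ipaddress.ip_address(current_ip) not in net, "vlan": vlan,
            "subnet": str(net.network_address), "mask": str(net.netmask)}


def station_check(new_ip, subnet, mask):
    """Station side: the new lease counts only if it lies in the announced subnet."""
    return ipaddress.ip_address(new_ip) in ipaddress.ip_network(f"{subnet}/{mask}")


class SimSwitch:
    """Constructed stand-in for switch 128 and the DHCP servers behind it: the
    VLAN move takes effect only after `latency` further lease requests, which
    reproduces the 'wrong sub-network' race the description guards against."""
    def __init__(self, latency):
        self.latency = latency
        self.moves = {}                       # mac -> [vlan, lease requests still to wait]

    def set_vlan(self, mac, vlan):
        if self.moves.get(mac, [None])[0] != vlan:
            self.moves[mac] = [vlan, self.latency]

    def dhcp_lease(self, mac, domain):
        move = self.moves.get(mac)
        if move and move[1] <= 0:
            return first_host(VLAN_INFO[move[0]][1])       # now in the assigned VLAN
        if move:
            move[1] -= 1
        return first_host(DEFAULT_VLAN_SUBNET[domain])     # still in the default VLAN


def login(user, mac, domain, switch, max_attempts=5):
    """Whole exchange from power-on; returns (vlan, ip, attempts)."""
    ip = switch.dhcp_lease(mac, domain)               # boot: lease from the default VLAN
    for attempt in range(1, max_attempts + 1):
        reply = ubnc_response(user, mac, ip, domain)   # request carries user, MAC, current IP
        if not reply["reconnect"]:
            return reply["vlan"], ip, attempt
        switch.set_vlan(mac, reply["vlan"])           # server commands the switch
        ip = switch.dhcp_lease(mac, domain)           # station: release, wait, re-request
        if station_check(ip, reply["subnet"], reply["mask"]):
            return reply["vlan"], ip, attempt
        # wrong subnet: the move had not happened yet, so ask the server again
    raise RuntimeError(f"{user} never reached the assigned VLAN")


if __name__ == "__main__":
    print(login("alice", "00:11:22:33:44:55", "116P", SimSwitch(latency=1)))
    print(login("bob", "aa:bb:cc:dd:ee:ff", "116Q", SimSwitch(latency=0)))
```

With latency 1 the first re-lease still comes from the default VLAN, the station's sub-network check fails, and the second round succeeds; with bob logging in from domain 116Q, where his group has no VLAN, the server answers that no reconnection is needed and the station keeps its default-VLAN address, which is the case the description calls out.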
APPENDIX B
Creation of Connectivity Groups
M5 Provide the IP address range (for example, 10.0.0.0/8) of network 110 to the management station 124M.
M7 Provide the management station 124M with information I2 (Appendix C).
M10 Define the VLANs.
M14 Assign IP sub-networks to layer 2 BDs.
M20 For each connectivity group, provide the management station with the IP sub-networks that are members of the group. Designate one connectivity group as the connectivity management group.
M30 Assign manageable entities (ports, MAC addresses and/or user names) to the connectivity groups.
M40 Provide information I7 and I8 to the management station.
M45 The management station 124M places the entities in the appropriate VLANs (see Appendix D).
M50 The management station 124M creates the access control lists for the routers (see Appendix E).
APPENDIX C
Management Station Database
I1. IP address range of network 110.
I2. For each domain 116:
I2-1 IP addresses of all VLAN-capable switches 128 in domain 116.
I2-2 Identification of the non-trunk ports 160 of each switch.
I3. For each domain 116, identification of the VLANs in the domain.
I4. For each layer 2 BD, an indication of whether or not the BD is a VLAN, and the IP sub-network(s) included in the BD. If the BD is a VLAN, the identification of the VLAN.
I5. For each connectivity group, the IP sub-networks that belong to the connectivity group.
I6. For each connectivity group, the entities (ports, MAC addresses, and/or user names) that belong to the connectivity group.
I7. For each router interface:
I7-1 The associated sub-networks, if any.
I7-2 A flag indicating whether or not the interface is connected to a VLAN-capable layer 2 domain.
I8. List of all shared sub-networks in network 110.
APPENDIX D
Creation of the VLANs
For each connectivity group CG, for each entity E in the connectivity group (I6):
V1 If entity E is a port 160 of a VLAN-capable switch 128:
V1-1 Find the domain 116-E (one of 116P, 116Q, 116R) to which the port belongs (I2-2, I2-1).
V1-2 Find the VLAN which is in both the connectivity group CG and the domain 116-E (I3, I4, I5).
V1-3 Place port E in the VLAN by sending commands to the switches 128 of domain 116-E or to a control switch 128 of domain 116-E.
V2 Otherwise, if entity E is a MAC address, then for each VLAN in connectivity group CG (I4, I5):
V2-1 Determine the domain 116-V (one of 116P, 116Q, 116R) that contains the VLAN (I3).
V2-2 Place MAC address E in the VLAN by sending the appropriate commands to all the switches 128, or to the control switch 128, of domain 116-V.
V3 Otherwise, if entity E is a user name:
Embodiment 1: For each VLAN in the connectivity group CG (I4, I5):
V3-1 Determine the domain 116-V that contains the VLAN (I3).
V3-2 Send the identification of the VLAN, the identification of domain 116-V, and the user name to the UBNC server.
Embodiment 2:
V3-1 Send the identification of the connectivity group CG and the user name to the UBNC server.
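Worked example of Appendix D over a small Appendix C database, added here as an illustration and not the patent's management-station code. The I2 to I6 tables, the switch names, port numbers and the action tuples it returns are constructed for this example; a real station would turn the tuples into the configuration commands of its switches. It also applies two checks the text implies: a port that is not in the non-trunk list I2-2 is left alone, and a port or MAC address in a domain where the group has no VLAN is skipped, as Appendix G states for moves.

```python
"""Step M45 / Appendix D: placing entities into VLANs from the Appendix C tables.

Added illustration, not the patent's management-station code. I2..I6 are
constructed sample data in the shape Appendix C describes; switch names, port
numbers, VLAN labels and the returned action tuples are this example's own.
"""

I2 = {  # domain -> VLAN-capable switch -> its non-trunk ports (I2-1, I2-2)
    "116P": {"sw1": [1, 2, 3], "sw2": [1, 2]},
    "116Q": {"sw3": [1, 2, 3, 4]},
}
I3 = {"116P": ["140a", "140b"], "116Q": ["140e"], "116R": ["140h"]}  # domain -> VLANs
I4 = {"140a": ["10.1.1.0/24"], "140b": ["10.1.2.0/24"],             # VLAN -> subnets
      "140e": ["10.2.5.0/24"], "140h": ["10.3.2.0/24"]}
I5 = {"corporate": ["10.1.2.0/24", "10.2.5.0/24", "10.3.2.0/24"],     # group -> subnets
      "management": ["10.1.1.0/24"]}
I6 = {  # group -> entities (ports, MAC addresses, user names)
    "corporate": [("port", "sw1", 3), ("port", "sw1", 7),
                  ("mac", "00:11:22:33:44:55"), ("user", "alice")],
    "management": [("port", "sw2", 1), ("port", "sw3", 2)],
}


def domain_of_switch(switch):
    """V1-1: the domain whose switch list (I2) contains the switch."""
    return next((d for d, switches in I2.items() if switch in switches), None)


def domain_of_vlan(vlan):
    """V2-1 / V3-1: the domain whose VLAN list (I3) contains the VLAN."""
    return next((d for d, vlans in I3.items() if vlan in vlans), None)


def vlans_of_group(group):
    """VLANs whose subnet (I4) is one of the group's subnets (I5)."""
    subnets = set(I5[group])
    return [v for v, nets in I4.items() if subnets & set(nets)]


def vlan_in_domain(group, domain):
    """V1-2: the VLAN that is in both the group and the domain, if any."""
    candidates = vlans_of_group(group)
    return next((v for v in I3.get(domain, []) if v in candidates), None)


def create_vlans():
    """Appendix D over every group and entity. Returns, in order, the actions
    the management station would send as tuples."""
    actions = []
    for group, entities in I6.items():
        for entity in entities:
            kind = entity[0]
            if kind == "port":                                    # V1
                _, switch, port = entity
                domain = domain_of_switch(switch)
                vlan = vlan_in_domain(group, domain)
                if vlan is None or port not in I2[domain][switch]:
                    # no VLAN of this group in the domain (Appendix G: change not
                    # made), or the port is a trunk (I2-2 lists non-trunk ports only)
                    continue
                actions.append(("assign-port", switch, port, vlan))      # V1-3
            elif kind == "mac":                                   # V2
                mac = entity[1]
                for vlan in vlans_of_group(group):
                    domain = domain_of_vlan(vlan)
                    for switch in I2.get(domain, {}):             # V2-2: every switch of the domain
                        actions.append(("assign-mac", switch, mac, vlan))
            elif kind == "user":                                  # V3, embodiment 2
                actions.append(("ubnc", group, entity[1]))
    return actions


if __name__ == "__main__":
    for action in create_vlans():
        print(action)
```

Note that the MAC address of the corporate group produces no action for VLAN 140h: domain 116R has no VLAN-capable switch in I2, so there is nothing to configure there, and the switch that eventually sees that MAC address will treat it as unknown, as the maintenance section of Appendix G describes.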
APPENDIX E
Step M50: Creation of the Access Control Lists for the Routers
For each router in network 110 (I2-3), for each interface of the router (I7), if the sub-network associated with the interface belongs to a connectivity group:
A1 Permit traffic from each shared sub-network (I8).
A2 Permit traffic from all other sub-networks in the same connectivity group (I5, I4).
A3 Deny traffic from all sub-networks in network 110 (I1).
A4 Permit traffic from outside network 110.
A5 Open a Telnet session to the router and send to the router: (1) a command to remove the existing ACL, if any, from the interface, for example:
no access-group 1
(2) the access list; (3) the commands:
interface vlan_e
access-group 1 out
These commands assign the ACL to the router interface labeled "vlan_e".
APPENDIX F
Access Control List for the Interface 210 of the Router to VLAN 140e
AL1-1 access-list 1 permit ip 10.3.4.0 0.0.0.255 ! shared sub-network
AL1-2a access-list 1 permit ip 10.1.2.0 0.0.0.255 ! sub-network in the same corporate connectivity group
AL1-2b access-list 1 permit ip 10.3.2.0 0.0.0.255 ! sub-network in the same corporate connectivity group
AL1-3 access-list 1 deny ip 10.0.0.0 0.255.255.255 ! all sub-networks in network 110 outside the same connectivity group
AL1-4 access-list 1 permit ip any ! permit access from outside network 110
APPENDIX G
Maintenance Algorithms
Conversion of a sub-network from unmanaged to a member of a connectivity group
If the sub-network has more than one gateway address, the sub-network does not become a member of a connectivity group. Otherwise, add the sub-network to a connectivity group, and generate access control lists for each interface to which a sub-network in the same connectivity group is directly attached, as described in Appendix E.
Conversion of a sub-network from unmanaged to shared
Add the sub-network to the list I8 of shared sub-networks (Appendix C). Regenerate the access control list of each router interface to which a sub-network in any connectivity group is attached, as described in Appendix E. (The sub-network will be added to each ACL.)
Conversion of a sub-network from shared to unmanaged
Remove the sub-network from list I8 of shared sub-networks (Appendix C). Regenerate the access control list of each router interface to which a sub-network in any connectivity group is attached, as described in Appendix E. (The sub-network will be removed from each ACL.)
Conversion of a shared sub-network to a member of a connectivity group
If the sub-network has more than one gateway address, the sub-network does not become a member of a connectivity group. Otherwise, remove the sub-network from list I8 of shared sub-networks (Appendix C), and add the sub-network to the connectivity group (I5 in Appendix C). Regenerate the access control list of each router interface to which a sub-network in any connectivity group is connected, as described in Appendix E.
Conversion of a sub-network from a member of a connectivity group to unmanaged
Remove the sub-network from the connectivity group (I5 in Appendix C). Regenerate the access control list of each router interface to which a sub-network in the same connectivity group is directly connected, as described in Appendix E. (The sub-network will be removed from each ACL.) Remove, and then regenerate if necessary, the ACL for the router interface to which the sub-network is directly connected, as described in Appendix E. (If no other sub-network is directly connected to the interface, no ACL is regenerated; if there is another sub-network or sub-networks, the appropriate ACL is regenerated.)
Conversion of a sub-network from a member of a connectivity group to shared
Remove the sub-network from the connectivity group (I5 in Appendix C). Remove the ACL from the router interface to which the sub-network is directly connected. Regenerate the access control list of each router interface to which a sub-network in any connectivity group is directly attached, as described in Appendix E. (The sub-network will be removed as a group member from some ACLs, but added as a shared sub-network to each ACL.)
Moving a sub-network from one connectivity group ("old" group) to another ("new" group)
Remove the sub-network from the old group and add it to the new group (I5 in Appendix C). Regenerate the ACL of each router interface to which a sub-network in either connectivity group, old or new, is directly connected, as described in Appendix E.
Adding a new communicating entity (port, MAC address, user, etc.) to a connectivity group (see also step M30)
The administrator indicates the connectivity group to which the new entity is to belong.
Port 160. The port is associated with a switch 128, which is itself part of a layer 2 domain 116. In that layer 2 domain, the selected connectivity group is associated with a particular sub-network, which is itself linked to a particular VLAN. When the port is assigned to the connectivity group, step V1 (Appendix D) is performed to place the port in the VLAN that is the connectivity group's member in that layer 2 domain. Note that ports are generally added in groups, for example when a multi-port module is added to a switch or when a switch is added to the network. In these cases, the complete set of new ports is added to a connectivity group selected by the administrator; the administrator can then change the port assignments one by one if desired.
MAC address. As in the case of ports, within a particular layer 2 domain the selected connectivity group is associated with a sub-network/VLAN pair. For each layer 2 domain, step V2 (Appendix D) configures all switches (or a single control switch, depending on the capabilities of the switches) so that the given MAC address is assigned to the designated VLAN.
User. See step V3 in Appendix D.
Moving a communicating entity (port, MAC address, user) from one connectivity group ("old" group) to another ("new" group) (see also step M30)
Port 160. The port is associated with a VLAN-capable switch 128, which is itself part of a layer 2 domain. In that layer 2 domain, the old and new connectivity groups are associated with particular sub-networks, which are themselves linked to particular VLANs. (If there is no sub-network in the layer 2 domain that belongs to the new connectivity group, the change is not made.) The management station 124M changes the VLAN assignment of the port to the new VLAN.
MAC address. As in the case of a port, within a particular layer 2 domain the new connectivity group is associated with a sub-network/VLAN pair. For each layer 2 domain, station 124M configures all switches (or a single control switch, depending on the capabilities of the switches) so that the given MAC address is assigned to the designated VLAN. If there is no sub-network corresponding to the desired connectivity group in a particular layer 2 domain, no VLAN assignment is made for the MAC address in that domain. If the MAC address later appears in that layer 2 domain, as a result of a move or because the MAC address belongs to a laptop or other mobile computer connected within the domain, the switch takes whatever action it normally takes when an unknown MAC address appears.
User. See step V3 in Appendix D.
Adding a new router interface/VLAN/sub-network
If the new router interface 210 has no directly connected sub-networks (no gateway addresses), no action is required. Otherwise, the interface has one or more gateway addresses and corresponding directly connected sub-networks. For each directly connected sub-network:
1. If the sub-network is already a member of a connectivity group (and is therefore directly connected to an interface of another router), the sub-network is converted into a shared sub-network. See the process above for converting a sub-network from a member of a connectivity group to shared.
2. Otherwise, if the sub-network has already been designated as shared or unmanaged, no action is required.
3. Otherwise, the sub-network is a new sub-network. Add the sub-network to the list I8 of shared sub-networks (Appendix C). Regenerate the access control list of each router interface to which a sub-network in any connectivity group is directly connected, as described in Appendix E. (The sub-network will be added to each ACL as a shared sub-network.) If the sub-network is in a layer 2 domain containing VLAN-capable switches 128, a new VLAN is created in the domain and associated with the new sub-network.
Adding a new router
A new router 130 can have a number of interfaces. For each router interface, the actions described above for a new router interface are performed.
Adding a new VLAN-capable switch
The new VLAN-capable switch 128 is added to a layer 2 domain in which there is a sub-network assigned to the connectivity management group and a VLAN corresponding to this group. If the switch implements port-based VLANs, all the ports of the switch and the switch management stack are assigned to the VLAN corresponding to the sub-network in the connectivity management group. In addition, the switch is assigned an IP address from this sub-network. For example, if sub-network 10.50.3.0/24 is the sub-network in the layer 2 domain that is assigned to the management group, and VLAN 3 is the VLAN associated with sub-network 10.50.3.0/24, a command like the following would be issued at the console of a Cisco Catalyst 5000 series switch to assign it an address in the connectivity management group:
set interface sc0 3 10.50.3.200 255.255.255.0 10.50.3.255
where sc0 is the designator for the switch management stack, 3 is the VLAN corresponding to sub-network 10.50.3.0/24, 10.50.3.200 is the IP address in sub-network 10.50.3.0/24 assigned to the switch management stack, 255.255.255.0 is the subnet mask of sub-network 10.50.3.0/24, and 10.50.3.255 is the broadcast address.
If the switch implements MAC-address-based VLANs, the MAC address of the management stack is assigned to the VLAN corresponding to the sub-network in the connectivity management group. As with port-based VLANs, the switch is assigned an IP address from this sub-network.
Adding a new connectivity group
A new (empty) connectivity group can be added at any time. The way in which a sub-network is added to a connectivity group was discussed above.

Claims (32)

CLAIMS
Having described the present invention, the following is considered novel and is therefore claimed as property:
1. A method for linking network stations to virtual broadcast domains (VBDs; 140a to 140i), said method comprising: receiving, from a network station in a network, information identifying a user of the network station; determining, from the user identification information, a connectivity group to which the user belongs, wherein the connectivity group contains one or more VBDs; determining one or more VBDs to which the network station is to be linked, wherein the one or more VBDs are members of the connectivity group; and issuing a command to link the network station to the one or more VBDs.
  2. 2. The method, as described in Claim 1, further characterized in that: each VBD is a subfield of a field (1 16P) capable of restricting the transmission traffic to the VBD in which the traffic originates; the connectivity group contains VBDs from at least two fields; and the one or more VBDs to which the network station is going to be linked are determined based on the field that contains the network station.
  3. 3. The method, as described in Claim 2, further characterized in that each VBD is a VLAN, and the network station is to be linked to the VLAN which belongs to the connectivity group and to the field containing the network station .
  4. 4. A structure for linking network stations to virtual transmission fields (VBDs; 140), said structure comprising: means for receiving information from a network station, on a network, identifying a user of the network station; means for determining, from the user identification information, a connectivity group to which the user belongs, wherein the connectivity group contains one or more VBDs; means for determining one or more VBDs to which the network station is to be linked, wherein the one or more VBDs are members of the connectivity group; and means for issuing a command to link the network station to one or more VBDs.
  5. 5. The structure, as described in Claim 4, further characterized in that: each VBD is a subfield of a field (1 16P) with capacity to restrict the transmission traffic to the VBD in which the traffic originates; the connectivity group contains VBDs from at least two fields; and the one or more VBDs to which the network station is to be linked, are determined based on a field that contains the network station.
  6. 6. The structure, as described in Claim 5, further characterized in that each VBD is a VLAN, and the network station is to be linked to the VLAN which belongs to the connectivity group, and to the field containing the net.
  7. 7. The structure, as described in Claim 4, further characterized in that it comprises (1) a computer system (124M), and (2) a program loaded within the computer system, comprising the computer system and the program each one of said means of determination.
  8. 8. The structure, as described in Claim 4, further characterized in that the structure is a computer means that can be read and wherein each of the means comprises one or more computer instructions, computer reading data, or a combination of one or more instructions or data.
  9. 9. A method to create one or more access control lists (ACLs) for one or more apparatuses (130) that route traffic between the network fields (1 16P, 1 16Q, 1 16R, 1 16S, 1 16T), where if an ACL is provided to said apparatus, the apparatus uses the ACL to determine what traffic is allowed and / or not allowed between the fields, said method comprising: defining one or more groups of sub-networks (140a, 1 16T) so that traffic will be allowed within each group of sub-networks, where each sub-network is a portion of a network field or is a total network field and for each group, providing identifications of the sub-networks, belonging to the group, to a system of computer; the computer system generates the one or more ACLs to allow traffic within each group.
  10. 10. The method, as described in Claim 9, further characterized in that it comprises the definition of a plurality of said groups, wherein the one or more ACLs do not allow traffic between the sub-networks in different groups. eleven .
  11. The method, as described in Claim 9, further characterized in that it comprises the reception by the computer system of an identification of one or more shared sub-networks, where traffic will be allowed between each sub-network shared, and any other sub-network of any of the groups, where the one or more ACLs allows traffic between any of the shared sub-networks and any of the sub-networks in any of the groups.
  12. 12. The method, as described in Claim 9, further characterized in that: at least each of the fields has the ability to restrict traffic in the field; and the method further comprises: for each or more groups, the computer system receives the information to identify the traffic allowed and / or not allowed within the group, where the information is going to be used by one or more fields in the restriction of traffic; The computer system configures each field with traffic restriction capacity, to allow and / or reject traffic as specified by said information.
  13. 13. The method, as described in Claim 12, further characterized in that the information for identifying permitted and / or rejected traffic within a group comprises an identification of one or more of: (1) ports (160) of one or more switches (128) each of them sending traffic within a field with traffic restriction capacity, where the ports will carry the traffic within the group, (2) the physical addresses of the entities (124) belonging to the group, and (3) the names of the users allowed to send or receive traffic within the group.
  14. 14. The method, as described in Claim 9, further characterized in that each identification of the sub-network is an address or an address range.
  15. 15. The method, as described in Claim 9, further characterized in that the one or more traffic routers based on the IP addresses, and within each field the traffic is sent between the stations based on the physical addresses.
  16. 16. A structure for the creation of one or more access control lists (ACLs) for one or more apparatuses (130) that route traffic between the fields of the network (1 16P, ..., 1 16T), where an ACL is provided to said apparatus, the apparatus uses the ACL to determine what traffic is allowed and / or not allowed between the fields, said structure comprising: means for defining a computer system of one or more groups of sub-networks (140, 1 16) so that the traffic that is to be allowed within each group, and where each subnet is a portion of a network field, or is a total network field, the means being also for reading by the computer system, for each group, identification of the sub-networks that belong to the group; means for generation by the computer system of the one or more ACLs to allow traffic within each group.
  17. 17. The structure, as described in Claim 16, further characterized in that said structure comprises the computer system (124M) and a program loaded within the computer system, comprising, the combination of the computer system and the program, the means of definition and the means of generation.
  18. 18. The structure, as described in Claim 16, further characterized in that the structure is a computer reading means which comprises instructions for implementing the definition means and the generation means.
  19. The structure, as described in Claim 16, further characterized in that the one or more ACLs do not allow traffic between the sub-networks in different groups when the defining means define a plurality of groups.
  20. The structure, as described in Claim 16, further characterized in that it additionally comprises means for the computer system to read an identification of one or more shared sub-networks (116S) between which and any other sub-network in any other of the groups traffic is to be allowed, wherein the one or more ACLs allow traffic between any of the shared sub-networks and any of the sub-networks of any other of the groups.
  21. The structure, as described in Claim 16, further characterized in that: at least one of the domains has the ability to restrict traffic within the domain; and said structure further comprises: means for the computer system to read, for each of one or more groups, information identifying the traffic allowed and/or not allowed within the group, wherein the information is to be used by one or more domains in restricting traffic; and means for the computer system to configure each domain with traffic-restriction capability to allow and/or reject traffic as specified by said information.
  22. The structure, as described in Claim 21, further characterized in that the information identifying the traffic allowed and/or rejected within a group comprises an identification of one or more of: (1) ports (160) of one or more switches (128), each of which forwards traffic within a domain with traffic-restriction capability, wherein the one or more ports are to carry traffic within the group; (2) the physical addresses of the entities that belong to the group; and (3) the names of the users allowed to send or receive traffic within the group.
  23. The structure, as described in Claim 16, further characterized in that each of the network identifications is an address or a range of addresses.
  24. The structure, as described in Claim 16, further characterized in that the one or more routing devices route traffic based on IP addresses, and within each domain traffic is forwarded between the stations based on physical addresses.
  25. A method for establishing connectivity in a network comprising a plurality of domains (116), wherein: each network station can have both addresses of a first type and addresses of a second type; traffic between network stations within each of the domains is delivered to the destination network stations using the first-type addresses of the destination stations without using their second-type addresses, but between domains traffic is transferred, and restricted, using the second-type addresses of the destination stations; and at least one domain has the ability to have sub-domains (140) defined within it so that the domain allows traffic within a single sub-domain but prevents traffic between sub-domains; said method comprising: providing a computer system (124M) with information INF1 that defines the traffic belonging to a connectivity group CG1, wherein the connectivity group CG1 is to have sub-domains in different domains, at least two of which each have the capability to restrict traffic to a sub-domain; and, for at least the connectivity group CG1, the computer system configuring each domain D1 having a sub-domain SD1 in the connectivity group CG1 so that the domain D1 allows the traffic defined by said information INF1 but restricts said traffic to the sub-domain SD1 when the domain delivers the traffic using the first-type addresses without using the second-type addresses.
  26. The method, as described in Claim 25, further characterized in that the information defining the traffic comprises, for at least one group, an identification of one or more of: (1) ports (160) of one or more switches (128), each of which forwards traffic within a single domain, and wherein the one or more ports are to carry traffic within the group; (2) the physical addresses of the stations (124) that are members of the group; and (3) the names of the users allowed to send or receive traffic within the group.
  27. The method, as described in Claim 26, further characterized in that configuring each domain comprises, for a switch that forwards traffic within a single domain having a sub-domain in the group, configuring the switch to: (a) allow traffic between the physical addresses of the stations that are members of the group, and (b) reject traffic between the physical addresses of stations that are members of different groups.
  28. A structure for establishing connectivity in a network comprising a plurality of domains (116), wherein: each network station can have both a first type of address and a second type of address; traffic between network stations within each of the domains is delivered to the destination network stations using the first-type addresses of the destination stations without using their second-type addresses, but between domains traffic is transferred, and restricted, using the second-type addresses of the destination stations; and at least one domain has the ability to have sub-domains (140) defined within it so that the domain allows traffic within a single sub-domain but rejects traffic between sub-domains; said structure comprising: means for receiving, by a computer system (124M), information INF1 that defines the traffic belonging to a connectivity group CG1, wherein the connectivity group CG1 is to have sub-domains in different domains, at least two of which each have the capability to restrict traffic to a sub-domain; means for receiving, by the computer system, for at least one connectivity group, identifications of the sub-domains that are members of the connectivity group; and means for configuring, by the computer system, at least for the connectivity group CG1, each domain D1 having a sub-domain SD1 in the connectivity group CG1 so that the domain D1 allows the traffic defined by said information INF1 but restricts said traffic to the sub-domain SD1 when the domain D1 delivers the traffic using the first-type addresses without using the second-type addresses.
  29. The structure, as described in Claim 28, further characterized in that the information defining the traffic comprises, for at least one group, an identification of one or more of: (1) ports (160) of one or more switches (128), each of which forwards traffic within a single domain, and wherein the one or more ports are to carry traffic within the group; (2) the physical addresses of the stations (124) that are members of the group; and (3) the names of the users allowed to send or receive traffic within the group.
  30. The structure, as described in Claim 28, further characterized in that the structure comprises the computer system and a program loaded into the computer system, and the combination of the computer system and the program comprises all of said means.
  31. The structure, as described in Claim 28, further characterized in that the structure is a computer-readable medium comprising instructions for implementing all of said means.
  32. The structure, as described in Claim 28, further characterized in that traffic within each domain is forwarded between the stations based on the physical addresses of the stations, and traffic between domains is routed based on the logical addresses of the stations.

SUMMARY

A network includes a number of domains ("layer 2 domains") interconnected by routers. Within each domain, traffic is forwarded based on MAC addresses (or other data link layer addresses). Routers route traffic based on IP addresses or other network layer addresses. To restrict network connectivity, a network administrator specifies connectivity groups, each of which is a group of sub-networks that are allowed to communicate. The administrator also specifies which entities (MAC addresses, ports or user names) belong to the same group. A computer system automatically creates access control lists for routers to allow or deny traffic as specified by the administrator. The computer system also creates VLANs to allow or deny traffic as specified, where each VLAN is part of a domain or is a complete domain. Connectivity within each domain is restricted by the VLANs, and connectivity between domains is restricted by the access control lists.
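The two-level mechanism the claims describe (router ACLs between layer 2 domains, VLANs inside them) can be followed end to end in a small script. The following is an added illustration written for this page; it is not the patent's or Internap's code. The domain names, sub-networks, MAC addresses and the shared sub-network are constructed sample data, and the IOS-style ACL rendering is one possible output format chosen here, not one the patent specifies.

```python
"""Added illustration (not the patent's or Internap's code): derive router ACLs
and per-domain VLAN membership from connectivity-group definitions."""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample topology (hypothetical addresses):
# layer-2 domain -> {sub-network: MAC addresses of member stations}
DOMAINS = {
    "D1": {"10.1.1.0/24": ["00:aa:00:00:00:01", "00:aa:00:00:00:02"],
           "10.1.2.0/24": ["00:aa:00:00:00:03"]},
    "D2": {"10.2.1.0/24": ["00:bb:00:00:00:01"],
           "10.2.2.0/24": ["00:bb:00:00:00:02"]},
}
# Connectivity groups span domains; a shared sub-network (claim 20) may also
# talk to every sub-network of every other group.
GROUPS = {"CG1": ["10.1.1.0/24", "10.2.1.0/24"],
          "CG2": ["10.1.2.0/24", "10.2.2.0/24"]}
SHARED = ["10.2.2.0/24"]


def _membership(groups):
    """Map each sub-network to the connectivity group it belongs to."""
    return {net: g for g, nets in groups.items() for net in nets}


def build_acl(groups, shared):
    """Ordered (action, src, dst) rules for the routers between domains.

    Permit traffic between sub-networks of the same group and to/from any
    shared sub-network; everything else falls through to the final deny
    (claim 19). Same-subnet traffic never reaches a router, so it needs no rule.
    """
    member = _membership(groups)
    rules = []
    for src, dst in product(member, repeat=2):
        if src == dst:
            continue
        if member[src] == member[dst] or src in shared or dst in shared:
            rules.append(("permit", src, dst))
    rules.append(("deny", "any", "any"))
    return rules


def _matches(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)


def is_allowed(rules, src_ip, dst_ip):
    """First-match evaluation, the way a router walks an ACL."""
    for action, src, dst in rules:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action == "permit"
    return False  # implicit deny when nothing matched


def build_vlans(domains, groups):
    """One VLAN per connectivity group in each domain (the sub-domains of
    claims 25/28): {domain: {group: [MACs admitted to that VLAN]}}.
    Stations of different groups in the same domain land in different VLANs,
    so their traffic can only meet at a router, where the ACL denies it."""
    member = _membership(groups)
    vlans = {}
    for domain, nets in domains.items():
        for net, macs in nets.items():
            vlans.setdefault(domain, {}).setdefault(member[net], []).extend(macs)
    return vlans


def render_ios(rules, number=101):
    """Render the rules as IOS-style extended ACL lines (wildcard masks)."""
    def wc(net):
        if net == "any":
            return "any"
        n = ip_network(net)
        return f"{n.network_address} {n.hostmask}"
    return [f"access-list {number} {a} ip {wc(s)} {wc(d)}" for a, s, d in rules]


if __name__ == "__main__":
    acl = build_acl(GROUPS, SHARED)
    print("\n".join(render_ios(acl)))
    for dom, vl in build_vlans(DOMAINS, GROUPS).items():
        print(dom, vl)
    print(is_allowed(acl, "10.1.1.5", "10.1.2.5"))  # cross-group, no shared: False
```

Running the script prints the generated ACL, the per-domain VLAN membership, and a sample cross-group check. The order of the permit rules does not matter here because they never overlap; the single trailing deny is what enforces the group boundaries, so a practitioner reviewing such generated output should check that nothing is appended after it.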
MXPA/A/2000/010209A 1998-04-27 2000-10-18 Establishing connectivity in networks MXPA00010209A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09067761 1998-04-27

Publications (1)

Publication Number Publication Date
MXPA00010209A true MXPA00010209A (en) 2002-03-26

Similar Documents

Publication Publication Date Title
US6167052A (en) Establishing connectivity in networks
KR101089442B1 (en) System, method and function for ethernet mac address management
US5751971A (en) Internet protocol (IP) work group routing
JP4587446B2 (en) NETWORK SYSTEM, SWITCH DEVICE, ROUTE MANAGEMENT SERVER, ITS CONTROL METHOD, COMPUTER PROGRAM, AND COMPUTER-READABLE STORAGE MEDIUM
EP2569908B1 (en) A method to pass virtual local area network information in virtual station interface discovery and configuration protocol
US8085662B2 (en) Open network connections
US20030051195A1 (en) Systems and methods for isolating faults in computer networks
GB2422508A (en) Establishing network connections
Yu et al. A survey of virtual LAN usage in campus networks
US20150030027A1 (en) Switch Device With Device-Specified Bridge Domains
Alimi et al. Enhancement of network performance of an enterprises network with VLAN
EP4250650A2 (en) System resource management in self-healing networks
JP3858884B2 (en) Network access gateway, network access gateway control method and program
US8437357B2 (en) Method of connecting VLAN systems to other networks via a router
Odi et al. The proposed roles of VLAN and inter-VLAN routing in effective distribution of network services in Ebonyi State University
RU2310994C2 (en) Traffic division filter
Prasad et al. Intervlan routing and various configurations on Vlan in a network using Cisco Packet Tracer 6.2
JP2003167805A (en) Network communication method and server device between multiple user side closed network and server side closed network
US20040057439A1 (en) Hierarchical optical VPNs in a carrier's carrier VPN environment
CN100413260C (en) Configuration method of virtual local area network identification in virtual local area network slave node
MXPA00010209A (en) Establishing connectivity in networks
JP3794496B2 (en) Network connection method, network connection system, layer 2 switch and management server constituting the same
EP1701503B1 (en) Lawful interception in IP networks
US7969966B2 (en) System and method for port mapping in a communications network switch
EP1770913A1 (en) System and method for port mapping in a communications network switch