Virtual network architecture

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Details

C370S409000

Reexamination Certificate

active

06205147

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates generally to networks of the type that connect two or more data processing elements to one another for data communication. More particularly, the invention relates to a method and apparatus for dividing a physical network into a number of separate, “virtual” networks and work groups. Communication is then allowed only between elements that are members of the same virtual network and workgroup.
The recent growth of the personal computer market has been accompanied by the desire to interconnect numbers of personal computers for resource sharing, distributed processing, and like data processing functions. Such interconnectivity is often accomplished using local area network (LAN) or wide area network (WAN) topologies. A LAN topology typically interconnects data processing equipment in a limited geographic area by such physical media as twisted pair wiring or coaxial cable and various connective devices such as repeaters, routers, and bridges. Information is communicated by message packets.
Repeaters operate to repeat information from one transmitting medium to all others to which the repeater connects; that is, a repeater connects segments of the same network to form an extended network, and message packets received by the repeater are repeated to all connected segments. Bridges, on the other hand, connect separate LANs. Bridges typically operate to pass message packets on one LAN to another LAN if the destination of that message packet is not located on the source LAN, examining the message packet to determine onto which network the message packet should be forwarded.
Routers also connect separate LANs. They are capable of communicating with end nodes and other routers, by which communication they determine internal routing tables. Message packets are forwarded based upon destination address contained in the message packets and these routing tables.
Since bridges and routers are capable of selective communication of message traffic, they do perform some message security functions. One limitation of this is that end nodes (the data processing elements interconnected by the network) on the same local area network (LAN) have access to all message packets sent to any one of them.
Recent advances in the industry have provided repeaters with the ability to perform security functions in order to preclude connected end nodes from receiving message packets. Examples of such message security are found in U.S. Pat. Nos. 5,177,788, 5,161,192, and 4,901,348. A message packet received by a repeater will be examined for source and/or destination information contained in the message packet. Based upon that examination, a determination is made as to which ports of the device will be allowed to re-send the message packet, and which will be precluded from re-sending.
SUMMARY OF THE INVENTION
The invention is preferably employed in a network infrastructure of a type including a number of connective devices (e.g., repeaters, routers, and bridges) interconnected to provide data communication between data processing elements. Specifically, the invention provides a method, and apparatus for implementing that method, for controlling message traffic and bandwidth within a network based upon the entry and exit points of the network infrastructure used by the message traffic. The invention operates to prevent unauthorized communication, limiting transmission of message traffic from the network infrastructure to only those exit points authorized—based upon the point of entry to the network infrastructure of the message traffic.
Broadly, the invention allows the physical configuration of a network infrastructure to be sub-divided into a number of “virtual” networks. Entry/exit points to the network infrastructure for end nodes (i.e., data processing equipment such as workstations, peripherals, and shared resources) are assigned to one or another of the virtual networks, thereby assigning the connected end nodes to the corresponding virtual networks. Further, according to the invention, each virtual network may be divided into workgroups, and the entry/exit points (and, therefore, the connected end nodes) assigned to one or more such workgroups. Communication between the end nodes is limited to those assigned to specific virtual networks and workgroups.
In a preferred embodiment of the invention the network infrastructure employs a number of connective devices (routers, repeaters, bridges, and the like) that are interconnected to one another. They connect to end nodes by physical transmission media such as twisted pair wiring or coaxial cable. The network infrastructure provides data communication for message traffic in the form of message packets between end nodes that connect to ports (entry/exit points) of the infrastructure by physical media. According to the invention, each port providing entry/exit access to/from the network infrastructure is provided with virtual network identification (VNID) information. Entry points to the network infrastructure are assigned an input virtual network identification (I-VNID), and all message packets incoming through a port of the network infrastructure (i.e., at a particular connective device) from an end node will have the I-VNID information assigned to that port associated with the packet. This association is maintained as long as the packet remains in the network infrastructure.
Similarly, exit points from the network infrastructure are assigned an outgoing virtual network identification (O-VNID). A port may have an assigned I-VNID that is the same as its assigned O-VNID, or the assigned I-VNID and O-VNID for the port may be different.
When a message packet has entered the network infrastructure, and in so doing been assigned I-VNID information, that I-VNID information is checked at all ports of the network infrastructure at which the packet seeks departure by comparing the message packet's I-VNID information with the O-VNID information of the departure port. If the I-VNID information of the packet matches the O-VNID of the port, the packet will be transmitted from the port. Conversely, if there is no such match, the packet will not be transmitted.
In the preferred embodiment of the invention the VNID information includes two separate fields: one to identify the particular virtual network to which a port is assigned, and the second to identify one or more “workgroup” divisions of which the port is a member. Generally then, message packets are allowed to exit only those ports having O-VNID information that identifies a virtual network and workgroup assignment matching the one allocated to the message packet by the port of its entry. (As will be seen, the virtual network assignments must match exactly, but only one of the number of possible workgroup assignments need match for exit from a port.) On the other hand, the port will not send the message packet if the I-VNID information associated with the message packet does not match the O-VNID of the port from which the packet seeks to exit.
In the case of exit ports in a repeater, if the exit port is of a virtual network different from that identified in the I-VNID information of the message packet, or if there is no workgroup match, the message will exit the port with the data of the message replaced with a meaningless bit pattern.
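The entry tagging and exit check described above, as an added illustration that is not part of the patent text: a packet is stamped with its entry port's I-VNID, may leave a port only if the virtual network matches exactly and at least one workgroup overlaps, and a repeater exit that fails the check still sends a frame whose data has been replaced. The port names, workgroup numbers and the use of random bytes as the "meaningless bit pattern" are this example's own assumptions.

```python
from dataclasses import dataclass
import os
@dataclass(frozen=True)
class VNID:
    """Virtual network id plus the workgroup ids a port belongs to."""
    network: int
    workgroups: frozenset

@dataclass(frozen=True)
class Port:
    name: str
    i_vnid: VNID            # stamped on packets entering through this port
    o_vnid: VNID            # what a packet's I-VNID must match to leave here
    repeater: bool = False  # repeater exits scramble instead of staying silent

@dataclass(frozen=True)
class Packet:
    header: str                   # addressing, left untouched by the infrastructure
    data: bytes
    i_vnid: "VNID | None" = None  # attached at entry, kept while inside
def ingress(port: Port, pkt: Packet) -> Packet:
    return Packet(pkt.header, pkt.data, port.i_vnid)  # associate the port's I-VNID

def may_exit(pkt: Packet, port: Port) -> bool:
    """Virtual network must match exactly; only one workgroup needs to overlap."""
    if pkt.i_vnid is None:
        return False
    return (pkt.i_vnid.network == port.o_vnid.network
            and bool(pkt.i_vnid.workgroups & port.o_vnid.workgroups))

def egress(pkt: Packet, port: Port) -> "Packet | None":
    """Packet as it leaves this exit port, or None if the port stays silent."""
    if may_exit(pkt, port):
        return pkt
    if port.repeater:  # frame still leaves, but data becomes a meaningless pattern
        return Packet(pkt.header, os.urandom(len(pkt.data)), pkt.i_vnid)  # random: assumed
    return None

def forward(entry: Port, ports: list, pkt: Packet) -> dict:
    """Tag at the entry port, then evaluate every other port as an exit point."""
    tagged = ingress(entry, pkt)
    return {p.name: egress(tagged, p) for p in ports if p is not entry}
# Constructed topology: three ports on virtual network 1, one on virtual network 2.
ENG = Port("eng", VNID(1, frozenset({1, 2})), VNID(1, frozenset({1, 2})))
QA = Port("qa", VNID(1, frozenset({2})), VNID(1, frozenset({2})), repeater=True)
OPS = Port("ops", VNID(1, frozenset({3})), VNID(1, frozenset({3})), repeater=True)
FIN = Port("fin", VNID(2, frozenset({1, 2})), VNID(2, frozenset({1, 2})))
def demo() -> dict:
    # Broadcast from eng: delivered at qa, scrambled at ops, never sent from fin.
    return forward(ENG, [ENG, QA, OPS, FIN], Packet("eng-host->all", b"design-doc-v3"))
```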
There are a number of advantages achieved by the present invention. By dividing a physical network infrastructure in the manner proposed by the invention, message packets can be allocated to limited numbers of ports and end nodes rather than allowing the message packets to propagate through the entire system. In one embodiment of the invention, the capability of being able to preclude retransmission of a message from a port exit that is not a member of virtual network/workgroup associated with the packet provides a way to manage bandwidth on a media segment. End nodes of a particular media segment will see only those message packets originating with the other end nodes (if any) connected to that media segment and such other message
