KR20000011371A - Secure port access to a device on a local area network - Google Patents

Abstract

PURPOSE: A network device is provided to prevent a non-permitted user from accessing to the network resource and to increase the network band resource so more users as to share the resource. CONSTITUTION: The network device contains; a memory for storing the plural programmed addresses; a port for receiving and transmitting the packet data including the source address through a network; a controller combined with the port and the memory and for comparing the source address with the plural programmed addresses, and disabling the port if the source address is not equal to anything of the plural programmed addresses.

Description

Secure port access to devices on LAN {SECURE PORT ACCESS TO A DEVICE ON A LOCAL AREA NETWORK}

The present invention relates generally to exchanging data over a local area network (LAN), and, more particularly, to secure port access to devices on a LAN.

LANs are commonly used to interconnect computers or other devices. One computer may send a packet of data to another computer via a network. This packet includes a source address field, a destination address field, a data field, and other fields. The destination address field is used to route the packet to the appropriate destination.

A LAN may be augmented to include a large number of devices and to reach a large physical space. For example, multiple personal computers can be interconnected via a LAN. Personal computers may be distributed across multiple locations. As the number of devices increases, so does the demand for network bands. As the distance between devices increases, so does the signal degradation.

Network devices such as routers, hubs, switches, bridges, repeaters, and the like may be used to distribute network traffic and amplify network signals. For example, a network switch may be used to divide the network into subnetwork. When there is no need to send a packet to all subnetworks, this switch routes this packet to the appropriate subnetwork (ie, the subnetwork with the device address that matches the destination address of this packet). In this way, the switch can reduce traffic within the subnetwork.

LANs can also be used to share data and computer resources among multiple users located in various physical locations. Authorized users should be able to access and share these resources, but unauthorized users should be prohibited from doing so. However, as the number of network devices increases, it becomes more difficult to properly identify unauthorized users. Likewise, as the number of physical locations housing network devices increases, it becomes more difficult to ensure network security. For example, an unauthorized user may enter the LAN and attempt to access secret data or computer resources.

Thus, there is a need for a network device that prevents unauthorized users from accessing network resources. There is also a need for network devices that augment network bandwidth resources so that more users can share resources.

According to one aspect of the invention, a network device for receiving and transmitting packet data includes a memory, a port, and a controller. The memory is configured to store a plurality of programmed addresses. The port is configured to receive and transmit packet data (including source address) over the network. The controller is operatively coupled to the port and the memory and is configured to compare the source address with a plurality of programmed addresses. If the source address does not match any of the plurality of programmed addresses, the controller disables the port.

According to another aspect of the present invention, a network device that receives and transmits packet data includes a register, a port, and a memory. The register is configured to select from a plurality of operating modes, including a secure program mode. The port is operatively associated with a register and configured to receive packet data (including source address) over the network. The memory is operatively associated with registers and ports and configured to store a plurality of programmed addresses. The memory compares the source address with a plurality of programmed addresses and, upon detecting a mismatch, disables the port.

According to another aspect of the invention, a network device receives packet data (including a source address) via a first port. The network device compares the source address with a plurality of programmed addresses. If the comparing step results in a mismatch, the network device disables the first port.

1 is a block diagram of one preferred embodiment of a switched network comprising three data exchangers and two associated uplinks.

2 is a block diagram of another preferred embodiment of a switched network including two data exchanges connected to a switch bus.

3 is a block diagram of one preferred embodiment of dividing a frame into cells.

4 is a block diagram of one preferred embodiment of a data cell.

5 is a block diagram of one preferred embodiment of the look-up engine of FIG.

6 is a block diagram of the source address memory of FIG. 5;

7 is a flow diagram of the preferred operation of the lookup engine of FIG. 5 in first head mode.

8 is a flow chart of the preferred operation of the lookup engine of FIG. 5 in last head mode.

9 is a flow chart of a preferred operation of the lookup engine of FIG. 5 in a secure program mode.

* Description of the symbols for the main parts of the drawings *

110, 120, 130, 210, 260: data exchange device

111, 112 ... 117, 118, 121 ... 124, 131, 132 ... 142, 143: Computer

221, 222 ... 232, 233, 271, 272 ... 282, 283: ports

150: switch bus 160, 170: uplink

202a, 202b: Packets 212, 262: External Physical Layer

236, 286: lookup engine 234, 284, 524: receive FIFO

242, 292: transmit FIFO 244, 294: broadcast buffer

246, 296: external memory 238, 288: bus interface

240, 290: buffer manager 252: switch arbitration

510: Transmission buffer manager 530: CAM

540: CAM Manager

Referring to Fig. 1, a preferred embodiment of a switched network 100 including three data exchange devices 110, 120, 130 will be described. The data exchange devices 110, 120, 130 are connected via a switch bus 150, thereby allowing the data exchange devices 110, 120, 130 to share data. The data exchange devices 110, 120, 130 are each connected to a plurality of computers or other devices. Specifically, the data exchange device 110 is connected to the computer 111-118 (113-116 is not shown). The data exchange device 120 is connected to the computers 121-124. The data exchange device 130 is connected to a computer 131-143 (133-141 not shown).

Data exchange devices 110, 120, 130 are configured to route packet data between the computers. For example, computer 111 may transmit a data packet with a destination address that matches the destination address of computer 122. When properly routed, this packet passes through the data exchange 110, through the switch bus 150, through the data exchange 120 and to the computer 122. Other computers can communicate in a similar manner.

In one preferred embodiment, the network 100 is configured to allow any computer to communicate with other computers. However, as the number of computers increases, so does the network traffic. Thus, in another preferred embodiment, the network 100 is configured to define a plurality of virtual LANs (VLANs). Through the first VLAN, computers 111, 118, 122, 131, 143 (respectively indicated by hatching) can communicate. Through the second VLAN, computers 112, 117, 121, 123, 124, 132, 142 can communicate. By dividing the network 100 into two VLANs, traffic for each is reduced. This network may be further divided into additional VLANs, depending on the particular network request.

Each computer shown in FIG. 1 may include a subnetwork of a computer or other device. Thus, data exchange devices 110, 120, 130 may operate to interconnect sub-networks.

Data exchange devices 110 and 120 each include uplinks 160 and 170, respectively. Uplinks 160 and 170 provide access to higher level networks, such as enterprise networks. The data exchange device 110, 120 transmits the packet to the upper level network via the uplinks 160, 170, respectively, if the destination address of the packet does not match by another computer connected to the switch bus 150. will be. In addition, the data exchange devices 110 and 120 will transmit multicast and broadcast packets on the uplinks 160 and 170, respectively.

2, another preferred embodiment of a switched network 200 is described. The switched network 200 includes a first data exchange 210 and a second data exchange 260. As shown, the data exchange devices 210 and 260 each include several functional blocks that enable high speed routing of packet data. This functional block may be implemented using commercially available components such as a controller or processor, or may be specifically designed to perform the functions described herein.

The data exchanger 210 and the data exchanger 260 are each provided with a plurality of ports for connecting to an external network device. More specifically, the data exchange device 210 is provided with ports 221-233 (ports 223-231 are not shown), and the data exchange device 260 has ports 271-283 (ports 273-281). Is not shown). Ports 221-233 are each connected to an external physical layer 212. As shown, the external physical layer 212 may be configured as a single device to operatively connect each port to a physical network. In addition, the physical layer 212 may be configured with a number of separate devices to each operatively connect a single port to the network. Physical layer 212 provides a physical connection to the network, and provides a media independent interface to ports 221-223. Each of the ports 271-283 is connected to an external physical layer 262. External physical layer 262 provides the same functionality as physical layer 212. Each of the ports 221-233, 271-283 provides a media access control function for sending and receiving data over the network.

The data exchanger 210 is connected to the data exchanger 260 via a switch bus 250 and a switch arbitration link 252. As described below, packet data received via the port by the data exchange 210 may be transmitted to the data exchange 260 via the switch bus 250. The data exchange 260 may in turn transmit this packet data through one of the ports in the data exchange 260. In this way, a network device connected to one of the ports 221-233 may transmit data to the device connected to one of the ports 271-283. Similarly, a network device connected to one of the ports 271-283 may transmit data to the device connected to one of the ports 221-233. Although only two data exchangers are shown, additional data exchangers may be connected via switch bus 250 and switch arbitration link 252.

The data exchange 210 includes a receive FIFO 234, a transmit FIFO 242, and a broadcast buffer 244. Receive FIFO 234 is connected to each of ports 221-233 to receive packet data. Receive FIFO 234 provides temporary storage of frame data before transmitting this data over switch bus 250.

The transmit FIFO 242 is connected to each of the ports 221-233 to transmit unicast frame data. Transmit FIFO 242 includes a separate FIFO for each port. The transmit FIFO 242 moves data from the external memory 246 to the appropriate port using the destination address of the unicast frame data, via the appropriate FIFO.

The broadcast buffer 244 is connected to each of the ports 221-233 to transmit broadcast and multicast frame data. Broadcast buffer 244 includes 10 Mb / s and 100 Mb / s FIFOs. These FIFOs also move data from external memory 246 to the appropriate ports.

Bus interface 238 transmits data from receive FIFO 234 to switch bus 250. Bus interface 238 provides a low voltage high band driver for transferring data over switch bus 250. Bus interface 238 also reads data from switch bus 250. The bus interface 238 provides the header data to the lookup engine 236 and provides the frame data to the transmit buffer 242 and the broadcast buffer 244.

As described below, the bus interface 238 accesses the lookup engine 236 to determine whether to accept data from the switch bus and maintain a routing table. If this data is accepted, the bus interface 238 uses the header data to provide a routing command to the buffer manager 240.

Based on this routing instruction, buffer manager 240 stores this data in external memory 246. The buffer manager 240 also tracks the amount of memory used and controls queues in the external memory 246. This queue is used to store data for congested ports.

The data exchange device 260 includes functional blocks that operate similarly to the functional blocks of the data exchange device 210. Specifically, data exchange device 260 includes a receive FIFO 284, a lookup engine 286, a bus interface 288, a buffer manager 290, a transmit FIFO 292, a broadcast buffer 294, and An external memory 296. These blocks are the same as receive FIFO 234, lookup engine 236, bus interface 238, buffer manager 240, transmit FIFO 242, broadcast buffer 244, and external memory 246, respectively. Function in a way.

The path when a single unicast packet travels from data exchange 210 to data exchange 260 is described. First, the packet 202a is received by the external physical layer 212. If properly operated, the first packet will be completely received before other packets are received by the same port. The outer physical layer 212 converts the packet 202a into frame data, which is provided to the port 221 via a media independent interface. This conversion converts media dependent packet data into a nibble wide NRZ format.

Port 221 monitors incoming data for the start-of-frame delimiter (SFD). Upon receiving the SFD, port 221 divides this frame data into 48 bit cells. This cell is then forwarded to the receive FIFO 234. If the number of cells in the receive FIFO 234 exceeds the drain threshold, the data exchange 210 asserts a switch bus request over the switch arbitration link 252. If the data exchanger gets the arbitration, the data exchanger will transmit the first cell 204a stored in the receive FIFO 234 via the switch bus 250. Receive FIFO 234 will continue to transmit cells until all cells have been transmitted.

The data exchange 260 monitors the switch bus 250. The lookup engine 286 analyzes the first cell 204b to determine whether the destination address field matches the destination address field of any active device connected to the ports 271-283. In this example, lookup engine 286 determines that the destination address field matches the destination address field of the active device connected to port 282. In response, the lookup engine 286 provides a match signal to the data exchange device 210 and instructs the buffer manager 290 to reserve a buffer in the memory 296. The buffer in memory 296 is large enough to store the entire frame in consecutive memory locations. When subsequent cells are received from the same frame, the buffer manager 290 sequentially stores the cells in consecutive memory locations.

When the number of cells stored in the buffer exceeds the drain threshold, data is passed to the transmit FIFO 292. The transmit FIFO 292 has a separate FIFO for each of the ports 271-283. This data is provided to the transmit FIFO associated with port 282. The transmit FIFO associated with port 282 converts 48 bit wide data into nibble wide data. This data is provided to the physical layer 262 via a media independent interface. Physical layer 262 converts this data into packet 202b, which is transmitted over a network connection.

Broadcast or multicast packets have a similar data flow. The buffer manager 290 stores cell data in contiguous memory locations in memory 296. When the number of cells stored in memory 296 exceeds the drain threshold, this data is delivered to broadcast buffer 294 instead of transmit FIFO 292. The broadcast buffer 294 includes a 10 Mb / s buffer or a 100 Mb / s buffer. These buffers all provide data to ports 271-283. According to the external physical layer 262, each port provides either the 10 Mb / s or 100 Mb / s data to the physical layer 262 via a media independent interface. Physical layer 262 converts this data into packets, which are transmitted over each network connection.

Referring to Fig. 3, the preferred processing for the ports 221-233 to divide the frame data into cells is described. Data frame 310 begins with a preamble field 312, an SFD field 314, a destination address field 316, and a source address field 318. In addition, the data frame 310 includes a field 320, which may include priority, type, length, VLAN, or other data. The data frame 310 further includes a variable length data field 322, and an end of frame delimiter (EFD) field 323.

When a frame is received through the port, it is divided into 48-bit wide cells. For example, data frame 310 is divided into cells C1, C2, ... CN. The first cell C1 will include a destination field 316, but will not include subsequent cells (ie, C2,..., CN). Typically, the destination address field allows the network to route data to the appropriate destination. However, when subsequent cells do not include a destination address field, they cannot be routed based on the destination address field. Thus, source port identifiers are added to these cells. At that time, these cells are routed based on the source port identifier.

In FIG. 4, a cell 410 is shown. Cell 410 includes a source information field 412 and a data field 414. In a preferred embodiment, each data exchange has up to 13 ports, and up to 13 data exchanges may be serially connected together via a switch bus. Thus, the maximum number of ports is 156, and an eight-bit source information field 412 is sufficient to uniquely identify each source port. Source information field 412 also includes speed and type information related to the source port. The speed information identifies whether the source port is operating at 10 Mb / s, 100 Mb / s, or other speed. The type information indicates whether this cell data is part of an ATM OC3 frame, an ATM OC12 frame, a spare frame, or another type of frame. Data field 414 includes a 48-bit portion of the frame, eg, one of cells C1... CN of FIG. 3. In addition, the source information field 412 may include other type information, such as information used to identify the appropriate VLAN.

As described above, the incoming frame data is divided into cells and placed in the receive FIFO. These cells are then transmitted over the switch bus and received by other data exchanges. While receiving the cells, the data exchange maintains a routing table, which associates the source identification field with the frame destination. When only the first cell contains a destination address field, the routing table allows this data exchange to properly route subsequent cells, which subsequent cells do not have a destination address field.

As discussed above, the lookup engine 236 must determine whether to accept the data sent over the switch bus 250. To determine, the lookup engine 236 must monitor the address of the device currently connected to the data exchange 210. Accordingly, lookup engine 236 manages a group of active device addresses.

In FIG. 5, a preferred embodiment of the lookup engine 236 of FIG. 2 is described. The lookup engine 236 must learn, store, and manage address, port, and VLAN information, and use it in packet forwarding decisions. The lookup engine 236 forwards or filters packets based on configuration information, packet type, stored address, port, and VLAN information. When the lookup engine 236 receives packet information past the buffer 512 via the switch bus, the lookup engine determines to which port this packet should be sent (if any). If the lookup engine determines that this packet should be sent to, then the lookup engine informs the transmitting FIFO 242. More specifically, the content addressable memory (CAM) manager 540 informs the transmit buffer manager 510 by inserting a port bit mask into the info field of the first cell of this packet. The CAM manager 540 provides this port bit mask via block 514.

When the lookup engine 236 receives packet information from the network device through the buffer 524, the lookup engine determines source port, address, and priority information. Based on this information, the lookup engine 236 determines the priority for loading into the FIFO 522. Before transmitting over the switch bus, the lookup engine 236 adds VLAN and priity information through block 520.

The lookup engine 236 performs a lookup at the CAM 530 on packet information from both the receive FIFO 234 and the switch bus. Lookup for packet information from receive FIFO 234 is performed for VLAN and / or pristitution substitution prior to transmission on the switch bus. This packet information is then provided to the switch bus. Thereafter, the packet information transmitted by the data exchanger is monitored by the same data exchanger and another data exchanger. Lookup for packet information from the switchbus is performed for forwarding and MAC learning (learning) decisions. Running and forwarding are described in more detail later.

When a packet is received from the switch bus, the packet's (1) destination address; (2) VLAN tags; And (3) based on the uplink ID, the CAM 530 allows the lookup engine 236 to make forwarding decisions. CAM 530 includes four separate CAMs: source address memory 532, with (1) a port ID number tag used to forward unicast packets; (2) VLAN memory 534, having a port mask tag for mapping packets tagged with a VLAN; (3) an uplink memory 536 having a port address tag used to determine to which uplink port a packet (with an unknown destination address or broadcast) should be sent; And (4) multicast memory 538 having a VLAN ID tag field for implementing a multicast video stream using a VLAN or associating a VLAN with a particular translation.

The source address memory 532 may support a source address for each data exchange device. There is a dedicated location for each port (13 in total). There are 115 floating memory locations that can be shared among 13 ports. These 115 locations can be used on a first-come first-serve (FCFS) basis, or each port can be assigned the maximum number it can use. Each port may be configured to have a maximum address quota of 4, 8, 16, or 24. This quota feature can be enabled on a per-port basis by setting the quota enable bit in the configuration register 542. The maximum number of locations reserved for a given port is programmable through the quarter field in the configuration register 542. The data exchange maintains a CAM location usage counter (CLU) for each of its ports. The CLU is accessible by the host software. This counter reflects the number of source address memory locations allocated to that port. If the CLU counter for a given port is the same as the quota programmed for that port, the memory location available for that port is exhausted.

There are 192 locations in VLAN memory 534. The lookup is performed at the transmitting side of the switch bus by the destination data exchange. The VLAN membership of the packet received from the switch bus is compared with the contents of the VLAN memory to determine its VLAN membership. If the destination data exchange detects a group address resolution protocol request for a change in VLAN membership, or if the destination data exchange detects a VLAN mismatch, the packet is sent to the 13th. Port or optionally an uplink port. This allows the management entity to process this packet as desired. In addition, the management entity must initialize the membership of the specified VLAN.

The content of uplink memory 536 is programmed in the configuration for host interface 544. The content of the uplink memory represents the address of the high level network.

Within the multicast memory 538, there are 192 locations that can be programmed to associate a given multicast address or source-address / destination-address type hash with a particular VLAN. This memory may be used to associate based on priity. If a packet is received whose destination address matches the address included in multicast memory 538, those ports that are members of a particular VLAN will participate in frame transmission. The lookup of the multicast memory 538 is performed at the receiving side of the switch bus by the source data exchange.

Each of the memories 532, 534, 536, 538 has a valid tag bit associated with each of those entries. The valid tag bit indicates that the associated data is valid. In addition, each of the memories 534, 536, 538 has an activity bit associated with each entry. These are used to monitor the usage of associated entries.

Upon receiving a packet from a port, the data exchanger divides this packet into cells and forwards the packet over the switch bus to the appropriate port. The other data exchange must monitor the switch bus to determine if the destination address of this packet matches the destination address of the device connected to one of its ports. If so, the data exchange receives this packet data and forwards it to the appropriate port. To determine whether to forward this packet to a particular port, this data exchange manages memories 532, 534, 536, 538.

Referring to Fig. 6, a preferred embodiment of the source address memory 532 is described. As mentioned above, the source address memory is divided into a plurality of places, each configured to store information related to one source address. Each memory location is a source address field 610, a static field 612, an alias field 614, a valid field 616, an ACT field 618, and a port field 620. It includes.

Source address field 610 holds the source address of the network device. Valid field 616 indicates whether the memory location holds valid data. At initialization, all valid fields are cleared. These fields are set as the source address information is added to the associated memory location.

Static field 612 indicates whether the associated memory location holds static data or dynamic data. If the static field 612 is set to static, the associated memory location cannot be overwritten with new data. When operating in the program mode, this field is set after receiving address information from the host processor. Thus, if an error condition such as a loop is not detected, the associated memory location will not be overwritten.

The alias field 614 indicates whether data sent to the associated address should also be sent to the alias address. Alias addresses allow other nodes to monitor traffic.

Activity field 618 is set whenever the associated address receives data. This allows the background process to determine which address is currently active. In last-heard learning mode, the oldest run address may be overwritten. The port field 622 identifies which port is connected to the device with the associated source address.

The address information of the source address memory 532 must be run or programmed. As shown in FIG. 5, the lookup engine 236 may run address information by monitoring network traffic via the receive FIFO 234. Alternatively, lookup engine 236 may be programmed via host interface 544.

The lookup engine 236 may include these four running and programming modes, namely (1) first-heard mode; (2) last-herd mode; (3) program mode; And (4) secure program mode. Each port is individually configurable to select one of these four modes. This mode is selectable via host interface 544 by setting configuration register 542.

First-learning stores the source address of the node connected to that port. This will store as many addresses as the memory location is allocated (in addition to one reserved memory location per port, there is an additional quota reserved for the port). Once the memory location allocated for the port is exhausted, any new addresses will not run. At that time, any new source address will be considered intrusion. The source address is not running, but the source address mismatch (SAM) bit is set in the status register. In addition, the source address is captured in the address register.

Referring to Fig. 7, the preferred operation of the data exchange device in the first-herd mode will be described. The data exchange starts at block 710 entering an idle state. In the idle state, the data exchange monitors for incoming packets on that port. Upon receiving the packet, the data exchange proceeds to block 712. Here, the data exchange device stores the incoming packet data in the FIFO. In block 714, the data exchange device compares the source address of the received packet with a source address contained within the memory. If this comparison occurs, the data exchange sends this packet through the switch bus to another port when the band is allowed. The data exchange then returns to the idle state at block 710.

However, if this comparison does not occur, the data exchange determines if the memory is full. If full, the data exchange sends the received packet, but no new source address is running. The source address is stored in the address register and the SAM bit is set in the memory status register. At that time, the data exchange device returns to the idle state at block 710.

Otherwise, if the memory is not full at block 716, the data exchange adds a source address to the memory. When the band is allowed, the data exchange sends packets through the switch bus to another port.

The last-hard running mode will also store the source address of the node connected to that port. This will store as many addresses as the memory location is allocated. If the memory location allocated for a port is exhausted, any new address may overwrite the previously run location for that port. The place to be overwritten is determined by a background process that cycles through all the places, performing a read of the tag field to determine the port ID and determine whether the address is a static entry.

This background process reads the tag bits associated with each memory entry, which (when set) are overwritten when the location has been programmed by the host processor and configured for "static", ie last-hard running mode. Indicates no. For each port, there is an 8-bit register that is a pointer to the next memory location that should be used for last-herd overwrites. The background process reads the location and if this port is in last-herd mode, it checks to see if the overwrite pointer register is valid. Otherwise, and if this location is not specified statically, it updates the overwrite pointer. Quotas, static bits, and run modes must be programmed so that the ports in this run mode always have a non-static location available. Otherwise, the new address will not run.

This process also invalidates the entry for the port that lost the link. In this case, the overwrite pointer will not be updated to this place, and this process will check if this pointer already contains this place. If so, this process invalidates the entry.

Referring to Fig. 8, the preferred operation of the data exchange device in the last-hard mode will be described. The data exchange starts at block 810 entering the idle mode. In the idle state, the data exchange monitors for incoming packets on that port. Upon receiving the packet, the data exchange proceeds to block 812. Here, the data exchange device stores the incoming packet data in the FIFO. At block 814, the data exchange device compares the packet's source address with a source address in memory. If the source address matches this one address, the data exchange transmits through the switch bus to another port when the band is allowed. At that time, the data exchange device returns to the idle state at block 810.

However, if the source address does not match any address contained in the memory, the data exchange device determines whether the memory is full. If not, the data exchange adds the source address to the memory at block 820. Then, when the band is allowed, the data exchange device sends a packet through the switch bus to another port. The data exchange then returns to the idle state at block 810.

Otherwise, if the memory is full at block 816, the data exchange overwrites the source address stored in memory with the new source address of the received packet. When the band is allowed, the data exchanger sends a packet through the switch bus to another port. The data exchange then returns to the idle state at block 810.

The third mode, the program mode, allows the host processor to manually write the source address via the host interface. When combined with the previously mentioned modes, no actual running takes place. In this mode, the received frame is considered integral if the source address does not match in memory. If an integrity is detected, the source address is not running, but the mismatch bits are set in the memory status register and the source address is captured in the address register. In program mode, the port is disabled upon intrusion detection.

The secure program mode is the same as the program mode except when an integrity is detected, and the port on which the integrity packet was received is disabled. The discrepancy bit is set in the memory status register and the source address is stored in the address register. In the preferred embodiment, when the port is disabled, it can no longer send or receive data. Alternatively, the port may be disabled by removing only one of the transmit and receive functions.

9, a preferred operation of the data exchange device in the secure program mode will be described. The data exchange starts at 910. Here, the data exchange device receives the programmed address from the host processor through the serial interface. The programmed address is stored in memory. After all the programmed addresses have been loaded, the data exchange waits to enter an idle state at block 912. In the idle state, the data exchange monitors for incoming packets on that port. Upon receipt of the packet, the data exchange proceeds to block 914. Here, the data exchange device stores the incoming packet data in the reception FIFO. At block 916, the data exchange compares the source address of the received packet with a programmed address contained within the memory. If this comparison occurs, then at block 920 the data exchange sends a packet to the other port over the switch bus when the band is allowed. At that time, the data exchange device returns to the idle state at block 912.

However, if the source address does not match any programmed address contained in the memory at block 916, the data exchange proceeds to block 918. Here, the data exchange device discards the received packet. The source address is stored in the address register and the mismatch bits are set in the memory status register. The data exchange also disables this port so that additional packets cannot be sent or received through that port. At that time, the data exchange device returns to the idle state at block 912. This port is in the disabled state until reset by the host processor or upon reset of the data exchange device.

In another preferred embodiment, at block 918, the data exchange forwards the received packet. The data exchange also disables this port so that packets cannot be sent through this port. However, additional packets may be received through this port.

In running mode, addresses are not running from packets received with CRC, frame alignment, or size errors. This is accomplished by delaying the transfer of the run address to the source address memory until the EOF cell of the packet is received from the switch bus and found to be error free. Matching of the source address of the packet is performed while the SOF cell and the source address are stored in the SRAM. This source address is written into the source address memory when the entire packet is received without error (EOF cell).

The lookup engine 236 forwards the packet received from the switch bus based on the destination address and the VLAN tag. The destination port of the packet is determined when the first SOF cell is received away from the switch bus. At that time, subsequent cells are forwarded based on the source port ID in the information field.

In more detail, the lookup engine monitors the switch bus for the SOF cell. Upon receipt of the SOF cell, the lookup engine compares its destination address field with that contained in the source address memory. If this comparison occurs, the rest of the packet data is received, and the packet is forwarded to the appropriate port based on the forwarding information included in the CAM.

The CAM manager 540 manages the allocation and deallocation of CAM addresses. The list of CAM locations not currently used (and available for any port) is stored in SRAM. Upon reset, the SRAM is initialized with points to each of the locations in the CAM that are not currently reserved for a particular port.

Each CAM location has an associated valid bit that can be reset to indicate that when an match should no longer be used. It also has a frame activity bit that is set whenever there is a source address match on this address. This bit is also periodically reset by the CAM manager and used to determine the aging of the address.

Although the embodiments described herein relate to a data exchange apparatus having a specific structure, the present invention can be implemented in various other network devices without departing from the scope of the present invention. Such other network devices may implement the invention using the functional blocks described herein, or may implement other configurations that perform the same functions. Those skilled in the art will clearly understand from the embodiments described herein that many modifications are possible without departing from what is disclosed herein. All embodiments and all such modifications are intended to be included within the scope of the following claims.

According to the present invention, it is possible to provide a network device that prevents unauthorized users from accessing network resources and also increases network bandwidth resources so that more users can share the resources.

Claims (5)

A memory configured to store a plurality of programmed addresses; A port configured to receive and transmit packet data including a source address over a network; And A controller operatively coupled with the port and memory, the controller configured to compare the source address with a plurality of programmed addresses, Said controller disabling said port when a source address does not match any of a plurality of programmed addresses. The method of claim 1, Wherein said memory, port, and controller together constitute a network switch. The method of claim 1, And the memory comprises a content addressable memory (CAM). A register configured to select from a plurality of operating modes including a secure program mode; A port operatively associated with the register and configured to receive over the network packet data comprising a source address; And A memory operatively coupled with the register and configured to store a plurality of programmed addresses, and comparing the source address with a plurality of programmed addresses to disable the port upon detection of a mismatch. A network device for receiving and transmitting packet data to be spoken. Receiving packet data including a source address through a first port; Comparing the source address with a plurality of programmed addresses; And And disabling the first port when the comparing step results in a mismatch.