A network switch, such as a bridge (layer 2 switch) or a router (layer 3 switch), is a device that determines the destination of individual data packets (such as Ethernet frames) and selectively forwards them across a local area network (LAN) according to the best route for their destination. The best route is typically associated with one of a number of ports on the switch, which are the switch's external interface to the network. The port is a mission-critical part of a network because the port oftentimes is an uplink, collapsing thousands of users in a local area network (LAN) onto a backbone such as the Internet.
The port may also be used to control access to the LAN and LAN resources through the use of port-based network access control protocols. One such protocol is the Institute of Electrical and Electronics Engineers (IEEE) Ethernet-based standard for port-based network access control, IEEE 802.1X. The IEEE 802.1X standard specifies a general method for the provision of port-based network access control. Among other uses, the IEEE 802.1X protocol may be used to authenticate and authorize devices and device users that are connected to a LAN port, where the LAN port is a single point of attachment to the LAN infrastructure, such as a port of a Media Access Control (MAC) Bridge or, in the case of a wireless LAN, an association between an end station and an IEEE 802.11 access point in the wireless LAN.
Once the connected device has been authenticated, the switch must be provisioned with the appropriate network resources based on the type of device and/or identity of the user. Provisioning the switch primarily involves configuring the port to which a device is connected with the proper configuration and policy data for that device and/or device user.
In today's complex converged network environments that support both wired and wireless access to a variety of resources, including voice, video, and data, ensuring that the switch is properly provisioned can be burdensome. For example, in order to provision the switch with the correct network resources, quality of service, and security policy for successful voice operation, the switch port to which a VoIP phone is connected must be configured with the appropriate Link Layer Discovery Protocol (LLDP) parameters, Virtual Local Area Network (VLAN) name, port VLAN ID, power conservation mode, call server name, 802.1Q framing parameter, and Access Control List (ACL).
Managing the deployment of network configuration and policy data to ensure that a switch is properly provisioned has typically been the responsibility of proprietary centralized network management systems (NMS), such as the network management system sold under the trademark “EpiCenter” by Extreme Networks, Inc., of Santa Clara, Calif., the assignee of the present application. The NMS typically operates in conjunction with an authentication server, such as a RADIUS server, to dynamically deploy the proper configuration and policy data to the switch upon successful authentication and authorization of the device and/or user on the network.
One of the challenges presented by relying on the NMS to deploy the proper policy and configuration data to the switch is the delay between the time that the device and/or user is detected/authenticated, and the time that the policy is deployed on the switch. Such a delay can expose the LAN to malicious attack which may result in a denial or degradation of service on the LAN.
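One way to remove the window between authentication and provisioning is to carry the port policy in the RADIUS Access-Accept itself and apply it in the same step that authorizes the port. The Python example below is added here and is not part of the original text or of any vendor's implementation: it parses the standard RFC 2865/2868 attributes (Filter-Id, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) from a constructed attribute payload into a VLAN/ACL policy, and models a simplified 802.1X port that forwards nothing but EAPOL until both authorization and policy are in place. The SwitchPort model and the sample VLAN and ACL names are illustrative assumptions.

```python
from typing import Dict, NamedTuple, Optional

# RADIUS attribute types (RFC 2865 Filter-Id; RFC 2868 tunnel attributes) that carry the VLAN and ACL for the port.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk RADIUS TLVs: 1-byte type, 1-byte length (including header), value."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs[atype] = payload[i + 2 : i + alen]
        i += alen
    return attrs

def strip_tag(value: bytes) -> bytes:
    """RFC 2868 tunnel attributes may begin with a tag octet (0x00-0x1F); drop it."""
    return value[1:] if value and value[0] <= 0x1F else value

class PortPolicy(NamedTuple):
    vlan: str
    acl: Optional[str]

def policy_from_access_accept(attr_payload: bytes) -> PortPolicy:
    """Derive the port policy from the attribute section of an Access-Accept."""
    attrs = parse_attributes(attr_payload)
    tunnel_type = int.from_bytes(strip_tag(attrs[TUNNEL_TYPE]), "big")
    medium = int.from_bytes(strip_tag(attrs[TUNNEL_MEDIUM_TYPE]), "big")
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        raise ValueError("Access-Accept carries no IEEE 802 VLAN assignment")
    vlan = strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    acl = attrs[FILTER_ID].decode("ascii") if FILTER_ID in attrs else None
    return PortPolicy(vlan, acl)

class SwitchPort:
    """Simplified 802.1X port (assumed model): unauthorized passes only EAPOL; policy and
    authorization land in one step, so no frame is forwarded while the port is unprovisioned."""
    def __init__(self) -> None:
        self.authorized, self.policy = False, None
    def on_access_accept(self, attr_payload: bytes) -> None:
        self.policy = policy_from_access_accept(attr_payload)  # fails closed on bad data
        self.authorized = True
    def forwards(self, frame_kind: str) -> bool:
        return frame_kind == "eapol" if not self.authorized else self.policy is not None

# Constructed sample: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), Tunnel-Private-Group-ID="voice", Filter-Id="voip-acl".
ACCESS_ACCEPT_ATTRS = bytes.fromhex("40060000000d410600000006510800766f6963650b0a766f69702d61636c")
```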