Local Area Networks (LANs) are generally defined as a single broadcast domain. In this regard, if a user broadcasts information on their respective LAN, the broadcast will be received by every other user on that LAN. Broadcasts are prevented from leaving a LAN by using a router. A router is an intermediate station operating as a Network Layer relay device. A router functions as a sorter and interpreter as it examines addresses and passes data to their proper destinations. Software routers may be referred to as “gateways.” A bridge (or switch) is an internetworking device that relays frames among its ports based upon Data Link layer information. Unlike routers, bridges are protocol-independent. In this regard, bridges simply forward packets without analyzing and re-routing messages. Consequently, bridges are faster than routers, but are also less versatile. A router works at the Network Layer (layer 3 of the OSI model), while a bridge works at the Data Link Layer (layer 2). The Network Layer determines routing of packets of data from sender to receiver via the Data Link Layer and is used by the Transport Layer (layer 4). The most common Network Layer protocol is Internet Protocol (IP). IP is the Network Layer for the TCP/IP protocol suite widely used on Ethernet networks. IP is a connectionless, best-effort packet switching protocol that provides packet routing, fragmentation and re-assembly through the Data Link Layer.
One disadvantage of using a router as a means of preventing a broadcast from leaving a LAN is that routers usually take more time to process incoming data compared to a bridge or a switch. More importantly, the formation of broadcast domains depends on the physical connection of the devices in the network.
Virtual Local Area Networks (VLANs) provide an alternative to using routers to contain broadcast traffic. VLANs allow a LAN to be logically segmented into different broadcast domains. Accordingly, workstations do not have to be physically located together. For example, users on different floors of the same building, or users in different buildings can belong to the same LAN. VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers are only used to communicate between two VLANs.
VLANs offer a number of advantages over traditional LANs, including improved performance, the formation of virtual workgroups, simplified administration, reduced costs, and enhanced security.
With regard to performance, where network traffic includes a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. Moreover, the use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers. It should be understood that the term “switch” is used interchangeably herein with the term “bridge.”
Virtual Workgroups can be easily established. To contain broadcasts and multicasts within a workgroup, a VLAN can be set up to place members of a workgroup together. There is no need to physically move members of the workgroup closer together.
Administration is also simplified by use of VLANs. In this regard, if a user is moved within a VLAN, it is not necessary to re-cable, provide new station addressing, or reconfigure hubs and routers. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated.
As to security, sensitive data may be periodically broadcast on a network. In such cases, placing only those users who can have access to that data on a VLAN can reduce the chances of an outsider gaining access to the data. VLANs can also be used to control broadcast domains, set up firewalls, restrict access, and inform the network manager of an intrusion.
Operation of a typical VLAN will now be briefly described. When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. It is also possible to determine to which VLAN the data received belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on other information like the port on which the data arrived. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. To be able to do the tagging of data using any of the methods, the bridge would have to keep an updated database containing a mapping between VLANs and whichever field is used for tagging. For example, if tagging is by port, the database should indicate which ports belong to which VLAN. This database is commonly referred to as a “filtering database.” Bridges would have to be able to maintain this database and all the bridges on the LAN must have consistent information in each of their databases. The bridge determines where the data is to go next based on normal LAN operations. Once the bridge determines where the data is to go, it now needs to determine whether the VLAN identifier should be added to the data and sent. If the data is to go to a device that knows about VLAN implementation (VLAN-aware), the VLAN identifier is added to the data. If it is to go to a device that has no knowledge of VLAN implementation (VLAN-unaware), the bridge sends the data without the VLAN identifier.
IEEE Standard 802.1Q specifies how compatible VLAN products are implemented. In accordance with this IEEE standard, VLAN membership can be classified by several means, including port, MAC address, and protocol type, as will be discussed in detail below:
(1) Layer 1 VLAN: Membership by Port
Membership in a VLAN can be defined based on the ports that belong to the VLAN. For example, in a bridge with four ports, ports 1, 2, and 4 belong to VLAN 1 and port 3 belongs to VLAN 2.
TABLE 1
Port          VLAN
1, 2, and 4   1
3             2
The main disadvantage of this approach is that it does not allow for user mobility. If a user moves to a different location away from the assigned bridge, the VLAN must be reconfigured.
(2) Layer 2 VLAN: Membership by MAC Address
In this case, membership in a VLAN is based on the MAC address of the workstation. The switch tracks the MAC addresses which belong to each VLAN. Since MAC addresses form a part of the workstation's network interface card, when a workstation is moved, no reconfiguration is needed to allow the workstation to remain in the same VLAN. This is unlike Layer 1 VLANs where membership tables must be reconfigured.
TABLE 2
MAC Address      VLAN
1212354145121    1
2389234873743    2
3045834758445    2
5483573475843    1
One drawback to this approach is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.
(3) Layer 2 VLAN: Membership by Protocol Type
VLAN membership for Layer 2 VLANs can also be based on the protocol type field found in the Layer 2 header.
TABLE 3
Protocol   VLAN
IP         1
IPX        2
(4) Layer 3 VLAN: Membership by IP Subnet Address
In this case, membership is based on the Layer 3 header. The network IP subnet address can be used to classify VLAN membership.
TABLE 4
IP Subnet   VLAN
23.2.24     1
26.21.35    2
Although VLAN membership is based on Layer 3 information, this has nothing to do with network routing and should not be confused with router functions. In this method, IP addresses are used only as a mapping to determine membership in VLANs. No other processing of IP addresses is done. In Layer 3 VLANs, users can move their workstations without reconfiguring their network addresses. A notable drawback is that an IEEE 802.11 station may not generate an IP packet each time that it roams.
(5) Higher Layer VLANs
It is also possible to define VLAN membership based on applications or services, or any combination thereof. For example, file transfer protocol (FTP) applications can be executed on one VLAN and telnet applications on another VLAN. The 802.1Q draft standard defines Layer 1 and Layer 2 VLANs only. Protocol-type-based VLANs and higher layer VLANs have been allowed for, but are not defined in this standard. As a result, these VLANs will remain proprietary.
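The following is an added example, not part of the patent text, that models the four membership classification methods listed above as lookups in a bridge's filtering database, using the values of Tables 1 to 4. The frame is modelled as a dict of the fields a bridge would parse; two assumptions are mine and not the page's: the MAC values are kept as the decimal-looking strings the tables print, and the two subnets are treated as /24 prefixes. The second function shows why the text calls port-based membership the least mobile: the same station moving from port 1 to port 3 changes VLAN under port-based classification but not under MAC-based classification. The last function checks the requirement that all bridges hold consistent databases.

```python
"""VLAN membership classification, modelled on Tables 1 to 4 (added example)."""
import ipaddress

# Filtering databases, one per classification method, keyed on the field used for tagging.
PORT_TO_VLAN = {1: 1, 2: 1, 4: 1, 3: 2}                                 # Table 1
MAC_TO_VLAN = {"1212354145121": 1, "2389234873743": 2,                   # Table 2 (page's values,
               "3045834758445": 2, "5483573475843": 1}                  # kept as strings)
PROTOCOL_TO_VLAN = {"IP": 1, "IPX": 2}                                  # Table 3
SUBNET_TO_VLAN = {ipaddress.ip_network("23.2.24.0/24"): 1,              # Table 4 (/24 is an
                  ipaddress.ip_network("26.21.35.0/24"): 2}             # assumption)


def classify(frame, method):
    """Return the VLAN id assigned to `frame` under `method`, or None if no entry matches."""
    if method == "port":
        return PORT_TO_VLAN.get(frame.get("ingress_port"))
    if method == "mac":
        return MAC_TO_VLAN.get(frame.get("src_mac"))
    if method == "protocol":
        return PROTOCOL_TO_VLAN.get(frame.get("protocol"))
    if method == "subnet":
        # Only an IP frame carries a Layer 3 header to classify on; anything else is unmapped.
        if frame.get("protocol") != "IP" or "src_ip" not in frame:
            return None
        addr = ipaddress.ip_address(frame["src_ip"])
        return next((vid for net, vid in SUBNET_TO_VLAN.items() if addr in net), None)
    raise ValueError(f"unknown classification method: {method}")


def membership_after_move(src_mac, old_port, new_port):
    """VLAN (before, after) a station moves between bridge ports, per method."""
    before = {"ingress_port": old_port, "src_mac": src_mac, "protocol": "IP"}
    after = {"ingress_port": new_port, "src_mac": src_mac, "protocol": "IP"}
    return {m: (classify(before, m), classify(after, m)) for m in ("port", "mac")}


def database_conflicts(db_a, db_b):
    """Keys that two bridges map to different VLANs; the text requires this to be empty."""
    return {k: (db_a[k], db_b[k]) for k in db_a.keys() & db_b.keys() if db_a[k] != db_b[k]}
```

`membership_after_move("1212354145121", 1, 3)` returns `{"port": (1, 2), "mac": (1, 1)}`: the port table must be edited to keep the station in VLAN 1, while the MAC table follows it unchanged.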
Devices on a VLAN can be connected in three ways (i.e., trunk link, access link, and hybrid link) based on whether the connected devices are VLAN-aware or VLAN-unaware. As noted above, a VLAN-aware device is one that understands VLAN memberships (i.e., which users belong to a VLAN) and VLAN formats. All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames. An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN). A hybrid link is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged. It should also be understood that a network can have a combination of all three types of links.
It should be appreciated that VLANs have long been used in wired networks, which are typically static networks. Furthermore, wired networks use a wired switch, wherein broadcasts are segmented by physical wire. In contrast, implementation of VLANs in wireless networks has been limited by the fact that these networks are dynamic, and that broadcast domains must be segmented. Accordingly, the present invention addresses the limitations of the prior art to provide a system for partitioning a network using encryption states and/or encryption keys, as a means for establishing a VLAN in a wireless communication environment.