The present invention relates generally to networks of the type that connect two or more data processing elements to one another for data communication. More particularly, the invention relates to a method and apparatus for dividing a physical network into a number of separate, "virtual" networks and work groups. Communication is then allowed only between elements that are members of the same virtual network and workgroup.
The recent growth of the personal computer market has been accompanied by the desire to interconnect numbers of personal computers for resource sharing, distributed processing, and like data processing functions. Such interconnectivity is often accomplished using local area network (LAN) or wide area network (WAN) topologies. A LAN topology typically interconnects data processing equipment in a limited geographic area by such physical media as twisted pair wiring or coaxial cable and various connective devices such as repeaters, routers, and bridges. Information is communicated by message packets.
Repeaters operate to repeat information from one transmitting medium to all others to which the repeater connects; that is, a repeater connects segments of the same network to form an extended network, and message packets received by the repeater are repeated to all connected segments. Bridges, on the other hand, connect separate LANs. Bridges typically operate to pass message packets on one LAN to another LAN if the destination of that message packet is not located on the source LAN, examining the message packet to determine onto which network the message packet should be forwarded.
Routers also connect separate LANs. They are capable of communicating with end nodes and other routers, by which communication they determine internal routing tables. Message packets are forwarded based upon destination address contained in the message packets and these routing tables.
Since bridges and routers are capable of selective communication of message traffic, they do perform some message security functions. One limitation of this is that end nodes (the data processing elements interconnected by the network) on the same local area network (LAN) have access to all message packets sent to any one of them.
Recent advances in the industry have provided repeaters with the ability to perform security functions in order to preclude connected end nodes from receiving message packet. Examples of such message security is found in U.S. Pat. Nos. 5,177,788, 5,161,192, and 4,901,348. A message packet received by a repeater will be examined for source and/or destination information contained in the message packet. Based upon that examination, a determination is made as to which ports of the device will be allowed to re-send the message packet, and which will be precluded from re-sending.