The present invention relates to networks, and more particularly to establishing connectivity in networks.
Some networks restrict connectivity for security reasons or in order to reduce network traffic. Thus, some stations in the network are allowed to communicate with each other, while other stations are not. Connectivity could be allowed or disallowed by establishing physical communication links between stations that are allowed to communicate and by not providing physical links between stations that are not allowed to communicate. However, this is impractical because it requires a separate configuration of physical links for each set of connectivity constraints. Therefore, techniques have been developed to establish or change network connectivity by issuing commands to appropriate network devices.
This is illustrated in FIGS. 1 and 2. (These figures also illustrate some aspects of the invention and thus are not prior art.) Network 110 is an enterprise network suitable for interconnecting a large organization. Network 110 includes "layer 2 domains" 116P, 116Q, 116R, 116S, 116T. (The term "layer 2" refers to the data link layer of the OSI reference model described in D. Bierer et al., "NetWare.RTM. 4 for Professionals" (1993), pages 1-9, incorporated herein by reference.) Stations 124 that belong to the same layer 2 domain 116 (e.g. stations 124.1, 124.2 in domain 116P) can communicate with each other using their MAC addresses ("layer 2" addresses). A MAC (Medium Access Controller) address is a physical address burned into the station's network interface card (NIC) or established by setting NIC switches. Some or all of domains 116 may include one or more network switches 128 (not to be confused with NIC switches). Switches 128 of each domain 116 forward traffic between stations 124 using the stations' MAC addresses.
Stations in different layer 2 domains (e.g. stations 124.1, 124.3) cannot communicate with each other using exclusively MAC addresses. They communicate using their IP addresses, which are logical addresses. Routers 130.1, 130.2, 130.3 route traffic between the domains 116 based on the stations' IP addresses, translating between IP addresses and MAC addresses as needed.
Within some domains 116, connectivity can be restricted using virtual LANs (or VLANs). For example, domain 116P contains three VLANs 140a, 140b, 140c (FIG. 2). Stations 124 in domain 116P can communicate with each other at layer 2 (i.e., using their layer 2 addresses) only if they belong to the same VLAN. Thus, as shown in FIG. 1, stations 124.1, 124.2 belong to VLAN 140a and hence can communicate.
VLANs are implemented by the LAN switches 128. More particularly, switches 128 will forward a packet only between stations within the same VLAN. (Switches 128 are called "VLAN-capable" because they are capable of restricting traffic to a VLAN. Some layer 2 domains, for example, domain 116S or 116T, may include no VLAN-capable switches.)
Connectivity between different layer 2 domains is restricted by routers 130. Routers 130 use access control lists (ACLs) that define connectivity restrictions based on IP addresses. See, for example, K. Siyan and C. Hare, "Internet Firewalls and Network Security" (1995), pages 187-192.
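As an added illustration that is not part of the patent text, the following Python model applies the two connectivity rules just described: switches forward at layer 2 only within one domain and one VLAN, and routers apply an IP-based access control list between domains. Station names, domain 116P and VLAN 140a follow FIGS. 1 and 2 where the text gives them; the placement of station 124.3 in domain 116Q, the remaining stations, all IP addresses, the ACL entries and the first-match, default-deny ACL semantics are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Station:
    name: str
    domain: str          # layer 2 domain, e.g. "116P"
    vlan: Optional[str]  # VLAN id, or None where the domain has no VLAN-capable switches
    ip: str

@dataclass(frozen=True)
class AclEntry:
    src: str      # source prefix (CIDR)
    dst: str      # destination prefix (CIDR)
    permit: bool

def l2_reachable(a: Station, b: Station) -> bool:
    # Switches 128 forward frames only within one layer 2 domain and,
    # where the domain uses VLANs, only within one VLAN.
    return a.domain == b.domain and a.vlan == b.vlan

def l3_permitted(a: Station, b: Station, acl: List[AclEntry]) -> bool:
    # Routers 130 apply the ACL: the first entry matching both addresses
    # decides; traffic matching no entry is dropped (assumed default-deny).
    src, dst = ip_address(a.ip), ip_address(b.ip)
    for entry in acl:
        if src in ip_network(entry.src) and dst in ip_network(entry.dst):
            return entry.permit
    return False

def can_communicate(a: Station, b: Station, acl: List[AclEntry]) -> bool:
    # Same domain: layer 2 rules decide. Different domains: the router ACL decides.
    return l2_reachable(a, b) if a.domain == b.domain else l3_permitted(a, b, acl)

# Constructed topology: 124.1 and 124.2 in VLAN 140a of domain 116P as in FIG. 1;
# the other stations, all IP addresses and the ACL entries are assumed.
STATIONS = {s.name: s for s in [
    Station("124.1", "116P", "140a", "10.1.0.1"),
    Station("124.2", "116P", "140a", "10.1.0.2"),
    Station("124.4", "116P", "140b", "10.1.0.4"),
    Station("124.3", "116Q", "140q", "10.2.0.3"),
    Station("124.5", "116S", None, "10.3.0.5"),
    Station("124.6", "116S", None, "10.3.0.6"),
]}
ACL = [
    AclEntry("10.1.0.4/32", "10.2.0.0/24", permit=False),  # specific deny listed first
    AclEntry("10.1.0.0/24", "10.2.0.3/32", permit=True),   # rest of 116P may reach 124.3
]
```

Because the ACL is evaluated first-match, the order of the two entries determines whether station 124.4 may reach 124.3; swapping them would silently grant that access.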
Creating access control lists and defining VLANs can be a confusing and laborious process for a network administrator. This process often has to be repeated in dynamic network environments in which stations, users and network services move from place to place, are transferred from one organization to another without physically moving, or are added or deleted.
It is therefore desirable to facilitate establishing connectivity in networks.