A data network typically includes several nodes connected together by a data transport medium. One common method of transmitting data between the nodes is to break the data up into discrete "packets" of data. Packets can be transported over the medium by any one of a variety of transport techniques. In applications utilizing packetized data, data to be transported is first broken up into discrete packets, then transmitted through the network medium, and finally reassembled at a destination node. In accordance with current packet protocols, each packet generally comprises a header and an information field. The header contains the information used to transport the packet from one node to the next, while the packet data is contained in the information field. Among other information in the header is the destination address of the data packet.
A local area network (i.e., "LAN") is a type of local data network commonly used in a single office or building. LANs are an efficient mechanism for maximizing use of network resources by members of the LAN. Simple LANs typically include two or more nodes (e.g., a server, computer, printer, or other resource) that are interconnected by a common physical connection such as, for example, a hub. Data switches also may be connected to the hub for directing data traffic and for connecting the LAN to other data networks.
LANs can be inconvenient and expensive to maintain. For example, moving a user to another location within a relatively large office building often requires that the LAN be rewired and reconfigured. This can be cumbersome and expensive. The art has responded to this problem by developing virtual local area networks (i.e. "VLANs").
A VLAN is generally defined as a group of nodes interconnected by software to form a single logical broadcast domain. VLANs may be connected to nodes that are members of any number of physical LAN segments. Among many advantages, VLANs enable network administrators to create logical groupings of users and network resources, thereby allowing remote users and resources to appear as if they are members of a single LAN. This enables companies and other organizations to build dynamic, flexible, and distributed LANs, thus simplifying physical moves of a user in a network.
VLANs may be formed by defining logical groups of users within the VLAN. One such VLAN, known as a "port-based" VLAN, defines the VLAN as a collection of switch ports on one or more switches across a hub. Users connected to those defined switch ports therefore are members of the defined VLAN. Broadcast messages directed to that VLAN may be transmitted through the defined switch ports only. Known port-based VLANs typically are implemented on a switch to include a default VLAN, in addition to other VLANs that may be formed on the switch. During manufacture, the default VLAN is defined as every port on a single switch. The number of switch ports defining the default VLAN decreases, however, as ports on the switch are used for defining other VLANs. Accordingly, on an exemplary eight-port switch having a first VLAN defined by ports one and two, the default VLAN will be defined by remaining ports three through eight.
Known port-based default VLANs have data leakage problems that can compromise the security of data transmitted across a network. Specifically, a port-based default VLAN transmits a data packet to every switch port when that packet is received on a port of the default VLAN and is destined for a port that is not in the default VLAN. Continuing with the above example, a data packet received on a port defining the default VLAN (i.e., one of ports three through eight) and destined for another port also on the default VLAN will be transmitted to the destination port only. In the event that the data packet was destined for a port on the first VLAN (i.e., port one or two), however, the packet would be transmitted to all of the ports on the switch, thus creating the above-mentioned security problem.
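The forwarding behaviour described above can be modelled directly. The following Python is an added illustration, not code from the patent or from any switch vendor: it builds the eight-port switch of the example (a first VLAN on ports one and two, the default VLAN automatically taking the remaining ports three through eight), implements the leaky default-VLAN rule beside a hardened rule that confines traffic to its ingress VLAN, and provides a check that reports which ports outside the ingress VLAN received a packet. The class and function names, and the packets fed to it, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields a port-based switch looks at."""
    src_port: int   # port the packet arrived on
    dst_port: int   # port the destination node is attached to
    payload: str


class PortBasedSwitch:
    """Single switch whose VLANs are sets of port numbers.

    Every port not claimed by a configured VLAN falls into the default VLAN,
    so the default VLAN shrinks as ports are assigned to other VLANs, as the
    description states.
    """

    DEFAULT = "default"

    def __init__(self, num_ports: int, vlans: Dict[str, Set[int]], leaky: bool):
        self.ports: Set[int] = set(range(1, num_ports + 1))
        self.vlans: Dict[str, FrozenSet[int]] = {
            name: frozenset(members) for name, members in vlans.items()
        }
        claimed = set().union(*self.vlans.values())
        self.vlans[self.DEFAULT] = frozenset(self.ports - claimed)
        self.leaky = leaky
        self.dropped: List[Packet] = []  # audit trail kept by the hardened mode

    def vlan_of(self, port: int) -> str:
        for name, members in self.vlans.items():
            if port in members:
                return name
        raise ValueError(f"port {port} does not exist on this switch")

    def forward(self, pkt: Packet) -> FrozenSet[int]:
        """Return the set of egress ports the packet is transmitted on."""
        ingress_vlan = self.vlan_of(pkt.src_port)
        if pkt.dst_port in self.vlans[ingress_vlan]:
            # Intra-VLAN traffic goes to the destination port only.
            return frozenset({pkt.dst_port})
        if self.leaky and ingress_vlan == self.DEFAULT:
            # Leaky default-VLAN rule from the description: a destination
            # outside the default VLAN is flooded to every other port on the
            # switch, including ports that belong to other VLANs.
            return frozenset(self.ports - {pkt.src_port})
        # Hardened rule: a packet never leaves its ingress VLAN; record it so
        # cross-VLAN attempts can be counted or alerted on.
        self.dropped.append(pkt)
        return frozenset()


def cross_vlan_egress(switch: PortBasedSwitch, pkt: Packet) -> FrozenSet[int]:
    """Ports outside the ingress VLAN that still receive the packet.

    A non-empty result is exactly the leakage the description warns about.
    """
    ingress_vlan = switch.vlan_of(pkt.src_port)
    return frozenset(
        p for p in switch.forward(pkt) if switch.vlan_of(p) != ingress_vlan
    )


if __name__ == "__main__":
    layout = {"vlan1": {1, 2}}          # default VLAN becomes ports 3-8
    leaky = PortBasedSwitch(8, layout, leaky=True)
    hardened = PortBasedSwitch(8, layout, leaky=False)
    probe = Packet(src_port=3, dst_port=1, payload="constructed")
    print("leaky   :", sorted(cross_vlan_egress(leaky, probe)))     # [1, 2]
    print("hardened:", sorted(cross_vlan_egress(hardened, probe)))  # []
```

Running the block shows the two ports of the first VLAN receiving a packet that entered on the default VLAN under the leaky rule, and no cross-VLAN egress under the hardened rule; the `dropped` list is where a real implementation would hang a counter or log line so that repeated cross-VLAN attempts from one port become visible.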
Accordingly, it would be desirable to provide a port-based default VLAN that prevents such leakage problems between VLANs. It is among the general objects of this invention to provide such a device and method.