In layer 2 switching devices, such as Ethernet switches, when a packet or frame is received at a port, a lookup is typically performed in a layer 2 forwarding table. The lookup is performed based on the layer 2 destination address in the frame. If an entry for the destination address is present in the table, the frame may be forwarded to the output port or ports corresponding to the entry. If an entry for the frame is not present in the table, the frame may be flooded on all output ports other than the port on which the frame was received.
Virtual local area networks (VLANs) can be used to limit the layer 2 flooding domain of a frame. For example, if a layer 2 frame includes a VLAN tag, and an entry is not located for the layer 2 destination address of the frame during the forwarding table lookup, the frame may be flooded only to ports that are members of the same VLAN as the VLAN tag identified in the frame.
Another lookup that typically occurs when a frame arrives at a layer 2 packet forwarding device is referred to as a learning phase lookup. During the learning phase, when a frame arrives at a port of a layer 2 switching device, the layer 2 source address in the frame is read. A lookup may be performed in the layer 2 forwarding table using the layer 2 source address to determine whether a forwarding table entry exists for the layer 2 source address. If a forwarding table entry corresponding to the layer 2 source address is not present in the forwarding table, the layer 2 source address is learned by adding it to the forwarding table with forwarding information for the entry set to the port on which the frame was received. This information may be communicated to the other ports in the switch so that packets having layer 2 destination addresses corresponding to the learned source address can be forwarded to the correct port. If the layer 2 source address is already present in the forwarding table, it has already been learned, and the learning phase ends.
In some instances, it may be desirable to implement layer 2 port blocking. For example, it may be desirable to allow ports A and B to communicate with each other but not with port C, even though ports A-C are all members of the same VLAN. One method for implementing such port blocking is to hard-wire the layer 2 switching device so that frames from one port only go to ports with which the port is allowed to communicate. Such a solution lacks granularity and flexibility. For example, it may be desirable to allow some packets from port A to be forwarded to port C and to block other packets from being forwarded from port A to port C.
Two other methods for providing layer 2 port blocking are referred to by the assignee of the subject matter described herein as limit learning and MAC lockdown. According to limit learning, a set number of MAC addresses that can be learned is configured on a per VLAN basis. Once that number of MAC addresses has been learned, if a frame arrives with a new MAC source address, a black hole entry is added to the forwarding table for that MAC source address so that any packet received with a MAC destination address corresponding to the black hole entry will be discarded. In the MAC lock down feature, an operator issues a run time command to a layer 2 switch to lock down a layer 2 forwarding table so that no additional entries can be learned after the command. Subsequent MAC addresses that are attempted to be learned are added as black hole entries to the table, so that packets with MAC destination addresses corresponding to the black hole entries will be discarded.
While these security features are each suitable for their intended purpose, there exists a long felt need for improved methods, systems, and computer program products for implementing selective layer 2 port blocking using layer 2 source addresses.