The present invention relates generally to an apparatus and a method for detecting machine addresses in a bridged network environment, and for provisioning a bridging device for use in said environment.
Network interface devices are commonly used in large telecommunications and computer networks to provide an interface between two or more smaller subnetworks or subnets. Such interface devices include hardware and software bridges and routers. A bridge is a hardware or software-based network device with a local end and a remote end. The bridge is typically used to connect two disparate or geographically distant networks (a near end network and a far end network), or to divide up a larger network into smaller subnets for reasons of manageability and to minimize unnecessary data traffic throughout the entire network. When powered on, or initialized, the bridge searches for or otherwise determines all of the local machines and devices on its subnet, i.e. connected to its local end. Typically during this process the bridge creates a "learned table" which includes an entry for each machine on its local subnet. The learned table may be supplemented with a "provisioned table", which is typically a table of entries for machines on the local subnet that have been explicitly specified either by an operator or by a software program. The entries in the provisioned table are not usually detected or learned as are the entries in the learned table. Provisioned tables are most often used when security demands that only provisioned or authorized devices be allowed to use the bridge, or when it is desired that certain important devices may be added to the local subnet at a later stage, or in instances where certain devices on the local subnet may be intermittently turned off or removed. To ensure the bridge always knows about these devices, a record is stored in the provisioned table.
In operation, both the learned table (if present) and the provisioned table (if present) are used to control the flow of traffic across the bridge. When the bridge receives a data packet on the local subnet which specifies a destination media access control (MAC) address, it checks all of its machine tables to see if an entry exists for the destination machine, which would indicate that the destination machine is also on the local subnet (i.e., connected to the local end of the bridge). If an entry exists, the bridge does nothing further with the packet. If an entry does not exist, the bridge sends the packet to its remote end. This process sends the packet across, for example, an electrical or optical cable to another, remote network. The bridge doesn't care whether the remote network exists, or whether the destination machine is present there; all it knows is that the destination machine is not on its local subnet and that it should forward the data packet onwards.
Some bridge devices operate between disparate networks. In the context of this application disparate networks are those which operate on different protocols, for example one network may operate using ATM protocol while the other uses IP protocol. In this scenario the bridge may be incorporated into, or combined with, another device or devices which handle the translation from one protocol to another. An example of such a device is the Ethernet line unit (ELU) made by Alcatel USA, Plano, Tex. The ELU is itself typically incorporated into a Litespan Terminal Unit (LTU), also made by Alcatel USA. Together the LTU and ELU allow a subscriber network or LAN (such as a home or office) to connect to an ATM network and thereafter to other ATM devices, such as switches and routers.
When bridging Ethernet frames between a subscriber LAN and the ATM network, Ethernet bridges need to know which frames to ignore, because they are destined for another unit on the subscriber's LAN, and which frames to forward toward the ATM network, because they are destined for a unit not on the subscriber's LAN. Most bridges make this determination by examining the destination MAC address of the frame and comparing it to an internal table of MAC addresses known to be located on the LAN side of the bridge. In conventional bridges, the MAC address table can be built either manually (in which case someone pre-programs them into the table, a "provisioned" method), or automatically (by learning the MAC addresses from the source MAC address present in each Ethernet frame it detects, a "learning" method). Many bridges incorporate both a provisioned MAC-address table (PMT) and a learned MAC-address table (LMT).
Learned tables typically invalidate their entries after a predetermined time-out in order to self-adjust to changing hardware on the networks, so if a permanent entry is desired, it must be provisioned into the PMT. Typically, this provisioning is undertaken remotely by a central operator, or locally on-site by a field technician. The operator or technician must normally review a list of machines that are to be provisioned and enter them one-by-one into the PMT. The initial provisioning procedure is by itself time-consuming, and hence a very expensive process. In addition, the often repetitive nature of such a chore leads to errors in provisioning the table. A simple mis-keyed character can produce a PMT error that causes an entire LAN connection to fail. Such errors are often difficult to track down or locate, and can cause considerable network down-time. Furthermore, correcting them may require additional trips by the technician to the actual bridge site, which adds to the total cost of installing and maintaining the bridge and associated network.
In accordance with the present invention, roughly described, a network bridging element (NBE) is provided with a provisioned MAC-address table (PMT) that is provisioned using a novel time window discovery method, with coordination of the network administrator and an access management system. The network bridging element (NBE) may comprise a full bridge, a half-bridge, or any equivalent bridging or routing device. "Full" or "local" bridges are commonly defined as having two or more LAN ports and act as a bridge between two or more LANs. "Half" or "remote" bridges have both a LAN and a WAN port and communicate with a counterpart bridge device via a WAN (such as an ATM network). When taken together the two matching half-bridges constitute a full bridge. In effect, the actual bridge may be considered to comprise the half-bridge on the local LAN plus the half-bridge on the remote LAN plus the wires (or leased lines) that connect them. In the context of this application an NBE may refer to either a full bridge, half-bridge, or an equivalent device, and the invention may be used in a similar fashion with any such device. As used herein the term access management system is used to describe a system or method used to configure network devices over a wide area network.
In one embodiment of the invention the bridge is allowed, within a specified time period or time window, to learn MAC addresses for the provisioned table, as opposed to the learned table. During this time window, the designated device (which may for example be a standard Windows-based computer, a server system, or any equivalent network device) is powered on and made to send Ethernet frames, so that the bridge can learn the MAC address of the designated device. One way of achieving this is by using an Internet or TCP/IP command. Similarly a ping command (ICMP) can send a request to the bridge. Alternatively, the designated device can be turned from an "off" to an "on" setting while the window is active. Taking the example of a Windows domain, this process may cause the computer to use for example the NetBEUI protocol to send Ethernet frames to discover a domain DHCP host. The bridge will then detect these Ethernet frames. Using any of these methods, or their equivalents, will allow the bridge to learn the computer's MAC address. After the window has expired, or has been terminated by the access management system, the bridge is turned back to a regular learning mode to learn additional MAC addresses for the learned table in the traditional manner.
The present invention addresses the problems associated with manually provisioning a bridge device address table, and reduces the possibility of error in creating such a table. This leads to considerable reductions in time and cost spent on installing and maintaining distributed networks connected or in communication with each other via a bridge device.
In another embodiment the invention comprises a system and a method for creating a device address table or PMT that supports security features which prohibit un-provisioned or un-authorized devices on a distributed network from actually using or sending data via the bridge.
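The forwarding decision, the time-window discovery mode and the security mode described above, modelled together in a small Python simulation. This is an added example written for this page, not the patent's or Alcatel's implementation; the class name, the `secure` flag, the LMT aging parameter and the timestamps are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class NetworkBridgingElement:
    """Hypothetical NBE model: a learned MAC table (LMT) with aging, a
    provisioned MAC table (PMT), a discovery window during which source
    MACs are learned into the PMT, and a secure mode in which only
    provisioned sources may use the bridge."""
    age_limit: float = 300.0                 # LMT entries time out after this many seconds
    secure: bool = False                     # drop frames from un-provisioned sources
    pmt: Set[str] = field(default_factory=set)
    lmt: Dict[str, float] = field(default_factory=dict)   # mac -> last-seen time
    window_end: Optional[float] = None       # discovery window open until this time

    def open_window(self, now: float, duration: float) -> None:
        """Operator / access management system opens the discovery window."""
        self.window_end = now + duration

    def close_window(self) -> None:
        """Access management system may terminate the window early."""
        self.window_end = None

    def in_window(self, now: float) -> bool:
        return self.window_end is not None and now < self.window_end

    def handle_frame(self, src: str, dst: str, now: float) -> str:
        """Process one Ethernet frame seen on the LAN side.
        Returns 'drop', 'local' (destination is on the local subnet) or
        'forward' (send to the remote end)."""
        if self.in_window(now):
            self.pmt.add(src)                # time-window discovery: provision the source
        elif self.secure and src not in self.pmt:
            return "drop"                    # un-authorized device may not use the bridge
        else:
            self.lmt[src] = now              # regular learning mode
        # invalidate learned entries older than the time-out (PMT entries never age)
        self.lmt = {m: t for m, t in self.lmt.items() if now - t <= self.age_limit}
        if dst in self.pmt or dst in self.lmt:
            return "local"                   # destination is on the local subnet: do nothing
        return "forward"                     # unknown destination: send across the bridge
```

MAC strings in the test are constructed sample values; the broadcast destination during the window shows that a ping or DHCP discovery frame is still forwarded while its source is being provisioned.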