This invention relates to switches used in local and wide area networks, and network systems including such switches.
Because of their convenience, speed, and all-hour availability, automated teller machines ("ATMs," also called "automatic teller machines") are fast becoming a ubiquitous sight in many places other than banks. Aside from the traditional services available at ATMs, such as withdrawing and depositing cash, requesting balances, making loan payments, and transferring funds, ATMs can also be used for providing postage stamps and dispensing discount coupons. Other future convenient uses are being planned. This expansion of services, coupled with the ability of ATM owners to charge users fees, will result in increasing numbers of ATMs being installed at retail locations remote from any bank.
Many retail stores in which ATMs may be located already have communications networks installed because of credit card processing requirements or because the retail stores are part of communications links to other stores in a retail chain. For stores that are part of a retail chain, such an existing network promotes, for example, uniform pricing strategies and ordering procedures and monitoring of the chain's inventories, whether held at a central warehouse or at other stores in the chain.
Because ATM data traffic contains sensitive information, there are security considerations involved in installing ATMs in remote locations. One way to keep data traffic from an ATM secure is to use a dedicated network connection. FIG. 1A shows retail location 100 in which a connection from customer local area network ("LAN") 110 to customer network data center 130 already exists through router 120. Customer LAN 110 may include cash registers, credit card terminals, and other store-based machines connected to a customer network. Router 120 manages communications between customer LAN 110 and customer network data center 130. A dedicated ATM connection requires connecting ATM LAN 140 to ATM network data center 160 via additional router 150 and other equipment not shown. ATM LAN 140 is depicted in FIG. 1A as a single ATM but could include one or more ATMs. An example of ATM network data center 160 is a data center operated by Electronic Data Systems Corporation, assignee of the present invention.
A dedicated ATM network connection in retail location 100 which already has a customer LAN in place would be secure, but it would require a duplication of the equipment and facilities used for the network already in place. This duplication could easily cost a proprietor as much as $15,000 or more, and would be more than double the cost of the existing installation. In addition, there would be twice as much equipment to control and monitor.
Because adding a separate data network connection for an ATM would not be cost-effective for a proprietor, an alternative is to share existing resources between the two LANs. This can be done by combining the ATM LAN traffic and customer LAN traffic onto a single wide area network ("WAN") connection, and from there communicating with the customer network and the ATM network data centers. A conventional way of combining data traffic is by using a shared Ethernet hub, as pictured in FIG. 1B. In that figure, ATM LAN 140 and customer LAN 110 are connected to shared Ethernet LAN 170, which is connected to shared hub 180. Shared hub 180 is connected to WAN 190 via router 120, and WAN 190 is connected to customer network data center 130 and ATM network data center 160. WAN 190 may also be a frame relay network or a satellite network. Using an Ethernet LAN allows any device attached to the LAN to receive all data flowing on the LAN. In order to control this traffic, each data packet header contains the address of the destination machine. Ethernet protocols send data packet information to all the machines on the same network, and each machine receives the information destined for it based on the destination address.
In exchange for the small expense of adding a shared hub and an Ethernet LAN, this network combination has only one router and one connection to a network. The system of FIG. 1B is much less expensive than the separate networks of FIG. 1A, and its installation and management are simplified.
This system, however, is not secure. Even though only the machine having the address matching the address of the packet header is supposed to accept the packet, it is possible in this system for a machine operating in "promiscuous" mode to accept all packets regardless of the address in the packet header. It is fairly easy for anyone to observe the data traffic flowing over this Ethernet, and programs to accomplish this are easily available on the Internet, for instance. Also freely available throughout the Internet are other methods of attacking an ATM LAN, such as wiretapping the phone line over which the ATM LAN operates. Wiretapping monitors data traffic over a phone line and can make a standalone ATM vulnerable by placing a tap anywhere between the ATM and the host computer.
Therefore, to have an ATM LAN share facilities with a customer LAN is problematic: the customer can interact with the ATM and can see and intercept ATM data. Within a retail location, the risk is great that a disgruntled employee or thief will attempt to exploit an installed ATM LAN with a minimal risk of being caught. Anyone with a laptop computer can easily obtain access to the ATM LAN. In addition, once the Ethernet LAN is compromised, the WAN too is compromised because an intruder will have easy access to the wider network. The goodwill of the ATM network administrator will eventually suffer.
Because of this lack of security and broadcast control, it is not acceptable to use a shared Ethernet LAN. One solution to these security problems is to use an Ethernet switch with virtual LAN ("VLAN") capabilities. A virtual (or logical) LAN is a local area network that maps workstations connected to it on a basis other than by geographic location, such as, for example, by department, type of user, or primary application. The VLAN controller is able to reconfigure the connections in order to manage load balancing and bandwidth allocation more easily than by using a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical arrangement.
A VLAN may encompass one or more switch ports and it may operate between any port or ports. This ensures that stations connected to ports that are not members of the VLAN do not receive broadcasts, and data traffic produced by a station in one VLAN is delivered only to stations within that same VLAN. Implementing secure VLANs makes network administration more efficient and secure.
Setting up VLANs in such circumstances solves the problem of isolating the ATM LAN data and preventing unauthorized access to ATM LAN data. However, other issues arise with respect to administering ATM LANs in locations remote from the network administration center. Two features of network administration that are used to adequately manage, maintain, and monitor a network are Simple Network Management Protocol ("SNMP") and Remote Network Monitoring Specification ("RMON").
SNMP is a simple request and response Internet protocol used for governing network management. Among other things, SNMP is used for alert and alarm notification. For instance, if a remote ATM is replaced by another device, SNMP will detect an error and report back to the network administrator that the port to which the ATM was connected has been closed and that the device connected to that port is reporting a media access control ("MAC") address that does not match the ATM's MAC address. SNMP will also detect if there is loss of connectivity to the ATM. Other examples are: determining whether a machine needs service if it resets; and detecting an event that is unusual or improper based on the circumstances, such as a device being active at 3 o'clock in the morning in a store that is only open until midnight.
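As an added illustration, not part of the patent text, the alert conditions just listed can be expressed as checks run by a management station over the notifications it receives about the ATM port. The script below is constructed here and uses no real SNMP library: the event records stand in for what an SNMP agent on the switch would report. The port number, the expected ATM MAC address, the store hours and the sample events are all assumptions made for the example.

```python
"""Constructed example: alert rules for the ATM port of a managed switch.

Not code from the patent or from any SNMP implementation.  PortEvent records
stand in for agent notifications; the MAC address, port number, store hours
and sample events below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class PortEvent:
    """One notification about a switch port, as an agent might report it."""
    time: datetime
    port: int
    kind: str                  # "link_up", "link_down", "reset" or "traffic"
    mac: Optional[str] = None  # source MAC seen on the port, when known


@dataclass(frozen=True)
class Alert:
    time: datetime
    port: int
    rule: str
    detail: str


def store_is_open(t: datetime, open_hour: int, close_hour: int) -> bool:
    """True when the store is open at time t (close_hour=24 means midnight)."""
    return open_hour <= t.hour < close_hour


def check_events(events, expected_mac: str, atm_port: int,
                 open_hour: int = 6, close_hour: int = 24) -> List[Alert]:
    """Apply the four rules from the text to events on the ATM port, in time order."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.port != atm_port:
            continue  # only the ATM port is policed here
        if ev.kind == "link_down":
            alerts.append(Alert(ev.time, ev.port, "connectivity",
                                "loss of connectivity to the ATM"))
        elif ev.kind == "link_up" and ev.mac and ev.mac.lower() != expected_mac.lower():
            # The device now on the port is not the ATM that was registered there.
            alerts.append(Alert(ev.time, ev.port, "mac_mismatch",
                                f"device reports MAC {ev.mac}, expected {expected_mac}"))
        elif ev.kind == "reset":
            alerts.append(Alert(ev.time, ev.port, "reset",
                                "ATM reset; device may need service"))
        if not store_is_open(ev.time, open_hour, close_hour):
            alerts.append(Alert(ev.time, ev.port, "off_hours",
                                f"port activity at {ev.time:%H:%M} while the store is closed"))
    return alerts


ATM_MAC = "00:11:22:33:44:55"  # assumed MAC of the ATM on port 2


def sample_events() -> List[PortEvent]:
    """Constructed event stream: a normal link-up, an outage, a swapped device,
    activity at 3 a.m., and a reset.  Port 3 (customer LAN) is included to show
    that it is ignored by the ATM-port rules."""
    return [
        PortEvent(datetime(2023, 1, 1, 10, 0), 2, "link_up", ATM_MAC),
        PortEvent(datetime(2023, 1, 1, 11, 0), 2, "link_down"),
        PortEvent(datetime(2023, 1, 1, 11, 5), 2, "link_up", "00:de:ad:be:ef:01"),
        PortEvent(datetime(2023, 1, 1, 12, 0), 3, "traffic", "00:aa:bb:cc:dd:ee"),
        PortEvent(datetime(2023, 1, 2, 3, 0), 2, "traffic", ATM_MAC),
        PortEvent(datetime(2023, 1, 2, 12, 0), 2, "reset", ATM_MAC),
    ]


if __name__ == "__main__":
    for a in check_events(sample_events(), ATM_MAC, atm_port=2):
        print(f"{a.time:%Y-%m-%d %H:%M} port {a.port} [{a.rule}] {a.detail}")
```

The off-hours rule is checked independently of the other three, so an event that is both unexpected in kind and outside store hours raises two alerts; an operator tuning this would typically rate-limit or correlate them rather than suppress either.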
SNMP is a standard Internet protocol, defined in several Requests for Comments ("RFCs"). There are two versions of SNMP: version 1 ("SNMPv1") and version 2 ("SNMPv2"). RFC 1157, entitled "A Simple Network Management Protocol," is one of the RFCs that define SNMPv1; RFCs 1441-1452 define SNMPv2.
RMON is an extension of SNMP and allows network administrators to monitor a network remotely, for instance, from the system headquarters or from the ATM network data center. Using RMON, administrators can monitor, for example, how much traffic is coming from the ATM LAN and how much is coming from the customer LAN when both LANs are located at a customer's remote site. Having a remote monitoring capability improves planning, billing, troubleshooting, and network performance tuning. RMON is a standard Internet specification, defined in RFC 1757. There is also a later version of RMON called RMON 2, defined in RFC 2021.
Switches having both of these capabilities are found in the prior art. For instance, NBase Communications of Chatsworth, Calif., manufactures the NH 2032 Ethernet/Fast Ethernet switch. This switch contains sixteen dual-speed ports (operating at 10 Mbps and 100 Mbps) and has the capability to include as many as sixteen additional Ethernet/Fast Ethernet and other type ports. The NH 2032 also supports VLANs. The switch's dimensions are approximately 48 cm W × 48 cm D × 9 cm H (19″ W × 19″ D × 3.5″ H), and the switch is designed to fit into a standard 19″-wide rack that sits in a central network site.
For several reasons, this type of switch cannot be used in a customer's location to provide switching for an ATM LAN and a customer LAN. First, because of its size, the switch must be rack-mounted, and a rack is generally not available in a remote retail location. Second, even if a rack were available, the switch would likely be in an area of the store accessible to the public, or at least accessible to store employees, such as in a storage room. In such a situation, having access to the rack provides unmonitored and unauthorized access to the ATM LAN data traffic.
A smaller switch, one that can be secured with an ATM or can fit inside a locked ATM, is needed. Switches of that size exist; however, their features are limited. One switch, Cisco 1548 Micro Switch 10/100, manufactured by Cisco Systems, Inc., of San Jose, Calif., is approximately 28 cm W × 23 cm D × 8 cm H (11″ W × 9″ D × 3″ H), potentially small enough to fit into a locked ATM. It contains eight dual-speed ports operating at 10 and 100 Mbps. It supports SNMP, but it does not support VLANs or RMON, features that are desirable when installing an ATM LAN in a remote retail store location.
It would, therefore, be advantageous to have a switch that addresses the above-noted problems and drawbacks of currently available Ethernet switches. It would be advantageous to provide a switch that is small enough to be secured with a network device, such as an ATM, preferably by being locked inside the network device, and that has network management, remote monitoring, and virtual LAN capabilities, so that only authorized personnel would have access to the switch and to the data going through it.
In accordance with the present invention, a switch having an Ethernet switching section is provided for connecting network devices. The switch includes at least three ports connected to the switching section and a network management module which is also connected to the switching section. The switch is capable of arranging the ports to operate in virtual local area networks. The switch is secured with a network device, and is preferably located within the network device.
Preferably, the switch also includes a monitoring module. It is preferable that the monitoring module support RMON and the network management module operate according to SNMP.
Preferably, one of the ports is connected to a router, one of the ports is connected to an ATM or an ATM LAN, and one of the ports is connected to a customer LAN. The customer LAN preferably includes at least one cash register, and may also include a credit card terminal. Alternatively, the credit card terminal may be attached to a fourth port separate from the cash register. Preferably, the switch arranges the router port and the ATM LAN port into one VLAN and arranges the router port and the customer LAN port into another VLAN. In addition, the second VLAN can include the port to which the credit card terminal is attached, or a third VLAN can include the router port and the credit card terminal port.
In accordance with the invention, a system for switching data traffic over a communications network includes a switch having at least three ports, that supports SNMP and RMON, and is capable of arranging its ports into VLANs. A network device is connected to each of at least three of the ports, and two VLANs are arranged, each VLAN including at least two of the ports. The switch is secured with at least one of the network devices.
In a preferred system embodiment, a router which routes signals to an external network is connected to the first port and is included in two VLANs. One VLAN also includes the second port, and the other VLAN also includes the third port, allowing the system to switch between the two VLANs to enable the external network to communicate alternately with the network devices connected to the second and third ports. Preferably, an ATM or ATM LAN is connected to the second port and a customer LAN is connected to the third port.
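To make the isolation property concrete, the following added example (constructed for this text, not code from the patent or from any switch vendor) models the shared hub of FIG. 1B next to a switch whose ports are grouped into VLANs as in the preferred embodiment just described: port 1 carries the router, port 2 the ATM LAN and port 3 the customer LAN, with VLANs {1, 2} and {1, 3}. The forwarding rule is the generic one for port-based VLANs (a frame may only leave through ports that share a VLAN with its ingress port, with unicast delivery to a learned port and flooding otherwise); the MAC addresses and frames are invented for the demonstration.

```python
"""Constructed model of a shared hub versus a port-based VLAN switch.

Not code from the patent or from any vendor.  Port assignments, MAC
addresses and the frames replayed below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class SharedHub:
    """FIG. 1B style: every frame is repeated to every other port."""

    def __init__(self, ports):
        self.ports: Set[int] = set(ports)

    def forward(self, ingress: int, frame: Frame) -> List[int]:
        return sorted(self.ports - {ingress})


class VlanSwitch:
    """Ports grouped into VLANs; a port may belong to more than one VLAN.

    A frame entering on a port may only leave through ports that share at
    least one VLAN with the ingress port.  A unicast destination whose port
    has been learned is delivered to that port alone (or dropped if that port
    is outside the VLAN); unknown and broadcast destinations are flooded,
    but only within the ingress port's VLANs.
    """

    def __init__(self, vlans: Dict[str, Set[int]]):
        self.vlans: Dict[str, FrozenSet[int]] = {
            name: frozenset(ports) for name, ports in vlans.items()}
        self.mac_table: Dict[str, int] = {}  # learned source MAC -> port

    def _egress_candidates(self, ingress: int) -> Set[int]:
        allowed: Set[int] = set()
        for members in self.vlans.values():
            if ingress in members:
                allowed |= members
        allowed.discard(ingress)
        return allowed

    def forward(self, ingress: int, frame: Frame) -> List[int]:
        self.mac_table[frame.src] = ingress  # source learning
        candidates = self._egress_candidates(ingress)
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            port = self.mac_table[frame.dst]
            # A known destination outside the VLAN is dropped, not leaked.
            return [port] if port in candidates else []
        return sorted(candidates)


def run_scenario() -> Dict[str, List[int]]:
    """Replay a few frames through both designs; return which ports got each."""
    router, atm, register = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    hub = SharedHub(ports=[1, 2, 3])
    sw = VlanSwitch({"atm": {1, 2}, "customer": {1, 3}})
    out: Dict[str, List[int]] = {}
    # The ATM announces itself (a broadcast such as ARP) from port 2.
    bcast = Frame(atm, BROADCAST, "who-has router?")
    out["hub_atm_broadcast"] = hub.forward(2, bcast)
    out["sw_atm_broadcast"] = sw.forward(2, bcast)
    # The router answers from port 1; the switch learns the router's port.
    out["sw_router_to_atm"] = sw.forward(1, Frame(router, atm, "router is here"))
    # ATM transaction data to the router goes to port 1 only.
    out["sw_atm_to_router"] = sw.forward(2, Frame(atm, router, "withdrawal request"))
    # A host on the customer LAN addresses the ATM's MAC directly.
    probe = Frame(register, atm, "probe")
    out["hub_customer_to_atm"] = hub.forward(3, probe)
    out["sw_customer_to_atm"] = sw.forward(3, probe)
    return out


if __name__ == "__main__":
    for name, ports in run_scenario().items():
        print(f"{name:22s} -> ports {ports}")
```

The same `VlanSwitch` class accepts any port-to-VLAN mapping, so the four-port arrangements described later in this section (a third VLAN on a fourth port, or a VLAN spanning three ports) can be modelled by changing only the dictionary passed to the constructor.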
In another embodiment, the switch has a fourth port, and a third VLAN includes the first port (connected to the router) and the fourth port. Preferably, the fourth port of the first switch is connected to a port of a second four-port switch, network devices are connected to ports of the second switch, and ports of the second switch are arranged into VLANs.
In another system embodiment, one VLAN includes the first three ports of the switch, and a second VLAN includes the third and fourth ports. This configuration can arrange into the first VLAN a LAN, a router connected to an external network, and a LAN supervisor, and into the second VLAN the supervisor and a server.
In another configuration of this latter two-VLAN arrangement, one network user is connected to the first port, a router that routes signals to a wide area network is connected to the second port, a second user is connected to the third port, and a second router, which routes signals to an external network, is connected to the fourth port.
For a better understanding of the invention, together with other and further objects, reference is made to the following description, taken in connection with the accompanying drawings, and its scope will be pointed out in the appended claims.