The present invention relates to methods and apparatus for controlling computer network security.
A conventional switch is a multiport network device that can be used to connect elements of a communication network. Fundamentally, the switch operates to provide routing services for transporting packets through the switch on toward a destination.
A Layer 2 switch provides Ethernet frame forwarding based completely on a media access control (MAC) addresses contained in each frame and associated with the destination. Accordingly, a conventional Layer 2 switch will provide packet forwarding if the switch knows the destination's location (or based on assumptions of a destination's location). A conventional Layer 2 switch may be programmed with such information or learn dynamically. A MAC table (or L2 Forwarding Table) is the repository of the learned information, allowing for routing decisions to be made based on the destination MAC address to a proper port of the device.
In addition to switching, Layer 2 switches can perform access control using, for example, access control lists (ACLs). ACLs can be used to identify frames according to their MAC addresses, VLAN IDs, protocol types (for non-IP frames), IP addresses, protocols, and Layer 4 port numbers. ACLs can be used to stop the forwarding process.
As a final matter, Layer 2 switches can include other control lists that can be used to control quality of service (QoS). QoS ACLs can be used to classify incoming frames according to quality of service (QoS) parameters, to police or control the rate of traffic flows, and to mark QoS parameters in outbound frames.
A multilayer switch (or one that conforms to the multilayer switching (MLS) protocol) can be used to perform switching at different levels, using two different types of information as a basis for forwarding decisions. One example is a Layer 2/Layer3(L2/L3) switch. In a conventional L2/L3 switch, each packet is pulled off an ingress queue and inspected for both Layer 2 and Layer 3 destination addresses. The decision where to forward the packet is based on two address tables (an L2 forwarding table and a L3 forwarding table). How or whether to forward the packet is still based on access control list results. For the L2 forwarding decision, the destination MAC address is used as an index to the L2 forwarding table. If the frame contains a Layer 3 packet to be forwarded, the destination MAC address is that of a Layer 3 port on the switch. Similarly, the L3 forwarding table is consulted, using the destination IP address as an index. The longest match in the table is found (both address and mask), and the resulting next-hop Layer 3 address is obtained. The L3 forwarding table can also contain each next-hop entry's Layer 2 MAC address and the egress switch port (and VLAN ID), so that further table lookups are not necessary.