1. Technical Field
The invention relates to VLANs. More particularly, the invention relates to a bridged cryptographic VLAN.
2. Description of the Prior Art
Basic VLAN Concepts
FIG. 1 shows a simple port-based VLAN 10, comprised of two VLANs, i.e. VLAN A 13 and VLAN B 15. The VLAN to which an untagged frame received at a port belongs is determined by the Port VLAN ID (PVID) assigned to the receiving port, or by the VLAN ID (VID) associated with the link-layer protocol carried in the frame (see IEEE Std 802.1v-2001, Virtual Bridged Local Area Networks—Amendment 2: VLAN Classification by Protocol and Port). There must be a way to convey VLAN information between the bridges 12, 14 because they are connected by a trunk link 16 that can carry frames from more than one VLAN. A VLAN tag is added to every frame for this purpose. Such frames are called VLAN-tagged frames.
Trunk Links
A trunk link is a LAN segment used for VLAN multiplexing between VLAN bridges (see IEEE Std 802.1v-2001, Virtual Bridged Local Area Networks—Amendment 2: VLAN Classification by Protocol and Port). Every device attached to a trunk link must be VLAN-aware. This means that they understand VLAN membership and VLAN frame formats. All frames, including end station frames, on a trunk link are VLAN-tagged, meaning that they carry a non-null VID. There can be no VLAN-unaware end stations on a trunk link.
The trunk link 16 in FIG. 1 is a multiplexed LAN segment shared by two bridges 12, 14. In general, many VLAN-aware bridges may be attached to a trunk link.
The access links 11 are LAN segments that do not multiplex VLANs. Instead, each access link carries untagged frames or VLAN-tagged frames belonging to a single VLAN. If frames are tagged then all frames on the segment carry the same VID and end stations on the LAN segment must be VLAN aware.
Various limitations are encountered with the current state of VLAN art. One problem is that of cryptographic separation of VLANs over trunk links. The introduction of a scheme to solve such problem itself raises the issue of efficient frame transfer between encrypted and unencrypted LAN segments which represent a single VLAN.