1. Field of the Invention
The present invention relates generally to the field of wirelessly connected computer networks and particularly the assignment of networked computers to sub-networks based on the security level of the connection enabled by each networked computer.
2. Description of the Related Art
Current technology has allowed the global expansion of proprietary networks, thereby creating the potential for a dispersed workforce. To efficiently incorporate individuals from different physical locations into coordinated workgroups, specialized sub-networks, called Virtual Local Area Networks (VLANs), can be used. VLANs are logically, rather than physically, defined sub-networks. VLANs, which can include any type of data traffic creators (e.g. portable and desktop computers, servers, printers, or other peripherals), can be defined according to various policies or selection parameters.
In one embodiment, VLAN technology allows a system administrator to group ports of various switches and the users associated with such ports into defined communities. For example, FIG. 1 illustrates three logically defined sub-networks, i.e. VLANs 101, 102, and 103. The computer icons, shown in VLANs 101, 102, and 103, represent users within those sub-networks. In this embodiment, the network includes two switches 104 and 105, each switch having eight ports (shown as circles). VLAN 101 comprises four ports of switch 104 and three ports of switch 105; VLAN 102 comprises two ports of switch 104 and five ports of switch 105; and VLAN 103 comprises two ports of switch 104 and zero ports of switch 105. In this network configuration, each VLAN allows communication between its own users (i.e. as if the users were on a common LAN), but restricts communication between users of different VLANs. VLANs 101, 102, and 103 could represent various groups within a company, such as engineering, sales, and accounting. When a user moves from one port to another, the system administrator can reconfigure the VLAN membership to include that user.
In another embodiment, VLAN membership can be based on a MAC-layer address. In a MAC address-based VLAN, users can be initially configured to be in at least one VLAN, thereby allowing the subsequent tracking of such users. When the user changes location, the VLAN configuration may change or remain constant, based on the MAC-layer address. U.S. Pat. No. 5,684,800 provides an illustrative explanation of the operation and configuration of MAC address-based VLANs and is incorporated by reference herein.
Advantageously, VLANs are supported over all IEEE 802 LAN MAC protocols. Moreover, VLANs can provide 1:N communication (i.e. shared media traffic) as well as 1:1 communication (i.e. point-to-point traffic). Additional advantages of VLANs, as well as the standardized format for frame tagging of VLANs, are provided in the IEEE 802.1Q standard published in 1999.
Increasingly, users want to encrypt their communications, especially in wireless environments, which are particularly susceptible to interception. The 1999 IEEE 802.11 standard includes encryption as a service. However, this encryption methodology provides only low-level security. Therefore, a need arises for implementing higher-level security encryption methodologies into VLANs.