Communications networks continue to grow and improve in today's world. A common issue in such networks is how to control usage of network resources by users.
As used herein, a “network” or a “communications network” is group of two or more devices interconnected by one or more segments of transmission media on which information may be exchanged between the devices. There are a variety of types of networks, including, but not limited to, telecommunications networks, data communications networks and combinations thereof. As used herein, a “network device” is a device configured as part of a network, and the terms “comprising”, “including”, “carrying”, “having”, “containing”, “involving”, and the like are to be understood to be open-ended, i.e., to mean including but not limited to.
As used herein, a “network resource” is a resource included as part of a communications network, including network devices, information stored on the network devices and bandwidth available on the transmission medium or mediums of the network. Such network devices may be and/or include any of a variety of types of devices, including, among other things, switching devices, workstations, personal computers, terminals, laptop computers, end stations, servers, gateways, registers, directories, databases, printers, fax machines, telephones, transmitters, receivers, repeaters, and any combinations thereof. Such transmission mediums may be any of a variety of types of mediums, including, but not limited to, electrical cables or wires, fiber optic cables, and air, on which carrier waves are transmitted.
As used herein, a “switching device” is a device that serves as an interface between a plurality of transmission mediums, for example, two or more electrical cables or wires, two or more fiber optic cables, two or more carrier waves or two or more of any combination thereof.
As used herein, “plurality” means two or more. Typically, a switching device is part of a network and has a plurality of physical ports, wherein at least one of the physical ports is operative to receive packets from a first transmission medium and at least one other of the physical ports is operative to transmit packets on a second transmission medium. Types of switching devices include, but are not limited to, switches, hubs, routers, and bridges. A general purpose computer may be configured to serve as a switching device.
As used herein, a “physical port” is a physical component of a device that receives and/or transmits packets. As used herein, a “virtual port” is a logical module resident on a network device that represents a communication channel (e.g., a time slot or frequency channel) of communications received on a transmission medium at a physical port. Thus, multiple virtual ports may be defined for a physical port, where each virtual port represents a different communication channel corresponding to the physical port.
As used herein, a “logical port” is an abstraction representing an endpoint to a higher layer (e.g., transport or application layer) logical connection on a device. A port number for a logical port may represent the type of the logical port in accordance with a standard or protocol. For example, port 80 is typically used to specify a logical port serving as an endpoint to an HyperText Transfer Protocol (HTTP) connection.
Controlling usage of network resources may include, but is not limited to: denying one or more packets access to any network resources beyond a network device (i.e., dropping the packet); regulating bandwidth on the network consumed by packets received from the user, for example, by assigning priorities to received packets or applying rate limiting to received packets; denying access to certain network resources, for example, by assigning a Virtual Local Area Network (VLAN) to the packet; and routing the packet. VLANs are described in more detail in IEEE 802.1Q: IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, Dec. 8, 1998, the entire contents of which are hereby incorporated by reference. Assigning a VLAN to a packet and/or assigning a priority to a packet, may be referred to herein as “classifying” a packet. As used herein, a “packet” is a unit of communication exchanged between devices.
FIG. 1 is a block diagram illustrating an example of a communications network 100. Network 100 may include one or more interconnected Local Area Networks (LANs), Metropolitan Area Networks (MANs), or combinations thereof. Further, network 100 may serve as a communications network for a business organization or other type of enterprise, and as such may be considered an “enterprise” network.
Network 100 may include a plurality of devices of varying type, including any of network entry devices 114, 116, 120, 124 and 144, printer 122, fax machine 123, application server 134, switching device 136, device 138 and authentication server 142. Switching device 136 may be configured as a core switching device that serves as a more centralized switching device for network 100 than the network entry devices.
A network entry device may include one or more port modules, and one or more of these port modules may be an entry port module.
As used herein, a “port module” of a switching device includes a physical port of the device and port processing logic associated with the physical port. Such port processing logic may include switching logic, memory, and one or more processors for configuring the port module and for processing packets sent to and received at the port module. Such port processing logic may be divided into one or more virtual ports, each virtual port corresponding to a communication channel of the physical port. The port processing logic may include separate switching logic, memory and processors for each virtual port or may share such components between one or more virtual ports. Further, the switching logic, memory and processors of a port module may be shared with several other port modules. A port module may be implemented as part of a port interface card (PIC), which may include one or more port modules.
As used herein, an “entry port” is a physical port of a network device that serves as a user's entry point into a network. Thus, to communicate with devices on the network, a user's device may transmit one or more packets to an entry port. Further, as used herein, an “entry port module” is a port module of a network device that includes an entry port.
As used herein, a “network entry device” is a network device that includes at least one entry port module. Thus, from the perspective of other devices, a network entry device serves as an entry point to the network for at least one user. A network entry device may reside at an edge or boundary of the communications network and provide connectivity between network resources of the communications network and devices located external to the communications network. Such network entry device may be any of a variety of types of devices, for example, a switching device.
As used herein, a “user device” is a device used by a user of a communications network to perform at least one of the following: receive a packet from the network and send a packet to the network. Types of user devices may include, but are not limited to, workstations, terminals, personal computers, laptops, telephones, pagers, BlackBerry™ brand devices, and personal digital assistants (PDAs).
An entry port module may be coupled to a user device by a shared transmission medium or a dedicated transmission medium. As used herein, a “shared transmission medium” is a transmission medium connected to a port module of a first device and over which multiple other devices may exchange packets with the first device. For example, a gateway server for an enterprise network may have a port module connected to the Internet by a T-3 cable, over which several users of the enterprise network may exchange packets with the Internet. Another example is an Ethernet cable connected to multiple user devices of a LAN.
In contrast to a shared transmission medium, a dedicated transmission medium is a transmission medium that is connected to a port module of a first device at one end over which only one other device may exchange packets. For example, a user device may be directly-coupled to a switching device by a dedicated transmission medium.
As used herein, two devices are “directly-coupled” if no intervening device is communicatively disposed between the two devices that, for packets exchanged between the two devices, is operative to change the content of such packets or to make decisions regarding forwarding such packets. For example, two devices are directly-coupled if they are connected by: a single segment of transmission medium (e.g., fiber optic cable, electrical cable or air) and no device is communicatively disposed between the two devices; two or more serially-connected segments of transmission medium connected by one or more repeaters; and two or more serially-connected segments of transmission medium connected by one or more transceiver pairs. An example of two devices that are not directly-coupled would include two devices with a switch communicatively disposed between them.
Referring to FIG. 1, network entry device 114 may include an entry port module 108 that is connected to user devices 102 and 104 by a shared wire-based transmission medium 106. As used herein, a “wire-based transmission medium” is a transmission medium that is not air, for example, an optical cable or an electrical wire or cable. Accordingly, a “shared wire-based transmission medium” is a wire-based transmission medium that connects two or more devices.
Entry port module 113 of network entry device 114 may be connected to user device 110 by a dedicated wire-based transmission medium 112.
Entry port module 118 of network entry device 116 is connected to user devices by a shared wireless (i.e., air) transmission medium 119, which by nature is a shared transmission medium. Multiple user devices may concurrently exchange packets with the entry port module 118, establishing communication channels using known or later developed multiplexing schemes (e.g., time division, frequency division, code division, or combinations thereof). Accordingly, port module 118 may include a plurality of virtual ports, each virtual port corresponding to one of the communication channels. It should be noted that such multiplexing schemes, as well as others such as space division multiplexing, may be used on any port module (e.g., 108, 118 and 146) on which multiple users share a transmission medium.
Entry port module 146 of network entry device 144 is connected to user device 150 by the Internet 148 and shared transmission medium 152.
Entry port modules 126, 128 and 130 of network entry device 124 may be connected to user device 133 by a Public Switched Telephone Network (PSTN) 132 and by shared transmission mediums 154. Although transmission mediums 154 are shared, any of ports 126, 128 and 130 may be configured along with devices to which they are coupled on the PSTN to make any of transmission mediums 154 dedicated to user device 133 for the duration of a session, such as a telephone call during which data is exchanged.
Any of the network entry devices 114, 116, 124 and 144 may be coupled by different port modules to both shared and dedicated transmission mediums as well as wire-based and wireless transmission mediums.
One technique used to control usage of network resources is to apply user authentication to restrict access to network resources. Technologies that employ user authentication techniques include, among others, network operating systems (NOSs) (e.g., Netware by Novell and Windows NT), Remote Authentication Dial-In User Service (RADIUS) and IEEE 802.1X: Port Based NetworkAccess Control, 2001. RADIUS is described in Request For Comments (RFC) 2138, entitled Remote Authentication Dial In User Service (RADIUS) by C. Rigney et al., promulgated by the Internet Engineering Task Force (IETF), published April, 1997, and available as of the date of this filing at: http://www.ietf.org/rfc/rfc2138.txt? number=2138., the entire contents of which are hereby incorporated by reference. IEEE 802.1X, , the entire contents of which are hereby incorporated by reference, defines a standard for providing port-based network access control on a Media Access Control (MAC) bridge.
Typically, such authentication technologies require a user to initially log-in to a network, for example, by entering a username, password and possibly other credentials, before having access to information stored on the network. Logging in may include exchanging packets between a device of the user (e.g., user device 102, 104, 110, 133 or 150) and one or more network devices (e.g., switching device 136 and authentication server 142), and these packets may be transmitted through a network device (e.g., 114, 116, 124 or 144) serving as the user's entry point in to the network.
After a user (e.g., 102) has successfully logged in, however, the user typically is free to use at least some network resources beyond the network device serving as the user's entry point (e.g., 114). For example, the user may be allowed to consume bandwidth and processing resources on switching devices (e.g., 136) to communicate with other devices on the network (e.g., application server 134), and allowed to access applications and information provided on the network.
Although some applications resident on network devices (e.g., application server 134) may require additional authentication of a user before providing the user access to certain information, the user still is allowed to use network resources beyond the user's entry point before the authentication is performed. Specifically, the user consumes bandwidth on transmission media between the user's device and the network device on which the application resides, consumes processing power on switching devices between the user device and the network device, and consumes processing power on the network device itself as it executes the application.
Another technique for controlling usage of network resources is based on network infrastructure. For example, a network topology may be configured such that there is no possible transmission path between two or more devices. Further, switching devices on the network may be configured to forward packets received at the switching device based on the physical port at which the packet was received. For example, a switching device may be configured not to allow a physical port to receive any packets, or to forward all packets received at one physical port to another physical port on the switching device, or to assign or append the same VLAN header to all packets received at a particular physical port. A VLAN header may include a VLAN identifier and a priority, for example, as described in more detail in IEEE 802.1Q.
Such techniques, however, do not take into consideration the identities of the users that transmitted the packets. Thus, controlling the usage of network resources cannot be based on the identities of those users. Accordingly, if a user accesses such communications network from a different port, possibly from even a different network device, the user may be permitted a different usage of network resources. This problem becomes more significant as the use of mobile user devices and the implementation of wireless networks becomes more prevalent, because users are more likely to access a network from a different point in such wireless networks.
Another technique for controlling usage of network resources is to analyze information included in packets and forward the received packets based on the information. For example, some switching devices may be configured to examine information included in a received packet, for example, a source Media Access Control (MAC) address, a destination MAC address, or a protocol, and forward the packet or assign a VLAN header to the packet based on this information, for example, as described in more detail in IEEE 802.1Q. A switching device configured as such may serve as an entry point to the network for one or more users.
Such technique, however, does not take into consideration the identities of the users that transmit the packets, and, therefore, usage of network resources cannot be controlled at a switching device based on such identities.
Use of a firewall (e.g., firewall 140) is another example of a technique for controlling usage of network resources by analyzing information included in packets and forwarding the received packets based on the information. A firewall resident on a device (e.g., device 138) of a private network (e.g., 100) may include one or more programs configured to analyze packets transmitted from a device of an authorized user (e.g., user device 102 or 133) of the private network, and to determine whether and/or how much usage of resources external to the private network is allowed for the authorized user. For example, the authorized user may attempt to access a web page by transmitting a packet destined for the Internet (e.g., Internet 148). The firewall may be configured to intercept such packets and determine whether to allow the packets to proceed on to the Internet, or apply some form of rate limiting to limit the amount of bandwidth the user can use in communicating with the web site.
Such firewall may perform similar analysis to incoming packets from users (e.g., user 150) outside of the private network to control usage of resources of the private network. For example, the firewall may be configured to prevent unauthorized users from accessing network resources, and may be configured to establish a Virtual Private Network (VPN) across one or more publicly-accessible networks (e.g., the Internet) with a user device.
Similar to as described above for applications employing user authentication, a problem with typical firewalls is that users are allowed to use network resources beyond their respective entry points to the network before the firewall is ever enforced. Specifically, for each packet transmitted by a user, the user consumes bandwidth on transmission media between the network device serving as the user's entry point and the network device on which the firewall resides, consumes processing power on switching devices between the user device and the network device, and consumes processing power on the network device on which the firewall resides while executing the programs of the firewall.
Thus, although several techniques are known for controlling usage of network resources by a user, none of these known techniques are capable of controlling usage of network resources by a user, after the user has been authenticated, based on an identity of the user, without using any of the network resources beyond the user's entry point.
Another problem with typical communications networks is that network administrators may have to administer the configuration of the network at a relatively high technological level. For example, although a network administrator may be more concerned with higher level network issues such as implementing a most efficient network topology or installing a network firewall, a network administrator may be bogged down in the details of defining rules for assigning VLANs to packets received at devices on the networks. Assigning such rules may require a high level of technical knowledge of the format of the packet and which field of the packet to examine to determine a VLAN. Besides not having the time for such low level detail, a network administrator may not have the technical skill to adequately address such low level detail.
Another problem with typical communications networks is that network administrators may have to administer the configuration of a network on a per instance or per element basis. Thus, network administrators may have to configure each switching device or each port of a switching device individually. Such administration is problematic, as it requires the network administrator to duplicate the steps involved in configuring a parameter repeatedly for each element of the network. For example, the network administrator may continuously implement seemingly unrelated instances of a rule for assigning a VLAN to packets without any understanding that: a) many of the rules have been used numerous times before, and will be used many times again, and b) groups of the rules are related to each other and may be deployed in concert to deliver a specified behavior.