1. Field of the Invention
The invention relates generally to communication networks, and more particularly to an apparatus, method, and data structure for providing secure internetworking of packet-based LAN and WAN segments by establishing temporary connections which are protocol independent and transparent to the end systems.
2. Discussion of the Related Art
Secure Fast Packet Switching (SFPS) is a new technology that provides the same or better reliability and security as routers, with much greater packet switching performance and without an increase in cost.
SFPS provides for high performance packet switching based on source and destination MAC IDs, the unique medium access control (MAC) address assigned to each end system by the IEEE. End-to-end connections are determined by a network management application that provides security and best path routing determinations based on a number of constraints. By switching packets based only on MAC layer information, the network infrastructure can remain protocol insensitive. This allows the network to provide an equal QOS to users sending packets based on NetBIOS, LAT, IP, IPX, SNA, or any other protocol. As protocols evolve, the network and its management infrastructure will not have to be reworked to support the new protocols.
More specifically, the system uses source and destination MAC addresses (i.e., physical layer addresses) which alone, or in combination with the input port on the switch, form a unique "connection identifier" for any communication exchange between end systems to be connected through an SFPS device. A specific example is as follows:
input port=2
source MAC address=00:00:1D:01:02:03
destination MAC address=00:00:1D:11:22:33;
together, these form a "tuple" bound to a specific unidirectional flow from source address to destination address. All packets that have this tuple are automatically switched according to the operation of the SFPS.
A secure fast packet switch is described in U.S. Pat. No. 5,485,455, which is incorporated herein by reference in its entirety.
In the '455 patent, a connection database containing a connection table is disclosed that contains entries for each end system pair (i.e., source address (SA)/destination address (DA)) that can communicate with each other.
It would be desirable to provide a way of reducing the number of connection table entries required so as to in turn reduce the amount of memory required in the secure fast packet switch.
Broadly, the present invention relates to a method and apparatus for reducing the number of entries required in the connection table described in the '455 patent, while still maintaining all of the benefits of the secure fast packet switch. In one embodiment of the invention, the number of entries required is one half the number of entries that would be required if the connection table had a single connection entry for every SA/DA pair. This results in a 50% savings in the amount of memory required. Advantageously, the reduction in the amount of memory required means that twice as many SA/DA pairs can be stored in the connection table, thus doubling the effective capacity of the database memory associated with the secure fast packet switch.
The present invention improves upon the system disclosed in the '455 patent by providing, in a secure fast packet switch having a plurality of input ports and a plurality of output ports, a method of determining which port in the plurality of output ports data that is received on one input port in the plurality of input ports is to be sent to, the method including the steps of determining a physical layer address of a sending node, determining a physical layer address of a receiving node, determining an input port in the plurality of input ports that the data was received on, determining if the physical layer address of the sending node and the physical layer address of the receiving node are an allowed combination, determining the magnitude of the node identification number of the sending node, determining the magnitude of the node identification number of the receiving node, obtaining outbound port information from a first predetermined location in a data structure stored in a memory if the magnitude of the node identification number of the sending node is greater than the magnitude of the node identification number of the receiving node, and obtaining outbound port information from a second predetermined location in the data structure stored in the memory if the magnitude of the node identification number of the sending node is less than the magnitude of the node identification number of the receiving node.
In another embodiment of the invention, the method further includes the step of obtaining input port information from a third predetermined location in the data structure stored in the memory if the magnitude of the node identification number of the sending node is greater than the magnitude of the node identification number of the receiving node.
In another embodiment of the invention, the method further includes the step of obtaining input port information from a third predetermined location in the data structure stored in the memory if the magnitude of the node identification number of the sending node is less than the magnitude of the node identification number of the receiving node.
In accordance with another aspect of the invention, a data structure is provided, the data structure including a first field in a first predetermined location in the data structure, the first field containing data identifying a first input port in the switch, a second field in a second predetermined location in the data structure, the second field containing data identifying a second input port in the switch, a third field in a third predetermined location in the data structure, the third field containing data identifying a first output port in the switch, and a fourth field in a fourth predetermined location in the data structure, the fourth field containing data identifying a second output port in the switch.
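The following is an added illustration of the shared-entry connection table and the magnitude-based lookup described above; it is not code from the patent. It assumes the four fields are laid out as two (input port, output port) pairs, one per direction, that the table is keyed by the unordered MAC pair, and that a frame whose input port does not match the stored field is dropped rather than forwarded (the '455-style connection identifier includes the input port).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into an integer so two MACs can be compared by magnitude."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac}")
    return int("".join(parts), 16)


@dataclass
class ConnectionEntry:
    # Fields used when the sending node's MAC is numerically greater than the receiver's.
    in_port_hi_to_lo: int
    out_port_hi_to_lo: int
    # Fields used for the reverse flow (lower MAC sends to higher MAC).
    in_port_lo_to_hi: int
    out_port_lo_to_hi: int


# One entry per unordered SA/DA pair, keyed (lower MAC, higher MAC): half the entries
# of a table that stores SA->DA and DA->SA separately.
ConnectionTable = Dict[Tuple[int, int], ConnectionEntry]


def add_connection(table: ConnectionTable, mac_a: str, port_a: int, mac_b: str, port_b: int) -> None:
    """Authorise mac_a (attached at port_a) and mac_b (attached at port_b) to exchange packets."""
    a, b = mac_to_int(mac_a), mac_to_int(mac_b)
    if a == b:
        raise ValueError("a node cannot be both endpoints of a connection")
    lo_mac, lo_port, hi_mac, hi_port = (a, port_a, b, port_b) if a < b else (b, port_b, a, port_a)
    table[(lo_mac, hi_mac)] = ConnectionEntry(
        in_port_hi_to_lo=hi_port, out_port_hi_to_lo=lo_port,
        in_port_lo_to_hi=lo_port, out_port_lo_to_hi=hi_port)


def lookup_out_port(table: ConnectionTable, in_port: int, src_mac: str, dst_mac: str) -> Optional[int]:
    """Return the output port for a received frame, or None if the frame must be dropped."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    entry = table.get((min(s, d), max(s, d)))
    if entry is None or s == d:
        return None  # SA/DA pair is not an allowed combination: no connection exists
    if s > d:  # sender has the greater node identification number: first location
        expected_in, out = entry.in_port_hi_to_lo, entry.out_port_hi_to_lo
    else:      # sender has the lesser node identification number: second location
        expected_in, out = entry.in_port_lo_to_hi, entry.out_port_lo_to_hi
    if in_port != expected_in:
        return None  # (input port, SA, DA) tuple does not match the stored connection
    return out
```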