Case 5:14-cv-05343-PSG   Document 1-10   Filed 12/05/14   Page 1 of 22

Exhibit 10

United States Patent                         (10) Patent No.: US 7,200,145 B1
Edsall et al.                                (45) Date of Patent: *Apr. 3, 2007

(54) PRIVATE VLANS

(75) Inventors: Thomas J. Edsall, Cupertino, CA (US); Marco Foschiano, San Jose, CA (US); Michael Fine, San Francisco, CA (US); Thomas Nosella, Sunnyvale, CA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 302 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 10/840,212

(22) Filed: May 5, 2004

(51) Int. Cl.: H04L 12/56 (2006.01)

(52) U.S. Cl.: 370/389; 370/401; 709/225

(58) Field of Classification Search: 370/389, 370/392, 401, 464, 465; 709/218, 221, 225. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,959,989 A    9/1999    Gleeson et al.
6,058,429 A    5/2000    Ames et al.
6,111,876 A    8/2000    Frantz et al.
6,147,995 A    11/2000   Dobbins et al.
6,208,649 B1   3/2001    Kloth
6,304,901 B1   10/2001   McCloghrie et al.
6,560,236 B1   5/2003    Varghese et al.

OTHER PUBLICATIONS

Tanenbaum, Andrew, Computer Networks, Third Edition, Prentice Hall, 1996, pp. 417-419.

Primary Examiner: Huy D. Vu
Assistant Examiner: Toan Nguyen
(74) Attorney, Agent, or Firm: Cesari and McKenna LLP

(57) ABSTRACT

The invention uses a layer 2 switch (L2 switch), or bridge, to separate users' message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined: "promiscuous" ports, "isolated" ports, and "community" ports. Three types of VLANs internal to the switch are defined: "primary" VLANs, "isolated" VLANs and "community" VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual users' servers, etc., and keep each user's traffic separate from that of other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one-way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports. The isolated VLAN is a one-way connection from an isolated port to the promiscuous ports. A community VLAN is defined as connecting to a group of community ports, and also connecting to all of the promiscuous ports. The group of community ports is referred to as a "community" of community ports. A community VLAN is a one-way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch through the other community ports connected to that community VLAN.

46 Claims, 8 Drawing Sheets

[Front-page drawing: a copy of FIG. 1, showing the community or isolated ports of the L2 switch connected to user #1 through user #M (reference numerals 120, 122, 126, 132).]

[Sheet 1 of 8, FIG. 1: block diagram of computer network 100. L2 switch 102 has promiscuous ports (104, ... 108) connected to L3/L4 devices (140, ... 146, three dots 152), each of which connects to a network cloud; and community or isolated ports (114, ...) for user #1, user #2, ... user #M, connected through user VLANs 120, 124, 130 to the user servers 122, 126, 132 (three dots 136).]

[Sheet 2 of 8, FIG. 2: interior of L2 switch 102 with isolated ports. Promiscuous ports #A 220, #B 222, ... #N 224 (three dots 232) at the top; primary VLAN 230 and isolated VLAN 240 inside the switch; isolated ports 204, 206, 208, 210, 212, ... 214 for user #1, 2, 3, 4, 5, ... N (three dots 230) at the bottom.]

[Sheet 3 of 8, FIG. 3: interior of L2 switch 102 with community ports. Promiscuous ports #A 320, #B 322, ... #N 324 (three dots 232) at the top; primary VLAN 330 and community VLANs #1 350, #2 352 and #3 354 inside the switch; community ports 304, 306, 308, 310, 312, ... 314 for user #1, 2, 3, 4, ... at the bottom.]

[Sheet 4 of 8.

FIG. 4: field diagram of packet 400: preamble 402, L2 header 404, L3 header 406, data 410, trailing fields 412.

FIG. 5: "Promiscuous Port Assignment Table for Outgoing Traffic" 500, with columns 502 (L3 layer interface number), 504 (primary VLAN number) and 506 (isolated or community VLAN number). Row 510 holds fields 512 and 514 and a list of secondary VLAN entries 516, 518, 520, ... (three dots 522).]

[Sheet 5 of 8, FIG. 5A: "Trunk Type Promiscuous Port VLAN Mapping Table" 550, with column 552 (primary VLAN) and column 554 (secondary VLANs). Contents recoverable from the sheet:

  Primary VLAN   Secondary VLAN   Entry
  2              20               560A
  2              21               560B
  2              22               560C
  2              23               560D
  3              30               570A
  3              31               570B
  3              32               570C
  ...            ...              580 ]

[Sheet 6 of 8, FIG. 6: field diagram of packet 600, the form a packet takes internal to the L2 switch: VLAN designation (color) 602, port number 604, other fields 605, L2 header 606, L3 header 608, data 610, trailing fields 612.]

[Sheet 7 of 8, FIG. 7: "Isolated or Community Port Assignment Table" 700, with columns 702 (port number) and 706 (isolated or community VLAN); rows 712, 716, ...]

[Sheet 8 of 8, FIG. 8: two-level layer 2 switch network 800. Two distribution L2 switches (806, 808) connect to the backbone to the Internet; trunk connections (860, 862, 864, 866) join them to two access L2 switches (802, 804), which carry the isolated ports. Other reference numerals on the sheet: 810, 814, 816, 818, 820, 830, 834, 844, 846, 848, 850.]

PRIVATE VLANS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to Virtual Local Area Networks (VLANs), and more particularly to the use of VLANs to establish separation between different users of a shared switch.

2. Background Information

It is today a common computer network engineering practice to separate packet traffic belonging to different users by use of a router, a Layer 3 (L3) device. Separation of users' traffic is accomplished by assigning each user to a different subnetwork (subnet). A subnet is identified by a unique L3 address. The router then transmits a particular user's packets out through a port assigned to that subnet. However, only a limited number of bits in the L3 address (for example, IP address) are assigned to the subnet, and so only a limited number of subnets may be addressed by a particular router. Subnet design is described by Andrew Tanenbaum in his book Computer Networks, Third Edition, published by Prentice Hall, copyright 1996, all disclosures of which are incorporated herein by reference, particularly at pages 417-419. For example, if 6 bits are assigned to a subnet mask, then only 62 different subnets may be addressed (the all-zeros and all-ones subnet numbers are reserved). Further, for every subnet assigned two addresses are wasted, namely the network and broadcast addresses.

As an example of many users of a switch who require that their message traffic be kept separate, an Internet service provider (ISP) may have many customers who want to connect to a server farm. Access to the ISP is through a router connected to a common external computer network, for example the worldwide Internet. The router must route each customer's traffic to that customer's local area network in such a manner as to maintain protection and privacy between the data of different customers. It is desirable for an ISP to prevent traffic originating from one customer's server from being received by another customer's server.

A second example of many users of a computer network who must have their traffic separated in order to guarantee privacy and protection is a television cable Internet distribution system. Each home is assigned a separate subnet so that routers may route only a particular customer's message traffic to that customer. This subnet routing prevents, for example, one customer looking at another customer's message traffic by use of, for example, a network sniffer.

A third example is a server farm, for example a multiclient backup service. Each client's message traffic arrives at a router. The router uses a subnet mask to keep the traffic of each client separate from the traffic of another client, as it routes the traffic to the client's backup server.

A limitation in the use of subnets, and subnet masks, in a multiclient environment is that there is only a limited number of subnets which can be defined from standard Layer 3 addresses. In modern computer network systems, this numerical limitation severely restricts the number of individual users who can be serviced and also have their message traffic kept separate. Further, the management of a large number of subnets by a network manager becomes burdensome, especially in the event that the network has thousands of customers whose packet traffic must be kept separate.

A better way to keep the message traffic of different users separate in a computer network is needed, particularly a method which can scale to a large number of users.

SUMMARY OF THE INVENTION

The invention uses a layer 2 switch (L2 switch), or bridge, to separate users' message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined: "promiscuous" ports, "isolated" ports, and "community" ports. Three types of VLANs internal to the switch are defined: "primary" VLANs, "isolated" VLANs and "community" VLANs.

The promiscuous ports are connected to layer 3 or layer 4 devices, for example routers which may in turn connect to the worldwide Internet, load balancers which also may connect to the worldwide Internet, administrative workstations such as used by network administrators, backup devices, etc. Isolated ports and community ports are connected to individual users' servers, etc., and keep each user's traffic separate from that of other users.

Isolated ports and community ports exchange packets with the promiscuous ports by use of the VLANs internal to the switch. The difference between isolated and community ports is that an isolated port cannot transfer packets to another isolated port, whereas a community port has a designated set of community ports to which it can transfer packets.

A primary VLAN internal to the switch is defined as follows. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN receives packets from outside of the switch arriving at any of the promiscuous ports, and transfers the packets to the isolated or community ports. However, an isolated or community port cannot receive traffic from the external LAN connected to it and transfer the packets to the primary VLAN. The primary VLAN is a one-way connection from promiscuous ports to isolated or community ports.

An isolated VLAN is defined as connecting to all promiscuous ports and connecting to all isolated ports. An isolated VLAN receives packets arriving from outside of the switch at an isolated port, and transfers the packets to the promiscuous ports. An isolated VLAN does not carry packets received by a promiscuous port from outside of the switch. Also, an isolated VLAN does not deliver any packets to another isolated port. The isolated VLAN is a one-way connection from an isolated port to the promiscuous ports.

A community VLAN is defined as connecting to a group of community ports, and also connecting to all of the promiscuous ports. The group of community ports is referred to as a "community" of community ports. The community VLAN transfers a packet received from outside the switch at a community port to all of the promiscuous ports, and also transfers the packet to the other community ports attached to that community VLAN. A plurality of "communities" of community ports may be defined, and each community of ports has its own assigned community VLAN. A community VLAN cannot transfer packets received from outside of the switch at a promiscuous port. A community VLAN is a one-way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch through the other community ports connected to that community VLAN.

These new types of VLANs and ports are implemented, in part, by particular settings of the Color Blocking Logic
(CBL) logic circuits used by normal ports of an L2 switch which supports VLANs, and also by use of assignment tables.

Traffic generated by different users' servers is kept separate from other users' servers by each user having his own isolated port or community of community ports.

The VLANs defined in a first L2 switch chassis can be trunked to other L2 switch chassis using ordinary trunking technology, in order to increase the number of ports.

Alternatively, a single L2 switch, or a network of trunked L2 switches, may have its promiscuous ports divided into subsets. Each subset of promiscuous ports is then associated with its subset of isolated ports and community ports, along with the necessary VLANs.

Other and further aspects of the present invention will become apparent during the course of the following description and by reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings, in which like numerals represent like parts in the several views:

FIG. 1 is a block diagram of a computer network in accordance with the invention;

FIG. 2 is a block diagram of a L2 switch in accordance with the invention;

FIG. 3 is a block diagram of a L2 switch in accordance with the invention;

FIG. 4 is a field diagram of a layer 3 packet;

FIG. 5 is an assignment table for a promiscuous port for outgoing traffic, in accordance with the invention;

FIG. 5A is a Trunk Type Promiscuous Port VLAN Mapping Table, in accordance with the invention;

FIG. 6 is a field diagram of a VLAN packet internal to a L2 switch;

FIG. 7 is a port assignment table for an isolated or community port;

FIG. 8 is a block diagram of a two-level layer 2 switch network in accordance with the invention.

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

Turning now to FIG. 1, computer network 100 is shown. L2 switch 102 has promiscuous ports, port A 104, port B 106, port N 108, etc. Promiscuous port 108 is indicated as "N", indicating that an arbitrary number of promiscuous ports may be employed by L2 switch 102.

L2 switch 102 also has isolated or community ports. Port #1 114 is connected to user #1 VLAN 120, and user #1 VLAN 120 connects to user #1 server 122. Isolated or community port #2 116 connects to user #2 VLAN 124, and user #2 VLAN 124 connects to user #2 server 126. Isolated or community port #M 118 is labeled "M" to indicate that L2 switch 102 may have an arbitrary number of isolated or community ports. Isolated or community port #M 118 connects to user #M VLAN 130, and user #M VLAN 130 connects to user #M server 132. "Three dots" 134 indicate that L2 switch 102 may have a plurality of isolated or community ports, etc. "Three dots" 136 indicate a plurality of user servers, each connected to a different isolated or community port, etc.

The promiscuous ports 104, 106, 108, etc. connect to layer 3 or layer 4 devices 140, 143, 146. Examples of layer 3 or layer 4 devices comprise routers, load balancers, administrative workstations, backup devices, etc. An administrative workstation is a workstation utilized by a network administrator and permits the administrator to view all, or at least many, of the occurrences on the network. Promiscuous port A 104 connects to layer 3 or layer 4 device (L3/L4 device) A 140, and L3/L4 device 140 connects to network cloud 142. Promiscuous port B 106 connects to L3/L4 device 143, and L3/L4 device 143 connects to network cloud 144. Promiscuous port N 108 connects to L3/L4 device 146. L3/L4 device 146 connects to network cloud 148.

Three dots 150 indicate that L2 switch 102 may have a plurality of promiscuous ports, etc. Three dots 152 indicate a plurality of L3/L4 devices, connected to the promiscuous ports, port A 104, port B 106, port N 108, etc. Three dots 149 indicate that the L3/L4 devices may connect to a plurality of network clouds 142, 144, 148, etc.

Network clouds 142, 144, 148 may be different network clouds, for example each may comprise a backup device for a particular user server. Alternatively, each network cloud 142, 144, 148 may represent the worldwide Internet. Further, each network cloud 142, 144, 148 may represent a particular device, may represent several particular devices, and may also represent the worldwide Internet, etc.

Turning now to FIG. 2, the interior of L2 switch 102 is shown. Isolated ports 204, 206, 208, 210, 212, 214 are labeled progressively as user #1, 2, 3, 4, 5, N, etc., and each may connect to a different user. Isolated ports 204, 206, 208, etc. correspond to isolated ports 114, 116, 118, etc. shown in FIG. 1. Promiscuous ports, port A 220, port B 222, port N 224, connect to various L3/L4 devices (not shown in FIG. 2), such as devices 140, 143, 146, etc. Promiscuous ports 220, 222, 224, etc. correspond to promiscuous ports 104, 106, and 108, etc. as shown in FIG. 1.

Three dots 230 indicate a plurality of users, each connected to an isolated port 204, 206, 208, 210, 212, 214, etc. Three dots 232 indicate a plurality of promiscuous ports, 220, 222, 224, etc. and indicate that L2 switch 102 may have a plurality of promiscuous ports.

The VLANs utilized by L2 switch 102 are described below.

VLAN 230 is a primary VLAN, and connects to promiscuous ports 220, 222, 224, etc., and also connects to each of the isolated ports 204, 206, 208, ... 214, etc. Primary VLAN 230 carries packet traffic from the promiscuous ports to isolated ports. Primary VLAN 230 is configured to reject any packets arriving at an isolated port from the external local area network connected to the isolated port.

During ordinary operation, any packet received by a promiscuous port from the L3/L4 device is transmitted on the primary VLAN, and may be received by any isolated port or community port having a destination for that packet on an external LAN connected thereto.

Isolated VLAN 240 connects to isolated ports 204, 206, 208, ... 214, etc., and also connects to each of the promiscuous ports 220, 222, ... 224, etc. Isolated VLAN 240 carries packet traffic from isolated ports to the promiscuous ports. Isolated VLAN 240 is configured to reject any traffic arriving from a promiscuous port. Also, isolated VLAN 240 is configured so that it cannot deliver any packets to an isolated port. That is, packets transferred onto isolated VLAN 240 by an isolated port cannot be received by another isolated port. Packets transferred onto isolated VLAN 240 from an isolated port are received by promiscuous ports 220, 222, 224, etc., and from the promiscuous ports may be transferred to network clouds, for example network cloud 142, 144, 148.

Mechanisms, for example color blocking logic (CBL) and assignment tables, may be used to permit primary VLAN 230 to transfer packets from promiscuous ports to
isolated ports, and prohibit an isolated port from transmitting onto primary VLAN 230. Also, mechanisms within L2 switch 102 such as CBL and assignment tables may be used to permit isolated VLAN 240 to transfer packet traffic from an isolated port to a promiscuous port, and prevent isolated VLAN 240 from transferring a packet to an isolated port.

Community VLANs implemented in L2 switch 102 are described next.

A community VLAN connects to a designated group of community ports, and to all of the promiscuous ports. A community port receives a packet from outside of switch 102 and transfers the packet to the community VLAN. A packet transferred to the community VLAN from a community port is received by all of the community ports connected to the community VLAN, and also all of the promiscuous ports receive the packet from the community VLAN. The promiscuous ports then transfer the packet out of the L2 switch. A community VLAN is configured to reject any traffic arriving from a promiscuous port.

Turning now to FIG. 3, community VLAN #1 350, community VLAN #2 352, and community VLAN #3 354 are shown. Community VLAN #1 350 is shown connected to community ports 306 and 308. Community VLAN #1 350 permits community ports connected thereto to exchange packets. For example, a packet entering L2 switch 102 from user #2 at community port 306 is transferred by community VLAN #1 350 to the other community ports, for example community port 308, etc., connected to community VLAN #1 350, and is also transferred to all of the promiscuous ports, ports 320, 322, 324, ....

Community VLAN #2 352 is shown connected to community ports 310 and 312. A packet originating from user #4 or user #5 will enter L2 switch 102 at community port 310 or 312, respectively, and will be transferred by community VLAN #2 352 to the other community port, and to all of the promiscuous ports 320, 322, ... 324, etc.

As a further example of a community VLAN, community VLAN #3 354 is shown. Community VLAN #3 354 is shown connected to community port 304 and community port 314. Community VLAN #3 354 also connects to all of the promiscuous ports 320, 322, ... 324, etc.

In the present description, the isolated ports are shown in FIG. 2, and the community ports are shown in FIG. 3. Switch 102 may have, for example, both isolated ports and community ports. In this case, both of the port arrangements of FIG. 2 and of FIG. 3 are implemented within L2 switch 102. In a second exemplary embodiment, L2 switch 102 may have only isolated ports as shown in FIG. 2. In a third exemplary embodiment, L2 switch 102 may have only community ports as shown in FIG. 3.

A terminology which can be used is to refer to the isolated VLAN and the community VLAN as a "secondary" VLAN. Using this terminology, a primary VLAN takes packets from the promiscuous ports to either the isolated ports or the community ports. In contrast, the secondary VLAN takes packets from either the isolated ports or community ports to the promiscuous ports.
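
The forwarding rules stated in the Summary of the Invention and restated for FIG. 2 and FIG. 3 can be checked by simulating them. The Python model below is an added example written for this page; it is not code from the patent or from any Cisco product. The port names, the tenant labels, and the rule that a frame is never sent back out the port it entered are assumptions of the example, and promiscuous-to-promiscuous forwarding, which the text does not address, is left out. The audit function is the check a practitioner wants on such a configuration: given which tenant owns each isolated or community port, it reports every pair of ports belonging to different tenants that can exchange a frame, so a tenant port mistakenly configured as promiscuous is caught even though, taken on its own, a promiscuous port is allowed to reach everyone.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # faces an L3/L4 device
    ISOLATED = "isolated"        # one tenant; reaches promiscuous ports only
    COMMUNITY = "community"      # one tenant; reaches its community and promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # label shared by the ports of one community (assumed)


class PrivateVlanSwitch:
    """One primary VLAN, one isolated VLAN, and one community VLAN per community."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}

    def add_port(self, name: str, kind: PortType, community: Optional[str] = None) -> None:
        if (kind is PortType.COMMUNITY) != (community is not None):
            raise ValueError("community ports, and only they, carry a community label")
        self.ports[name] = Port(name, kind, community)

    @staticmethod
    def ingress_vlan(port: Port) -> str:
        """Internal VLAN (the 'color' of FIG. 6) a frame is placed on when it enters `port`."""
        if port.kind is PortType.PROMISCUOUS:
            return "primary"
        if port.kind is PortType.ISOLATED:
            return "isolated"
        return "community:" + str(port.community)

    def egress_ports(self, ingress: str) -> Set[str]:
        """Ports eligible to transmit a frame that entered the switch at `ingress`.
        primary VLAN:   promiscuous -> every isolated and community port
        isolated VLAN:  isolated    -> promiscuous ports only, never another isolated port
        community VLAN: community   -> promiscuous ports plus the rest of the same community
        This is the flooding set; MAC learning would narrow it for known unicast."""
        src = self.ports[ingress]
        vlan = self.ingress_vlan(src)
        out: Set[str] = set()
        for p in self.ports.values():
            if p.name == src.name:
                continue  # assumption: a frame never goes back out its ingress port
            if vlan == "primary":
                allowed = p.kind in (PortType.ISOLATED, PortType.COMMUNITY)
            elif vlan == "isolated":
                allowed = p.kind is PortType.PROMISCUOUS
            else:
                allowed = p.kind is PortType.PROMISCUOUS or (
                    p.kind is PortType.COMMUNITY and p.community == src.community)
            if allowed:
                out.add(p.name)
        return out

    def can_reach(self, src: str, dst: str) -> bool:
        return dst in self.egress_ports(src)


def audit_tenant_isolation(sw: PrivateVlanSwitch,
                           tenant_of: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every (src, dst) pair of ports owned by different tenants that can exchange a frame.
    Empty means tenants are kept apart; because the check starts from intended ownership
    rather than from port types, a tenant port wrongly typed as promiscuous is reported."""
    return sorted((s, d) for s, ts in tenant_of.items() for d, td in tenant_of.items()
                  if s != d and ts != td and sw.can_reach(s, d))


def example_switch() -> PrivateVlanSwitch:
    """Constructed configuration: two promiscuous ports, two isolated tenants, two communities."""
    sw = PrivateVlanSwitch()
    sw.add_port("promA", PortType.PROMISCUOUS)
    sw.add_port("promB", PortType.PROMISCUOUS)
    sw.add_port("iso1", PortType.ISOLATED)
    sw.add_port("iso2", PortType.ISOLATED)
    sw.add_port("com3", PortType.COMMUNITY, community="c1")
    sw.add_port("com4", PortType.COMMUNITY, community="c1")
    sw.add_port("com5", PortType.COMMUNITY, community="c2")
    return sw


# Intended ownership of the tenant-facing ports (constructed for the example).
EXAMPLE_TENANTS = {"iso1": "t1", "iso2": "t2", "com3": "c1", "com4": "c1", "com5": "c2"}


def misconfigured_switch() -> PrivateVlanSwitch:
    """Same switch, but tenant t2's port was typed as promiscuous; the audit must flag it."""
    sw = example_switch()
    sw.add_port("iso2", PortType.PROMISCUOUS)
    return sw
```

With `example_switch()`, `egress_ports("iso1")` is the two promiscuous ports only, `egress_ports("com3")` is the promiscuous ports plus `com4`, and `egress_ports("promA")` is every isolated and community port, which is exactly the one-way behaviour the three VLAN definitions describe. The audit of the correct configuration is empty; the audit of `misconfigured_switch()` reports `iso2` reaching every other tenant and `iso1` reaching `iso2`.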

Turning now to FIG. 4, a field diagram 400 of a typical L2 packet which reaches an L2 switch from a network cloud is shown. Field 402 is the preamble. Field 404 contains the L2 header. Field 406 contains the L3 header. Data carried by packet 400 is in field 410. Trailing fields 412 contain fields typically trailing the data fields of a typical data packet, and normally include a cyclic redundancy check (CRC) field. The field diagram of a packet shown in FIG. 4 also represents the fields in a packet departing from L3/L4 device 140, etc. to network cloud 142, or to any of the other network clouds from one of the other L3/L4 devices.

Turning now to FIG. 5, "Promiscuous Port Assignment Table for Outgoing Traffic" 500 is shown with three columns. Table 500 is a conceptual table which is an aid to understanding the invention. Data shown in table 500 may be held, in a particular implementation, in a variety of places. For example, some data is in the header of a received packet, some data may be held in hardware such as memory in an ASIC chip in the interface, or further, some of the data may be held in a software lookup table in the memory for a processor of the router. As a further example, an implementation may use a table such as Table 500 in main memory for a processor of the router. Column 502 contains a layer 3 interface number. Column 504 contains a primary VLAN assignment number. Column 506 contains an isolated or community VLAN assignment number.

A primary VLAN Assignment Number, as held in column 504, is a designation which is written into a field of a packet transferred from layer 2 switch 102 to L3/L4 device 140, or, for example, any of the other L3/L4 devices 143, 146, etc., using standard L2 switch to L3/L4 device protocol. For example, the Primary VLAN Number may be written into the L3 data field 410 as part of a Layer 4 (L4) header using a standard VLAN protocol. The receiving network device reads the primary VLAN number from the header, writes it into column 504, and makes a one-to-one correspondence with a layer 3 interface number (L3 Interface Number) which is written into column 502. Table 500 then may have multiple entries in column 506 for a many-to-one correspondence. That is, there may be many entries in column 506, one for the isolated VLAN, and one entry for each community VLAN associated with that primary VLAN.

Rows, for example row 510, of promiscuous port assignment table 500 for outgoing traffic contain an entry for each Layer 3 Interface Number. A Layer 3 Interface Number corresponds to a L3 destination address to which a Layer 3/Layer 4 (L3/L4) device 140, etc., transfers data packets in computer network 100.

In operation, a packet arrives at a promiscuous port on an isolated VLAN or a community VLAN for transmission out of L2 switch 102. A process enters Promiscuous Port Assignment Table for Outgoing Traffic 500 through either the isolated VLAN number or the community VLAN number, thereby obtaining the corresponding L3 Interface Number from column 502 of the entry. The Primary VLAN directs the packet from the L2 switch 102 to the proper L3/L4 device 140, etc., using a protocol for transfer of packets from a L2 switch to a L3/L4 device. The L3/L4 device then interprets the Primary VLAN and directs the packet to the appropriate destination address in Network Cloud 142, etc. Alternatively, the Primary VLAN of the destination computer could be held in Column 504 of Promiscuous Port Assignment Table for Outgoing Traffic 500, and the packet transferred, for example by TCP/IP, from L2 switch 102 to the L3/L4 device.

In the conceptual table "Promiscuous Port Assignment Table for Outgoing Traffic", Table 500, there is a one-to-one correspondence between a Primary VLAN number and a L3 Interface number. An L3 Interface, designated by L3 Interface Number, is usually associated to a subnet, that is, to a whole group of addresses. Once the packets reach an L3 Interface, they are normally routed by the router without any remaining knowledge of the Private VLANs. At the L3 Interface there is no distinction between normal traffic and traffic coming from a private VLAN.

During operation, a packet such as network packet 400 shown in FIG. 4 is received by an L3/L4 device, for example L3/L4 device 140, etc., from a network cloud, for example network cloud 142. The received packet has the field structure shown in fields 400 of FIG. 4. The network packet is transferred by the receiving L3/L4 device to L2 switch 102. L2 switch 102 receives the packet on a promiscuous port, for example port 104, 106, ..., 108. Upon receipt by a promiscuous port, the packet is transferred to primary VLAN 230, 330 as shown in FIG. 2 or FIG. 3 respectively. The packet then is transferred to each of the isolated ports 204, 206, 208 ... 214, etc. and community ports 304, ... 314, etc. The packet is transmitted out of the appropriate isolated port or community port by the L2 switch 102 using standard forwarding mechanisms, for example by TCP/IP.

A typical entry for a Primary VLAN is shown at entry 510. Entry 510 shows the one-to-one correspondence between the L3 Interface Number held in field 512 and the Primary VLAN Number held in field 514. Associated with entry 510 are a plurality of entries for isolated or community VLANs, as shown in fields 516, 518, 520, and a possible extension to further "many" entries shown by "three dots" 522.

As an example, primary VLANs and secondary VLANs (that is, Isolated or Community VLANs) are programmed in the router using Color Blocking Logic (CBL). A special value is programmed for all primary and secondary VLANs. For example, a value of "forwarding" as defined in the Spanning Tree Protocol Standard IEEE 802.1D may be used. This exemplary assignment allows the hardware to let all the traffic from those VLANs out of the port, and also to accept the ingress traffic for the primary VLANs.

In the event that the port needs to be able to map many-secondaries-to-one-primary only, this exemplary mapping method is sufficient to define the promiscuous port. A port having a mapping of many-secondaries-to-one-primary only is referred to as a "non-trunk" promiscuous port.

Alternatively, in the event that the port needs to be able to map many-secondaries-to-different-primaries, then an explicit table such as "Trunk Type Promiscuous Port VLAN Mapping Table" 550 as given in FIG. 5A may be employed to provide the required mapping. A port which maps many-secondaries-to-different-primaries is referred to as a "trunk" type promiscuous port. Turning now to FIG. 5A, column 552 holds an indicia of the Primary VLAN. Column 554 contains an indicia of the Secondary VLANs (either Isolated or Community VLANs) corresponding to the Primary VLAN. For example, entries 560 refer to Primary VLAN number "2". Entries 570 refer to Primary VLAN number "3", etc. Primary VLAN "2" is shown associated with: Secondary VLAN "20" at entry 560A; Secondary VLAN "21" at entry 560B; Secondary VLAN "22" at entry 560C; Secondary VLAN "23" at entry 560D, etc.

Further, Primary VLAN "3" is shown associated with: Secondary VLAN "30" at entry 570A; Secondary VLAN "31" at entry 570B; Secondary VLAN "32" at entry 570C, etc. Entries 580, represented by "three dots" in both column 552 and 554, indicate that a further plurality of Primary VLANs may each be associated with its particular plurality of secondary VLANs by use of "Trunk Type Promiscuous Port VLAN Mapping Table" 550.
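
The two tables just described, FIG. 5's one-to-one pairing of a primary VLAN with an L3 interface number and FIG. 5A's many-secondaries-to-different-primaries mapping of a trunk type promiscuous port, can be modelled directly. The block below is an added example for this page, not code from the patent or from any Cisco product. It builds FIG. 5A's table from the numbers on the sheet (primary 2 with secondaries 20 to 23, primary 3 with 30 to 32), pairs each primary with a hypothetical L3 interface number of its own (12 and 13 are invented, since the sheet does not give column 502's values), and resolves the egress lookup the text describes: from the secondary VLAN a frame arrived on to the primary VLAN and L3 interface it leaves on. A non-trunk port is the same structure with a single primary. Two checks a practitioner would add are included: a secondary VLAN listed under two primaries, or a VLAN number used as both primary and secondary, is rejected when the table is built, and a frame whose VLAN has no mapping is dropped rather than forwarded with its secondary number, since the text says the L3 interface is to see only the primary VLAN.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class EgressAssignment:
    """A row of FIG. 5: the primary VLAN and L3 interface a frame is handed to the L3/L4 device on."""
    primary_vlan: int
    l3_interface: int


class PromiscuousPortMapping:
    """Secondary-to-primary VLAN mapping held by one promiscuous port.
    non_trunk(): every secondary maps to the port's single primary (many-secondaries-to-one-primary).
    trunk():     an explicit FIG. 5A table, secondaries of several primaries on one port."""

    def __init__(self, rows: Iterable[Tuple[int, int, Iterable[int]]]) -> None:
        # rows: (primary_vlan, l3_interface, secondary_vlans)
        self.by_primary: Dict[int, EgressAssignment] = {}
        self.by_secondary: Dict[int, int] = {}
        self.by_interface: Dict[int, int] = {}
        for primary, l3_if, secondaries in rows:
            if primary in self.by_primary or primary in self.by_secondary:
                raise ValueError(f"VLAN {primary} already used in this table")
            if l3_if in self.by_interface:
                raise ValueError(f"L3 interface {l3_if} already paired with a primary VLAN")
            self.by_primary[primary] = EgressAssignment(primary, l3_if)
            self.by_interface[l3_if] = primary
            for sec in secondaries:
                # reject a secondary that is also a primary, or that is claimed by two primaries
                if sec in self.by_primary or self.by_secondary.get(sec, primary) != primary:
                    raise ValueError(f"secondary VLAN {sec} is ambiguous: already used elsewhere")
                self.by_secondary[sec] = primary

    @classmethod
    def non_trunk(cls, primary: int, l3_if: int, secondaries: Iterable[int]) -> "PromiscuousPortMapping":
        return cls([(primary, l3_if, secondaries)])

    @classmethod
    def trunk(cls, table: Dict[int, Tuple[int, List[int]]]) -> "PromiscuousPortMapping":
        """table: primary VLAN -> (L3 interface, secondary VLANs); FIG. 5A plus FIG. 5's column 502."""
        return cls((p, l3_if, secs) for p, (l3_if, secs) in table.items())

    def is_trunk(self) -> bool:
        return len(self.by_primary) > 1

    def egress(self, vlan: int) -> Optional[EgressAssignment]:
        """Assignment for a frame leaving through this port from internal VLAN `vlan`.
        A known secondary is rewritten to its primary; a primary keeps itself; anything else
        returns None and must be dropped so no secondary VLAN number reaches the L3/L4 device."""
        if vlan in self.by_primary:
            return self.by_primary[vlan]
        primary = self.by_secondary.get(vlan)
        return None if primary is None else self.by_primary[primary]

    def forward_batch(self, vlans: Iterable[int]) -> Tuple[List[Tuple[int, int, int]], List[int]]:
        """(forwarded, dropped): forwarded rows are (ingress VLAN, primary VLAN, L3 interface)."""
        forwarded: List[Tuple[int, int, int]] = []
        dropped: List[int] = []
        for v in vlans:
            a = self.egress(v)
            if a is None:
                dropped.append(v)
            else:
                forwarded.append((v, a.primary_vlan, a.l3_interface))
        return forwarded, dropped


# FIG. 5A as printed; the L3 interface numbers 12 and 13 are hypothetical, filling FIG. 5's column 502.
FIG_5A_TRUNK = PromiscuousPortMapping.trunk({2: (12, [20, 21, 22, 23]), 3: (13, [30, 31, 32])})
NON_TRUNK = PromiscuousPortMapping.non_trunk(2, 12, [20, 21, 22, 23])


def overlap_is_rejected() -> bool:
    """True if a table listing secondary VLAN 20 under both primary 2 and primary 3 is refused."""
    try:
        PromiscuousPortMapping.trunk({2: (12, [20]), 3: (13, [20])})
    except ValueError:
        return True
    return False
```

`FIG_5A_TRUNK.forward_batch([20, 23, 31, 2, 99])` forwards the first three frames on primary 2, primary 2 and primary 3 with their interfaces 12, 12 and 13, passes the frame already on primary 2 through unchanged, and drops VLAN 99, which the table does not know. `NON_TRUNK` accepts only the secondaries of primary 2, so a frame on VLAN 30 is dropped there; `overlap_is_rejected()` shows the constructor refusing an ambiguous table.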

Turning now to FIG. 6, packet 600 is shown. Packet 600 is the VLAN packet travelling inside L2 switch 102. Fields of packet 600 are shown. Field 602 contains the VLAN designation to which the packet is transferred. VLAN designations are sometimes referred to as a "color", as is indicated in field 602. Field 604 contains the port number of the port designated to receive that particular packet. Field 605 contains any other fields carried by the packet as it travels through the internals of L2 switch 102.

When packet 600 represents a packet received at a promiscuous port, then field 604 contains the port number of the isolated port 204, 206, 208, ... 214, etc., or community port 304, 306, ... 314, etc., to which the packet is directed. The port circuitry reads field 604 and the correct port then receives the pa