Singla et al.

(10) Patent No.: US 7,546,458 B1
(45) Date of Patent: Jun. 9, 2009

US007546458B1

(54) METHOD FOR ORGANIZING VIRTUAL NETWORKS WHILE OPTIMIZING SECURITY

(75) Inventors: Aman Singla, Fremont, CA (US); Andrew M. Davidson, San Jose, CA (US); Michael Fines, San Francisco, CA (US); Kevin Hayes, Mountain View, CA (US)

(73) Assignee: Atheros Communications, Inc., Santa Clara, CA (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1613 days.

(22) Filed: Oct. 18, 2002

Related U.S. Application Data

(60) Provisional application No. 60/377,906, filed on May 4, 2002.

(51) Int. Cl.
H04L 9/00 (2006.01)
H04K 1/00 (2006.01)
G06F 15/173 (2006.01)

(52) U.S. Cl. ......................... 713/166; 380/255; 709/223

(58) Field of Classification Search ......... 713/166; 709/223; 380/255
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,684,800 A 11/1997 Dobbins et al.
5,978,378 A * 11/1999 Van Seters et al. ......... 370/401
5,983,350 A * 11/1999 Minear et al. ............... 726/11
6,304,973 B1 * 10/2001 Williams ..................... 726/3
6,308,218 B1 * 10/2001 Vasa ........................ 709/238
6,804,656 B1 * 10/2004 Rosenfeld et al. ............ 705/3
2002/0146002 A1 * 10/2002 Sato ...................... 370/386
2002/0146026 A1 * 10/2002 Unitt et al. ............. 370/428
2003/0120763 A1 * 6/2003 Volpano .................... 709/223
2003/0145118 A1 * 7/2003 Volpano et al. ............ 709/249
2005/0157688 A1 * 7/2005 Rydnell et al. ............ 370/338

OTHER PUBLICATIONS

IBM Technical Disclosure Bulletin, Mar. 2002, “Use of Virtual Local Area Networks in a Shared Infrastructure to Support Multiple Customers at Low Cost,” Mar. 1, 2002, pp. 1-3.*

* cited by examiner

Primary Examiner: Emmanuel L Moise
Assistant Examiner: Michael Pyzocha
(74) Attorney, Agent, or Firm: Bever, Hoffman & Harms, LLP; Jeanette S. Harms

(57) ABSTRACT

An access point in a wireless communication system can be configured to include multiple virtual LANs (VLANs) based on security levels, thereby allowing secure traffic to be isolated from insecure traffic. Configuring the access point can include assigning a security level to each VLAN and setting a security association for each station associated with the access point. Based on this security association, each station can be assigned to an appropriate VLAN.

17 Claims, 3 Drawing Sheets
`
[Front-page drawing: flow chart 300, steps 301 to 305 (Set Default/Multi-Cast Keys; Enable Encryption; Assign Security Levels To VLANs; Enable Access Control; Set Security Associations For Stations). The full chart is Figure 3 on Sheet 3.]
`
`STARWOOD Ex 1010, page 1
`
`
`
U.S. Patent   Jun. 9, 2009   Sheet 1 of 3   US 7,546,458 B1

[Figure 1: three logically defined sub-networks (VLANs 101, 102, 103) over the ports of switches 104 and 105; drawing not recoverable as text]
`
`
`
U.S. Patent   Jun. 9, 2009   Sheet 2 of 3   US 7,546,458 B1

[Figure 2: AP 200 with Network Port 208, AES VLAN 201 and WEP VLAN 207; drawing not recoverable as text]
`
`
`
U.S. Patent   Jun. 9, 2009   Sheet 3 of 3   US 7,546,458 B1

Figure 3 (flow chart 300):

Set Default/Multi-Cast Keys (301)
  |
Enable Encryption (302)
  |
Assign Security Levels To VLANs (303)
  |
Enable Access Control (304)
  |
Set Security Associations For Stations (305)
`
`
`
METHOD FOR ORGANIZING VIRTUAL NETWORKS WHILE OPTIMIZING SECURITY

RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application Ser. No. 60/377,906 which was filed on May 4, 2002.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to the field of wirelessly connected computer networks and particularly the assignment of networked computers to sub-networks based on the security level of the connection enabled by each networked computer.

2. Description of the Related Art

Current technology has allowed the global expansion of proprietary networks, thereby creating the potential for a dispersed workforce. To efficiently incorporate individuals from different physical locations into coordinated work groups, specialized sub-networks, called Virtual Local Area Networks (VLANs), can be used. VLANs are logically, rather than physically, defined sub-networks. VLANs, which can include any type of data traffic creators (e.g. portable and desktop computers, servers, printers, or other peripherals), can be defined according to various policies or selection parameters.

In one embodiment, VLAN technology allows a system administrator to group ports of various switches and the users associated with such ports into defined communities. For example, FIG. 1 illustrates three logically defined sub-networks, i.e. VLANs 101, 102, and 103. The computer icons, shown in VLANs 101, 102, and 103, represent users within those sub-networks. In this embodiment, the network includes two switches 104 and 105, each switch having eight ports (shown as circles). VLAN 101 comprises four ports of switch 104 and three ports of switch 105; VLAN 102 comprises two ports of switch 104 and five ports of switch 105; and VLAN 103 comprises two ports of switch 104 and zero ports of switch 105. In this network configuration, each VLAN allows communication between its own users (i.e. as if the users were on a common LAN), but restricts communication between users of different VLANs. VLANs 101, 102, and 103 could represent various groups within a company, such as engineering, sales, and accounting. When a user moves from one port to another, the system administrator can reconfigure the VLAN membership to include that user.

In another embodiment, VLAN membership can be based on a MAC-layer address. In a MAC address-based VLAN, users can be initially configured to be in at least one VLAN, thereby allowing the subsequent tracking of such users. When the user changes location, the VLAN configuration may change or remain constant based on the MAC-layer address. U.S. Pat. No. 5,684,800 provides an illustrative explanation of the operation and configuration of MAC address-based VLANs and is incorporated by reference herein.

Advantageously, VLANs are supported over all IEEE 802 LAN MAC protocols. Moreover, VLANs can provide 1:N communication (i.e. shared media traffic) as well as 1:1 communication (i.e. point-to-point traffic). Additional advantages of VLANs, as well as the standardized format for frame tagging of VLANs, are provided in the IEEE 802.1Q standard published in 1999.

Increasingly, users want to encrypt their communications, especially in wireless environments, which are particularly susceptible to interception. The 1999 IEEE 802.11 standard includes encryption as a service. However, this encryption methodology provides only low-level security. Therefore, a need arises for implementing higher-level security encryption methodologies into VLANs.

SUMMARY OF THE INVENTION

In accordance with one feature of the invention, an access device in a wireless communication system can be configured to include multiple virtual LANs (VLANs) based on security levels, thereby allowing secure traffic to be isolated from insecure traffic. Configuring the access device can include assigning a security level to each VLAN and setting a security association for each station associated with the access device. The security association can include security algorithms (i.e. a cipher suite), end point designations, key length (wherein a key is a given length of random data), predetermined key rotations, and/or liveness. Each station can be assigned to an appropriate VLAN based on its security association.

In one embodiment, setting security associations, e.g. key maps, for the stations can be triggered by an access control enable command. This command can further indicate whether unencrypted traffic from a transmitting station should be filtered, i.e. not forwarded to the receiving station.

A VLAN identification (VID) identifies each VLAN. In one embodiment, the VID could be incorporated into the transmitting data frame. Additionally, certain functions on the access device, such as configuration and management functions, can be designated to be accessible via a particular VLAN during the assignment step. In accordance with one aspect of the invention, a new security level can be assigned to any VLAN. In one embodiment, a default VLAN can be provided.

A wireless communication system can include an access point and a plurality of stations associated with the access point, each station being assigned to a VLAN based on its security association. Various security levels can be used in accordance with the invention. For example, current encryption standards include AES, WEP and/or no encryption. Other embodiments of the invention can provide VLANs with different encryption standards.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates three logically defined sub-networks.

FIG. 2 illustrates an access point (AP) with multiple VLANs, wherein each VLAN has an associated security level.

FIG. 3 illustrates a flow chart with exemplary steps for configuring an AP to include multiple VLANs based on security levels.

DETAILED DESCRIPTION OF THE FIGURES

In accordance with one feature of the invention, a wireless access point (AP) platform can support multiple VLANs based on the level of security provided. Specifically, VLAN membership of a wireless station to a particular VLAN is based on the security association that the station uses over the wireless link. For example, using security VLANs, an AP could place more secure wireless stations directly onto a sensitive internal corporate sub-network, whereas less secure wireless stations could be assigned to a VLAN that functions outside the corporate sub-network's firewall. In this manner,
the corporate network can be kept completely secure while still providing the benefits of wireless connectivity to all users within physical proximity of the AP.

Various levels of encryption currently can be used in accordance with security VLANs. For example, the Advanced Encryption Standard (AES) specifies a cryptographic algorithm that can provide a 128-, 192-, or 256-bit key. In general, the larger the key size, the greater the level of security provided. Another encryption standard, called the Wired Equivalent Protocol (WEP), can provide a 64-, 128-, or 152-bit key. However, each WEP key includes 24 bits that are not user controlled. Thus, to more accurately compare WEP to AES, the WEP key can be thought of as including 40, 104, or 128 bits. Therefore, for purposes of description herein, AES and WEP will be used as exemplary encryption standards representing “high” and “low” security levels, respectively. In accordance with other embodiments of the invention, different encryption standards offering different levels of security can also be used.

FIG. 2 illustrates an AP 200 having an AES VLAN 201 and a WEP VLAN 207. In this embodiment, AES VLAN 201 includes stations 202, 203, and 204, whereas WEP VLAN 207 includes stations 205 and 206. In accordance with one feature of the invention, frames from one station can be forwarded to other stations within the group of wireless devices associated with AP 200, called a Basic Service Set (BSS), only if the other stations are in the same VLAN. Thus, stations 202, 203, and 204 can communicate with each other through AP 200. Similarly, stations 205 and 206 can communicate through AP 200. However, if the stations are in different VLANs, then AP 200 filters the frame, i.e. does not allow the frame to be transmitted. Thus, for example, if station 205 attempts to send a frame using WEP to station 203, which communicates using AES, then AP 200 would filter that frame.

In one embodiment, a VLAN Identifier (VID) facilitates identification of that VLAN. Specifically, a VID can be included in a VLAN tag, which in turn can be incorporated into a transmitting data frame. In this manner, each frame indicates its level of encryption security. In one embodiment, a VLAN can allow multiple or even all security levels (and thus, the associated VLAN tag would indicate all levels of encryption security in which the station can communicate). For example, a station could have the capability to communicate in a VLAN using both AES and/or WEP. Or a station could have the capability to communicate in a VLAN using AES and/or no encryption security.

In one embodiment, a configured AP can determine the security association of a station using the VID in the frame and a look-up table of VIDs and security associations. Knowing the VID and/or the security association allows the AP to change the VLAN of a station should the need arise or to match the security level of the transmitting station with the security level of the VLAN.

In one embodiment, frames received at a network port 208, e.g. an Ethernet port, using a VLAN tag with no corresponding VID can be filtered. In another embodiment, the VLAN tag corresponding to a designated encryption standard can be set to “invalid,” thereby causing all frames using that designated encryption standard to be filtered.

In one embodiment, the VLANs can be implemented via software, which is executed by a microprocessor or central processing unit (CPU) within the AP. To correctly configure a VLAN operation, the network port of the AP needs to be connected to devices that can understand VLAN tags, e.g. an IEEE 802.1Q-compliant device. These devices can include bridges, routers, or hosts. Multiple VLANs can be aggregated onto the network port (also called a trunk port), thereby effectively combining the traffic load of the stations.
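The forwarding rules the description gives (frames pass between two associated stations only when both sit in the same VLAN; a frame from the network port is dropped when its tag, or the native tag assumed for untagged frames, matches no assigned VID; and the “strict” access-control mode mentioned in the pseudo code drops unencrypted clients) can be modelled in a few lines. The Python below is an added example, not code from the patent or from Atheros: the class and method names are invented, the VLAN numbers follow the pseudo code on this page (AES 16, WEP 2, Clear 3, untagged Ethernet traffic assumed to carry tag 1), and the station MAC addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Level(Enum):
    """Security association a station negotiates over the wireless link."""
    AES = "aes"
    WEP = "wep"
    CLEAR = "clear"


INVALID_VID = 0xFF  # the page's "VLAN 0xff": traffic mapped here is filtered


@dataclass
class AccessPoint:
    """Model of an AP that places each station on a VLAN by its security association (hypothetical class)."""
    vlan_for_level: Dict[Level, int]      # step 303: security level -> VID
    eth_native_vid: int = 1               # "set vlan eth 1": tag assumed for untagged Ethernet frames
    strict_acl: bool = False              # "set acl strict": clear (unencrypted) clients are dropped
    stations: Dict[str, Level] = field(default_factory=dict)  # step 305: station MAC -> association

    def associate(self, mac: str, level: Level) -> int:
        """Record a station's security association and return the VID it lands on."""
        self.stations[mac.lower()] = level
        return self.vid_for_station(mac)

    def vid_for_station(self, mac: str) -> int:
        """Look up the VID through the level->VID table; unmapped levels and strict-mode clear clients get 0xff."""
        level = self.stations[mac.lower()]
        if self.strict_acl and level is Level.CLEAR:
            return INVALID_VID
        return self.vlan_for_level.get(level, INVALID_VID)

    def forward_wireless(self, src: str, dst: str) -> bool:
        """A frame between two associated stations is forwarded only inside one valid VLAN."""
        try:
            vs, vd = self.vid_for_station(src), self.vid_for_station(dst)
        except KeyError:          # at least one station is not associated with this BSS
            return False
        return vs == vd and vs != INVALID_VID

    def accept_from_network_port(self, tag: Optional[int]) -> bool:
        """Ethernet-side check: the tag (or the native tag for untagged frames) must match an assigned VID."""
        effective = self.eth_native_vid if tag is None else tag
        assigned = {v for v in self.vlan_for_level.values() if v != INVALID_VID}
        return effective in assigned


def build_fig2_ap(strict_acl: bool = False) -> AccessPoint:
    """Constructed sample: the FIG. 2 stations placed on the VLAN numbers of the page's pseudo code."""
    ap = AccessPoint(vlan_for_level={Level.AES: 16, Level.WEP: 2, Level.CLEAR: 3},
                     eth_native_vid=1, strict_acl=strict_acl)
    # The MAC addresses are constructed placeholders patterned on the page's keymap entries.
    for mac, level in [
        ("00:03:7F:00:00:02", Level.AES),    # stations 202-204 negotiate AES
        ("00:03:7F:00:00:03", Level.AES),
        ("00:03:7F:00:00:04", Level.AES),
        ("00:03:7F:00:00:05", Level.WEP),    # stations 205-206 negotiate WEP
        ("00:03:7F:00:00:06", Level.WEP),
        ("00:03:7F:00:00:07", Level.CLEAR),  # an extra unencrypted client (not in FIG. 2)
    ]:
        ap.associate(mac, level)
    return ap


if __name__ == "__main__":
    ap = build_fig2_ap()
    print("205 -> 203 forwarded?", ap.forward_wireless("00:03:7F:00:00:05", "00:03:7F:00:00:03"))
    print("untagged frame on trunk accepted?", ap.accept_from_network_port(None))
```

Running the module prints the two checks from the FIG. 2 discussion: the WEP station (205) cannot reach the AES station (203), and an untagged frame on the trunk port is filtered because tag 1 is not a VID in use. The same `vid_for_station` lookup is what lets the AP change a station's VLAN later: re-associating with a different level moves the station without touching the level-to-VID table.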
FIG. 3 illustrates a flow chart 300 with exemplary steps for configuring an AP to include multiple VLANs based on security levels. Flow chart 300 is herein described in conjunction with pseudo code (immediately following) that can implement this configuration. Note that a code line starting with a # is a comment line, whereas a code line without a # is a command.

    # In this example, the AP is connected to a switch via a trunk port.
    # On the switch, the vlan is the default (1).
    # VLAN 16 is set up, and connected to the internal network. [10.10.16.X]
    # VLAN 2 is set up, and connected to the external network. [192.168.1.X]
    # VLAN 3 is set up, and connected to another external network. [192.168.2.X]
    # set your default key
    # your WEP and AES clients must have this as their Shared Key #1
    set key 1 40 1234567890
    set key 1 default
    # set your default AES-VLAN key
    # your AES clients must have this as their Shared Key #2
    set key 2 128 1234567890abcdef1234567890abcdef
    set key 2 default AES-VLAN
    # allow encryption
    set encryption enable
    # set your cipher to allow both WEP and AES
    set cipher auto
    # VLANs are set in decimal numbers.
    set vlan eth 1
    set vlan ap 16
    set vlan aes 16
    set vlan wep 2
    set vlan clear 3
    # set acl control mode
    # if you "set acl strict", then clear clients will be dropped
    set acl enable
    # set your unique station keys
    set acl keymap 00:03:7F:00:00:01 104 1234567890abcdef1234567890
    set acl keymap 00:03:7F:00:00:02 128 1234567890abcdef1234567890abcdef

As indicated in the initial comment lines of the pseudo code, the AP can be connected to a switch via a trunk port. On this particular switch, the default VLAN is in use. In this embodiment, three VLANs will be configured. To facilitate this configuration, each VLAN is assigned an arbitrary number, i.e. VLAN 16, VLAN 2, or VLAN 3. Each of these VLANs will be associated with a specific network. For example, VLAN 16 will be associated with an internal network, which has a designated number 10.10.16.X. Similarly, VLAN 2 will be associated with an external network, which has a designated number 192.168.1.X, and VLAN 3 will be associated with another external network, which has a designated number 192.168.2.X. As explained in further detail below, VLANs 16, 2, and 3 will be associated with AES, WEP, and Clear (i.e. unencrypted) security levels, respectively.
The “set key 1” commands set a default encryption key (step 301), which can be used by both the WEP and AES clients. Note that a default key can be considered a multi-cast key in the context of the security VLANs. If WEP and AES are assigned to separate VLANs, as shown in this embodiment, an additional default key can be set for the AES VLAN. In this embodiment, an additional default key can be programmed for AES by appending “AES-VLAN” to the end of the default command (i.e. “set key 2 default AES-VLAN”). Note that AES encryption uses longer keys than WEP encryption, e.g. 128 versus 40 bits, as previously described.

At this point, encryption can be enabled in step 302 as triggered by the “set encryption enable” command. The “set cipher auto” command allows the AP to automatically negotiate the appropriate security association with each station based on that station's capability. The security levels and associated VIDs for the VLANs can be assigned in step 303. For example, the “set vlan aes 16” command indicates that the AES traffic corresponds to VLAN 16; the “set vlan wep 2” command indicates that WEP traffic corresponds to VLAN 2; and the “set vlan clear 3” command indicates that unencrypted traffic corresponds to VLAN 3.

Additionally, the “set vlan ap 16” command indicates that, to access the configuration and management functions on the AP, the AP is also placed on VLAN 16. This command allows a system administrator to change settings on the AP. Preferably, the AP node is placed on the most secure VLAN to provide optimal security. Finally, the “set vlan eth 1” command indicates that any untagged traffic received on the Ethernet port of the AP is assumed to have tag “1”. As this number does not correspond to any VID, a tag 1 essentially filters out that traffic.

The “set acl enable” command allows the AP to enable access control in step 304. This access control can include setting security associations in step 305 for stations assigned to VLANs 2, 3, and 16. In one embodiment, setting a security association could include setting a key map for each station. Exemplary “set acl keymap” commands for two stations are provided to the AP in this case.

In one embodiment, if no VLANs are explicitly created by a system administrator during the initial AP configuration (step 303), then the VLAN assignment of each security level can be automatically determined by the setting of the encryption mode. For example, in one default configuration after enabling encryption (step 302), the WEP and AES security levels can be assigned to VLAN 1 and the Clear security level can be assigned to VLAN 0xff, i.e. an invalid VLAN. Note that if encryption is not enabled, then the WEP and AES security levels can be assigned to VLAN 0xff and the Clear security level can be assigned to VLAN 1. To provide optimal system flexibility, these default settings can be changed with the “set vlan” commands (step 303).

Examples of additional VLAN configuration commands following the initial AP configuration are provided below in pseudo code. Note that commands are preceded with arrows, whereas system (i.e. AP) responses have no arrows. In this case, no VLANs have been created during the initial AP configuration.

    -> get encryption
    Encryption: Enabled
    -> get vlan
    Ethernet Port Native Vlan: 1
    AP's local Vlan: 1
    AES Vlan: 1
    WEP Vlan: 1
    Clear Vlan: INVALID (traffic will be filtered)
    -> set vlan aes 3
    -> set vlan clear 2
    -> set vlan wep 1
    -> set vlan eth 3
    -> set vlan ap 3
    -> get vlan
    Ethernet Port Native Vlan: 3
    AP's local Vlan: 3
    AES Vlan: 3
    WEP Vlan: 1
    Clear Vlan: 2
    -> del vlan
    -> get vlan
    Ethernet Port Native Vlan: 1
    AP's local Vlan: 1
    AES Vlan: 1
    WEP Vlan: 1
    Clear Vlan: INVALID (traffic will be filtered)

In this embodiment, the “get encryption” command requests that the AP indicate whether encryption is enabled. In this case, as shown by the system response, encryption is enabled. The “get vlan” command displays the VLAN security levels for specified VLANs. In this case, all Ethernet, AP local, AES, and WEP security levels have been assigned VLAN 1, whereas the Clear security level has been assigned to VLAN 0xff.

In accordance with one feature of the invention, settings can be adjusted by using a “set vlan” command to modify VLAN security for a specified VLAN. For example, the “set vlan aes 3” and “set vlan eth 3” commands can allow AES and Ethernet traffic on a new VLAN, i.e. VLAN 3. Similarly, a “set vlan ap 3” command may be used to allow the configuration and management functions on the AP to be accessed on VLAN 3. The “set vlan wep 1” command explicitly defines WEP traffic for VLAN 1 (the default VLAN). The “set vlan clear 2” command assigns Clear traffic, previously marked invalid, to a new VLAN, i.e. VLAN 2. Note that the “get vlan” command following the “set vlan” commands reflects the newly set VLANs. In one embodiment, a “del vlan” command will delete any previously set VLANs, wherein after the “get vlan” command, the system can respond with the default VLANs of the AP.
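Steps 301 to 305 of the pseudo code and the “get vlan” session above can be exercised against a small interpreter of the page's command syntax. The Python below is an added example, not code from the patent or from Atheros: the class and function names are invented; the key check assumes that a key of N bits is written as exactly N/4 hex digits, which the page's 40-, 104- and 128-bit keys satisfy; the encryption-mode default rule is applied to each security level that has no explicit “set vlan” entry, whereas the page states the rule only for the case where no VLAN has been set at all; and the constructed SESSION script is prefixed with “set encryption enable” because the page's session starts with encryption already enabled.

```python
import re

INVALID_VID = 0xFF                 # the page's "VLAN 0xff": an invalid VLAN whose traffic is filtered
LEVELS = ("aes", "wep", "clear")   # security levels the "set vlan" command accepts


def key_is_valid(bits, hexkey):
    """True for the page's key lengths (40, 104, 128 bits) written as bits/4 hex digits (10, 26, 32)."""
    return bits in (40, 104, 128) and re.fullmatch(r"[0-9a-fA-F]{%d}" % (bits // 4), hexkey) is not None


def check_key(bits, hexkey):
    if not key_is_valid(bits, hexkey):
        raise ValueError("a %d-bit key must be exactly %d hex digits" % (bits, bits // 4))
    return hexkey.lower()


class ApConfig:
    """AP configuration state driven by the page's command syntax (hypothetical class name)."""

    def __init__(self):
        self.encryption = False           # step 302
        self.cipher = None                # "set cipher auto": negotiate WEP or AES per station
        self.ports = {"eth": 1, "ap": 1}  # tag assumed for untagged Ethernet frames; AP management VLAN
        self.explicit = {}                # level -> VID from "set vlan" (step 303)
        self.keys = {}                    # key slot -> {bits, key, default_for} (step 301)
        self.keymap = {}                  # station MAC -> (bits, key) (step 305)
        self.acl = None                   # None, "enable" or "strict" (step 304)

    def vlan_table(self):
        """VID per level. Unset levels follow the page's default rule: with encryption enabled WEP/AES go
        to VLAN 1 and Clear to 0xff, without it the reverse. Applying the rule per level is an assumption."""
        enc = 1 if self.encryption else INVALID_VID
        default = {"aes": enc, "wep": enc, "clear": INVALID_VID if self.encryption else 1}
        return {lvl: self.explicit.get(lvl, default[lvl]) for lvl in LEVELS}

    def execute(self, line):
        """Run one command; returns the AP's response lines ("set" and "del" commands answer nothing)."""
        p = line.split()
        if p[:2] == ["set", "encryption"]:
            self.encryption = (p[2] == "enable")
        elif p[:2] == ["set", "cipher"]:
            self.cipher = p[2]
        elif p[:2] == ["set", "key"]:                 # "set key N <bits> <hex>" or "set key N default [AES-VLAN]"
            slot = int(p[2])
            if p[3] == "default":
                self.keys[slot]["default_for"] = p[4] if len(p) > 4 else "ALL"   # KeyError if slot never set
            else:
                self.keys[slot] = {"bits": int(p[3]), "key": check_key(int(p[3]), p[4]), "default_for": None}
        elif p[:2] == ["set", "vlan"]:                # eth/ap are the port and management VLANs
            target, vid = p[2], int(p[3])
            if target in LEVELS:
                self.explicit[target] = vid
            elif target in self.ports:
                self.ports[target] = vid
            else:
                raise ValueError("unknown vlan target: " + target)
        elif p[:2] == ["set", "acl"]:                 # "enable", "strict" or "keymap <mac> <bits> <hex>"
            if p[2] == "keymap":
                self.keymap[p[3].lower()] = (int(p[4]), check_key(int(p[4]), p[5]))
            else:
                self.acl = p[2]
        elif p == ["del", "vlan"]:                    # drop explicit VLANs; the defaults apply again
            self.explicit.clear()
            self.ports = {"eth": 1, "ap": 1}
        elif p == ["get", "encryption"]:
            return ["Encryption: " + ("Enabled" if self.encryption else "Disabled")]
        elif p == ["get", "vlan"]:
            t = self.vlan_table()
            fmt = lambda v: "INVALID (traffic will be filtered)" if v == INVALID_VID else str(v)
            return ["Ethernet Port Native Vlan: %d" % self.ports["eth"], "AP's local Vlan: %d" % self.ports["ap"],
                    "AES Vlan: " + fmt(t["aes"]), "WEP Vlan: " + fmt(t["wep"]), "Clear Vlan: " + fmt(t["clear"])]
        else:
            raise ValueError("unknown command: " + line)
        return []


def run_script(text):
    """Feed a script to a fresh AP; '#' lines are comments and the page's '->' prompt is stripped."""
    cfg, out = ApConfig(), []
    for raw in text.splitlines():
        line = raw.strip()
        line = line[2:].strip() if line.startswith("->") else line
        if line and not line.startswith("#"):
            out.extend(cfg.execute(line))
    return cfg, out


# Constructed sample scripts: the commands of the page's pseudo code and of its "get vlan" session.
INITIAL_CONFIG = "\n".join([
    "set key 1 40 1234567890", "set key 1 default",
    "set key 2 128 1234567890abcdef1234567890abcdef", "set key 2 default AES-VLAN",
    "set encryption enable", "set cipher auto",
    "set vlan eth 1", "set vlan ap 16", "set vlan aes 16", "set vlan wep 2", "set vlan clear 3",
    "set acl enable",
    "set acl keymap 00:03:7F:00:00:01 104 1234567890abcdef1234567890",
    "set acl keymap 00:03:7F:00:00:02 128 1234567890abcdef1234567890abcdef"])
SESSION = "\n".join(["-> set encryption enable", "-> get encryption", "-> get vlan", "-> set vlan aes 3",
                     "-> set vlan clear 2", "-> set vlan wep 1", "-> set vlan eth 3", "-> set vlan ap 3",
                     "-> get vlan", "-> del vlan", "-> get vlan"])
```

`run_script(SESSION)` reproduces the three “get vlan” responses shown above, including the return to the defaults after “del vlan”, and `run_script(INITIAL_CONFIG)` yields the VLAN 16/2/3 table of the first pseudo code. A mis-sized key, such as ten hex digits declared as a 128-bit key, is rejected at configuration time instead of producing a silently wrong shared key, which is the check a practitioner would want in front of either command set.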
In one embodiment, frames arriving untagged, i.e. without a VLAN tag, on an Ethernet port can be assigned a default VID for that port (PVID). The AP can also be designated as belonging to the default VID. Note that frames belonging to the port's default VLAN are transmitted untagged onto the port.
Providing security VLANs advantageously allows users to deploy new cryptographic standards while still supporting the old standards. With different standards available, companies can provide different access to different users, thereby isolating secure traffic from insecure traffic. Security VLANs can also provide users with different levels of authorization, e.g. access control, thereby enhancing system flexibility.

Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying figures, it is to be understood that the invention is not limited to those precise embodiments. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed. As such, many modifications and variations will be apparent. For example, users can refer to hosts, bridges, routers, and/or computers. Moreover, security levels can refer to domains, strength, speed of performance, and/or levels of authorization (i.e. access control). Finally, access points can refer to any access devices. Accordingly, it is intended that the scope of the invention be defined by the following Claims and their equivalents.
`
The invention claimed is:

1. A method of configuring an access device to include multiple virtual LANs (VLANs) based on security levels, the method comprising:
enabling encryption in the access device;
selectively assigning one of a predetermined security level, multiple security levels, and no security level to each VLAN; and
setting a security association for each station associated with the access device, wherein the security association of a station determines its assigned VLAN.

2. The method of claim 1, further including setting a multi-cast key for each security level before enabling encryption.

3. The method of claim 1, further including enabling access control before setting the security association for each station.

4. The method of claim 3, wherein enabling access control includes filtering unencrypted communication from any station.

5. The method of claim 1, wherein setting a security association includes setting key maps for stations associated with the access device.

6. The method of claim 1, wherein selectively assigning includes designating a VLAN identification (VID) for each VLAN.

7. The method of claim 1, wherein selectively assigning includes allowing certain functions on the access device to be accessible via a designated VLAN.

8. The method of claim 1, wherein selectively assigning includes filtering untagged traffic received on a network port on the access device.

9. The method of claim 1, further including reassigning a new security level to at least one VLAN.

10. The method of claim 1, wherein selectively assigning includes accessing a default VLAN configuration based on encryption mode.

11. The method of claim 10, wherein the default VLAN configuration includes:
assigning security levels with encryption to a default VLAN; and
assigning security levels without encryption to an invalid VLAN.

12. The method of claim 1, further including:
deleting any previously-set VLANs; and
reverting to any default VLANs.

13. A method of isolating more secure traffic from less secure traffic in a wireless communication system, the method comprising:
building an association between multiple virtual LANs (VLANs) and security levels, wherein a first VLAN having a first security level facilitates the more secure traffic and a second VLAN having a second security level facilitates the less secure traffic, wherein each security level is selectable between a single security level, multiple security levels, and no security level.

14. The method of claim 13, wherein the multiple security levels include at least two of AES, WEP, and unencrypted.

15. The method of claim 13, wherein building includes configuring an access device.

16. The method of claim 15, wherein configuring includes:
assigning a security level to each VLAN; and
setting a security association for each station associated with the access device, wherein the security association of a station determines its assigned VLAN.

17. A wireless communication system comprising:
an access device; and
a plurality of stations associated with the access device, each station being assigned to a virtual LAN (VLAN) based on a security level associated with that station, each security level being user-selectable between a single security level, multiple security levels, and no security level.