Carter et al.

US005386470A

[11] Patent Number: 5,386,470
[45] Date of Patent: *Jan. 31, 1995

[54] REPEATERS FOR SECURE LOCAL AREA NETWORKS

[75] Inventors: Steven H. Carter, Great Missenden; Terence D. Lockyer, Luton; Christopher J. Gahan, Kings Langley, all of Great Britain

[73] Assignee: 3Com Ireland, Dublin, Ireland

[*] Notice: The portion of the term of this patent subsequent to Nov. 3, 2009, has been disclaimed.

[21] Appl. No.: 111,012

[22] Filed: Aug. 24, 1993

Related U.S. Application Data

[63] Continuation of Ser. No. 913,475, Jul. 15, 1992, abandoned, which is a continuation of Ser. No. 609,791, Nov. 7, 1990, Pat. No. 5,161,192.

[30] Foreign Application Priority Data

Dec. 6, 1989 [GB] United Kingdom 8927623

[51] Int. Cl.: H04B 3/36; H04B 3/58; H04L 25/20; H04L 25/52
[52] U.S. Cl.: 380/48; 380/9; 380/23; 380/49; 375/3; 375/4; 379/338; 379/339; 455/7; 455/14; 455/15; 340/825.54
[58] Field of Search: 380/2, 4, 23, 25, 48, 49, 50; 340/825.54, 35, 75, 97; 375/3, 4; 379/338, 339; 455/7, 9, 14, 15

[56] References Cited

U.S. PATENT DOCUMENTS

4,449,247  5/1984   Waschka, Jr.      455/9
4,626,845  12/1986  Ley
4,627,052  12/1986  Hoare et al.      370/85.13
4,672,572  6/1987   Alsberg           380/23
4,692,918  9/1987   Elliott et al.    370/85.13
4,783,657  11/1988  Bouchard et al.   340/825.52
4,887,075  12/1989  Hirasawa          340/825.03
4,901,348  2/1990   Nichols et al.    380/6
4,939,747  7/1990   Adler             375/3.1
4,974,190  11/1990  Curtis            307/571
5,161,192  11/1992  Carter et al.     380/48
5,177,788  1/1993   Schanning et al.  380/23

OTHER PUBLICATIONS

Brian P. Schanning, "Secure Relays: An Alternative Approach to Lansec", Apr. 3, 1989, pp. 31-52.
"StarLAN" Specification excerpts of Draft C "Unapproved Draft", Oct. 1985, IEEE Computer Society.
Conard K. Kwok, Biswanath Mukherjee, "On Transparent Bridging of CSMA/CD Networks", 1989 IEEE, pp. 5.7.1-5.7.6.
Japanese Abstract of 59-63839; vol. 8, No. 167; 02 Aug. 84.
C. Kwok et al., "On Transparent Bridging of CSMA/CD Networks"; Dallas Globecom '89, vol. 1, pp. 5.7.1-5.7.6; 27-30 Nov. '89.
J. Weinstein, "Bridging to a Better LAN", vol. XXII, No. 2, Feb. 1989, "Micro-Mini Systems", pp. 86-88.
European Search Report EP 90 31 2060.

Primary Examiner: Bernarr E. Gregory
Attorney, Agent, or Firm: Haynes & Davis

[57] ABSTRACT

A multiport repeater for a local area network installation has (in addition to its conventional functions) means for storing access rules for the items of equipment connected to it. It reads a portion of each frame, which may be all or part of the destination address segment and/or of the source address segment and/or of the control segment of each incoming data frame, or it could be a frame or protocol identifier incorporated in opening bytes of the data segment. It compares the data that it reads with the stored access rules to determine whether the frame is permitted or not. If not, the repeater modifies the frame which it is in the course of re-transmitting, for example by overwriting it with meaningless digits or by encrypting it. It may also report the source address, destination address and reason for deciding to modify the frame to the network controller.

53 Claims, 5 Drawing Sheets
`
`
`
`Ex.1005
`CISCO SYSTEMS, INC. / Page 1 of 13
`
`
`
[Drawing sheets 1 to 5 of U.S. Patent 5,386,470 (Jan. 31, 1995); the figures themselves are not reproduced. Labels legible in the extracted drawings:]

FIG. 1 (Sheet 1): network diagram; labels MAU 1, MAU 14, MPR 2.

FIG. 2 (Sheets 2 and 3): block diagram of one repeater module; labels FROM INFO BUS; PORT 1 to PORT N with PORT I/F (5) and select lines S1 to SN; SELECT; MUX; DATA; CORRUPT; EN; WRITING SEQUENCE GEN; JAM PREAMBLE GEN; Rx DATA and Rx CLOCK TO OTHER MODULE; COUNTERS (16) with EN and CK; SHIFT REG; DA LATCH (14) and SA LATCH; I/F DA, I/F SA; COMPARATORS (17); ILLEGAL FRAME; DELAY (19); TO INFO BUS; ADDRESS DATA BASE (18) with DOWNLOAD; TIMING; CONTROL STATE; PORT ID.

FIG. 3 (Sheets 4 and 5): block diagram of the alternative embodiment, as FIG. 2 but with ENCRYPTED DATA in place of the corrupting sequence generator; labels FROM INFO BUS; PORT 1 to PORT 4 with PORT I/F (5) and select lines S1 to SN; SELECT; JAM PREAMBLE GEN; CK; SHIFT REG; DELAY (19); Rx DATA and Rx CLOCK TO OTHER MODULE; COUNTERS (16) with EN; I/F DA, I/F SA; DA LATCH (14) and SA LATCH; COMPARATORS (17); ILLEGAL FRAME; ADDRESS DATA BASE (18) with DOWNLOAD; TO INFO BUS; TIMING; CONTROL; PORT ID.
`
`
`
`1.
`
`REPEATERS FOR SECURE LOCAL AREA
`NETWORKS
`
`This application is a continuation of Ser. No.
`07/913,475, filed Jul. 15, 1992, now abandoned, which is
`a continuation of Ser. No. 07/609,791, filed Nov. 7,
`1990, now U.S. Pat. No. 5,161,192.
`FIELD OF THE INVENTION
`This invention relates to local area networks for pro
`viding intercommunication between computers and/or
`other network connected devices (hereinafter called
`data termination equipment and abbreviated to DTE).
`More particularly, it is concerned with networks of the
`15
`kind in which DTE's are connected (normally via a
`media attachment Unit (MAU), also called a trans
`ceiver) to a common transmission medium such as a
`coaxial cable, a twisted pair cable or an optical fiber and
`in which digital repeaters (usually multiport repeaters,
`20
`MPR's) are used to restore digital signals that have been
`attenuated or otherwise degraded and to provide for
`branching when required. The invention includes im
`proved repeaters and the networks in which they are
`used.
`25
`The invention is primarily (but not exclusively) con
`cerned with networks operating Carrier Sense Multiple
`Access
`techniques
`with
`collision
`detection
`(CSMA/CD). The best-known networks of this type
`are those specified by the International Standards Orga
`30
`nization as ISO 8802/3 networks and by Xerox Corpo
`ration as 'ETHERNET' networks.
`In such systems, data is transmitted in frames which
`have a limited range of lengths and are normally made
`up of a meaningless preamble (for establishing Synchro
`35
`nization), a start-of-frame indicator, a destination ad
`dress segment, a source address segment, a control seg
`ment (indicating, for instance, the frame length), a seg
`ment of data (often beginning with a frame or protocol
`identification) to be transmitted to the DTE identified
`by the address identification, and a frame check seg
`ment for verifying accuracy of transmission.
`MPR's repeat frames received on an input port indis
`criminately to all their output ports and necessarily
`(because of delay limits imposed by the network specifi
`45
`cations) begin to retransmit before the complete frame
`has been received.
`A local area network as so far described is insecure, in
`the sense that any DTE can transmit data to any other
`and that an eavesdropper gaining access to the transmis
`50
`sion medium can read all the data.
`DISCUSSION OF RELATED ART
`In known systems, a measure of security may be
`achieved by physically subdividing the transmission
`medium into groups using components called “bridges'
`which receive and store computer data frames and can
`then analyze them and determine whether they are
`authorized frames and if so to which of its output ports
`they need to be re-transmitted. However, bridges are
`much more expensive than MPR's and introduce a
`delay in excess of the frame length.
`SUMMARY OF THE INVENTION
`The present invention provides repeaters with secu
`65
`rity features such that in a local area network in which
`they are used the expense and signal delay inherent in
`the use of bridges can be avoided, or at least minimized.
`
`5,386,470
`2
`In accordance with the invention, a repeater is char
`acterized by having (in addition to whatever known
`repeater functions are desired) means for storing access
`rules for the DTE's connected to the repeater; means
`for reading at least one portion of the frame selected
`from the destination address segment, the source ad
`dress segment, the control segment and the frame or
`protocol identifier (if present) of each incoming data
`frame and comparing the portion or portions so read
`with the stored access rules to determine whether the
`O
`frame is permitted or not; and means for modifying (by
`corrupting or encrypting) the frame in retransmission if
`the repeater determines that the frame is not permitted.
`When the portion of the frame selected to be read is
`in the control segment, it may be the whole segment or
`it may be only a part of the segment that is relevant to
`the decision to be made. In most (but not necessarily all)
`other cases, the whole of the appropriate address seg
`ment or of the identifier should be read.
`The access rules may be written to their storing
`means in various ways, depending (among other things)
`on the level of security required. For example, a degree
`of security can be achieved by allowing a learning per
`iod when the network is first set up in which the re
`peater "self-learns” which DTE's are connected to each
`of its ports and thus sets up its own access rules for each
`port forbidding the transmission thereafter of any frame
`with a source address not corresponding with a DTE
`not connected to that port during the learning period.
`More sophisticated rules can be loaded (or self
`learned rules can be edited) using data provided as con
`trol frames from a network manager, or if the possibility
`of the network manager being misused or counterfeited
`needs to be allowed for, from a special input device (a
`key pad or a mobile memory device, for instance) cou
`pled to the repeater itself and protected from misuse
`either by password protection or by removing the input
`device once the access rules have been written. In ex
`treme cases, the means provided in the repeater for
`coupling the input device could be destroyed after use,
`or the rules could be inserted as a pre-programmed
`ROM encapsulated along with key components of the
`repeater to prevent substitution.
`Either one or both of the destination address segment
`and the source identification segment may be read and
`compared with the stored access rules, depending on
`the nature of the rules to be applied. For example, if the
`physical connections are such that all the DTE's con
`nected to a particular input port (or group of ports) of a
`repeater have unlimited access to the network, then
`there is no point in comparing the destination address
`segments of frames received on that port, and it is only
`necessary to check the source address segment to verify
`that the DTE in question is authorized to be connected
`there. Similarly, if physical security can be relied on to
`prevent unauthorized connections and all the DTE's
`connected to a port (of group of ports) have the same
`(but limited) access to other parts of the network, then
`only the destination address segment needs to be read
`and compared.
`Subject to the limitations set by comparison time and
`storage space, each DTE may have its own access rules,
`independently of all the others, or if the DTE's are
`organized in groups with common access rules, then it is
`possible for individual DTE's to be allocated to more
`than one of the groups; for example, a departmental
`accountant's terminal could have access to all the other
`terminals within his department and also to other ac
`
`5
`
`55
`
`Ex.1005
`CISCO SYSTEMS, INC. / Page 7 of 13
`
`
`
`15
`
`5,386,470
`3
`4.
`of a multiport repeater that are relevant to the under
`countants' terminals outside the department, without
`standing of the present invention, and FIG. 3 is a block
`the need to give unnecessary access between the re
`maining terminals of those two groups.
`diagram of an alternative embodiment of the present
`Ideally, all the data contained in an unauthorized
`invention.
`frame should be modified, and this presents no problems 5
`DESCRIPTION OF PREFERRED
`if the destination address segment shows the frame to be
`EMBODIMENTS
`unauthorized; if however it is the source address, the
`control frame or the frame or protocol identifier seg
`The network of FIG. 1 comprises 14 items of data
`termination equipment, DTE 1 to DTE 14 (which may
`ment that shows the frame to be unauthorized, the time
`for example be general purpose personal computers,
`taken to make comparisons may be such that a few bytes 10
`dedicated word processors, printers, disc drives etc.),
`of data may be retransmitted without modification. If
`this is considered unacceptable, high-speed comparison
`and a network controller C. Each of these is connected
`algorithms may be used and/or the system protocol
`through its own media access unit MAU 1 to MAU 15
`may be modified so that there will be an appropriate
`to one or other of three multiport repeaters MPR 1,
`number of meaningless bytes at the beginning of the
`MPR2 and MPR3; these are in turn interconnected by
`the remaining repeater MPR 4.
`data segment.
`Data may be modified, when required, by corrupting
`FIG. 2 shows one module serving ports 1 to 4 of an
`it, as by overwriting a series of binary digits selected
`MPR, the assumption for the purpose of illustration
`from all 1's, all 0's, cyclically repeated sequences and
`being that there is at least one other module serving
`pseudo-random sequences. The first two require no
`further ports, and that the access rules will be the same
`more complex generating means than a simple logic
`for all the ports connected to this module.
`gate, say a non-exclusive OR gate, receiving the incom
`The most basic conventional function of the MPR is
`ing data on one input and a permitted/not permitted
`served by the inputs received on any one of ports 1 to 4
`flipflop signal on its other input so as to pass the data to
`passing via respective port interface units 5 and multi
`output if the flipflop is set "permitted' but a continuous 25
`plexers 6 and 7 to a first in/first out memory 8. This is
`“high” or “low” output if it is set “not permitted”.
`inert until enabled by a signal from the start of frame
`Cyclically repeated or pseudo-random sequences can
`detector 9, and then begins to store the incoming data.
`be read from memory or generated when required by
`In the meantime, a preamble generator 10 has begun to
`output a preamble signal through the multiplexer 11 to
`conventional means.
`Data may alternatively be modified by encrypting it 30
`all of the port interfaces, which will pass it to their
`respective ports except in the case of the port receiving
`in a manner that cannot be decrypted by the DTE's of
`the incoming signal. Preamble transmission continues
`the network, except possibly one or a few authorized
`until a counter 12 indicates that the prescribed length of
`DTE's (for instance the network controller).
`preamble has been outputted. Provided there are then at
`If desired, a repeater which detects an unauthorized
`frame may, in addition to modifying the unauthorized 35
`least 3 bits of data in the memory 8, the multiplexer 11
`is switched to begin reading out the data stored in the
`frame, switch off the port on which such a frame was
`memory, and in the ordinary way will continue to do so
`received and/or the port to which the DTE it was
`addressed to is connected. Preferably it only does so if
`until the complete frame has been received into and
`it knows that the port concerned is not connected to
`then read from the memory 8.
`another repeater.
`However, in accordance with the invention, the in
`40
`coming signal is also passed via a shift register 13 which
`On occasion, an unauthorized person gaining access
`to a network may not be concerned with transmitting
`extracts the destination address and the source address
`unauthorized data, nor reading data from the network,
`in parallel form to latches 14 and 15 which are switched
`but to prevent proper functioning of the network. One
`by counters 16 enabled by the start of frame signal from
`easy way of so "jamming' a conventional network is to
`detector 9. These are passed to comparators 17 and
`45
`inject into the network a rapid succession of frames that
`compared with the access rules previously stored in a
`conform to the system protocol, so that any other user
`database 18 for example by self-learning on the basis of
`the identity of equipment connected to the ports of the
`seeking to transmit will encounter a "collision'. As a
`precaution against this form of abuse, the repeater in
`repeater during an initial learning period; or by writing
`from one of the following: a network manager; an input
`accordance with the invention may additionally be
`50
`device coupled to the repeater (and removing the input
`fitted with a timer (or frame counter) device arranged
`to limit the number of consecutive frames that will be
`device once the access rules have been written); or an
`input device that has password protection.
`accepted on any one port and to switch off that port if
`If the comparators indicate that the frame is not in
`the limit is exceeded.
`If desired, the repeater in accordance with the inven- 55
`accordance with the rules contained in the database,
`tion may be switchable (e.g. by a local, key-operated
`then a signal is output via a delay 19 (serving to ensure
`switch or by a control frame from a network manager)
`that the source address will never be corrupted) to the
`between secure operation in accordance with the inven
`multiplexer 7, and cause it to transmit, for the remainder
`tion and ordinary, insecure operation; the latter may be
`of the length of the frame, a meaningless sequence of
`desirable, for example, during fault testing and identifi- 60
`digits (such as all 1's, all 0's, a cyclically repeated se
`quence or a pseudo-random sequence) available to it
`Cation.
`from a sequence generator 20 instead of the incoming
`signal. Preferably when such a signal is given, data is
`also transmitted to the network controller Cidentifying
`the port on which the frame concerned was received,
`the destination address and source address of the frame
`and the reason for the decision that the frame was unau
`thorized. If desired, this signal may be separated from
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`The invention will be further described by way of
`example with reference to the accompanying drawings 65
`in which FIG. 1 is a diagram of a network in accor
`dance with the invention incorporating four multiport
`repeaters, and FIG. 2 is a block diagram of those parts
`
`Ex.1005
`CISCO SYSTEMS, INC. / Page 8 of 13
`
`
`
`15
`
`5,386,470
`5
`6
`the system data signals into a separate signalling me
`repeater in accordance with the invention loaded with
`dium, designated on the diagram as an information bus.
`analagous rules to provide additional security.
`In addition, the repeater port on which the unautho
`Note that, in this example, the network has been so
`rized frame was received, and/or the repeater port to
`arranged that each destination address and each source
`which the addressed DTE is connected, may be
`address is either accepted or rejected unconditionally.
`switched off.
`This has the advantage of requiring the shortest pro
`Instead of substituting the output of sequence genera
`cessing time, and consequently allowing an unautho
`tor 20 for the content of the unauthorized frame, the
`rized frame to be modified from as nearly as possible the
`unauthorized frame may be modified by encrypting it in
`beginning of its data segment. It is however possible,
`a manner that cannot be decrypted by the DTE's of the
`O
`subject to process time limitations, to provide condi
`network, except for the network controller or a security
`tional rules allowing certain destination addresses to be
`unit. This enables the controller or a security unit to be
`accessed from some but not all of the DTE's connected
`informed of the content of the modified frame with
`to the module in question.
`facility.
`What we claim as our invention is:
`As shown in FIG. 3, to encrypt an unauthorized
`1. In a network communicating data frames having an
`frame, encrypter 20' is provided in place of overwriting
`identifiable destination on communication media having
`sequence generator 20. The multiplexer 7 stays the same
`a particular media access protocol, a repeater compris
`as in FIG. 2. Encrypted data generator 20' has clock,
`1ng:
`SFC, and the received data fed into it. Encrypted data
`at least first and second ports for connection to the
`generator 20' then produces an encrypted data stream
`20
`communication media of the network;
`synchronized with the start of the data frame which is
`a frame regenerator connected between the first and
`fed into multiplexer 7. The encrypted data is selected
`second ports that repeats an incoming frame from
`via the select signal as in FIG. 2. The remainder of the
`the first port to supply a regenerated frame for
`FIG. 3 circuit functions as described above with refer
`retransmission on the second port within a time
`ence to FIG. 2.
`25
`interval which begins before the complete incom
`The repeater provides in addition conventional facili
`ing frame has been received by the first port;
`ties for detecting a collision and transmittingjam signals
`access rule logic coupled with the first port to detect
`in response to it, for extending signal fragments arising
`incoming frames having destinations not autho
`from collisions and for disabling a port on which exces
`rized for the second port; and
`sive collisions or frame lengths exceeding the protocol
`30
`an override circuit, coupled to the frame regenerator
`limit are indicative of faulty equipment. The repeater
`and to the access rule logic, to modify the regener
`may also include a timer or frame counting device ar
`ated frame in response to indication by the access
`ranged to switch off any port in which a number of
`rule logic that the incoming frame has a destination
`consecutive frames exceeding a preset limit is received.
`not authorized for the second port.
`Suppose, by way of example, that DTE's 1 to 5 need
`35
`2. The repeater of claim 1, wherein the access rule
`to communicate with each other but with none of the
`logic, comprises:
`other DTEs. DTE's 6 to 9 similarly need access only to
`sampling circuitry to sample a destination field in an
`each other but DTE 10 needs access not only to DTE 6
`incoming frame;
`to 9 but also DTEs 11 to 14; obviously, all the DTE's
`a destination table store to store a list of at least one
`need to be in communication with the network control
`authorized destination in the network for access
`ler C. This could be achieved by connecting MAUs 1 to
`through the second port;
`5 to one module (or to separate modules with the same
`a comparator, coupled with the sampling circuitry
`instructions in their address rule databases) in MPR. 1,
`and the destination table store, which supplies an
`MAU 6 to 9 to one module and MAU 10 to a separate
`unauthorized frame signal when the destination of
`module in MPR2 and similarly MAUs 11 to 14 to one
`45
`the incoming frame falls outside the list of at least
`module and MAU 15 to a second module in MPR 3. In
`one authorized destination; and wherein
`MPR 1, the address database needs to be loaded with
`the override circuit is responsive to the unauthorized
`rules accepting destination addresses corresponding to
`frame signal to begin modifying the regenerated
`the network controller C and to its own DTE's 1 to 5
`frame.
`but no other, and may optionally be loaded with the
`50
`3. The repeater of claim 2, wherein the unauthorized
`source addresses of its own DTE's 1-5 in order to reject
`frame signal is supplied in time to modify substantially
`signals from an additional DTE connected to it without
`all data in the regenerated frame.
`authority. The first module of MPR2 is correspond
`4. The repeater of claim 2, further including:
`ingly loaded. The second module of MPR 2, on the
`a circuit to learn a destination accessible through the
`other hand, is loaded with rules accepting destination
`55
`second port of the repeater in response to frames
`addresses corresponding to MAU’s 6 to 9 and 11 to 14
`received on the second port during a learning inter
`as well as to the network controllers MAU 15 (and if
`required to accept no source address except that of
`val and to store the learned destination in the desti
`DTE 10).
`nation table store.
`5. The repeater of claim 2, wherein the network com
`The first module of MPR 3 is loaded with rules ac
`60
`cepting destination addresses corresponding to any of
`municates data frames having a preset format, the preset
`MAU’s 10-15 (and optionally to accept only source
`format having a beginning of the frame and a destina
`addresses corresponding to MAU’s 11 to 14); and the
`tion address field near the beginning of the frame, and
`second module of MPR3 is loaded to accept any desti
`wherein the destination table store stores a list of at least
`nation address (and preferably to accept no source ad
`one destination address.
`65
`dress except that of the network controller C).
`6. The repeater of claim 1, wherein the override cir
`MPR 4 may, if physical security is reliable, be a con
`cuit modifies the regenerated frame by corrupting at
`ventional MPR without security features; or it may be a
`least most of the data in the regenerated frame.
`
`Ex.1005
`CISCO SYSTEMS, INC. / Page 9 of 13
`
`
`
7. For a network communicating data frames having an identifiable destination on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
a plurality of ports for connection to the communication media of the network;
a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
access rule logic, coupled with the plurality of ports, to detect whether the incoming frame from the particular port has a destination not authorized for retransmission on the other ports on a per port basis; and
an override circuit, coupled to the frame regenerator and the access rule logic, responsive to detection by the access rule logic on a per port basis that the incoming frame has a destination not authorized for retransmission on a given port in the plurality of ports to modify the regenerated frame for retransmission on the given port.

8. The multiport repeater of claim 7, wherein the access rule logic comprises:
sampling circuitry to sample a destination field in the incoming frame;
a destination table store, storing respective lists of at least one authorized destination in the network for access through the respective ports in the plurality of ports;
a comparator, coupled with sampling circuitry and the destination table store, which supplies an unauthorized frame signal for given ports in the plurality of ports when the destination of the incoming frame falls outside the list of at least one authorized destination for the given ports; and wherein
the override circuitry is responsive to the unauthorized frame signal for the given ports.

9. The multiport repeater of claim 8, wherein the unauthorized frame signal is supplied in time to modify substantially all data in the regenerated frame.

10. The multiport repeater of claim 8, further including:
a circuit for learning destinations accessible through the respective ports in the plurality of ports in response to data frames received on the respective ports during a learning interval and storing the learned destinations in the destination table store.

11. The multiport repeater of claim 8, wherein the network communicates data frames having a preset format, the preset format having a beginning of the frame and a destination address field near the beginning of the frame, and wherein the destination table store stores a list of destination addresses.

12. The multiport repeater of claim 7, wherein the override circuit modifies the regenerated frame by corrupting at least most of the data in the regenerated frame.

13. In a network communicating data frames having an identifiable source on communication media having a particular media access protocol, a repeater comprising:
a frame regenerator connected between the first and second ports that repeats an incoming frame from the first port to supply a regenerated frame for retransmission on the second port within a time interval which begins before the complete incoming frame has been received by the first port;
access rule logic coupled with the first port to detect incoming frames having sources not authorized for the first port; and
an override circuit, coupled to the frame regenerator and to the access rule logic, to modify the regenerated frame in response to indication by the access rule logic that the incoming frame has a source not authorized for the first port.

14. The repeater of claim 13, wherein the access rule logic comprises:
sampling circuitry to sample a source field in an incoming frame;
a source table store to store a list of at least one authorized source for the first port;
a comparator, coupled with the sampling circuitry and the source table store, which supplies an unauthorized frame signal when the source of the incoming frame falls outside the list of at least one authorized source; and wherein
the override circuit is responsive to the unauthorized frame signal to begin modifying the regenerated frame.

15. The repeater of claim 14, wherein the unauthorized frame signal is supplied in time to modify substantially all data in the regenerated frame.

16. The repeater of claim 14, further including:
a circuit to learn at least one source connected to the first port of the repeater in response to frames received on the first port during a learning interval and to store the at least one learned source in the source table store.

17. The repeater of claim 14, wherein the network communicates data frames having a preset format, the preset format having a beginning of the frame and a source address field near the beginning of the frame, and wherein the source table store stores a list of at least one source address.

18. The multiport repeater of claim 13, further including a circuit for switching off the first port in response to detection of an incoming frame on the first port having a source not authorized for the first port.

19. The repeater of claim 13, wherein the override circuit modifies the regenerated frame by corrupting at least most of the data in the regenerated frame.

20. For a network communicating data frames having an identifiable source on communication media having a carrier sense multiple access with collision detection (CSMA/CD) media access protocol, a multiport repeater comprising:
a plurality of ports for connection to the communication media of the network;
a frame regenerator connected to the plurality of ports that repeats an incoming frame from a particular port in the plurality of ports to supply respective regenerated frames for retransmission on other ports in the plurality of ports within a time interval which begins before the complete incoming frame has been received by the particular port;
access rule logic, coupled with the plurality of ports, to detect whether the inco
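The FIG. 1 deployment worked through in the description (DTE 1 to 5, DTE 6 to 9, DTE 10, DTE 11 to 14 and the controller C spread over the modules of MPR 1 to MPR 3), as an added Python model that is not part of the patent and not 3Com's code. Addresses are constructed; the consecutive-frame limit, the learning-period call and the controller's re-enable call are assumptions about interfaces the patent describes only in outline. The model loads each module's rule database as the description states it, applies the Summary's self-learning rule on an otherwise unconfigured module, and includes the consecutive-frame guard against jamming and the report to the controller:

```python
from collections import defaultdict


def mac(n):
    """Constructed address for the DTE behind MAU n (MAU 15 carries the
    network controller C); these are not addresses from the patent."""
    return f"02:00:00:00:00:{n:02x}"


C = mac(15)


class Module:
    """One rule module of an MPR (FIG. 2: rules shared by all its ports).
    dst / src are address lists, None meaning that field is not checked;
    limit is the preset consecutive-frame count of the jamming guard."""

    def __init__(self, name, dst=None, src=None, limit=None):
        self.name = name
        self.dst = None if dst is None else set(dst)
        self.src = None if src is None else set(src)
        self.limit = limit
        self.learned = None            # per-port sources after a learning period
        self.count = defaultdict(int)  # consecutive frames seen per port
        self.disabled = set()          # ports switched off
        self.reports = []              # what is sent to the controller

    def learn(self, frames):
        """Learning period: the sources seen on each port become the only
        sources accepted on that port afterwards (self-learned rules)."""
        self.learned = defaultdict(set)
        for port, sa, _da in frames:
            self.learned[port].add(sa)

    def idle(self, port):
        """A gap in traffic on a port ends its run of consecutive frames."""
        self.count[port] = 0

    def enable(self, port):
        """Controller re-enables a port the guard switched off (assumption)."""
        self.disabled.discard(port)
        self.count[port] = 0

    def forward(self, port, sa, da):
        """Decision for one frame received on `port`: 'pass', 'modify'
        (the corrupt/encrypt override, with the reason reported), or
        'off' when the port is, or has just been, switched off."""
        if port in self.disabled:
            return "off", "port switched off"
        self.count[port] += 1
        if self.limit is not None and self.count[port] > self.limit:
            self.disabled.add(port)
            self.reports.append((self.name, port, sa, da, "consecutive frame limit exceeded"))
            return "off", "consecutive frame limit exceeded"
        allowed_src = self.learned[port] if self.learned is not None else self.src
        reason = None
        if self.dst is not None and da not in self.dst:
            reason = "destination not authorised"
        elif allowed_src is not None and sa not in allowed_src:
            reason = "source not authorised"
        if reason is not None:
            self.reports.append((self.name, port, sa, da, reason))
            return "modify", reason
        return "pass", None


def build_fig1(limit=None):
    """The rule databases as the description loads them: MPR 1 (one module),
    MPR 2 (a module for MAU 6-9 and one for MAU 10), MPR 3 (a module for
    MAU 11-14 and one for the controller's MAU 15). MPR 4 is left conventional."""
    g1 = [mac(i) for i in range(1, 6)]
    g2 = [mac(i) for i in range(6, 10)]
    g3 = [mac(i) for i in range(11, 15)]
    return {
        "MPR1":   Module("MPR1",   dst=g1 + [C],      src=g1,        limit=limit),
        "MPR2.1": Module("MPR2.1", dst=g2 + [C],      src=g2,        limit=limit),
        "MPR2.2": Module("MPR2.2", dst=g2 + g3 + [C], src=[mac(10)], limit=limit),
        "MPR3.1": Module("MPR3.1", dst=[mac(i) for i in range(10, 16)], src=g3, limit=limit),
        "MPR3.2": Module("MPR3.2", dst=None,          src=[C],       limit=limit),
    }
```

One thing the model makes visible: as loaded, the tables are one-way for DTE 10. Its frames reach DTE 6 to 9 through the second module of MPR 2, but a reply from DTE 6 to DTE 10 arrives on the first module of MPR 2, whose destination list holds only MAU 6 to 9 and the controller, and is modified. Whether that is what the installation wants depends on the protocols in use; anyone loading such tables should check both directions of every exchange the network is required to carry.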