Abstract: Embodiments herein disclose a system and method of permitting static MAC movement across a network. Instead of limiting access to a network to a single port within that configured network, the proposed system permits a user to access the network through any port present within that network. The system comprises a combination of software and hardware, where the hardware is configured using said software. Whenever a new device is configured on a network, its MAC address is registered in the hardware table as well as the software tables. Subsequent movements of that device among different ports are checked against the software tables for permission and updated in the hardware table. When a configured device tries to connect to the network through any allowed port within that network, access is granted. This system gives the administrator flexibility in controlling secured access to networks. FIG. 2
TECHNICAL FIELD
[001] The embodiments herein relate to facilitation of static MAC movement and, more particularly, to enabling static MAC movement within a network.
BACKGROUND
[002] A Virtual LAN (VLAN) is a group of hosts with a common set of requirements. Regardless of their physical location, these hosts communicate as if they were attached to the same broadcast domain. A VLAN allows end stations to be grouped together even if they are not located on the same switch.
[003] When multiple devices are connected to a Virtual LAN, an identifier is required to uniquely identify each device. A Media Access Control (MAC) address is such an identifier, by which devices connected to a virtual network can be uniquely identified. The MAC addresses on a given port and VLAN can also be used to provide port security. There are two types of MAC addresses, namely static MAC addresses and dynamic MAC addresses. A static MAC address is manually configured; it is stored in the address table and added to the switch running configuration. A dynamic MAC address is learned dynamically; it is stored only in the address table and is removed when the link between the port and the device goes down, when the entry ages out, or when the switch restarts. In a secured network to which multiple devices try to connect through the available ports, if a device's MAC address is configured on a particular port and the number of MACs allowed on that port is restricted, then only that particular device can access the configured port. In this way, unauthorized devices are effectively prevented from accessing that port.
[004] However, static MACs are permanent in nature: once configured, they are bound to a port for a given VLAN. Even where configuration of the same MAC address on multiple ports is required, bridging systems generally do not allow a static MAC address to be used across ports of the same group, and any such movement is treated as a security breach.
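The distinction drawn in paragraphs [003] and [004], as an added example that is not part of the application: a minimal bridge address table in which static entries are manually configured, survive aging, link loss and restart, and appear in the running configuration, while dynamic entries are learned from traffic and flushed by any of those events. The class, the MAC values and the `max_age` default are constructed for this illustration; the `learn` method also shows the behaviour of a conventional bridge, which refuses a frame whose static MAC arrives on a different port.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the application): a toy bridge address table that
# separates static entries (configured, persistent, in the running config)
# from dynamic entries (learned, aged out, flushed on link-down or restart).
# Names, MAC values and the aging default are assumptions of this example.


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # seconds; unused for static entries


class AddressTable:
    def __init__(self, max_age: float = 300.0):
        self.max_age = max_age
        self.entries: Dict[str, Entry] = {}

    def add_static(self, mac: str, port: str) -> None:
        """Manually configure a static MAC on a port; it never ages out."""
        self.entries[mac] = Entry(port, static=True, last_seen=0.0)

    def learn(self, mac: str, port: str, now: float) -> bool:
        """Source learning of a dynamic entry.

        A static entry is never overwritten by learning: a frame carrying a
        static MAC on a different port is the 'MAC movement' that a bridge
        without the proposed scheme treats as a breach. Returns True when the
        frame is accepted on this port.
        """
        cur = self.entries.get(mac)
        if cur is not None and cur.static:
            return cur.port == port
        self.entries[mac] = Entry(port, static=False, last_seen=now)
        return True

    def lookup(self, mac: str) -> Optional[str]:
        e = self.entries.get(mac)
        return e.port if e else None

    def age_out(self, now: float) -> List[str]:
        """Drop dynamic entries not refreshed within max_age; return them."""
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.max_age]
        for m in expired:
            del self.entries[m]
        return expired

    def link_down(self, port: str) -> None:
        """Link loss removes only the dynamic entries of that port."""
        self.entries = {m: e for m, e in self.entries.items()
                        if e.static or e.port != port}

    def restart(self) -> None:
        """A restart keeps only what is in the running configuration."""
        self.entries = {m: e for m, e in self.entries.items() if e.static}

    def running_config(self) -> List[str]:
        """Only static entries are part of the running configuration."""
        return sorted(f"static {m} {e.port}"
                      for m, e in self.entries.items() if e.static)


if __name__ == "__main__":
    t = AddressTable()
    t.add_static("00:11:22:33:44:01", "P1")
    t.learn("00:11:22:33:44:02", "P2", now=10.0)
    print(t.learn("00:11:22:33:44:01", "P2", now=10.0))  # static MAC on wrong port
    print(t.age_out(now=400.0))                           # dynamic entry expires
    print(t.running_config())
```

The `learn` return value is the point of the example: with a plain static entry the second host port is simply rejected, which is the rigidity the application's ACTIVE/DUPLICATE scheme is meant to relax.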
SUMMARY
[005] In view of the foregoing, an embodiment herein provides a method for enabling a device to connect to an edge port in a port group. The method comprises the steps of making an entry for the MAC address of the device as ACTIVE in the software table and the hardware table of that port, making an entry for the MAC address as DUPLICATE in the software tables of the other ports, and removing the MAC address from the hardware tables of the other ports if the MAC address has previously connected to those ports.
When a device tries to connect to a port in a port group, the method marks an entry for the MAC address of the device as "ACTIVE" in the software table as well as the hardware table of the network device. Further, the method marks the entry for the MAC address of the device as "DUPLICATE" in the software table of every other port to which the device has previously been configured. Further, the method removes the MAC address of the device from the hardware table of every other port to which the device has previously been configured.
[006] Further, a network device is provided with at least one edge port. The network device comprises means configured for making an entry for the MAC address of a device as "ACTIVE" in the software table if the device tries to connect to the port, making an entry for the MAC address as DUPLICATE in the software tables of the other ports, and removing the MAC address from the hardware tables of the other ports if the MAC address has previously connected to those ports. When a device tries to connect to a port in a port group, the network device marks an entry for the MAC address of the device as "ACTIVE" in the software table as well as the hardware table of the network device. Further, the network device marks the entry for the MAC address of the device as "DUPLICATE" in the software table of every other port to which the device has previously been configured. Further, the network device removes the MAC address of the device from the hardware table of every other port to which the device has previously been configured.
[007] These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings.
BRIEF DESCRIPTION OF THE FIGURES
[008] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[009] FIG. 1 illustrates a block diagram of the VLAN as disclosed in the embodiments herein;
[0010] FIG. 2 illustrates a block diagram which illustrates the MAC management module and its components as disclosed herein; and
[0011] FIG. 3 illustrates a flow chart which describes the various steps involved in the system disclosed in the embodiments herein.
DETAILED DESCRIPTION OF EMBODIMENTS
[0012] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0013] The embodiments herein disclose a system for static MAC movement by disclosing a combination of software and hardware as disclosed in the embodiments herein. Referring now to the drawings, and more particularly to FIGS. 1 through 3, where similar reference characters denote corresponding features consistently throughout the figures, there are shown embodiments.
[0014] FIG. 1 illustrates a block diagram of the VLAN as disclosed in the embodiments herein. The system comprises an edge port group associated with a VLAN 101, multiple ports 102 associated with the network device 101 and connected to devices 104, a MAC address 103 associated with each device 104, and a MAC management module 105. In an embodiment, the edge port group is a secured port group. In another embodiment, a device 104 may be any of laptops, desktop computers, portable devices such as tablets, mobile phones, PDAs, or any other device capable of connecting to a VLAN. Static MAC addresses are manually configured on the ports and are permanent in nature. A device can access a port in a VLAN only if the MAC address of that device is configured as permitted to connect to that port in that VLAN. The system denies permission to, and discards traffic from, a device that tries to access any port in the VLAN if its MAC address is not configured on that port and VLAN. In an embodiment, static MAC movement within a network device 101 is managed by a dedicated MAC management module 105. In this way the network device 101 achieves port security and hence permits secured access.
[0015] The system described in FIG. 1 comprises a network device 101 with four ports P1, P2, P3 and P4 102. The number of ports depicted herein is merely exemplary, and the network device may have any number of ports. These ports are secured ports, which may participate in Authentication, Authorization and Accounting (AAA) and HIC authentication. The administrator of the network device 101 has configured the MAC addresses 103 belonging to the devices 104 on the port group associated with a VLAN "V", where ports P1, P2, P3 and P4 are connected to devices 104 L1, L2, L3 and L4 respectively. The MAC addresses 103 of devices L1, L2, L3 and L4 are M1, M2, M3 and M4 respectively. Embodiments disclosed herein enable a device to access any one of the ports of a particular network device 101 if the MAC address of that device 104 is configured as allowed to move among those ports of the same network device 101. Further, the MAC management module 105 manages static MAC movement across the ports present in that network device 101.
[0016] FIG. 2 illustrates a block diagram of the MAC management module and its components as disclosed herein. The MAC management module 105 comprises a controller 201, a packet receptor module 202, a source learning module 203, a security interface module 204 and a memory 205. When a device with a particular MAC address attempts to connect to a port of the network device 101, the controller 201 checks whether the MAC address has previously been registered with the network device 101. It does so by checking whether the MAC address of that device is present in the memory, within the hardware table of the network device 101. If the MAC address has not previously been registered, the controller 201 checks in the software table on the CPU whether the MAC address is authorized to access the network device 101. If the MAC address is not authorized, the controller 201 refuses to connect the device to the network device 101. If the MAC address is authorized, the controller 201 stores the MAC address in the memory 205. The memory 205 comprises a software table and a hardware table specific to each port within the network device 101. The controller 201 stores the MAC address in the hardware table and updates the status of that device in the software table to ACTIVE against the port to which the device is attempting to connect. If the MAC address has previously been registered with the network device 101, the controller 201 checks to which port the MAC address was previously connected. If the MAC address was previously connected to a port different from the one where the connection is being attempted, the controller 201 checks whether the MAC address is present in the software table associated with that port (the entry for the MAC address may or may not be present in the hardware table).
If the MAC address is present in the software table associated with that port with status DUPLICATE, meaning that the MAC is allowed to access this port, the controller 201 updates the status of the MAC address in the software table of the port to ACTIVE and makes an entry for the MAC address in the hardware table of the port. The controller 201 then permits the device with that MAC address to connect to that port. Once the device has connected to the port, the controller 201 sets the status of the MAC address in the software tables of the ports where the same MAC address was previously registered to DUPLICATE and deletes the MAC address from the hardware table of the previous port.
[0017] The packet receptor module 202 facilitates the transfer of packet data from the hardware to the controller on the CPU.
[0018] A security interface module 203 is present within the MAC management module 105. This module contains all the security protocols that ensure secured data transfer. Further, the security interface module 203 is responsible for AAA communication and HIC authentication.
[0019] FIG. 3 illustrates a flow chart of the various steps involved in the system disclosed in the embodiments herein. The MAC management module 105 maintains (301) a database in the memory containing details of the permitted MAC addresses belonging to devices 104 previously configured on the network device 101. In an embodiment, a new device 104 is configured on the network device 101 by programming its MAC address into the database of the network device 101. In another embodiment, the database comprises two tables: a software table and a hardware table. In another embodiment, whenever a new device 104 is configured on a network device 101, the device's 104 MAC address is marked in the software table. Later, when a device 104 tries to access any port within that network device 101, the MAC management module 105 checks (302) whether that device 104 was previously registered with that network device 101. This is done by checking whether the MAC address of that device is present in the hardware table. In an embodiment, the MAC address of a device 104 is checked against the hardware table at the instant the device 104 connects to a particular port in the port group. If the MAC address of that device 104 is found not to be registered in the database of the network device 101, the system traps the MAC to the CPU and checks (303) whether the MAC address is permitted to access the network. In an embodiment, the system verifies whether a device 104 has permission to access the network by directing packets arriving from that device to an AAA server. In another embodiment, the MAC management module 105 has access to a set of MAC addresses in the database for which access will never be granted, for certain reasons. In another embodiment, those reasons may include security reasons or any other reason that may cause harm to the system.
If the MAC management module 105 finds that the MAC address of the device has no permission to access the network device 101, that device 104 is discarded (304). If the MAC address is permitted to access the network, the MAC management module 105 checks (305) whether the MAC address of that device is present in the hardware table of any port other than the newly configured port. If the MAC address is present in the hardware table of any other port, the MAC management module 105 deletes (306) such entries from the hardware tables of the ports other than the newly configured port. In an embodiment, a device 104 can have either of two statuses, namely ACTIVE and DUPLICATE, in the software table against each of the ports to which the device has been configured. The MAC management module 105 then programs (307) the MAC address of the device into the hardware of the new port and updates (308) the status of the new port to "ACTIVE" in the software table. In 305, if the entry is not present in the hardware table of any other port, control goes to 307. The MAC management module 105 then updates (309) the status of all other ports to which the MAC address of that device has already been configured to "DUPLICATE". Finally, the device 104 is allowed (310) to communicate. The various actions in method 300 may be performed in the order presented, in a different order, or simultaneously. Further, in some embodiments, some actions listed in FIG. 3 may be omitted.
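The controller logic of paragraph [0016] and the flow of FIG. 3 (steps 301 to 310) as one added example, not code from the application: a simulation of the MAC management module with a per-port software table holding ACTIVE/DUPLICATE statuses, a per-port hardware table holding the MACs programmed for forwarding, and a never-granted set for the deny list of paragraph [0019]. Port names, MAC values and the rule that a freshly configured entry starts as DUPLICATE (permitted on the port but not yet active there) are assumptions of this example; the AAA lookup is reduced to the software-table check.

```python
from typing import Dict, List, Optional, Set

# Added example (not from the application): simulation of the static MAC
# movement procedure of FIG. 3, steps 301-310. Port names, MAC values and the
# initial DUPLICATE status of a configured entry are assumptions.

ACTIVE = "ACTIVE"
DUPLICATE = "DUPLICATE"


class MacManagementModule:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        # software table, per port: MAC -> ACTIVE / DUPLICATE (held on the CPU)
        self.software: Dict[str, Dict[str, str]] = {p: {} for p in ports}
        # hardware table, per port: MACs programmed for forwarding on that port
        self.hardware: Dict[str, Set[str]] = {p: set() for p in ports}
        # MACs for which access is never granted (paragraph [0019])
        self.denied: Set[str] = set()

    def configure(self, mac: str, *ports: str) -> None:
        """Step 301: the administrator programs the MAC into the software table
        of every port it may use. Assumed initial status: DUPLICATE."""
        for p in ports:
            self.software[p][mac] = DUPLICATE

    def connect(self, mac: str, port: str) -> str:
        """A device with `mac` appears on `port`; returns ALLOWED or DISCARDED."""
        # 302: already registered in hardware on this port, nothing to change
        if mac in self.hardware[port]:
            return "ALLOWED"
        # 303: trapped to the CPU; permitted only if configured on this port
        # (status DUPLICATE or ACTIVE) and not in the never-granted set
        if mac in self.denied or mac not in self.software[port]:
            return "DISCARDED"                        # 304
        # 305/306: drop stale hardware entries on other ports so the MAC is
        # forwarded on exactly one port at any time
        for other in self.ports:
            if other != port:
                self.hardware[other].discard(mac)
        self.hardware[port].add(mac)                  # 307
        self.software[port][mac] = ACTIVE             # 308
        for other in self.ports:                      # 309
            if other != port and mac in self.software[other]:
                self.software[other][mac] = DUPLICATE
        return "ALLOWED"                              # 310

    def active_port(self, mac: str) -> Optional[str]:
        """Port on which the MAC is currently programmed in hardware, if any."""
        for p in self.ports:
            if mac in self.hardware[p]:
                return p
        return None

    def status(self, mac: str, port: str) -> Optional[str]:
        """Software-table status of the MAC on a port (None if not configured)."""
        return self.software[port].get(mac)


if __name__ == "__main__":
    dev = MacManagementModule(["P1", "P2", "P3", "P4"])
    dev.configure("M1", "P1", "P2")   # L1 is allowed to move between P1 and P2
    dev.configure("M2", "P2")         # L2 is pinned to P2
    print(dev.connect("M1", "P1"), dev.active_port("M1"))
    print(dev.connect("M1", "P2"), dev.active_port("M1"), dev.status("M1", "P1"))
    print(dev.connect("M1", "P3"))    # not configured on P3: discarded
    print(dev.connect("M2", "P1"))    # not configured on P1: discarded
```

The invariant worth checking after every `connect` is that a MAC is present in at most one port's hardware table, which is what steps 305/306 guarantee; a MAC seen on a port where it has no software-table entry is the unauthorized move the background section describes, and it is discarded rather than learned.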
[0020] The embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the network elements. The network elements shown in Figs. 1 and 2 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.
[0021] The embodiment disclosed herein specifies a system for permitting static MAC movement. The mechanism allows a device configured on a network device 101 to access that network device 101 through any allowed port present in it, and provides a system therefor. Therefore, it is understood that the scope of protection extends to such a program and, in addition, to a computer readable means having a message therein, such computer readable storage means containing program code means for the implementation of one or more steps of the method when the program runs on a server, mobile device or any suitable programmable device. The method is implemented in a preferred embodiment through or together with a software program written in, e.g., Very high speed integrated circuit Hardware Description Language (VHDL) or another programming language, or implemented by one or more VHDL or software modules executed on at least one hardware device. The hardware device can be any kind of device which can be programmed, including, e.g., any kind of computer such as a server or a personal computer, or any combination thereof, e.g. one processor and two FPGAs. The device may also include means which could be, e.g., hardware means such as an ASIC, or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means are at least one hardware means and/or at least one software means. The method embodiments described herein could be implemented in pure hardware or partly in hardware and partly in software. The device may also include only software means. Alternatively, the invention may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[0022] The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the spirit and scope of the claims as described herein.
WE CLAIM:
1. A method for enabling a device to connect to an edge port in a network device, said method comprising:
making an entry for MAC address of said device marked as ACTIVE in software table and hardware table of said port, upon said device trying to connect to said port; and
making an entry for said MAC address marked as DUPLICATE in software table of other ports and removing entry of said MAC address from hardware tables of other ports in said network device, if said MAC address has previously connected to said other ports.
2. The method, as claimed in claim 1, wherein said edge port is a secured port.
3. The method, as claimed in claim 1, wherein a check is made if said MAC address is authorized to connect to said network device.
4. The method, as claimed in claim 1, wherein said device communicates with said network device using said port, on receiving an indication from said network device.
5. The method, as claimed in claim 1, wherein said network rejects said device if said device is not permitted to access said network.
6. A network device with at least one edge port, said network device comprising at least one means configured for making an entry for MAC address of a device marked as ACTIVE in software table and hardware table of said port, on said device trying to connect to said port; and making an entry for said MAC address marked as DUPLICATE in software table of other ports and removing entry of said MAC address from hardware tables of other ports in said network device, if said MAC address has previously connected to said other ports.
7. The network device, as claimed in claim 6, wherein said network device is configured for checking if said MAC address is authorized to connect to said network device.
8. The network device, as claimed in claim 6, wherein said network device is configured for rejecting said device with said MAC address if said MAC address is not authorized to connect to said network device.
| # | Name | Date |
|---|---|---|
| 1 | 1500-CHE-2011 POWER OF ATTORNEYS 26-08-2011.pdf | 2011-08-26 |
| 2 | 1500-CHE-2011 FORM -2 26-08-2011.pdf | 2011-08-26 |
| 3 | 1500-CHE-2011 DRAWING 26-08-2011.pdf | 2011-08-26 |
| 4 | 1500-CHE-2011 DESCRIPTION (COMPLETE) 26-08-2011.pdf | 2011-08-26 |
| 5 | 1500-CHE-2011 CORRESPONDENCE OTHERS 26-08-2011.pdf | 2011-08-26 |
| 6 | 1500-CHE-2011 CLAIMS 26-08-2011.pdf | 2011-08-26 |
| 7 | 1500-CHE-2011 ABSTRACT 26-08-2011.pdf | 2011-08-26 |
| 8 | Drawings.pdf | 2011-09-03 |
| 9 | Form-1.pdf | 2011-09-03 |
| 10 | Form-3.pdf | 2011-09-03 |
| 11 | Form-5.pdf | 2011-09-03 |
| 12 | Power of Authority.pdf | 2011-09-03 |
| 13 | abstract1500-CHE-2011.jpg | 2012-10-20 |
| 14 | 2019-02-2113-15-41_21-02-2019.pdf | |
| 15 | 1500-CHE-2011-FER.pdf | 2019-02-22 |
| 16 | 1500-CHE-2011-AbandonedLetter.pdf | 2019-08-26 |