Abstract: A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

Abstract: A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

Abstract: A method and system for an aggregated virtual local area network (VLAN) architecture in which several VLANs in a network share the same default router address and subnet mask, but remain isolated from one another's network traffic. Instead of the traditional method of assigning one subnet to a VLAN, each VLAN is assigned only a portion of a subnet's IP address space, and is further grouped into a super-VLAN uniquely associated with that subnet. Intra-VLAN traffic is forwarded only to host IP addresses assigned to that same VLAN according to a VLAN identifier carried in the data packet. Inter-VLAN traffic is processed by a virtual router interface which routes the data packet by applying the routing configuration for the subnet uniquely associated with the super-VLAN, according to a super-VLAN identifier carried in the data packet.

Abstract: Devices, systems and related methods are disclosed for improving operational security of a network and/or network devices, such as wireless access points (APs). In the disclosed systems, a network device is not fully operational until it is attached to a network and downloads sensitive information. The information is stored in the network device so that when the device is disconnected from the network, the sensitive information is erased from the device, making the device inoperative and removing sensitive information, such as passwords, network security keys, or the like. Disabling the network device in this manner not only prevents the theft of sensitive network access information, by also discourages theft of the device itself because it cannot be used on another network without the configuration information. In addition to downloading configuration information, the network device can also download an executable image that is likewise not permanently resident on the device.

Abstract: A network switch having a unified, adaptive management paradigm for wireless network devices is disclosed. The switch includes configurable ports for connecting devices. A software application running on the switch allows a network administrator to selectively configure each port to support either a wired device or wireless device. Configuration information and software images that are needed for operation of the wireless device are associated with the port. When a wireless device is first plugged into the switch port, it downloads its configuration directly from the switch port. By storing the configuration information and images at the switch and automatically downloading them to the wireless devices, the task of configuring the devices is greatly simplified for the network administrator. This is particularly advantageous in heterogeneous network environments that support both wired and wireless devices, and where wireless device are readily moved to different ports.

Abstract: A method and system is provided for a virtual local network to span multiple loop free network topology domains. According to one aspect of the invention, a network contains at least two loop free network topology domains and a virtual local area network spanning at least a portion of each of the two domains. According to one aspect of the invention, a network architecture comprises a plurality of nodes connected by paths, a first physical broadcast domain and a second physical broadcast domain each comprising a separate subset of the plurality of nodes, and a logical broadcast domain comprising a node from each subset.

Abstract: A method and system for an aggregated virtual local area network (VLAN) architecture in which several VLANs in a network share the same default router address and subnet mask, but remain isolated from one another's network traffic. Instead of the traditional method of assigning one subnet to a VLAN, each VLAN is assigned only a portion of a subnet's IP address space, and is further grouped into a super-VLAN uniquely associated with that subnet. Intra-VLAN traffic is forwarded only to host IP addresses assigned to that same VLAN according to a VLAN identifier carried in the data packet. Inter-VLAN traffic is processed by a virtual router interface which routes the data packet by applying the routing configuration for the subnet uniquely associated with the super-VLAN, according to a super-VLAN identifier carried in the data packet. The routing configuration used by the virtual router interface includes routing protocols, static routes, redundant router protocols and access-lists.

Abstract: A flexible, policy-based, mechanism for managing, monitoring, and prioritizing traffic within a network and allocating bandwidth to achieve true quality of service (QoS) is provided. According to one aspect of the present invention, a method is provided for managing bandwidth allocation in a network that employs a non-deterministic access protocol, such as an Ethernet network. A packet forwarding device receives information indicative of a set of traffic groups, such as: a MAC address, or IEEE 802.1p priority indicator or 802.1Q frame tag, if the QoS policy is based upon individual station applications; or a physical port if the QoS policy is based purely upon topology. The packet forwarding device additionally receives bandwidth parameters corresponding to the traffic groups.

Abstract: A flexible, policy-based, mechanism for managing, monitoring, and prioritizing traffic within a network and allocating bandwidth to achieve true quality of service (QoS) is provided. According to one aspect of the present invention, a method is provided for managing bandwidth allocation in a network that employs a non-deterministic access protocol, such as an Ethernet network. A packet forwarding device receives information indicative of a set of traffic groups, such as: a MAC address, or IEEE 802.1p priority indicator or 802.1Q frame tag, if the QoS policy is based upon individual station applications; or a physical port if the QoS policy is based purely upon topology. The packet forwarding device additionally receives bandwidth parameters corresponding to the traffic groups.

Abstract: A flexible, policy-based, mechanism for managing, monitoring, and prioritizing traffic within a network and allocating bandwidth to achieve true quality of service (QoS) is provided. According to one aspect of the present invention, a method is provided for managing bandwidth allocation in a network that employs a non-deterministic access protocol, such as an Ethernet network. A packet forwarding device receives information indicative of a set of traffic groups, such as: a MAC address, or IEEE 802.1p priority indicator or 802.1Q frame tag, if the QoS policy is based upon individual station applications; or a physical port if the QoS policy is based purely upon topology. The packet forwarding device additionally receives bandwidth parameters corresponding to the traffic groups.

Abstract: A flexible, policy-based, mechanism for managing, monitoring, and prioritizing traffic within a network and allocating bandwidth to achieve true quality of service (QoS) is provided. According to one aspect of the present invention, a method is provided for managing bandwidth allocation in a network that employs a non-deterministic access protocol, such as an Ethernet network. A packet forwarding device receives information indicative of a set of traffic groups, such as: a MAC address, or IEEE 802.1p priority indicator or 802.1Q frame tag, if the QoS policy is based upon individual station applications; or a physical port if the QoS policy is based purely upon topology. The packet forwarding device additionally receives bandwidth parameters corresponding to the traffic groups.