A Local Area Network (LAN) interconnects network-enabled devices, such as laptops, printers, tablets, or servers, within a limited geographic area, such as a school, office building, residence, or campus. As more network-enabled devices connect to a LAN, it becomes beneficial to separate this LAN into more manageable and policy-driven segments. A Virtual Local Area Network (VLAN) provides this segmentation. By grouping network-enabled devices together by function or requirements, specific policies can be defined to help with service levels, security, and congestion. For example, a network-enabled device that should be allowed access to an accounting server should be placed on an Accounting VLAN; a network-enabled device on a different VLAN, such as a Development VLAN, would have policies applied that would not allow it to access the same accounting server.
There are several well-known processes of assigning network-enabled devices to the appropriate VLAN. Some of these processes involve matching a user, device type, or required function to a known VLAN. In all instances of these processes, the VLAN assignment is predefined, and rules are implemented to match the network-enabled device to the predefined VLAN. For instance, within an office building, there could be three defined VLANs, each with its own function, such as a Voice-Over-IP (VOIP) VLAN, a Production VLAN, and a Guest VLAN.
If a VOIP telephone connects to such a network, a request could be sent to an authentication server. This authentication server could identify the device as a VOIP telephone by a media access control (MAC) address or device profile. The authentication server could instruct the connecting network equipment (e.g., network switch, access point, etc.) to place the VOIP telephone into the VOIP VLAN. When a different class of network-enabled device, such as an employee laptop, connects to the same connecting network equipment, a similar request could be sent to an authentication server. The authentication server may ask for additional credentials, such as a username or password. Once the authentication server has validated the credentials, it could instruct the connecting network equipment to place this network-enabled device into the Production VLAN. And lastly, if yet a third class of network-enabled device were to connect to the same connecting network equipment, a request could be sent to an authentication server. In this instance, if the authentication server is unable to identify the device class, device type, or device user, it could instruct the connecting network equipment to place the network-enabled device into the Guest VLAN.
According to an example embodiment, a computer-implemented method for virtual local area network (VLAN) assignment comprises identifying, automatically, whether a network-enabled device is associated with a previously assigned VLAN for a network. The network-enabled device has passed authentication. The authentication is responsive to a request sent from the network-enabled device to network equipment for access to the network. The computer-implemented method further comprises, based on a result of the identifying, automatically (i) selecting a VLAN from a pool of dynamically assignable VLANs, (ii) associating the VLAN selected with the network-enabled device, and (iii) instructing the network equipment to assign the network-enabled device to the VLAN selected from the pool.
According to an example embodiment, (i), (ii), and (iii) may be performed, automatically, based on the result indicating that there is no previously assigned VLAN associated with the network-enabled device. In an event the result indicates that the network-enabled device is associated with the previously assigned VLAN, the computer-implemented method may further comprise instructing the network equipment to assign the network-enabled device to the previously assigned VLAN.
According to an example embodiment, (i), (ii), and (iii) may be performed, automatically, based on the result indicating that a) there is no previously assigned VLAN associated with the network-enabled device and b) the network-enabled device is not associated with another network-enabled device that has received a respective VLAN assignment.
In an event the result indicates that there is no previously assigned VLAN associated with the network-enabled device and that the network-enabled device is associated with a different network-enabled device that is associated with a respective VLAN from the pool, the computer implemented method may not perform (i), (ii), and (iii) and may further comprise associating the network-enabled device with the respective VLAN associated with the different network-enabled device and instructing the network equipment to assign the network-enabled device to the respective VLAN.
The pool of dynamically assignable VLANs may be stored in a database. The identifying may include retrieving data from the database and identifying whether the network-enabled device is associated with the previously assigned VLAN based on the data retrieved.
The computer-implemented method may further comprise maintaining the pool of dynamically assignable VLANs based on at least one timer and refreshing a timer of the at least one timer based on receipt of a refresh signal. The timer may be associated with the VLAN selected. The computer-implemented method may further comprise, in response to a timeout of the timer, dissociating the VLAN selected from the network-enabled device and all other network-enabled devices associated with the VLAN selected. The dissociating may cause the VLAN selected to be returned to the pool as an unused VLAN. The timeout may be due to lack of receipt of the refresh signal. The computer-implemented method may further comprise, in response to the dissociating, instructing the network equipment to de-assign the network-enabled device from the VLAN selected.
The selecting may include ensuring that the VLAN selected from the pool of dynamically assignable VLANs is not associated with another network-enabled device that is not associated with the network-enabled device. The selecting may further include ensuring that the VLAN selected is not in a lockout period.
The computer-implemented method may further comprise associating the VLAN selected with the network-enabled device and a credential of a user of the network-enabled device.
The computer-implemented method may further comprise associating the VLAN selected with a media access control (MAC) address of the network-enabled device, embedded identity document (EID) corresponding to an embedded subscriber identity module (eSIM) of the network-enabled device, or other unique identifier of the network-enabled device.
According to another example embodiment, a system for virtual local area network (VLAN) assignment comprises at least one processor and at least one memory. The at least one memory has encoded thereon a sequence of instructions which, when loaded and executed by the at least one processor, causes the at least one processor to identify, automatically, whether a network-enabled device is associated with a previously assigned VLAN for a network. The network-enabled device has passed authentication. The authentication is responsive to a request sent from the network-enabled device to network equipment for access to the network. Based on a result of the identifying, the sequence of instructions further causes the processor to automatically (i) select a VLAN from a pool of dynamically assignable VLANs, (ii) associate the VLAN selected with the network-enabled device, and (iii) instruct the network equipment to assign the network-enabled device to the VLAN selected from the pool.
The system may be a cloud-based system.
Alternative system embodiments parallel those described above in connection with the example computer-implemented method embodiment.
A non-transitory computer-readable medium for virtual local area network (VLAN) assignment has encoded thereon a sequence of instructions which, when loaded and executed by at least one processor, causes the at least one processor to identify, automatically, whether a network-enabled device is associated with a previously assigned VLAN for a network. The network-enabled device has passed authentication. The authentication is responsive to a request sent from the network-enabled device to network equipment for access to the network. Based on a result of the identifying, the sequence of instructions further causes the processor to automatically (i) select a VLAN from a pool of dynamically assignable VLANs, (ii) associate the VLAN selected with the network-enabled device, and (iii) instruct the network equipment to assign the network-enabled device to the VLAN selected from the pool.
Alternative non-transitory computer-readable medium embodiments parallel those described above in connection with the example computer-implemented method embodiment.
It should be understood that example embodiments disclosed herein can be implemented in the form of a method, apparatus, system, or computer readable medium with program codes embodied thereon.
The foregoing will be apparent from the following more particular description of example embodiments, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments.
A description of example embodiments follows.
Conventional processes provide a means to associate known and unknown network-enabled devices to a static, known, predefined, currently used, and pre-policied VLAN. A known device is one in which an authentication server is able to identify the device as previously registered and a VLAN assignment is pre-existing, while an unknown device is one in which the authentication server has no knowledge of the device and would generally place this device in a “guest” VLAN, such as the Guest VLAN described above. There are times when assigning network-enabled devices to dynamic, unknown, undefined, currently unused and/or un-policied VLANs is beneficial. For instance, perhaps the guest VLAN had a network policy applied that restricted any network-enabled device on this VLAN to communicating only with the Internet. If a network-enabled device were to be placed within this VLAN, this device would not have access to communicate with any other device within the VLAN. If this network-enabled device had a need to communicate with a second network-enabled device within this VLAN, such as a laptop connecting to a network-enabled display screen, each of these devices would need to join a VLAN that allows communication between the two. The administrator of the network would need to create a new VLAN, apply policy to the new VLAN, inform the authentication server of the new VLAN, and associate the new VLAN with the network-enabled devices that need to communicate in the authentication server.
Described herein is a unique method to allow for a known or unknown device to be assigned to a currently unused VLAN, automatically, and enable functionality by way of network policy.
An example embodiment of a process to assign a network-enabled device to a currently unused VLAN utilizes standards-based network communications protocols and common data storage techniques. This process provides a mechanism to assign a network-enabled device to a VLAN where:
According to an example embodiment, a provisioning system may be configured to perform such a process and to provide a mechanism to define a list or range of VLANs that may be considered dynamically assignable by the process. The process may be interchangeably referred to herein as a dynamic VLAN process or dynamic VLAN configuration process (DVCP). The provisioning system may also be configured to define a default VLAN should there be no available dynamic VLANs. The provisioning system may also be configured to employ a set of maintenance routines to determine if a dynamically assignable VLAN is currently in use and not available to assign to a newly authenticated network-enabled device. An example embodiment of such a provisioning system is disclosed below with regard to
Continuing with
The network-enabled device 104 may be a wireless device, the network 106 may be a wireless network, and the network equipment 110 may be an access point (AP), for non-limiting examples. The network-enabled device 104 may have a user interface (not shown) that is accessible to a user 116 of the network-enabled device 104. Alternatively, the network-enabled device 104 may not have a user interface. The network-enabled device 104 may be a smartphone, tablet computer, laptop computer, desktop computer, printer, Internet-of-Things (IoT) device, or other network-enabled device of the user 116 for non-limiting examples. The provisioning system 102 may be a cloud-based provisioning system for non-limiting example.
When the network-enabled device 104 requests access to the network 106, it may go through at least one authentication process to validate that the network-enabled device 104 is allowed to access the network 106. The at least one authentication process may be performed by the provisioning system 102 or another computer-based system. For non-limiting example, the at least one authentication process may perform authentication of the network-enabled device 104, such as disclosed in U.S. Pat. No. 11,317,285, filed on Sep. 30, 2020, entitled “Wireless Network Provisioning Using a Pre-Shared Key,” the entire teachings of which are incorporated herein by reference, or via another authentication process known in the art for non-limiting examples.
The network equipment 110 may be configured to forward the request 108 via the network 106 to the provisioning system 102. Once the network-enabled device 104 passes authentication, the provisioning system 102 may employ an example embodiment of a dynamic VLAN configuration process (DVCP) that may be engaged to provide authorization 118 to the network-enabled device 104 via the network equipment 110. This authorization 118 may include and return a VLAN identifier, such as the VLAN 112, to the network equipment 110 from which the network-enabled device 104 is requesting access. The authorization 118 may include other pieces of information or instructions to the network equipment 110 to control the flow of data to or from the network-enabled device 104. These other pieces of information or instructions may include, but are not limited to, bandwidth restrictions, access time restrictions, source-destination filtering, or any other standard network policy that may be typically applied to a network, such as the network 106. As disclosed above, an example embodiment of a DVCP process may be performed by the provisioning system 102. Example embodiments with regard to such a process are disclosed below with regard to
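The authorization 118 above carries a VLAN identifier back to the network equipment 110 over a standards-based protocol that the description does not name. The following is an added example, not code from this application, and it assumes RADIUS: an Access-Accept carries the assignment in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868, applied to VLANs in RFC 3580). The function names are the example's own. The encoder is the provisioning-system side; the decoder shows the checks the network equipment should make before acting on the value, since Tunnel-Private-Group-ID is an opaque string on the wire.

```python
"""RADIUS tunnel attributes for a VLAN assignment (RFC 2868 / RFC 3580).

Added example; assumes RADIUS is the protocol behind authorization 118.
Only the attribute list is built here, not the full RADIUS packet.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type, payload):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def vlan_assignment_attributes(vlan_id, tag=0):
    """Attributes an Access-Accept needs to place the port/session in vlan_id.

    tag is the RFC 2868 grouping tag (0x00-0x1F); 0 means untagged.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    t = bytes([tag])
    return (_attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def parse_attributes(data):
    """Walk a RADIUS attribute list; returns [(type, value_bytes)], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data):
    """VLAN ID the attribute list assigns, or None unless all three attributes agree
    and the ID is a well-formed number in 1..4094 (what the switch should verify)."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group is None or not group.isdigit():
        return None
    vlan_id = int(group)
    return vlan_id if 1 <= vlan_id <= 4094 else None


if __name__ == "__main__":
    blob = vlan_assignment_attributes(112)   # constructed sample: VLAN 112
    print(blob.hex(), "->", assigned_vlan(blob))
```

The decoder deliberately returns no assignment when the three attributes are inconsistent or the group ID is not a numeric VLAN in range; the equipment should also confirm the VLAN exists on the port's trunk and that the Access-Accept was authenticated with Message-Authenticator over a trusted path, otherwise anyone who can inject a response chooses the VLAN.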
If, however, there is no VLAN predefined for the network-enabled device 104, the process workflow may include checking for whether an access venue, such as the network 106, supports DVCP (212). For example, the provisioning system 102 may be configured to perform a check to identify if the current network, that is, the network 106, provides support for DVCP. If the network does not support DVCP, the provisioning system 102 may be configured to check to see if the current network, that is, the network 106, supports a dynamic VLAN pool system (214), which is a common VLAN assignment system designed to balance the number of devices connected to a VLAN. The dynamic VLAN pool system may be configured to utilize only the media access control (MAC) address of attached network-enabled devices and apply a VLAN to the network-enabled device 104 by MAC address range.
If the current network does not support a dynamic VLAN pool system, then the provisioning system 102 may be configured to instruct the network equipment 110, from which the network-enabled device 104 is requesting access, to assign (218) the network-enabled device 104 to a “default” VLAN for the current network, and the process workflow thereafter ends (210) in the example embodiment. If, however, the current network does support a dynamic VLAN pool system, then the provisioning system 102 does not return any VLAN information to the network equipment 110, from which the network-enabled device 104 is requesting access, and defers VLAN assignment to the dynamic VLAN pool system (216), and the process workflow thereafter ends (210) in the example embodiment.
If the current network does provide support for DVCP, the provisioning system 102 may proceed to select a VLAN from a DVCP pool (220) based on a check to see if there has already been a VLAN assigned to associated network-enabled devices (222). Network-enabled devices may be associated by, but not limited to, a user, a unique device identifier, a password, an access location, or a unique user identifier. If a VLAN has previously been assigned to an associated network-enabled device, such as the network-enabled device 104, and that assignment is still active, then the provisioning system 102 may be further configured to instruct the network equipment 110, from which the network-enabled device 104 is requesting access, to assign (228) the network-enabled device 104 to the previously assigned VLAN, by returning (230) such VLAN to the network equipment 110. In addition, the provisioning system 102 may be configured to reset two timers used for maintaining health and status of assigned VLANs. The first timer may be a Zombie timer used to timeout the VLAN assignment if the provisioning system 102 has not received a refresh assignment signal for same. The second timer may be an In-Zombie timer used to remove all associations to the assigned VLAN if no refresh signals have been received. The provisioning system 102 may be further configured to instruct the network equipment 110 to apply any restrictions or policies defined for the network-enabled device 104. The process workflow thereafter ends (210) in the example embodiment.
If, however, the check at (222) determines that a VLAN has not been identified as previously assigned to an associated network-enabled device, such as the network-enabled device 104, then the provisioning system 102 may be configured to select (224) a VLAN from a database that includes a list of VLAN identifiers predefined for use as dynamically assignable. Such a list may be referred to herein as a pool of dynamically assignable VLANs, such as the pool 114. As part of selecting this VLAN, the provisioning system 102 may be configured to check to make sure this VLAN has not been assigned to other non-associated network-enabled devices and that this VLAN is not in a lockout period, also called a Zombie period.
Such lockout period may be defined in the instance that all network-enabled devices assigned to this VLAN have left the network 106 but have a high likelihood of returning in a short period of time, or within the definable Zombie period. Once a VLAN has been selected and has passed all checks, then the provisioning system 102 may be configured to instruct the network equipment 110, from which the network-enabled device 104 is requesting access, to assign (228) the network-enabled device 104 to the selected VLAN 112. In addition, the provisioning system 102 may be configured to reset the Zombie timer and the In-Zombie timer used for maintaining the health and status of assigned VLANs. As such, a DVCP VLAN has been returned (230) and the process workflow thereafter ends (210) in the example embodiment.
If, however, a check (226) determines that a dynamically assignable VLAN is not available, for at least one reason, the provisioning system 102 may be configured to check (214) to see if the current network (access venue) supports a dynamic VLAN pool system, as disclosed above. If the current network does not support a dynamic VLAN pool system, then the provisioning system 102 may be configured to instruct the network equipment 110, from which the network-enabled device 104 is requesting access, to assign the network-enabled device 104 to the default VLAN for the current network 106, thereby returning the default VLAN (218) as disclosed above. If, however, the current network 106 does support a dynamic VLAN pool system, then the provisioning system 102 does not return any VLAN information to the network equipment 110, from which the network-enabled device 104 is requesting access, and defers VLAN assignment to the dynamic VLAN pool system (216) as disclosed above, and the process workflow thereafter ends (210) in the example embodiment.
As disclosed above, the provisioning system 102 may be configured to employ a set of maintenance routines (methods) to determine if a dynamically assignable VLAN is currently in use and not available to assign to the authenticated network-enabled device 104. Such maintenance is disclosed below with regard to
When the Zombie timer reaches its definable max time, it is considered in Timeout. The Zombie timer could timeout because there have been no refresh signals received by the system before the Zombie timer reaches its maximum allowable time. When the Zombie timer times out, the provisioning system 102 may be configured to reset and start the In-Zombie timer, as disclosed below with regard to
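The DVCP workflow of steps (212) through (230) together with the Zombie and In-Zombie maintenance above, as an added Python example that is not part of this application and not the provisioning system 102 itself. The class name `DvcpProvisioner`, the association key (here a user credential, one of the association criteria listed above), the injected `now` clock and the timer values are assumptions made for the example; the pool, devices and users in the demo are constructed. The numerals in comments refer to the workflow steps above.

```python
"""DVCP assignment workflow plus Zombie / In-Zombie maintenance (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VlanRecord:
    vlan_id: int
    assoc_key: str                       # what ties the members together (assumed: user credential)
    members: set = field(default_factory=set)
    zombie_deadline: float = 0.0         # Zombie timer; refresh signals push it forward
    in_zombie_deadline: Optional[float] = None   # set once the Zombie timer has timed out


class DvcpProvisioner:
    def __init__(self, pool, default_vlan, zombie_secs, in_zombie_secs,
                 supports_dvcp=True, supports_pool_system=False):
        self.free = sorted(pool)         # unused VLAN IDs in the dynamically assignable pool
        self.active = {}                 # vlan_id -> VlanRecord (in use or in Zombie lockout)
        self.predefined = {}             # device_id -> statically configured VLAN
        self.default_vlan = default_vlan
        self.zombie_secs = zombie_secs
        self.in_zombie_secs = in_zombie_secs
        self.supports_dvcp = supports_dvcp
        self.supports_pool_system = supports_pool_system

    def _fallback(self):
        if self.supports_pool_system:                  # (214)/(216): defer, return no VLAN
            return {"action": "defer", "vlan": None}
        return {"action": "default", "vlan": self.default_vlan}   # (218)

    def _reset_timers(self, rec, now):
        rec.zombie_deadline = now + self.zombie_secs
        rec.in_zombie_deadline = None                  # leaving lockout if it was in one

    def authorize(self, device_id, assoc_key, now):
        """Called after authentication passed; returns the authorization for the equipment."""
        if device_id in self.predefined:
            return {"action": "predefined", "vlan": self.predefined[device_id]}
        if not self.supports_dvcp:                     # (212)
            return self._fallback()
        for rec in self.active.values():               # (222): associated device already holds one?
            if device_id in rec.members or rec.assoc_key == assoc_key:
                rec.members.add(device_id)
                self._reset_timers(rec, now)
                return {"action": "dvcp", "vlan": rec.vlan_id}   # (228)/(230)
        # (224): everything in self.active is either held by non-associated devices or
        # in its Zombie lockout, so only self.free passes both selection checks.
        if not self.free:                              # (226)
            return self._fallback()
        vlan_id = self.free.pop(0)
        rec = VlanRecord(vlan_id, assoc_key, {device_id})
        self._reset_timers(rec, now)
        self.active[vlan_id] = rec
        return {"action": "dvcp", "vlan": vlan_id}

    def refresh(self, vlan_id, now):
        """Refresh signal for an assigned VLAN: restart its Zombie timer."""
        rec = self.active.get(vlan_id)
        if rec is not None:
            self._reset_timers(rec, now)

    def maintain(self, now):
        """Maintenance pass; returns (device_id, vlan_id) de-assign instructions."""
        deassign = []
        for vlan_id, rec in list(self.active.items()):
            if rec.in_zombie_deadline is None:
                if now >= rec.zombie_deadline:         # Zombie timeout: enter lockout
                    rec.in_zombie_deadline = now + self.in_zombie_secs
            elif now >= rec.in_zombie_deadline:        # In-Zombie timeout: dissociate all
                deassign.extend((d, vlan_id) for d in sorted(rec.members))
                del self.active[vlan_id]
                self.free.append(vlan_id)              # back to the pool as unused
                self.free.sort()
        return deassign


if __name__ == "__main__":
    p = DvcpProvisioner(pool=[3001, 3002], default_vlan=99, zombie_secs=60, in_zombie_secs=300)
    print(p.authorize("laptop-A", "alice", now=0))     # new dynamic VLAN 3001
    print(p.authorize("display-A", "alice", now=5))    # same user -> joins 3001
    print(p.authorize("tablet-C", "carol", now=20), p.authorize("phone-B", "bob", now=10))
    print(p.maintain(now=70), p.maintain(now=600), p.free)
```

Two points the demo makes visible. A VLAN in Zombie lockout is reserved for its original members and is never handed to a non-associated device, so a stranger authenticating during the lockout gets the default VLAN rather than inheriting a segment whose policy still belongs to the previous group. The isolation boundary is exactly as strong as the association key: if devices are associated by a shared password or access location rather than a per-user credential, anyone presenting that shared value lands in the same dynamic VLAN.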
With reference back to
With reference to
The methods 300, 310, 320, and 330 for DVCP maintenance, disclosed above with regard to
Example embodiments disclosed herein may be configured using a computer program product; for example, controls may be programmed in software for implementing example embodiments. Further example embodiments may include a non-transitory computer-readable medium that contains instructions that may be executed by a processor, and, when loaded and executed, cause the processor to complete methods described herein. It should be understood that elements of the block and flow diagrams may be implemented in software or hardware, such as via one or more arrangements of circuitry of
In addition, the elements of the block and flow diagrams described herein may be combined or divided in any manner in software, hardware, or firmware. If implemented in software, the software may be written in any language that can support the example embodiments disclosed herein. The software may be stored in any form of computer readable medium, such as random-access memory (RAM), read-only memory (ROM), compact disk read-only memory (CD-ROM), and so forth. In operation, a general purpose or application-specific processor or processing core loads and executes software in a manner well understood in the art. It should be understood further that the block and flow diagrams may include more or fewer elements, be arranged or oriented differently, or be represented differently. It should be understood that implementation may dictate the block, flow, and/or network diagrams and the number of block and flow diagrams illustrating the execution of embodiments disclosed herein.
The teachings of all patents, published applications and references cited herein are incorporated by reference in their entirety.
While example embodiments have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the embodiments encompassed by the appended claims.
This application claims the benefit of U.S. Provisional Application No. 63/366,742, filed on Jun. 21, 2022. The entire teachings of the above application are incorporated herein by reference.
Number | Date | Country
---|---|---
63366742 | Jun 2022 | US