Patent · US Active

Method and apparatus for preventing DOS attacks on trunk interfaces

US9185129B2 · kind B2 · utility

Cited by: 0
References: 4
Claims: 18
Family size: 0

Assignee

Inventors

Key dates

Filing date: Apr 16, 2012
Grant date: Nov 10, 2015
Priority date
Expiry date: Apr 16, 2032

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L2463/141
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.