Virtual private networks and methods for their operation

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Details

C370S392000

Reexamination Certificate

active

06788681

ABSTRACT:

FIELD OF THE INVENTION
This invention relates to Virtual Private Networks (VPNs) and methods of their operation. More particularly, this invention relates to methods and apparatus enabling Network Service Providers (NSPs) to provide virtual local area network (VLAN) services to groups of customers.
BACKGROUND TO THE INVENTION
Transparent LAN Service (TLS) is a data service offered by carriers (such as Bell™ Canada, AT&T™ and MCIWORLDCOM™) today through equipment provided by a variety of manufacturers (such as, for example, Nortel Networks™). The TLS provides native LAN connectivity between several LANs at geographically dispersed sites. The demand for TLS is growing rapidly.
A TLS is typically offered in a metropolitan area including neighboring municipalities. The service and the network that provides the service can be characterized as a virtual private networking service. An individual customer's transparent LAN or VPN, comprised of many LAN sites dispersed across a geographical area, must be secure and separated from other customers' transparent LANs. A customer's sites scattered across a metro area are linked together by the TLS forming a VPN—a group of interconnected LANs that appears to the user as a single, co-located LAN—and are isolated from other VPNs provided by the TLS carrier.
Typically a user's interface to a Transparent LAN Service is a conventional LAN networking protocol such as, for example, Ethernet. TLS is transparent in that the customer appears to have access to its own networking media (such as Ethernet) when in reality the media is a shared network with mechanisms to separate the traffic of different VPNs.
Many conventional implementations of the TLS service have been provided using a connection oriented approach. This connection oriented approach typically involves the use of Asynchronous Transfer Mode (ATM) service access Multiplexers (MUXes), ATM switches and Synchronous Optical Network (SONET) add/drop multiplexers (ADMs). However, this connection oriented approach encounters severe scaling problems due, in part, to Permanent Virtual Circuit (PVC) proliferation. Provisioning a fully associated or meshed connection oriented network (that is each node, such as a LAN, is able to communicate with each other node or LAN in the VPN) results in a significant increase in the number of connections, such as PVCs. Moreover, typical PVCs are provisioned to a customer based on a customer's maximum bandwidth requirement. However, since data traffic is typically “bursty” and the dedicated circuits or connections typically provide a fixed bandwidth, the dedicated connections are frequently operating below capacity.
Moreover, the IEEE 802.1 standard, the contents of which are hereby incorporated herein, defines a protocol that enables an Ethernet LAN to be partitioned into multiple virtual LANs (VLANs) through the use of a VLAN tag carried in the header of each frame of data. The VLAN tag identifies the VLAN for which the data frame is intended. However, this VLAN tag, defined in the IEEE 802.1 standard as having a twelve bit capacity, limits the number of distinct VLANs that a carrier, also known as a Network Service Provider (NSP), can accommodate to 4095 (2^12 − 1) VLANs.
Accordingly, a TLS service that enables a carrier to support many (i.e., more than 4095) Virtual Private Networks (VPNs) and a TLS which is scalable and easy to administer is desired.
SUMMARY OF THE INVENTION
A method and an apparatus are disclosed enabling Virtual Private Networks (VPNs) to be provisioned over a connectionless network. The method and apparatus provide for a large number of VPNs to be provisioned (at least 2^24 VPNs and as many as approximately 2^40 VPNs).
Conventional LAN data frames (such as Ethernet frames) are received by an apparatus (an interWAN Packet Transport—iPT card) embodying one aspect of the invention. This receiving or “ingress” iPT card connects a conventional LAN to a wide area transport media such as, for example, a SONET network. Each LAN data frame received will include a destination address of the ultimate destination (for example, a destination media access control—MAC—address, which is a hardware level address that uniquely identifies each node in a network). Based on the destination address incorporated in the LAN data frame, the iPT card will attempt to retrieve address information corresponding to an “egress” iPT card from a stored database (the egress iPT card being connected to the LAN including the ultimate destination). If the ingress iPT card's database has such information, then the LAN data frame is encapsulated in a packet including the retrieved address information. If the egress iPT card is connected to the same transport media as the ingress iPT card (e.g., the iPT cards are connected to the same SONET ring), the address information may include a destination MAC address for the egress iPT card. If the egress iPT is not connected to the same transport media as the ingress iPT card (e.g., the two iPT cards are connected to separate SONET rings), the address information may also contain a secondary destination address such as, for example, an Internet Protocol (IP) address in addition to the other information (e.g., the MAC address of the egress iPT card). The encapsulated LAN data frame will then be routed to the egress iPT card and then to its ultimate destination.
In the event that the ingress iPT card does not include an entry corresponding to the address specified in the destination address portion of the received LAN data frame, a multicast address will be used to encapsulate the received LAN data frame. These multicast encapsulated data frames are then transmitted to all egress iPT cards servicing the particular VPN.
On receipt of an encapsulated LAN data frame, an egress iPT card strips off the header portion, thereby regenerating the original LAN data frame, and forwards this regenerated LAN data frame to its ultimate destination. The header stripped from the encapsulated LAN data frame received by the egress iPT card is then used to populate the egress iPT card's database. The database stores the address information of the source (i.e., the source address of the original sending entity together with the address information of the ingress iPT card), and the egress iPT card uses these entries when it later receives LAN data frames for transmission to another iPT card.
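As an added illustration (not code from the patent or its assignee), the following Python simulates the ingress lookup, the multicast fallback for unknown destinations, and the egress learning just described, with a per-VPN check so that a card never delivers a frame for a VPN it does not service. The card names, host labels and the MCAST placeholder address are constructed for the example.

```python
from dataclasses import dataclass, field

MCAST = "MCAST"  # constructed placeholder for the per-VPN multicast address

@dataclass
class Frame:
    vpn_id: int     # VPN the customer frame belongs to (constructed small IDs)
    src_mac: str    # customer-side source MAC (labels stand in for real MACs)
    dst_mac: str    # customer-side destination MAC
    payload: bytes

@dataclass
class IptCard:
    name: str       # transport-side address of this iPT card
    vpns: set       # VPNs this card services
    # learned database: (vpn_id, customer MAC) -> address of the iPT card behind it
    table: dict = field(default_factory=dict)

    def ingress(self, frame):
        """Encapsulate a LAN frame; an unknown destination falls back to multicast."""
        egress = self.table.get((frame.vpn_id, frame.dst_mac), MCAST)
        return {"vpn_id": frame.vpn_id, "ingress": self.name, "egress": egress, "frame": frame}

    def egress_receive(self, packet):
        """Strip the header, learn the sender from it, return the original frame."""
        if packet["vpn_id"] not in self.vpns:
            return None  # isolation: a card never delivers a VPN it does not serve
        frame = packet["frame"]
        self.table[(frame.vpn_id, frame.src_mac)] = packet["ingress"]
        return frame

def deliver(cards, packet):
    """Connectionless transport: unicast to the named card, else multicast to the VPN's cards."""
    if packet["egress"] == MCAST:
        targets = [c for c in cards if packet["vpn_id"] in c.vpns and c.name != packet["ingress"]]
    else:
        targets = [c for c in cards if c.name == packet["egress"]]
    return [c.name for c in targets if c.egress_receive(packet) is not None]

def run_scenario():
    # Three exchanges on VPN 7 plus one on VPN 9; returns (egress address, cards that delivered)
    a, b, c = IptCard("A", {7}), IptCard("B", {7}), IptCard("C", {9})
    cards, log = [a, b, c], []
    for card, frame in [(a, Frame(7, "h1", "h2", b"hello")),   # A has no entry: multicast
                        (b, Frame(7, "h2", "h1", b"reply")),   # B learned h1 -> A: unicast
                        (a, Frame(7, "h1", "h2", b"again")),   # A learned h2 -> B: unicast
                        (c, Frame(9, "h9", "h2", b"other"))]:  # VPN 9: never reaches A or B
        packet = card.ingress(frame)
        log.append((packet["egress"], deliver(cards, packet)))
    return log
```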
According to one aspect of the invention, there is provided a system of providing communication between a first and a second Local Area Network (LAN), the first and second LANs interconnected by a connectionless network, the system comprising: a first network interface connecting the first LAN to the connectionless network, the first receiving device for: receiving conventional LAN data frames; determining an address of a second network interface responsive to destination information in the received conventional LAN data frames, the second network interface connecting the second LAN to the connectionless network; and encapsulating the conventional LAN data frames received at the first network interface with the address of the second network interface; a router for routing the conventional LAN data frames encapsulated with the address to the second network interface over the connectionless network; the second network interface connecting the second LAN to the connectionless network, the second network interface for: receiving conventional LAN data frames encapsulated with the address; re-generating the conventional LAN data frames from the conventional LAN data frames encapsulated with the address; and transmitting the re-generated conventional LAN data frames to the second LAN; and wherein the determining comprises: determining an identifier uniquely identifying a virtual private network (VPN) comprising at least the first and second LANs; accessing a routing table stored at the first network interface; where possible, retrieving, from the routing table a unique address of the second network interface responsive to a destination address stored in the receive
