1. Field of the Invention
The present invention is related to a communications system, and more particularly, to a communications system which provides virtual private network services.
2. Description of the Related Art
A new type of network services called “virtual private network” (VPN) has been deployed in recent years. VPN refers collectively to such services that enable us to connect and expand our private networks by incorporating a part of someone else's network (e.g., telephone carriers' or Internet providers') as an alternative to leased line services. With VPN techniques, a company with many offices all over the country to construct a large private network by interconnecting their local area networks (LANs) with the Internet. In general, VPNs are broadly divided into two groups: those based on layer 3 (network layer) and those based on layer 2 (data link layer).
FIG. 27 illustrates a configuration of a VPN 400 operating with layer-3 protocols (hereafter “layer-3 VPN”), where two end nodes 41 and 42 are connected via two intermediary nodes 401 and 402. As FIG. 27 shows, the intermediary nodes 401 and 402 have a protocol stack up to the layer 3.
Transport of Internet Protocol (IP) packets is one of the specific services that layer-3 VPNs can offer. Networks of this type are called “IP-VPNs,” among which those using multi-protocol label switching (MPLS) techniques are of particular interest. MPLS IP-VPNs add a destination label to every IP packet, and the intermediary nodes forward labeled packets to the next hop according to their label values.
FIG. 28 shows a configuration of a VPN 300 operating with layer-2 protocols (hereafter “layer-2 VPN”), where two end nodes 31 and 32 are connected via two intermediary nodes 301 and 302. As FIG. 28 shows, the intermediary nodes 301 and 302 have a protocol stack up to the layer 2.
Such a layer-2 VPN provides virtual LAN (VLAN) services, for example, which enable a logical grouping of user stations regardless of their physical locations on the network. With VLAN techniques, remote offices using Ethernet (registered trademark of Xerox Corporation) can be connected with each other.
While IP-based or Internet-based layer-3 VPNs are currently dominant in terms of real-world implementations, layer-2 VPNs are facing increasing demands today. This is because layer-2 VPNs provide inter-office connections no matter what layer-3 protocols are employed in the user network. That is, layer-2 VPNs are advantageous over layer-3 VPNs when it comes to flexible virtual networking.
Conventional VPN techniques, however, only allow layer-2 and layer-3 VPNs to be implemented in physically separate networks. If these two types of VPNs were able to operate on a single integrated network, their services would be more flexible and expandable. The reality is contrary. It is not an easy task to construct such a network that allows combined use of layer-2 and layer-3 VPNs. A simple integration of layer-2 equipment into existing layer-3 VPN facilities would end up with a costly, inflexible system. In other words, we must not overlook cost-effectiveness and efficiency when building a combined VPN environment.
Another challenge is how to implement traffic engineering functions of layer-3 VPN in a combined VPN environment. Traffic engineering provides, for example, an automatic load balancing mechanism that deals with increased packet traffic on a particular route by splitting it into other less-congested routes, which layer-2 VPNs do not support. The combined VPN environment has to make such control functions act upon both layer-2 and layer-3 packets. Otherwise, a single link failure would lead to a long disruption of communication service, and a traffic congestion problem could result in delayed or lost data.