A communication network includes a collection of interconnected network devices, which allow users to access data. A popular network is the Internet. The Internet is a worldwide system of interconnected networks that allow data (“packets”) to pass between network boundaries. The Internet uses an Internet Protocol (IP) to provide routing and forwarding services. A common network device that provides IP services is a router. A router routes and forwards packets using an optimal path. A common function performed on the IP network is router management. Router management is the process of configuring a router to provide necessary services.
Typically, router management can be performed using either an out-of-band or an in-band management configuration. FIG. 1 illustrates a prior art out-of-band management configuration 100 for a router 102 connected to a separate management network 104. An out-of-band management configuration requires a separate network (i.e., connections and communication lines) instead of using existing data links of the routers to facilitate the router management process. Referring to FIG. 1, router 102 includes two sets of data links, which are core input/output data links 120 and customer input/output data links 122. Each of these two sets of data links can receive and transmit packets. In addition, router 102 includes management ports 124, router configuration management module 110, and routing and forwarding module 112. Management devices 106 manage and communicate with router 102 via management network 104 and management ports 124.
Router configuration management module 110 receives management commands from management devices 106 and performs management operations for router 102 using the received management commands. For example, a user of one of the management devices 106 can input a management command via a command line interface (CLI) to router 102. Routing and forwarding module 112 receives packets on data links 120 and 122 and selectively routes and forwards the packets on data links 120 and 122.
FIG. 2 illustrates a prior art network 200 for a plurality of routers 102-1 through 102-7 using an out-of-band network management configuration. Router 102 of FIG. 1 can represent the plurality of routers 102-1 through 102-7 of FIG. 2. Data links are normally grouped in pairs of one input data link and one output data link. Each pair has one bi-directional data path between two network devices. This is illustrated in FIG. 2 by showing bi-directional customer input/output data links 220 and 222. The plurality of routers 102-1 through 102-7 can selectively forward data packets from any input data link to any output data link in accordance with the source and destination information contained in the data packet.
Referring to FIG. 2, a plurality of management links 226 couple routers 102-1 through 102-7 with management devices 106. Management links 226 transmit management commands from management devices 106 to routers 102-1 through 102-7 via management network 104. Furthermore, management devices 106 can receive responses such as, for example, status of management command actions, alarms, traps, or notifications from routers 102-1 through 102-7 via management links 226 and management network 104. Hence, configuration 100 and network 200 provide out-of-band management because management communication is carried on a separate network 104 instead of using existing data links.
A disadvantage of using out-of-band management is that it requires a separate management network. That is, separate management network 104 requires extra equipment, additional configuration, and extra data links to connect routers 102-1 through 102-7 to management devices 106. Although out-of-band management can be made secure by using separate management network 104, separate management network 104 adds another layer of complexity for managing network devices.
FIG. 3 illustrates a prior art in-band management configuration 300 for router 302 having an internal management connection 311. An in-band management configuration uses current network infrastructure to facilitate the router management process. Referring to FIG. 3, router 302 includes internal management connection 311 between routing and forwarding module 312 and router configuration management module 310. Router 302 also includes management ports 324, core input/output data links 320, and customer input/output data links 322. Thus, router 302 can receive management commands using the current network infrastructure (i.e., by using core input/output data links 320).
FIG. 4 illustrates a prior art in-band management configuration 400 for router 402 supporting virtual private network (VPN) modules 431A through 431C and having an internal management connection 411. A VPN is a private data network that makes use of the currently implemented network by using a tunneling protocol for security purposes. VPN data links 422A through 422C connect with VPN modules 431A through 431C, respectively. VPN module 431A facilitates private communication on data links 422A, whether those links are on this router or are attached to corresponding VPN modules on different routers. The same applies to the other VPN modules and their corresponding links.
Referring to FIG. 4, router 402 includes internal management connection 411 between generic routing and forwarding module 412 and router configuration management module 410. Router 402 also includes management ports 424, core data links 420, VPN data links 422A through 422C, and data links 423. Thus, router 402 can also receive management commands using the current network infrastructure (i.e., by using core data links 420).
A disadvantage of the prior art in-band management schemes is a lack of security for carrying management traffic. That is, the management traffic or commands are carried on non-secure data links (e.g., core data links 420). Thus, prior art in-band management configuration schemes are susceptible to unauthorized management entry or interception of management commands.
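The distinction between management traffic arriving on dedicated management ports (FIG. 1) and management traffic arriving on core or customer data links (FIG. 3 and FIG. 4) can be checked from flow records. The following is an added example, not part of the patent text; it assumes interface names beginning with "mgmt", "core" and "cust", a set of destination ports that carry management sessions, and constructed sample flows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed interface naming: management ports start with "mgmt", core links with
# "core", customer links with "cust" (FIG. 1's ports 124, links 120 and 122).
MANAGEMENT_PORT_PREFIX = "mgmt"
# Assumed: destination ports that carry router management sessions (the page
# mentions only a CLI; this port list is an assumption of this example).
MANAGEMENT_SERVICES = {22: "ssh", 23: "telnet", 161: "snmp", 830: "netconf"}


@dataclass(frozen=True)
class Flow:
    ingress_if: str   # interface the packet arrived on
    src_ip: str
    dst_ip: str
    dst_port: int


def classify(flow, router_ips, mgmt_network):
    """Return None for flows that are not management traffic aimed at this
    router, otherwise a short finding string."""
    if flow.dst_ip not in router_ips or flow.dst_port not in MANAGEMENT_SERVICES:
        return None          # transit traffic or a non-management service
    service = MANAGEMENT_SERVICES[flow.dst_port]
    on_mgmt_port = flow.ingress_if.startswith(MANAGEMENT_PORT_PREFIX)
    from_mgmt_net = ip_address(flow.src_ip) in ip_network(mgmt_network)
    if on_mgmt_port and from_mgmt_net:
        return None          # out-of-band: separate network and port, as in FIG. 1
    if on_mgmt_port:
        return f"{service} on management port from non-management source {flow.src_ip}"
    return f"in-band {service} on data link {flow.ingress_if} from {flow.src_ip}"


def audit(flows, router_ips, mgmt_network):
    """Run classify over every flow and keep the findings, in input order."""
    return [f for f in (classify(fl, router_ips, mgmt_network) for fl in flows) if f]


# Constructed sample flow records for a router whose own address is 10.0.0.1
# and whose management network is 10.0.0.0/24.
ROUTER_IPS = {"10.0.0.1"}
MGMT_NETWORK = "10.0.0.0/24"
SAMPLE_FLOWS = [
    Flow("mgmt0", "10.0.0.5", "10.0.0.1", 22),         # out-of-band SSH: expected
    Flow("core1", "192.0.2.10", "10.0.0.1", 22),       # SSH over a core link: in-band
    Flow("cust2", "198.51.100.7", "203.0.113.9", 23),  # transit telnet: not for this router
    Flow("core1", "192.0.2.10", "10.0.0.1", 443),      # not a management service
    Flow("cust2", "198.51.100.7", "10.0.0.1", 161),    # SNMP over a customer link: in-band
    Flow("mgmt0", "192.0.2.44", "10.0.0.1", 22),       # management port, outside source
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, ROUTER_IPS, MGMT_NETWORK):
        print(finding)
```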