1. Field of the Invention
The present invention relates to using one or more virtual private networks (VPNs) based on layer 2 protocols on a packet switching infrastructure that belongs to a trusted service provider; and in particular to configuring each customer interface to a provider edge network node for over-subscribed VPN operation involving more network resources than can be supported at the same time.
2. Description of the Related Art
Networks of general purpose computer systems and other devices connected by external communication links are well known and widely used in commerce. The networks often include one or more network devices that facilitate the passage of information between the computer systems and other devices. A network node is a network device or computer system or other device connected by the communication links.
Information is exchanged between network nodes according to one or more of many well known, new or still developing protocols. In this context, a “protocol” consists of a set of rules defining how the nodes interact with each other based on information sent over the communication links. The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information. The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model. The OSI Reference Model is generally described in more detail in Section 1.1 of the reference book entitled Interconnections Second Edition, by Radia Perlman, published September 1999, which is hereby incorporated by reference as though fully set forth herein.
Communications between nodes are typically effected by exchanging discrete packets of data. Each packet typically comprises 1] header information associated with a particular protocol, and 2] payload information that follows the header information and contains information that may be processed independently of that particular protocol. In some protocols, the packet includes 3] trailer information following the payload and indicating the end of the payload information. The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol. Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, usually higher layer of the OSI Reference Model. The header for a particular protocol typically indicates a type for the next protocol contained in its payload. The payload protocol is said to be encapsulated in the header protocol. The headers included in a packet traversing multiple heterogeneous networks, such as the Internet, typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header and a transport (layer 4) header, as defined by the Open Systems Interconnection (OSI) Reference Model.
The layer 2 tunneling protocol (L2TP) is a link layer (layer 2) protocol established to provide a persistent virtual circuit as a tunnel between two end nodes of a trusted sub-network. In network parlance, a tunnel for data is simply a protocol that encapsulates that data. The persistent tunnel, or virtual circuit on a packet switched network is often called a pseudo-wire. L2TP facilitates the tunneling of point to point protocol (PPP) packets across an intervening network in a way that is as transparent as possible to both end-users and applications. Using L2TP tunneling, an Internet Service Provider (ISP), or other access service provider, can create a pseudo wire to link a customer's remote sites or remote users with corporate home networks. More recent versions of L2TP facilitate tunneling of a number of data link types, including, but not limited to, Point to Point Protocol (PPP), Frame Relay (FR), Asynchronous Transfer Mode (ATM), High Level Data Link Control (HDLC) and Ethernet. L2TP is described at the time of this writing in Internet Engineering Task Force (IETF) request for comments (RFC) 2661 which can be found in a file named rfc2661.txt, which can be found, along with other RFC files, at the World Wide Web domain www.ietf.org in the file directory named rfc. The entire contents of RFC 2661 are hereby incorporated by reference as if fully set forth herein. L2TPv3 is described in RFC 3817 available in file rfc3817.txt in the same directory. The entire contents of RFC 3817 are hereby incorporated by reference as if fully set forth herein.
Some protocols follow a layer 2 protocol and precede a layer 3 protocol; and are said to be layer 2.5 protocols. For example, the multi-protocol layer switching (MPLS) is a layer 2.5 protocol that provides for the designation, routing, forwarding and switching of traffic flows through a network and supports the transfer of multiple data link (layer 2) types. MPLS is described at the time of this writing in IETF RFC 3031 and RFC 3032 which can be found in files named rfc3031.txt and rfc3031.tx, the entire contents of which are hereby incorporated by reference as if fully set forth herein.
A virtual private network (VPN) is a technology to logically separate the data packets traveling over the same physical network, so that a user of one VPN does not see the data communicated between users of a different VPN. Access service providers frequently offer to customers VPNs that are implemented as one or more pseudo wires on a packet switched network (PSN) infrastructure, such as a network of routers using the Internet Protocol (IP) as a layer 3 protocol or using MPLS as a layer 2.5 protocol. A common approach for providing the tunneling functions for a VPN is to use the layer 2 tunneling of L2TPv3 as a payload in IP data packets. In some approaches, a protocol for Any Transport over MPLS (AToM) available from CISCO SYSTEMS™, Inc. of San Jose Calif. is used to support layer 2 tunneling in a payload in MPLS data packets. Then layer 2 protocols, such as PPP, FR, ATM, HDLC, Ethernet are used in these tunnels to transmit customer data or control plane information over the VPN.
A customer contracts with a service provider, such as an ISP, to provide a VPN among customer sites and to support certain kinds and amounts of data traffic over that VPN. In response, the service provider configures interfaces to customer equipment on several intermediate network nodes at the edge of the service provider network (so-called “provider edge nodes,” PE, or simply “edge nodes”). Each interface is configured to communicate the type of traffic designated for that interface and encapsulate it in one or more tunnels, each tunnel directed to one of one or more other interfaces on other edge nodes of the service provider network. In the parlance of this technology, configuring each affected interface on each affected edge node provisions the VPN.
A PE interface to customer equipment (CE) is called an attachment circuit (AC) or port. Each physical interface can support one or more logical attachment circuits. For example, a single physical interface for ATM traffic can support multiple ATM virtual circuits, which may be directed to different VPNs; each ATM virtual circuit is considered a different attachment circuit to be configured. Configuration data specifies values for one or more parameters for each attachment circuit (AC). The parameters and values depend on the layer 2 protocol to be supported in the VPN, the topology of the VPN, and the tunneling protocol used to establish the pseudo wires. Example configuration data for a logical ATM AC specifies a percentage of total bandwidth devoted to the logical AC, a cell-packing value, the other PE devices in the topology, and a control plane protocol to establish and maintain pseudo wires among the connected PE.
Currently, provisioning the VPN is a manual process, in which a network administrator determines which data packets on each interface are sent out on which link to the provider network using which designations to be recognized by a subsequent intermediate nodes and edge node as a separate tunnel. The manual provisioning process is tedious and error prone. Furthermore, when a new piece of customer equipment is connected to an edge node, that equipment is unable to communicate over the VPN unless and until the human administrator provisions the VPN to add the new interface. Thus the process is subject to delays. The delays grow in severity as the human administrator becomes busier. The tedium and propensity for error increase with the complexity of the VPN topology (e.g., as the numbers of interfaces and edge nodes increase).
In some cases, for example when a customer has many remote sites or several customers share the same attachment circuit, the number of logical ACs to be carried from CE to PE exceeds the number that can be simultaneously supported by the physical media. For example the maximum data rate (e.g., expressed in bytes per second) for each of several ACs exceeds the bandwidth capacity of the physical link. In such circumstances, prior approaches have introduced a second physical link to carry the excess traffic that can not be carried by the first link.
There are several disadvantages with this approach. For example, if the excess is small, a relatively high capacity link and interface that are devoted to the excess traffic are underutilized. This is wasteful of valuable network resources and expensive for the service provider. Furthermore, it is often the case that all ACs between one pair of CE and PE are not used simultaneously. For example, traffic between offices on the same side of the world peak at local time business hours and may be unused for multiple hours at night. Conversely, traffic with a remote site may be concentrated during two time periods when one office is closing and the other is opening. Thus ACs devoted to this enterprise are not all used at the same time, and network resources devoted to such traffic is underutilized. In such circumstances it is desirable to over-subscribe the link between a CE and PE, i.e., to allow a customer or set of customers to subscribe for more ACs than can be simultaneously carried by one or more physical links.
In one approach, certain ACs are provisioned for certain times of day. A problem with this approach is that traffic is not completely predictable. Thus it is desirable to provision the ACs on demand. A problem with provisioning ACs on demand with current provisioning techniques is that those techniques are manual, slow and error-prone and are not likely to reliably and timely respond to AC configuration and VPN provisioning demands.
Based on the foregoing description, there is a clear need for techniques to provision on demand more VPNs on a provider's network edge node than can be carried simultaneously by one link between the customer equipment and provider edge without the deficiencies of prior art approaches. In particular, there is a clear need for techniques to provision on demand automatically, i.e., without human intervention, more ACs on one link than that link can simultaneously support.