Local Area Networks (LANs) connect computing systems together at the Layer-2 level. The term “Layer 2” refers to the second layer in the protocol stack defined by the well-known Open Systems Interface (OSI) model, also known as the logical link, data link, or Media Access Control (MAC) layer. Each computing system connects to a LAN through a MAC device. Multiple LANs can be connected together using MAC bridges, as set forth in the IEEE Standard for Information Technology, Telecommunications and Information Exchange between Systems, Local and Metropolitan Area Networks, Common Specifications, Part 3: Media Access Control (MAC) Bridges, published as ANSI/IEEE Standard 802.1D (2004), which is incorporated herein by reference. (The 802.1D standard, as well as other IEEE standards cited herein, is available at standards.ieee.org/catalog/.) MAC bridges that implement the 802.1D standard allow MAC devices attached to physically separated LANs to appear to each other as if they were attached to a single LAN. The bridge includes two or more MAC devices that interconnect the bridge ports to respective LANs.
MAC bridges maintain a forwarding database (FDB) to map destination MAC addresses of the frames they receive to bridge network interfaces (also referred to as ports). The bridge builds the forwarding database by means of a learning process, in which it associates the source MAC address of each incoming frame with the interface on which the frame was received. When the bridge receives an incoming frame whose destination address is not found in the database, it floods (i.e., broadcasts) the frame through all its available interfaces, except the one through which the frame arrived. Other MAC bridges that do not recognize the destination address will further flood the frame to all the relevant interfaces. Through the flooding mechanism, the frame will eventually traverse all interconnected bridges at least once, and will ultimately reach its destination.
Layer-2 bridged networks are generally configured to provide multipoint-to-multipoint connectivity among stations (i.e., computers) in the network. Some applications, however, require that certain stations in the network be separated and prevented from communicating directly with one another. For example, access networks deployed by Internet service providers (ISPs) are meant to provide connectivity between subscribing customer premises and ISP equipment, which provides access to the Internet and other network services. The ISP typically uses an aggregation network to aggregate and concentrate customer traffic to and from access routers that are connected to the public network. For security and other reasons, the ISP may wish to prevent customer premises from communicating directly with one another via the aggregation network.
Melsen et al. describe one method for preventing direct communication between subscribers in “MAC-Forced Forwarding: A Method for Subscriber Separation on an Ethernet Access Network,” published by the Internet Engineering Task Force (IETF) as Request for Comments (RFC) 4562 (June, 2006), which is incorporated herein by reference. (This RFC, as well as other documents published by the IETF that are cited hereinbelow, is available at www.ietf.org.) The method described in this RFC is based on an Address Resolution Protocol (ARP) proxy function that prohibits Ethernet MAC address resolution between hosts located within the same Internet Protocol version 4 (IPv4) subnet but at different customer premises. The effect of this proxy function is to direct all upstream traffic to an IPv4 gateway, which provides IP-layer connectivity between the hosts.
Melsen et al. describe a number of other solutions that may be deployed to prevent Layer-2 visibility between stations in an Ethernet access network. One possibility is to use the Point-to-Point Protocol over Ethernet (PPPoE), as defined by Mamakos et al. in IETF RFC 2516 (February, 1999). Melsen et al. point out, however, that this solution does not support efficient multicast, since frames must be replicated on each PPPoE session to all hosts in a given multicast group. Another possibility is to use a different Virtual Local Area Network (VLAN) for each customer premises network, as described by McPherson et al. in IETF RFC 3069 (February, 2001). According to Melsen et al., this solution also requires replication of multicast frames, is limited in scalability, and increases complexity of provisioning.
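As an added illustration (not part of the original text), the following Python model replays the learning and flooding behaviour of the 802.1D bridge described above and shows why an aggregation network needs subscriber separation: in the default mode, customer premises on different bridge ports reach each other directly, whereas a simplified upstream-only forwarding policy (an assumption standing in for the effect of RFC 4562's ARP-proxy approach, not that RFC's actual mechanism) delivers every customer frame to the gateway port only. All MAC addresses and port names are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Simplified 802.1D transparent bridge: learn on source MAC, forward on destination MAC."""

    def __init__(self, ports, uplink=None):
        self.ports = list(ports)
        # Assumption: when an uplink port is named, customer ports are isolated and
        # may only exchange frames with the gateway behind that uplink.
        self.uplink = uplink
        self.fdb = {}  # forwarding database: MAC address -> port it was learned on

    def receive(self, src, dst, in_port):
        """Process one frame; return the list of egress ports (empty list = filtered)."""
        self.fdb[src] = in_port  # learning step: source MAC is reachable via in_port
        if self.uplink is not None and in_port != self.uplink:
            # Forced forwarding: all traffic from a customer port goes upstream only,
            # so two customer premises never see each other's frames directly.
            return [self.uplink]
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst]
            # Filter frames whose destination lives on the arrival port (no loop-back).
            return [] if out == in_port else [out]
        # Unknown or broadcast destination: flood on every port except the arrival port.
        return [p for p in self.ports if p != in_port]


def demo(isolated):
    """Replay a short exchange: customer 1 broadcasts, gateway replies, customer 2 targets customer 1."""
    bridge = LearningBridge(["cust1", "cust2", "uplink"], uplink="uplink" if isolated else None)
    cust1, cust2, gateway = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:0a"
    return [
        bridge.receive(cust1, BROADCAST, "cust1"),   # unknown destination: flooded
        bridge.receive(gateway, cust1, "uplink"),    # cust1 now known: unicast to its port
        bridge.receive(cust2, cust1, "cust2"),       # customer-to-customer attempt
    ]


if __name__ == "__main__":
    print("default bridge :", demo(False))  # cust2's frame is delivered straight to cust1
    print("forced forward :", demo(True))   # cust2's frame is steered to the uplink instead
```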