In a typical campus network environment, a set of related local area networks (LANs) are often co-located in a common geographic area. In such a campus environment, each of the LANs, or subnetworks, may define single or multiple groups of users interconnected in a switched Ethernet framework. Campus LANs at different locations within an organization are typically interconnected via an Enterprise WAN or Service Provider network. Virtual Private Networks (VPNs) have traditionally been used by Service Providers to isolate different customers from each other over their networks. ATM and Frame Relay mechanisms provide Layer 2 VPN traffic isolation, whereas IPSec and MPLS typically provide L3 VPN traffic isolation between customers. The need for traffic isolation or segmentation within Campus networks is increasing, both because of additional security requirements and because more Enterprise organizations are acting as Service Providers for their departments, guests, subsidiaries, etc. Many enterprises wish to run multiple logically isolated networks within the same campus or data center environment. This is typically achieved through the use of layer 2 Virtual LAN (VLAN) technology, where groups of devices and users are assigned to VLANs represented by a given VLAN Identifier (VLAN ID) in the Ethernet frame. The use of VLAN technology to create many parallel, network-wide segments becomes cumbersome, unreliable, and prone to configuration error. The scope of VLAN segmentation is usually bounded to a site, building, or section of a building to isolate layer 2 traffic, broadcast domains, and spanning tree domains. Historically, an enterprise has turned to Layer 3 (L3) routing (e.g. routing based on IP addresses) to interconnect VLANs and has used L3 and L4 filters or access control lists to provide traffic separation and isolation.
As the enterprise began to distribute IP services such as Voice-Over-IP (VoIP) end-points, additional security controls, guest VLANs, and quarantine VLANs throughout the campus and data center, the use of traffic filtering technology made traffic isolation between the user VLANs more complicated.
Specifically, the use of Layer 3 (L3) access control lists (e.g. IP address filtering) between the VLANs made management and security much more cumbersome. The net effect is a trend toward implementing L3 VPN methods deeper in the campus and data center. The L3 VPN methods in use today require VLANs to be assigned to VPNs, a unique routing process per VPN, and some form of tunneling technology (GRE, IPSec, MPLS) to provide traffic separation between VPNs across the network. The multiple instances of Interior Gateway Protocol (IGP) processes, Border Gateway Protocol (BGP) processes, tunnel adjacencies, and/or MPLS add significant complexity to the implementation of traffic segmentation across a switched campus infrastructure.
Some enterprises have implemented Multi-VRF technology with VLAN segmentation as a means of providing the VPN services in lieu of MPLS. This solution requires multiple sub-interfaces and multiple routing instances (e.g. routing processes) corresponding to each of the virtual route forwarding tables defined for each of the VPNs. Establishing multiple sub-interfaces and routing instances (one per VPN) incurs substantial computing overhead and multiplies the provisioning complexity. The individual routing instances maintain the virtual route forwarding table (VRF) and routing policy for each VPN. The individual VRFs are accessed through conventional sub-interfaces upon which traffic is received and forwarded. In other words, each VPN partition providing traffic segmentation requires a unique routing instance, a set of distinct sub-interfaces, and an associated routing policy; every conventional VPN subnetwork therefore triggers another IGP routing instance. A more efficient network segmentation model is required that simplifies the provisioning and optimizes the computational requirements.
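The following Python script is an added example and is not part of the original document or of any vendor's product. It models the Multi-VRF (VRF-lite) provisioning pattern described in the preceding two paragraphs: one VRF, one IGP routing instance, and one 802.1Q sub-interface per trunk for every VPN partition, so that the object count grows with the number of VPNs times the number of trunk ports. It renders an IOS-style configuration for a constructed inventory (the VPN names, VLAN IDs, trunk port names, 10.x.x.x addressing, and OSPF process numbers are all hypothetical), and then audits such a configuration for the error this design is prone to: a VLAN sub-interface that is missing its VRF binding, or bound to the wrong VRF, which silently places that VLAN's traffic in the global routing table or in another partition.

```python
"""Model of VRF-lite provisioning (one VRF, one routing instance, N sub-interfaces
per VPN) and an audit for sub-interfaces whose VRF binding is missing or wrong."""
import re

# Constructed sample inventory (hypothetical): three VPN partitions, each mapped
# to one campus VLAN, and two 802.1Q trunk ports on a single L3 campus switch.
VPNS = {"CORP": 10, "GUEST": 20, "QUARANTINE": 30}      # VPN name -> VLAN ID
TRUNKS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
VLAN_TO_VRF = {vlan: name for name, vlan in VPNS.items()}  # expected binding


def provisioning_cost(num_vpns, num_trunks):
    """Objects a VRF-lite design needs: one VRF and one routing process per VPN,
    plus one sub-interface for every (VPN, trunk) pair."""
    return {"vrfs": num_vpns,
            "subinterfaces": num_vpns * num_trunks,
            "routing_processes": num_vpns}


def render_vrf_lite_config(vpns, trunks, asn=65000):
    """Render IOS-style VRF-lite configuration for a VPN->VLAN map and trunk list.
    Addressing (10.<vlan>.<trunk#>.0/24) and OSPF process numbers are constructed."""
    lines = []
    for name, vlan in vpns.items():                      # one VRF per VPN
        lines += [f"ip vrf {name}", f" rd {asn}:{vlan}", "!"]
    for idx, trunk in enumerate(trunks, start=1):        # one sub-interface per VPN per trunk
        for name, vlan in vpns.items():
            lines += [f"interface {trunk}.{vlan}",
                      f" encapsulation dot1Q {vlan}",
                      f" ip vrf forwarding {name}",      # binds this VLAN to its VRF
                      f" ip address 10.{vlan}.{idx}.1 255.255.255.0",
                      "!"]
    for name, vlan in vpns.items():                      # one IGP instance per VPN
        lines += [f"router ospf {vlan} vrf {name}",
                  f" network 10.{vlan}.0.0 0.0.255.255 area 0", "!"]
    return "\n".join(lines)


def parse_interfaces(config_text):
    """Return {interface name: [indented sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                                            # '!' or any top-level command
            current = None
    return interfaces


def audit_vrf_bindings(config_text, vlan_to_vrf):
    """Find 802.1Q sub-interfaces with no VRF binding (traffic falls into the
    global table) or a binding that disagrees with the VLAN->VRF plan."""
    findings = []
    for name, body in parse_interfaces(config_text).items():
        vlan = vrf = None
        for entry in body:
            m = re.match(r"encapsulation dot1[qQ] (\d+)", entry)
            if m:
                vlan = int(m.group(1))
            m = re.match(r"(?:ip )?vrf forwarding (\S+)", entry)  # classic and newer IOS forms
            if m:
                vrf = m.group(1)
        if vlan is None:
            continue                                     # not a segmented VLAN sub-interface
        expected = vlan_to_vrf.get(vlan)
        if vrf is None:
            findings.append((name, f"VLAN {vlan} has no VRF binding; its routes land in the global table"))
        elif expected is not None and vrf != expected:
            findings.append((name, f"VLAN {vlan} bound to VRF {vrf}, expected {expected}"))
    return findings


# Constructed, deliberately broken sample: VLAN 20 lacks its binding and VLAN 30
# is attached to the wrong VRF, the two errors the audit is meant to catch.
MISCONFIGURED_SAMPLE = """\
interface GigabitEthernet1/0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CORP
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet1/0/1.20
 encapsulation dot1Q 20
 ip address 10.20.1.1 255.255.255.0
!
interface GigabitEthernet1/0/1.30
 encapsulation dot1Q 30
 ip vrf forwarding CORP
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet1/0/2
 description physical trunk, no encapsulation, not audited
!
"""

if __name__ == "__main__":
    print(provisioning_cost(len(VPNS), len(TRUNKS)))
    print(render_vrf_lite_config(VPNS, TRUNKS))
    for iface, problem in audit_vrf_bindings(MISCONFIGURED_SAMPLE, VLAN_TO_VRF):
        print(f"{iface}: {problem}")
```

Running the script prints the generated configuration and the two audit findings for the broken sample; the rendered configuration itself audits clean. The `provisioning_cost` function makes the scaling concrete: adding a trunk port adds one sub-interface per existing VPN, and adding a VPN adds a VRF, a routing process, and a sub-interface on every trunk, which is the per-VPN overhead the text describes.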