The present invention relates generally to computer communication systems, and more particularly to internetworking Frame Relay devices over an Internet Protocol network using a Virtual Private Network.
In today's information age, it is very common for computers and computer peripherals to be internetworked over a communication network. One popular networking application allows multiple customers to use the communication network simultaneously. Network resources are allocated to each customer in such a way that each customer appears to have its own private network. For convenience, the network resources allocated to each customer are referred to collectively as a Virtual Private Network (VPN).
FIG. 1 shows an exemplary communication system 100 in which two CPE nodes (102, 106) are interconnected over a VPN (104). The VPN (104) is maintained by a service provider, which may be the customer itself or a third-party service provider. The service provider may maintain multiple VPNs over a single communication network.
The VPN (104) includes a number of interconnected edge nodes. Each CPE node (102, 106) interfaces with the VPN (104) through one of the interconnected edge nodes. The edge nodes enable the CPE nodes (102, 106) to communicate over the VPN (104).
In a common networking application, each CPE node (102, 106) interfaces with the VPN (104) using Frame Relay connections. Each CPE node (102, 106) interfaces with an edge node through a Frame Relay interface. Frame Relay virtual circuits are maintained through the Frame Relay Local Management Interface (LMI).
In addition to using Frame Relay for accessing the VPN (104), the edge nodes may also communicate using Frame Relay. FIG. 2 shows an exemplary communication network 200 in which the edge nodes are interconnected over a Frame Relay backbone network (204). For convenience, only two edge nodes (202, 206) and two CPE nodes (102, 106) are shown, although the VPN (104) will typically include additional edge nodes and CPE nodes. In the exemplary communication network 200, the CPE node (102) interfaces with the VPN (104) over a Frame Relay connection to the edge node (202), while the CPE node (106) interfaces with the VPN (104) over a Frame Relay connection to the edge node (206). The CPE nodes (102, 106) communicate over a Frame Relay virtual circuit between the edge node (202) and the edge node (206).
With the increasing popularity of Internet Protocol (IP) networking, it is common for the service provider to migrate the VPN (104) from Frame Relay to IP. However, in order to maintain compatibility with existing customers and provide easy configuration for new customers, it is desirable for the CPE nodes (102, 106) to continue accessing the VPN (104) using Frame Relay connections.
FIG. 3 shows an exemplary communication network 300 in which the edge nodes are interconnected over an IP backbone network (304). For convenience, only two edge nodes (302, 306) and two CPE nodes (102, 106) are shown, although the VPN (104) will typically include additional edge nodes and CPE nodes. In the exemplary communication network 300, the CPE node (102) interfaces with the VPN (104) over a Frame Relay connection to the edge node (302), while the CPE node (106) interfaces with the VPN (104) over a Frame Relay connection to the edge node (306). The CPE nodes (102, 106) communicate over an IP tunnel between the edge node (302) and the edge node (306).
One way to provide VPN connectivity between the various CPE nodes using Frame Relay connections is for each CPE node (102, 106) to use a single Frame Relay virtual circuit for all communications. Unfortunately, this requires the edge node to demultiplex data traffic that arrives over the single Frame Relay virtual circuit.
Another way to provide VPN connectivity between the various CPE nodes using Frame Relay connections is for each CPE node (102, 106) to use a single Frame Relay virtual circuit for each remote edge node. Unfortunately, this requires the Frame Relay virtual circuits to be provisioned in each edge node initially and after any changes in VPN topology.
In accordance with one aspect of the invention, virtual circuits are dynamically allocated based upon address resolution requests. An address resolution request causes a communication path to be created from a source node to a destination node across the VPN. In particular, the source node sends the address resolution request to a local edge node over an interface. The address resolution request identifies the destination node as an intended destination node. The local edge node forwards the address resolution request to all remote edge nodes in the VPN. The local edge node and the particular remote edge node that supports the destination node establish a tunnel. The local edge node allocates a first virtual circuit for the source node, and maps the first virtual circuit to the tunnel. Similarly, the remote edge node allocates a second virtual circuit for the destination node, and maps the second virtual circuit to the tunnel. When the source node sends a unicast protocol message over the first virtual circuit, the local edge node determines the tunnel that is mapped to the first virtual circuit, and forwards the unicast protocol message over the tunnel. Upon receiving the unicast protocol message over the tunnel, the remote edge node determines that the second virtual circuit is mapped to the tunnel, and forwards the unicast protocol message to the destination node over the second virtual circuit.
In this way, virtual circuits are dynamically allocated based upon address resolution requests so that the virtual circuits need not be provisioned in each edge node.
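The allocation sequence described above can be modeled in memory as follows. This is an added example, not code from the patent; the class and method names, the DLCI numbering starting at 16, and the choice of one tunnel per source/destination pair are assumptions made for illustration.

```python
# Added illustration: in-memory model of ARP-triggered VC allocation (names hypothetical).
from itertools import count

class EdgeNode:
    def __init__(self, name, attached):
        self.name = name
        self.attached = set(attached)   # CPE addresses on the local Frame Relay interface
        self.peers = []                 # remote edge nodes in the same VPN
        self._dlci = count(16)          # assumption: VC numbers handed out from 16 upward
        self.vc_to_tunnel = {}          # local VC -> tunnel
        self.tunnel_to_vc = {}          # tunnel -> local VC
        self.delivered = []             # (vc, payload) pairs sent on to local CPE

    def _map(self, tunnel):
        """Allocate a VC for a tunnel once; reuse it on repeated requests."""
        if tunnel not in self.tunnel_to_vc:
            vc = next(self._dlci)
            self.tunnel_to_vc[tunnel] = vc
            self.vc_to_tunnel[vc] = tunnel
        return self.tunnel_to_vc[tunnel]

    def arp_request(self, src, dst):
        """Local edge: forward the request to all remote edges, map a VC on a hit."""
        if src not in self.attached:
            raise ValueError("source is not attached to this edge node")
        for peer in self.peers:
            if peer.offer(self, src, dst):
                return self._map((self.name, peer.name, src, dst))
        return None                     # no edge supports dst, so nothing is allocated

    def offer(self, local_edge, src, dst):
        """Remote edge: only the node that supports dst joins the tunnel."""
        if dst not in self.attached:
            return False
        self._map((local_edge.name, self.name, src, dst))
        return True

    def send_unicast(self, vc, payload):
        """Forward over the tunnel mapped to vc; drop if vc was never allocated."""
        tunnel = self.vc_to_tunnel.get(vc)
        if tunnel is None:
            return False
        far = tunnel[1] if tunnel[0] == self.name else tunnel[0]
        return next(p for p in self.peers if p.name == far).receive(tunnel, payload)

    def receive(self, tunnel, payload):
        vc = self.tunnel_to_vc.get(tunnel)
        if vc is not None:
            self.delivered.append((vc, payload))
        return vc is not None
```

Edge nodes that do not support the requested destination hold no state for it, and a unicast message arriving on a virtual circuit that was never allocated is dropped rather than forwarded.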