FIG. 1 shows a generic description of a broadband network for providing telephone, internet and TV/video services to subscribers in a number of locations. A series of service providers provide the various services (SP1, SP2, SP3) to the network 10 via conventional access points 12. The network 10 connects these to subscribers via routers 14 located close to the subscribers. These can include routers in business locations such as commercial property 16, and routers serving domestic subscribers, located either in a central office 18 for a neighbourhood of separate dwellings (houses 17) or in a single building 19 such as an apartment building. The network operator manages the network function by means of a control and provisioning system 20.
Certain users, particularly business users, like to be able to operate local area networks (LANs). To support this while still providing connectivity to a wider network, a series of products and solutions are currently available that allow Layer 2 LANs and virtual LANs (VLANs) to be provided. A VLAN allows an effectively separate LAN to be established within a single physical infrastructure. A simple VLAN system is shown in FIG. 2 and comprises a local (layer 2) switch 2 that has a number of connections 4 to the various users connected to the VLAN and a physical connection 6 to a port on the router 14. The router has a fixed number of ports available for such connections; in one example, the ASR4K of Packetfront has 32 ports available. The router 14 provides layer 3 interfaces 8 for the connected VLANs and is connected to the wider network 10. The local switch 2, user connections 4 and connection 6 to interface 8 define a Layer 2 segment VLAN.
The system of FIG. 2 has one VLAN connected via the local switch 2. However, it can often be desirable to operate more than one VLAN from a local switch. Details of the general approach for such solutions can be found in the white paper ‘Layer 2 Virtual Private Networks’, December 2005, from World Wide Packets Inc of Spokane Valley, Wash., USA (see http://www.wwp.com/technology/white-papers/L2-VPN-WhitePaper.pdf). Local switch devices, such as the LightningEdge devices from World Wide Packets, allow several VLANs to be connected to a router for access to a wider network. In accordance with the appropriate standard (IEEE 802.1Q), tags are associated with each VLAN as identifiers. Up to 4094 tags/VLANs are available for each device. When these devices are connected to routers (e.g. router 14 of FIG. 1), the routers typically assign a logical layer 3 interface for each VLAN. Including the tag in the addressing for data therefore allows it to be directed to the appropriate VLAN.
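The following added example (not part of the patent or the cited white paper) models the tag-to-interface mapping just described: it parses the IEEE 802.1Q tag from an Ethernet frame, rejects the reserved VIDs outside 1..4094, and looks up the logical layer 3 interface the router has assigned to that VLAN. Interface names and frame contents are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100          # IEEE 802.1Q tag protocol identifier
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority tag) and 4095 are reserved

def parse_8021q(frame: bytes):
    """Return (vid, pcp, inner_ethertype) for a tagged frame, or None if untagged.

    Layout: dst MAC (6) | src MAC (6) | TPID (2) | TCI (2) | EtherType (2) | payload
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    """
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, ethertype

class VlanRouter:
    """Models router 14: one logical layer 3 interface per configured VLAN tag."""

    def __init__(self, interfaces: dict):
        # interfaces maps VID -> interface name (hypothetical names, constructed here)
        for vid in interfaces:
            if not VID_MIN <= vid <= VID_MAX:
                raise ValueError(f"VID {vid} outside 1..4094")
        self.interfaces = dict(interfaces)

    def classify(self, frame: bytes):
        """Decide which layer 3 interface receives the frame, or why it is dropped."""
        tag = parse_8021q(frame)
        if tag is None:
            return ("drop", "untagged frame on a trunk port")
        vid, _pcp, _ethertype = tag
        if not VID_MIN <= vid <= VID_MAX:
            return ("drop", f"reserved VID {vid}")
        iface = self.interfaces.get(vid)
        if iface is None:
            return ("drop", f"no layer 3 interface for VLAN {vid}")
        return ("forward", iface)

def build_frame(vid: int, pcp: int = 0, ethertype: int = 0x0800) -> bytes:
    """Construct a minimal tagged frame (sample data, not captured traffic)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("021122334455")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + b"\x00" * 46
```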
Various proposals have been made for connecting to VLANs. In US2007/058638, a routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, thereby employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).
The system described in U.S. Pat. No. 7,200,145 uses a layer 2 switch (L2 switch), or bridge, to separate users' message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined: “promiscuous” ports, “isolated” ports, and “community” ports. Three types of VLANs internal to the switch are defined: “primary” VLANs, “isolated” VLANs and “community” VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual users' servers, etc., and keep each user's traffic separate from that of other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one-way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports. The isolated VLAN is a one-way connection from an isolated port to the promiscuous ports. A community VLAN is defined as connecting to a group of community ports, and also connecting to all of the promiscuous ports. The group of community ports is referred to as a “community” of community ports. A community VLAN is a one-way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch through the other community ports connected to that community VLAN.
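The forwarding rules of the promiscuous/isolated/community scheme just described, written out as an added example (not code from U.S. Pat. No. 7,200,145 or from this application). Port names and community labels are constructed; the text does not state whether two promiscuous ports may exchange traffic, so that case is marked as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # one of the three port types above
    community: Optional[str] = None  # only meaningful for community ports

class PrivateVlanSwitch:
    """Forwarding policy of the L2 switch described in the text.

    The three internal VLANs are expressed as one-way rules between port types
    rather than as separate forwarding tables.
    """

    def __init__(self, ports: List[Port]):
        for p in ports:
            if p.kind not in (PROMISCUOUS, ISOLATED, COMMUNITY):
                raise ValueError(f"unknown port type {p.kind!r} on {p.name}")
            if p.kind == COMMUNITY and p.community is None:
                raise ValueError(f"community port {p.name} has no community")
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def may_forward(self, src: Port, dst: Port) -> bool:
        if src == dst:
            return False
        if src.kind == PROMISCUOUS:
            # Primary VLAN: one way, promiscuous -> isolated and community ports.
            # Promiscuous -> promiscuous is not spelled out in the text; assumed allowed.
            return True
        if dst.kind == PROMISCUOUS:
            # Isolated VLAN and community VLANs both reach every promiscuous port.
            return True
        if src.kind == COMMUNITY and dst.kind == COMMUNITY:
            # Community VLAN: other community ports, but only within the same community.
            return src.community == dst.community
        # isolated -> isolated, isolated -> community, community -> isolated: blocked
        return False

    def egress_ports(self, ingress: str) -> List[str]:
        """Ports a frame received on `ingress` may be transmitted out of."""
        src = self.ports[ingress]
        return sorted(p.name for p in self.ports.values() if self.may_forward(src, p))
```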
A number of problems exist with current approaches for connecting multiple VLAN systems. One is that assigning a separate logical layer 3 interface to each VLAN can quickly use up memory in the router, especially for lower-end routers with limited memory. Another is that VLAN-to-VLAN communication can require the use of a Layer 2 switch which sits between the local switch and the router. Since such a communication path bypasses the router, it also bypasses router functions such as filters and firewalls, which can be undesirable.
It is an object of the invention to provide a technique which allows direct access for all VLANs to the router without these problems.