Layer 2 forwarding devices, such as Ethernet switches, typically forward packets based on layer 2 destination addresses. For example, a layer 2 forwarding device may perform a lookup in a layer 2 forwarding table based on a layer 2 destination address in a received packet or frame. If the layer 2 destination address is present in the table, the packet or frame is forwarded to the output port associated with the entry. If the destination address is not present in the forwarding table, the frame is typically flooded to all ports other than the port on which the frame was received. Similarly, when a packet is addressed to a broadcast layer 2 address, the packet is typically flooded to all output ports other than the port on which the packet was received.
IEEE standard 802.1Q specifies that a virtual local area network (VLAN) identifier may be placed in a layer 2 frame and used to limit the broadcast domain of the layer 2 frame. For example, if a layer 2 frame includes a VLAN tag and a broadcast MAC address, the layer 2 frame will only be flooded over ports of a device that are associated with the VLAN tag in the frame. Similarly, when a layer 2 frame is addressed to a non-broadcast layer 2 address, and an entry is not present for the address in the layer 2 forwarding table, the packet is only flooded over ports that are associated with the VLAN corresponding to the VLAN tag. Thus, a VLAN is one way to limit the broadcast domain of a layer 2 frame.
The IEEE 802.ae standard describes a mechanism for encrypting layer 2 frames for transmission over a layer 2 network. The standard requires that the entire frame other than the layer 2 header and some additional fields be encrypted. According to the standard, the 802.1Q VLAN tag is encrypted. Thus, when a layer 2 frame that is encrypted according to the 802.ae standard is transmitted over a broadcast network, such as a metro Ethernet, there is no visible VLAN tag for which the broadcast domain can be restricted. This can be problematic if it is desirable for different VLANs to be transmitted to different devices connected to a transport network. For example, it may be desirable to send layer 2 frames across the transport network from site A to site B, but not to site C. However, because the transport network treats all layer 2 frames as being part of the same VLAN, the frames will be flooded to site B and site C. If site B receives packets that are not destined for it, the packets will simply be discarded. However, site B must decrypt the packets and examine the 802.1Q VLAN identifiers to determine that the packets are not destined for site B.
Accordingly, in light of these difficulties associated with transmitting frames associated with different VLANs across a secure layer 2 broadcast domain, there exists a need for improved methods, systems, and computer program products for transmitting and receiving frames associated with different VLANs over a secure layer 2 broadcast transport network.