The present invention relates to private networks such as enterprise networks. In particular, the invention relates to methods and devices for creating subgroups within private networks.
There is a need for internal grouping of network nodes within private networks. Grouping network nodes may be necessary to enforce internal security, to provide certain groups with higher quality of service, or otherwise to distinguish certain classes of users. For example, grouping network nodes can allow only finance group employees to view data available from a financial server and allow only engineering group employees to view data available from an engineering server. Grouping network nodes can provide higher quality of service to users working on important or data-intensive projects. Alternatively, grouping network nodes can allow employees to access all resources on a network, while restricting guests logging in from the Internet to a subset of the available resources.
Under some conditions, virtual subsets of network nodes within local area networks (sometimes referred to as VLANs) serve this need for internal separation of network nodes. VLANs can segregate traffic in a local area network by dedicating different VLANs to different purposes. As set forth in detail in U.S. Pat. No. 5,742,604 at col. 5, line 1 through col. 7, line 44 and FIGS. 3-6, which are incorporated herein by reference, VLANs were implemented using a VLAN identifier or “tag” in the layer 2 frame header, while leaving other layers of a packet unchanged. This tag is used to make switching decisions at a packet level equivalent to layer 2 of the Open Systems Interconnection (OSI) reference model. Although prior art VLAN tags are numerical codes, they are described, for simplicity, in terms of colors, presumably based on the custom of color-coding physical files. For example, a “red” VLAN tag may be used for engineering, a “blue” VLAN tag may be used for marketing and a “yellow” VLAN tag may be used for finance.
VLANs are currently being used only in a local environment (e.g., inside a building). The backbone of such networks is routed based on an equivalent to layer 3 of the OSI reference model, such as the Internet protocol (IP) layer of the TCP/IP protocol or the FC-4 layer of the Fibre Channel protocol. Consequently, the routers in the network's backbone may not propagate the layer 2 VLAN tagging. Therefore, the capability of traffic segregation using VLAN tags is lost when packets are sent over such a backbone. If the routers in such a network do propagate the layer 2 VLAN tagging and the tags are transmitted to another network, various difficulties may result. For example, a code which defines an engineering VLAN in one local environment will probably not be the same code which defines an engineering VLAN in another local environment.
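The two limitations described above (a layer 3 router rebuilds the layer 2 header and so discards the tag, and a tag number carried verbatim to another site may map to a different group there) can be made concrete with a small model. The following Python is an added example, not code from the patent or from U.S. Pat. No. 5,742,604; it assumes the IEEE 802.1Q tag layout (a 0x8100 type field followed by a 16-bit field whose low 12 bits hold the VLAN identifier), which the text itself does not specify, and the MAC addresses, payload bytes and tag-to-group tables are constructed for illustration.

```python
import struct

# Assumption: standard IEEE 802.1Q tag layout, not stated on the page.
# A tagged frame carries type 0x8100 after the source MAC, then a 16-bit
# tag control field whose low 12 bits are the VLAN identifier.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, payload: bytes) -> bytes:
    """Ethernet frame with the VLAN tag inserted into the layer 2 header only."""
    tci = vlan_id & 0x0FFF  # priority and drop-eligible bits left at zero
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload) for tagged or untagged frames."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def route_across_layer3_backbone(frame: bytes, router_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Model a layer 3 router: the decision is made on the IP payload and the
    layer 2 header is rebuilt for the next hop, so a layer 2 VLAN tag is lost."""
    _, _, _, ethertype, payload = parse_frame(frame)
    return next_hop_mac + router_mac + struct.pack("!H", ethertype) + payload


# Constructed per-site meaning of tag numbers. The page uses colors; the
# numbers here are illustrative and deliberately differ between the sites.
SITE_A_TAGS = {10: "engineering", 20: "marketing", 30: "finance"}
SITE_B_TAGS = {10: "marketing", 20: "finance", 30: "engineering"}


def group_for(frame: bytes, tag_table: dict):
    """Group a switch at a given site would infer from the frame's tag, if any."""
    _, _, vid, _, _ = parse_frame(frame)
    return None if vid is None else tag_table.get(vid, "unknown")


def demo() -> dict:
    """Walk one engineering frame from site A over a routed backbone."""
    dst = bytes.fromhex("001122334455")            # constructed
    src = bytes.fromhex("66778899aabb")            # constructed
    payload = b"\x45\x00" + b"\x00" * 18           # constructed stand-in for an IPv4 header
    frame = build_frame(dst, src, 10, payload)     # tag 10 = engineering at site A
    forwarded = route_across_layer3_backbone(
        frame, bytes.fromhex("ccddeeff0011"), bytes.fromhex("2233445566aa"))
    return {
        "tag_at_ingress": parse_frame(frame)[2],
        "tag_after_routing": parse_frame(forwarded)[2],
        "group_site_a": group_for(frame, SITE_A_TAGS),
        "group_site_b_same_tag": group_for(frame, SITE_B_TAGS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the tag present at ingress and absent after the router rebuilds the header, which is why tag-based segregation does not survive a layer 3 backbone; it also shows that the same tag number, if it were carried to site B unchanged, would be read there as marketing rather than engineering, so a cross-site design needs an explicit mapping rather than raw tag propagation.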