1. Field of the Invention
The present invention relates to the field of data communications. More specifically, the present invention relates to a method and frame format for preserving in a data frame the virtual local area network (VLAN) associated with the data frame as determined by a network device from which the data frame was received when transmitting the data frame over a communications medium shared among multiple VLANs. The method and frame format are equally applicable when the network device uses criteria in addition to or instead of the ingress port to associate a VLAN with the data frame.
2. Description of the Related Art
A small baseband local area network (LAN) typically connects a number of nodes, e.g., a server and workstations, to a shared communications medium wherein all nodes compete for available bandwidth on the shared communications medium. In an Ethernet or Institute of Electrical and Electronics Engineers (IEEE) 802.3 standard local area network, when a node transmits a unicast data frame on the network, every node coupled to the shared medium receives and processes the data frame to determine if it is the node to which the data frame is destined. Moreover, when a station transmits a broadcast data frame on the network, all nodes see the data frame and must process it to determine whether they should respond to the broadcasting node. As the number of nodes coupled to the medium increase, data traffic can become congested, resulting in an undesirable level of collisions and network related delays in transmitting data frames, which in turn results in network and node performance degradation.
A common prior art method of reducing congestion is to separate a LAN into multiple LAN segments by way of a network device, such as a bridge or network switch, operating at the Media Access Control (MAC) sublayer of the Data Link layer (layer 2) of the International Standards Organization (ISO) Open Systems Interconnection (OSI) reference model. While all nodes in the data network may still belong to the same broadcast domain, that is, each node still transmits and receives broadcast data frames to/from all nodes on all LAN segments in the network, nodes sharing the same LAN segment see only unicast data frames generated by or destined to a node on the same LAN segment. Given that the bulk of data traffic on a LAN is unicast in nature, segmentation may somewhat reduce collisions and traffic related performance problems.
However, as the number of LAN segments and nodes per segment increases in the same broadcast domain, the nodes can become overburdened processing broadcast data frames. It may be desirable under such circumstances to separate the growing data network into multiple broadcast domains. One possible approach to creating multiple broadcast domains is to separate one or more LAN segments using a network device such as a router, operating at the Network layer (layer 3) of the OSI reference model. With reference to FIG. 1, a data network 10 is illustrated wherein a number of internet-working devices are installed to reduce traffic levels on each LAN segment. A router 100 separates LAN segments 103, 110 and 120 into one broadcast domain 11, and LAN segments 105, 130 and 140 into another broadcast domain 12.
For example, router 100 only forwards a unicast data frame from a node on LAN segments 103, 110 or 120 that is specifically addressed (at layer 3 of the OSI model) to a node on LAN segments 105, 130 or 140, and vise versa. Network devices 101 and 102 may be, for example, network switches. Network switch 101 separates LAN segments 103, 110 and 120 to reduce unicast traffic on each segment while the segments still remain in the same broadcast domain 11. Network switch 102 functions in a similar manner with respect to LAN segments 105, 130 and 140.
LAN segments 110, 120, 130 and 140 may have multiple nodes attached. For example, LAN segment 110 has nodes 111 and 112 coupled to it, and functions, therefore, as a shared communications medium, wherein the nodes share the available bandwidth (e.g., 10 million bits per second in a traditional Ethernet carrier sense, multiple access data bus with collision detection [CSMA/CD]). LAN segments 103 and 105, on the other hand, are dedicated LAN segments, therefore, nodes 104 and 106 have all available bandwidth to themselves. For example, nodes 104 and 106 may be servers requiring greater bandwidth. Dedicated LAN segments 103 and 105 may be any technology supporting delivery of Ethernet or IEEE 802 LLC data frames including CSMA/CD or Fiber Distributed Data Interface (FDDI) segments operating at 100 million bits per second, or Asynchronous Transfer Mode LAN emulation service running over segments operating at 155 million bits per second.
The router 100 has the further advantage of allowing for the implementation of policy restrictions among network administrator-defined groups in the network. For example, it may be desirable to prohibit nodes in broadcast domain 12 from communicating with nodes in broadcast domain 11 using any protocol except those specifically allowed by the network administrator.
However, as can be seen in FIG. 1, data network 10 involves significant hardware and software expenses associated with two network switches, a router, and the multiple communication lines required to achieve multiple broadcast domains. Moreover, a significant amount of administrative overhead is required to maintain the configuration and operation of the internetworking devices as required, for example, when a node is moved from one segment to another segment in the same or different broadcast domain. Thus, it is desirable to implement the data network 10 of FIG. 1 using a single network switch and virtual local area networks (VLANs).
FIG. 2A illustrates data network 10 using a single network switch 200 and virtual local area networks (VLANs) to create multiple broadcast domains 11 and 12. A VLAN is a logical local area network comprised of a plurality of physical local area networks as determined by some network administrator-defined criteria, e.g., grouping local area networks based on geographical topology of the data network, or business units/functions of a company, such as finance or engineering departments. Such VLANs are generally configured based on the points where the physical LANs enter a switched network. For example, network switch 200 is configured such that ports 201 through 203 and 207 belong to VLAN 210, and ports 204-206 belong to VLAN 220. LAN segments 103, 110 and 120 coupled to ports 201-203, respectively, belong to VLAN 210. LAN segments 130, 140 and 105 coupled to ports 204, 207, and 205, respectively, belong to VLAN 220. The configuration of data network 10 in FIG. 2A is relatively less expensive than the configuration of data network 10 in FIG. 1 in that only one switch is required. Moreover, since VLANs are configured at network switch 200, a network administrator can maintain configuration and operation of the network without concern for moving a node from one LAN segment to another LAN segment in the same VLAN.
When the system grows beyond the capacity of a single switch or when geographical constraints create a need for switching capacity at more than one site, additional switches are added to the network. FIG. 2B shows the addition of switch 300 to the network shown in FIG. 2A. LAN segment 190 is used to link switch 300 to switch 200. Switch 300 supports segments 150 and 160 in VLAN 210 and segments 170 and 180 in VLAN 220.
In the prior art, when switch 200 receives a broadcast packet from VLAN 210, station 104, it forwards the packet out all of its other VLAN 210 ports (202, 203 and 207) and also forwards it from port 208 to switch 300. Switch 300 examines the MAC source address (i.e., the ISO layer 2 source address) and based on a prior exchange of information with switch 200 is able to determine the proper VLAN to use for frames from that source address, in this case, VLAN 210. Based on this determination, switch 300 forwards the frame to all of its VLAN 210 ports (e.g., ports 302 and 303).
The success of this approach depends on prohibiting frames having the same MAC source address from appearing on multiple VLANs. However, the prohibition makes this approach unusable in some networks. To work around this problem, some prior art implementations use additional fields within the packet, such as the ISO layer 3 source address, to resolve ambiguities. However, even this approach does not work in all cases, as there are many types of frames which do not contain sufficient information to make a reliable VLAN determination. Examples of such frames include Internet Protocol (IP) BOOTP requests, IPX Gel Nearest Server requests and frames from non-routable protocols.
All messages (in the form of a data frame) transferred between nodes of the same VLAN are transmitted at the MAC sublayer of the Data Link layer of the OSI reference model, based on each node's MAC layer address. However, there is no connectivity between nodes of different VLANs within network switch 200 or 300.
For example, with reference to FIG. 2A, even though all physical LAN segments 103, 105, 120, 130, and 140 are connected to ports on network switch 200, the VLAN configuration of switch 200 is such that nodes in one VLAN cannot communicate with nodes in the other VLAN via network switch 200. For example, node 104 can communicate with node 122 but cannot communicate with node 142 by way of switch 200. Rather, router 100 connects VLAN 210 to VLAN 220 via communications mediums 101 and 102 respectively, so that node 104 can communicate with node 142. Messages transferred between nodes of different VLANs are most often transmitted at the Network layer of the OSI reference model, based on the Network layer address of each node, e.g., an Internet Protocol (IP) address. Router 100 also allows a network administrator to configure appropriate policy restrictions and security rules to reduce unnecessary or unwanted traffic in data network 10.
Using a routing function to transfer data frames between VLAN 210 and VLAN 220 as illustrated in FIG. 2B is inappropriate, however, for data frames of protocol suites that do not support a network layer protocol, e.g., DEC LAT or NetBIOS. To deal with this problem, routers commonly provide a capability for bridging frames of non-routable protocols. For example, assume node 106 in VLAN 220 uses the DEC LAT protocol in an attempt to transmit a data frame to a node in VLAN 210. Switch 200 receives the data frame from node 106 over dedicated communications medium 105 and transfers it to router 100 via communications medium 102. Router 100, not being able to route DEC LAT traffic, may bridge the data frame back to switch 200 via communications medium 101. Switch 200 receives the data frame and, because the data frame is bridged instead of routed, the source MAC address is unchanged. Switch 200 has now received on both ports 205 (in VLAN 220) and 207 (in VLAN 210) a data frame having the MAC address for node 106, and cannot, therefore, unambiguously determine over which port node 106 is connected, or which VLAN should be associated with node 106. Therefore, switch 200 is unable to inform switch 300 of which VLAN should be associated with the MAC address of node 106.
Another circumstance which creates difficulties in establishing a MAC address to VLAN mapping is when a routing protocol, e.g., the DecNet routing protocol, transmits data frames using the same source MAC address on both communications mediums 101 and 102.
Yet another drawback of the configuration of data network 10 as illustrated in FIG. 2A is that a communications link is needed between network switch 200 and router 100 for each virtual local area network (VLAN). As the number of physical LAN segments and VLAN segments increase, and as the distance between LANs increase necessitating utilization of metropolitan- and wide-area communications mediums/facilities, the monetary and administrative expense required to maintain data network 10 also increases. As illustrated in FIG. 3, one means of reducing this expense is to combine multiple communications links into a single shared communications medium 300 between switch 200 and router 100. The same problems which prevented switch 300 in FIG. 2B from reliably determining the proper VLAN for frames received over segment 190 also prevent switch 200 in FIG. 3 from reliably associating VLANs with data frames received over segment 300. Thus, a means is needed to identify the virtual local area network (VLAN) from which a frame originated when transferring the frame over a communications medium shared among multiple VLANs.
One such prior art method identifying the VLAN associated with a MAC address of a node involves creating and maintaining a lookup table on each network device in the data network. The lookup table contains entries associating the MAC address of a node with the port on the network device over which the node is reachable. The node may be coupled to a shared or dedicated communications medium which is further coupled to the port. Each entry also contains a VLAN identifier identifying the virtual local area network (VLAN) assigned to the port. If multiple network devices exist in the data network, as illustrated in FIG. 3, they may utilize a protocol to exchange lookup tables so that each device knows which VLAN is assigned to each port on each device and what nodes (identified by their respective MAC addresses) are reachable via each port as well as which nodes belong to the same VLAN and are allowed, therefore, to communicate with each other.
A prior art method of reliably identifying the VLAN from which a data frame originated utilizes a management defined field (MDF) of an IEEE standard 802.10 Secure Data Exchange (SDE) Protocol Data Unit (PDU). The MDF allows the transfer of proprietary information that may facilitate the processing of a data frame. The prior art method uses the MDF to store a VLAN identifier as the data frame is transferred from a network device over a communications medium shared among multiple VLANs so that when another network device receives a data frame from the shared communications medium, it can determine the VLAN associated with the data frame and determine whether to forward the frame accordingly, depending on the VLANs configured for each port on the network device.
FIG. 4 illustrates the frame format for an IEEE 802.3 MAC/802.10 SDE data frame utilizing the MDF to identify the VLAN associated with the data frame. Portion 401 of data frame 400 is the IEEE 802.3 media access control (MAC) header, comprising a 6 byte destination MAC address field, and 6 byte source MAC address field, and a 2 byte length field. Portion 402 indicates the IEEE 802.10 secure data exchange (SDE) clear header, comprising the SDE designator field 404 containing a special destination service access point (DSAP), source service access point (SSAP), and control field for SDE frames, a security association identifier (SAID) field 405, and the management defined field (MDF) 406. The remainder of the original data frame, comprising its IEEE 802.2 LLC header followed by the user data, is included in field 403.
A VLAN identifier representing the VLAN associated with the data frame received by the network device is placed in the MDF 406 by the MAC layer and other relevant hardware and software in the network device. When the frame is subsequently transmitted across a shared communications medium, such as when switch 300 of FIG. 2B forwards over shared communications medium 190 a data frame destined for a node coupled to a port associated with a different VLAN on switch 200, switch 200 is able to determine the VLAN from which the data frame was received by switch 300 and forward it accordingly to router 100 (if, indeed, inter-VLAN communication is required). Router 100 then routes the data frame back to switch 200, where switch 200 then determines whether to forward the frame to the appropriate port based on the VLAN identifier in the MDF and destination MAC address in the destination MAC address field.
However, the frame format illustrated in FIG. 4 supports only the IEEE 802.3 media access control standards. An Ethernet-based data frame is considered nonstandard by the IEEE, and, therefore, cannot utilize the IEEE 802.10 header, or any other IEEE based header to preserve the VLAN, except through the use of an additional layer of encapsulation. IEEE Recommended Practice 802.1H is one way of performing this additional encapsulation. This extra layer of encapsulation reduces the efficiency of bandwidth utilization and adds complexity to the implementation. Thus, a method and frame format for identifying the VLAN associated with a data frame received at a network switch from either an Ethernet LAN or an IEEE 802.3 LAN is needed to support the existing infrastructure of Ethernet networks in a data network transmitting data frames from multiple VLANs across a shared communications medium. This will allow compatibility with Ethernet-based nodes on the same shared media with nodes supporting VLAN identification.