1. Field of the Invention
The present invention relates to routers, and particularly to a router that interconnects Virtual Private Networks (VPNs) to build a network system via the Internet, a method of packet forwarding control used on the router, and a method of registering routing and related settings with the router.
2. Description of Related Art
When networking a plurality of intra-corporation networks existing in different areas, corporations conventionally used private lines to interconnect these networks, thus forming a network system that is isolated from external networks (to ensure network security). The use of private lines, however, increases the networking cost. As a result, with the spread of the Internet, which can be used at a low charge, there has been an increasing need for a technique of forming a low-cost Virtual Private Network (hereinafter referred to as VPN) by using the Internet. This technique virtually builds private networks via the Internet by using the Internet Protocol (IP) facilities provided by IP networks and the facilities of lower layer protocols below IP. It enables building a safe network that is isolated from external networks and can provide quality assurance service of any level even via the Internet.
One method of implementing reliable data transmission across a VPN is to perform data encapsulation at the entrance to the network of an Internet service provider (hereinafter referred to as ISP) that provides the VPN. The encapsulated data is transferred across the ISP's network according to the capsule header, and this header is removed at the exit of the network. By using VPN-specific encapsulation headers for datagrams that pass across the Internet, VPNs with ensured security can be formed. Encapsulation protocols in practical use include IP capsule, Multi Protocol Over ATM (MPOA), Multi Protocol Label Switching (MPLS), and others. The Internet Engineering Task Force (IETF) and other standardization organizations are working toward the standardization of the encapsulation protocols as of May 2000.
IP addresses are divided into global IP addresses and private IP addresses. Global IP addresses are globally defined unique addresses, whereas private IP addresses can be freely defined by a corporation. Private IP addresses are often used in intra-corporation networks. Thus, it is desirable that private IP addresses can be used when corporations use VPN service. If there are a plurality of VPNs and private IP addresses are used in the VPNs, an IP address used in one VPN may also be used in another VPN. If IP address duplication exists among a plurality of VPNs, a router that is placed at the entrance to the ISP network and interconnects Local Area Networks (LANs) belonging to the VPNs (this router is hereinafter referred to as a VPN edge router) must hold routing tables separately created for the VPNs in order to properly forward packets across the VPNs. Upon receiving a packet, the VPN edge router identifies the VPN to which the LAN that the packet passed across belongs. Then, the VPN edge router searches the routing table for the VPN thus identified, determines the destination to which the packet is to be forwarded across the ISP network, and encapsulates the packet. Because the VPN edge router holds the routing tables separately created for the VPNs, even if it receives packets that passed across different VPNs but have the same destination IP address, it can forward the packets to their correct destinations without mistaking one for another.
One known method of identifying the above VPNs assigns a VPN ID to a user line interface for unique VPN identification and performs VPN identification by VPN ID, as described in the Oct. 18, 1999, issue of “Nikkei Communication,” p. 100. According to this method, VPN identification is performed on a per-physical-interface basis, and one physical interface must correspond to one VPN.
In the above method, however, one physical line is required to connect a corporate network to the ISP network. In order to connect one corporate network to a plurality of VPNs, as many physical lines as the number of the VPNs must be prepared. At the same time, the VPN edge router that interconnects the VPNs must have as many physical interfaces as the number of the VPNs. Consequently, a problem arises in that as the number of VPNs interconnected by the VPN edge router grows, the number of physical interfaces of the VPN edge router grows as well, and eventually additional routers are required.
In a case where an ATM network or a frame relay network provided by another ISP or carrier is used as intermediate access means from a corporate network to the ISP network that provides VPN service, a plurality of logical channels are multiplexed and terminated at one physical interface at the entrance of the ISP network. These multiplexed logical channels cannot be distinguished when VPN identification is performed by physical interface, and this is another problem due to the limitation of the previous VPN identification method.
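The per-VPN routing lookup and the physical-interface identification method described above, together with the limitation for multiplexed logical channels, are shown here as an added example that is not part of the original document. Interface names, VPN IDs, egress router names, routes and channel numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample data: two customer VPNs that both use 10.1.0.0/16.
# Interface names, VPN IDs and egress router names are hypothetical.
IFACE_TO_VPN = {"ge-0/0/1": "VPN-A", "ge-0/0/2": "VPN-B"}

VPN_ROUTES = {
    "VPN-A": [("10.1.0.0/16", "edge-tokyo"), ("10.1.5.0/24", "edge-osaka")],
    "VPN-B": [("10.1.0.0/16", "edge-nagoya")],
}


def longest_prefix_match(routes, dst):
    """Return the egress of the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None


def forward(in_iface, dst, payload):
    """Identify the VPN by ingress physical interface, search that VPN's
    table only, and encapsulate the packet for the ISP network."""
    vpn_id = IFACE_TO_VPN.get(in_iface)
    if vpn_id is None:
        return None  # unknown interface: drop rather than guess a VPN
    egress = longest_prefix_match(VPN_ROUTES[vpn_id], dst)
    if egress is None:
        return None  # no route in this VPN: never consult another VPN's table
    # The capsule header carries the VPN ID and the egress edge router.
    return {"vpn_id": vpn_id, "egress": egress,
            "inner_dst": dst, "payload": payload}


def classify_multiplexed(phys_iface, logical_channel):
    """Limitation of identification by physical interface: the logical
    channel is not part of the key, so it cannot select a VPN."""
    return IFACE_TO_VPN.get(phys_iface)
```

The same destination address arriving on the two interfaces is forwarded to different egress routers, while two logical channels multiplexed on one physical interface are always placed in the same VPN.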