1. Field of the Invention
The invention relates to Virtual Local Area Networks (VLANs), and more particularly to the use of VLANs to establish separation between different users of a shared switch.
2. Background Information
It is today a common computer network engineering practice to separate packet traffic belonging to different users by use of a router, a Layer 3 (L3) device. Separation of users' traffic is accomplished by assigning each user to a different subnetwork (subnet). A subnet is identified by a unique L3 address prefix. The router then transmits a particular user's packets out through a port assigned to that subnet. However, only a limited number of bits in the L3 address (for example an IP address) are assigned to the subnet, and so only a limited number of subnets may be addressed by a particular router. Subnet design is described by Andrew Tanenbaum in his book Computer Networks, Third Edition, published by Prentice Hall, Copyright date 1996, all disclosures of which are incorporated herein by reference, particularly at pages 417-419. For example, if 6 bits are assigned to the subnet portion of the mask, then only 62 different subnets may be addressed, because the all-zeros and all-ones subnet numbers (0 and 63) are reserved under classical subnetting rules. Further, for every subnet assigned two host addresses are wasted: the network address (host part all zeros) and the broadcast address (host part all ones).
As an example of many users of a switch who require that their message traffic be kept separate, an Internet service provider (ISP) may have many customers who want to connect to a server farm. Access to the ISP is through a router connected to a common external computer network, for example the worldwide Internet. The router must route each customer's traffic to that customer's local area network in such a manner as to maintain protection and privacy between the data of different customers. It is desirable for an ISP to prevent traffic originating from one customer's server from being received by another customer's server.
A second example of many users of a computer network who must have their traffic separated in order to guarantee privacy and protection is the use of a television cable Internet distribution system. Each home is assigned a separate subnet so that routers may route only a particular customer's message traffic to that customer. This subnet routing prevents, for example, one customer looking at another customer's message traffic by use of, for example, a network sniffer.
A third example is a server farm, for example a multiclient backup service. Each client's message traffic arrives at a router. The router uses a subnet mask to keep the traffic of each client separate from the traffic of another client, as it routes the traffic to the client's backup server.
A limitation in the use of subnets, and subnet masks, in a multiclient environment is that there is only a limited number of subnets which can be defined from standard Layer 3 addresses. In modern computer network systems, this numerical limitation severely restricts the number of individual users who can be serviced while also having their message traffic kept separate. Further, the management of a large number of subnets by a network manager becomes burdensome, especially in the event that the network has thousands of customers whose packet traffic must be kept separate.
A better way to keep the message traffic of different users separate in a computer network is needed, particularly a method which can scale to a large number of users.
The invention uses a layer 2 switch (L2 switch), or bridge, to separate users' message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined: "promiscuous" ports, "isolated" ports, and "community" ports. Three types of VLANs internal to the switch are defined: "primary" VLANs, "isolated" VLANs and "community" VLANs.
The promiscuous ports are connected to layer 3 or layer 4 devices, for example routers which may in turn connect to the worldwide Internet, load balancers which also may connect to the worldwide Internet, administrative workstations such as those used by network administrators, backup devices, etc. Isolated ports and community ports are connected to individual users' servers, etc., and keep each user's traffic separate from that of other users.
Isolated ports and community ports exchange packets with the promiscuous ports by use of the VLANs internal to the switch. The difference between isolated and community ports is that an isolated port cannot transfer packets to another isolated port, whereas a community port can transfer packets to a designated group of other community ports.
A primary VLAN internal to the switch is defined as follows. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN receives packets from outside of the switch arriving at any of the promiscuous ports, and transfers the packets to the isolated or community ports. However, a packet received by an isolated or community port from the external LAN connected to it is never placed on the primary VLAN. The primary VLAN is a one-way connection from promiscuous ports to isolated or community ports.
An isolated VLAN is defined as connecting to all promiscuous ports and to all isolated ports. An isolated VLAN receives packets arriving from outside of the switch at an isolated port, and transfers the packets to the promiscuous ports. An isolated VLAN does not carry packets received by a promiscuous port from outside of the switch. Also, an isolated VLAN does not deliver any packets to another isolated port. The isolated VLAN is a one-way connection from an isolated port to the promiscuous ports.
A community VLAN is defined as connecting to a group of community ports, and also to all of the promiscuous ports. The group of community ports is referred to as a "community" of community ports. The community VLAN transfers a packet received from outside the switch at a community port to all of the promiscuous ports, and also transfers the packet to the other community ports attached to that community VLAN. A plurality of "communities" of community ports may be defined, and each community of ports has its own assigned community VLAN. A community VLAN cannot transfer packets received from outside of the switch at a promiscuous port. A community VLAN is a one-way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch through the other community ports connected to that community VLAN.
These new types of VLANs and ports are implemented, in part, by particular settings of the Color Blocking Logic (CBL) circuits used by the normal ports of an L2 switch which supports VLANs, and also by use of assignment tables.
Traffic generated by different users' servers is kept separate from other users' servers, by each user having his own isolated port or community of community ports.
The VLANs defined in a first L2 switch chassis can be trunked to other L2 switch chassis using ordinary trunking technology, in order to increase the number of ports.
Alternatively, a single L2 switch, or a network of trunked L2 switches, may have its promiscuous ports divided into subsets. Each subset of promiscuous ports is then associated with its subset of isolated ports and community ports, along with the necessary VLANs.
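The following Python model is an added example, not code from the patent or from any vendor's switch firmware. It encodes the primary/isolated/community forwarding rules defined above as two per-port tables, an ingress assignment (which internal VLAN a frame entering at the port is placed into) and an egress allow-set (which internal VLANs the port may transmit, the role the text assigns to the Color Blocking Logic), and it also models the alternative just described, where the promiscuous ports are divided into subsets each with its own primary, isolated and community VLANs (called a "domain" here; the class, method and port names, and the VLAN numbers, are all assumptions of this example). The topology in `build_isp_example` is constructed for illustration.

```python
"""Toy model of private-VLAN forwarding: tag on ingress, then deliver to every
other port whose egress allow-set contains that tag.  One-way behaviour falls
out of the tables: an isolated port may only *transmit* the primary VLAN, so
nothing it puts on its isolated VLAN can ever reach another isolated port."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class PortType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    primary: int                     # primary VLAN (domain) the port belongs to
    community: Optional[int] = None  # community VLAN, community ports only


class PrivateVlanSwitch:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.isolated_of: Dict[int, int] = {}          # primary -> isolated VLAN
        self.communities_of: Dict[int, Set[int]] = {}  # primary -> community VLANs

    def add_domain(self, primary: int, isolated: int, communities: Set[int]) -> None:
        """One subset of promiscuous ports plus its isolated/community VLANs."""
        self.isolated_of[primary] = isolated
        self.communities_of[primary] = set(communities)

    def add_port(self, port: Port) -> None:
        if port.primary not in self.isolated_of:
            raise ValueError(f"{port.name}: unknown primary VLAN {port.primary}")
        if port.kind is PortType.COMMUNITY:
            if port.community not in self.communities_of[port.primary]:
                raise ValueError(f"{port.name}: community VLAN not in domain")
        elif port.community is not None:
            raise ValueError(f"{port.name}: only community ports carry a community VLAN")
        self.ports[port.name] = port

    def ingress_vlan(self, name: str) -> int:
        """Assignment table: internal VLAN carrying frames that ENTER at this port."""
        p = self.ports[name]
        if p.kind is PortType.PROMISCUOUS:
            return p.primary
        if p.kind is PortType.ISOLATED:
            return self.isolated_of[p.primary]
        assert p.community is not None
        return p.community

    def egress_allowed(self, name: str) -> Set[int]:
        """Colour-blocking table: internal VLANs this port may TRANSMIT."""
        p = self.ports[name]
        if p.kind is PortType.PROMISCUOUS:
            # Hears everything in its domain: primary, isolated and every community.
            return {p.primary, self.isolated_of[p.primary]} | self.communities_of[p.primary]
        if p.kind is PortType.ISOLATED:
            return {p.primary}                 # only the one-way primary VLAN reaches it
        assert p.community is not None
        return {p.primary, p.community}        # primary plus its own community

    def forward(self, ingress: str) -> List[str]:
        """Ports that receive a copy of a frame arriving at `ingress` (flood case)."""
        vlan = self.ingress_vlan(ingress)
        return sorted(n for n in self.ports if n != ingress and vlan in self.egress_allowed(n))

    def can_reach(self, src: str, dst: str) -> bool:
        return dst in self.forward(src)


def build_isp_example() -> PrivateVlanSwitch:
    """Constructed topology: domain 100 has a router, two isolated customers and a
    two-server community; domain 200 is a second promiscuous subset with its own
    router and one isolated customer."""
    sw = PrivateVlanSwitch()
    sw.add_domain(primary=100, isolated=101, communities={102})
    sw.add_port(Port("router", PortType.PROMISCUOUS, 100))
    sw.add_port(Port("custA", PortType.ISOLATED, 100))
    sw.add_port(Port("custB", PortType.ISOLATED, 100))
    sw.add_port(Port("custC-web", PortType.COMMUNITY, 100, community=102))
    sw.add_port(Port("custC-db", PortType.COMMUNITY, 100, community=102))
    sw.add_domain(primary=200, isolated=201, communities=set())
    sw.add_port(Port("router2", PortType.PROMISCUOUS, 200))
    sw.add_port(Port("custD", PortType.ISOLATED, 200))
    return sw


if __name__ == "__main__":
    sw = build_isp_example()
    for src in sw.ports:
        print(f"{src:10s} -> {sw.forward(src)}")
```

Running the block prints, for each port, which other ports would receive a flooded frame entering there: the router reaches every port in its domain, an isolated customer reaches only the router, a community server reaches the router and its community peer, and nothing crosses between domain 100 and domain 200. The same two tables are what a reviewer should ask to see when auditing a real private-VLAN deployment, since a single port whose allow-set mistakenly includes the isolated VLAN silently collapses the separation.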