A virtual private network (VPN) is a private communications network often used within a company, or by several different companies or organizations, to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a public networking infrastructure, such as the Internet, using standard protocols, or over a service provider's private network. A VPN typically involves two parts: a protected “inside” network, which provides physical and administrative security to protect the transmission, and a less trustworthy “outside” network. Many VPNs use network tunneling techniques, such as Multiprotocol Label Switching (MPLS) tunnels.
Virtual routing and forwarding (VRF) is commonly used in routing VPN traffic. VRF allows multiple instances of a routing table to co-exist within the same router at the same time. Typically, each VPN has its own routing table, as well as rules for determining how packets on the VPN are to be forwarded. Because the VRF instances are independent, the same or overlapping IP addresses may be used in different VPN instances without conflicting with one another.
VRF has been integrated with network address translation (NAT) to permit access to shared services from multiple VPNs, even when the devices in the different VPNs have overlapping IP addresses. A NAT-enabled gateway, such as a suitably configured router located between the public Internet and a service provider's access network, rewrites the source and/or destination addresses of Internet Protocol (IP) packets that pass through the gateway. A small range of global IP addresses, or a single global IP address, is assigned by the gateway to represent the devices on each VPN. Each device on the VPN is given a local IP address that is used only within that VPN. When a local computer attempts to communicate with a remote computer situated outside the local network, the gateway (acting as an intermediary device) matches the local IP address of the local computer to one of the global IP addresses. The gateway replaces the local address in data packets sent by the local computer with the matched global IP address, which is then used in communication on the public Internet. The gateway correlates the assigned global IP addresses with VPN information so that return traffic from the public Internet is routed back to the local IP address on the proper VPN.
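As an added illustration (not part of the patent text), the following Python model shows the VRF-aware NAT behaviour described above: translation state is keyed by VRF, so two VPNs whose hosts share the same local address reach a shared server through distinct global addresses, and return traffic is mapped back to the proper VPN. The VRF names, addresses and the port-allocation scheme are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

@dataclass
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # source port
    dport: int    # destination port

@dataclass
class VrfNatGateway:
    """Toy VRF-aware NAT gateway: one global IP per VPN, translation state keyed by VRF."""
    global_for_vrf: Dict[str, str]                       # vrf name -> its global IP (assumed one per VPN)
    _out: Dict[Tuple[str, str, int], int] = field(default_factory=dict)   # (vrf, local ip, port) -> global port
    _back: Dict[Tuple[str, int], Tuple[str, str, int]] = field(default_factory=dict)  # (global ip, port) -> (vrf, local ip, port)
    _next_port: int = 40000                              # single port counter, kept simple on purpose

    def outbound(self, vrf: str, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving `vrf` for the public Internet."""
        key = (vrf, pkt.src, pkt.sport)                  # VRF is part of the key, so overlapping
        gip = self.global_for_vrf[vrf]                   # local addresses in different VPNs never collide
        if key not in self._out:
            gport, self._next_port = self._next_port, self._next_port + 1
            self._out[key] = gport
            self._back[(gip, gport)] = key               # remember which VPN owns this mapping
        return Packet(gip, pkt.dst, self._out[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Map return traffic from the Internet back to (vrf, packet for the local host)."""
        vrf, lip, lport = self._back[(pkt.dst, pkt.dport)]
        return vrf, Packet(pkt.src, lip, pkt.sport, lport)

def demo() -> dict:
    """Two VPNs whose hosts both use local address 10.0.0.5 talk to the same shared server."""
    gw = VrfNatGateway({"vpn_a": "203.0.113.10", "vpn_b": "203.0.113.11"})   # constructed sample values
    server = "198.51.100.7"
    out_a = gw.outbound("vpn_a", Packet("10.0.0.5", server, 1234, 443))
    out_b = gw.outbound("vpn_b", Packet("10.0.0.5", server, 1234, 443))
    # Replies arrive at the global address/port the gateway chose for each VPN
    vrf_a, back_a = gw.inbound(Packet(server, out_a.src, 443, out_a.sport))
    vrf_b, back_b = gw.inbound(Packet(server, out_b.src, 443, out_b.sport))
    return {"out_a": out_a, "out_b": out_b, "vrf_a": vrf_a, "back_a": back_a,
            "vrf_b": vrf_b, "back_b": back_b}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```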
The present invention will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which: