In today's data networking, the general goal is to send data traffic from one host machine to another via some combination of network elements (e.g., routers, switches, etc.). The route the traffic follows when forwarded between two host machines is referred to as a “datapath.” Unless the two hosts are directly connected, some set of Control-Plane Protocols (for instance, OSPF, IS-IS, MPLS RSVP or MPLS LDP) is used among the network elements to learn the connectivity among them and to construct the datapaths that allow a host in one network subnet (100) to communicate with intermediate network elements (104a-104n, and generally 104) and with hosts in other network subnets (108). FIG. 1 generally illustrates the arrangement of these elements.
Each network element forwards the data received from the previous device onto the next network segment, using forwarding criteria determined by the Control-Plane Protocol for that datapath; a network segment is the connection between any two devices, either between a host and its connected network element or between two directly connected network elements. For example, a network element may determine how to forward a data packet by examining its Layer 2, Layer 3 or MPLS header, and may then encapsulate the packet into a different data format, decapsulate it by removing its outer header, or simply forward it without changing its header format.
FIG. 2 generally illustrates the datapath of a Multi-Protocol Label Switching (MPLS) network that facilitates a Layer Three Virtual Private Network (L3VPN) for encrypted, private communications. This technology transmits data packets over MPLS Label Switched Path (LSP) tunnels, and packet forwarding is managed at the network layer (OSI Layer 3) based on knowledge of neighboring nodes in the network and other network characteristics. L3VPN network elements consist of customer edge nodes (CE) 204a and 204b (usually routers) located at a customer's premises, which provide an interface between the customer's internal local network and the internet service provider's core network; provider edge nodes (PE) 208a and 208b, which interface between the CE nodes and the service provider's network; and provider nodes (P) 212, which make up the provider's core network.
In the case of an L3VPN, the two end points are the two host machines 100. A CE router forwards the IP data packets sent by its connected host 100 toward the remote CE router via the directly connected PE router. The PE router encapsulates each IP data packet using two MPLS labels and forwards the MPLS-encapsulated IP data packets to the remote PE router (which is the remote end point of the MPLS “tunnel”) via one or more P nodes. The P nodes forward the MPLS-encapsulated IP data packets toward the remote PE router by examining and swapping only the outer (and not the inner) MPLS label. When the remote PE router receives the MPLS-encapsulated IP data packet, it removes the MPLS header (thereby restoring the data packet to its original IP format) and forwards it to the destination CE router, which in turn forwards the IP data packet to its connected host. FIG. 3 illustrates an example of IP traffic forwarding with firewall filtering implemented.
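The label-stack handling described above (ingress PE pushes two labels, each P node rewrites only the outer label, egress PE pops both and uses the inner VPN label to select the customer's routing table) can be followed hop by hop in the added simulation below; it is example code written for this page, not part of the original description or of any vendor's implementation. The label values, LFIB contents, VRF name and IP payload are all constructed sample data; the entry layout follows the standard 32-bit MPLS label stack entry (20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL).

```python
import struct

def encode_entry(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    """Pack one 32-bit MPLS label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)

def decode_entry(entry: bytes):
    """Return (label, tc, bottom_of_stack, ttl) from the first 4 bytes of entry."""
    (word,) = struct.unpack("!I", entry[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF

def pe_ingress_push(ip_packet: bytes, vpn_label: int, lsp_label: int, ttl: int = 64) -> bytes:
    """Ingress PE: push the VPN label (bottom of stack) and the transport LSP label on top of it."""
    inner = encode_entry(vpn_label, 0, True, ttl)
    outer = encode_entry(lsp_label, 0, False, ttl)
    return outer + inner + ip_packet  # the IP packet itself is carried unchanged

def p_swap(packet: bytes, lfib: dict) -> bytes:
    """P node: read only the outer entry, swap its label per the LFIB, decrement TTL; inner bytes untouched."""
    label, tc, bos, ttl = decode_entry(packet)
    if ttl <= 1:
        raise ValueError("TTL expired at P node")
    return encode_entry(lfib[label], tc, bos, ttl - 1) + packet[4:]

def pe_egress_pop(packet: bytes, vrf_by_label: dict):
    """Egress PE: strip both entries, pick the customer VRF from the VPN label, return the original IP packet."""
    _, _, outer_bos, _ = decode_entry(packet)
    if outer_bos:
        raise ValueError("expected a two-label stack")
    vpn_label, _, bos, _ = decode_entry(packet[4:])
    if not bos:
        raise ValueError("VPN label must be bottom of stack")
    return vrf_by_label[vpn_label], packet[8:]

# Constructed sample data (hypothetical): a fake IP payload, one LSP through two P nodes,
# and VPN label 3001 mapped to the customer's VRF at the egress PE.
SAMPLE_IP = b"\x45\x00" + b"IP-PAYLOAD"  # constructed bytes, not a real IP header
LFIB_P1 = {16: 17}
LFIB_P2 = {17: 18}
VRF_BY_LABEL = {3001: "vrf-customer-a"}

def forward_through_l3vpn(ip_packet: bytes = SAMPLE_IP):
    """Run one packet PE -> P -> P -> PE; return the VRF, the restored IP packet and the outer label at each hop."""
    pkt = pe_ingress_push(ip_packet, vpn_label=3001, lsp_label=16)
    outer_labels = [decode_entry(pkt)[0]]
    for lfib in (LFIB_P1, LFIB_P2):
        pkt = p_swap(pkt, lfib)
        outer_labels.append(decode_entry(pkt)[0])
    vrf, restored = pe_egress_pop(pkt, VRF_BY_LABEL)
    return vrf, restored, outer_labels
```

Note that the P nodes never consult the inner label or the IP packet: the stack only adds and rewrites headers, so the customer payload and the VPN label reach the egress PE exactly as the ingress PE emitted them.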
In this example, Router3 operates as the gateway connecting the internal network (Router1 and Router2) to the public Internet. Router3 communicates with Router1 and Router2 and all other internal routers using OSPF, whereas Router3 communicates with Router4 using BGP. Router4 connects to the rest of the Internet. Router3 is configured with a firewall feature to discard unintended user data between the internal network and the Internet.
Both of these examples illustrate datapaths being set up with more than one Control-Plane Protocol. In the IP traffic forwarding with firewall filtering case, the firewall is also a service chained inline to the datapath.