With personal computer systems becoming increasingly pervasive, many companies have deployed local area networks (LANs) that connect all the computers at a given location. While such LANs allow the interchange of information between the local computers at one physical location, computers at different physical locations may need to exchange information in a similar manner. One solution to connecting computers at two different locations involves creating a physical connection between the two locations, such as by installing a copper or fiber optic cable between the locations. Alternately, a company can use an existing physical connection between two locations if one exists. Since the telephone companies (e.g., Pacific Bell and AT&T) have pre-existing physical connections between most locations, one alternative to building and maintaining a physical connection between two locations is for a company to lease an existing physical connection or line from a telephone service provider. Typically, the leased line will be used exclusively by the lessee, thus allowing a company to create a wide area network (WAN) by leasing a connection between two local LANs. Moreover, such a leased line will provide secure private (i.e., not susceptible to monitoring or interception by third parties) communication and guaranteed bandwidth between the two locations.
A more recent alternative for companies to connect computers at two locations involves using a service provider's public network between the two locations. In this situation, a company will subscribe to the service provider's public network, and will establish at least one User-to-Network Interface (UNI) at each location to connect the LAN at that location to the public network. A Permanent Virtual Circuit (PVC) can then be defined between the two UNIs, providing a virtual connection between the two locations that appears to be a dedicated, physically-connected circuit. Thus, a computer at one location can use the PVC to send information to a computer at the other location in the same manner that the computer would exchange information with a local computer. Having two or more private networks connected over a public network is referred to as a Virtual Private Network (VPN), and the customers using the public network are referred to as subscribers.
The use of VPNs rather than leased lines provides advantages to both the service provider and the subscriber. For the service provider, the use of VPNs provides flexibility. Since public networks are typically broadband packet-switched systems (e.g., frame relay or ATM), there are many possible pathways to send information from one location to another. This allows a service provider to dynamically vary the physical connection used to implement a PVC on a per-message or a per-packet basis, thus maximizing the overall network throughput. Since subscribers will rarely use their maximum bandwidth on a continuous basis, service providers can over-allocate the bandwidth on the public network and still provide sufficient levels of service. This in turn benefits the subscribers by lowering their cost of service. In addition, the redundant physical connections of a PVC enhance network reliability for subscribers.
However, while VPNs provide some advantages to subscribers, they also have various drawbacks. In particular, information which a subscriber may desire to keep private will be passing over a public network. Thus, extra measures must be taken by either the subscriber (e.g., encryption) or the service provider (e.g., restricted access to public network information) to ensure that private information passing over the public network remains private. In addition to these privacy issues, managing an enterprise (i.e., company-wide) network is much more difficult with a VPN than with leased lines because the subscriber does not have direct access to the various computers and connections that make up the service provider's public network. When a company owns all of the computers and the wiring between them, the company can monitor the flow of information on the network and remedy problems that arise. For example, network administrators can ensure that the network bandwidth is sufficient for the company's needs, and that the available bandwidth is not underutilized by the company. If a bandwidth problem is recognized, the company can physically add or remove cables to remedy the problem. Network administrators can also use Network Management Systems (NMSs) such as HP OpenView from Hewlett-Packard Company to view the status of the computers on a LAN, detect when problems occur (e.g., a computer becomes unavailable), and mitigate problems (e.g., route network traffic around a computer that has crashed).
While VPN subscribers would like to perform these same network management functions on their VPNs, the use of public networks creates significant hurdles in monitoring enterprise networks by receiving current network status information and in manipulating these networks to remedy problems. As a limited remedy, some service providers employ Customer Network Management (CNM) systems that provide limited information to subscribers about their PVCs on the public network. However, these CNM systems may provide only historical statistical data on a periodic basis (e.g., once a week or once a month). While these network traffic reports may be used by a network administrator to detect long-term systematic bandwidth problems, this level of information is not sufficient for a subscriber to view current status information and quickly resolve problems that arise.
Beyond the above problems inherent to the basic VPN configuration, several common situations exist that only exacerbate these problems. For example, many service providers have public networks that include hardware from multiple vendors. Since each vendor's system typically tracks only its own data, often with proprietary interfaces, a subscriber may receive network traffic reports for each vendor and be forced to integrate the information themselves. In addition, it is increasingly common for a PVC to stretch across multiple service providers. For example, a company with two geographically remote locations must commonly deal with local service providers at each location, and a long-distance service provider between them. The subscriber may thus receive network traffic reports from each service provider. Other situations which create problems for managing enterprise networks include PVCs with different owners at the two ends (e.g., an extranet with a company at one end and a subsidiary supplier at the other end), multiple PVCs that share a single UNI (e.g., one location with a single UNI and with multiple PVCs), and PVCs composed of multiple fractional PVCs.