The technology of virtual private networks (VPNs) is used in a known way for remote communication with the apparatuses of a local area network (LAN) using a stand-alone device, and also enables two LANs to be connected up together so that their apparatuses can communicate transparently as if they were connected to the same LAN.
The implementation of VPNs can be used, for example, for real-time, secured communication between individuals sharing a same field of interest while at the same time using the internet infrastructure which has low reliability but is inexpensive.
Consider a set of houses or office buildings communicating with one another and forming a community of geographically distant sites, each site being equipped with a LAN to which Ethernet terminals are connected. These local area networks are formed by a set of Ethernet segments that may be connected to one another by local bridges. Each member site of a community is connected to one or more other remote sites which are members of this same community by means of a WAN (Wide Area Network) or MAN (Metropolitan Area Network) type network to which it is connected by a specific interface compliant with the specifications of the protocols used on this WAN or MAN network.
Conventionally, LANs belonging to distinct remote sites are dynamically interconnected to one another for the execution of communications requests coming from applications that are being executed on the Ethernet terminals. These local networks then communicate by means of remote bridges.
The remote bridges are connected on one side to a LAN via a level 2 interface and, on the other side, to one another via level 2 tunnels, i.e. tunnels at the link layer (level two of the OSI model, which sub-divides communications protocols into seven layers), carried over the WAN or MAN type networks mentioned here above. Each of these level 2 tunnels is set up between two apparatuses called tunnel end-points (or TEPs), each connected to one of the two directly interconnected LANs.
The tunnel end-points implement the remote-bridge function and the function of tunneling link-level messages such as Ethernet frames sent out by Ethernet terminals connected to these local area networks. The term “tunneling” is understood to mean a particular encapsulation or packaging of data, creating these tunnels supported by WAN or MAN type intermediate networks which may be IP networks.
It is important to note that, in the context of this invention, the meshing constituted by all the tunnels set up within a community between a set of directly interconnected distant sites is generally not a complete meshing (i.e., in principle, there is no tunnel between a given local area network and each of the other local area networks of the community). Despite this partial mesh between the sites, each site of a community can communicate with each other site of the community thanks to a relay function supported by each tunnel end-point.
This relay function for a tunnel end-point sets up a connection between two level 2 tunnels and enables indirect communication between two sites of a community that are not directly interconnected by a tunnel.
The implementation of this relay function therefore requires the use of three tunnel end-point apparatuses in order to enable communication between applications executed on two Ethernet terminals respectively connected to a first and a second LAN representing two remote sites not directly connected by a tunnel. These communications ensured by means of a relay function support both peer-to-peer type and client-server type application architectures.
These three tunnel end-points can be sub-divided as follows: the two LAN tunnel end-points to which the Ethernet terminals supporting the applications (or communications programs) are connected, as well as a third intermediate tunnel end-point ensuring said relay function. This third tunnel end-point is directly connected via two level two tunnels to the two above-mentioned remote tunnel end-points.
In such a partially meshed network of a community of LANs interconnected by level 2 tunnels, it is possible to discover all the direct paths (without relay function) and indirect paths (thanks to the relay function fulfilled by certain tunnel end-points) between any two remote LANs. The term “path” is understood to mean a set of network infrastructure elements, such as interconnection devices and links, used to transfer data from a first sub-network (or LAN) to a second sub-network (or LAN) and from the second sub-network (or LAN) back to the first sub-network (or LAN). This discovery is done while preventing the formation of data path loops, which would make the global community network less efficient or even inoperative, by means of well-known algorithms for eliminating data path loops.
A first known algorithm for eliminating data path loops consists in deactivating the relay function of certain tunnel end-points in which the initial state of the relay function is active by default. This processing can be used to find out which relay functions of certain tunnel end-points are to be activated in order to enable communications between all the possible couples within the community, a couple being formed by a source tunnel end-point and a destination tunnel end-point.
However, a problem arises in the case of a topology of a network system comprising one or more sites having a LAN interfaced with MAN or WAN networks by means of at least two tunnel end-points, also called multi-TEP LANs. Indeed, the process of tracing the global topology of the network will represent a site having a multi-TEP LAN with at least two tunnel end-points exactly as it would represent a set of two LANs interconnected by a tunnel set up between two tunnel end-points of two remote sites.
The execution of the algorithm by the deactivation of certain relays will then leave these multi-TEP LANs in a state in which the traffic entering via the tunnel of one tunnel end-point will be transmitted locally on the multi-TEP LAN to the other tunnel end-points and therefore retransmitted (relayed) via their respective tunnels. This is because these other tunnel end-points are unable to distinguish traffic emitted locally by an Ethernet terminal attached to the multi-TEP LAN from traffic coming from an Ethernet terminal attached to a remote LAN and delivered by another tunnel end-point. Thus, data path loops will persist.
The US patent document 2006/0285498 (Hewlett Packard) implements an algorithm of this kind for eliminating data path loops by the deactivation of certain relays. This document furthermore proposes a method according to which a switch can discover a broadcasting path from itself to a set of connected switches by means of a path trace-route message, called a “broadcast trace route”, generated from a first switch. However, this method cannot take account of a community whose network configuration includes multi-TEP LANs, i.e. a LAN having several connections to the MAN network or to the WAN network set up via several tunnel end-points connected to the same local LAN. Thus, data path loops will persist.
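The following simulation, added here as an illustration and not taken from the patent or from the Hewlett Packard document, models a community of LANs, tunnel end-points and level 2 tunnels and floods one broadcast frame through it. Topologies, names (TRIANGLE, MULTI_TEP, TEPs a, b, c, a1, a2, b1, b2) and the hop limit are constructed assumptions. It shows that deactivating the relay function (the first known algorithm) removes the loop in a partially meshed community of single-TEP LANs, but that a frame keeps circulating between two multi-TEP LANs even when every relay is deactivated, because the second TEP on each LAN treats the delivered frame as local traffic.

```python
from collections import deque

class Community:
    """LANs linked by level-2 tunnels between TEPs (constructed model, not patent code)."""
    def __init__(self, teps, tunnels, relay_on):
        self.lan_of = dict(teps)                          # tep -> its LAN
        self.teps_of = {}                                 # lan -> [teps]
        for tep, lan in teps:
            self.teps_of.setdefault(lan, []).append(tep)
        self.tunnels = {tep: set() for tep, _ in teps}    # tep -> peer TEPs
        for t1, t2 in tunnels:
            self.tunnels[t1].add(t2)
            self.tunnels[t2].add(t1)
        self.relay = {tep: relay_on for tep, _ in teps}   # tunnel-to-tunnel relay state

    def broadcast(self, src_lan, max_hops=20):
        """Flood one broadcast frame from a terminal on src_lan.
        Returns (LANs reached, duplicate deliveries, loop detected)."""
        deliveries = {src_lan: 1}
        queue = deque([("lan", src_lan, None, 0)])       # (kind, where, via, hops)
        while queue:
            kind, where, via, hops = queue.popleft()
            if hops > max_hops:                           # frame is still circulating
                return set(deliveries), sum(n - 1 for n in deliveries.values()), True
            if kind == "lan":
                # Every TEP on the LAN except the one that delivered the frame sees
                # it as local traffic and tunnels it to all of its peers.
                for tep in self.teps_of[where]:
                    for peer in (self.tunnels[tep] if tep != via else ()):
                        queue.append(("tunnel", peer, tep, hops + 1))
            else:
                # Frame arrives at TEP `where` over the tunnel from `via`: deliver it
                # to the local LAN and, if the relay is active, to the other tunnels.
                lan = self.lan_of[where]
                deliveries[lan] = deliveries.get(lan, 0) + 1
                queue.append(("lan", lan, where, hops + 1))
                for peer in (self.tunnels[where] if self.relay[where] else ()):
                    if peer != via:
                        queue.append(("tunnel", peer, where, hops + 1))
        return set(deliveries), sum(n - 1 for n in deliveries.values()), False

# Single-TEP triangle: deactivating the relays removes the loop (first known algorithm).
TRIANGLE = ([("a", "A"), ("b", "B"), ("c", "C")], [("a", "b"), ("b", "c"), ("c", "a")])
# Two multi-TEP LANs: the loop persists even with every relay deactivated.
MULTI_TEP = ([("a1", "A"), ("a2", "A"), ("b1", "B"), ("b2", "B")], [("a1", "b1"), ("a2", "b2")])

def scenario_broadcast(scenario, relays_on):
    """Flood a frame from LAN A of TRIANGLE or MULTI_TEP with relays on or off."""
    return Community(*scenario, relays_on).broadcast("A")
```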
A second well-known loop elimination algorithm is the STP (Spanning Tree Protocol) algorithm. The local bridges according to the IEEE 802.1D standard and the remote bridges according to the IEEE 802.1G standard resolve the problem of detecting and eliminating the logical loops in a network whose segments are connected to one another by local and remote bridges respectively through the use of this STP algorithm. This entirely distributed algorithm is executed in parallel on each of the bridges. It can be defined as a dialogue protocol between all these bridges, used to eliminate redundant links and retain only the most advantageous links (those having faster communications lines, lower-cost communications lines, etc.). When there are several paths, the algorithm chooses the most efficient one and closes the others. If the active path fails, it automatically reconfigures the network so that another path becomes active in order to continue operations.
As the English name suggests, this STP algorithm will set up a spanning tree in a meshed network and invalidate all the links that do not form part of this network.
However, for an efficient design of the physical topology of a meshed network, it is necessary to preserve a redundancy of physical paths in case one of the links should go out of operation. This is why there is a need for a “Spanning Tree” (IEEE 802.1D) type algorithm guaranteeing a unique logical path between two nodes of the network, but with the possibility of updating that path when one of the physical links supporting it has just become unusable.
Another algorithm, called the RSTP (Rapid Spanning Tree Protocol) algorithm, is a development of the STP algorithm. It produces a faster convergence of the algorithm after a change in topology, for example when there is a failure of a physical link, the creation of a new physical link or the insertion of a new bridge into the network. The IEEE 802.1D-2004 standard now includes RSTP and makes STP obsolete. However, if RSTP is applied in the context of the invention, this RSTP algorithm will process each of the tunnel end-points as a remote bridge and, therefore, for certain tunnel end-points, it will block the input traffic and output traffic on a tunnel end-point of a network LAN A. This makes this tunnel port unusable for direct communications (without relay functions) from another network LAN B directly interconnected to this LAN A via a tunnel. The communications between the two networks LAN A and LAN B will then have to take an indirect path via a tunnel end-point whose relay function is activated, thus using a less efficient and less reliable path.
Finally, another algorithm called an MSTP (Multiple Spanning Tree Protocol) specified in IEEE 802.1s and then merged with IEEE 802.1Q-2003 defines an extension to the RSTP protocol to increase the utility of the concept of virtual local area networks (VLANs). This MSTP configures a network spanning tree specific to each VLAN and blocks a set of redundant links independently for each tree corresponding to a VLAN.
As described here above, the STP algorithm and its variants (RSTP, MSTP) block the input and output traffic of tunnel bridges that do not belong to the best path computed by the algorithm for a communication between a network LAN A and a network LAN B. This therefore makes these tunnel ports unusable for direct communications (without relays) from another network LAN C directly interconnected with the LAN A via a tunnel. Although LAN A and LAN C are directly interconnected by a tunnel, communications between these networks would then have to pass via a tunnel end-point whose relay function is activated, thus constituting a less efficient and less reliable path.