This invention relates to a network and to an edge router. More particularly, the invention relates to a network for forming a VPN (Virtual Private Network) on a shared network and communicating over the VPN, and to an edge router in a network for forming a VPN on a shared network, forming a core network of the VPN by a label switching network and forming an access network, which is for accessing the core network, by a VLAN (Virtual LAN).
In order to construct a network (an intranet) within an enterprise, it is necessary to interconnect the home office, business offices, branches, factories and research labs, etc., scattered over a number of areas. With the age of internationalization upon us, there is a need for intranets that are connected widely to business sites overseas without being closed solely within one's own country. When an intranet is thus spread over a wide area, it becomes necessary to implement the same system environment at both the home and remote offices. VPNs (Virtual Private Networks) have been developed and adopted widely for this purpose. A VPN is a virtual private network that can be set up on a shared network (a wide-area network such as the Internet) and can be utilized without the user being aware of the fact that the shared network is being utilized. A VPN is constructed on a wide-area network (WAN) utilizing an access server, a WAN router and a VPN-dedicated devices. Techniques for constructing a VPN include a method using a VLAN (Virtual LAN) in accordance with IEEE 802.1Q, a method based upon IPsec and a method using MPLS (MultiProtocol Label Switching), etc.
VLANs form network-connected devices into groups without relation to their physical wiring and constructions, and each group is formed within an area that is reached by Layer-2 MAC frames. The sending and receiving of frames is performed within the same group and the broadcasting of frames also takes place within the same group. Communication with a different VLAN group general requires the intermediary of a router having a relay function in Layer 3.
Schemes for implementing a VLAN include (1) port-based VLAN, (2) MAC-address database VLAN and (3) policy-based VLAN. Among these, port-based VLAN is a scheme for forming a VLAN group statically on a switching hub on a per-physical-port basis. MAC-address database VLAN is a scheme which forms a VLAN group based upon MAC addresses possessed by terminals. The pertinent VLAN group is recognized based upon the MAC address of the originating source contained in a received packet.
FIG. 18 shows an example of the structure of port-based VLAN according to the prior art. Here terminals such as personal computers are connected to respective ones of a plurality of LAN ports P1 to P6 of a switching hub SHB. The LAN ports P1 to P3 belong to group 1 and the LAN ports P3 to P6 belong to group 2. Broadcast frames transmitted from terminals in group 1 are broadcast only to terminals in group 1, and broadcast frames transmitted from terminals in group 2 are broadcast only to terminals in group 2. The sending and receiving of frames is performed only within the same group, and communication between the different groups 1, 2 requires the intervention of a router, not shown. Prior to grouping, broadcast frames needed to be relayed to all terminals. By grouping, however, broadcast frames now need only be relayed within the group. This makes it possible to alleviate the load on the network. Moreover, since a frame is not transmitted from one group to another, security can be maintained.
A VLAN can be designed in such a manner that a LAN port is placed in multiple groups, as is the case with LAN port P3 in FIG. 19. Further, grouping is not limited to a single switching hub. As shown in FIG. 19, it is possible to group ports belonging to a plurality of switching hubs SHB1 to SHB3. More specifically, ports P1 to P3 of each of the switching hubs SHB1 to SHB3 are grouped, a VLAN ID (VID: Virtual LAN Identifier) specific to each group is assigned to each group, and a tagging scheme described below is adopted to construct a plurality of VLANs (VLAN1 to VLAN3) that bridge a plurality of devices. As a result of this arrangement, terminals belonging to the same VLAN can communicate with one another, regardless of where they are installed, just as if they were connected to the same physical network.
The tagging scheme mentioned above is a technique standardized by IEEE 802.1Q. In accordance with tagging, a VID is assigned to a MAC frame in the manner of a tag. The tag is carried with the MAC frame along with the packet. An L2 switch (switching hub) that has received a tagged MAC frame analyzes the content of the tag and relays the frame to the appropriate port belonging to the VLAN.
FIG. 20 illustrates the format of a MAC frame in a VLAN (compliant with IEEE 802.1Q) according to the prior art. Here Ml represents a MAC destination address (MAC DA); M2 a MAC source address (MAC SA); M3 a tag; M4 type; and M5 an IP packet (composed of an IP header, TCP header and data field). The tag M3 consists of four bytes and has (1) a TPID (Tag Protocol Identifier), (2) user priority, (3) a CFI (Canonical Format Indicator), (4) a VID (Virtual LAN Identifier), (5) length and (6) an RIF (Routing Information Field). The value of TPID, which is a hexadecimal number, is fixed at 81-00 (IEEE 802.1Q tag type). User priority expresses the order of priority of the frame using three bits. The CFI indicates the absence or presence of an RIF in the tag header. The VID is a 12-bit virtual-LAN identifier; a total of 2012=4096 VIDs can be specified.
FIG. 21 illustrates an example of VLAN implementation according to the prior art. Shown in FIG. 21 are a first switching hub SHB1 in which personal computer terminals PC1, PC2 are connected to ports P1, P2, respectively; a second switching hub SHB2 in which personal computer terminals PC3, PC4 are connected to ports P1, P2, respectively; a third switching hub SHB3 in which the first and second switching hubs SHB1, SHB2 are connected to ports P1, P2, respectively; and a router RT connected to port P3 of the third switching hub SHB3. The first and second switching hubs SHB1, SHB2 are connected to the third switching hub SHB3 via their respective ports P3.
The first and third personal computer terminals PC1, PC3 construct a first VLAN (VID=10), the second and fourth personal computer terminals PC2, PC4 construct a second VLAN (VID=20), and the ports P1 to P3 of each of the first switching hubs SHB1 to SHB3 are grouped as indicated by the VID values in FIG. 21. The ports having two VID values each belong to two groups. In an instance where the personal computer terminal PC1 transmits a packet to the personal computer terminal PC3, the personal computer terminal PC1 transmits a packet having the MAC address of the personal computer terminal PC3 placed in its header as the destination address. Upon receiving this packet at port P1, the first switching hub SHB1 finds the VID (=10) of the VLAN to which the port P1 belongs from a predetermined table, assigns a tag inclusive of VD=10 to the received packet and transmits the packet from port P3 of VID=10. The tagged packet is then transmitted to the second switching hub SHB2 via the ports P1, P2 of third switching hub SHB3. When the tagged packet arrives at the second switching hub SHB2, the latter removes the tag and transmits the packet to the personal computer terminal PC3 from port P1 (VID=10).
On the other hand, if the personal computer terminal PC1 transmits a packet to the personal computer terminal PC4 in the other group, the personal computer terminal PC1 transmits a packet having the MAC address (Layer-2 address) of the router RT placed in its Layer-2 header as the destination address and having a Layer-3 address (IP address) of the personal computer terminal PC4 placed in its Layer-3 header (IP header). Upon receiving this packet at port P1, the first switching hub SHB1 finds the VID (=10) of the VLAN to which the port P1 belongs from the table, assigns a tag inclusive of VD=10 to the received packet and transmits the packet from port P3 of VID=10. The third switching hub SHB3 transmits the received packet as is from its port P3 of VID=10. Upon receiving the packet, the router RT changes the VID value from 10 to 20 and changes the destination MAC address of the packet to the MAC address of the personal computer terminal PC4 by referring to the Layer-3 address of the destination and then transmits the packet from its port P1. The tagged packet is then transmitted to the second switching hub SHB2 via the ports P3, P2 of the third switching hub SHB3.
In accordance with the above-described VLAN, the foundation for next-generation LANs can be constructed flexibly while preserving the existing assets of an enterprise information system (intranet), and it is possible to achieve streamlining by integrating network administration and operation.
A method based upon MPLS (MultiProtocol Label Switching) is available as a method of constructing a VPN. MPLS is a protocol that introduces the concept of a path (a virtual communication path) into an IP network where the concept of a connection does not exist. The MPLS network adds a new field “label”, which is for identifying the connection, onto an IP packet, and the network router transmits the IP packet upon popping, pushing or swapping the label value of the “label” field. In accordance with MPLS, an IP connection-type service can be provided. Moreover, security can be assured on a per-connection basis and an IP private-line service, which serves as a substitute for a private line, can be provided efficiently by an IP network. This is a method having a very high degree of scalability. Further, a method of constructing a VPN using MPLS has been disclosed as RFC 2547BGP/MPLS VPNs. An IP VPN can be constructed on the Internet by this RFC method.
MPLS is situated intermediate Layer 2 and the IP layer. An ordinary router executes forwarding processing by referring to the IP header of an IP packet. However, a router which supports MPLS executes forwarding based upon the label provided between the IP header and L2 header without referring to the IP header.
FIG. 22 is a diagram useful in describing MPLS. Routers for MPLS are indicated at numerals 1 to 5. MPLS routers 1 and 5 constitute edge routers for making a connection to the outside of the MPLS network, and MPLS routers 2 to 4 constitute core routers within the MPLS network. A terminal device on the transmitting side is connected to the edge router 1 via a LAN or the like, and a terminal device at the destination having an IP address 10.1.100.0/24 is connected to the edge router 5 via a router and a LAN. If the two terminal devices are to communicate, an LSP (Label Switched Path) is set up between the edge routers 1, 5, to which the terminals are connected, in accordance with an LDP (Label Distribution Protocol) and through use of a label, and label tables 1a to 4a are formed in the MPLS routers 1 to 4, respectively, that form this LSP.
If a MAC frame containing an IP packet enters from a terminal device on the transmitting side under these conditions, the edge router 1 refers to the table 1a, attaches a shim header (described later), which is the MPLS header, to the MAC frame, attaches (pushes) “39”, which serves as the label, to the label field of the shim header, and then directs the frame to the next MPLS router 2. The latter refers to the table 2a, swaps label “37” for label “39” and then directs the frame to the next MPLS router 3. The latter refers to the table 3a, swaps label “36” for label “37” and then directs the frame to the next MPLS router 4. The latter refers to the table 4a, finds a label “pop” that conforms to the label “36”, nulls (pops) this label and then directs the frame to the next router 5. Upon receiving the frame having the null label, the edge router 5 removes the shim header of the MPLS from the MAC frame and directs the frame to the terminal device at the destination.
An LSR (Label Switching Router), which is a router for MPLS, is arranged to decide a route upon referring to IP-layer route information, such as routing table information, and to affix a label to this route. In other words, an LSR generates a label path automatically, in accordance with the LDP (Label Distribution Protocol), along a route decided by the IP routing protocol (IS-IS, OSPF, etc.).
FIG. 23 is a diagram useful in describing the manner in which a label path is set up. The MPLS router (LSR) 5, which is the edge router on the side of the destination terminal device, finds the upstream MPLS router (LSP) 4 in the direction of the MPLS router (LSR) 1 on the transmitting side using a routing protocol such as OSPF (Open Shortest Path First), requests the MPLS router (LSP) 4 to null the label and to then transmit the frame, and sends the IP address (=10.1.100.0/24) of the destination terminal device.
As a result, the MPLS router (LSR) 4 finds the available label value (=36), finds the MPLS router (LSP) 3 in the direction of the MPLS router (LSR) 1 on the transmitting side using the routing protocol, requests the MPLS router (LSP) 3 to make the label “36”and to then transmit the frame, and sends the IP address (=10.1.100.0/24) of the destination terminal device. The MPLS router (LSP) 4 creates the label table 4a. The latter includes (1) the local label (=36), (2) the outgoing label (=pop label), (3) a prefix (=10.1.100.0/24), (4) an outgoing interface (=Ethernet 6) for interfacing the MPLS router (LSR) 5, and (5) next hop [=the IP address of the MPLS router (LSR) 5]. The MPLS router (LSR) 3 and the MPLS router (LSR) 2 similarly create the label tables 3a, 2a, respectively, and the MPLS router (LSR) 1, which is the edge router, creates the label table 1a. 
If under these conditions a MAC frame having an IP packet the destination IP address of which is 10.1.100.0/24 enters the edge router 1 from the terminal on the transmitting side, the MPLS header is assigned to the frame, the frame is transmitted over the MPLS network while the label value of the label field is pushed, swapped and popped, and the frame is transmitted to the destination terminal device upon having its MPLS header removed by the edge router 5a, as described above in conjunction with FIG. 22.
FIG. 24 is a diagram useful in describing the structure of a shim header, which is the MPLS header, and the position at which the shim header is inserted into a Layer-2 frame (MAC frame). Characters M1, M2, M4 and M5 in FIG. 24 represent a MAC destination address (MAC DA), a MAC source address (MAC SA), type and IP packet (IP header, TCP header, data), respectively. A shim header M6 is inserted between the Layer-2 header and the IP header. The shim header M6 has a 20-bit label field, a 3-bit EXP field, a 1-bit S field and an 8-bit TTL field.
With MPLS, shim headers can be stacked and such stacking makes it possible to construct a VPN. More specifically, as shown in (A) of FIG. 25, two shim headers M6, M7 are forwarded upon being stacked in one IP frame. As shown in (B) of FIG. 25, the label (Layer-1 label) of the first shim header M6 is used for forwarding within the MPLS network, and the label (Layer-2 label) of the second shim header M7 is used to identify the VPN line connected to the edge routers 1 and 5. That is, the second label is used for VPN identification. The second label can also be used to identify the user line.
FIG. 26 is a diagram useful in describing MPLS/VPN for implementing an IP-VPN by stacking two labels in accordance with the prior art. Here it is assumed that the user of a VPN A communicates via the edge routers 1 and 5. The edge routers 1, 5 assign VPN-IDs (VPN identifiers) per individual user-line interfaces beforehand. In FIG. 26, the edge router 1 assigns a VPN-ID of 13 to a network address 192.168.0. X possessed by the VPN-A site, and the edge router 5 assigns a VPN-ID of 13 to a network address 192.168.1. X possessed by the VPN-A site and assigns a VPN-ID of 14 to a network address ZZZ.ZZZ.Z.Z possessed by a VPN-V site.
Next, in accordance with an iBGP (interior Border Gateway Protocol), the edge router 5 on the receiving side reports the label information to the edge router 1 on the transmitting side per combination of VPN-ID and network address. The iBGP is a protocol for exchanging route information and the like over a TCP connection. The routers situated at the edge of the MPLS network send and receive VPN information to and from each other without the intervention of a core router. In the illustrated example, the edge router 5 on the receiving side uses iBGP to notify the edge router 1 on the transmitting side that the label of “192.168.1. X, VPN-ID=13” is “3” and that the label of “ZZZ.ZZZ.Z.Z, VPN-ID=14” is “4”. On the basis of this information, the edge router 1 creates label tables 1a, 1b on a per-VPN-ID basis.
In concurrence with the foregoing, each MPLS router sets up a label table for forwarding the packet within the MPLS network by the LDP (Label Distribution Protocol), as described above in connection with FIGS. 22 and 23. As a result, “5” is reported from the core router 2 to the edge router 1 as the label for MPLS forwarding of the destination 192.168.1. X, “5” is reported as the label for MPLS forwarding of the destination ZZZ.ZZZ.Z.Z and these are added to the label tables 1a, 1b. 
If an IP packet enters from the user site (transmission source VPN-ID=13) of VPN A under conditions in which the table 1a has been created as set forth above, the edge router 1 refers to the table 1a based upon the transmission source VPN=13 and destination address 192.168.1. X, finds the label (=3) for VPN identification and the label (=5) for MPLS forwarding, attaches these two labels to the packet and transmits the packet to the core router 2. The latter refers to the label (=5) for MPLS forwarding and executes forwarding processing. If the packet arrives, the edge router 1 on the receiving side refers to the label (=3) for VPN identification, determines that the VPN is VPN A, removes the label and sends the packet only to the user site of VPN A.
It should be noted that the foregoing is an example in which two label tables are provided. In actuality, edge routers are provided with tables the number of which is equivalent to the number of source VPN-IDs and each table holds VPN identification labels and MPLS forwarding labels mapped to combinations of transmission source VPN-IDs and destination IP addresses.
FIG. 27 is a diagram useful in describing MPLS/VPNs according to the prior art. This is an example in which an MPLS network is constructed by the network of a communications provider. Shown in FIG. 27 are an MPLS network 11 belonging to the provider, provider edge routers (PE routers) 12, 13, 14 situated at the edge of the MPLS network, core routers 15 to 18 situated with in the MPLS network, customer systems (intranets) 21 to 24, and customer edge routers (CE routers) 25 to 28 situated at the edges of the customer systems. The PE routers 12 to 14 are routers which support Layer-2 MPLS and are VPN-aware. The PE router on the transmitting side adds a VPN identification label (VPN-ID) and an MPLS forwarding label, which have been set in a table beforehand, to a packet that enters from the CE router. Upon receiving this packet, the PE router on the receiving side sends the packet to the customer system that corresponds to the VPN identification label (VPN-ID). In the example of FIG. 27, the VPN A is formed by the customer systems 21, 22 and the VPN B is formed by the customer systems 23, 24. Accordingly, the terminal devices of each customer system in VPN A can access only the terminal devices in VPN A and cannot access the terminal devices in VPN B. Similarly, the terminal devices in VPN B can access only the terminal devices in VPN B.
Thus, if the same VPN-ID is assigned only to the same enterprise group, it is possible to construct an IP-VPN in which this group will not be accessed from another enterprise group and cannot transmit data to another enterprise group. Hence, the IP-VPN is closed within the same enterprise group.
The VLAN-based method of constructing a VPN is advantageous in that a VPN can be constructed easily and with little investment in equipment by assigning a unique VID to each customer on the network. However, the VID field is a maximum of 12 bits, meaning that only 4096 VIDs can be set if this is expressed as a decimal number. As a consequence, if users requesting VIDs in 1excess of 4096 appear, the system will no longer be able to cope, it will not be possible to meet the demand for networks of larger scale and scalability will be inadequate.
With the MPLS-based method of constructing a VPN, on the other hand, the label area expressing the VPN identifier is composed of 20 bits. This is advantageous in that as compared with VLAN-based construction, many more VPNs can be set up, it will be possible to cope with the growth of the Internet and greater scalability can be provided. However, with the MPLS-based method of constructing a VPN, a costly MPLS-capable router must be installed close to the user and it is necessary that one port of an edge router be prepared for the user. The problem which arises is a very large investment for equipment.