This invention relates to Virtual Private Networks (VPNs) and methods of their operation. More particularly, this invention relates to methods and apparatus enabling Network Service Providers (NSPs) to provide virtual local area networks (VLANs) services to groups of customers.
Transparent LAN Service (TLS) is a data service offered by carriers (such as Bell(trademark) Canada, ATandT(trademark) and MCIWORLDCOM(trademark)) today through equipment provided by a variety of manufacturers (such as, for example, Nortel Networks(trademark)). The TLS provides native LAN connectivity between several LANs at geographically dispersed sites. The demand for TLS is growing rapidly.
A TLS is typically offered in a metropolitan area including neighboring municipalities. The service and the network to provide the service can be characterized as a virtual private networking service. An individual customer""s transparent LAN or VPN, comprised of many LAN sites dispersed across a geographical area, must be secure and separated from other customer""s transparent LANs. A customer""s sites scattered across a metro area are linked together by the TLS forming a VPNxe2x80x94a group of interconnected LANs that appears to the user as a single, co-located LANxe2x80x94and are isolated from other VPNs provided by the TLS carrier.
Typically a user""s interface to a Transparent LAN Service is a conventional LAN networking protocol such as, for example, Ethernet. TLS is transparent in that the customer appears to access to its own networking media (such as Ethernet) when in reality the media is a shared network with mechanisms to separate the traffic from different VPNs.
Many conventional implementations of the TLS service have been provided using a connection oriented approach. This connection oriented approach typically involves the use of Asynchronous Transfer Mode (ATM) service access Multiplexers (MUXes), ATM switches and Synchronous Optical Network (SONET) add/drop multiplexers (ADMs). However, this connection oriented approach encounters severe scaling problems due, in part, to Permanent Virtual Circuit (PVC) proliferation. Provisioning a fully associated or meshed connection oriented network (that is each node, such as a LAN, is able to communicate with each other node or LAN in the VPN) results in a significant increase in the number of connections, such as PVCs. Moreover, typical PVCs are provisioned to a customer based on a customer""s maximum bandwidth requirement. However, since data traffic is typically xe2x80x9cburstyxe2x80x9d and the dedicated circuits or connections typically provide a fixed bandwidth, the dedicated connections are frequently operating below capacity.
Moreover, the EEE 802.1 standard, the contents of which are hereby incorporated herein, defines a protocol that enables an Ethernet LAN to be partitioned in multiple virtual LANs (VLANs) through the use of a VLAN tag carried in the header of each frame of data. The VLAN tag identifies the VLAN for which the data frame is intended. However, this VLAN tag, defined in the IEEE 802.1 standard as having a twelve bit capacity, limits the number of distinct VLANs, that a carrier, also known as a Network Service Provider (NSP), can accommodate to 4095 (212xe2x88x921) VLANs.
Accordingly, a TLS service that enables a carrier to support many (i.e., more than 4095) Virtual Private Networks (VPNs) and a TLS which is scalable and easy to administer is desired.
A method and an apparatus is disclosed providing Virtual Private Networks (VPNs) to be provisioned over a connectionless network. The method and apparatus provides for a large number VPNs to be provisioned (at least 224 VPNs and as many as approximately 240 VPNs).
Conventional LAN data frames (such as Ethernet frames) are received by an apparatus (an interWAN Packet Transportxe2x80x94iPT card) embodying one aspect of the invention. This receiving or xe2x80x9cingressxe2x80x9d iPT card connects a conventional LAN to a wide area transport media such as, for example, a SONET network. Each LAN data frame received will include a destination address of the ultimate destination (for example, a destination media access controlxe2x80x94MACxe2x80x94address, which is a hardware level address that uniquely identifies each node in a network). Based on the destination address incorporated in the LAN data frame, the iPT card will attempt to retrieve address information corresponding to an xe2x80x9cegressxe2x80x9d iPT card from a stored database (the egress iPT card being connected to the LAN including the ultimate destination). If the ingress iPT card""s database has such information, then the LAN data frame is encapsulated in a packet including the retrieved address information. If the egress iPT card is connected to the same transport media as the ingress iPT card (e.g., the iPT cards are connected to the same SONET ring), the address information may include a destination MAC address for the egress iPT card. If the egress iPT is not connected to the same transport media as the ingress iPT card (e.g., the two iPT cards are connected to separate SONET rings), the address information may also contain a secondary destination address such as, for example, an Internet Protocol (IP) address in addition to the other information (e.g., the MAC address of the egress iPT card). The encapsulated LAN data frame will then be routed to the egress iPT card and then to its ultimate destination.
In the event that the ingress iPT card does not include an entry corresponding to the address specified in the destination address portion of the received LAN data frame, a multicast address will be used to encapsulate the received LAN data frame. These multicast encapsulated data frames are then transmitted to all egress iPT cards servicing the particular VPN.
On receipt of an encapsulated LAN data frame, an egress iPT card strips off the header portion, thereby regenerating the original LAN data frame, and forwards this regenerated LAN data frame to its ultimate destination. The header stripped from the encapsulated LAN data frame received by the egress iPT card is then used to populate the egress iPT card""s database. This database uses the address information of the source of the LAN data frame (i.e., the source address of the original sending entity and the address information of the ingress iPT card) for LAN data frames received by the egress iPT card for transmission to another iPT card.
According to one aspect of the invention, there is provided a system of providing communication between a first and a second Local Area Network (LAN), the first and second LANs interconnected by a connectionless network, the system comprising: a first network interface connecting the first LAN to the connectionless network, the first receiving device for: receiving conventional LAN data frames; determining an address of a second network interface responsive to destination information in the received conventional LAN data frames, the second network interface connecting the second LAN to the connectionless network; and encapsulating the conventional LAN data frames received at the first network interface with the address of the second network interface; a router for routing the conventional LAN data frames encapsulated with the address to the second network interface over the connectionless network; the second network interface connecting the second LAN to the connectionless network, the second network interface for: receiving conventional LAN data frames encapsulated with the address; re-generating the conventional LAN data frames from the conventional LAN data frames encapsulated with the address; and transmitting the re-generated conventional LAN data frames to the second LAN; and wherein the determining comprises: determining an identifier uniquely identifying a virtual private network (VPN) comprising at least the first and second LANs; accessing a routing table stored at the first network interface; where possible, retrieving, from the routing table a unique address of the second network interface responsive to a destination address stored in the received LAN data frames and the determined identifier, the unique address comprising an EP address; and if the routing table does not contain the unique address for the destination information, retrieving a multicast address, the multicast address representative of all LANs forming part of the VPN and comprises an IP multicast address; and wherein the encapsulating comprises encapsulating the conventional LAN data frames with the determined identifier and one of the unique address of the second network interface and the multicast address.
According to one aspect of the invention, there is provided a device providing communication between a first and a second Local Area Network (LAN), the first and second LANs in communication by a connectionless network, the device comprising: an input interface in communication with the first LAN; an output interface in communication with the connectionless network; a storage media storing data frames received from the first LAN received via the input interface, data packets and frames for transmission to the second LAN through the output interface; and a processor, the processor adapted to: receive conventional LAN data frames received from the first LAN through the input interface, the received data frames destined for the second LAN; determine, responsive to the received conventional LAN data frames, routing information for routing the received conventional LAN data frames to the second LAN, the routing information comprising an Internet Protocol (IP) address; encapsulate the received conventional LAN data frames with the routing information; transmit the encapsulated conventional LAN data frames to the connectionless network over the output interface; receive encapsulated conventional LAN data frames from the connectionless network from the output interface; generate conventional LAN data frames from the received encapsulated conventional LAN data frames; and transmit the generated conventional LAN data frames to the first LAN by the input interface.
According to one aspect of the invention, there is provided a method of transmitting conventional Local Area Network (LAN) data frames from a first to a second LAN, the first and second LAN interconnected by a connectionless medium, the method comprising: receiving the conventional LAN data frames from the first LAN destined for the second LAN; determining, responsive to the received conventional LAN data frames, routing information for transmittal of the conventional LAN data frames to the second LAN; encapsulating the received conventional LAN data frames with the routing information; transmitting the encapsulated received conventional LAN data frames to the connectionless medium; receiving encapsulated conventional LAN data frames from the connectionless medium destined for the first LAN; generating conventional LAN data frames responsive to the received encapsulated conventional LAN data frames; and transmitting the generated conventional LAN data frames to the first LAN; wherein the determining routing information comprises: determining an identifier uniquely identifying a VPN comprising the first LAN and second LAN; determining from the received conventional LAN data frames the destination for the received conventional LAN data frames; and retrieving, from a database and responsive to the determined destination, an Internet Protocol (IP) address of an egress location forming part of the connectionless medium servicing the determined destination, if the database does not contain an entry for the determined destination, the retrieved address comprising an IP multicast address comprising egress locations servicing the VPN.
According to one aspect of the invention, there is provided a method for facilitating communication in a virtual private network (VPN), the VPN comprising a plurality of local area networks (LANs) each interconnected through a network interface to a connectionless network, comprising, at a first network interface of a first LAN of the VPN: receiving conventional LAN data frames on the first LAN, the conventional LAN data frames having destination information; determining an identifier uniquely identifying the VPN; searching a routing table with the destination information and the identifier for a unique IP address of another network interface of another LAN of the VPN; if the routing table does not contain the unique address, retrieving a multicast IP address for all network interfaces of the plurality of LANs of the VPN; encapsulating the conventional LAN data frames with the identifier and one of the unique IP address and the multicast IP address; and transmitting the encapsulated frames on the connectionless network.
According to one aspect of the invention, there is provided a first network interface for a first local area network (LAN) of a virtual private network (VPN), the VPN comprising a plurality of LANs each interconnected through a network interface to a connectionless network, comprising: means for receiving conventional LAN data frames on the first LAN, the conventional LAN data frames having destination information; means for determining an identifier uniquely identifying the VPN; means for searching a routing table with the destination information and the identifier for a unique address of another network interface of another LAN of the VPN, the unique address comprising an EP address of the another network interface; means for, if the routing table does not contain the unique address, retrieving a multicast address for all network interfaces of the plurality of LANs of the VPN, the multicast address for the all network interfaces comprising a multicast IP address; means for encapsulating the conventional LAN data frames with the identifier and one of the unique address and the multicast address; and means for transmitting the encapsulated frames on the connectionless network.
According to one aspect of the invention, there is provided a Virtual Private Network (VPN) data signal embodied on a carrier wave, the VPN data signal generated from a received conventional LAN data frame, the conventional LAN data frame comprising a LAN destination address, a LAN source address, a LAN payload and a LAN error checking portion, the VPN data signal comprising: an egress destination address of an egress network interface, the egress network interface servicing an egress destination corresponding to the LAN destination address and wherein the egress destination address comprises an Internet Protocol (IP) address; an ingress source address of an ingress network interface, the ingress network interface servicing an ingress source corresponding to the LAN source address and wherein the ingress source address comprises an IP address; the LAN destination address; the LAN source address; the LAN payload; and an error checking portion generated from the egress destination address, the ingress source address, the LAN destination address; and the LAN source address and the LAN payload.
According to one aspect of the invention, there is provided a system of providing communication between a first and a second Local Area Network (LAN), the first and second LANs interconnected by a connectionless network, the system comprising: a first network interface connecting the first LAN to the connectionless network, the first receiving device for: receiving conventional LAN data frames; determining an address of a second network interface responsive to destination information in the received conventional LAN data frames, the second network interface connecting the second LAN to the connectionless network; and encapsulating the conventional LAN data frames received at the first network interface with the address of the second network interface; a router for routing the conventional LAN data frames encapsulated with the address to the second network interface over the connectionless network; the second network interface connecting the second LAN to the connectionless network, the second network interface for: receiving conventional LAN data frames encapsulated with the address; re-generating the conventional LAN data frames from the conventional LAN data frames encapsulated with the address; and transmitting the re-generated conventional LAN data frames to the second LAN; and wherein the determining an address comprises: determining an identifier uniquely identifying a virtual private network (VPN) comprising at least the first and second LANs; accessing a routing table stored at the first network interface; where possible, retrieving, from the routing table a unique address of the second network interface responsive to a destination address stored in the received LAN data frames and the determined identifier; and if the routing table does not contain the unique address for the destination information, retrieving a multicast address, the multicast address representative of all LANs forming part of the VPN and comprises an IP multicast address; and wherein the encapsulating comprises encapsulating the conventional LAN data frames with the determined identifier and one of the unique address of the second network interface and the multicast address; and wherein the routing comprises: receiving the encapsulated conventional LAN data frames at a first Network Network Interface (NNI) of the router; modifying the encapsulated conventional LAN data frames to have a conventional LAN data frame header and LAN data frame payload, the modified encapsulated conventional LAN data frame recognizable by a conventional routing switch of the router; routing, by the routing switch, the modified encapsulated LAN data frame to a second NNI of the router; generating, at the second NNI, an encapsulated conventional LAN data frame from the modified encapsulated data LAN data frame; and transmitting the generated encapsulated conventional LAN data frame to the second network interface.
Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.