1. Field of the Invention
The present invention relates generally to communications networks and more particularly to communications systems having various types of virtual local area networks and established rules of precedence for matching a communication packet with a particular virtual local area network.
2. Discussion of the Related Art
Local area networks (LANs) are used to facilitate communications between a number of users. Individual LANs may be bridged together to allow a larger number of users to communicate amongst themselves. These bridged LANs may be further interconnected with other bridged LANs using routers to form even larger communications networks.
FIG. 1 depicts an exemplary interconnected bridged LAN system. The numerals 10, 20, 30, etc., are used to identify individual LANs. Bridges between LANs are designated by the numerals 5, 15, 25 and 35. A router between bridged LAN 100 and bridged LAN 200 is identified with the reference numeral 300. In the bridged LAN system depicted, a user A is able to communicate with a user B without leaving the LAN 10. If user A desires to communicate with user C in LAN 20 or user D in LAN 30, the communication is transmitted via bridges 5 and 15.
If user A desires to communicate with user E, the communication must be routed via router 300 to bridged LAN 200. As will be understood by those skilled in the art, bridges operate at layer 2 of the OSI network model and transparently bridge two LANs. It is transparent to users A and C that communications between them are ported over bridge 5 because layer 2 bridges do not modify packets, except as necessary to comply with the type of destination LAN. However, if user A wishes to communicate with user E, the communication must be ported via router 300, which operates at layer 3 of the network model. Accordingly, communications over routers flow at a much slower rate than communications over a bridge, and therefore communications are regulated by the routers.
Therefore, LAN network administrators generally attempt to connect together those users who frequently communicate with each other in bridged LANs. However, if the bridged LAN becomes too large, it becomes unscalable and may experience various well-known problems. Accordingly, routers are used to interconnect bridged LANs so that the bridged LANs themselves can be kept to an acceptable size. This results in delays in communications between users which are transmitted via the router 300. If, for example, in FIG. 1, user E and user A need to communicate frequently, it would be advantageous to interconnect LAN 10 and LAN 50 via a bridge rather than the router 300. This would require the rewiring of the system which is costly and may be impracticable under many circumstances, such as, if users A and E will only need to frequently communicate for a limited period of time.
Virtual LANs (VLANS) have recently been developed to address the deficiencies in interconnected bridged LAN systems of the type depicted in FIG. 1. VLANs allow LANs to be bridged in virtually any desired manner, i.e., independent of physical topology, with switches operating at layer 2. Hence, the switches are transparent to the user. Furthermore, the bridging of LANs can be changed as desired without the need to rewire the network. Because members of one VLAN cannot transmit to the members of another VLAN, a firewall is effectively established to provide security which would not be obtainable in a hardwired interconnected bridged LAN system. Accordingly, VLAN systems provide many advantages over interconnected bridged LANs.
For example, as shown in FIG. 2, individual LANs 10, 20, 30, 40, 50, 60, 70, 80, 90 (10-90) are interconnected by layer 2 switches 5′, 15′, 25′, 35′, 45′, 55′ (5′-55′). A network management station (NMS) 290 controls the interconnection of the individual LANs such that LANs can be easily bridged to other LANs on a long term or short term basis without the need to rewire the network. As depicted in FIG. 2, the NMS 290 has configured two VLANs by instructing, e.g., programming, and thereby configuring the switches 5′-55′ such that LANs 10-60 are bridged together by switches 5′, 15′, 55′, 35′ to form VLAN 100′ and LANs 70-90 are bridged together by switches 45′ and 55′ to form VLAN 200′. This is possible because, unlike the bridges 5-35 of FIG. 1, which include only two ports, and accordingly are able to only transfer information from one LAN to another LAN, the switches 5′-55′ are multi-ported and programmable by the NMS 290 such that the network can be configured and reconfigured in any desired manner by simply changing the switch instructions.
As shown in FIG. 2, the switch 55′ has been instructed to transmit communications from user A of LAN 10 to user E of LAN 50, since both users are configured within VLAN 100′. User A, however, is not allowed to communicate with users H or F since these users are not configured within the VLAN 100′ user group. This does not, however, prohibit users F and H, both of whom are members of VLAN 200′, from communicating with one another via switches 45′ and 55′.
If it becomes desirable to change the network configuration, this is easily accomplished by issuing commands from NMS 290 to the applicable switches 5′-55′. For example, if desired, user H could be easily added to VLAN 100′ by simply reconfiguring VLAN 100′ from the NMS 290. The NMS 290 issues an instruction to switch 55′, instructing switch 55′ to allow communications to flow between users A-D and E and user H via switch 55′, i.e., to include LAN 90 in VLAN 100′ and remove it from VLAN 200′.
Because the switches 5′-55′ are layer 2 switches, a bridge formed by the switch is transparent to the users within the VLAN. Hence, the transmission delays normally associated with routers, such as the router 300 of FIG. 1, are avoided. The flexibility of the VLAN lies in its ability to have its network configuration controlled through software on the NMS 290. More particularly, in accordance with its programmed instructions, the NMS 290 generates and transmits signals to instruct the switches 5′-55′ to form the desired VLAN configurations.
In a conventional LAN protocol, a communication packet 400, as shown in FIG. 3, includes a destination address 118 having six bytes, a source address 116, and message data 112. The packet 400 also includes an indication of the applicable LAN protocol identifier 114.
FIG. 5 is a schematic of a conventional VLAN system. The VLAN system includes LANs 205-260 which are connected by switches 270-280 to a high-speed LAN backbone or trunk 265. An NMS 290 is interconnected to the switches 270-280 via LAN 260. The NMS 290 is interconnected via LAN 260 as an example and could be interconnected to switches 270-280 via any of the LANs 205-260. A trunk station 285 is connected to the high-speed LAN backbone 265 via a trunk port 315. The LANs 205-215, and 230-235 have designated members F-J. LANs connect to each of the switches 270-280 by a plurality of access ports 305. For example, switch 270 is connected via access ports 305 to LANs 205-220.
Each switch is capable of interconnecting a LAN connected via an access port 305 with another LAN connected via an access port 305. For example, switch 270 can be instructed by the NMS 290 to interconnect LAN 205 to LAN 215 by configuring a VLAN including LANs 205 and 215, thereby enabling communications between members F and H.
Each switch is also capable of interconnecting a LAN connected by an access port 305 with a LAN connected to another switch by an access port 305 via high-speed LAN backbone 265. For example, switches 270 and 275 can be instructed by the NMS 290 to interconnect LANs 205 and 230 by configuring a VLAN including LANs 205 and 230, thereby enabling communications between member E of LAN 205 and member I of LAN 230.
FIG. 4 depicts a VLAN communications packet 400′ which is similar to the LAN communications packet 400 depicted in FIG. 3, except that a VLAN header has been added to the packet. The VLAN header is added by the initial switch to which the message packet is directed. The VLAN header identifies the resulting packet as a "VLAN" or "tagged" packet, and represents the particular VLAN from which the packet originated. The VLAN header, as shown, includes a destination address 126 which is the same address as the destination address 118, a source address 124 which is the same as source address 116, a protocol identifier 122, and a VLAN tag 120 identifying the applicable VLAN.
For example, if LANs 205, 220 and 230 of FIG. 5 are within a single VLAN and member E of LAN 205 desires to communicate with member I of LAN 230, the message 400 of FIG. 3 is directed to access port 305 of the switch 270. The switch determines, based upon instructions previously received from the NMS 290, that the LAN 205 falls within the applicable VLAN and, accordingly, adds the appropriate VLAN header to the packet to form packet 400′, as shown in FIG. 4. The packet 400′ is then directed via trunk port 315 to the high-speed backbone LAN 265 and detected by switches 275 and 280.
Because switch 280 lacks any access ports connected to LANs within the applicable VLAN, switch 280 discards the packet 400′. Switch 275, however, identifies the VLAN header of packet 400′ as associated with a VLAN which includes LAN 230. The switch 275 accordingly removes the VLAN header and directs the packet, which now appears as packet 400 of FIG. 3, to LAN 230 over which the member I receives the message.
Many trunk stations, such as trunk station 285, are incapable of recognizing VLAN headers. Further, since no programmable switch is disposed between a trunk station and the trunk, communications, i.e. packets, with a VLAN header will be ignored and/or discarded by the trunk station. Hence, in a conventional VLAN system, such as that shown in FIG. 5, the trunk stations, e.g., trunk station 285, form part of a default group.
The default group is a group of system users or end stations not within any VLAN. For a communication packet sent by a system user within the default group, the initial switch to which the packet is directed determines that the system user does not fall within any VLAN, and consequently does not add a VLAN header.
The NMS 290 of the system shown in FIG. 5 is capable of configuring different types of VLANs as is understood by those skilled in the art. For example, VLANs may be port-based, address-based, protocol-based, port and protocol-based, or address and protocol-based. When the NMS 290 configures a VLAN, the NMS instructs the appropriate switches to identify the VLAN for packets received at the switch. Identifying the appropriate VLAN for a packet enables the switch to transmit the packet over the appropriate VLAN.
For a port-based VLAN, the NMS configures the VLAN to include LANs connected at certain access ports 305 of certain switches. The NMS instructs each certain switch to identify the VLAN for a packet based upon the access port at which the packet is received.
For an address-based VLAN, the NMS configures the VLAN to include certain addresses. If a switch is connected to a LAN at an access port 305 that includes one of the certain addresses, the NMS instructs the switch to identify the VLAN for a packet when received at the access port based upon the source address 116 included in the packet.
For a protocol-based VLAN, the NMS 290 configures the VLAN based upon a system user's ability to transmit and receive communications following a particular protocol, whether that protocol is proprietary or open. The NMS instructs the switches to identify the VLAN based upon the protocol identifier 114 included in the packet received at an access port 305.
For port and protocol-based VLANs, the NMS 290 instructs the switches that include certain access ports to identify the VLAN for a packet based upon the access port at which the packet is received and the protocol identifier 114 included in the packet received. For address and protocol-based VLANs, the NMS 290 instructs the switches connected to certain addresses to identify the VLAN for the packet based on the source address 116 and the protocol identifier 114 included in the packet.
FIG. 6 depicts a system with various LANs 205-260 configured into a number of different types of VLANs 800-1200 by the NMS 290 in a conventional manner. VLAN 800 is a port-based VLAN including LANs 210, 235, and 240. VLAN 900 is an address-based VLAN including addresses K, V, L, N, U, Q, R, S, and T. VLAN 1000 is a protocol-based VLAN including protocol P1. Protocol-based VLAN 1000 is not explicitly depicted in FIG. 6 because any packet may be identified with VLAN 1000 if the packet includes a protocol identifier for protocol P1. As the name "protocol-based" implies, VLAN 1000 is independent of the address of the system user, or the port connected to the LAN on which the system user resides. VLAN 1100 is a port and protocol-based VLAN including LANs 235, 240, 245, and 250 and protocol P1. Finally, VLAN 1200 is an address and protocol-based VLAN including addresses K, L, M, U, Q, T and protocol P1.
The depiction of VLANs 1100 and 1200 in FIG. 6 is for description purposes only because membership in each of these VLANs is also determined by the protocol P1. For a packet transmitted from one of the LANs 235-250 to be identified with port and protocol-based VLAN 1100, the packet must include a protocol identifier for protocol P1. Similarly, for a packet transmitted from one of the addresses K, L, M, U, Q, or T to be identified with address and protocol-based VLAN 1200, the packet must include a protocol identifier for protocol P1. VLANs 1100 and 1200 are depicted as such in FIG. 6 to illustrate the configuration of different types of VLANs.
As can be seen from the system of FIG. 6, some of the VLANs overlap. For example, a packet transmitted from address K will be identified with address-based VLAN 900, and port-based VLAN 800 because address K resides on LAN 210, which is included in VLAN 800. Furthermore, if a packet transmitted from address K includes a protocol identifier for protocol P1, the packet may be identified with VLAN 1000. Another example of overlap affects packets transmitted from LAN 240 which will be identified with port-based VLAN 800 and may be also identified with protocol-based VLAN 1000 and port and protocol-based VLAN 1100 if the packet includes a protocol identifier for protocol P1. The problems associated with overlap are discussed below.
In view of the different types of VLANs, each of the switches 270-280 must be programmed to consider all of the various communications characteristics which are necessary to associate a communication packet received at an access port with a VLAN. For example, switch 270 is programmed to consider the port, the address, as well as the protocol to determine if a communication received via one of its access ports should be tagged with a VLAN header representing VLAN 800, 900, 1000, or 1200. Switch 275 must be programmed to consider the port, the address, and the protocol to determine if a communication received via one of its access ports should be tagged with a VLAN header representing VLAN 800, 900, 1000, 1100, or 1200. Switch 280 must be programmed to consider the port, the address, and the protocol to determine if a communication received via one of its access ports should be tagged with a VLAN header representing VLAN 900, 1000, 1100, or 1200.
In each case presented above, it should be noted that switches must be programmed to consider some characteristics jointly. For example, switches 270 and 280 must be programmed to consider jointly the address and protocol to ensure that communications received from address K or addresses Q and T are properly tagged with a VLAN header representing VLAN 1200. Switches 275 and 280 must be programmed to consider jointly the port and protocol to ensure that communications received from LANs 235 and 240, or 245 and 250, respectively, are properly tagged with a VLAN header representing VLAN 1100.
Although it is known to configure different types of VLANs within a VLAN system based upon characteristics such as those previously described, problems arise in attempting to implement such systems. More particularly, under certain circumstances, overlap of VLANs may occur such as depicted in FIG. 6. Overlap occurs when a communication packet received at a switch can be identified with more than one VLAN. When overlap occurs, a switch may become confused as to which VLAN of multiple VLANs of different types should be identified for transmission of a received communication. Consequently, the switch will be confused as to which VLAN header should be added to the communication.
Overlap can cause a degree of uncertainty as to which of the users in a system of multiple VLANs may be able to communicate with each other and which users cannot communicate with each other. More critically, because of overlap, the goal of the network manager in configuring these VLANs may not be realized. Specifically, certain parts of the network which should be able to communicate with each other may not be able to do so, while other parts of the network which were not intended to be allowed to communicate with each other may be able to do so.
For example, in the FIG. 6 VLAN configurations, when switch 275 receives a communication with a protocol identifier for protocol P1 from LAN 235, it could choose to classify the communication in either VLAN 800, 1000, or 1100 because switch 275 will be programmed to consider the port, the protocol, and the port and protocol jointly. Similarly, when switch 280 receives a communication with a protocol identifier for protocol P1 from the system user at address Q on LAN 245, it may choose to classify it in either VLAN 900, 1000, 1100, or 1200 because switch 280 will be programmed to consider the address, the protocol, the port and protocol jointly, and the address and protocol jointly. Whatever choice is made by switches 275 and 280 in the scenarios described above will limit connectivity of attached system users in different ways. Therefore, these areas of overlap must be resolved in a deterministic manner, and in the same way by each switch, in order to have meaningful configurations and communications capability.
Accordingly, a need exists for a VLAN system that is capable of configuring various types of VLANs while ensuring that communications received from areas of VLAN overlap are clearly associated, tagged, and transmitted with the proper VLAN tag resulting in system behavior that is predictable and is in accordance with the expectations of network connectivity at the time of configuration of these VLANs.
Accordingly, the present invention provides rules of precedence for directing communications within different types of VLANs, in order to provide for predictable and desirable network behavior when there are areas of the network in which there is overlap in VLAN configurations, and to allow conflict resolutions by switches in the VLAN system.
Advantageously, switches are provided that route communications to addressees, within a VLAN system capable of configuring multiple types of VLANs, based upon predefined rules of precedence.
Advantageously, switches route communications to addressees, within a VLAN system capable of configuring multiple types of VLANs, in a secure manner. Physical security is ensured by giving a higher precedence to port-based VLAN classifications than to other types of VLAN classifications.
In accordance with the present invention, a switch is provided for use in a virtual communications system having multiple local area networks interconnected by multiple switches so as to be configurable into different types of virtual local area networks. The different types of virtual local area networks may include, for example, port-based networks, address-based networks, protocol-based networks, port and protocol-based networks, and address and protocol-based networks. The switch is preferably a multi-ported reconfigurable switch and includes a first communications port, e.g. an access port, connected directly to a local area network and a second communications port, e.g. a trunk port, interconnected with other system switches typically via a backbone LAN or trunk. A switch control detects a communication from the local area network at the first port and identifies a virtual local area network over which the communication is to be transmitted based upon rules of precedence for different types of virtual local area networks. The rules of precedence preferably provide (i) the port and protocol-based virtual networks precedence over the port-based virtual networks, (ii) the port-based virtual networks precedence over the address and protocol-based virtual networks, (iii) the address and protocol-based virtual networks precedence over the address-based virtual networks, and (iv) the address-based virtual networks precedence over the protocol-based virtual networks.
Typically, the communication will include at least a source address and a protocol identifier, which the switch control detects, along with the port at which the communication is received, to identify the VLAN. After the VLAN has been identified, the switch control adds a VLAN tag representing the identified VLAN to form a VLAN communication. The switch control then directs the VLAN communication to the second communication port for transmission over the identified virtual local area network.
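The following Python model is an added illustration, not code from the patent or any product: it encodes the FIG. 6 VLANs as sample data, lists every VLAN a packet overlaps with, and resolves the overlap with the precedence rules (i)-(iv) before adding the FIG. 4 style VLAN tag. The source address "X" used for the LAN 235 case, the LAN number 255 and the packet field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Rank of each VLAN type under rules (i)-(iv); the lowest rank wins.
PRECEDENCE = {
    ("port", "protocol"): 0,
    ("port",): 1,
    ("address", "protocol"): 2,
    ("address",): 3,
    ("protocol",): 4,
}


@dataclass(frozen=True)
class Vlan:
    tag: int                            # value carried in the VLAN tag 120
    criteria: tuple                     # packet characteristics this VLAN type tests
    lans: frozenset = frozenset()       # LANs (access ports) in a port-based VLAN
    addresses: frozenset = frozenset()  # member source addresses
    protocol: Optional[str] = None      # required protocol identifier 114

    def matches(self, lan: int, src: str, proto: str) -> bool:
        """True when the packet satisfies every criterion of this VLAN type."""
        checks = {
            "port": lan in self.lans,
            "address": src in self.addresses,
            "protocol": proto == self.protocol,
        }
        return all(checks[c] for c in self.criteria)


# Constructed sample configuration following the FIG. 6 description.
FIG6_VLANS = (
    Vlan(800, ("port",), lans=frozenset({210, 235, 240})),
    Vlan(900, ("address",), addresses=frozenset("KVLNUQRST")),
    Vlan(1000, ("protocol",), protocol="P1"),
    Vlan(1100, ("port", "protocol"), lans=frozenset({235, 240, 245, 250}), protocol="P1"),
    Vlan(1200, ("address", "protocol"), addresses=frozenset("KLMUQT"), protocol="P1"),
)


def candidate_vlans(vlans, lan, src, proto):
    """Every VLAN the packet could be identified with; more than one means overlap."""
    return [v.tag for v in vlans if v.matches(lan, src, proto)]


def classify(vlans, lan, src, proto):
    """Resolve overlap deterministically; None means the untagged default group."""
    hits = [v for v in vlans if v.matches(lan, src, proto)]
    if not hits:
        return None
    return min(hits, key=lambda v: PRECEDENCE[v.criteria]).tag


def tag_packet(vlans, lan, packet):
    """Prepend a VLAN header (tag plus copied addresses, as in FIG. 4) or leave untagged."""
    tag = classify(vlans, lan, packet["src"], packet["proto"])
    if tag is None:
        return dict(packet)  # default group: packet 400 is forwarded unchanged
    return {"vlan_tag": tag, "vlan_dst": packet["dst"], "vlan_src": packet["src"], **packet}


if __name__ == "__main__":
    # Switch 275, LAN 235, protocol P1: overlap of 800/1000/1100 resolves to 1100.
    print(candidate_vlans(FIG6_VLANS, 235, "X", "P1"), classify(FIG6_VLANS, 235, "X", "P1"))
```

Run against the two scenarios in the text, the LAN 235 packet resolves to VLAN 1100 and the address Q packet on LAN 245 also resolves to VLAN 1100, since port and protocol-based VLANs outrank every other type.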
In accordance with other aspects of the invention, a virtual communications system can be implemented using multiple switches of the type described above. A network manager, interconnected to the multiple switches, is capable of configuring virtual local area networks of differing types as described above.