Techniques for zero touch provisioning of edge nodes for a virtual private network

US 20060190570A1
Filed: 06/01/2005
Published: 08/24/2006
Est. Priority Date: 02/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising the steps of:

storing configuration data at a server on a host computer on a provider network, determining whether conditions are satisfied for sending the configuration data to a particular node at an edge of the provider network; and

if it is determined that conditions are satisfied for sending the configuration data, then sending the configuration data to the particular node to cause the particular node to configure a particular interface without human intervention for a particular virtual private network over the provider network based on the configuration data, wherein;

the provider network is a packet-switched network;

the particular virtual private network is a link layer virtual private network;

the particular node is different from the host; and

the particular interface is for a direct communication link to a customer network node outside the provider network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for configuring a network interface to support a virtual private network includes storing configuration data at a server on a host computer on the provider network. It is determined whether conditions are satisfied for sending the configuration data to a particular node at an edge of the provider network. If it is determined that conditions are satisfied, then the configuration data is sent to the particular node to cause the particular node to configure a particular interface for supporting a virtual private network over the provider network based on the configuration data without human intervention. The provider network is a packet-switched network and the particular virtual private network is a link layer virtual private network. The particular node is different from the host. The particular interface is for a direct communication link to a customer network node outside the provider network.

67 Citations

View as Search Results

72 Claims

1. A method for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising the steps of:
- storing configuration data at a server on a host computer on a provider network, determining whether conditions are satisfied for sending the configuration data to a particular node at an edge of the provider network; and
  
  if it is determined that conditions are satisfied for sending the configuration data, then sending the configuration data to the particular node to cause the particular node to configure a particular interface without human intervention for a particular virtual private network over the provider network based on the configuration data, wherein;
  
  the provider network is a packet-switched network;
  
  the particular virtual private network is a link layer virtual private network;
  
  the particular node is different from the host; and
  
  the particular interface is for a direct communication link to a customer network node outside the provider network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. A method as recited in claim 1, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a request message is received from the particular node.
  - 3. A method as recited in claim 1, wherein the particular interface is a virtual circuit of a plurality of virtual circuits on the same physical circuit.
  - 4. A method as recited in claim 1, wherein the particular interface is a physical circuit.
  - 5. A method as recited in claim 1, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a request message is received from the particular node in response to a change at the particular node.
  - 6. A method as recited in claim 1, wherein the configuration data includes a mapping between a customer identification for the particular interface and a particular virtual private network.
  - 7. A method as recited in claim 1, wherein the configuration data includes values for service parameters that are specific to the particular interface.
  - 8. A method as recited in claim 1, wherein the configuration data includes values for the type of virtual private network among a plurality of types that include at least two of a virtual private wire service (VPWS), a virtual private local area network service (VPLS) and an inter-local access and transport area private line service (IPLS).
  - 9. A method as recited in claim 1, wherein the configuration data includes a mapping between the particular virtual private network and a different node on the edge of the provider network to which the particular node should establish a tunnel for the particular private network.
  - 10. A method as recited in claim 1, wherein the configuration data includes a property for a tunnel for the particular virtual private network from the particular node to a different node on an edge of the provider network from a plurality of properties that include at least one of an identifier for the tunnel and a service level for traffic through the tunnel.
  - 11. A method as recited in claim 1, wherein the configuration data sent to the particular node is less than all configuration data for provisioning all interfaces on the particular node.
  - 12. A method as recited in claim 1, wherein the configuration data sent to the particular node is less than all configuration data for provisioning all interfaces that belong to the particular virtual private network on the particular node for the particular node.
  - 13. A method as recited in claim 1, wherein the server is a Remote Access Dial-In Service (RADIUS) Server.
  - 14. A method as recited in claim 13, said step of sending the configuration data further comprises sending a RADIUS authentication acceptance response that includes a RADIUS attribute for a virtual private network identification that indicates a collection of one or more tunnels for the particular virtual private network on the provider network.
  - 15. A method as recited in claim 13, said step of sending the configuration data further comprises sending a RADIUS authentication acceptance response that includes a RADIUS attribute for an attachment identification that indicates both an identification for the particular virtual private network to which the particular interface belongs and an interface identification that uniquely indicates the particular interface among interfaces that belong to the particular virtual private network.
  - 16. A method as recited in claim 14, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates an interface name.
  - 17. A method as recited in claim 14, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates a network access identifier (NAI) associated with the customer network node.
  - 18. A method as recited in claim 13, wherein the configuration data includes a RADIUS attribute for a different node on the edge of the provider network that is different from the particular node and that is included in the particular virtual private network.
  - 19. A method as recited in claim 18, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates the particular virtual private network.
  - 20. A method as recited in claim 13, wherein the configuration data includes a RADIUS attribute for a tunnel from the particular node to a different node on the edge of the provider network.
  - 21. A method as recited in claim 20, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates the different node on the edge of the provider network.
  - 22. A method as recited in claim 1, wherein the server is a Simple Network Management Protocol (SNMP) Server.

23. A method for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising the steps of:
- determining on a particular node at an edge of a provider network whether conditions are satisfied for configuring a particular interface on the particular node for a virtual private network over the provider network;
  
  if it is determined that conditions are satisfied, then sending, to a first server on a first host computer of the provider network, interface identification data that uniquely indicates the particular interface;
  
  in response to sending the interface identification data, receiving configuration data from a second server on a second host computer of the provider network; and
  
  configuring the particular interface for the virtual private network based on the configuration data without human intervention, wherein the provider network is a packet-switched network;
  
  the particular virtual private network is a link layer virtual private network;
  
  the particular node is different from the first host and the second host; and
  
  the particular interface is for a direct communication link to a customer network node outside the provider network.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 24. A method as recited in claim 23, wherein the first server is the same as the second server.
  - 25. A method as recited in claim 23, further comprising receiving data at the particular node that indicates an address on the provider network for the first server.
  - 26. A method as recited in claim 23, wherein the particular interface is a virtual circuit of a plurality of virtual circuits on the same physical circuit.
  - 27. A method as recited in claim 23, wherein the particular interface is a physical circuit.
  - 28. A method as recited in claim 23, said step of determining whether conditions are satisfied for configuring the particular interface further comprising determining whether a particular signal is received on the particular interface.
  - 29. A method as recited in claim 23, said step of determining whether conditions are satisfied for configuring the particular interface further comprising determining whether a message that indicates the particular interface is received from a third server on a third host computer of the provider network, wherein the particular node is different from the third host.
  - 30. A method as recited in claim 23, wherein the first server is a Remote Access Dial-In Service (RADIUS) Server and the second server is the RADIUS server.
  - 31. A method as recited in claim 30, said step of sending the interface identification data further comprises sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates at least one of a unique name for the particular interface and a unique name for customer equipment to which the particular interface is directly linked.
  - 32. A method as recited in claim 30, said step of receiving the configuration data further comprising receiving a RADIUS authentication acceptance response that includes a RADIUS attribute for a virtual private network identification that indicates a collection of one or more tunnels for the particular virtual private network.
  - 33. A method as recited in claim 30, said step of receiving the configuration data further comprises receiving a RADIUS authentication acceptance response that includes a RADIUS attribute for an attachment identification that indicates both an identification for the particular virtual private network to which the particular interface belongs and an interface identification that uniquely indicates the particular interface among interfaces that belong to the particular virtual private network.
  - 34. A method as recited in claim 32, said step of receiving configuration data further comprising:
    - determining whether the RADIUS authentication acceptance response includes data that indicates a different node at an edge of the provider network; and
      
      if it is determined that the RADIUS authentication acceptance response does not include data that indicates the different node, then performing the steps of sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates the virtual private network identification, and receiving another RADIUS authentication acceptance response that includes a RADIUS attribute with node identification data that indicates the different node.
  - 35. A method as recited in claim 32, said step of receiving configuration data further comprising:
    - determining whether the RADIUS authentication acceptance response includes data that indicates a property of a tunnel from the particular node to a different node at an edge of the provider network; and
      
      if it is determined that the RADIUS authentication acceptance response does not include data that indicates the property of the tunnel, then performing the steps of sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates the different node, and receiving another RADIUS authentication acceptance response that includes a RADIUS attribute with data that indicates a property of the tunnel.

36. An apparatus for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising the steps of:
- means for storing configuration data at a server on a host computer on a provider network, means for determining whether conditions are satisfied for sending the configuration data to a particular node at an edge of the provider network; and
  
  means for sending the configuration data to the particular node to cause the particular node to configure a particular interface without human intervention for a particular virtual private network over the provider network based on the configuration data, if it is determined that conditions are satisfied for sending the configuration data, wherein;
  
  the provider network is a packet-switched network;
  
  the particular virtual private network is a link layer virtual private network;
  
  the particular node is different from the host; and
  
  the particular interface is for a direct communication link to a customer network node outside the provider network.

37. An apparatus for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising the steps of:
- means for determining on a particular node at an edge of a provider network whether conditions are satisfied for configuring a particular interface on the particular node for a virtual private network over the provider network;
  
  means for sending, to a first server on a first host computer of the provider network, interface identification data that uniquely indicates the particular interface, if it is determined that conditions are satisfied;
  
  means for receiving configuration data from a second server on a second host computer of the provider network, in response to sending the interface identification data; and
  
  means for configuring the particular interface for the virtual private network based on the configuration data without human intervention, wherein the provider network is a packet-switched network;
  
  the particular virtual private network is a link layer virtual private network;
  
  the particular node is different from the first host and the second host; and
  
  the particular interface is for a direct communication link to a customer network node outside the provider network.

38. An apparatus for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising:
- a network interface that is coupled to a provider network for communicating therewith a data packet;
  
  one or more processors;
  
  a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the steps of;
  
  storing configuration data;
  
  determining whether conditions are satisfied for sending the configuration data to a different node at an edge of the provider network; and
  
  if it is determined that conditions are satisfied for sending the configuration data, then sending the configuration data to the different node to cause the different node to configure a particular interface without human intervention for a particular virtual private network over the provider network based on the configuration data, wherein;
  
  the provider network is a packet-switched network;
  
  the particular virtual private network is a link layer virtual private network; and
  
  the particular interface is for a direct communication link to a customer network node outside the provider network.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 39. An apparatus as recited in claim 38, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a request message is received from the particular node.
  - 40. An apparatus as recited in claim 38, wherein the particular interface is a virtual circuit of a plurality of virtual circuits on the same physical circuit.
  - 41. An apparatus as recited in claim 38, wherein the particular interface is a physical circuit.
  - 42. An apparatus as recited in claim 38, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a request message is received from the particular node in response to a change at the particular node.
  - 43. An apparatus as recited in claim 38, wherein the configuration data includes a mapping between a customer identification for the particular interface and a particular virtual private network.
  - 44. An apparatus as recited in claim 38, wherein the configuration data includes values for service parameters that are specific to the particular interface.
  - 45. An apparatus as recited in claim 38, wherein the configuration data includes values for the type of virtual private network among a plurality of types that include at least two of a virtual private wire service (VPWS), a virtual private local area network service (VPLS) and an inter-local access and transport area private line service (IPLS).
  - 46. An apparatus as recited in claim 38, wherein the configuration data includes a mapping between the particular virtual private network and a different node on the edge of the provider network to which the particular node should establish a tunnel for the particular private network.
  - 47. An apparatus as recited in claim 38, wherein the configuration data includes a property for a tunnel for the particular virtual private network from the particular node to a different node on an edge of the provider network from a plurality of properties that include at least one of an identifier for the tunnel and a service level for traffic through the tunnel.
  - 48. An apparatus as recited in claim 38, wherein the configuration data sent to the particular node is less than all configuration data for provisioning all interfaces on the particular node.
  - 49. An apparatus as recited in claim 38, wherein the configuration data sent to the particular node is less than all configuration data for provisioning all interfaces that belong to the particular virtual private network on the particular node for the particular node.
  - 50. An apparatus as recited in claim 38, wherein execution of the one or more sequences of instructions further causes the one or more processors to carry out the steps of a Remote Access Dial-In Service (RADIUS) Server.
  - 51. An apparatus as recited in claim 50, said step of sending the configuration data further comprises sending a RADIUS authentication acceptance response that includes a RADIUS attribute for a virtual private network identification that indicates a collection of one or more tunnels for the particular virtual private network on the provider network.
  - 52. An apparatus as recited in claim 50, said step of sending the configuration data further comprises sending a RADIUS authentication acceptance response that includes a RADIUS attribute for an attachment identification that indicates both an identification for the particular virtual private network to which the particular interface belongs and an interface identification that uniquely indicates the particular interface among interfaces that belong to the particular virtual private network.
  - 53. An apparatus as recited in claim 51, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates an interface name.
  - 54. An apparatus as recited in claim 51, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates a network access identifier (NAI) associated with the customer network node.
  - 55. An apparatus as recited in claim 50, wherein the configuration data includes a RADIUS attribute for a different node on the edge of the provider network that is different from the particular node and that is included in the particular virtual private network.
  - 56. An apparatus as recited in claim 55, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates the particular virtual private network.
  - 57. An apparatus as recited in claim 50, wherein the configuration data includes a RADIUS attribute for a tunnel from the particular node to a different node on the edge of the provider network.
  - 58. An apparatus as recited in claim 57, said step of determining whether conditions are satisfied for sending the configuration data further comprising determining whether a RADIUS user authentication request message is received from the particular node, which request includes a RADIUS user name attribute with data that indicates the different node on the edge of the provider network.
  - 59. An apparatus as recited in claim 38, wherein execution of the one or more sequences of instructions further causes the one or more processors to carry out the steps of a Simple Network Management Protocol (SNMP) Server.

60. An apparatus for configuring a network interface on an intermediate network node at an edge of a provider network to support a virtual private network, comprising:
- a provider network interface that is coupled to a provider network for communicating therewith a data packet;
  
  a customer network interface for coupling to customer premises equipment outside the provider network for communicating therewith a data packet;
  
  one or more processors;
  
  a computer-readable medium; and
  
  one or more sequences of instructions stored in the computer-readable medium, which, when executed by the one or more processors, causes the one or more processors to carry out the step of;
  
  determining whether conditions are satisfied for configuring a particular interface on the customer network interface for a virtual private network over the provider network;
  
  if it is determined that conditions are satisfied, then sending, to a first server on a first host computer of the provider network, interface identification data that uniquely indicates the particular interface;
  
  in response to sending the interface identification data, receiving configuration data from a second server on a second host computer of the provider network; and
  
  configuring the particular interface for the virtual private network based on the configuration data without human intervention, wherein the provider network is a packet-switched network, the particular virtual private network is a link layer virtual private network, and the apparatus is different from the first host computer and the second host computer.
- View Dependent Claims (61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72)
- - 61. An apparatus as recited in claim 60, wherein the first server is the same as the second server.
  - 62. An apparatus as recited in claim 60, wherein execution of the one or more sequences of instructions further causes the one or more processors to perform the step of receiving data at the particular node that indicates an address on the provider network for the first server.
  - 63. An apparatus as recited in claim 60, wherein the particular interface is a virtual circuit of a plurality of virtual circuits on the customer network interface.
  - 64. An apparatus as recited in claim 60, wherein the particular interface is the customer network interface.
  - 65. An apparatus as recited in claim 60, said step of determining whether conditions are satisfied for configuring the particular interface further comprising determining whether a particular signal is received on the particular interface.
  - 66. An apparatus as recited in claim 60, said step of determining whether conditions are satisfied for configuring the particular interface further comprising determining whether a message that indicates the particular interface is received from a third server on a third host computer of the provider network, wherein the particular node is different from the third host.
  - 67. An apparatus as recited in claim 60, wherein the first server is a Remote Access Dial-In Service (RADIUS) Server and the second server is the RADIUS server.
  - 68. An apparatus as recited in claim 67, said step of sending the interface identification data further comprises sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates at least one of a unique name for the particular interface and a unique name for customer equipment to which the particular interface is directly linked.
  - 69. An apparatus as recited in claim 67, said step of receiving the configuration data further comprising receiving a RADIUS authentication acceptance response that includes a RADIUS attribute for a virtual private network identification that indicates a collection of one or more tunnels for the particular virtual private network.
  - 70. An apparatus as recited in claim 67, said step of receiving the configuration data further comprises receiving a RADIUS authentication acceptance response that includes a RADIUS attribute for an attachment identification that indicates both an identification for the particular virtual private network to which the particular interface belongs and an interface identification that uniquely indicates the particular interface among interfaces that belong to the particular virtual private network.
  - 71. An apparatus as recited in claim 69, said step of receiving configuration data further comprising:
    - determining whether the RADIUS authentication acceptance response includes data that indicates a different node at an edge of the provider network; and
      
      if it is determined that the RADIUS authentication acceptance response does not include data that indicates the different node, then performing the steps of sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates the virtual private network identification, and receiving another RADIUS authentication acceptance response that includes a RADIUS attribute with node identification data that indicates the different node.
  - 72. An apparatus as recited in claim 69, said step of receiving configuration data further comprising:
    - determining whether the RADIUS authentication acceptance response includes data that indicates a property of a tunnel from the particular node to a different node at an edge of the provider network; and
      
      if it is determined that the RADIUS authentication acceptance response does not include data that indicates the property of the tunnel, then performing the steps of sending a RADIUS authentication request that includes a RADIUS user name attribute with data that indicates the different node, and receiving another RADIUS authentication acceptance response that includes a RADIUS attribute with data that indicates a property of the tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Luo, Wei, Townsley, William Mark, Booth, Earl Hardin III, Weber, Greg

Granted Patent

US 7,535,856 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/220
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4691   GVRP [GARP VLAN registratio...

H04L 41/0806   for initial configuration o...

H04L 41/0866   Checking the configuration

H04L 41/0886   Fully automatic configuration

H04L 41/0895   Configuration of virtualise...

H04L 63/0272   Virtual private networks

Techniques for zero touch provisioning of edge nodes for a virtual private network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

72 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for zero touch provisioning of edge nodes for a virtual private network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

72 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links