Apparatus and method creating virtual routing domains in an internet protocol network
Abstract
A method and apparatus are described that allow the creation of virtual routing domains in an IP network. These virtual routing domains allow each individual network to be configured so that its routing domain appears to cover the entire IP address space. A network processing system is used to implement the virtual routing domains and to allow network traffic to cross the individual routing domains. The network processing system is able to use application layer information to allow the crossing of virtual routing domain boundaries. By examining application layer information, the network processing system is able to look up customer/user information and use that information to determine destination virtual routing domains and route otherwise unroutable addresses between domains.
32 Claims
1. A method for creating virtual routing domains in an internet protocol network comprising:
- mapping ingress interface and tunneling protocol identifying information for a network flow to a virtual routing domain identifier, the virtual routing domain identifier associated with a particular customer; and
- using application information within the network flow to identify a destination for the network flow, the destination associated with a second virtual routing domain identifier; and
- determining how to forward the network flow based on the second virtual routing domain identifier.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A network processing system in an internet protocol network passing network traffic made up of individual flows, the network including one or more customer networks employing layer two tunneling protocols, each having layer two tunneling protocol identifying information, the network processing system comprising:
- ingress ports for receiving the network traffic;
- at least one processor operable to associate the input port and layer two tunneling protocol information for flows over the network to a virtual routing domain identifier, the at least one processor also operable to associate application information in the flows with a second virtual domain identifier, the second virtual domain identifier determining egress treatment for the flows; and
- egress ports for forwarding the network traffic.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16

17. A virtual proxy in a network processing system, comprising:
- an identifier unique to the virtual proxy such that network traffic meeting predetermined criteria pass through the virtual proxy;
- session routing information for the network passing through the virtual proxy, the session routing information providing specialized routing information for the network traffic; and
- bandwidth enforcement protocols operable to insure that the network traffic passing through the virtual proxy does not exceed a predetermined limit.
Dependent claims: 18, 19, 20, 21

22. A method of protecting a network from denial of service attacks comprising:
- providing two or more virtual proxies on a network processing system on the network, such that each of the two or more virtual proxies services a subset of network addresses and ports serviced by the network processing system; and
- provisioning a maximum bandwidth for each of the two or more virtual proxies such that a denial of service attack may not exceed the maximum bandwidth for one virtual proxy of the two or more virtual proxies thereby protecting each of the remaining virtual proxies from the denial of service attack.
Dependent claims: 23, 24, 25, 26

27. A network processing system for use in a network comprising:
- a plurality of network addresses assigned to the network processing system; and
- one or more virtual proxies, each virtual proxy configured to service a subset of the plurality of network addresses wherein each of the one or more virtual proxies are operable to define maximum resource limits for network traffic passing through it, and wherein at least one of the one or more virtual proxies includes session routing information providing specialized routing information specific to the network traffic passing through that virtual proxy.
Dependent claims: 28, 29, 30, 31, 32

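Claims 22 and 27 depend on each virtual proxy enforcing its own provisioned maximum, so that a flood aimed at one proxy's addresses cannot consume capacity provisioned for the others. The following Python simulation is an added illustration, not code from the patent: the token-bucket limiter, the class names, the addresses (documentation range 192.0.2.0/24), the one-second burst depth and the traffic rates are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualProxy:
    """Hypothetical model of one virtual proxy: its endpoints and its own cap."""
    name: str
    endpoints: frozenset              # (ip, port) pairs this proxy services
    bytes_per_ms: int                 # provisioned maximum bandwidth
    burst_ms: int = 1000              # assumed bucket depth: one second of traffic
    tokens: int = field(default=0, init=False)
    last_ms: int = 0
    passed: int = 0
    dropped: int = 0

    def __post_init__(self):
        self.tokens = self.bytes_per_ms * self.burst_ms   # start with a full bucket

    def admit(self, now_ms, size):
        cap = self.bytes_per_ms * self.burst_ms
        # Refill for elapsed time, never beyond the provisioned cap.
        self.tokens = min(cap, self.tokens + (now_ms - self.last_ms) * self.bytes_per_ms)
        self.last_ms = now_ms
        if size > self.tokens:
            self.dropped += size      # over this proxy's limit: drop here only
            return False
        self.tokens -= size
        self.passed += size
        return True

class NetworkProcessingSystem:
    """Dispatches each packet to the virtual proxy that owns its destination."""
    def __init__(self, proxies):
        self.owner = {ep: p for p in proxies for ep in p.endpoints}

    def handle(self, now_ms, dst, size):
        proxy = self.owner.get(dst)   # unknown destinations are not serviced
        return proxy is not None and proxy.admit(now_ms, size)

def simulate(duration_ms=2000):
    # Constructed traffic: a flood at customer A, ordinary load at customer B.
    a = VirtualProxy("customer-a", frozenset({("192.0.2.10", 443)}), bytes_per_ms=100)
    b = VirtualProxy("customer-b", frozenset({("192.0.2.20", 443)}), bytes_per_ms=100)
    nps = NetworkProcessingSystem([a, b])
    for ms in range(1, duration_ms + 1):
        for _ in range(10):                       # 10 x 1000 B per ms = 10 MB/s
            nps.handle(ms, ("192.0.2.10", 443), 1000)
        if ms % 20 == 0:                          # 1000 B per 20 ms = 50 kB/s
            nps.handle(ms, ("192.0.2.20", 443), 1000)
    return a, b

if __name__ == "__main__":
    for p in simulate():
        print(f"{p.name}: passed={p.passed} B, dropped={p.dropped} B")
```

Because the buckets are independent, the flood is clipped to customer A's provisioned rate plus its initial burst, while customer B's traffic passes without a single drop.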
Specification