Process and apparatus for the operation of virtual private networks on a common data packet communication network
Abstract
Economical and dependable networking of spatially separated branches of an organization is made possible for a plurality of individual subscribers with spatially separated branches by means of an arrangement and process for the operation of layer-3 virtual private networks (VPN A, VPN B) on a common data packet communication network (e.g. OSI L3 data packet communication network 1). A logical separation of the layer-3 VPNs (VPN A, VPN B) is accomplished by allocating disjoint partial address spaces of a given homogeneous total address space to these L3 VPNs. A virtual private network identification number VPN ID is assigned to each L3 VPN and used to identify the disjoint partial address space by forming a part of the address. The VPN ID characterizing the L3 VPN starts at a fixed bit position in the individual subscriber address of each individual subscriber of the L3 VPN and may have a variable or a fixed length. Secure separation of the L3 VPNs is implemented by filtering of routing information and/or data packets based on the VPN ID.
18 Claims
1. A process for operation of a plurality of layer-3 virtual private networks on a common data packet communication network, comprising the steps of:
allocating a disjoint partial address space of a predetermined homogeneous total address space of the common data packet communication network to each of the virtual private networks so as to separate the plural virtual private networks;
assigning a virtual private network identification number to each virtual private network to identify the disjoint partial address space of the each virtual private network, said virtual private network identification number comprising as part of an address of every one of plural individual subscribers of the each virtual private network and starting at a fixed bit position in an individual subscriber address of each of the plural individual subscribers of the each layer-3 virtual private network; and
filtering data packets and routing information moving through the communication network using routers of the data packet communication network based on the virtual private network identification number.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A process for operation of a plurality of layer-3 virtual private networks on a common data packet communication network, comprising the steps of:
allocating a disjoint partial address space of a predetermined homogeneous total address space of the common data packet communication network to each of the virtual private networks so as to separate the plural virtual private networks;
assigning a virtual private network identification number to each virtual private network to identify the disjoint partial address space of the each virtual private network, said virtual private network identification number comprising as part of an address of every one of plural individual subscribers of the each virtual private network and starting at a fixed bit position in an individual subscriber address of each of the plural individual subscribers of the each layer-3 virtual private network, wherein the virtual private network identification number is of variable length; and
filtering data packets and routing information moving through the communication network using routers of the data packet communication network based on the virtual private network identification number.

10. A system comprising:
a common data packet communication network;
a plurality of layer-3 virtual private networks connected to the data packet communication network, each said virtual private network comprising a plurality of individual subscribers each having an individual subscriber address, being separated from one another by a disjoint partial address space of a total address space of said common data packet communication network, assigned to each said virtual private network and being identified by a virtual private network identification number that forms part of and starts at a fixed bit position in an individual subscriber address of each individual subscriber of said each virtual private network; and
means for filtering data packets and routing information moving through the communication network in routers of said common data packet communication network based on the virtual private network identification number.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.

means for checking authorization of the individual subscribers of the plural layer-3 virtual private networks for authorization to access predetermined central services; and
means for separating the central services for different ones of the plural layer-3 virtual private networks based on the virtual private network identification number in a sender address of the individual subscribers and on a destination address of the central service.

13. The system in accordance with claim 12, wherein said common data packet communication network comprises one of an open systems interconnection protocol, IPv4 protocol, IPv6 protocol and IPX protocol network.

14. The system in accordance with claim 10, further comprising a dispatcher process for assigning service queries to virtual private network specific service processes based on the virtual private network identification number.

15. The system in accordance with claim 10, further comprising a domain name service dispatcher for assigning a domain name service query to virtual private network specific service processes based on the virtual private network identification number of a sender.

16. The system in accordance with claim 10, wherein said data communication network comprises an open systems interconnection layer-3 data packet communication network.

17. The system in accordance with claim 10, wherein the virtual private network identification number is of fixed length.

18. A system comprising:
a common data packet communication network;
a plurality of layer-3 virtual private networks connected to the data packet communication network, each said virtual private network comprising a plurality of individual subscribers each having an individual subscriber address, being separated from one another by a disjoint partial address space of a total address space of said common data packet communication network, assigned to each said virtual private network and being identified by a virtual private network identification number that forms part of and starts at a fixed bit position in an individual subscriber address of each individual subscriber of said each virtual private network, wherein the virtual private network identification number is of variable length; and
means for filtering data packets and routing information moving through the communication network in routers of said common data packet communication network based on the virtual private network identification number.
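The claims above describe one mechanism from several angles: disjoint address spaces identified by a VPN ID at a fixed bit position (claims 1, 9, 10, 18), routers that filter both packets and routing information on that ID (claims 1, 10), and a dispatcher that hands service queries to VPN-specific service processes keyed on the sender's VPN ID (claims 12, 14, 15). The following is an added toy model of that scheme, written for this page; it is not the patent's text and not any vendor's implementation. It assumes a 32-bit address space written as dotted quads, that the VPN ID occupies the leading (most significant) bits of the address, that each VPN may use a different ID length (the variable-length form of claim 9), and that central services live at addresses outside every VPN's partial space. The address plan, the packet and route samples, and the central DNS address 224.0.0.53 are all constructed for the example.

```python
"""Toy model of VPN-ID-based layer-3 VPN separation (added example, not the patent's code).

Assumptions not given by the claims: 32-bit addresses in dotted-quad form, the VPN ID is
the leading bits of the address, ID length may differ per VPN, and central services sit
at addresses outside every VPN's partial address space.
"""
from dataclasses import dataclass
from typing import Optional

ADDR_BITS = 32


def parse_addr(text: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class Vpn:
    name: str
    vpn_id: int   # value of the leading id_len bits
    id_len: int   # number of leading bits that form the VPN ID

    def contains(self, addr: int) -> bool:
        """True if the leading id_len bits of addr equal this VPN's ID."""
        return (addr >> (ADDR_BITS - self.id_len)) == self.vpn_id


class AddressPlan:
    """Allocates disjoint partial address spaces, each identified by a VPN ID."""

    def __init__(self) -> None:
        self.vpns: list[Vpn] = []

    def allocate(self, name: str, vpn_id: int, id_len: int) -> Vpn:
        new = Vpn(name, vpn_id, id_len)
        for old in self.vpns:
            # Two leading-bit IDs overlap exactly when one is a prefix of the other,
            # so compare them truncated to the shorter length.
            short = min(old.id_len, new.id_len)
            if (old.vpn_id >> (old.id_len - short)) == (new.vpn_id >> (new.id_len - short)):
                raise ValueError(f"{name} overlaps {old.name}: partial spaces must be disjoint")
        self.vpns.append(new)
        return new

    def vpn_of(self, addr: int) -> Optional[Vpn]:
        """Identify the VPN from the ID bits carried in the address itself."""
        return next((v for v in self.vpns if v.contains(addr)), None)


class Router:
    """Filters packets and routing information on the VPN ID; dispatches central services."""

    def __init__(self, plan: AddressPlan, central: dict[int, str]) -> None:
        self.plan = plan
        self.central = central  # service address -> service name
        self.log: list[str] = []

    def forward_packet(self, src: str, dst: str) -> bool:
        s, d = parse_addr(src), parse_addr(dst)
        if s in self.central:
            return True  # reply from a central service back into a VPN
        sv = self.plan.vpn_of(s)
        if sv is None:
            self.log.append(f"drop {src}->{dst}: sender outside any VPN")
            return False
        if d in self.central:
            return True  # towards a central service; separated per VPN by dispatch()
        if self.plan.vpn_of(d) is not sv:
            self.log.append(f"drop {src}->{dst}: cross-VPN traffic")
            return False
        return True

    def accept_route(self, prefix: str, plen: int, learned_from: str) -> bool:
        """Accept a route only if it lies wholly inside the advertising router's VPN space."""
        v = self.plan.vpn_of(parse_addr(learned_from))
        if v is None or plen < v.id_len or not v.contains(parse_addr(prefix)):
            self.log.append(f"reject route {prefix}/{plen} from {learned_from}")
            return False
        return True

    def dispatch(self, src: str, dst: str, query: str) -> Optional[str]:
        """Hand a service query (e.g. DNS) to the service process for the sender's VPN."""
        sv = self.plan.vpn_of(parse_addr(src))
        service = self.central.get(parse_addr(dst))
        if sv is None or service is None:
            return None
        return f"{service}-process-{sv.name}"


def build_demo() -> tuple[AddressPlan, Router]:
    """Constructed sample plan: three VPNs with IDs of different lengths."""
    plan = AddressPlan()
    plan.allocate("A", 0b10, 2)      # 128.0.0.0/2
    plan.allocate("B", 0b110, 3)     # 192.0.0.0/3
    plan.allocate("C", 0b0000, 4)    # 0.0.0.0/4, e.g. 10.0.0.0/8 sites
    router = Router(plan, {parse_addr("224.0.0.53"): "dns"})  # constructed central DNS
    return plan, router


if __name__ == "__main__":
    plan, router = build_demo()
    print(router.forward_packet("128.0.0.1", "192.0.2.1"))          # False: A -> B
    print(router.accept_route("192.0.2.0", 24, "128.0.0.254"))      # False: B prefix from A
    print(router.dispatch("10.0.0.5", "224.0.0.53", "example.internal"))
    print("\n".join(router.log))
```

Two details matter for the separation property. First, because the VPN ID is the leading bits, the disjointness check in `allocate` is a prefix-freeness check; a 1-bit ID of `1` would swallow VPN A's `10` and is rejected. Second, `accept_route` refuses any prefix shorter than the VPN's ID length, so a default route or an aggregate advertised from inside one VPN cannot pull another VPN's addresses into its routing table.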