Virtual private networks and methods for their operation
Abstract
A method and apparatus for providing a Virtual Private Network (VPN) over a connectionless network connecting a plurality of Local Area Networks (LANs), such as an Ethernet network, is disclosed. The method and apparatus comprises associating each VPN with a unique identifier and each LAN of the VPN with an interface device connecting the LAN to the connectionless network, which may be, for example, a Synchronous Optical Network (SONET). The interface device may service a plurality of LANs. Accordingly, each LAN is associated with a User-Network Interface that forms part of the interface device. Each data packet destined for a second LAN, such as Ethernet frames, received by the interface device for a first LAN is encapsulated with, if known, a Media Access Control (MAC) address of the interface device connected to the second LAN, the VPN's unique identifier, and the port on the interface device connected to the second LAN. Additionally, the corresponding MAC and port address of the first interface device is also used to encapsulate the Ethernet frames. If the MAC and port address is not known (i.e., it is not stored in a database on the first interface device), the first interface device multicasts an encapsulated Ethernet packet to the entire VPN. The first interface device maintains (i.e., updates and appends) its database of MAC and port addresses in response to encapsulated data frames received by the first interface device.
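The forwarding and learning behaviour the abstract describes, as an added Python example; this is not code from the patent or its assignee. It follows the claims' formulation, in which the encapsulation carries an IP address of the egress interface (plus the port serving the VPN) and falls back to an IP multicast address for the whole VPN when the destination is unknown; the abstract's MAC-address variant differs only in the address type. The interface addresses, MAC values, multicast groups and the `deliver` stand-in for the connectionless network are constructed for illustration, and the rejection of frames carrying a foreign VPN identifier is an added check, not a claim element.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed values: the patent names no concrete addresses. One IP multicast
# group per VPN identifier, joined by every interface that serves that VPN.
VPN_MULTICAST = {7: "239.7.0.1", 9: "239.9.0.1"}


@dataclass(frozen=True)
class EthFrame:
    dst: str            # LAN destination MAC
    src: str            # LAN source MAC
    payload: bytes


@dataclass(frozen=True)
class Encap:
    """Encapsulated frame as carried over the connectionless network."""
    vpn_id: int
    dst_ip: str              # egress interface address, or the VPN's multicast group
    dst_port: Optional[int]  # egress port serving the VPN (None when multicast)
    src_ip: str              # ingress interface address
    src_port: int            # ingress port serving the VPN
    inner: EthFrame


@dataclass
class UNI:
    """One User-Network Interface: a LAN-facing port bound to one VPN identifier."""
    ip: str
    port: int
    vpn_id: int
    # (vpn_id, MAC) -> (interface IP, port). Learned from traffic, not configured.
    table: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)

    def encapsulate(self, frame: EthFrame) -> Encap:
        hit = self.table.get((self.vpn_id, frame.dst))
        if hit is not None:
            egress_ip, egress_port = hit
            return Encap(self.vpn_id, egress_ip, egress_port, self.ip, self.port, frame)
        # Destination not yet learned: send once to every interface of this VPN.
        return Encap(self.vpn_id, VPN_MULTICAST[self.vpn_id], None, self.ip, self.port, frame)

    def decapsulate(self, pkt: Encap) -> Optional[EthFrame]:
        # Added check (not a claim element): never bridge a frame whose VPN
        # identifier differs from the one this port serves. That is the isolation
        # boundary between customers sharing the connectionless network.
        if pkt.vpn_id != self.vpn_id:
            return None
        # Learn which ingress interface and port sit behind the inner source MAC,
        # so the reply goes unicast instead of multicast.
        self.table[(pkt.vpn_id, pkt.inner.src)] = (pkt.src_ip, pkt.src_port)
        return pkt.inner


def deliver(pkt: Encap, interfaces: List[UNI]) -> Dict[str, Optional[EthFrame]]:
    """Stand-in for the connectionless network: a unicast address reaches the one
    interface owning it; the VPN multicast group reaches every other member."""
    out = {}
    for uni in interfaces:
        if uni.ip == pkt.src_ip:
            continue                       # a sender does not receive its own flood
        if pkt.dst_ip == uni.ip or pkt.dst_ip == VPN_MULTICAST.get(uni.vpn_id):
            out[uni.ip] = uni.decapsulate(pkt)
    return out


def simulate() -> Dict[str, object]:
    """Host a1 behind interface A talks to b1 behind B; C serves another VPN."""
    a = UNI(ip="10.0.0.1", port=1, vpn_id=7)
    b = UNI(ip="10.0.0.2", port=3, vpn_id=7)
    c = UNI(ip="10.0.0.3", port=1, vpn_id=9)
    net = [a, b, c]
    a1, b1 = "00:00:00:00:00:a1", "00:00:00:00:00:b1"

    p1 = a.encapsulate(EthFrame(b1, a1, b"hello"))   # b1 unknown: multicast
    reached1 = deliver(p1, net)                       # B learns a1 -> (A, port 1)
    p2 = b.encapsulate(EthFrame(a1, b1, b"reply"))   # a1 known: unicast to A
    reached2 = deliver(p2, net)                       # A learns b1 -> (B, port 3)
    p3 = a.encapsulate(EthFrame(b1, a1, b"again"))   # now unicast with B's port
    return {
        "first_dst": p1.dst_ip,
        "first_reached": sorted(reached1),
        "reply_dst": p2.dst_ip,
        "reply_reached": sorted(reached2),
        "third": (p3.dst_ip, p3.dst_port, p3.src_port),
        "cross_vpn": c.decapsulate(p1),              # foreign VPN id: dropped
        "a_table": dict(a.table),
    }
```

The learning step is the part a practitioner should look at twice: the table is keyed by the inner source MAC exactly as received, so, just as with a learning switch, any host on a member LAN that writes another host's MAC into its frames moves that entry to itself. The claims describe the learning but not any protection of it.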
289 Citations
46 Claims
1. A system of providing communication between a first and a second Local Area Network (LAN), said first and second LANs interconnected by a connectionless network, said system comprising:
a first network interface connecting said first LAN to said connectionless network, said first receiving device for:
receiving conventional LAN data frames;
determining an address of a second network interface responsive to destination information in said received conventional LAN data frames, said second network interface connecting said second LAN to said connectionless network; and
encapsulating said conventional LAN data frames received at said first network interface with said address of said second network interface;
a router for routing said conventional LAN data frames encapsulated with said address to said second network interface over said connectionless network;
said second network interface connecting said second LAN to said connectionless network, said second network interface for:
receiving conventional LAN data frames encapsulated with said address;
re-generating said conventional LAN data frames from said conventional LAN data frames encapsulated with said address; and
transmitting said re-generated conventional LAN data frames to said second LAN; and
wherein said determining comprises:
determining an identifier uniquely identifying a virtual private network (VPN) comprising at least said first and second LANs;
accessing a routing table stored at said first network interface;
where possible, retrieving, from said routing table a unique address of said second network interface responsive to a destination address stored in said received LAN data frames and said determined identifier, said unique address comprising an IP address; and
if said routing table does not contain said unique address for said destination information, retrieving a multicast address, said multicast address representative of all LANs forming part of said VPN and comprises an IP multicast address; and
wherein said encapsulating comprises encapsulating said conventional LAN data frames with said determined identifier and one of said unique address of said second network interface and said multicast address.
2. … a Media Access Control (MAC) address of said second network interface; and
wherein said retrieving of said unique address of said second network interface comprises determining, responsive to said identifier identifying said VPN, a destination port on said second network interface servicing said VPN and wherein said encapsulating comprises encapsulating said conventional LAN data frames with said determined destination port.
3. The system of claim 2 wherein said LAN data frames are Ethernet data packets.
4. The system of claim 1 wherein said IP address corresponds to a destination port of said second network interface.
5. The system of claim 1 wherein said connectionless network is a Synchronous Optical Network (SONET) network comprising at least one local ring and wherein said first network interface is in communication with a local ring of said SONET network and said second network interface is in communication with said local ring or another local ring of said SONET network.
6. A device providing communication between a first and a second Local Area Network (LAN), said first and second LANs in communication by a connectionless network, said device comprising:
an input interface in communication with said first LAN;
an output interface in communication with said connectionless network;
a storage media storing data frames received from said first LAN received via said input interface, data packets and frames for transmission to said second LAN through said output interface; and
a processor, said processor adapted to:
receive conventional LAN data frames received from said first LAN through said input interface, said received data frames destined for said second LAN;
determine, responsive to said received conventional LAN data frames, routing information for routing said received conventional LAN data frames to said second LAN, said routing information comprising an Internet Protocol (IP) address;
encapsulate said received conventional LAN data frames with said routing information;
transmit said encapsulated conventional LAN data frames to said connectionless network over said output interface;
receive encapsulated conventional LAN data frames from said connectionless network from said output interface;
generate conventional LAN data frames from said received encapsulated conventional LAN data frames; and
transmit said generated conventional LAN data frames to said first LAN by said input interface.
9. … update said routing table responsive to said received encapsulated conventional LAN data frames.
10. The device of claim 9 wherein said processor is further adapted to:
where said routing table contains no routing information associated with said second LAN, encapsulate said received conventional LAN data frames with said routing information with an IP multicast address.
11. The device of claim 10 wherein said conventional LAN data frames are Ethernet frames.
12. The device of claim 11 wherein said connectionless network is a Synchronous Optical Network (SONET) network comprising at least one local ring and wherein said output interface is in communication with a local ring of said SONET network and said second LAN is in communication with said local ring or another local ring of said SONET network.
13. A method of transmitting conventional Local Area Network (LAN) data frames from a first to a second LAN, said first and second LAN interconnected by a connectionless medium, said method comprising:
receiving said conventional LAN data frames from said first LAN destined for said second LAN;
determining, responsive to said received conventional LAN data frames, routing information for transmittal of said conventional LAN data frames to said second LAN;
encapsulating said received conventional LAN data frames with said routing information;
transmitting said encapsulated received conventional LAN data frames to said connectionless medium;
receiving encapsulated conventional LAN data frames from said connectionless medium destined for said first LAN;
generating conventional LAN data frames responsive to said received encapsulated conventional LAN data frames; and
transmitting said generated conventional LAN data frames to said first LAN;
wherein said determining routing information comprises:
determining an identifier uniquely identifying a VPN comprising said first LAN and second LAN;
determining from said received conventional LAN data frames the destination for said received conventional LAN data frames; and
retrieving, from a database and responsive to said determined destination, an Internet Protocol (IP) address of an egress location forming part of said connectionless medium servicing said determined destination, if said database does not contain an entry for said determined destination, said retrieved address comprising an IP multicast address comprising egress locations servicing said VPN.
17. … updating said database of said ingress location with address information stored in said received conventional LAN data frames.
18. The method of claim 16 further comprising:
updating said database of said egress location with address information stored in said received encapsulated conventional LAN data frames.
19. The method of claim 18 wherein said address information stored in said received encapsulated conventional LAN data frames comprises an address of a sending device forming part of said first LAN and an IP address of said ingress location.
20. The method of claim 18 wherein said IP address of said egress location identifies a destination port of said egress location and said IP address of said ingress location identifies a source port of said ingress location.
21. A method for facilitating communication in a virtual private network (VPN), said VPN comprising a plurality of local area networks (LANs) each interconnected through a network interface to a connectionless network, comprising, at a first network interface of a first LAN of said VPN:
receiving conventional LAN data frames on said first LAN, said conventional LAN data frames having destination information;
determining an identifier uniquely identifying said VPN;
searching a routing table with said destination information and said identifier for a unique IP address of another network interface of another LAN of said VPN;
if said routing table does not contain said unique address, retrieving a multicast IP address for all network interfaces of said plurality of LANs of said VPN;
encapsulating said conventional LAN data frames with said identifier and one of said unique IP address and said multicast IP address; and
transmitting said encapsulated frames on said connectionless network.
22. … receiving encapsulated frames from said connectionless network;
for each of said received encapsulated frames:
generating a conventional LAN data frame from said received encapsulated frame; and
transmitting said generated conventional LAN data frame to said first LAN.
23. The method of claim 22 further comprising on generating a conventional LAN data frame from said received encapsulated frame, updating said routing table with source address information stored in said conventional LAN data frame.
24. The method of claim 23 wherein said source address information stored in said conventional LAN data frames comprises source MAC address information.
25. The method of claim 23 further comprising on receipt of said encapsulated frames, updating said routing table with source information stored in said encapsulated LAN data frames.
26. The method of claim 25 wherein said source information stored in said encapsulated LAN data frames comprises a source MAC address of a device forming part of said second LAN and an address information associated with a network interface of said second LAN.
27. The method of claim 26 wherein said address information associated with said network interface of said second LAN comprises an IP address of one of said network interface of said second LAN and a destination port of said network interface of said second LAN.
28. The method of claim 26 wherein said address information associated with said network interface of said second LAN comprises a network interface MAC address.
39. The method of claim 21 wherein said encapsulating also encapsulates address information for said first network interface.
40. The method of claim 39 further comprising:
receiving an indication a new device has been added to said first LAN and a media access control (MAC) address for said new device;
generating a control message containing said new device MAC address and said address information for said first network interface;
encapsulating said control message in said multicast IP address; and
transmitting said control message on said connectionless network.
41. The method of claim 39 further comprising:
receiving an indication a device has been removed from said first LAN;
generating a control message containing a media access control (MAC) address for said removed device and said address information for said first network interface;
encapsulating said control message in said multicast IP address; and
transmitting said control message on said connectionless network.
42. The method of claim 23 wherein said encapsulating also encapsulates address information for said first network interface and further comprising:
after updating said routing table with source address information on receipt of said conventional LAN data frames, transmitting to said multicast IP address a control message including said address information for said first network interface;
after sending said control message, queuing conventional LAN data frames destined for said source address until a reply to said control message is received.
43. The method of claim 39 further comprising:
periodically broadcasting a loopback message to said first LAN, said loopback message comprising said address information for said first network interface and said identifier uniquely identifying said VPN.
44. The method of claim 39 further comprising:
receiving at said first network interface a loopback message, said received loopback message having been generated by a generating network interface and broadcast into a LAN associated with said generating network interface; and
indicating an error condition.
45. The method of claim 44 wherein said indicating an error condition comprises shutting down said first network interface.
46. The method of claim 44 wherein said received loopback message comprises address information for said generating network interface and further comprising:
determining whether a network interface address of said received loopback message is said first network interface address and, if so, shutting down said first network interface to messaging traffic;
periodically broadcasting a loopback message to said first LAN, said loopback message comprising said address information for said first network interface;
after broadcasting a pre-determined number of loopback messages, if no loopback message is received, reactivating said first network interface to handle messaging traffic.
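The loop detection of claims 43 to 46, as an added Python example that is not the patent's own code. A network interface periodically broadcasts a loopback message carrying its own address and VPN identifier into its LAN; if any loopback message comes back in from the LAN, the LAN is reachable by a second path, which is the error condition of claim 44. Seeing its own address, the interface shuts down to messaging traffic, keeps probing, and reactivates once a pre-determined number of probes pass with nothing received (claim 46). The message encoding as a dict, the method names and the recovery threshold of three probes are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

LOOPBACK = "loopback"


@dataclass
class LoopGuard:
    """Loop detection state for one network interface of a VPN."""
    iface_addr: str
    vpn_id: int
    recovery_probes: int = 3     # assumed value for the claim's pre-determined number
    active: bool = True          # False while shut down to messaging traffic
    quiet_probes: int = 0        # probes sent since the last loopback was received
    errors: List[str] = field(default_factory=list)

    def probe(self) -> Dict[str, object]:
        """Periodic timer hook: returns the loopback message to broadcast on the LAN.
        While shut down, each probe counts toward reactivation."""
        if not self.active:
            self.quiet_probes += 1
            if self.quiet_probes >= self.recovery_probes:
                self.active = True
                self.quiet_probes = 0
        return {"type": LOOPBACK, "iface": self.iface_addr, "vpn": self.vpn_id}

    def on_lan_message(self, msg: Dict[str, object]) -> str:
        """Handle one message arriving from the LAN side; returns the action taken."""
        if msg.get("type") != LOOPBACK:
            return "forward" if self.active else "drop"
        origin = msg.get("iface")
        if origin == self.iface_addr:
            # Our own probe came back: the LAN is looped through the VPN.
            self.errors.append("own loopback message received")
        else:
            # Another interface's probe reached this LAN: two LANs of the VPN
            # are joined by a path outside the VPN.
            self.errors.append(f"loopback from {origin} (vpn {msg.get('vpn')})")
        self.active = False          # shut down to messaging traffic
        self.quiet_probes = 0        # any receipt restarts the recovery count
        return "shutdown"


def scenario() -> List[object]:
    """Constructed run: the interface's own probe is looped back once, the loop
    clears, and the interface recovers after three quiet probes."""
    g = LoopGuard("10.0.0.1", 7)
    trace: List[object] = [g.on_lan_message({"type": "data"})]   # forward
    own = g.probe()
    trace.append(g.on_lan_message(own))                          # shutdown
    trace.append(g.on_lan_message({"type": "data"}))             # drop while down
    g.probe()
    g.probe()
    trace.append(g.active)                                       # still down after 2
    g.probe()
    trace.append(g.active)                                       # up after the 3rd
    trace.append(g.on_lan_message({"type": "data"}))             # forward again
    return trace
```

Nothing in these claims binds the loopback message to its sender, so in a real deployment the interface should treat a received loopback as a reason to investigate the LAN, and an implementation that cannot authenticate the message should at least rate-limit how often it will shut itself down in response to one.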
29. A first network interface for a first local area network (LAN) of a virtual private network (VPN), said VPN comprising a plurality of LANs each interconnected through a network interface to a connectionless network, comprising:
means for receiving conventional LAN data frames on said first LAN, said conventional LAN data frames having destination information;
means for determining an identifier uniquely identifying said VPN;
means for searching a routing table with said destination information and said identifier for a unique address of another network interface of another LAN of said VPN, said unique address comprising an IP address of said another network interface;
means for, if said routing table does not contain said unique address, retrieving a multicast address for all network interfaces of said plurality of LANs of said VPN, said multicast address for said all network interfaces comprising a multicast IP address;
means for encapsulating said conventional LAN data frames with said identifier and one of said unique address and said multicast address; and
means for transmitting said encapsulated frames on said connectionless network.
30. … means for receiving encapsulated frames from said connectionless network;
for each of said received encapsulated frames:
means for generating a conventional LAN data frame from said received encapsulated frame; and
means for transmitting said generated conventional LAN data frame to said first LAN.
31. A Virtual Private Network (VPN) data signal embodied on a carrier wave, said VPN data signal generated from a received conventional LAN data frame, said conventional LAN data frame comprising a LAN destination address, a LAN source address, a LAN payload and a LAN error checking portion, said VPN data signal comprising:
an egress destination address of an egress network interface, said egress network interface servicing an egress destination corresponding to said LAN destination address and wherein said egress destination address comprises an Internet Protocol (IP) address;
an ingress source address of an ingress network interface, said ingress network interface servicing an ingress source corresponding to said LAN source address and wherein said ingress source address comprises an IP address;
said LAN destination address;
said LAN source address;
said LAN payload; and
an error checking portion generated from said egress destination address, said ingress source address, said LAN destination address, said LAN source address and said LAN payload.
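The VPN data signal of claim 31 in bytes, as an added Python example rather than anything from the patent: egress and ingress interface IP addresses, the LAN destination and source addresses, the LAN payload, and an error checking portion computed over all of those fields. The claim fixes the field list but not their widths or the check algorithm, so the 4-byte IPv4 addresses, 6-byte MACs, network byte order and CRC-32 trailer used here are assumptions; the original LAN error checking portion is not carried, consistent with the claim listing an outer check instead.

```python
import struct
import zlib
from ipaddress import IPv4Address
from typing import NamedTuple, Tuple

# Assumed layout: egress IP (4), ingress IP (4), LAN dst MAC (6), LAN src MAC (6),
# variable payload, then a 4-byte CRC-32 over everything before it.
HDR = struct.Struct("!4s4s6s6s")
CRC = struct.Struct("!I")


class VpnSignal(NamedTuple):
    egress_ip: str
    ingress_ip: str
    lan_dst: bytes
    lan_src: bytes
    payload: bytes


def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def pack(sig: VpnSignal) -> bytes:
    """Build the signal; the check covers the encapsulation addresses too, so a
    frame whose egress address was damaged in transit fails at the egress side."""
    body = HDR.pack(IPv4Address(sig.egress_ip).packed,
                    IPv4Address(sig.ingress_ip).packed,
                    sig.lan_dst, sig.lan_src) + sig.payload
    return body + CRC.pack(zlib.crc32(body))


def unpack(wire: bytes) -> VpnSignal:
    """Parse and verify; raise rather than regenerate a LAN frame from bad data."""
    if len(wire) < HDR.size + CRC.size:
        raise ValueError("truncated VPN data signal")
    body, trailer = wire[:-CRC.size], wire[-CRC.size:]
    if zlib.crc32(body) != CRC.unpack(trailer)[0]:
        raise ValueError("error check mismatch")
    egress, ingress, dst, src = HDR.unpack_from(body)
    return VpnSignal(str(IPv4Address(egress)), str(IPv4Address(ingress)),
                     dst, src, body[HDR.size:])


def demo() -> Tuple[bool, bool, int]:
    """Round-trip a constructed frame, then flip one bit in the egress address
    and confirm the receiver rejects it."""
    sig = VpnSignal("10.0.0.2", "10.0.0.1", mac("00:00:00:00:00:b1"),
                    mac("00:00:00:00:00:a1"), b"hello")
    wire = pack(sig)
    round_trip_ok = unpack(wire) == sig
    damaged = wire[:3] + bytes([wire[3] ^ 0x01]) + wire[4:]
    try:
        unpack(damaged)
        detected = False
    except ValueError:
        detected = True
    return round_trip_ok, detected, len(wire)
```

The error checking portion is exactly that: it catches line errors, not tampering, since anyone who can alter the frame can recompute the CRC. Where the connectionless network is not trusted, the same field list is what a keyed MAC would have to cover.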
38. A system of providing communication between a first and a second Local Area Network (LAN), said first and second LANs interconnected by a connectionless network, said system comprising:
a first network interface connecting said first LAN to said connectionless network, said first receiving device for:
receiving conventional LAN data frames;
determining an address of a second network interface responsive to destination information in said received conventional LAN data frames, said second network interface connecting said second LAN to said connectionless network; and
encapsulating said conventional LAN data frames received at said first network interface with said address of said second network interface;
a router for routing said conventional LAN data frames encapsulated with said address to said second network interface over said connectionless network;
said second network interface connecting said second LAN to said connectionless network, said second network interface for:
receiving conventional LAN data frames encapsulated with said address;
re-generating said conventional LAN data frames from said conventional LAN data frames encapsulated with said address; and
transmitting said re-generated conventional LAN data frames to said second LAN; and
wherein said determining an address comprises:
determining an identifier uniquely identifying a virtual private network (VPN) comprising at least said first and second LANs;
accessing a routing table stored at said first network interface;
where possible, retrieving, from said routing table a unique address of said second network interface responsive to a destination address stored in said received LAN data frames and said determined identifier, said unique address comprising an IP address; and
if said routing table does not contain said unique address for said destination information, retrieving a multicast address, said multicast address representative of all LANs forming part of said VPN and comprises an IP multicast address; and
wherein said encapsulating comprises encapsulating said conventional LAN data frames with said determined identifier and one of said unique address of said second network interface and said multicast address; and
wherein said routing comprises:
receiving said encapsulated conventional LAN data frames at a first Network Network Interface (NNI) of said router;
modifying said encapsulated conventional LAN data frames to have a conventional LAN data frame header and LAN data frame payload, said modified encapsulated conventional LAN data frame recognizable by a conventional routing switch of said router;
routing, by said routing switch, said modified encapsulated LAN data frame to a second NNI of said router;
generating, at said second NNI, an encapsulated conventional LAN data frame from said modified encapsulated data LAN data frame; and
transmitting said generated encapsulated conventional LAN data frame to said second network interface.