Domain isolation through virtual network machines

US 7,908,395 B1
Filed: 10/09/2007
Issued: 03/15/2011
Est. Priority Date: 12/24/1998
Status: Expired due to Term

First Claim

Patent Images

1. A network comprising:

a set of subscriber end stations;

a first virtual network;

a set of layered virtual networks, wherein each of the set of layered virtual networks comprises a plurality of nodes and links, wherein each of the set of layered virtual networks is isolated from each other and the first virtual network, and wherein the set of layered virtual networks is layered on top of the first virtual network; and

a single network device coupled between nodes of the set of different layered virtual networks and the set of subscriber end stations, and coupled to the first virtual network, the single network device having,a first independently administrable virtual network database,a set of independently administrable network databases, wherein each of the independently administrable network databases is separate from the first independently administrable virtual network database and other ones of the set of independently administrable network databases,a virtual network machine, communicatively coupled to the first virtual network, wherein the virtual network machine is one of a virtual router and a virtual bridge, and the virtual network machine communicates traffic within the first virtual network according to control and policy information in the first independently administrable virtual network database and with accounting for the virtual network machine, anda set of virtual bridges to communicate a plurality of independent information flows through the single network device, wherein each of the set of virtual bridges belongs to a different one of the layered virtual networks, wherein the set of virtual bridges are virtually independent but share a set of physical resources of the single network device, wherein each of the set of virtual bridges includes a different one of the set of independently administrable network databases with control and policy information for that virtual bridge, wherein the control and policy information comprises layer 2 addressing, layer 2 connectivity, tunneling configuration, and tunneling protocols, wherein each of the set of virtual bridges communicates different ones of the plurality of independent information flows through a tunnel coupled to that virtual bridge based on the control and policy information in the respective independently administrable network database, wherein the set of the virtual bridges performs accounting by recording subscriber end station activity represented by the plurality of independent information flows.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains.

93 Citations

View as Search Results

15 Claims

1. A network comprising:
- a set of subscriber end stations;
  
  a first virtual network;
  
  a set of layered virtual networks, wherein each of the set of layered virtual networks comprises a plurality of nodes and links, wherein each of the set of layered virtual networks is isolated from each other and the first virtual network, and wherein the set of layered virtual networks is layered on top of the first virtual network; and
  
  a single network device coupled between nodes of the set of different layered virtual networks and the set of subscriber end stations, and coupled to the first virtual network, the single network device having,a first independently administrable virtual network database,a set of independently administrable network databases, wherein each of the independently administrable network databases is separate from the first independently administrable virtual network database and other ones of the set of independently administrable network databases,a virtual network machine, communicatively coupled to the first virtual network, wherein the virtual network machine is one of a virtual router and a virtual bridge, and the virtual network machine communicates traffic within the first virtual network according to control and policy information in the first independently administrable virtual network database and with accounting for the virtual network machine, anda set of virtual bridges to communicate a plurality of independent information flows through the single network device, wherein each of the set of virtual bridges belongs to a different one of the layered virtual networks, wherein the set of virtual bridges are virtually independent but share a set of physical resources of the single network device, wherein each of the set of virtual bridges includes a different one of the set of independently administrable network databases with control and policy information for that virtual bridge, wherein the control and policy information comprises layer 2 addressing, layer 2 connectivity, tunneling configuration, and tunneling protocols, wherein each of the set of virtual bridges communicates different ones of the plurality of independent information flows through a tunnel coupled to that virtual bridge based on the control and policy information in the respective independently administrable network database, wherein the set of the virtual bridges performs accounting by recording subscriber end station activity represented by the plurality of independent information flows.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network of claim 1, wherein the virtual network machine control and policy information comprises layer 2 addressing, layer 2 connections, traffic filter policies, bridging configuration, bridge filters, layer 3 addressing, layer 3 connections, address translation policies, routing configuration, routing protocols, route filters and policies, tunneling configuration, and tunneling protocols.
  - 3. The network of claim 1, wherein the virtual bridge control and policy information further comprises traffic filter policies, bridging configuration, and bridge filters.
  - 4. The network of claim 1, wherein each of the set of virtual bridges communicates the plurality of independent information flows according to layer 2 wide area network protocols.
  - 5. The network of claim 1, wherein a same administrative authority administers more than one of the different layered virtual networks.

6. A single network device to act as an intermediate station comprising:
- a first independently administrable virtual network database;
  
  a set of independently administrable network databases, wherein each of the independently administrable network databases are separate from each other and the first independently administrable virtual network database; and
  
  a non-transitory machine-readable medium having stored therein a set of instructions to cause the single network device to,instantiate a virtual network machine communicatively coupled to a first virtual network, wherein the virtual network machine is one of a virtual router and a virtual bridge, and the virtual network machine communicates traffic within the first virtual network according to control and policy information in the first independently administrable virtual network database and with accounting for the virtual network machine,instantiate a plurality of virtual bridges to communicate a plurality of independent information flows through the single network device, wherein the plurality of virtual bridges are virtually independent but share a set of physical resources, wherein each of the plurality of virtual bridges belongs to a different layered virtual network, wherein the different layered virtual networks are layered on the first virtual network, wherein each of the plurality of virtual bridges includes a different one of the set of independently administrable network databases, wherein each of the set of independently administrable network databases includes control and policy information defined for its one of the different layered virtual networks, wherein the control and policy information comprises layer 2 addressing, layer 2 connectivity, tunneling configuration, and tunneling protocols, and wherein each of the different layered virtual networks is isolated from other ones of the different layered virtual networks, andfor each of the different layered virtual networks, instantiate at least one tunnel communicatively coupled to one of the plurality of virtual bridges belonging to that layered virtual network,communicate different ones of the plurality of information flows through the tunnels of the different ones of the plurality of virtual bridges based on the control and policy information in the independently administrable databases of those virtual bridges, andperform accounting by recording user activity represented by the plurality of information flows.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The single network device of claim 6, wherein the virtual network machine control and policy information comprises layer 2 addressing, layer 2 connections, traffic filter policies, bridging configuration, bridge filters, layer 3 addressing, layer 3 connections, address translation policies, routing configuration, routing protocols, route filters and policies, tunneling configuration, and tunneling protocols.
  - 8. The single network device of claim 6, wherein the virtual bridge control and policy information further comprises traffic filter policies, bridging configuration, and bridge filters.
  - 9. The single network device of claim 6, wherein each of the plurality of virtual bridges communicates different ones of the plurality of information flows according to layer 2 wide area network protocols.
  - 10. The single network device of claim 6, wherein a same administrative authority can administer more than one of the different layered virtual networks.

11. A computerized method comprising:
- instantiating in a single network device a virtual network machine communicatively coupled to a first virtual network, wherein the virtual network machine is one of a virtual router and a virtual bridge, and the virtual network machine forwards traffic within the first virtual network according to control and policy information in an independently administrable virtual network database and with accounting for the virtual network machine;
  
  instantiating in the single network device a plurality of virtual bridges to communicate a plurality of independent information flows through the single network device, wherein the plurality of virtual bridges are virtually independent but share a set of physical resources, wherein each of the plurality of virtual bridges belongs to a different layered virtual network, wherein the different layered virtual networks are layered on the first virtual network, wherein each of the different layered virtual networks is isolated from other ones of the different layered virtual networks, wherein each of the plurality of virtual bridges includes a different independently administrable network database in the single network device, wherein the independently administrable network databases are separate from each other and the virtual network database, wherein each of the independently administrable network databases includes control and policy information defined for its one of the different layered virtual networks, and wherein the control and policy information comprises layer 2 addressing, layer 2 connectivity, tunneling configuration, and tunneling protocols; and
  
  for each of the different layered virtual networks, instantiating at least one tunnel communicatively coupled to the one of the plurality of virtual bridges belonging to that layered virtual network,communicating different ones of the plurality of independent information flows through the tunnels of the different ones of the plurality of virtual bridges based on the control and policy information in the independently administrable network databases of those virtual bridges,performing accounting by recording user activity represented by the plurality of information flows.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computerized method of claim 11, wherein the virtual network machine control and policy information comprises layer 2 addressing, layer 2 connections, traffic filter policies, bridging configuration, bridge filters, layer 3 addressing, layer 3 connections, address translation policies, routing configuration, routing protocols, route filters and policies, tunneling configuration, and tunneling protocols.
  - 13. The computerized method of claim 11, wherein the virtual bridge control and policy information further comprises traffic filter policies, bridging configuration, and bridge filters.
  - 14. The computerized method of claim 11, wherein each of the plurality of virtual bridges communicates different ones of the plurality of independent information flows according to layer 2 wide area network protocols.
  - 15. The computerized method of claim 11, wherein an administrative authority can administer one or more of the set of other virtual networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Inventors
Salkewicz, William
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
PATEL, CHIRAG R

Application Number

US11/869,746
Time in Patent Office

1,253 Days
Field of Search

709/238, 370/401
US Class Current

709/238
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/00   Arrangements for maintenanc...

Domain isolation through virtual network machines

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Domain isolation through virtual network machines

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others