WO2003073283A1 - System and method for routing a cross segments of a network switch - Google Patents


Info

Publication number: WO2003073283A1
Authority: WO, WIPO (PCT)
Prior art keywords: frame, network, subnet, switch, port
Application number: PCT/US2003/004878
Other languages: French (fr)
Inventor: Michael S. Goldflam
Original Assignee: Globespanvirata Incorporated
Priority claimed from: US10/063,468 (published as US20030210696A1)
Application filed by Globespanvirata Incorporated
Priority to: AU2003216304A
Publication of WO2003073283A1

Classifications

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L12/467 Arrangements for supporting untagged frames, e.g. port-based VLANs (H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN])
    • H04L49/604 Hybrid IP/Ethernet switches (H04L49/00 Packet switching elements > H04L49/60 Software-defined switches)
    • H04L49/201 Multicast operation; Broadcast operation (H04L49/00 Packet switching elements > H04L49/20 Support for services)
    • H04L49/205 Quality of Service based (H04L49/00 Packet switching elements > H04L49/20 Support for services)
    • H04L49/25 Routing or path finding in a switch fabric (H04L49/00 Packet switching elements)
    • H04L49/354 Switches specially adapted for supporting virtual local area networks [VLAN] (H04L49/00 Packet switching elements > H04L49/35 Switches specially adapted for specific applications)

Definitions

  • the present invention relates generally to providing connectivity between segments of a network, and more particularly to using a switch to route data between segments of a network.
  • When providing connectivity between various network components of one or more networks connected to a gateway, it is often desirable to segregate groups of one or more network components into separate subnets. By providing separate subnets, various higher-level functions or operations can be performed by the gateway on data transmitted between the subnets. For example, the gateway could place an email server in a different subnet than an intranet of personal computers, thereby providing a secure network segment (also known as a "demilitarized zone" or secure perimeter network) between the intranet of personal computers (PCs) and the email server. As a result, external network components can access the internal email server without being able to access the intranet of PCs. Likewise, segments of a network can be separated into different subnets to prevent a high data flow on one network segment from degrading the bandwidth of another network segment.
  • a secure network segment also known as a "demilitarized zone" or secure perimeter network
  • the disclosed technique mitigates or solves the above-identified limitation in known implementations, as well as other unspecified deficiencies in the known implementations.
  • the switch chip can be adapted to prevent the forwarding of data between the Ethernet segments that are to be routed or otherwise processed at a higher-level. All frames that are to be routed or further processed are provided to, and processed by, the host processor. This includes unicast, multicast, and broadcast packets.
  • the switch chip is adapted to identify from which Ethernet segment a frame was received before passing data up through a network layer stack, such as Internet Protocol (IP).
  • IP Internet Protocol
  • implementations of the present invention generally identify the Ethernet segment by which the switch chip is to output frames from the host processor, including unicast, multicast, and broadcast packets.
  • a gateway for routing frames across multiple subnets is provided, the gateway being in electrical communication with a plurality of network segments, and each network segment is associated with at least one of the subnets.
  • the gateway comprises a processor and a network switch in electrical communication with the processor and having a plurality of ports, each port associated with one of the network segments, the network switch being adapted to receive, at a first port, a frame from a first network segment associated with a first subnet, associate a source indicator with the frame, the source indicator including an identifier representative of the first subnet, and provide the frame and the source indicator to the processor when an intended destination of the frame is a second subnet different from the first subnet.
  • the processor is adapted to perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
  • a gateway coupled to the first and second network segments is provided in accordance with another embodiment of the present invention.
  • the gateway comprises a network switch in bidirectional communication with a processor, wherein the network switch is adapted to provide a frame received via a first port and a source indicator to the processor when an intended destination of the frame includes the second subnet, the source indicator being representative of the first subnet, and wherein the processor is adapted to perform at least one higher-level function using the frame based at least in part on the source indicator to generate a modified frame.
  • a network switch having at least three ports is provided in accordance with at least one embodiment of the present invention.
  • Each port is coupled to a separate network segment, the at least three ports including a first port coupled to a first network segment, the first network segment being associated with a first subnet, a second port coupled to a second network segment, the second network segment being associated with a second subnet, and a third port coupled to a processor, where the first port is adapted for bi-directional communication between the third port and the first network segment and the second port is adapted for bidirectional communication between the third port and the second network segment.
  • the network switch is adapted to associate a source indicator with a frame received from the first port, the source indicator representing the first subnet, and provide the frame and the source indicator to the processor via the third port when an intended destination of the frame is the second subnet.
  • a processor in electrical communication with the network switch is provided in accordance with yet another embodiment of the present invention.
  • the processor is adapted to receive a frame and a source indicator associated with the frame from the network switch, the source indicator being representative of a source subnet of the frame, perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame and associate a destination indicator with the modified frame, the destination indicator being representative of at least one intended destination subnet of the modified frame.
  • the processor is further adapted to provide the modified frame and the destination indicator to the network switch for output to the at least one intended destination subnet.
  • a method to route at least one frame from a first subnet to a second subnet using a network switch comprises the steps of receiving, at a first port of the network switch, a frame from a first network segment associated with the first subnet, wherein an intended destination of the frame includes a second network segment associated with the second subnet, providing the frame and a source indicator from the network switch to a processor, the source indicator being representative of the first subnet, and performing, at the processor, at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
  • a method for routing frames of data across switched Ethernet segments comprises the steps of receiving, at a first port of an Ethernet switch, a frame from a first Ethernet segment, wherein the first port is associated with a first VLAN and where the frame is intended for receipt by a network component of a second Ethernet segment associated with a second VLAN, associating, at the Ethernet switch, a source indicator with the frame, the source indicator including a first VID associated with the first VLAN, and providing the frame and the source indicator from the Ethernet switch to an application stack of a processor via a first channel, wherein the first channel is associated with the first VID.
  • the method further comprises the steps of performing, at the application stack, at least one higher-level function based at least in part on the source indicator to generate a modified frame, associating a destination indicator with the modified frame, wherein the destination indicator includes a second VID associated with the second VLAN, and providing the modified frame and the destination indicator from the application stack to the network switch.
  • the method additionally includes the step of providing the modified frame to a second port of the network switch associated with the second VLAN for output to the second Ethernet segment based at least in part on the second VID of the destination indicator.
  • Figure 1 is a block diagram illustrating a system for routing data across multiple network segments in accordance with at least one embodiment of the present invention
  • Figure 2 is a block diagram illustrating a mechanism for associating the ports of a network switch with different virtual local area networks in accordance with at least one embodiment of the present invention.
  • Figure 3 is a block diagram illustrating a mechanism for providing frames from one network segment to another network segment using virtual local area networks in accordance with at least one embodiment of the present invention.
  • FIGS 1-3 illustrate a method and a system for using a network switch to route frames between network segments.
  • one or more frames from one network segment are provided to one of a plurality of ports of a network switch.
  • the network switch provides each frame to a processor as it is received when the source and destination of the frame are on different subnets or the frame is intended for the processor.
  • the processor in one embodiment, then performs one or more higher-level functions using a received frame, such as routing, Internet Protocol Security (IPSec) or network address translation (NAT).
  • IPSec Internet Protocol Security
  • NAT network address translation
  • After modifying the frame as a result of the performance of the one or more higher-level functions, the processor provides the modified frame back to the network switch for output on a port connected to the intended destination of the frame.
  • the network switch utilizes port-based virtual local area networks (VLANs) to prevent frames received at one port of the network switch from being directly sent out another port when the frames have different source and destination subnets.
  • VLANs virtual local area networks
  • the network switch can use the VLANs to indicate to the processor the source subnet of the frame.
  • each port of the network switch can be assigned to a certain VLAN (representing a certain subnet), and as a frame is received at a certain port, the network switch associates the port's VLAN identification (VID) with the frame to indicate the source VLAN/subnet of the frame.
  • VID VLAN identification
  • the processor can use the VLAN capability of the network switch to indicate to the network switch the particular port or ports that are to be used to output a frame to one or more network segments attached to the particular port/ports. In this case, the processor can associate the VID of the destination VLAN/subnet with a frame and provide this destination indicator and the frame to the network switch.
  • the network switch, using the VID of the destination indicator, outputs the frame on the one or more ports associated with the VLAN having the VID of the destination indicator.
  • frame refers to any logical segmentation of data transmitted over a networked medium, and usually includes a source address, a destination address, a data payload, and an error correction field, as well as various other fields. Examples of frames include Ethernet frames, IP packets, Asynchronous Transfer Mode (ATM) frames, and the like.
  • ATM Asynchronous Transfer Mode
  • the system 100 includes one or more subnets 102-106 connected to a gateway 120.
  • the subnets 102-106 each can include one or more network segments having one or more network components, where a network component can include any component or device adapted to communicate with another component or device over a network, such as a server, a hub, a router, a bridge, a switch, a terminal, a PC, and the like.
  • the subnet 102 includes a wide area network (WAN) 150 and the subnet 104 includes a data server 108, such as a file transfer protocol (FTP) server or simple mail transfer protocol (SMTP) server.
  • the subnet 106 includes two network segments, one including PCs 110-114 connected via a hub 122 to the gateway 120 and a PC 116 connected separately to the gateway 120.
  • the number and type of subnets connected to the gateway 120 and/or the number and type of network components of the subnets are illustrated for exemplary purposes.
  • the present invention may be implemented with any number or type of subnets and any combination of network components on a subnet using the guidelines provided herein.
  • the gateway 120 can include any of a variety of devices utilized to connect two or more networks or subnets together, such as a digital subscriber line (xDSL) modem, a firewall, a gateway, a router, a bridge, and the like.
  • the gateway 120 can include a combination bridge/router adapted to provide a communication link between the Internet (one embodiment of the WAN 150 of the subnet 102) and the network components of the subnets 104, 106.
  • the gateway 120 includes a network switch 130 connected to a communications processor 140.
  • the switch 130 includes a plurality of ports 132-138, each coupled to one of the network segments or network components of the subnets 102-106.
  • the ports 132-138 can include ports adapted to support any of a variety of network architectures, such as Ethernet, token ring, asynchronous transfer mode (ATM), and the like.
  • ATM asynchronous transfer mode
  • One example of an appropriate switch 130 is an Ethernet switch having the trade designation KS8993 available from Kendin Communications, Inc. of Sunnyvale, California.
  • the number of ports of the switch 130 is exemplary. Implementations of the present invention can utilize network switches having any number of ports without departing from the spirit or the scope of the present invention.
  • the communications processor 140 can include any of a variety of processing devices adapted to modify frames of data for networking purposes, where modification of frames can include, but is not limited to, routing frames, switching frames, bridging frames, as well as performing higher-level functions, such as network address translation (NAT) or encryption.
  • the communications processor 140, herein referred to as the processor 140, can include a processor specifically designed for communications processing, such as an application specific integrated circuit (ASIC), a general purpose processor adapted to execute a set of executable instructions appropriate for handling of network data, a communications-specific microprocessor or microcontroller, or a combination thereof.
  • ASIC application specific integrated circuit
  • One such implementation includes a communications processor available under the trade designation Helium 200 from GlobeSpanVirata, Inc. of Red Bank, New Jersey.
  • the processor 140 can be implemented as a combination of discrete logic components.
  • the gateway 120 can be adapted to perform a variety of functions within the system 100.
  • the gateway 120 is adapted to route frames between separate subnets.
  • the gateway 120 can be utilized to route frames from the network components of the subnets 104, 106 to the WAN 150 of the subnet 102, and vice versa.
  • the gateway 120 can be adapted to function as a bridge by bridging frames between network segments of the same subnet.
  • frames received via the port 138 from the PC 116 can be bridged to the PC 110 via the port 136 and the hub 122.
  • Frames from the PCs 110-114 likewise can be bridged to the PC 116 via ports 136, 138 of the gateway 120.
  • the gateway 120 can perform various higher-level operations while switching/bridging/routing frames between network segments.
  • the gateway 120 can act as a firewall between the WAN 150 and the subnets 104, 106 by providing network address translation (NAT) on frames from the subnets 104, 106 to the WAN 150 and on frames from the WAN 150 intended for one or more of the network components of the subnets 104, 106.
  • the gateway 120 can be adapted to implement the subnet 104 as a secure perimeter network, thereby allowing external access to the data server 108 from the subnet 102 without sacrificing the security of the subnet 106.
  • the gateway 120 can be adapted to provide a variety of other higher-level functions, whereby a higher-level function, as defined herein, includes any function, process, or operation performed at Layer 3 (the Network layer) or higher of the Open Systems Interconnection (OSI) Network Model.
  • Higher-level functions can include routing, NAT, Internet Protocol Security (IPSec), encryption, filtering, and the like.
  • each frame received at any of the ports 132-138 is filtered based at least in part on its intended destination. If the final destination of a received frame is located on the same network segment as the source of the frame, the switch 130 can be adapted to drop the frame. For example, if the PC 110 were to transmit a frame intended for the PC 114, the frame typically would be received by one port of the hub 122 and retransmitted out all of the other ports of the hub 122, one of which is connected to the port 136.
  • When the switch 130 receives this frame, it can determine from its learning table, for example, that the source and destination of the frame are on the same network segment, so the switch 130 can drop the frame. If the intended destination of a received frame is located on the same subnet but a different network segment, then the switch 130 can be adapted to forward (i.e., switch) the frame between the source port and the destination port. For example, assume the PC 116 transmits a frame intended for the PC 112. The frame is received at the port 138 of the switch 130. The switch 130, noting that the port (port 138) associated with the source and the port (port 136) associated with the destination are in the same subnet 106, forwards the frame directly from port 138 to port 136 for output.
  • When a frame received at the switch 130 has an intended destination that is in a different subnet than the source of the frame, or when the frame is intended for the processor 140, the switch 130, in at least one embodiment, is adapted to provide the frame to the processor 140 via the port 142.
  • the processor 140 then can perform one or more higher-level functions (which typically modify the frame) and then provide the modified frame back to the switch 130 for output on the port associated with the intended destination of the modified frame. For example, assume that PC 116 transmits a frame intended for the server 108. Since the PC 116 and the server 108 are on different subnets, the switch 130, in one embodiment, is adapted to provide the frame to the processor 140 for routing of the frame, as well as any other appropriate higher-level functions.
  • modify can include any of a variety of functions or processes performed on a frame by the processor 140.
  • the processor 140 typically replaces the media access control (MAC) header and updates the Time to Live field and checksum in the IP header when routing an Ethernet frame from one subnet to another.
  • MAC media access control
  • the processor 140 typically modifies the source or destination IP address along with other fields within the frame.
  • the higher-level functions provided by the processor 140 can include frame/packet filtering, network address translation (NAT), IPSec, implementation of a firewall between the WAN 150 and the subnets 104, 106, and the like.
  • NAT network address translation
  • IPSec Internet Protocol Security
  • a frame received at port 132 that is intended for subnet 104 would be directly provided to port 134 if the switch 130 operated as a conventional network switch.
  • the processor 140 can perform a desired operation on the frame, such as NAT, before providing the frame back to the network switch 130 for output on port 134.
  • the processor 140 modifies/processes the frame by replacing the MAC header and updating the IP header and provides the modified frame to the switch 130. Additionally, in at least one embodiment, the processor 140 associates a destination indicator with the modified frame that is used by the switch 130 to determine which of ports 132-138 the modified frame is to be output on. Using this destination indicator, the switch 130 determines that the intended destination of the frame is connected to the port 134 and therefore provides the modified frame to the port 134 for output to the server 108.
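The routing modification described above (replace the MAC header, decrement the IP Time to Live, recompute the IP header checksum) is shown here as an added worked example in Python; it is not code from the patent or from any GlobeSpanVirata product. The Ethernet and IPv4 header layouts are the standard ones; the MAC addresses and IP addresses are constructed test values, and the decision to silently drop frames with a bad checksum or an expiring TTL is an assumption about how the processor 140 would behave.

```python
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the IPv4 header.

    Computed over a header whose checksum field is zero it yields the value to store;
    computed over a header that already carries a correct checksum it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip: bytes, dst_ip: bytes, ttl: int,
                      payload: bytes = b"", proto: int = 17) -> bytes:
    """Constructed test input: a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: destination, source, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def route_step(frame: bytes, egress_mac: bytes, next_hop_mac: bytes) -> Optional[bytes]:
    """Apply the routing part of the processor's higher-level function to one frame.

    Returns the modified frame (new MAC header, TTL-1, fresh checksum), or None when the
    frame must be discarded instead of forwarded.
    """
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                         # not IPv4: nothing to route here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None                         # malformed header length
    hdr = bytearray(ip[:ihl])
    if ipv4_checksum(bytes(hdr)) != 0:
        return None                         # corrupted header: never forward it
    if hdr[8] <= 1:
        return None                         # TTL would hit 0: drop (a real router also emits ICMP Time Exceeded)
    hdr[8] -= 1                             # decrement Time to Live
    hdr[10:12] = b"\x00\x00"                # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    # replace the MAC header: the gateway's own MAC on the egress segment becomes the source,
    # the next hop (or final host) on the destination subnet becomes the destination
    return ethernet(next_hop_mac, egress_mac, ETHERTYPE_IPV4, bytes(hdr) + ip[ihl:])
```

The full recomputation is deliberate: an incremental update of the checksum is cheaper, but a processor that never verifies the incoming checksum would happily forward a frame that was already corrupted on the source segment.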
  • In another example, assume that a frame from the PC 116 is received by the switch 130 via the port 138, where the frame is intended for a data server on the WAN 150 of the subnet 102.
  • The switch 130, noting that the source subnet and the destination subnet are different, then forwards the frame to the processor 140 via the port 142 along with a source indicator representative of the source subnet of the frame.
  • the gateway 120 is implemented as a firewall between the WAN 150 and the subnets 104, 106.
  • The processor 140, noting the source subnet, performs a NAT operation on the frame and provides the modified frame to the switch 130 along with a destination indicator that the frame is intended for output via the port 132. Based at least in part on this destination indicator, the switch 130 outputs the modified frame on the port 132 for reception by the data server on the WAN 150.
  • frames received at the switch 130 may be intended for the processor 140.
  • the gateway 120 could be adapted to monitor the status of the network components of the system 100.
  • the processor 140 could be adapted to generate "ping" packets to test the connectivity between the processor 140 and the components 108, 110-116, and 150. Upon receipt of a ping packet, each of these components typically would send a response packet to the processor 140 via the network switch 130. Accordingly, the processor 140 can be viewed as a network segment for the provision of frames by the network switch 130.
  • the switch 130 can be adapted to forward the frame to the processor 140 as though the processor 140 were another network segment.
  • In FIGs 2-3, various mechanisms to route data between the subnets 102-106 are illustrated in accordance with at least one embodiment of the present invention.
  • various embodiments of the present invention are discussed herein in the context of Ethernet network architectures, such as 10BaseT, 100BaseTX, 100BaseFX, and the like.
  • the present invention may be implemented using other network architectures known to those skilled in the art. Accordingly, any reference made herein to an Ethernet architecture also applies to other network architectures, unless otherwise noted.
  • the switch 130 is adapted to provide all frames received at the ports 132-138 that have different source and destination subnets, as well as frames intended for the processor 140, to the processor 140 for the application of one or more higher-level functions.
  • the switch 130 can be adapted to associate a source indicator with the frame prior to providing the frame to the processor 140.
  • the processor 140 can then utilize this indicator value to determine the source subnet of the frame and handle the frame accordingly.
  • the processor 140 can be adapted to include a destination indicator with a frame that has been handled by the processor before the frame is provided back to the switch 130.
  • the switch 130 in this case, can use the destination indicator to determine which of the ports 132-138 is to be used to output the frame to its intended destination.
  • a virtual local area network (VLAN) scheme is utilized to provide the source indicator and/or the destination indicator.
  • the switch 130 is adapted to support port-based VLANs, such as a VLAN implementation in accordance with the IEEE 802.1Q standard.
  • the switch 130 can assign the ports 132-138 to one or more VLANs.
  • the ports 132-138 are assigned to a VLAN based at least in part on the subnet associated with each port. In the illustrated embodiment, since the port 132 is associated with the subnet 102 and the port 134 is associated with the subnet 104, the port 132 is assigned to the VLAN 202 and the port 134 is assigned to the VLAN 204.
  • the ports 136, 138 can be assigned to the same VLAN.
  • the ports 136, 138 and their associated subnet 106 of the exemplary implementation illustrated in Figure 1 are omitted for ease of illustration.
  • network switches implementing VLANs are prevented from forwarding frames between ports having mutually exclusive VLAN memberships.
  • Since the port 132 belongs to a different VLAN than the port 134, there typically is no way for frames from the WAN 150 to be forwarded directly to the data server 108 by the switch 130.
  • Likewise, frames from the data server 108 are not forwarded directly to the WAN 150 by the switch 130.
  • Since ports 136, 138 belong to the same VLAN, a frame received at one of the ports 136, 138 can be forwarded by the switch 130 directly to the other port without necessitating the involvement of the processor 140.
  • Since ports 132, 134 have a mutually exclusive VLAN membership, frames typically are not directly switched between port 132 and port 134 of the switch 130. Likewise, since ports 136, 138 belong to a different VLAN than either the port 132 or the port 134, frames typically cannot be directly switched between ports 136, 138 and either port 132 or port 134. Since the processor 140, in one embodiment, directs the switch 130 to assign the port 142 to all of the VLANs of the ports 132-138, frames having differing source and destination subnets and frames intended for the processor 140 (i.e., frames that need to be routed and/or otherwise modified) can be provided from the source port to port 142 for output to the processor 140.
  • port 132 is assigned to the VLAN 202
  • the port 134 is assigned to the VLAN 204
  • the port 142 is assigned to both the VLAN 202 and the VLAN 204. Accordingly, any frame received via the port 132 that needs to be routed or modified is forwarded to the port 142 since the port 132 and the port 142 belong to the same VLAN 202.
  • any frame received via the port 134 that needs to be routed or modified is provided to the port 142 since they also share the same VLAN 204.
  • all frames received at the ports 132, 134 that need to be routed or modified are forwarded to the processor 140 via the port 142 and are prevented from being provided directly to the other port.
  • the line 222 demonstrates that frames received at port 132 (from VLAN 202) are provided from the port 132 to the port 142 since they both are in the same VLAN. Likewise, frames from the port 142 intended for the WAN 150 can be forwarded from the port 142 to the port 132 due to their mutual VLAN membership.
  • the line 224 illustrates a similar frame transfer between the data server 108 connected to the port 134 and the processor 140 connected to the port 142. Since the port 142 is a member of the VLAN 204, frames received at the port 134 can be forwarded to the port 142, and vice versa.
  • The switch 130, in one embodiment, is adapted to prevent the direct transfer (illustrated by line 226) of frames from the port 132 to the port 134 and from the port 134 to the port 132, since the ports 132, 134 are members of different VLANs.
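The forwarding rules described for the switch 130 (drop a frame whose destination sits on the same segment, switch it when source and destination ports share a VLAN, hand it to the port 142 with the ingress port's VID otherwise, and on the way back let the processor's destination VID choose the output port) are modelled here as an added Python example. It is not code from the patent or from the KS8993/KS8995E switch; the port numbers follow Figure 1, VIDs 1 and 2 for VLANs 202 and 204 follow the page's own suggestion, VID 3 for the ports 136/138 subnet is an assumption, and the MAC address strings are constructed test values. A host on one subnet that wants to reach another subnet addresses its frame to the gateway's MAC, which the switch learns on port 142, so the "different subnet" case is the case where the destination MAC belongs to the processor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PROC_PORT = 142   # port facing the host processor; numbering follows the page's Figure 1


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None   # source indicator (set by the switch) or destination indicator (set by the host)


class PortVlanSwitch:
    """Port-based VLAN switch model: the ingress port, never the frame itself, decides the VID."""

    def __init__(self, membership: Dict[int, Set[int]]):
        self.membership = membership            # port -> VIDs the port is a member of
        self.learned: Dict[str, int] = {}       # learning table: MAC -> port it was last seen on

    def _members(self, vid: int, exclude: int) -> List[int]:
        return sorted(p for p, vids in self.membership.items() if vid in vids and p != exclude)

    def ingress(self, port: int, frame: Frame) -> Tuple[str, List[int], Frame]:
        """Forwarding decision for a frame arriving on an edge port.

        Returns (action, output ports, frame carrying the ingress VID as its source indicator).
        """
        if port == PROC_PORT:
            raise ValueError("frames from the processor go through egress_from_processor()")
        self.learned[frame.src_mac] = port
        (vid,) = self.membership[port]          # an edge port belongs to exactly one VLAN
        tagged = Frame(frame.src_mac, frame.dst_mac, vid)
        dst_port = self.learned.get(frame.dst_mac)
        if dst_port == port:
            return "drop", [], tagged           # same segment: the hub already delivered it
        if dst_port is not None and vid in self.membership[dst_port]:
            # same VLAN: switch directly; the only port outside the subnet that shares the VID is 142
            return ("to_processor" if dst_port == PROC_PORT else "switch"), [dst_port], tagged
        # unknown destination, or one known only on a port outside this VLAN: flood inside the VLAN
        return "flood", self._members(vid, port), tagged

    def egress_from_processor(self, frame: Frame) -> List[int]:
        """The host hands back a modified frame plus a destination VID; the switch acts on the VID only."""
        if frame.vid is None:
            raise ValueError("frame from the processor must carry a destination indicator (VID)")
        self.learned[frame.src_mac] = PROC_PORT
        dst_port = self.learned.get(frame.dst_mac)
        if dst_port is not None and dst_port != PROC_PORT and frame.vid in self.membership[dst_port]:
            return [dst_port]
        return self._members(frame.vid, PROC_PORT)


def build_figure1_switch() -> PortVlanSwitch:
    """Membership for the page's example: VID 1 = VLAN 202 (WAN, port 132), VID 2 = VLAN 204
    (data server, port 134). VID 3 for ports 136/138 and port 142's membership in every VLAN
    are assumptions that match the text's description, not values taken from the page."""
    return PortVlanSwitch({132: {1}, 134: {2}, 136: {3}, 138: {3}, PROC_PORT: {1, 2, 3}})
```

Two properties worth checking against any real switch configured this way: a frame from the WAN port whose destination MAC is known on port 134 still cannot reach 134, because the only other member of VID 1 is port 142; and a frame handed back by the processor goes where its destination VID says, even when the learning table knows the destination MAC on a port in another VLAN.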
  • In FIG. 3, an exemplary operation of the gateway 120 is illustrated in accordance with at least one embodiment of the present invention wherein a frame 302 from the server 108 is routed by the gateway 120 for delivery to the WAN 150.
  • the data server 108 provides an Ethernet frame (frame 302) to the gateway 120, where the frame 302 is intended for receipt by a network component on the WAN 150.
  • the switch 130 identifies the source subnet based on the port (port 134) used to receive the frame and associates a source indicator 306 with the frame 302 based at least in part on the source subnet identified.
  • the switch 130 utilizes port-based VLANs, as discussed in Figure 2, to assign a VLAN identification (VID) to the source indicator 306 associated with the frame 302.
  • VID VLAN identification
  • the VID is added as an IEEE 802.1Q VID value to the Tag Control Information (TCI) field following the source address field and the destination address field of the Ethernet frame.
  • the switch 130 could assign a VID of 1 to the VLAN 202 and a VID of 2 to the VLAN 204.
  • any frame received via the port 132 is assigned a VID of 1 in the TCI field of the frame and a frame received via the port 134 is assigned a VID of 2 in its TCI field.
  • the VID can be added as an IEEE 802.1p priority value.
  • Other methods of indicating a VLAN to which a certain frame belongs may be used without departing from the spirit or the scope of the present invention.
  • the switch 130 provides the frame 302 (with the source indicator 306) to the port 142 for output to the processor 140.
  • the frame 302 is received at the processor 140 by an interface 324 implemented as part of, or connected to, the processor 140.
  • the interface 324 includes an Ethernet media access control (MAC) interface integrated as part of the processor 140 and the port 142 includes an interface compatible with the Ethernet MAC interface, such as a Media Independent Interface (MII).
  • MAC Ethernet media access control
  • MII Media Independent Interface
  • Certain implementations of the switch 130 can be adapted to convert one port into an interface compatible with an Ethernet MAC interface through an MII.
  • the switch 130 could include an Ethernet switch available under the trade name KS8995E from Kendin Communications, Inc.
  • This exemplary Ethernet switch includes five ports, where one of the five ports can be converted into an MII compatible with an Ethernet MAC interface.
  • the four non-convertible ports can be implemented as the ports 132-138, and the fifth port can be converted to an MII for implementation as the port 142 to interface with the Ethernet MAC interface (one embodiment of the interface 324) of the processor 140.
  • the processor 140 includes a switch driver 310 and an application stack 320 for handling and modifying frames received from the switch 130.
  • the switch driver 310 includes a device driver for the switch 130 that is adapted to receive a frame from the interface 324, remove or disassociate any indicators, such as the source indicator 306 from the frame, if necessary, and provide the frame to the application stack 320.
  • the application stack 320 includes one or more protocol stacks, such as an Internet Protocol (IP) stack, as well as any higher-level application layers.
  • the switch driver 310 and the application stack 320 can be implemented as software, firmware, hardware, or a combination therein.
  • the switch driver 310 includes a first set of executable instructions and the application stack 320 includes a second set of executable instructions, both sets performed by the processor 140.
  • In order to route across all of the ports of the switch 130, the switch driver 310 generally must bind multiple channels to the application stack 320, one channel for each of the ports 132, 134. Ports 136 and 138, in this example, are combined into a single channel since they are both associated with the same subnet. Accordingly, in at least one embodiment, the switch driver 310 includes a virtual driver 312 associated with the port 132 and a virtual driver 314 associated with the port 134 (as well as a virtual driver for the ports 136, 138, omitted for ease of illustration).
  • Each of the virtual drivers 312, 314 is bound to the application stack 320 as a separate channel, resulting in a separate channel between the switch driver 310 and the application stack 320 for each of the ports 132, 134. From the perspective of the application stack 320, two separate network interfaces are attached. Accordingly, the application stack 320 can route frames between the ports 132, 134 using the channels provided by the virtual drivers 312, 314.
  • the switch driver 310 can determine which one of the virtual drivers 312, 314 is associated with the port used to receive the frame 302. This can be accomplished by analyzing the source indicator 306. For example, if the switch 130 placed a VID value representing VLAN 204 into the TCI field of the frame 302, the switch driver 310 can access this value and determine the virtual driver associated with the VLAN 204, which, in this case, is the virtual driver 314. After the switch driver 310 identifies the virtual driver 314, the switch driver 310, in one embodiment, strips the source indicator 306 from the frame 302 and provides the frame 302 to the application stack 320 for bridging/routing/security processing and/or further processing.
  • the application stack 320 in at least one embodiment, is adapted to provide one or more desired higher-level functions in addition to being adapted to route/bridge/switch frames.
  • the application stack 320 can route the frame 302, perform NAT on the frame 302, filter the frame 302, encrypt the payload of the frame 302, and the like.
  • the modified frame is provided over the appropriate channel to the switch driver 310 as modified frame 304.
  • the channel associated with the destination address of the modified frame 304 (the address of the network component on WAN 150) is supported by the virtual driver 312. Accordingly, the application stack 320 provides the modified frame 304 to the switch driver 310 using the virtual driver 312.
  • the switch driver 310 associates a destination indicator 308 with the modified frame 304.
  • the destination indicator 308 in one embodiment can include an IEEE 802.1q VID value in the TCI field of frame 304 or an IEEE 802.1p priority value.
  • the destination indicator 308 instead indicates the destination subnet(s) of the modified frame 304 to the switch 130. Since, in this case, the modified frame 304 was received via a channel provided by the virtual driver 312, the switch driver 310 can include the VID value associated with the virtual driver 312 as the destination indicator 308 (such as the VID of the VLAN 202 of Figure 2). The switch driver 310 provides the modified frame 304, along with the destination indicator 308, to the port 142 of the switch 130 via the interface 324. The switch 130, upon receipt of the modified frame 304, analyzes the destination indicator 308 to determine the one or more output ports to be used to output the modified frame 304.
  • the destination indicator 308 of the modified frame 304 has a VID value associated with the VLAN 202, of which the ports 132, 142 are members. Since port 142 and the port 132 are members of the same VLAN, the switch 130 can remove or disassociate the destination indicator 308 from the modified frame 304 and provide the modified frame 304 to the port 132 for output to the WAN 150. Meanwhile, since the ports 134-138 are not members of the VLAN 202, the switch 130 avoids providing the frame 304 to the ports 134-138 for output. Although one mechanism to determine source and destination ports of a frame based at least in part on VLAN membership has been illustrated, other mechanisms may be utilized by those skilled in the art, using the guidelines provided herein.
  • the switch 130 can include a managed network switch, whereby a learning table built by the switch 130 can be provided to the switch driver 310. Therefore, when a frame is received by the switch driver 310 from the switch 130, the switch driver 310 can determine the source port of the frame by using the source address of the frame and the learning table and provide the frame to the application stack 320 through the corresponding virtual driver. Likewise, when a unicast frame is received by the switch 130 from the switch driver 310, the switch 130 can determine the appropriate output port of the switch 130 based at least in part on the destination address of the frame and from the learning table. When a broadcast or multicast frame is received by the switch from the switch driver 310, the switch 130 will need an additional indicator as described above to ensure that the frame does not go out all ports of the switch 130.

Abstract

A method and a system for using a network switch (120) as in a gateway, to route frames between network segments associated with separate subnets (102, 104, 106) is disclosed. Frames from one network segment of a source subnet can be provided to one of a plurality of ports (132, 134, 136, 138) of a network switch (120). The network switch (120) provides the frames to a processor (140) with a source port indicator, whereupon the processor (140) performs any higher-level processing of the frames, such as routing, Internet Protocol Security (IPSec) or network address translation (NAT). After any applicable modification of the frame the processor (140) provides the modified frame with a destination port indicator back to the network switch (120) for output on one or more ports (132, 134, 136, 138) connected to one or more network segments (102, 104, 106) associated with the destination subnet.

Description

SYSTEM AND METHOD FOR ROUTING A CROSS SEGMENTS OF A NETWORK SWITCH
FIELD OF THE INVENTION
The present invention relates generally to providing connectivity between segments of a network, and more particularly to using a switch to route data between segments of a network.
BACKGROUND OF THE INVENTION
When providing connectivity between various network components of one or more networks connected to a gateway, it is often desirable to segregate groups of one or more network components into separate subnets. By providing separate subnets, various higher-level functions or operations can be performed by the gateway on data transmitted between the subnets. For example, the gateway could place an email server in a different subnet than an intranet of personal computers, thereby providing a secure network segment (also known as a "demilitarized zone" or secure perimeter network) between the intranet of personal computers (PCs) and the email server. As a result, external network components can access the internal email server without being able to access the intranet of PCs. Likewise, segments of a network can be separated into different subnets to prevent a high data flow on one network segment from degrading the bandwidth of another network segment.
However, while using separate subnets for different network segments provides a number of advantages, known implementations for routing across separate subnets typically are relatively expensive due to their need for separate network controllers for each subnet. As a result, as the number of subnets increases, the cost and complexity of the gateway increases since additional network controllers must be added to the gateway.
In view of the limitations of known subnet routing implementations, an improved system and method for providing routing across network segments would be advantageous.
SUMMARY OF THE INVENTION
The disclosed technique mitigates or solves the above-identified limitation in known implementations, as well as other unspecified deficiencies in the known implementations.
The use of Institute of Electrical and Electronics Engineers (IEEE) 802.1q tagging, IEEE 802.1p priority fields, and VLAN capabilities of various Ethernet switch chips allows a host processor to route across the network interfaces of a switch chip. A host processor attached to a single interface of a switch chip can route across all interfaces by: identifying the interface that each frame is received from; directing the outgoing segment that each frame from the host processor must go out; and preventing the switch chip from directly forwarding frames between network interfaces.
Various implementations of the present invention can be adapted to utilize a switch chip by addressing three issues. First of all, the switch chip can be adapted to prevent the forwarding of data between the Ethernet segments that are to be routed or otherwise processed at a higher-level. All frames that are to be routed or further processed are provided to, and processed by, the host processor. This includes unicast, multicast, and broadcast packets. Secondly, the switch chip is adapted to identify from which Ethernet segment a frame was received before passing data up through a network layer stack, such as Internet Protocol (IP). Lastly, implementations of the present invention generally identify the Ethernet segment by which the switch chip is to output frames from the host processor, including unicast, multicast, and broadcast packets.
In accordance with one embodiment of the present invention, a gateway for routing frames across multiple subnets is provided, the gateway being in electrical communication with a plurality of network segments, and each network segment is associated with at least one of the subnets. The gateway comprises a processor and a network switch in electrical communication with the processor and having a plurality of ports, each port associated with one of the network segments, the network switch being adapted to receive, at a first port, a frame from a first network segment associated with a first subnet, associate a source indicator with the frame, the source indicator including an identifier representative of the first subnet, and provide the frame and the source indicator to the processor when an intended destination of the frame is a second subnet different from the first subnet. Furthermore, the processor is adapted to perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
In a distributed network comprising a first network segment associated with a first subnet and a second network segment associated with a second subnet, a gateway coupled to the first and second network segments is provided in accordance with another embodiment of the present invention. The gateway comprises a network switch in bidirectional communication with a processor, wherein the network switch is adapted to provide a frame received via a first port and a source indicator to the processor when an intended destination of the frame includes the second subnet, the source indicator being representative of the first subnet, and wherein the processor is adapted to perform at least one higher-level function using the frame based at least in part on the source indicator to generate a modified frame.
In a distributed network comprising multiple network segments, a network switch having at least three ports is provided in accordance with at least one embodiment of the present invention. Each port is coupled to a separate network segment, the at least three ports including a first port coupled to a first network segment, the first network segment being associated with a first subnet, a second port coupled to a second network segment, the second network segment being associated with a second subnet, and a third port coupled to a processor, where the first port is adapted for bi-directional communication between the third port and the first network segment and the second port is adapted for bidirectional communication between the third port and the second network segment. The network switch is adapted to associate a source indicator with a frame received from the first port, the source indicator representing the first subnet, and provide the frame and the source indicator to the processor via the third port when an intended destination of the frame is the second subnet.
In a distributed network comprising multiple network segments coupled to a network switch, a processor in electrical communication with the network switch is provided in accordance with yet another embodiment of the present invention. The processor is adapted to receive a frame and a source indicator associated with the frame from the network switch, the source indicator being representative of a source subnet of the frame, perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame and associate a destination indicator with the modified frame, the destination indicator being representative of at least one intended destination subnet of the modified frame. The processor is further adapted to provide the modified frame and the destination indicator to the network switch for output to the at least one intended destination subnet.
In accordance with an additional embodiment of the present invention, a method to route at least one frame from a first subnet to a second subnet using a network switch is provided. The method comprises the steps of receiving, at a first port of the network switch, a frame from a first network segment associated with the first subnet, wherein an intended destination of the frame includes a second network segment associated with the second subnet, providing the frame and a source indicator from the network switch to a processor, the source indicator being representative of the first subnet, and performing, at the processor, at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
In accordance with another embodiment of the present invention, a method for routing frames of data across switched Ethernet segments is provided. The method comprises the steps of receiving, at a first port of an Ethernet switch, a frame from a first Ethernet segment, wherein the first port is associated with a first VLAN and where the frame is intended for receipt by a network component of a second Ethernet segment associated with a second VLAN, associating, at the Ethernet switch, a source indicator with the frame, the source indicator including a first VID associated with the first VLAN, and providing the frame and the source indicator from the Ethernet switch to an application stack of a processor via a first channel, wherein the first channel is associated with the first VID. The method further comprises the steps of performing, at the application stack, at least one higher-level function based at least in part on the source indicator to generate a modified frame, associating a destination indicator with the modified frame, wherein the destination indicator includes a second VID associated with the second VLAN, and providing the modified frame and the destination indicator from the application stack to the network switch. The method additionally includes the step of providing the modified frame to a second port of the network switch associated with the second VLAN for output to the second Ethernet segment based at least in part on the second VID of the destination indicator.
One objective of at least one embodiment of the present invention is to allow a switch chip to be attached to a host processor to create a router that can route frames across each network interface attached to the switch chip. Another objective of at least one embodiment of the present invention is to minimize the cost of implementing subnets by reducing the number of network controllers necessary to support multiple subnets.
Still further features and advantages of the present invention are identified in the ensuing description, with reference to the drawings identified below.
BRIEF DESCRIPTION OF THE DRAWINGS
The purposes and advantages of the present invention will be apparent to those of ordinary skill in the art from the following detailed description in conjunction with the appended drawings in which like reference characters are used to indicate like elements, and in which:
Figure 1 is a block diagram illustrating a system for routing data across multiple network segments in accordance with at least one embodiment of the present invention;
Figure 2 is a block diagram illustrating a mechanism for associating the ports of a network switch with different virtual local area networks in accordance with at least one embodiment of the present invention; and
Figure 3 is a block diagram illustrating a mechanism for providing frames from one network segment to another network segment using virtual local area networks in accordance with at least one embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figures 1-3 illustrate a method and a system for using a network switch to route frames between network segments. In at least one embodiment, one or more frames from one network segment are provided to one of a plurality of ports of a network switch. The network switch provides each frame to a processor as it is received when the source and destination of the frame are on different subnets or the frame is intended for the processor. The processor, in one embodiment, then performs one or more higher-level functions using a received frame, such as routing, Internet Protocol Security (IPSec) or network address translation (NAT). After modifying the frame as a result of the performance of the one or more higher-level functions, the processor provides the modified frame back to the network switch for output on a port connected to the intended destination of the frame. In at least one embodiment, the network switch utilizes port-based virtual local area networks (VLANs) to prevent frames received at one port of the network switch from being directly sent out another port when the frames have different source and destination subnets.
Additionally, the network switch can use the VLANs to indicate to the processor the source subnet of the frame. In this case, each port of the network switch can be assigned to a certain VLAN (representing a certain subnet), and as a frame is received at a certain port, the network switch associates the port's VLAN identification (VID) with the frame to indicate the source VLAN/subnet of the frame. Likewise, the processor can use the VLAN capability of the network switch to indicate to the network switch the particular port or ports that is to be used to output a frame to one or more network segments attached to the particular port/ports. In this case, the processor can associate the VID of the destination VLAN/subnet with a frame and provide this destination indicator and the frame to the network switch. The network switch, using the VID of the destination indicator, outputs the frame on the one or more ports associated with the VLAN having the VID of the destination indicator. One advantage of at least one embodiment of the present invention is that the cost of implementing multiple subnets can be reduced since a separate network controller is not necessary for each subnet.
The term "frame," as used herein, refers to any logical segmentation of data transmitted over a networked medium, and usually includes a source address, a destination address, a data payload, and an error correction field, as well as various other fields. Examples of frames include Ethernet frames, IP packets, Asynchronous Transfer Mode (ATM) frames, and the like.
Referring now to Figure 1, a system 100 for routing data across segments of a network switch 130 is illustrated in accordance with at least one embodiment of the present invention. The system 100 includes one or more subnets 102-106 connected to a gateway 120. The subnets 102-106 each can include one or more network segments having one or more network components, where a network component can include any component or device adapted to communicate with another component or device over a network, such as a server, a hub, a router, a bridge, a switch, a terminal, a PC, and the like. In the illustrated embodiment, the subnet 102 includes a wide area network (WAN) 150 and the subnet 104 includes a data server 108, such as a file transfer protocol (FTP) server or simple mail transfer protocol (SMTP) server. The subnet 106 includes two network segments, one including PCs 110-114 connected via a hub 122 to the gateway 120 and a PC 116 connected separately to the gateway 120. The number and type of subnets connected to the gateway 120 and/or the number and type of network components of the subnets are illustrated for exemplary purposes. The present invention may be implemented with any number or type of subnets and any combination of network components on a subnet using the guidelines provided herein.
The gateway 120 can include any of a variety of devices utilized to connect two or more networks or subnets together, such as a digital subscriber line (xDSL) modem, a firewall, a gateway, a router, a bridge, and the like. To illustrate, the gateway 120 can include a combination bridge/router adapted to provide a communication link between the Internet (one embodiment of the WAN 150 of the subnet 102) and the network components of the subnets 104, 106. To facilitate communication between the WAN 150 and the subnets 102-106, in at least one embodiment, the gateway 120 includes a network switch 130 connected to a communications processor 140. In one embodiment, the switch 130, as illustrated, includes a plurality of ports 132-138, each coupled to one of the network segments or network components of the subnets 102-106. The ports 132-138 can include ports adapted to support any of a variety of network architectures, such as Ethernet, token ring, asynchronous transfer mode (ATM), and the like. One example of an appropriate switch 130 is an Ethernet switch having the trade designation KS8993 available from Kendin Communications, Inc. of Sunnyvale, California. As with the subnets, the number of ports of the switch 130 is exemplary. Implementations of the present invention can utilize network switches having any number of ports without departing from the spirit or the scope of the present invention.
The communications processor 140 can include any of a variety of processing devices adapted to modify frames of data for networking purposes, where modification of frames can include, but is not limited to, routing frames, switching frames, bridging frames, as well as performing higher-level functions, such as network address translation (NAT) or encryption. The communications processor 140, herein referred to as the processor 140, can include a processor specifically designed for communications processing, such as an application specific integrated circuit (ASIC), a general purpose processor adapted to execute a set of executable instructions appropriate for handling of network data, a communications-specific microprocessor or microcontroller, or a combination thereof. One such implementation includes a communications processor available under the trade designation Helium 200 from GlobeSpanVirata, Inc. of Red Bank, New Jersey. Alternatively, the processor 140 can be implemented as a combination of discrete logic components.
The gateway 120 can be adapted to perform a variety of functions within the system 100. For example, in one embodiment, the gateway 120 is adapted to route frames between separate subnets. To illustrate, the gateway 120 can be utilized to route frames from the network components of the subnets 104, 106 to the WAN 105 of the subnet 102, and vice versa. Likewise, the gateway 120 can be adapted to function as a bridge by bridging frames between network segments of the same subnet. In this case, frames received via the port 138 from the PC 116 can be bridged to the PC 110 via the port 136 and the hub 122. Frames from the PCs 110-114 likewise can be bridged to the PC 116 via ports 136, 138 of the gateway 120. Additionally, the gateway 120 can perform various higher-level operations while switching/bridging/routing frames between network segments. For example, the gateway 120 can act as a firewall between the WAN 150 and the subnets 104, 106 by providing network address translation (NAT) on frames from the subnets 104, 106 to the WAN 150 and on frames from the WAN 150 intended for one or more of the network components of the subnets 104, 106. Likewise, the gateway 120 can be adapted to implement the subnet 104 as a secure perimeter network, thereby allowing external access to the data server 108 from the subnet 102 without sacrificing the security of the subnet 106. The gateway 120 can be adapted to provide a variety of other higher-level functions, whereby a higher-level function, as defined herein, includes any function, process, or operation performed at Layer 3 (the Network layer) or higher of the Open Systems Interconnection (OSI) Network Model. Higher-level functions can include routing, NAT, Internet Protocol Security (IPSec), encryption, filtering, and the like.
In order to provide the routing, bridging, and other desired functionality of the gateway 120, in at least one embodiment, each frame received at any of the ports 132-138 is filtered based at least in part on its intended destination. If the final destination of a received frame is located on the same network segment as the source of the frame, the switch 130 can be adapted to drop the frame. For example, if the PC 110 were to transmit a frame intended for the PC 114, the frame typically would be received by one port of the hub 122 and retransmitted out all of the other ports of the hub 122, one of which is connected to the port 136. Accordingly, when the switch 130 receives this frame, it can determine from its learning table, for example, that the source and destination of the frame are on the same network segment, so the switch 130 can drop the frame. If the intended destination of a received frame is located on the same subnet but a different network segment, then the switch 130 can be adapted to forward (i.e., switch) the frame between the source port and the destination port. For example, assume the PC 116 transmits a frame intended for the PC 112. The frame is received at the port 138 of the switch 130. The switch 130, noting that the port (port 138) associated with the source and the port (port 136) associated with the destination are in the same subnet 106, forwards the frame directly from port 138 to port 136 for output.
However, when a frame received at the switch 130 has an intended destination that is in a different subnet than the source of the frame or when the frame is intended for the processor 140, the switch 130, in at least one embodiment, is adapted to provide the frame to the processor 140 via the port 142. The processor 140 then can perform one or more higher-level functions (which typically modify the frame) and then provide the modified frame back to the switch 130 for output on the port associated with the intended destination of the modified frame. For example, assume that PC 116 transmits a frame intended for the server 108. Since the PC 116 and the server 108 are on different subnets, the switch 130, in one embodiment, is adapted to provide the frame to the processor 140 for routing of the frame, as well as any other appropriate higher-level functions. The term "modify", as utilized herein with respect to frames of data, can include any of a variety of functions or processes performed on a frame by the processor 140. To illustrate, the processor 140 typically replaces the media access control (MAC) header and updates the Time to Live field and checksum in the IP header when routing an Ethernet frame from one subnet to another. When performing a NAT operation, the processor 140 typically modifies the source or destination IP address along with other fields within the frame.
By routing frames having an intended destination on a different subnet than the source subnet through the processor 140, various higher-level functions can be provided that otherwise are generally not available from conventional network switches or bridges. The higher-level functions provided by the processor 140 can include frame/packet filtering, network address translation (NAT), IPSec, implementation of a firewall between the WAN 150 and the subnets 104, 106, and the like. To illustrate, a frame received at port 132 that is intended for subnet 104 would be directly provided to port 134 if the switch 130 operated as a conventional network switch. However, since the switch 130 is adapted to provide the frame to the processor 140 in accordance with one implementation of the present invention, the processor 140 can perform a desired operation on the frame, such as NAT, before providing the frame back to the network switch 130 for output on port 134.
For example, assume a frame received by the switch 130 from the PC 116 via the port 138 is provided to the processor 140. The processor 140, noting the intended destination of the frame (server 108 in this example), modifies/processes the frame by replacing the MAC header and updating the IP header and provides the modified frame to the switch 130. Additionally, in at least one embodiment, the processor 140 associates a destination indicator with the modified frame that is used by the switch 130 to determine which of ports 132-138 the modified frame is to be output on. Using this destination indicator, the switch 130 determines that the intended destination of the frame is connected to the port 134 and therefore provides the modified frame to the port 134 for output to the server 108.
In another example, assume that a frame from the PC 116 is received by the switch 130 via the port 138, where the frame is intended for a data server on the WAN 150 of the subnet 102. The switch 130, noting that the source subnet and the destination subnet are different, then forwards the frame to the processor 140 via the port 142 along with a source indicator representative of the source subnet of the frame. In this example, the gateway 120 is implemented as a firewall between the WAN 150 and the subnets 104, 106. Accordingly, the processor 140, noting the source subnet, performs a NAT operation on the frame and provides the modified frame to the switch 130 along with a destination indicator that the frame is intended for output via the port 132. Based at least in part on this destination indicator, the switch 130 outputs the modified frame on the port 132 for reception by the data server on the WAN 150.
Additionally, in some cases, frames received at the switch 130 may be intended for the processor 140. For example, the gateway 120 could be adapted to monitor the status of the network components of the system 100. In this case, the processor 140 could be adapted to generate "ping" packets to test the connectivity between the processor 140 and the components 108, 110-116, and 150. Upon receipt of a ping packet, each of these components typically would send a response packet to the processor 140 via the network switch 130. Accordingly, the processor 140 can be viewed as a network segment for the provision of frames by the network switch 130: when a frame is received on a port associated with one subnet and the frame has the processor 140 as its intended destination, the switch 130 can be adapted to forward the frame to the processor 140 as though the processor 140 were another network segment.

Referring now to Figures 2-3, various mechanisms to route data between the subnets 102-106 are illustrated in accordance with at least one embodiment of the present invention. For ease of illustration, various embodiments of the present invention are discussed herein in the context of Ethernet network architectures, such as 10BaseT, 100BaseTX, 100BaseFX, and the like. However, the present invention may be implemented using other network architectures known to those skilled in the art. Accordingly, any reference made herein to an Ethernet architecture also applies to other network architectures, unless otherwise noted.

Referring to Figure 2, a mechanism to indicate the source port and/or destination port of a frame is illustrated. As discussed above, in at least one embodiment, the switch 130 is adapted to provide all frames received at the ports 132-138 that have different source and destination subnets, as well as frames intended for the processor 140, to the processor 140 for the application of one or more higher-level functions.
In order to indicate the port at which a frame was received by the switch 130 (i.e., the source port) to the processor 140, the switch 130 can be adapted to associate a source indicator with the frame prior to providing the frame to the processor 140. The processor 140 can then utilize this indicator value to determine the source subnet of the frame and handle the frame accordingly. Similarly, the processor 140 can be adapted to include a destination indicator with a frame that has been handled by the processor before the frame is provided back to the switch 130. The switch 130, in this case, can use the destination indicator to determine which of the ports 132-138 is to be used to output the frame to its intended destination.
In at least one embodiment, a virtual local area network (VLAN) scheme is utilized to provide the source indicator and/or the destination indicator. In this case, the switch 130 is adapted to support port-based VLANs, such as a VLAN implementation in accordance with the IEEE 802.1Q standard. In this case, the switch 130 can assign the ports 132-138 to one or more VLANs. In at least one embodiment, the ports 132-138 are assigned to a VLAN based at least in part on the subnet associated with each port. In the illustrated embodiment, since the port 132 is associated with the subnet 102 and the port 134 is associated with the subnet 104, the port 132 is assigned to the VLAN 202 and the port 134 is assigned to the VLAN 204. Likewise, since the ports 136, 138 (Figure 1) are associated with the same subnet (subnet 106, Figure 1), the ports 136, 138 can be assigned to the same VLAN. The ports 136, 138 and their associated subnet 106 of the exemplary implementation illustrated in Figure 1 are omitted for ease of illustration. In general, network switches implementing VLANs are prevented from forwarding frames between ports having mutually exclusive VLAN memberships. Accordingly, since the port 132 belongs to a different VLAN than the port 134, there typically is no way for frames from the WAN 150 to be forwarded directly to the data server 108 by the switch 130. Likewise, due to mutually exclusive VLAN memberships, frames from the data server 108 are not forwarded directly to the WAN 150 by the switch 130. However, because the ports 136, 138 belong to the same VLAN, a frame received at one of the ports 136, 138 can be forwarded by the switch 130 directly to the other port without necessitating the involvement of the processor 140.
Since ports 132, 134 have a mutually exclusive VLAN membership, frames typically are not directly switched between port 132 and port 134 of the switch 130. Likewise, since ports 136, 138 belong to a different VLAN than either the port 132 or the port 134, frames typically cannot be directly switched between ports 136, 138 and either port 132 or port 134. Since the processor 140, in one embodiment, directs the switch 130 to assign the port 142 to all of the VLANs of the ports 132-138, frames having differing source and destination subnets and frames intended for the processor 140 (i.e., frames that need to be routed and/or otherwise modified) can be provided from the source port to port 142 for output to the processor 140.
As illustrated with reference to the VLAN membership table 206, port 132 is assigned to the VLAN 202, the port 134 is assigned to the VLAN 204, and the port 142 is assigned to both the VLAN 202 and the VLAN 204. Accordingly, any frame received via the port 132 that needs to be routed or modified is forwarded to the port 142 since the port 132 and the port 142 belong to the same VLAN 202. Likewise, any frame received via the port 134 that needs to be routed or modified is provided to the port 142 since they also share the same VLAN 204. As a result, all frames received at the ports 132, 134 that need to be routed or modified are forwarded to the processor 140 via the port 142 and are prevented from being provided directly to the other port. To illustrate, the line 222 demonstrates that frames received at port 132 (from VLAN 202) are provided from the port 132 to the port 142 since they both are in the same VLAN. Likewise, frames from the port 142 intended for the WAN 150 can be forwarded from the port 142 to the port 132 due to their mutual VLAN membership. The line 224 illustrates a similar frame transfer between the data server 108 connected to the port 134 and the processor 140 connected to the port 142. Since the port 142 is a member of the VLAN 204, frames received at the port 134 can be forwarded to the port 142, and vice versa. However, as discussed, the switch 130, in one embodiment, is adapted to prevent the direct transfer (illustrated by line 226) of frames directly from the port 132 to the port 134 and from the port 134 to the port 132 since the ports 132, 134 are members of different VLANs.
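The membership table above can be checked mechanically. The following is an added example, not code from the patent, that models the port-based VLAN membership of Figure 2 in Python, extended with the VLAN for the ports 136, 138 that the figure omits (given the assumed number 206 here), and computes which ports a frame may be forwarded to. It also carries the check a practitioner would want before trusting this design for firewalling: that no two access ports on different subnets share a VLAN, so every cross-subnet frame is forced through the port 142, and that a stale or spoofed learning-table entry pointing into another subnet cannot override that.

```python
"""Port-based VLAN forwarding model for the switch 130 of Figures 1-2.

Added example, not code from the patent. Port numbers 132-138 and 142 and
VLANs 202, 204 come from the description; VLAN 206 for ports 136/138 is an
assumed number (the description omits that VLAN from Figure 2).
"""
from typing import Dict, FrozenSet, Optional, Set

PROCESSOR_PORT = 142

# VLAN membership table 206 of Figure 2, extended with the subnet-106 VLAN.
# Port 142 (to the processor 140) is deliberately a member of every VLAN.
VLAN_MEMBERS: Dict[int, FrozenSet[int]] = {
    132: frozenset({202}),            # WAN 150
    134: frozenset({204}),            # data server 108
    136: frozenset({206}),            # subnet 106 (assumed VLAN number)
    138: frozenset({206}),            # subnet 106
    PROCESSOR_PORT: frozenset({202, 204, 206}),
}


def ingress_vlan(port: int) -> int:
    """Port-based classification: a frame takes the single VLAN of the port it
    arrived on. Any tag already present on the frame is ignored, so a host
    cannot choose its own source subnet. Port 142 is a trunk: its frames carry
    the destination indicator and are not classified this way."""
    members = VLAN_MEMBERS[port]
    if len(members) != 1:
        raise ValueError(f"port {port} is a trunk; the VLAN must come from the tag")
    return next(iter(members))


def egress_ports(ingress_port: int, vlan: int,
                 learned_port: Optional[int] = None) -> Set[int]:
    """Ports eligible to transmit a frame of `vlan` received on `ingress_port`.

    A learned unicast destination is honoured only if it lies inside the VLAN;
    otherwise (unknown, broadcast, multicast, or a stale entry that points
    into another subnet) the frame is flooded within the VLAN only.
    """
    if vlan not in VLAN_MEMBERS[ingress_port]:
        raise ValueError(f"VLAN {vlan} is not configured on port {ingress_port}")
    candidates = {p for p, vlans in VLAN_MEMBERS.items()
                  if vlan in vlans and p != ingress_port}
    if learned_port in candidates:
        return {learned_port}
    return candidates


def direct_path_exists(port_a: int, port_b: int) -> bool:
    """True when the switch could forward between the two ports on its own."""
    return bool(VLAN_MEMBERS[port_a] & VLAN_MEMBERS[port_b])


def isolation_holds() -> bool:
    """The property the design relies on: access ports on different subnets
    share no VLAN (cross-subnet frames cannot bypass the firewall/NAT on the
    processor), and every access port can reach the processor port."""
    access_ports = [p for p in VLAN_MEMBERS if p != PROCESSOR_PORT]
    for a in access_ports:
        if not direct_path_exists(a, PROCESSOR_PORT):
            return False
        for b in access_ports:
            if a != b and VLAN_MEMBERS[a] != VLAN_MEMBERS[b] and direct_path_exists(a, b):
                return False
    return True


if __name__ == "__main__":
    print("isolation holds:", isolation_holds())
    print("frame from port 132 may go to:", egress_ports(132, ingress_vlan(132)))
    print("frame from port 136 may go to:", egress_ports(136, ingress_vlan(136)))
```

If a later configuration change adds a port to two access VLANs, or puts port 142's VLAN set on an access port, `isolation_holds()` returns False; that is the regression check worth running whenever the membership table is edited.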
Referring now to Figure 3, an exemplary operation of the gateway 120 is illustrated in accordance with at least one embodiment of the present invention wherein a frame 302 from the server 108 is routed by the gateway 120 for delivery to the WAN 150. In the illustrated embodiment, the data server 108 provides an Ethernet frame (frame 302) to the gateway 120, where the frame 302 is intended for receipt by a network component on the WAN 150. Upon receipt of the frame 302, the switch 130 identifies the source subnet based on the port (port 134) used to receive the frame and associates a source indicator 306 with the frame 302 based at least in part on the source subnet identified. The switch 130, in at least one embodiment, utilizes port-based VLANs, as discussed in Figure 2, to assign a VLAN identification (VID) to the source indicator 306 associated with the frame 302. In one implementation, the VID is added as an IEEE 802.1Q VID value in the Tag Control Information (TCI) field of the 802.1Q tag, which follows the destination address field and the source address field of the Ethernet frame. For example, the switch 130 could assign a VID of 1 to the VLAN 202 and a VID of 2 to the VLAN 204. Accordingly, any frame received via the port 132 is assigned a VID of 1 in the TCI field of the frame and a frame received via the port 134 is assigned a VID of 2 in its TCI field. Alternatively, the indicator can be carried as an IEEE 802.1p priority value rather than as a VID. Other methods of indicating a VLAN to which a certain frame belongs may be used without departing from the spirit or the scope of the present invention.
Since, in this example, the port 142 belongs to the same VLAN (VLAN 204, Figure 2), the switch 130 provides the frame 302 (with the source indicator 306) to the port 142 for output to the processor 140. The frame 302 is received at the processor 140 by an interface 324 implemented as part of, or connected to, the processor 140. In at least one embodiment, the interface 324 includes an Ethernet media access control (MAC) interface integrated as part of the processor 140 and the port 142 includes an interface compatible with the Ethernet MAC interface, such as a Media Independent Interface (MII). Certain implementations of the switch 130 can be adapted to convert one port into an interface compatible with an Ethernet MAC interface through an MII. For example, the switch 130 could include an Ethernet switch available under the trade name KS8995E from Kendin Communications, Inc. of Sunnyvale, California. This exemplary Ethernet switch includes five ports, where one of the five ports can be converted into an MII compatible with an Ethernet MAC interface. The four non-convertible ports can be implemented as the ports 132-138, and the fifth port can be converted to an MII for implementation as the port 142 to interface with the Ethernet MAC interface (one embodiment of the interface 324) of the processor 140.

In at least one embodiment, the processor 140 includes a switch driver 310 and an application stack 320 for handling and modifying frames received from the switch 130. The switch driver 310 includes a device driver for the switch 130 that is adapted to receive a frame from the interface 324, remove or disassociate any indicators, such as the source indicator 306, from the frame, if necessary, and provide the frame to the application stack 320. The application stack 320 includes one or more protocol stacks, such as an Internet Protocol (IP) stack, as well as any higher-level application layers.
The switch driver 310 and the application stack 320 can be implemented as software, firmware, hardware, or a combination thereof. For example, in at least one embodiment, the switch driver 310 includes a first set of executable instructions and the application stack 320 includes a second set of executable instructions, both sets performed by the processor 140.
In order to route across all of the ports of the switch 130, the switch driver 310 generally must bind multiple channels to the application stack 320, one channel for each of the ports 132, 134. Ports 136 and 138, in this example, are combined into a single channel since they are both associated with the same subnet. Accordingly, in at least one embodiment, the switch driver 310 includes a virtual driver 312 associated with the port 132 and a virtual driver 314 associated with the port 134 (as well as a virtual driver for the ports 136, 138 omitted for ease of illustration). Each of the virtual drivers 312, 314 is bound to the application stack 320 as a separate channel, resulting in a separate channel between the switch driver 310 and the application stack 320 for each of the ports 132, 134. From the perspective of the application stack 320, two separate network interfaces are attached. Accordingly, the application stack 320 can route frames between the ports 132, 134 using the channels provided by the virtual drivers 312, 314.
Upon receipt of the frame 302 from the interface 324, the switch driver 310 can determine which one of the virtual drivers 312, 314 is associated with the port used to receive the frame 302. This can be accomplished by analyzing the source indicator 306. For example, if the switch 130 placed a VID value representing VLAN 204 into the TCI field of the frame 302, the switch driver 310 can access this value and determine the virtual driver associated with the VLAN 204, which, in this case, is the virtual driver 314. After the switch driver 310 identifies the virtual driver 314, the switch driver 310, in one embodiment, strips the source indicator 306 from the frame 302 and provides the frame 302 to the application stack 320 for bridging/routing/security processing and/or further processing.
The application stack 320, in at least one embodiment, is adapted to provide one or more desired higher-level functions in addition to being adapted to route/bridge/switch frames. For example, the application stack 320 can route the frame 302, perform NAT on the frame 302, filter the frame 302, encrypt the payload of the frame 302, and the like. After the frame 302 is processed/modified by the application stack 320, the modified frame is provided over the appropriate channel to the switch driver 310 as modified frame 304. In this case, the channel associated with the destination address of the modified frame 304 (the address of the network component on the WAN 150) is supported by the virtual driver 312. Accordingly, the application stack 320 provides the modified frame 304 to the switch driver 310 using the virtual driver 312.
It will be appreciated that in order for the switch 130 to forward the modified frame 304 to the appropriate port, the switch 130 must have an indication of the desired output port/subnet. The indicator a conventional switch uses, the destination MAC address, is not sufficient when routing a frame across a network switch, since broadcast and multicast addresses, as well as unicast addresses that have aged out of the learning table, are flooded to ports for which the frame is not intended. Accordingly, in at least one embodiment, the switch driver 310 associates a destination indicator 308 with the modified frame 304. As with the source indicator 306, the destination indicator 308, in one embodiment, can include an IEEE 802.1Q VID value in the TCI field of the frame 304 or an IEEE 802.1p priority value. However, unlike the source indicator 306, which indicated the source subnet of the frame 302 to the switch driver 310, the destination indicator 308 instead indicates the destination subnet(s) of the modified frame 304 to the switch 130. Since, in this case, the modified frame 304 was received via the channel provided by the virtual driver 312, the switch driver 310 can include the VID value associated with the virtual driver 312 as the destination indicator 308 (such as the VID of the VLAN 202 of Figure 2). The switch driver 310 provides the modified frame 304, along with the destination indicator 308, to the port 142 of the switch 130 via the interface 324. The switch 130, upon receipt of the modified frame 304, analyzes the destination indicator 308 to determine the one or more output ports to be used to output the modified frame 304. The destination indicator 308 of the modified frame 304, in this example, has a VID value associated with the VLAN 202, of which the ports 132, 142 are members. Since the port 142 and the port 132 are members of the same VLAN, the switch 130 can remove or disassociate the destination indicator 308 from the modified frame 304 and provide the modified frame 304 to the port 132 for output to the WAN 150.
Meanwhile, since the ports 134-138 are not members of the VLAN 202, the switch 130 avoids providing the frame 304 to the ports 134-138 for output.

Although one mechanism to determine source and destination ports of a frame based at least in part on VLAN membership has been illustrated, other mechanisms may be utilized by those skilled in the art, using the guidelines provided herein. In an alternate embodiment, the switch 130 can include a managed network switch, whereby a learning table built by the switch 130 can be provided to the switch driver 310. Therefore, when a frame is received by the switch driver 310 from the switch 130, the switch driver 310 can determine the source port of the frame by using the source address of the frame and the learning table and provide the frame to the application stack 320 through the corresponding virtual driver. Likewise, when a unicast frame is received by the switch 130 from the switch driver 310, the switch 130 can determine the appropriate output port of the switch 130 based at least in part on the destination address of the frame and the learning table. When a broadcast or multicast frame is received by the switch 130 from the switch driver 310, the switch 130 will need an additional indicator as described above to ensure that the frame does not go out all ports of the switch 130.
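The Figure 3 path, from the tagged frame 302 on the port 134 to the modified frame 304 leaving on the port 132, is shown end to end below as an added example in Python; it is not code from the patent. It assumes the VID numbering the description gives as an example (VLAN 202 on the WAN port 132 = VID 1, VLAN 204 on the server port 134 = VID 2), names the virtual drivers `vdrv312` and `vdrv314` after the figure, and constructs all MAC addresses, IP addresses, the route table and the next-hop table for the example. The application stack is reduced to a routing decision plus MAC-header rewrite; NAT, filtering or IPsec would operate on the IP packet at the same point. The switch egress decision is made from the VID alone, as the text above requires, so a broadcast or unknown-unicast destination MAC cannot pull the frame into another subnet.

```python
"""End-to-end frame handling of Figure 3 with the 802.1Q tag as source and
destination indicator. Added example, not code from the patent. Assumed:
VLAN 202 (WAN, port 132) = VID 1, VLAN 204 (server 108, port 134) = VID 2;
all MAC/IP addresses, routes and next hops are constructed for the example.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROCESSOR_PORT = 142

PORT_TO_VID: Dict[int, int] = {132: 1, 134: 2}                 # ingress classification
VID_TO_PORTS: Dict[int, List[int]] = {1: [132, 142], 2: [134, 142]}  # membership table
VID_TO_VDRV: Dict[int, str] = {1: "vdrv312", 2: "vdrv314"}     # one channel per VLAN
VDRV_TO_VID: Dict[str, int] = {v: k for k, v in VID_TO_VDRV.items()}


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed addresses and tables.
SERVER_MAC = mac("02:00:00:00:01:08")
GATEWAY_MAC_LAN = mac("02:00:00:00:01:34")
GATEWAY_MAC_WAN = mac("02:00:00:00:01:32")
WAN_NEXT_HOP_MAC = mac("02:00:00:00:ff:01")
OWN_MAC = {"vdrv312": GATEWAY_MAC_WAN, "vdrv314": GATEWAY_MAC_LAN}
NEXT_HOP = {"vdrv312": WAN_NEXT_HOP_MAC, "vdrv314": SERVER_MAC}
ROUTES = [(ipaddress.ip_network("10.4.0.0/16"), "vdrv314"),    # subnet 104
          (ipaddress.ip_network("0.0.0.0/0"), "vdrv312")]      # default: WAN


def switch_ingress(port: int, frame: bytes) -> bytes:
    """Switch 130: push a tag whose VID is the ingress port's VLAN. A tag that
    arrived on the wire is stripped first and never trusted."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == TPID_8021Q:
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    tci = PORT_TO_VID[port] & 0x0FFF            # PCP = 0, DEI = 0, 12-bit VID
    return frame[:12] + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def driver_receive(tagged: bytes) -> Tuple[str, bytes]:
    """Switch driver 310: VID from the TCI selects the virtual driver; tag is stripped."""
    tpid, tci = struct.unpack("!HH", tagged[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame from switch carries no source indicator")
    return VID_TO_VDRV[tci & 0x0FFF], tagged[:12] + tagged[16:]


def application_stack(frame: bytes, in_vdrv: str) -> Tuple[str, bytes]:
    """Application stack 320, reduced to routing: pick the egress channel by
    destination IP and rewrite the MAC header for that channel."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("example routes IPv4 only")
    dst_ip = ipaddress.ip_address(frame[30:34])  # 14-byte MAC header + offset 16
    out_vdrv = next(v for net, v in ROUTES if dst_ip in net)
    if out_vdrv == in_vdrv:
        raise ValueError("destination is on the source subnet")
    return out_vdrv, NEXT_HOP[out_vdrv] + OWN_MAC[out_vdrv] + frame[12:]


def driver_send(frame: bytes, out_vdrv: str) -> bytes:
    """Switch driver 310: the channel the stack used selects the destination VID."""
    tci = VDRV_TO_VID[out_vdrv] & 0x0FFF
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def switch_egress(tagged: bytes) -> Tuple[List[int], bytes]:
    """Switch 130 on port 142: output ports come from the VID, never from the
    destination MAC; the tag is removed before the frame leaves the gateway."""
    tpid, tci = struct.unpack("!HH", tagged[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame from processor carries no destination indicator")
    ports = [p for p in VID_TO_PORTS[tci & 0x0FFF] if p != PROCESSOR_PORT]
    return ports, tagged[:12] + tagged[16:]


def route_frame(ingress_port: int, frame: bytes) -> Tuple[List[int], bytes]:
    """Complete path of frame 302 -> modified frame 304: (output ports, frame)."""
    in_vdrv, untagged = driver_receive(switch_ingress(ingress_port, frame))
    out_vdrv, modified = application_stack(untagged, in_vdrv)
    return switch_egress(driver_send(modified, out_vdrv))


def build_ipv4_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed input: Ethernet II frame carrying a bare 20-byte IPv4 header."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                            ipaddress.ip_address(src_ip).packed,
                            ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_header
```

Two details in `switch_ingress` are the caveat a practitioner should carry over to a real switch configuration: a tag that arrives from an attached host on an access port is discarded and replaced by the port's own VID, never honoured, and the gateway's own VID numbering is therefore internal to the link between the switch and the processor and never visible on the ports 132-138.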
Other embodiments, uses, and advantages of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The specification should be considered exemplary only, and the scope of the invention is accordingly intended to be limited only by the following claims and equivalents thereof.

Claims

WHAT IS CLAIMED IS:
1. A gateway for routing frames across multiple subnets, the gateway being in electrical communication with a plurality of network segments, each network segment associated with at least one of the subnets, the gateway comprising: a processor; a network switch in electrical communication with the processor and having a plurality of ports, each port associated with one of the network segments, the network switch being adapted to: receive, at a first port, a frame from a first network segment associated with a first subnet; associate a source indicator with the frame, the source indicator including an identifier representative of the first subnet; provide the frame and the source indicator to the processor when an intended destination of the frame is a second subnet different from the first subnet; whereby the processor is adapted to perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
2. The gateway of Claim 1, wherein the processor is further adapted to: associate a destination indicator with the modified frame, the destination indicator including an identifier representative of the second subnet; and provide the modified frame and the destination indicator to the network switch.
3. The gateway of Claim 2, wherein the network switch is further adapted to provide the modified frame to a second port for output to a second network segment based at least in part on the destination indicator, the second network segment being associated with the second subnet.
4. The gateway of Claim 3, wherein the network switch is further adapted to provide the modified frame to a third port for output to a third network segment based at least in part on the first destination indicator, the third network segment being associated with the second subnet.
5. The gateway of Claim 2, wherein the identifier representative of the second subnet is one of a group consisting of: an IEEE 802.1Q VID value and an IEEE 802.1p priority value.
6. The gateway of Claim 1, wherein the identifier representative of the first subnet is one of a group consisting of: an IEEE 802.1Q VID value and an IEEE 802.1p priority value.
7. The gateway of Claim 1, wherein the network switch is further adapted to forward the frame to a second port for output to a second network segment when the intended destination of the frame is the first subnet, the second network segment being associated with the first subnet.
8. The gateway of Claim 1, wherein the at least one higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
9. The gateway of Claim 1, wherein the network switch includes an Ethernet switch.
10. The gateway of Claim 1, wherein the network switch is further adapted to prevent the frame from being switched directly between the plurality of ports of the switch.
11. In a distributed network comprising a first network segment associated with a first subnet and a second network segment associated with a second subnet, a gateway coupled to the first and second network segments, the gateway comprising a network switch in bidirectional communication with a processor, wherein the network switch is adapted to: provide a frame received via a first port and a source indicator to the processor when an intended destination of the frame includes the second subnet, the source indicator being representative of the first subnet; and wherein the processor is adapted to perform at least one higher-level function using the frame based at least in part on the source indicator to generate a modified frame.
12. The gateway of Claim 11, wherein the processor includes: an application stack; and a switch driver in electrical communication with the network switch and coupled to the application stack via multiple channels, each channel associated with a different subnet of the distributed network, wherein the switch driver is adapted to: select a channel based at least in part on the source indicator, wherein the selected channel is associated with the first subnet; and provide the frame to the application stack via the selected channel.
13. The gateway of Claim 12, wherein the application stack is adapted to perform the at least one higher-level function.
14. The gateway of Claim 13, wherein the higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
15. The gateway of Claim 11, wherein the processor is further adapted to provide the modified frame and a destination indicator to the network switch, the destination indicator being representative of the second subnet.
16. The gateway of Claim 15, wherein the processor includes: an application stack; and a switch driver in electrical communication with the network switch and coupled to the application stack via multiple channels, each channel associated with a different subnet of the distributed network, wherein the switch driver is adapted to: receive the modified frame from the application stack over a channel associated with the second subnet; associate the destination indicator with the modified frame, wherein a value of the destination indicator is based at least in part on the channel used to receive the frame; and provide the destination indicator and the modified frame to the network switch.
17. The gateway of Claim 16, wherein the application stack is adapted to perform the at least one higher-level function.
18. The gateway of Claim 17, wherein the higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
19. The gateway of Claim 15, wherein the network switch is further adapted to provide the modified frame to a second port for output to the second network segment based at least in part on the destination indicator.
20. The gateway of Claim 15, wherein: the first port is assigned to a first VLAN; the second port is assigned to a second VLAN; and the third port is assigned to the first VLAN and the second VLAN.
21. The gateway of Claim 20, wherein the source indicator includes an IEEE 802.1Q VID value associated with the first VLAN.
22. The gateway of Claim 11, wherein the higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
23. The gateway of Claim 11, wherein the network switch includes an Ethernet switch.
24. In a distributed network comprising multiple network segments, a network switch having at least three ports, each port coupled to a separate network segment, the at least three ports including: a first port coupled to a first network segment, the first network segment being associated with a first subnet; a second port coupled to a second network segment, the second network segment being associated with a second subnet; a third port coupled to a processor, where the first port is adapted for bidirectional communication between the third port and the first network segment and the second port is adapted for bi-directional communication between the third port and the second network segment; and the network switch being adapted to: associate a source indicator with a frame received from the first port, the source indicator representing the first subnet; and provide the frame and the source indicator to the processor via the third port when an intended destination of the frame is the second subnet.
25. The network switch of Claim 24, wherein the source indicator includes an IEEE 802.1Q VID value associated with the source of the frame.
26. The network switch of Claim 24, wherein the source indicator includes an IEEE 802.1p priority value associated with the source of the frame.
27. The network switch of Claim 24, the network switch further being adapted to: receive a modified frame and a destination indicator from the processor, the destination representing the second subnet; and provide the modified frame to the second port for output to the second network segment based at least in part on the destination indicator.
28. The network switch of Claim 27, wherein the destination indicator includes at least one IEEE 802.1Q VID value associated with the second subnet.
29. The network switch of Claim 27, wherein the destination indicator includes at least one IEEE 802.1p priority value associated with the second subnet.
30. The network switch of Claim 24, wherein the network switch includes an Ethernet switch.
31. The network switch of Claim 24, wherein the processor is to perform at least one higher-level function using the frame and the source indicator.
32. The network switch of Claim 31, wherein the higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
33. The network switch of Claim 24, wherein the network switch is further adapted to prevent a frame from being directly switched between any of the first, second, and third ports.
34. In a distributed network comprising multiple network segments coupled to a network switch, a processor in electrical communication with the network switch, the processor being adapted to: receive a frame and a source indicator associated with the frame from the network switch, the source indicator being representative of a source subnet of the frame; perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame; associate a destination indicator with the modified frame, the destination indicator being representative of at least one intended destination subnet of the modified frame; and provide the modified frame and the destination indicator to the network switch for output to the at least one intended destination subnet.
35. The processor of Claim 34, wherein the source indicator includes an IEEE 802.1Q VID value associated with the source subnet.
36. The processor of Claim 35, wherein the destination indicator includes at least one IEEE 802.1Q VID value associated with the at least one intended destination subnet.
37. The processor of Claim 34, wherein the higher-level function is one of a group consisting of: routing, filtering, network address translation, IPSec, and providing a secure perimeter network.
38. A method to route at least one frame from a first subnet to a second subnet using a network switch, the method comprising the steps of: receiving, at a first port of the network switch, a frame from a first network segment associated with the first subnet, wherein an intended destination of the frame includes a second network segment associated with the second subnet; providing the frame and a source indicator from the network switch to a processor, the source indicator being representative of the first subnet; and performing, at the processor, at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
39. The method of Claim 38, further comprising the steps of: providing the modified frame and a destination indicator from the processor to the network switch, the destination indicator representing the second subnet; and providing the modified frame to a second port of the network switch for output to the second network segment based at least in part on the destination indicator.
40. The method of Claim 39, wherein the step of providing the frame to the second port includes selecting the second port from a plurality of ports of the network switch based at least in part on the destination indicator.
41. The method of Claim 39, wherein the intended destination of the frame further includes a third network segment associated with the second subnet.
42. The method of Claim 41, further comprising the step of providing the modified frame to a second port of the network switch for output to the third network segment based at least in part on the destination indicator.
43. The method of Claim 38, wherein the source indicator includes an IEEE 802.1Q VID value associated with the second subnet.
44. The method of Claim 38, wherein the source indicator includes an IEEE 802.1p priority value associated with the second subnet.
45. The method of Claim 38, wherein the at least one higher-level function is one of a group consisting of: routing, filtering, IPSec, network address translation, and encryption.
46. The method of Claim 38, wherein the network switch includes an Ethernet switch.
47. A method for routing frames of data across switched Ethernet segments, the method comprising the steps of: receiving, at a first port of an Ethernet switch, a frame from a first Ethernet segment, wherein the first port is associated with a first VLAN and where the frame is intended for receipt by a network component of a second Ethernet segment associated with a second VLAN; associating, at the Ethernet switch, a source indicator with the frame, the source indicator including a first VID associated with the first VLAN; providing the frame and the source indicator from the Ethernet switch to an application stack of a processor via a first channel, wherein the first channel is associated with the first VID; performing, at the application stack, at least one higher-level function based at least in part on the source indicator to generate a modified frame; associating a destination indicator with the modified frame, wherein the destination indicator includes a second VID associated with the second VLAN; providing the modified frame and the destination indicator from the application stack to the network switch; and providing the modified frame to a second port of the network switch associated with the second VLAN for output to the second Ethernet segment based at least in part on the second VID of the destination indicator.
48. The method of Claim 47, wherein the at least one higher-level function is one of a group consisting of: routing, filtering, IPSec, network address translation, and encryption.
49. The method of Claim 47, wherein: the first VID includes a first IEEE 802.1Q VID value associated with the first VLAN; and the second VID includes a second IEEE 802.1Q VID value associated with the second VLAN.
50. The method of Claim 47, wherein the step of providing the frame and the source indicator to the application stack includes: providing the frame and the source indicator to a switch driver via a third port; and providing the frame from the switch driver to the application stack via the first channel.
51. The method of Claim 50, wherein the step of providing the modified frame and the destination indicator to the network switch includes: providing the modified frame from the application stack to the switch driver via a second channel, wherein the second channel is associated with the second VLAN; and providing the modified frame and the destination indicator to the network switch via the third port.
52. The method of Claim 50, wherein: the first port and the third port are associated with the first VLAN; and the second port and the third port are associated with the second VLAN.
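As an added illustration of the method of Claims 47 to 52 (example code, not from the patent or its assignee), the following Python simulates the switch, the processor-side application stack and the two VID-carrying indicators, using 802.1Q tags on the processor-facing trunk (the "third port") as the source and destination indicators and a filtering policy as the higher-level function. The port-to-VLAN map, the policy table and the sample frame are constructed assumptions.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100
# Constructed topology: access ports 1, 2 in VLANs 10, 20; port 3 is the tagged trunk to the processor.
PORT_VLAN = {1: 10, 2: 20}
PROCESSOR_PORT = 3
# Constructed policy for the higher-level function (filtering): only VLAN 10 -> VLAN 20.
ALLOWED_ROUTES = {(10, 20)}

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP=0, DEI=0) after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID outside the 802.1Q range 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def strip_tag(frame: bytes) -> Tuple[int, bytes]:
    """Return (VID, untagged frame); reject frames that carry no 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return tci & 0x0FFF, frame[:12] + frame[16:]

def switch_ingress(port: int, frame: bytes) -> bytes:
    """Claim 47, steps 1-3: classify by ingress port and attach the source indicator."""
    return add_tag(frame, PORT_VLAN[port])

def application_stack(tagged: bytes) -> Optional[bytes]:
    """Steps 4-5: filter, then attach the destination indicator; None = dropped."""
    src_vid, frame = strip_tag(tagged)
    for src, dst in ALLOWED_ROUTES:
        if src == src_vid:
            return add_tag(frame, dst)
    return None

def switch_egress(tagged: bytes) -> Tuple[int, bytes]:
    """Steps 6-7: choose the access port from the second VID and deliver untagged."""
    dst_vid, frame = strip_tag(tagged)
    ports = [p for p, v in PORT_VLAN.items() if v == dst_vid and p != PROCESSOR_PORT]
    if not ports:
        raise LookupError(f"no access port for VID {dst_vid}")
    return ports[0], frame

def route(port: int, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Whole path: ingress port -> trunk -> application stack -> trunk -> egress port."""
    modified = application_stack(switch_ingress(port, frame))
    return None if modified is None else switch_egress(modified)
# Constructed sample frame: dst MAC 02:00:00:00:00:02, src MAC 02:00:00:00:00:01, EtherType 0x0800, 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex("0200000000020200000000010800") + b"\x45\x00\x00\x14"
```

A frame entering port 1 (VLAN 10) leaves untagged on port 2 (VLAN 20), while the reverse direction is dropped by the filter, so the inter-VLAN policy lives entirely in the application stack rather than in the switch fabric.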

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003216304A AU2003216304A1 (en) 2002-02-21 2003-02-21 System and method for routing a cross segments of a network switch

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US31911902P 2002-02-21 2002-02-21
US60/319,119 2002-02-21
US10/063,468 2002-04-25
US10/063,468 US20030210696A1 (en) 2002-04-25 2002-04-25 System and method for routing across segments of a network switch

Publications (1)

Publication Number Publication Date
WO2003073283A1 true WO2003073283A1 (en) 2003-09-04

Family

ID=27767317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/004878 WO2003073283A1 (en) 2002-02-21 2003-02-21 System and method for routing a cross segments of a network switch

Country Status (2)

Country Link
AU (1) AU2003216304A1 (en)
WO (1) WO2003073283A1 (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8259593B2 (en) 2005-06-29 2012-09-04 Honeywell International Inc. Apparatus and method for segmenting a communication network
WO2007075361A1 (en) 2005-12-20 2007-07-05 Honeywell International Inc. Apparatus and method for traffic filtering in a communication system
US7688818B2 (en) 2005-12-20 2010-03-30 Honeywell International Inc. Apparatus and method for traffic filtering in a communication system
WO2008106907A1 (en) * 2007-03-02 2008-09-12 Siemens Aktiengesellschaft Destination port search in networks consisting of coupled subnetworks
EP2362608A1 (en) * 2010-02-26 2011-08-31 Connection Technology Systems Inc. Data packet forwarding method and network device using such method in network address translation mode
CN102215157A (en) * 2010-04-07 2011-10-12 康联讯科技股份有限公司 Data packet transmitting method and network device using same
US9450916B2 (en) 2014-08-22 2016-09-20 Honeywell International Inc. Hardware assist for redundant ethernet network
CN106209689A (en) * 2015-05-04 2016-12-07 杭州华三通信技术有限公司 From the multicast data packet forwarding method and apparatus of VXLAN to VLAN
CN106209636A (en) * 2015-05-04 2016-12-07 杭州华三通信技术有限公司 From the multicast data packet forwarding method and apparatus of VLAN to VXLAN
EP3292664A4 (en) * 2015-05-04 2018-03-14 New H3C Technologies Co., Ltd. Multicast data packet forwarding
EP3292666A4 (en) * 2015-05-04 2018-03-14 New H3C Technologies Co., Ltd. Multicast data packet forwarding
JP2018518926A (en) * 2015-05-04 2018-07-12 ニュー・エイチ・3・シィ・テクノロジーズ・カンパニー・リミテッドNew H3C Technologies Co., Ltd. Multicast data packet forwarding
US20180351878A1 (en) 2015-05-04 2018-12-06 New H3C Technologies Co., Ltd. Multicast data packet forwarding
CN106209689B (en) * 2015-05-04 2019-06-14 新华三技术有限公司 Multicast data packet forwarding method and apparatus from VXLAN to VLAN
US10326712B2 (en) 2015-05-04 2019-06-18 New H3C Technologies Co., Ltd. Multicast data packet forwarding
US10341223B2 (en) 2015-05-04 2019-07-02 New H3C Technologies Co., Ltd. Multicast data packet forwarding
CN106209636B (en) * 2015-05-04 2019-08-02 新华三技术有限公司 Multicast data packet forwarding method and apparatus from VLAN to VXLAN
US10511547B2 (en) 2015-05-04 2019-12-17 New H3C Technologies Co., Ltd. Multicast data packet forwarding
US9973447B2 (en) 2015-07-23 2018-05-15 Honeywell International Inc. Built-in ethernet switch design for RTU redundant system

Also Published As

Publication number Publication date
AU2003216304A1 (en) 2003-09-09

Similar Documents

Publication Publication Date Title
KR100612318B1 (en) Apparatus and method for implementing vlan bridging and a vpn in a distributed architecture router
US8576853B2 (en) Two-layer switch apparatus avoiding first layer inter-switch traffic in steering packets through the apparatus
EP1670187B1 (en) Tagging rules for hybrid ports
EP1557007B1 (en) Multi- tiered virtual local area network (vlan) domain mapping mechanism
US7486674B2 (en) Data mirroring in a service
US7643424B2 (en) Ethernet architecture with data packet encapsulation
US20030210696A1 (en) System and method for routing across segments of a network switch
US20050190788A1 (en) System and method for VLAN multiplexing
US7606229B1 (en) Generic bridge packet tunneling
US7286533B2 (en) Method and apparatus for routing data frames
US8526435B2 (en) Packet node for applying service path routing at the MAC layer
EP1913736B1 (en) Spanning tree bpdu processing method and apparatus facilitating integration of different native vlan configurations
US8437357B2 (en) Method of connecting VLAN systems to other networks via a router
WO2003073283A1 (en) System and method for routing a cross segments of a network switch
Cisco Configuring Transparent Bridging

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2003571909

Country of ref document: JP

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP