U.S. patent application number 09/796842 was filed with the patent office on 2002-02-21 for use of active topology protocols, including the spanning tree, for resilient redundant connection of an edge device.
Invention is credited to Jain, Vipin and Seaman, Michael J.
Application Number: 20020023170 09/796842
Family ID: 26882122
Filed Date: 2002-02-21
United States Patent Application 20020023170
Kind Code: A1
Seaman, Michael J.; et al.
February 21, 2002
Use of active topology protocols, including the spanning tree, for
resilient redundant connection of an edge device
Abstract
A method for configuring a network, and a network configured
according to such method, provide resilient, redundant connection
to an edge device. The system, while not allowing the edge device
to participate in the active topology of the network, chooses the
active link from the edge device to the network on the basis of the
spanning tree information received by the device, but does not
allow it to forward or generate spanning tree information. The
method manages the redundant connections of an edge device between
a first network and a second network, where the second network is
managed according to a spanning tree protocol in which spanning
tree configuration messages propagate among switches in the second
network. The redundant connections are made via a plurality of
ports on the edge device coupled to the second network. The edge
device monitors spanning tree configuration messages at at least one
port of the plurality of ports on the edge device coupled to the
second network; selects a port in the plurality of ports on the
edge device coupled to the second network as an active port for
traffic between the second network and the edge device, in response
to the spanning tree configuration messages; and prevents traffic
ingressing at any port coupled to the second network from egressing
at any port coupled to the second network. The selected active port
is the port having a least cost path to a root of the second
network according to the spanning tree protocol.
Inventors: Seaman, Michael J. (Mountain View, CA); Jain, Vipin (Santa
Clara, CA)
Correspondence Address: HAYNES BEFFEL & WOLFELD LLP, P O BOX 366, HALF
MOON BAY, CA 94019, US
Family ID: 26882122
Appl. No.: 09/796842
Filed: March 1, 2001
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
09796842 | Mar 1, 2001 |
09634566 | Aug 9, 2000 |
60186470 | Mar 2, 2000 |
Current U.S. Class: 709/235; 709/238
Current CPC Class: G06Q 30/02 20130101; G06Q 30/0601 20130101
Class at Publication: 709/235; 709/238
International Class: G06F 015/16; G06F 015/173
Claims
What is claimed is:
1. A method of managing redundant connection of an edge device and
a network managed according to an active topology protocol in which
active topology configuration messages propagate among switches in
the network, and in which a plurality of ports on the edge device
are coupled to the network, comprising: monitoring active topology
configuration messages at at least one port of the plurality of ports
on the edge device coupled to the network; selecting a port in the
plurality of ports on the edge device coupled to the network as an
active port for traffic between the network and the edge device, in
response to the active topology configuration messages; and
preventing traffic ingressing at any port coupled to the network
from egressing at any port coupled to the network.
2. The method of claim 1, wherein the active topology protocol
comprises a spanning tree protocol, and the active port is selected
by selecting a port which would have a least cost path to a root of
the network according to the spanning tree protocol.
3. The method of claim 1, wherein the active topology protocol
comprises a spanning tree protocol that is compliant with an IEEE 802.1
standard spanning tree protocol.
4. The method of claim 1, including executing a communication
protocol for a switched local area network.
5. The method of claim 1, including executing a protocol compliant
with an Ethernet standard in the edge device.
6. The method of claim 1, wherein the edge device comprises a
service interface unit, the service interface unit having a service
interface coupled via a link to a customer device having a unique
MAC address.
7. A method of managing redundant connection of an edge device on a
network managed according to a spanning tree protocol in which
spanning tree configuration messages propagate among switches in
the network, and in which a plurality of ports on the edge device
are coupled to the network, comprising: monitoring spanning tree
configuration messages at at least one port of the plurality of ports
on the edge device coupled to the network; selecting a port in the
plurality of ports on the edge device coupled to the network as an
active port for traffic between the network and the edge device and
another port in the plurality of ports as backup port, in response
to the spanning tree configuration messages, wherein the active
port is selected by selecting a port which would have a least cost
path to a root of the network according to the spanning tree
protocol; and preventing traffic ingressing at the active port
coupled to the network from egressing at the backup port coupled to
the network.
8. The method of claim 7, wherein the spanning tree protocol is
compliant with an IEEE 802.1 standard spanning tree protocol.
9. The method of claim 7, including executing a communication
protocol for a switched local area network.
10. The method of claim 7, including executing a protocol compliant
with an Ethernet standard in the edge device.
11. The method of claim 7, wherein the edge device comprises a
service interface unit, the service interface unit having a service
interface coupled via a link to a customer device having a unique
MAC address.
12. A communication network, comprising: a plurality of
communication links; a plurality of switches coupled to the
communication links, the switches executing an active topology
protocol; and a plurality of edge devices, at least one edge device
in the plurality of edge devices having a port coupled via a link
to a customer device, and having a plurality of network interfaces
coupled via respective links to a switch or to switches in the
plurality of switches, the at least one edge device configured to
monitor the active topology protocol to select a network interface
in the plurality of network interfaces as an active port for
traffic between the switch or switches and the edge device, in
response to the active topology protocol; and to prevent traffic
ingressing at any network interface in the plurality of network
interfaces from egressing at any network interface.
13. The network of claim 12, wherein the active topology protocol
comprises a spanning tree protocol, and the active port is selected
by selecting a network interface which would have a least cost path
to a root of the spanning tree according to the spanning tree
protocol.
14. The network of claim 12, wherein the active topology protocol
comprises a spanning tree protocol compliant with an IEEE 802.1
standard spanning tree protocol.
15. The network of claim 12, wherein said plurality of switches
execute a communication protocol for a switched LAN with multicast
capability.
16. The network of claim 12, wherein said plurality of switches
execute a protocol compliant with an Ethernet standard.
17. A metropolitan area network, comprising: a plurality of
communication links which traverse a metropolitan area; a plurality
of switches coupled to the communication links, the switches
executing a spanning tree protocol, and including access switches
and interior switches; and a plurality of service interface units,
at least one service interface unit in the plurality of service
interface units having a service interface coupled via a link to a
customer device with a unique MAC address, and having a plurality
of network interfaces coupled via respective links to an access
switch or to access switches in the plurality of switches, the at
least one service interface unit configured to monitor spanning
tree configuration messages at at least one port of the plurality of
network interfaces; to select a network interface in the plurality
of network interfaces as an active port for traffic between the
access switch or switches and the service interface unit in
response to the spanning tree configuration messages; and to
prevent traffic ingressing at any network interface in the
plurality of network interfaces from egressing at any network
interface.
18. The network of claim 17, wherein the active port is selected by
selecting a network interface which would have a least cost path to
a root of the spanning tree according to the spanning tree
protocol.
19. The network of claim 17, wherein the spanning tree protocol is
compliant with an IEEE 802.1 standard spanning tree protocol.
20. The network of claim 17, wherein said plurality of switches
execute a communication protocol for a switched LAN.
21. The network of claim 17, wherein said plurality of switches
execute a protocol compliant with an Ethernet standard.
Description
PROVISIONAL APPLICATION DATA
[0001] The present application claims the benefit under 35 U.S.C.
§ 111(b) and 35 U.S.C. § 119(e) of the provisional
application no. 60/186,470, filed Mar. 2, 2000, entitled BROADBAND
SERVICE NETWORK AND E-COMMERCE PROVISIONING SYSTEM, naming
inventors Michael Seaman, Vipin Jain, Gary Jaszewski, Bob Klessig,
Peter Van Peenen, and David Braginsky.
CONTINUING APPLICATION DATA
[0002] The present application is a continuation-in-part of
co-pending U.S. patent application No. 09/634,566, filed: Aug. 9,
2000, entitled E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS
INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which is
incorporated by reference as if fully set forth herein.
BACKGROUND OF THE INVENTION
[0003] 1. Field of the Invention
[0004] The present invention relates to configuration of edge
devices for networks, including broadband communication networks,
and more particularly to configuration of networks managed
according to an active topology protocol, including the spanning
tree protocol.
[0005] 2. Description of Related Art
[0006] In an enterprise data network, devices are often connected
into switched networks configured by an active topology protocol,
such as the Spanning Tree Protocol of IEEE 802.1D. In high data rate
networks using active topology protocols, connections between
packet switches are sometimes made by point-to-point links, using
for example fiber optic cable, in a "redundant, dual-homed,
tree-like" topology to facilitate rapid reconfiguration with the
minimum loss of service. The revised spanning tree protocol under
standardization in IEEE 802.1w is a suitable protocol for
establishing the failover rules in the network. The recently
completed link aggregation standard, IEEE Std. 802.3ad, is another,
providing for resiliency of parallel links. These technologies, in
high bandwidth configurations, are being applied in the
metropolitan area network environment as well.
[0007] The IEEE 802.1 spanning tree provides for redundant
connections within a network, where data transmitted from one
attachment to the network to another is constrained to follow a
loop free path. It reduces the physical topology of the network to
an active topology that is both loop free ("tree") and fully
connected ("spanning").
[0008] Redundant connection of the edge devices to the active
topology network creates the possibility of a loop forming through
the edge device in order to maintain the spanning tree. Thus in the
prior art, edge devices coupled to the spanning tree network have
not participated in the tree, so that they do not become transit
nodes for traffic of the network. In the past, the selection of one
link or another for connection to the interior of a network has been
or another for connection to the interior of a network, has been
performed by a simple physical layer redundancy scheme that
interrogates the health of the links from an edge switch to the
network. One link is configured as a primary, or active, link and
the secondary link is activated only if the primary fails a simple
connectivity test to the remainder of the network, e.g. loss of the
transmitted light signal. However, this fails to select the best
route for the connection to the root of the tree in an active
topology, like that provided by the spanning tree.
[0009] It is desirable therefore to provide a technique for
selecting an active port for connection of an edge device to a
spanning tree network or other active topology network, which is
easy to configure, scalable and efficient.
SUMMARY
[0010] This invention comprises a method for configuring a network,
and a network configured according to such method, providing
resilient, redundant connection to an edge device. The system
improves on the prior art arrangements, while not allowing the edge
device to participate in the active topology of the network managed
for example according to a spanning tree protocol, by choosing the
active link from the edge device to the network on the basis of the
active topology information received by the device, but not
allowing it to forward or generate active topology information.
This arrangement protects against a failure in the network that
causes the switch to which the edge device is connected to be
separated from the main body of the network, by allowing the edge device to
use the active topology information propagated in the network to
select a link to the network based upon changes that occur remote
from the switch to which it has immediate connection.
[0011] According to one embodiment of the invention, the method
manages the redundant connections of an edge device between a first
network and a second network, where the second network is managed
according to a spanning tree protocol in which spanning tree
configuration messages propagate among switches in the second
network. The redundant connections are made via a plurality of
ports on the edge device coupled to the second network. The method
comprises
[0012] monitoring spanning tree configuration messages at at least one
port of the plurality of ports on the edge device coupled to the
second network;
[0013] selecting a port in the plurality of ports on the edge
device coupled to the second network as an active port for traffic
between the second network and the edge device, in response to the
spanning tree configuration messages; and
[0014] preventing traffic ingressing at any port coupled to the
second network from egressing at any port coupled to the second
network.
[0015] The active port is selected in a preferred embodiment by
selecting a port having a least cost path to a root of the second
network according to the spanning tree protocol. The edge device
neither propagates nor generates spanning tree configuration
messages.
[0016] According to one aspect of the invention, a communication
system is provided using technology that has been developed within
the communications, enterprise data networking, electronic
commerce, and carrier service provider industries. The system is
configured to provide service in new ways, supporting secure
point-to-multipoint channels, and other connectivity options in a
manner particularly complementary to a provisioning process and
system described in the above referenced application entitled
E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS INCLUDING BROADBAND
COMMUNICATION SERVICE NETWORKS.
[0017] The network architecture in a preferred embodiment organizes
switches into demarcation devices, access switches and interior
switches.
[0018] Demarcation devices (also referred to herein as service
interface units) are edge devices typically, but not necessarily,
located on a single customer's premises. Each demarcation device
supports one or more service interfaces, identifiable by unique
addresses such as Ethernet MAC addresses, by which a customer
network is connected to the active topology network, and one or
more "drops" that connect to access ports on access switches.
[0019] Access switches are located on physically secured premises,
linked by a communication medium of choice, including for example
fiber optic cable, to a collocation site in the metropolitan area
network. In addition to access ports coupled to the demarcation
devices, the access switches have interior network ports that
connect to interior switches at the collocation sites within the
network.
[0020] Interior switches form the heart of the network, typically
in collocation sites of the metropolitan area network, having ports
coupled to the interior ports of the access switches.
[0021] The identity of the connected device on a service interface
is ascertained by observing packets transmitted by the device at
the service interface of the demarcation device. Each packet
contains a source address, such as a source MAC address. The MAC
address is captured by the service interface and a notification is
sent to the system managing the network using normal network
management protocols. The management system assures itself that the
MAC address is unique. Filters are configured on access ports of
the access switches to ensure that only packets with source
addresses checked in this way are accepted from the attached
demarcation device. Similarly only packets from source addresses
that are permitted to transmit to the demarcation device are
allowed to egress from the access port to the demarcation
device.
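The identity capture and access-port filtering described in [0021], worked as an added Python example (not code from the application or its inventors). The interface names, the MAC addresses, the ManagementSystem and AccessPortFilter classes and the point-to-point connect() provisioning step are all constructed for illustration; the application itself only states that the management system checks uniqueness and that filters are configured on the access ports.

```python
"""Source-address identity capture at a service interface and the access
port filters derived from it. Added example, not code from the application."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


@dataclass
class AccessPortFilter:
    """Filters installed on the access switch port facing one demarcation device."""
    ingress_allowed: Set[str]  # sources accepted from the attached demarcation device
    egress_allowed: Set[str]   # sources permitted to leave toward the demarcation device

    def accept_ingress(self, frame: Frame) -> bool:
        return frame.src in self.ingress_allowed

    def accept_egress(self, frame: Frame) -> bool:
        return frame.src in self.egress_allowed


class ManagementSystem:
    """Management system (constructed): checks that each captured MAC is unique
    network-wide and derives per-access-port filters from provisioned connections."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}       # MAC -> service interface that holds it
        self.mac_of: Dict[str, str] = {}      # service interface -> its MAC
        self.peers: Dict[str, Set[str]] = {}  # interface -> interfaces allowed to send to it

    def register(self, interface: str, mac: str) -> bool:
        """Accept a captured MAC only if no other service interface already owns it."""
        holder = self.owner.get(mac)
        if holder is not None and holder != interface:
            return False
        self.owner[mac] = interface
        self.mac_of[interface] = mac
        return True

    def connect(self, a: str, b: str) -> None:
        """Provision a point-to-point virtual connection between two interfaces."""
        self.peers.setdefault(a, set()).add(b)
        self.peers.setdefault(b, set()).add(a)

    def access_port_filter(self, interface: str) -> AccessPortFilter:
        """Ingress: only the interface's own checked MAC. Egress: only its peers' MACs."""
        own = {self.mac_of[interface]} if interface in self.mac_of else set()
        peer_macs = {self.mac_of[p] for p in self.peers.get(interface, set())
                     if p in self.mac_of}
        return AccessPortFilter(ingress_allowed=own, egress_allowed=peer_macs)


class ServiceInterface:
    """A service interface on a demarcation device; captures the source MAC of
    the attached customer device and reports it to the management system."""

    def __init__(self, name: str, manager: ManagementSystem) -> None:
        self.name = name
        self.manager = manager
        self.identity: Optional[str] = None

    def observe(self, frame: Frame) -> Optional[str]:
        """Return the established identity, or None while no MAC has been accepted."""
        if self.identity is None and self.manager.register(self.name, frame.src):
            self.identity = frame.src
        return self.identity


def scenario() -> dict:
    """Constructed walk-through with three customer service interfaces."""
    mgr = ManagementSystem()
    ent1 = ServiceInterface("siu105/if1", mgr)  # enterprise 1 (constructed names)
    isp = ServiceInterface("siu107/if1", mgr)   # Internet service provider
    ent3 = ServiceInterface("siu109/if1", mgr)  # enterprise 3, no connection to enterprise 1
    mac_ent1, mac_isp, mac_ent3 = "02:00:00:00:00:01", "02:00:00:00:00:07", "02:00:00:00:00:09"
    ent1.observe(Frame(mac_ent1, mac_isp))
    isp.observe(Frame(mac_isp, mac_ent1))
    # A device on enterprise 3's interface presenting enterprise 1's address is refused.
    duplicate = ent3.observe(Frame(mac_ent1, mac_isp))
    ent3.observe(Frame(mac_ent3, mac_ent1))
    mgr.connect("siu105/if1", "siu107/if1")
    flt = mgr.access_port_filter("siu105/if1")
    return {
        "duplicate_refused": duplicate is None,
        "ent3_identity": ent3.identity,
        "ingress_own": flt.accept_ingress(Frame(mac_ent1, mac_isp)),
        "ingress_spoofed": flt.accept_ingress(Frame(mac_isp, mac_ent1)),
        "egress_from_isp": flt.accept_egress(Frame(mac_isp, mac_ent1)),
        "egress_from_ent3": flt.accept_egress(Frame(mac_ent3, mac_ent1)),
    }


if __name__ == "__main__":
    print(scenario())
```

The two filters are deliberately asymmetric: the ingress set holds only the single checked address of the attached device, so a frame arriving from the demarcation device with any other source is dropped at the access port, while the egress set holds only the addresses of interfaces a connection has been provisioned with, so traffic from an unconnected customer never reaches the drop.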
[0022] Interior switches do not filter or otherwise constrain
connections on the basis of the identities of devices attached to
either the transmitting or receiving service interfaces. This
allows the active topology maintained by interior switches to scale
independently of the number of active connections through the
network, and to reconfigure rapidly since information concerning
individual connections does not have to be communicated or changed
during reconfiguration.
[0023] Modification of the spanning tree for resilient redundant
connection of an edge device, such as a packet switch positioned as
a demarcation device, to a network is provided according to the
present invention. In the network, demarcation devices can provide
for redundant connections to the rest of the network. Selection of
one link in preference to another can be achieved by use of the
spanning tree or another active topology protocol. However, only
traffic that is transmitted by or destined for a given customer is
allowed to reach that customer's demarcation device. It is not
desirable that a demarcation device act as a transit link in the
network, that would be used to ensure full connectivity from one
part of the network to another, either during a reconfiguration of
the network or while the active topology is stable. Rather, the
network should partition if there is no connectivity other than
through a demarcation device between the two halves.
[0024] A range of options is offered to customers to control
changes to the source MAC address used on the service interfaces of
demarcation devices including automatic configuration, latching of
a learnt address, explicit manual configuration, and identification
of attempts at intrusion into the network.
[0025] The system is capable of extension to allow additional
security protocols to establish the identity of the connecting
system. Once that identity has been established, the MAC address of
the transmitting system is used, as described above, to secure
connections.
[0026] Disconnection and reconnection of the device can be
detected, even if the same MAC address is used throughout. This
protects against attempts to masquerade once a device identity has
been established.
[0027] A foundation of industry standard products and practices in
the following areas is used to construct the novel networks,
including for one example:
[0028] Fiber optic transmission technology using WDM (wave division
multiplexing) to carry additional bandwidth through the use of many
"colors" of light on a single fiber, controlled and
[0029] Gigabit (or higher) Ethernet packet switching technology to
accept and deliver IP data from and to customers, providing a
highly reliable service.
[0030] Electronic commerce technology to allow customers and their
authorized agents to order, configure, and manage the
communications services delivered and to enter into business
agreements with other suppliers of services using the system's
communication services.
[0031] In each of these areas a number of novel practices and
inventions support and advance the communications network and
services.
[0032] Configuration of links and link segments to facilitate rapid
reconfiguration of interconnected packet switches is provided in
support of the commercial provisioning system.
[0033] A set of rules and heuristics is provided for the use and
configuration of fiber optic transmission facilities, purchased or
leased in ring configurations, as a set of links comprising
selected concatenated segments from a set of rings. The resulting
configurations have benefits in networks including:
[0034] 1) They allow the use of high bandwidth low cost enterprise
data packet switching equipment in the collocation facilities,
while providing high network availability through the use of rapid
reconfiguration with redundant links and switches.
[0035] 2) They allow the use of general mesh topologies to support
redundancy, rather than restriction to rings or rings with
extraordinary interconnection arrangements.
[0036] In addition to realizing these topologies by concatenating
physical segments from rings, equipment is provided so that a link
can comprise logical segments, each consisting for example of a
wavelength of light transmitted and received by WDM (wavelength
division multiplexing) equipment attached to the physical fiber
segment running between two locations on a ring. Electronic
switching of the transmitted information stream at each ring node
from one wavelength on a segment to another wavelength on the next,
or to an attached device, allows for electronic rearrangement of
the set of links connected to each packet switch in the
network.
[0037] Spatial reuse in a packet based data network with a ring
topology is accomplished in the preferred network configuration.
The network architecture uses packet switches with rapid
reconfiguration protocols and VLAN technology to constrain packets
that might otherwise be broadcast or flooded to the necessary paths
between access ports in the network. Thus a combination of existing
standard technologies serves to support the same robust efficient
communications goals sought by new non-standard equipment.
[0038] Security arrangements for a packet switched data
transmission network using LAN switches are provided. The network
makes use of packet data switching equipment that is typically used
in private data networks. While such equipment has facilities that
can be used to construct ad-hoc security arrangements, a systematic
approach to security is provided by the present invention.
[0039] The network ensures that no data is ever delivered to a
service interface other than the service interface(s) explicitly
authorized by the customer whose network attached equipment
transmits the data, and that no data is received on a service
interface other than data from the service interface(s) explicitly
authorized by the customer whose network attached equipment is
receiving the data.
[0040] The mechanisms that the system uses to ensure such secure
delivery include:
[0041] (a) The organization of switches within the network
architecture and the placement of security functions within that
architecture.
[0042] (b) Assuring a unique identity for each device connected to
a service interface anywhere within the network.
[0043] (c) Checking that identity at points identified within the
network (see (a) above).
[0044] (d) Ensuring that the identity of each of the
customers/parties controlling the assignment of service interfaces
and the connections between them is securely known.
[0045] (e) Providing for the known delegation of control within the
constraints imposed by (d) above.
Other aspects and advantages of the present invention can be seen
on review of the figures, the detailed description and the claims,
which follow.
BRIEF DESCRIPTION OF THE FIGURES
[0046] FIG. 1 is a diagram of a commercial communication service
with an Internet based provisioning server according to the present
invention.
[0047] FIG. 2 is a block diagram of a network managed according to
an active topology protocol, and including edge devices with
resilient, redundant connections to the network, according to the
present invention.
[0048] FIG. 3 is a diagram illustrating an edge device architecture
according to the present invention.
[0049] FIG. 4 shows a network configured according to a spanning
tree protocol, with edge devices according to the present
invention.
[0050] FIG. 5 illustrates a redundant switch access service with
parallel drops.
[0051] FIG. 6 illustrates a parallel single tenant access service
with two drops coupled to a single access switch.
[0052] FIG. 7 illustrates a fully redundant single tenant access
service according to one aspect of the invention.
[0053] FIG. 8 illustrates a collocation facility access arrangement
for connection to the secure MAN of the present invention.
[0054] FIG. 9 illustrates another example collocation facility
access arrangement.
[0055] FIG. 10 illustrates a fiber MAN network physically laid out
as a ring, and partitioned as segments of the secure MAN of the
present invention.
DETAILED DESCRIPTION
[0056] FIG. 1 illustrates a communications service example, based
on provisioning links among a variety of customers within a secure
metropolitan area network (MAN). In FIG. 1, a secure MAN based upon a
layer two packet switched protocol, preferably Ethernet, and in
which the switches are managed by an active topology protocol such
as the spanning tree protocol, is represented by cloud 60. A number
of customers, including Internet service provider 61, outsourcing
vendor 62, "enterprise 1" with a North campus 63, a West campus 24,
and a South campus 25, and "enterprise" 2 66 and enterprise 3 67,
are coupled to the secure MAN 60 by appropriate physical and
logical interfaces. A provisioning server 71 is coupled to the
secure MAN 60, either using the secure MAN medium or by other
communication channels to the switches and other resources in the
secure MAN, and facilitates transactions among the customers of the
secure MAN 60 for establishing communication channels, such as the
virtual connections discussed above, and provisioning of services
agreed to by the customers with the resources of the secure MAN 60.
In one embodiment, the configuring and allocating of services within
the secure MAN 60 to support the links among the customers is
managed by the provisioning server using a management protocol such
as Telnet or SNMP, under which filters and other control data
structures in the switches are configured. In this manner, the
provisioning server is available via the Internet to customers and
potential customers of the secure MAN 60, using standard
technology.
[0057] Virtual connection services allow rich connectivity among
all customer locations on the secure MAN network. Examples
include:
[0058] A mesh connected, multipoint-to-multipoint virtual
connection service 35 dedicated to a single enterprise for
connecting campuses together.
[0059] A point-to-multipoint virtual connection service 76
connecting an Internet Service Provider to customers.
[0060] A point-to-point virtual connection service 77 connecting an
enterprise location to an outsourcing vendor.
[0061] A point-to-point virtual connection service 78 connecting
two enterprises.
[0062] A single customer can have simultaneous intra-enterprise and
extra-enterprise communications using the secure MAN, provisioned
according to the present invention.
[0063] Edge devices (not shown) between the customer networks or
devices, and the secure MAN support security processes for the MAN,
and include redundant connections to switches in the network in a
preferred configuration for improved reliability and
efficiency.
[0064] A detailed description of one example of the secure MAN
provisioning embodiment is provided in the above referenced
application entitled, E-COMMERCE SYSTEM FACILITATING SERVICE
NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which
is incorporated by reference as if fully set forth herein.
[0065] FIG. 2 is a block diagram of a network configured according
to the present invention to support point-to-multipoint virtual
connections, among a plurality of customers of a public
metropolitan area network. The customers have local networks 100,
101, 102, and 103. Each of the customers includes customer
equipment, such as a router (not shown), having unique MAC
addresses, connected by a link to a port on a service interface
unit. Thus, the customer 100 is connected by links 100-1 and 100-2
to the service interface unit 105. The customer 100 is connected by
links 100-3 and 100-4 to the service interface unit 106. The
customer 101 is connected by link 101-1 to the service interface
unit 107. The customer 102 is connected by the links 102-1 and 102-2
to service interface unit 108. Customer 103 is connected by link
103-1 to service interface unit 109. The service interface units
comprise switches at customer premises in which demarcation points
for access to the metropolitan area network are established. Each
of the links 100-1 through 100-4, 101-1, 102-1, 102-2, and 103-1
is connected at the customer side to ports on customer devices
having unique MAC addresses. Thus the demarcation points for the
network can be considered ports on the service interface unit
characterized by the unique MAC addresses of the attached customer
equipment.
[0066] The service interface units 105-109 are connected by
point-to-point links to access switches 110, 111, 112 in the
network. Thus, service interface unit 105 is coupled by links 105-1
and 105-2 to the access switch 110. Service interface unit 105 is
coupled by the link 105-3 to the access switch 111. Service
interface unit 106 is coupled by the link 106-1 to the access
switch 110, and by link 106-2 to the access switch 111. Service
interface unit 107 is coupled by the link 107-1 to the access
switch 111, and by the link 107-2 to the access switch 112. Service
interface unit 108 is coupled by the link 108-1 to the access
switch 111, and by the link 108-2 to the access switch 112. Service
interface unit 109 is coupled by the link 109-1 and by the link
109-2 to the access switch 112. The service interface units 105-109
are managed so that only one of the links between the service
interface units and an access switch in the network is active at
any time. A modified spanning tree protocol is utilized to select
the active link as described below.
[0067] The access switches 110-112 are coupled to interior switches
of the metropolitan area network 115.
[0068] According to the preferred embodiment of the present
invention, the security arrangements for the virtual channels are
deployed in the access switches 110-112 via source address
filtering based upon the unique MAC addresses of the demarcation
points at service interface units in the network.
[0069] The following excerpt from the IEEE Draft P802.1w/D9, from
pages 37-38, provides background concerning operation of one
standard spanning tree protocol, known as the Rapid Spanning Tree
Algorithm, used for managing an active topology of the network
including the access switches and interior switches.
[0070] The Rapid Spanning Tree Algorithm assigns one of the
following Port Roles to each Bridge Port: Root Port, Designated
Port, Alternate Port, or Backup Port. A fifth role, Disabled Port,
identifies a Port as having no role within the operation of
Spanning Tree. Port Role assignments for ports throughout the
Bridged Local Area Network are determined by: a) A unique Bridge
Identifier associated with each Bridge, b) A Path Cost associated
with each Bridge Port, c) A Port Identifier associated with each
Bridge Port, as follows.
[0071] The Bridge with the best Bridge Identifier is selected as
the Root Bridge. The unique Bridge Identifier for each Bridge is
derived, in part, from the Bridge Address (7.12.5) and, in part,
from a manageable priority component (9.2.5). The relative priority
of Bridges is determined by the numerical comparison of the unique
identifiers, with the lower numerical value indicating the better
identifier. Every Bridge has a Root Path Cost associated with it.
For the Root Bridge this is zero. For all other Bridges it is the
sum of the Path Costs for each Bridge Port receiving frames on the
least cost path from the Root Bridge to that Bridge. The Path Cost
associated with each Port may be manageable. Additionally, 17.28.2
recommends default values for the Path Costs associated with Ports
attached to LANs of specific MAC types and speeds.
[0072] The Bridge Port on each Bridge receiving the frames on the
least cost path from the Root Bridge is assigned the role of Root
Port for that Bridge (the Root Bridge does not have a Root Port).
If a Bridge has two or more ports with the same least Path Cost sum
from the Root, then the port with the best Port Identifier is
selected as the Root Port. Part of the Port Identifier is fixed and
is different for each Port on a Bridge, and part is a manageable
priority component (9.2.7). The relative priority of Ports is
determined by the numerical comparison of the unique identifiers,
with the lower numerical value indicating the better
identifier.
[0073] Each LAN in the Bridged Local Area Network also has an
associated Root Path Cost. This is the Root Path Cost of the lowest
cost Bridge with a Bridge Port connected to that LAN. This Bridge
is selected as the Designated Bridge for that LAN. If there are two
or more Bridges with the same Root Path Cost, then the Bridge with
the best priority (least numerical value) is selected as the
Designated Bridge. The Bridge Port on the Designated Bridge that is
connected to the LAN is assigned the role of Designated Port for
that LAN. If the Designated Bridge has two or more ports connected
to the LAN, then the Bridge Port with the best priority Port
Identifier (least numerical value) is selected as the Designated
Port. In a Bridged Local Area Network whose physical topology is
stable, i.e. the Rapid Spanning Tree Algorithm has communicated
consistent information throughout the network, every LAN has one
and only one assigned Designated Port, and every Bridge with the
exception of the Root Bridge has a Root Port connected to a
LAN.
[0074] Any operational Bridge Port that is not assigned a Port Role
of Root Port or Designated Port is a Backup Port if that Bridge is
the Designated Bridge for the attached LAN, and an Alternate Port
otherwise. An Alternate Port offers an alternate path in the
direction of the Root Bridge to that provided by the Bridge's own
Root Port, whereas a Backup Port acts as a backup for the path
provided by a Designated Port in the direction of the leaves of the
Spanning Tree. Backup Ports exist only where there are two or more
connections from a given Bridge to a given LAN; hence, they (and
the Designated Ports that they back up) can only exist where two
ports are connected together in loopback by a point to point link,
or where the Bridge has two or more connections to a shared media
LAN segment.
[0075] NOTE--The distinction between the Alternate and Backup Port
Roles does not appear in the Spanning Tree Algorithm and Protocol
described in Clause 8. This distinction is introduced in RSTP in
order to make it possible to describe the possibility of rapidly
transitioning an Alternate Port to Forwarding on failure of the
Root Port.
[0076] (IEEE Draft P802.1w/D9, "Supplement to ISO/IEC 15802-3 (IEEE
Std 802.1D), Information technology--Telecommunications and
information exchange between systems--Local and metropolitan area
networks--Common specifications--Part 3: Media Access Control (MAC)
Bridges: Rapid Reconfiguration," Sponsor: LAN MAN Standards
Committee of the IEEE Computer Society, Jan. 12, 2001, pages 37-38.
Numerical references in parentheses in the quote are to sections
of P802.1w/D9.)
[0077] IEEE Draft P802.1w/D9 and IEEE Std 802.1D are incorporated
by reference as if fully set forth herein, providing examples of
spanning tree protocols, and of 802.1 standard spanning tree
protocols.
[0078] According to the present invention, the spanning tree
protocol (or another active topology protocol) is used on edge
devices, which act as an interface between customer equipment and a
network executing the active topology protocol, to select an
active connection to the network. In this example, the spanning
tree protocol is run to select a Root Port, and to use the selected
port as the active connection to the network. However, no packets
ingressing at a port coupled to the spanning tree network are
allowed to egress at any port coupled to the spanning tree network.
Ports coupled to the spanning tree network that are not selected as
the active port are placed in blocking state, and provide a backup
connection to the spanning tree network. No traffic is allowed to
traverse the edge device, except that destined to the customer
equipment, or originating in the customer equipment. The edge
device, and the customer equipment are therefore protected from
becoming a link between portions of the spanning tree network,
while taking advantage of the intelligence of the spanning tree
protocol to make efficient choices of active links to the network.
If the spanning tree costs of the ports change, then the ports
coupled to the spanning tree network in the blocking state may be
selected as the active port.
[0079] FIG. 3 illustrates a basic configuration of a network using
the modified spanning tree protocol of the present invention. A
Metropolitan Area Network 120 includes interior switches 121 and
122, operating a layer two protocol, such as Gigabit Ethernet, with
switches configured using the spanning tree protocol. Access
switches 123 and 124 are coupled to the interior switches 121 and
122 by a redundant, route diverse collection of links 125, 126, 127
and 128. The access switches include resources for source address
filtering to provide for provisioning of secure communication
channels among customers of the network, as described in the above
cross-referenced application. Service interface unit 129 is coupled
to the access switches by links 131 and 132. Other service
interface units may also be coupled to the access switches 123 and
124.
[0080] The access switches and the interior switches participate in
the spanning tree, and propagate spanning tree configuration
messages, known as BPDUs, to support the dynamic configuration of
the switches in the spanning tree network. Thus, the best route to
the root of the network can change in response to events remote
from the service interface unit 129. The service interface unit 129
selects an active link based upon the spanning tree information
received from the access switches 123 and 124. Thus, service
interface unit 129 selects either link 131 or link 132 as an active
link in response to the spanning tree configuration messages
received at one or both of the network interfaces coupled to the
links 131 and 132. The service interface unit is configured to
prevent any packet ingressing on the links 131 and 132 from
egressing on the links 131 and 132. In one embodiment, packets
ingressing at a port on the edge device are associated with a port
number. The edge device is configured so that the ingress port
number is used as a filter to prevent egress of packets on other
ports coupled to the spanning tree network. Thus, no transit path
can be established between the links 131 and 132. In this manner,
traffic from access switch 124 will not follow the route 136 on
link 132 to service interface unit 129, and on link 131 to access
switch 123 in its route to the root of the tree, even if this route
136 would otherwise be the least cost route according to the
spanning tree.
[0081] FIG. 4 shows one example network topology with spanning tree
configuration information, according to a preferred embodiment in
which the interior switches comprise high speed Ethernet switches
in collocation sites in a metropolitan area network. The network
includes a plurality of fiber segments extending between collocation
sites. The fiber segments are arranged for configuration as a ring,
but partitioned and managed according to a spanning tree protocol.
The switches P5 and P6 correspond to the interior switches 121 and
122 of FIG. 3.
[0082] In FIG. 4, the filled circle, unfilled circle, and parallel
line markings correspond to the designated port, root port, and
alternate port in the blocking state, respectively, according to
the spanning tree protocol. In this example, the switch P1 is the
root of the tree. The switch P1 has five designated ports. One
designated port is coupled to an alternate port on switch P3 via an
internal link. Another designated port on switch P1 is coupled to a
root port on switch P2 via a link 2-1. Another designated port on
switch P1 is coupled to a root port on switch P5 via link 5-1. A
fourth designated port on switch P1 is coupled to a root port on
switch P4 via a link 1-4. A fifth designated port on switch P1 is
coupled to a root port on P2 via a link 1-2. A designated port on
switch P6 is coupled via a link 6-3 to a root port on switch P3. A
designated port on switch P5 is coupled to an alternate port on
switch P6 via an internal link. A designated port on switch P2 is
coupled to a root port on switch P6 via link 2-6. A designated port
on switch P2 is coupled via an internal link to an alternate port
on switch P4.
[0083] The access switches 123 and 124, and the service interface
unit 129 have the same reference numerals as used in FIG. 3. Switch
P5 has designated ports coupled via links 125 and 128 to root ports
on access switches 123 and 124 respectively. Switch P6 has
designated ports coupled via links 126 and 127 to ports in a
blocking state on access switches 123 and 124, respectively, acting
as backup links. The spanning tree configuration information is
propagated to the service interface unit 129, which elects the
network interface coupled to link 131 as the active link, and the
network interface coupled to link 132 as the backup link. This
could be changed for example if the link 125 were broken, making
the port coupled to link 126 become selected as the root port on
switch 123. The best route to the root for the service interface
unit 129 would change from link 131 to link 132 in this case,
because the route through access switch 124 and interior switch P5
to the root P1 is a lower cost path than the route through access
switch 123 on link 126, interior switch P6, and interior switch P2
to the root P1.
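The Root Port selection of [0071]-[0072], applied by the edge device of [0078]-[0080], and the failover of [0083], as an added Python example that is not part of the patent text. Bridge numbers 123 and 124 and port numbers 131, 132 and 203 are taken from FIGS. 3 to 5; the path costs, the BPDU contents, the class and method names, and the port-number tie-break are constructed assumptions. The selection routine generalizes the two-link case in the figures to any number of network-facing ports.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Bpdu:
    """Configuration message as received on a port (constructed model).
    Lower is better in every component, so tuples compare lexicographically."""
    root_id: int
    root_path_cost: int
    sender_bridge_id: int
    sender_port_id: int


class EdgeDevice:
    """Demarcation device that reads BPDUs but never joins the tree (hypothetical)."""

    def __init__(self, network_ports: Dict[int, int], customer_ports: Set[int]):
        # network_ports maps port number -> manageable path cost of that port.
        self.network_ports = dict(network_ports)
        self.customer_ports = set(customer_ports)
        self.best: Dict[int, Optional[Bpdu]] = {p: None for p in network_ports}
        self.active: Optional[int] = None

    def receive_bpdu(self, port: int, bpdu: Bpdu) -> None:
        """Record the latest configuration message seen on a network port."""
        if port not in self.network_ports:
            raise ValueError(f"port {port} is not coupled to the spanning tree network")
        self.best[port] = bpdu
        self._select_active()

    def link_down(self, port: int) -> None:
        """Forget what a failed link advertised so it can no longer be chosen."""
        self.best[port] = None
        self._select_active()

    def _select_active(self) -> None:
        """Root Port choice of [0071]-[0072]: least root path cost, then lowest
        sending bridge identifier, then sending port identifier; the device's
        own port number breaks any remaining tie (assumed)."""
        candidates: List[Tuple[int, int, int, int, int]] = []
        for port, bpdu in self.best.items():
            if bpdu is not None:
                candidates.append((bpdu.root_id,
                                   bpdu.root_path_cost + self.network_ports[port],
                                   bpdu.sender_bridge_id,
                                   bpdu.sender_port_id,
                                   port))
        self.active = min(candidates)[4] if candidates else None

    def bpdus_to_transmit(self) -> List[Bpdu]:
        """The device neither forwards nor generates spanning tree information."""
        return []

    def port_state(self, port: int) -> str:
        if port in self.customer_ports or port == self.active:
            return "forwarding"
        return "blocking"

    def egress_ports(self, ingress: int, is_bpdu: bool = False) -> FrozenSet[int]:
        """Ports a frame arriving on `ingress` may be sent out of.
        A frame from the spanning tree network may only reach customer ports,
        and a customer frame may only leave on the active port, so no network
        port is ever an egress for a network ingress ([0080])."""
        if is_bpdu:
            return frozenset()            # consumed locally, never relayed
        if ingress in self.network_ports:
            if ingress != self.active:
                return frozenset()        # a blocking port discards data frames
            return frozenset(self.customer_ports)
        if ingress in self.customer_ports:
            out = self.customer_ports - {ingress}
            if self.active is not None:
                out.add(self.active)
            return frozenset(out)
        raise ValueError(f"unknown port {ingress}")


def failover_scenario() -> Tuple[Optional[int], Optional[int]]:
    """FIG. 4 as described in [0083], with constructed costs: both access
    switches first reach root P1 through P5 at equal cost, so the lower
    bridge identifier (123, on port 131) wins; after link 125 fails, switch
    123 re-roots through P6 and P2 at a higher cost and port 132 takes over."""
    dev = EdgeDevice({131: 4, 132: 4}, {203})
    dev.receive_bpdu(131, Bpdu(1, 8, 123, 1))   # from access switch 123
    dev.receive_bpdu(132, Bpdu(1, 8, 124, 1))   # from access switch 124
    before = dev.active
    dev.receive_bpdu(131, Bpdu(1, 16, 123, 2))  # switch 123 now via P6 and P2
    return before, dev.active
```

The security property the paragraph insists on lives in `egress_ports`: the ingress port alone decides the permitted egress set, and no rule ever maps a network ingress to a network egress, so even a burst of inconsistent BPDUs during reconfiguration cannot turn the device into a transit link. `bpdus_to_transmit` returning an empty list is the counterpart of "does not forward or generate spanning tree information"; a check that it stays empty belongs in any test of such a device.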
[0084] FIG. 5 shows configuration of an access service for a
spanning tree network according to the present invention, and
includes a demarcation device 200, a secure network switch 201 and
customer-owned equipment 202. The demarcation device 200 supports a
plurality of service interfaces to customer equipment in this
example.
[0085] A demarcation device 200 is typically situated between
customer-owned equipment and a secure MAN access switch. The
demarcation device 200 connects to customer-owned equipment 202
through one or more service interfaces 203. The demarcation device
200 converts between the physical layer of the drop 204 and that of
the service interfaces 203. The demarcation device 200 also
performs surveillance and maintenance functions.
[0086] The drop 204 will typically use a fiber optic link with at
least 1 Gbps bandwidth although other transmission technologies may
be used, e.g., high bandwidth wireless transmission. The type of
transmission used is transparent to the customer.
[0087] The service interface 203 is the point at which
customer-owned equipment 202, typically an Internet Protocol (IP) or
multiprotocol router, is attached. This interface 203 runs IP over
10/100/1000 Mbps Ethernet for example, using either a copper or
fiber physical layer. An auto-sensing 10/100 Ethernet service
interface may also be used. Also, other higher speed Ethernet
technologies could be used.
[0088] In the secure MAN, the "demarcation devices" situated on
individual customers' premises can provide for redundant
connections to the rest of the network. Selection of one link in
preference to another can be achieved by use of the spanning tree
or a similar protocol. However, only traffic that is transmitted by
or destined for a given customer is allowed to reach that
customer's demarcation device (a packet switch). It is not
desirable that a demarcation device act as a transit link in the
network, ensuring full connectivity from one part of the network to
another, either during a reconfiguration of the network or while
the active topology is stable. Rather the network should partition
if there is no other connectivity between the two halves.
[0089] In the past, the simple selection of one link or another for
connection to the interior of a network has been performed by a
simple physical layer redundancy scheme that interrogates the
health of the links from a demarcation device switch to the
network. One link is configured as a primary link and the secondary
link is activated only if the primary fails a simple connectivity
test to the remainder of the network, e.g. loss of the transmitted
light signal.
[0090] One embodiment of the secure MAN improves on this prior
arrangement, while not allowing the demarcation device to
participate in the active topology of the network, by choosing the
active link from the demarcation device to the network on the basis
of the spanning tree information received by the device, but not
allowing it to forward or generate spanning tree information. This
arrangement protects against a failure in the network that causes
the switch to which the demarcation device is connected to be separated
from the main body of the network.
[0091] The access option of FIG. 5 involves use of a redundant
switch access service, in which a second drop 210 is connected from
the demarcation device 200 to a different secure MAN switch 211.
This is done to maximize diversity. A failure of a drop, the
switch, or the switch port will result in data flowing over the
drop to be rerouted over the redundant drop in a very short time,
e.g., less than 50 ms.
[0092] In redundant switch single tenant access service, the drops
will typically reside within the same physical path from the
customer premises to the first splice point at which point they
will follow diverse physical paths.
[0093] Parallel single tenant access service is another
alternative, as shown in FIG. 6. In this case, drops 204 and 212
terminate on the same secure MAN switch 201. Unlike redundant
single tenant access service, the multiple drops 204, 212 can be
used for load sharing in that data can flow over the drops
simultaneously. In the event of a failure of a drop or the switch
port, data flowing over the drop will be rerouted to the other drop
in a very short time, e.g., less than 50 ms. In parallel single
tenant access service, the drops will typically reside within the
same physical path from the customer premises to the
point-of-presence of the first secure MAN switch.
[0094] Another access service option is fully redundant single
tenant access service as illustrated in FIG. 7, including redundant
demarcation devices 200, 220 and redundant switches 204, 221 with
redundant drops 204, 222, 223, 224 for each demarcation
device-access switch pair. Fully redundant single tenant access
service protects against the same failures that redundant switch
single tenant access service does and in addition protects against
failure of a demarcation device and the failure of the
customer-owned equipment attached to a service interface. Both
service interfaces 203, 225 are activated for customer use but the
ability to simultaneously use them will depend on the details of
the routing protocol being used by the customer. Similarly the
ability of the customer-owned equipment to detect a failure and
start using a service interface on the other demarcation device
will depend on the details of the routing protocol being used by
the customer.
[0095] In fully redundant single tenant access service, the drops
will typically reside within the same fiber optic cable from the
customer premises to the first splice point at which point they
will follow diverse physical paths.
[0096] In both of the above examples, each demarcation device is
dedicated to a single customer. In addition, the secure MAN
services that a customer sees across the service interface are the
same no matter which configuration is used.
[0097] In another situation, co-location facility access is used as
shown in FIGS. 8 and 9. In some ways collocation facility access is
like multi-tenant access. However, the secure MAN service provider
will have leased space in the facility in which the customer
demarcation device is placed. The preferred configuration for a
collocation facility is shown in FIG. 8. The demarcation device 320
is in the customer's rack 321 and dual connected back to different
switches 322, 323 located in a secure MAN rack 324. These
connections are effected by Gigabit Ethernet multi-mode fiber
cross-connects. The customer-owned equipment connects to the
demarcation device with the appropriate Ethernet cable. Additional
customers may use the same co-location facility, as shown by
demarcation device 324 in rack 325.
[0098] In some cases, the customer may not want to accommodate the
demarcation device in his or her rack space. In this case, the
configuration is that shown in FIG. 9. The demarcation device 330
is in the secure MAN rack and is dual connected to the two switches
331, 332 in the rack. The customer-owned equipment 333, 334 is
connected to the demarcation device 330 via an appropriate Ethernet
cross-connect. In large collocation facilities, this cross-connect
will typically be multimode fiber. A demarcation device 330 can be
used for supporting multiple customers.
[0099] There are other possibilities including a mix of centralized
and distributed demarcation devices. It may also be possible
and/or desirable to share a demarcation device among more than one
customer.
[0100] Once customers have established connections to the secure
MAN network, links among them are established using the
provisioning system referenced above. Links in this example
embodiment are referred to as virtual connections.
[0101] Virtual connection service provides the transfer of data
between multiple service interfaces. Three kinds of virtual
connection services in this example, include point-to-point,
point-to-multipoint, and multipoint-to-multipoint.
[0102] In point-to-point virtual connections, an Internet Protocol
(IP) packet delivered across a service interface is delivered to
exactly one other service interface. Of course, in addition to IP,
other higher layer protocols may be utilized for virtual
connections of all types. This service is like a physical wire.
[0103] Virtual connections among customers in the preferred
embodiment are established by Physical Layer (layer 1) and data
link layer (layer 2) constructs.
[0104] FIG. 10 illustrates a fiber ring network extending around a
path of about 20 miles, which is made of bundles of fibers laid in
right of ways within a metropolitan area. Segments of the ring are
logically partitioned as segments of an ethernet network,
configured as a tree, rather than a ring, illustrating a layout
according to the present invention other than the cross-connected
broken ring. Switches in the tree comprise standard 100 Megabit,
Gigabit or higher ethernet switches configured according to the
Spanning Tree Protocol, or variations of the Spanning Tree
Protocol.
[0105] In FIG. 10, switch P1 is a root of the tree, labeled (P1, 0,
P1) to indicate that the root of the tree is P1, the distance to the
root is 0, and the upstream (toward the root) switch is P1. The
interconnection of the tree can be understood by the upstream links
for the switches. Thus there are no upstream links from switch P1.
Switch P2 (P1,1,P1) is connected by fibers F1 and F2 to switch P1.
Switch P3 (P1,2,P2) is connected by fiber F7 to switch P2. Fibers
I1 and I2 are configured as backup links to switch P1 from switch
P3. Switch P4 is connected by fibers F3 and F4 to switch P1. Fibers
I3 and I4 are connected as backup links to switch P2 from switch
P4. Switch P5 is connected by fibers F5 and F6 to switch P1. Fiber
F8 is connected as a backup link from switch P5 to switch P2.
Switch P6 is connected by fibers F9 and F10 to switch P2. Fiber F12
is a backup link from switch P6 to switch P5. Switch P7 is
connected by fiber F11 to switch P3. Fibers I5 and I6 act as backup
links to switch P5 from switch P7. Switch P8 is connected by fiber
F13 to switch P5. Fibers I7 and I8 are connected as backup links
from switch P8 to switch P6.
[0106] The fibers F1 to F13 and I1 to I8 comprise dark fibers in
the fiber ring, which have been partitioned as point to point fiber
segments in the tree as shown. Thus, fiber of a single ring can be
re-used spatially. That is segments of a single ring can be used
independently for point-to-point links in the tree.
[0107] The interior switches are managed according to the spanning
tree protocol. However, edge devices, such as the demarcation
devices described above, execute the modified spanning tree process
to select an active link to the network, without the possibility of
becoming a transit link for the interior switches.
Conclusion
[0108] The present invention provides a system facilitating high
data bandwidth interconnection between private networked locations
to those who choose not to operate their own facilities. It
provides security, performance reporting, and bandwidth management
to all its customers. Furthermore, provisioning of connections in
the secure MAN is simplified, automatic, and accomplished with very
low transaction costs.
[0109] While the present invention is disclosed by reference to the
preferred embodiments and examples detailed above, it is to be
understood that these examples are intended in an illustrative
rather than in a limiting sense. It is contemplated that
modifications and combinations will readily occur to those skilled
in the art, which modifications and combinations will be within the
spirit of the invention and the scope of the appended claims.
* * * * *