U.S. patent application number 09/796922 was filed with the patent office on 2002-03-28 for point-to-multipoint virtual circuits for metropolitan area networks.
Invention is credited to Jain, Vipin, Jaszewski, Gary, Klessig, Robert W., Seaman, Michael J..
Application Number: 20020038253 (09/796922)
Family ID: 26882122
Filed Date: 2002-03-28
United States Patent Application 20020038253, Kind Code A1
Seaman, Michael J.; et al.
March 28, 2002
Point-to-multipoint virtual circuits for metropolitan area networks
Abstract
A point to multipoint communication channel in a metropolitan
area network among a plurality of demarcation points having unique
addresses is provided, which includes identifying a particular
demarcation point as a root of the channel, and a plurality of
client demarcation points as leaves of the channel; and configuring
so that client demarcation points can only exchange packets with
the root demarcation point, and not with other client demarcation
points; and so that the root demarcation point can exchange packets
with the plurality of client demarcation points. The channel is
managed using source address filtering at switches on the leaves of
the channel and a switch at the root of the channel.
Inventors: Seaman, Michael J. (Mountain View, CA); Jain, Vipin (Santa Clara, CA); Jaszewski, Gary (Los Gatos, CA); Klessig, Robert W. (Los Altos Hills, CA)
Correspondence Address: HAYNES BEFFEL & WOLFELD LLP, P O BOX 366, HALF MOON BAY, CA 94019, US
Family ID: 26882122
Appl. No.: 09/796922
Filed: March 1, 2001
Related U.S. Patent Documents
Application Number   Filing Date    Patent Number
09796922             Mar 1, 2001
09634566             Aug 9, 2000
60186470             Mar 2, 2000
Current U.S. Class: 705/26.1; 709/238; 709/252
Current CPC Class: G06Q 30/0601 20130101; G06Q 30/02 20130101
Class at Publication: 705/26; 709/238; 709/252
International Class: G06F 017/60; G06F 015/173; G06F 015/16
Claims
What is claimed is:
1. A method of providing a point to multipoint communication
channel in a metropolitan area network among a plurality of
demarcation points having unique addresses, comprising: identifying
a particular demarcation point in the network as a root of the
channel, and a plurality of client demarcation points in the
network as leaves of the channel; and configuring switches in the
network so that client demarcation points can only exchange packets
on the network with the particular demarcation point, and not with
other client demarcation points; and so that the particular
demarcation point can exchange packets on the network with the
plurality of client demarcation points.
2. The method of claim 1, wherein a switch attached to a respective
client demarcation point in the plurality of client demarcation
points is configured to recognize addresses of the particular
demarcation point and of the respective client demarcation point,
to forward onto the network packets received on ports coupled to
the respective client demarcation points carrying source addresses
equal to the address of the respective client demarcation point and
a destination address which is one of a multicast address, a
broadcast address and the address of the particular demarcation
point, to forward onto a port coupled to the respective demarcation
points packets received on ports coupled to the network carrying
the source addresses of the particular demarcation point, and
destination addresses equal to one of a multicast address, a
broadcast address and the address of the respective client
demarcation point, and to discard other packets.
3. The method of claim 1, wherein a switch coupled to the
particular demarcation point identified as the root is configured
to recognize the address of the particular demarcation point
and addresses of the plurality of client demarcation points, to
forward on a port coupled to the network packets received on a port
coupled to the particular demarcation point carrying the source
address of the particular demarcation point and one of a multicast
address, a broadcast address and the address of one of the
plurality of client demarcation points, and to discard other
packets, to forward on a port coupled to the particular demarcation
point packets received on a port coupled to the network carrying
the source address of one of the plurality of client demarcation
points and a destination address equal to one of a multicast
address, a broadcast address and the address of the particular
demarcation point, and to discard other packets.
4. The method of claim 1, wherein said configuring includes
allocating the particular demarcation point identified as the root
and the plurality of client demarcation points a virtual LAN
identifier.
5. The method of claim 1, wherein the switches execute a
communication protocol for a switched LAN with multicast
capability.
6. The method of claim 1, wherein the switches execute a protocol
compliant with an Ethernet standard.
7. The method of claim 1, wherein the network includes a service
interface unit, the service interface unit having a service
interface coupled via a link to a customer device having a unique
MAC address, and having a network interface coupled via a link to
one of said switches, and wherein said demarcation points comprise
service interfaces on service interface units.
8. The method of claim 1, wherein the switches execute a layer two
protocol for routing traffic among said demarcation points.
9. The method of claim 1, including: organizing switches according
to a network architecture and placing security functions within
that architecture; assuring a unique identity for each device
connected to a service interface anywhere within the network; and
checking said identities at points identified within the network
architecture.
10. The method of claim 9, wherein said network architecture
includes a switched network managed according to a spanning tree
protocol.
11. The method of claim 9, wherein said network architecture
includes a switched network managed according to a spanning tree
protocol, and wherein the architecture includes a plurality of
switches organized into access switches and interior switches, the
access switches coupled to service interface units acting as
demarcation points and the interior switches interconnecting the
access switches, and wherein said security functions are placed in
the access switches, and wherein said unique identity is provided
by MAC addresses of devices coupled to the service interface
units.
12. A metropolitan area network including a point-to-multipoint
channel, comprising: a plurality of communication links which
traverse a metropolitan area; a plurality of switches coupled to
the communication links, the switches including access switches and
interior switches; and a plurality of demarcation points coupled to
access switches in the plurality of switches, the demarcation
points comprising service interfaces to the network having unique
addresses; wherein the plurality of access switches are configured
to identify a particular demarcation point in the plurality of
demarcation points as a root of the channel, and a plurality of
client demarcation points in the plurality of demarcation points as
leaves of the channel, and so that client demarcation points can
only exchange packets on the network with the particular
demarcation point, and not with other client demarcation points;
and so that the particular demarcation point can exchange packets
on the network with the plurality of client demarcation points.
13. The network of claim 12, wherein an access switch attached to a
respective client demarcation point in the plurality of client
demarcation points is configured to recognize addresses of the
particular demarcation point and of the respective client
demarcation point, to forward onto the network packets received on
ports coupled to the respective client demarcation points carrying
source addresses equal to the address of the respective client
demarcation point and a destination address which is one of a
multicast address, a broadcast address and the address of the
particular demarcation point, to forward onto a port coupled to the
respective demarcation points packets received on ports coupled to
the network carrying the source addresses of the particular
demarcation point, and destination addresses equal to one of a
multicast address, a broadcast address and the address of the
respective client demarcation point, and to discard other
packets.
14. The network of claim 12, wherein an access switch coupled to
the particular demarcation point identified as the root is
configured to recognize the address of the particular
demarcation point and addresses of the plurality of client
demarcation points, to forward on a port coupled to the network
packets received on a port coupled to the particular demarcation
point carrying the source address of the particular demarcation
point and one of a multicast address, a broadcast address and the
address of one of the plurality of client demarcation points, and
to discard other packets, to forward on a port coupled to the
particular demarcation point packets received on a port coupled to
the network carrying the source address of one of the plurality of
client demarcation points and a destination address equal to one of
a multicast address, a broadcast address and the address of the
particular demarcation point, and to discard other packets.
15. The network of claim 12, wherein the plurality of switches
execute a communication protocol for a switched LAN with multicast
capability.
16. The network of claim 12, wherein the plurality of switches
execute a protocol compliant with an Ethernet standard.
17. The network of claim 12, wherein the network includes a service
interface unit, the service interface unit having a service
interface coupled via a link to a customer device having a unique
MAC address, and having a network interface coupled via a link to
one of said access switches, and wherein said demarcation points
comprise service interfaces on service interface units.
18. The network of claim 12, wherein the plurality of switches
execute a layer two protocol for routing traffic among said
demarcation points.
19. The network of claim 12, wherein the plurality of switches are
configured to execute a spanning tree protocol.
Description
PROVISIONAL APPLICATION DATA
[0001] The present application claims the benefit under 35 U.S.C.
§111(b) and 35 U.S.C. §119(e) of the provisional
application No. 60/186,470, filed Mar. 2, 2000, entitled BROADBAND
SERVICE NETWORK AND E-COMMERCE PROVISIONING SYSTEM, naming
inventors Michael Seaman, Vipin Jain, Gary Jaszewski, Bob Klessig,
Peter Van Peenen, and David Braginsky.
CONTINUING APPLICATION DATA
[0002] The present application is a continuation-in-part of
co-pending U.S. patent application Ser. No. 09/634,566, filed: Aug.
9, 2000, entitled E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS
INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which is
incorporated by reference as if fully set forth herein.
BACKGROUND OF THE INVENTION
[0003] 1. Field of the Invention
[0004] The present invention relates to broadband communication
services, and more particularly to configuration of metropolitan
area communication networks supporting secure point-to-multipoint
channels.
[0005] 2. Description of Related Art
[0006] A point-to-multipoint connection is used to connect one
routed point to many routed points and is especially useful to
deliver services to multiple customers simultaneously while
maintaining isolation among customers themselves.
[0007] In a metropolitan area, high bandwidth communication
services interconnect customers in a variety of configurations. In
an enterprise data network, protocols, like Ethernet, supporting
multicast addressing are widely deployed because isolation among
uses of the network is not always critical. In such networks, fiber
optic connections between packet switches are usually made point to
point in a `redundant, dual-homed, tree like` topology to
facilitate rapid reconfiguration with the minimum loss of service.
The revised spanning tree protocol under standardization in IEEE
802.1 is a suitable protocol for establishing the failover rules in
the network. The recently completed link aggregation standard, IEEE
Std. 802.3ad, is another--providing for resiliency of parallel
links. These technologies, in high bandwidth configurations, are
being applied in the metropolitan area network environment as
well.
[0008] Protocols used in these environments, such as Ethernet,
supporting the use of multicast messages allow customers using the
network, who may be unknown to other customers, to see the
multicast traffic unless complex security provisions like firewalls
are installed in the network. In networks to which the public is
allowed to subscribe, such security measures may be difficult to
implement.
[0009] However, multicast technologies are very effective for some
kinds of network traffic. In the case of an Internet Service
Provider, a subscription based audio program provider, or other
customer of the Metropolitan Area Network that includes many
independent customers to whom a single message could be sent from a
single service provider attachment to the network, for example, the
multicast can be very useful. Also, customers that might be
configured to receive multicast messages should be prevented from
sending multicasts or other messages to the other subscribers to
the multicast service, unless separate arrangements are made.
However, there have not been commercially feasible ways to
implement secure point-to-multipoint messaging systems in public
networks that support multicast messages.
[0010] It is desirable therefore to provide a technique for
establishing secure point-to-multipoint channels in a network
topology that is easy to configure, scalable and efficient.
SUMMARY
[0011] This invention comprises a method for configuring a network,
and a network configured according to such method, providing secure
point-to-multipoint communication channels supporting multicast
messages only from the root of the channel.
[0012] A method of providing a point to multipoint communication
channel in a metropolitan area network among a plurality of
demarcation points having unique addresses, according to the
present invention includes identifying a particular demarcation
point in the network as a root of the channel, and a plurality of
client demarcation points in the network as leaves of the channel;
and configuring switches in the network so that
[0013] client demarcation points can only exchange packets on the
network with the particular demarcation point, and not with other
client demarcation points; and so that
[0014] the particular demarcation point can exchange packets on the
network with the plurality of client demarcation points.
[0015] In one embodiment, a switch attached to a respective client
demarcation point in the plurality of client demarcation points is
configured to recognize addresses of the particular demarcation
point and of the respective client demarcation point, for source
address filtering. The switches at the leaves are configured to
forward onto the network packets received on ports coupled to the
respective client demarcation points carrying source addresses
equal to the address of the respective client demarcation point and
a destination address which is one of a multicast address, a
broadcast address and the address of the particular demarcation
point, to forward onto a port coupled to the respective demarcation
points packets received on ports coupled to the network carrying
the source addresses of the particular demarcation point, and
destination addresses equal to one of a multicast address, a
broadcast address and the address of the respective client
demarcation point, and to discard other packets.
[0016] Further, a switch coupled to the particular demarcation
point identified as the root is configured to recognize the address
of the particular demarcation point and addresses of the plurality
of client demarcation points for source address filtering. The
switch at the root is configured to forward on a port coupled to
the network packets received on a port coupled to the particular
demarcation point carrying the source address of the particular
demarcation point and one of a multicast address, a broadcast
address and the address of one of the plurality of client
demarcation points, to forward on a port coupled to the particular
demarcation point packets received on a port coupled to the network
carrying the source address of one of the plurality of client
demarcation points and a destination address equal to one of a
multicast address, a broadcast address and the address of the
particular demarcation point, and to discard other packets.
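The leaf and root filtering rules of claims 2 and 3 and of paragraphs [0015] and [0016], as an added simulation that is not code from the application. It assumes the interior switches apply no per-connection filtering (paragraph [0032]), so a frame admitted onto the network reaches every other access switch of the channel; all MAC addresses and frames are constructed sample values.

```python
"""Access-switch source-address filtering for a point-to-multipoint channel.

Added example modelling the leaf rule (claim 2 / [0015]) and the root rule
(claim 3 / [0016]). Interior switches do no per-connection filtering
([0032]); the access switches alone decide what leaves each port.
All MAC addresses and frames below are constructed sample values.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast, or multicast (group bit = least significant bit of octet 0)."""
    return mac == BROADCAST or int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class LeafSwitch:
    """Access switch attached to one client demarcation point (claim 2)."""

    def __init__(self, root_mac: str, client_mac: str):
        self.root_mac, self.client_mac = root_mac, client_mac

    def from_client(self, f: Frame) -> bool:
        # access port -> network: only the client's own source, only towards root/group
        return f.src == self.client_mac and (is_group(f.dst) or f.dst == self.root_mac)

    def from_network(self, f: Frame) -> bool:
        # network -> access port: only frames sent by the root, to this client or a group
        return f.src == self.root_mac and (is_group(f.dst) or f.dst == self.client_mac)


class RootSwitch:
    """Access switch attached to the root demarcation point (claim 3)."""

    def __init__(self, root_mac: str, client_macs):
        self.root_mac, self.client_macs = root_mac, frozenset(client_macs)

    def from_root(self, f: Frame) -> bool:
        return f.src == self.root_mac and (is_group(f.dst) or f.dst in self.client_macs)

    def from_network(self, f: Frame) -> bool:
        return f.src in self.client_macs and (is_group(f.dst) or f.dst == self.root_mac)


def deliver(frame: Frame, root_sw: RootSwitch, leaves, origin: str) -> set:
    """Trace one frame through the channel; return the demarcation points that get it.

    origin is "root" or the client MAC of the leaf whose device sent the frame.
    """
    received = set()
    if origin == "root":
        if root_sw.from_root(frame):
            received.update(l.client_mac for l in leaves if l.from_network(frame))
        return received
    leaf = next(l for l in leaves if l.client_mac == origin)
    if not leaf.from_client(frame):
        return received                         # dropped at the leaf's access port
    if root_sw.from_network(frame):
        received.add("root")
    received.update(o.client_mac for o in leaves if o is not leaf and o.from_network(frame))
    return received


ROOT = "02:00:00:00:00:01"                           # constructed: root attachment
C1, C2 = "02:00:00:00:00:11", "02:00:00:00:00:12"    # constructed: two subscribers
MCAST = "01:00:5e:01:02:03"                          # constructed multicast group


def scenarios() -> dict:
    """Run the channel through the cases the claims distinguish."""
    root_sw = RootSwitch(ROOT, [C1, C2])
    leaves = [LeafSwitch(ROOT, C1), LeafSwitch(ROOT, C2)]

    def run(src, dst, origin):
        return deliver(Frame(src, dst), root_sw, leaves, origin)

    return {
        "root_multicast": run(ROOT, MCAST, "root"),   # reaches every leaf
        "root_to_c1": run(ROOT, C1, "root"),          # reaches C1 only
        "c1_to_root": run(C1, ROOT, C1),              # reaches the root only
        "c1_broadcast": run(C1, BROADCAST, C1),       # root only, never other leaves
        "c1_to_c2": run(C1, C2, C1),                  # dropped at C1's access port
        "c1_forges_root": run(ROOT, MCAST, C1),       # dropped: source is not C1
    }
```

The last two cases show why the filter is applied at the leaf's own access port: a client frame addressed to another client, or carrying the root's source address, never reaches the interior switches at all.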
[0017] According to one aspect of the invention, a communication
system is provided using technology that has been developed within
the communications, enterprise data networking, electronic
commerce, and carrier service provider industries to provide
service in new ways, supporting secure point-to-multipoint
channels, and other connectivity options in a manner particularly
complementary to a provisioning process and system described in the
above referenced application entitled E-COMMERCE SYSTEM
FACILITATING SERVICE NETWORKS INCLUDING BROADBAND COMMUNICATION
SERVICE NETWORKS.
[0018] Provision of multiple connectivity options across a packet
switched network is supported by the network, including
point-to-multipoint services. The network supports point-to-point
connectivity between a pair of service interfaces, multipoint to
multipoint switched LAN like connectivity between a set of service
interfaces, and point to multipoint connectivity. The
point-to-multipoint connectivity provides for the equipment
attached at one service interface, the `root,` to be able to
transmit to one or all other interfaces while equipment attached at
those interfaces can only transmit to the root. This functionality
supports serving many of a service provider's customers through a
single connection to the network.
[0019] Security arrangements for a packet switched data
transmission network using LAN switches are provided. The network
makes use of packet data switching equipment that is typically used
in private data networks. While such equipment has facilities that
can be used to construct ad-hoc security arrangements, a systematic
approach to security is provided by the present invention.
[0020] The network ensures that no data is ever delivered to a
service interface other than the service interface(s) explicitly
authorized by the customer whose network attached equipment
transmits the data, and that no data is received on a service
interface other than data from the service interface(s) explicitly
authorized by the customer whose network attached equipment is
receiving the data.
[0021] The mechanisms that the system uses to ensure such secure
delivery include:
[0022] (a) The organization of switches within the network
architecture and the placement of security functions within that
architecture.
[0023] (b) Assuring a unique identity for each device connected to
a service interface anywhere within the network.
[0024] (c) Checking that identity at points identified within the
network (see a. above)
[0025] (d) Ensuring that the identity of each of the
customers/parties controlling the assignment of service interfaces
and the connections between them is securely known.
[0026] (e) Providing for the known delegation of control within the
constraints imposed by (d) above.
[0027] The network architecture in a preferred embodiment
organizes switches into demarcation devices, access switches and
interior switches.
[0028] Demarcation devices (also referred to herein as service
interface units) are typically, but not necessarily, located on a
single customer's premises. It is assumed that that customer will
secure physical access to his or her own premises. Each demarcation
device supports one or more service interfaces, identifiable by
unique addresses such as Ethernet MAC addresses, that the customer
uses to connect to the network, and one or more `drops` that
connect to access ports on access switches.
[0029] Access switches are located on premises physically secured,
linked by a communication media of choice, including for example
fiber optic cable, to a collocation site in the metropolitan area
network. In addition to access ports coupled to the demarcation
devices, the access switches have interior network ports that
connect to interior switches at the collocation sites within the
network.
[0030] Interior switches form the heart of the network, typically
in collocation sites of the metropolitan area network, having ports
coupled to the interior ports of the access switches.
[0031] The identity of the connected device is ascertained by
observing packets transmitted by the device at the service
interface of the demarcation device. Each packet contains a source
address, such as a source MAC address. The MAC address is captured
by the service interface and a notification sent to the system
managing the network using normal network management protocols. The
management system assures itself that the MAC address is unique.
Filters are configured on access ports of the access switches to
ensure that only packets with source addresses checked in this way
are accepted from the attached demarcation device. Similarly only
packets from source addresses that are permitted to transmit to the
demarcation device are allowed to egress from the access port to
the demarcation device.
[0032] Interior switches do not filter or otherwise constrain
connections on the basis of the identities of devices attached to
either the transmitting or receiving service interfaces. This
allows the active topology maintained by interior switches to scale
independently of the number of active connections through the
network, and to reconfigure rapidly since information concerning
individual connections does not have to be communicated or changed
during reconfiguration.
[0033] A range of options is offered to customers to control
changes to the source MAC address used on the interface, including
automatic configuration, latching of a learnt address, explicit
manual configuration, and identification of attempts at intrusion
into the network.
[0034] The system is capable of extension to allow additional
security protocols to establish the identity of the connecting
system. Once that identity has been established, the MAC address of
the transmitting system is used, as described above, to secure
connections.
[0035] Disconnection and reconnection of the device can be
detected, even if the same MAC address is used throughout. This
protects against attempts to masquerade once a device identity has
been established.
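The identity mechanism of paragraphs [0031], [0033] and [0035], as an added simulation that is not the applicant's code: a service interface captures the source MAC, the management system checks network-wide uniqueness before a filter is installed on the access port, latched interfaces flag any other source as an intrusion attempt, and a link drop forces the identity to be re-established even when the same MAC returns. The mode names, event names and addresses are constructed for this example; the application lists the options without specifying their behaviour.

```python
"""Service-interface identity learning, latching and reconnection detection.

Added example (not the applicant's code) simulating paragraphs [0031],
[0033] and [0035]. Mode names, event names and all addresses are constructed.
"""
from enum import Enum


class Mode(Enum):
    AUTO = "auto"      # follow the current source address, re-learning on change
    LATCH = "latch"    # learn the first address, then reject every other source
    MANUAL = "manual"  # address configured by the operator, never learnt


class ManagementSystem:
    """Network-wide registry of which service interface owns which MAC."""

    def __init__(self):
        self.registry = {}   # mac -> interface id
        self.filters = {}    # interface id -> accepted source mac
        self.events = []     # (kind, interface id, detail) audit trail

    def log(self, kind, iface_id, detail=None):
        self.events.append((kind, iface_id, detail))

    def register(self, iface_id, mac):
        """Verify uniqueness, then push the access-port ingress filter."""
        owner = self.registry.get(mac)
        if owner is not None and owner != iface_id:
            self.log("duplicate_mac", iface_id, (mac, owner))
            return False
        self.registry[mac] = iface_id
        self.filters[iface_id] = mac
        self.log("filter_installed", iface_id, mac)
        return True

    def release(self, iface_id):
        # Withdraw the filter; the identity must be re-established afterwards
        mac = self.filters.pop(iface_id, None)
        self.registry.pop(mac, None)


class ServiceInterface:
    def __init__(self, iface_id, mode, mgmt, manual_mac=None):
        self.id, self.mode, self.mgmt = iface_id, mode, mgmt
        self.link_up = True
        self.mac = manual_mac if mode is Mode.MANUAL else None
        if self.mac is not None:
            mgmt.register(iface_id, self.mac)

    def ingress(self, src_mac):
        """Is a frame with this source accepted from the customer device?"""
        if not self.link_up:
            return False
        if self.mac is None:                   # no identity yet: learn and report it
            if self.mgmt.register(self.id, src_mac):
                self.mac = src_mac
            return self.mac is not None
        if src_mac == self.mac:
            return True
        if self.mode is Mode.AUTO:             # changed address: release and re-learn
            self.mgmt.release(self.id)
            self.mac = src_mac if self.mgmt.register(self.id, src_mac) else None
            return self.mac is not None
        self.mgmt.log("intrusion_attempt", self.id, src_mac)   # LATCH / MANUAL
        return False

    def link_down(self):
        self.link_up = False
        self.mgmt.log("disconnected", self.id, self.mac)
        self.mgmt.release(self.id)
        if self.mode is not Mode.MANUAL:
            self.mac = None                    # must be learnt again on reconnection

    def link_restored(self):
        self.link_up = True
        self.mgmt.log("reconnected", self.id)
        if self.mode is Mode.MANUAL:
            self.mgmt.register(self.id, self.mac)


def scenario():
    """Two latching interfaces: a spoof, a duplicate address and a reconnection."""
    mgmt = ManagementSystem()
    a = ServiceInterface("if-A", Mode.LATCH, mgmt)
    b = ServiceInterface("if-B", Mode.LATCH, mgmt)
    out = {
        "a_learns": a.ingress("02:00:00:00:00:aa"),
        "a_repeat": a.ingress("02:00:00:00:00:aa"),
        "a_spoof": a.ingress("02:00:00:00:00:bb"),      # latched: rejected
        "b_duplicate": b.ingress("02:00:00:00:00:aa"),  # already owned by if-A
        "b_learns": b.ingress("02:00:00:00:00:bb"),
    }
    a.link_down()
    a.link_restored()
    out["a_after_reconnect"] = a.ingress("02:00:00:00:00:aa")  # same MAC, re-checked
    out["event_kinds"] = [kind for kind, _, _ in mgmt.events]
    return out
```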
[0036] A foundation of industry standard products and practices in
the following areas is used to construct the novel networks,
including for one example:
[0037] Fiber optic transmission technology using WDM (wave division
multiplexing) to carry additional bandwidth through the use of many
`colors` of light on a single fiber, controlled and
[0038] Gigabit (or higher) ethernet packet switching technology to
accept and deliver IP data from and to customers, providing a
highly reliable service.
[0039] Electronic commerce technology to allow customers and their
authorized agents to order, configure, and manage the
communications services delivered and to enter into business
agreements with other suppliers of services using the system's
communication services.
[0040] In each of these areas a number of novel practices and
inventions support and advance the communications network and
services.
[0041] Configuration of links and link segments to facilitate rapid
reconfiguration of interconnected packet switches is provided in
support of the commercial provisioning system.
[0042] A set of rules and heuristics is provided for the use and
configuration of fiber optic transmission facilities, purchased or
leased in ring configurations, as a set of links comprising
selected concatenated segments from a set of rings. The resulting
configurations have benefits in networks including:
[0043] 1) They allow the use of high bandwidth low cost enterprise
data packet switching equipment in the collocation facilities,
while providing high network availability through the use of rapid
reconfiguration with redundant links and switches.
[0044] 2) They allow the use of general mesh topologies to support
redundancy, rather than restriction to rings or rings with
extraordinary interconnection arrangements.
[0045] In addition to realizing these topologies by concatenating
physical segments from rings, equipment is provided so that a link
can comprise logical segments, each consisting for example of a
wavelength of light transmitted and received by WDM (wavelength
division multiplexing) equipment attached to the physical fiber
segment running between two locations on a ring. Electronic
switching of the transmitted information stream at each ring node
from one wavelength on a segment to another wavelength on the next,
or to an attached device, allows for electronic rearrangement of
the set of links connected to each packet switch in the
network.
[0046] Modification of the Spanning Tree for resilient redundant
connection of an edge device, such as a demarcation device, to a
network is provided in some embodiments in support of efficient
provisioning. The IEEE 802.1 Spanning Tree provides for redundant
connections within a network, where data transmitted from one
attachment to the network to another is constrained to follow a
loop free path. It reduces the physical topology of the network to
an active topology that is both loop free (`tree`) and fully
connected (`spanning`).
[0047] In the network, `demarcation devices` situated on individual
customer's premises can provide for redundant connections to the
rest of the network. Selection of one link in preference to another
can be achieved by use of the spanning tree or a similar protocol.
However, only traffic that is transmitted by or destined for a
given customer is allowed to reach that customer's demarcation
device (a packet switch). It is not desirable that a demarcation
device act as a transit link in the network, that would be used to
ensure full connectivity from one part of the network to another,
either during a reconfiguration of the network or while the active
topology is stable. Rather the network should partition if there is
no connectivity other than through a demarcation device between
the two halves.
[0048] In the past, the simple selection of one link or another for
connection to the interior of a network has been performed by a
simple physical layer redundancy scheme that interrogates the
health of the links from a demarcation device switch to the
network. One link is configured as a primary link and the secondary
link is activated only if the primary fails a simple connectivity
test to the remainder of the network, e.g. loss of the transmitted
light signal.
[0049] The system improves on this prior arrangement, while not
allowing the demarcation device to participate in the active
topology of the network, by choosing the active link from the
demarcation device to the network on the basis of the spanning tree
information received by the device, but not allowing it to forward
or generate spanning tree information. This arrangement protects
against a failure in the network that causes the switch connected
to which the demarcation device is attached to be separated from the main body of
the network.
[0050] Spatial reuse in a packet based data network with a ring
topology is accomplished in the preferred network configuration.
The network architecture uses packet switches with rapid
reconfiguration protocols and VLAN technology to constrain packets
that might otherwise be broadcast or flooded to the necessary paths
between access ports in the network. Thus a combination of existing
standard technologies serves to support the same robust efficient
communications goals sought by new non-standard equipment.
[0051] Other aspects and advantages of the present invention can be
seen on review of the figures, the detailed description and the
claims, which follow.
BRIEF DESCRIPTION OF THE FIGURES
[0052] FIG. 1 is a diagram of a commercial communication service
with an Internet based provisioning server according to the present
invention.
[0053] FIG. 2 is a block diagram of a network supporting
point-to-multipoint channel according to the present invention.
[0054] FIG. 3 illustrates a generic access connection to a secure
MAN according to the present invention.
[0055] FIG. 4 illustrates a basic single tenant access
arrangement.
[0056] FIG. 5 illustrates a redundant switch access service with
parallel drops.
[0057] FIG. 6 illustrates a parallel single tenant access service
with two drops coupled to a single access switch.
[0058] FIG. 7 illustrates a fully redundant single tenant access
service according to one aspect of the invention.
[0059] FIG. 8 illustrates a multi-tenant access arrangement for use
with the secure MAN of the present invention.
[0060] FIG. 9 illustrates another example multi-tenant access
arrangement.
[0061] FIG. 10 illustrates a collocation facility access
arrangement for connection to the secure MAN of the present
invention.
[0062] FIG. 11 illustrates another example collocation facility
access arrangement.
[0063] FIG. 12 illustrates an example of the use of point-to-point
virtual connection services according to the present invention.
[0064] FIG. 13 shows an example of a multipoint-to-multipoint
virtual connection service.
[0065] FIG. 14 illustrates a point-to-multipoint virtual connection
service for a secure MAN network according to the present
invention.
[0066] FIG. 15 illustrates the use of tagged and non-tagged service
interfaces for access to a secure MAN network according to the
present invention.
[0067] FIG. 16 shows a format for a packet transmitted within the
secure MAN network of the present invention.
[0068] FIG. 17 illustrates a simplified secure MAN network, and
configuration of a virtual connection is within such network.
[0069] FIG. 18 illustrates a simplified secure MAN network as in
FIG. 31, with another example configuration of a virtual
connection.
[0070] FIG. 19 illustrates a simplified secure MAN network as in
FIG. 31, showing configuration for a point-to-multipoint virtual
connection.
[0071] FIG. 20 illustrates a simplified secure MAN network as in
FIG. 31, showing configuration for a multipoint-to-multipoint
virtual connection.
[0072] FIG. 21 illustrates tree topology of a four collocation
site, fiber MAN, showing an architecture for the interior switches
of the network of the present invention.
[0073] FIG. 22 illustrates a fiber MAN network physically laid out
as a ring, and partitioned as segments of the secure MAN of the
present invention.
DETAILED DESCRIPTION
[0074] FIG. 1 illustrates a communications service example, based
on provisioning links among a variety of customers within a secure
metropolitan area network MAN. In FIG. 1, a secure MAN based upon a
layer two protocol, preferably Ethernet or other protocol
supporting multicast messaging, is represented by cloud 60. A
number of customers, including Internet service provider 61,
outsourcing vendor 62, "enterprise 1" with a North campus 63, a
West campus 24, and a South campus 25, and "enterprise 2" 66 and
enterprise 3 67, are coupled to the secure MAN 60 by appropriate
physical and logical interfaces. A provisioning server 71 is
coupled to the secure MAN 60, either using the secure MAN medium or
by other communication channels to the switches and other resources
in the secure MAN, and facilitates transactions among the customers
of the secure MAN 60 for establishing communication channels, such
as the virtual connections discussed above, and provisioning of
services agreed to by the customers with the resources of the
secure MAN 60. In one embodiment, configuring and allocating of
services within the secure MAN 60 to support the links among the
customers, is managed by the provisioning server using a management
protocol such as Telnet or SNMP, under which filters and other
control data structures in the switches are configured. In this
manner, the provisioning server is available via the internet to
customers and potential customers of the secure MAN 60, using
standard technology.
[0075] Virtual connection services allow rich connectivity among
all customer locations on the secure MAN network. Examples
include:
[0076] A mesh connected, multipoint-to-multipoint virtual
connection service 35 dedicated to a single enterprise for
connecting campuses together.
[0077] A point-to-multipoint virtual connection service 76
connecting an Internet Service Provider to customers.
[0078] A point-to-point virtual connection service 77 connecting an
enterprise location to an outsourcing vendor.
[0079] A point-to-point virtual connection service 78 connecting
two enterprises.
[0080] A single customer can have simultaneous intra-enterprise and
extra-enterprise communications using the secure MAN, provisioned
according to the present invention.
[0081] A detailed description of one example of the secure MAN
provisioning embodiment is provided in the above referenced
application entitled, E-COMMERCE SYSTEM FACILITATING SERVICE
NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which
is incorporated by reference as if fully set forth herein.
[0082] FIG. 2 is a block diagram of a network configured according
to the present invention to support point-to-multipoint virtual
connections, among a plurality of customers of a public
metropolitan area network. The customers have local networks 100,
101, 102, and 103. Each of the customers includes customer
equipment, such as a router (not shown), having unique MAC
addresses, connected by a link to a port on a service interface
unit. Thus, the customer 100 is connected by links 100-1 and 100-2
to the service interface unit 105. The customer 100 is connected by
links 100-3 and 100-4 to the service interface unit 106. The
customer 101 is connected by link 101-1 to the service interface
unit 107. The customer 102 is connected by the links 102-1 and 102-2
to service interface unit 108. Customer 103 is connected by link
103-1 to service interface unit 109. The service interface units
comprise switches at customer premises in which demarcation points
for access to the metropolitan area network are established. Each
of the links 100-1 through 100-4, 101-1, 102-1, 102-2, and 103-1
is connected at the customer side to a port on a customer device
having a unique MAC address. Thus the demarcation points for the
network can be considered ports on the service interface unit
characterized by the unique MAC addresses of the attached customer
equipment.
[0083] The service interface units 105-109 are connected by
point-to-point links to access switches 110, 111, 112 in the
network. Thus, service interface unit 105 is coupled by links 105-1
and 105-2 to the access switch 110. Service interface unit 105 is
coupled by the link 105-3 to the access switch 111. Service
interface unit 106 is coupled by the link 106-1 to the access
switch 110, and by link 106-2 to the access switch 111. Service
interface unit 107 is coupled by the link 107-1 to the access
switch 111, and by the link 107-2 to the access switch 112. Service
interface unit 108 is coupled by the link 108-1 to the access
switch 111, and by the link 108-2 to the access switch 112. Service
interface unit 109 is coupled by the link 109-1 and by the link
109-2 to the access switch 112. The service interface units 105-109
are managed so that only one of the links between the service
interface units and an access switch in the network is active at
any time. A modified spanning tree protocol is utilized to select
the active link as described below.
[0084] The access switches 110-112 are coupled to interior switches
of the metropolitan area network 115. Examples of preferred
architectures of the interior switches are described with reference
to FIGS. 21 and 22 below.
[0085] According to the preferred embodiment of the present
invention, the security arrangements for the point-to-multipoint
virtual channels are deployed in the access switches 110-112 via
source address filtering based upon the unique MAC addresses of the
demarcation points at service interface units in the network.
[0086] In the example of FIG. 2, a point-to-multipoint channel is
established between the link 101-1 at service interface unit 107 as
the root R of the channel, and the links 100-1, 102-1, and 103-1 at
the service interface units 105, 108 and 109, respectively, as the
clients CL at leaves of the channel. The access switches 110, 111,
112 are configured with source address filtering tables supporting
the point-to-multipoint channels, according to the Tables 3 and 4
below.
[0087] The access switches are configured so that client
demarcation points, at links 100-1, 102-1 and 103-1 in this
example, can only exchange packets on the network with the
particular demarcation point, at link 101-1 in this example,
designated as the root, and not with other client demarcation
points; and so that the particular demarcation point can exchange
packets, including multicast packets, on the network with the
plurality of client demarcation points.
[0088] In one embodiment, an access switch at a leaf, that is
actively attached to a client demarcation point, is configured to
recognize addresses of the particular demarcation point and of the
attached client demarcation point, for source address filtering.
The access switch at the leaf is configured to forward onto the
network packets received on ports coupled to the client demarcation
point carrying source addresses equal to the address of the client
demarcation point and a destination address which is one of a
multicast address, a broadcast address and the address of the
particular demarcation point, to forward onto a port coupled to the
client demarcation point packets received on ports coupled to the
network carrying the source addresses of the particular demarcation
point, and a destination address equal to one of a multicast
address, a broadcast address and the address of the client
demarcation point, and to discard other packets.
[0089] Further, an access switch at the root, that is actively
attached to the particular demarcation point, is configured to
recognize the address of the particular demarcation point and
addresses of the plurality of client demarcation points for source
address filtering. The access switch at the root is configured to
forward on a port coupled to the network packets received on a port
coupled to the particular demarcation point carrying the source
address of the particular demarcation point and one of a multicast
address, a broadcast address and the address of one of the
plurality of client demarcation points, to forward on a port
coupled to the particular demarcation point packets received on a
port coupled to the network carrying the source address of one of
the plurality of client demarcation points and a destination
address equal to one of a multicast address, a broadcast address
and the address of the particular demarcation point, and to discard
other packets.
[0090] The generic Access Service is depicted in FIG. 3, including
a demarcation device 200, a secure network switch 201 and
customer-owned equipment 202.
[0091] A demarcation device 200 is always situated between
customer-owned equipment and a secure MAN switch. The demarcation
device 200 connects to customer-owned equipment 202 through one or
more service interfaces 203. The demarcation device 200 converts
between the physical layer of the drop 204 and that of the service
interfaces 203. The demarcation device 200 also performs
surveillance and maintenance functions.
[0092] The drop 204 will typically use a fiber optic link with at
least 1 Gbps bandwidth although other transmission technologies may
be used, e.g., high bandwidth wireless transmission. The type of
transmission used is transparent to the customer.
[0093] The service interface 203 is the point at which
customer-owned equipment 202, typically an internet protocol IP or
multiprotocol router, is attached. This interface 203 runs IP over
10/100/1000 Mbps Ethernet for example, using either a copper or
fiber physical layer. An auto-sensing 10/100 Ethernet service
interface may also be used. Also, other higher speed Ethernet
technologies could be used.
[0094] In the secure MAN, "demarcation devices" situated on
individual customer's premises can provide for redundant
connections to the rest of the network. Selection of one link in
preference to another can be achieved by use of the spanning tree
or a similar protocol. However, only traffic that is transmitted by
or destined for a given customer is allowed to reach that
customer's demarcation device (a packet switch). It is not
desirable that a demarcation device act as a transit link in the
network, ensuring full connectivity from one part of the network to
another, either during a reconfiguration of the network or while
the active topology is stable. Rather the network should partition
if there is no other connectivity between the two halves.
[0095] In the past, the simple selection of one link or another for
connection to the interior of a network has been performed by a
simple physical layer redundancy scheme that interrogates the
health of the links from a demarcation device switch to the
network. One link is configured as a primary link and the secondary
link is activated only if the primary fails a simple connectivity
test to the remainder of the network, e.g. loss of the transmitted
light signal.
[0096] One embodiment of the secure MAN improves on this prior
arrangement, while not allowing the demarcation device to
participate in the active topology of the network, by choosing the
active link from the demarcation device to the network on the basis
of the spanning tree information received by the device, but not
allowing it to forward or generate spanning tree information. This
arrangement protects against a failure in the network that causes
the switch connected to by the demarcation device to be separated
from the main body of the network.
[0097] There are several alternative access arrangements possible,
examples of which are shown in FIGS. 4-9. FIG. 4 shows a basic
single tenant access arrangement. In this case, the customer-owned
equipment 202 is located in a building solely occupied and
controlled by the customer. The demarcation device 200 is also
located within the customer premises as shown in FIG. 4. The
demarcation device 200 is dedicated to the customer. The single
tenant customer has several options for the use of multiple drops
to improve service availability.
[0098] One option involves use of a Redundant Switch Access Service
as shown in FIG. 5, in which a second drop 210 is connected from
the demarcation device 200 to a different secure MAN Switch 211.
This is done to maximize diversity. A failure of a drop, the
switch, or the switch port will result in data flowing over the
drop to be rerouted over the redundant drop in a very short time,
e.g., less than 50 ms.
[0099] In Redundant Switch Single Tenant Access Service, the drops
will typically reside within the same physical path from the
customer premises to the first splice point at which point they
will follow diverse physical paths.
[0100] Parallel Single Tenant Access Service is another
alternative, as shown in FIG. 6. In this case, drops 204 and 212
terminate on the same secure MAN switch 201. Unlike Redundant
Single Tenant Access Service, the multiple drops 204, 212 can be
used for load sharing in that data can flow over the drops
simultaneously. In the event of a failure of a drop or the switch
port, data flowing over the drop will be rerouted to the other drop
in a very short time, e.g., less than 50 ms. In Parallel Single
Tenant Access Service, the drops will typically reside within the
same physical path from the customer premises to the
point-of-presence of the first secure MAN switch.
[0101] Another access service option is Fully Redundant Single Tenant
Access Service as illustrated in FIG. 7, including redundant
demarcation devices 200, 220 and redundant switches 204, 221 with
redundant drops 204, 222, 223, 224 for each demarcation
device-access switch pair. Fully Redundant Single Tenant Access
Service protects against the same failures that Redundant Switch
Single Tenant Access Service does and in addition protects against
failure of a demarcation device and the failure of the
customer-owned equipment attached to a service interface. Both
service interfaces 203, 225 are activated for customer use but the
ability to simultaneously use them will depend on the details of
the routing protocol being used by the customer. Similarly the
ability of the customer-owned equipment to detect a failure and
start using a service interface on the other demarcation device
will depend on the details of the routing protocol being used by
the customer.
[0102] In Fully Redundant Single Tenant Access Service, the drops
will typically reside within the same fiber optic cable from the
customer premises to the first splice point at which point they
will follow diverse physical paths.
[0103] In other situations Multi-Tenant Access is used as shown in
FIG. 8. In this case, there is a single building or campus with
multiple customers. Some secure MAN Equipment will be in space not
controlled by the customer. For example, the equipment could be in
space leased from the landlord. In this example, the demarcation
devices 300, 301 reside within the space of the customers, and are
coupled to switch 302 which may or may not be located at the
customer premises.
[0104] Another example is shown in FIG. 9, in which the demarcation
devices 303, 304 are centrally located, and coupled to access
switch 305 which may or may not be located at the customer
premises.
[0105] In both of the above examples, each demarcation device is
dedicated to a single customer. In addition, the secure MAN
services that a customer sees across the service interface are the
same no matter which configuration is used.
[0106] There are other possibilities including a mix of centralized
and distributed demarcation devices. It may also be possible and/or
desirable to share a demarcation device among more than one
customer.
[0107] In another situation collocation facility access is used as
shown in FIGS. 10 and 11. In some ways Collocation Facility Access
is like multi-tenant access. However, the secure MAN service
provider will have leased space in the facility in which the
customer demarcation device is placed. The preferred configuration
for a collocation facility is shown in FIG. 10. The demarcation
device 320 is in the customer's rack 321 and dual connected back to
different switches 322, 323 located in a secure MAN rack 324 at a
collocation site. These connections are effected by Gigabit
Ethernet multi-mode fiber cross-connects. The customer-owned
equipment connects to the demarcation device with the appropriate
Ethernet cable. Additional customers may use the same collocation
facility, as shown by demarcation device 326 in rack 325.
[0108] In some cases, the customer may not want to accommodate the
demarcation device in his or her rack space. In this case, the
configuration is that shown in FIG. 11. The demarcation device 330
is in the secure MAN rack and is dual connected to the two switches
331, 332 in the rack. The customer-owned equipment 333, 334 is
connected to the demarcation device 330 via an appropriate Ethernet
cross-connect. In large collocation facilities, this cross-connect
will typically be multimode fiber. A demarcation device 330 can be
used for supporting multiple customers.
[0109] Once customers have established connections to the secure
MAN network, links among them are established using the
provisioning system referenced above. Links in this example
embodiment are referred to as virtual connections.
[0110] Virtual connection service provides the transfer of data
between multiple service interfaces. Three kinds of virtual
connection services in this example, include point-to-point,
point-to-multipoint, and multipoint-to-multipoint.
[0111] In point-to-point virtual connections, an internet protocol
IP packet delivered across a service interface is delivered to
exactly one other service interface. Of course, in addition to IP,
other higher layer protocols may be utilized for virtual
connections of all types. This service is like a physical wire.
[0112] FIG. 12 shows an example of the use of point-to-point
virtual connection services within the secure MAN network 350. For
a point-to-point virtual connection, a service interface for
customer equipment 400 is connected by link 405 to a service
interface for customer equipment 401; a service interface for
customer equipment 401 is connected by a link 406 to a service
interface for customer equipment 402; and a service interface for
customer equipment 402 is connected by a link 407 to a service
interface for customer equipment 400.
[0113] In multipoint-to-multipoint virtual connections, multiple
service interfaces are interconnected. A customer-owned equipment
device attached to one of these interfaces can send IP packets to
any of the other interfaces that have been assigned to the virtual
connection service. This service is similar to Frame Relay where
multiple destinations, each specified by a DLCI value, can be
reached via a single physical interface.
[0114] FIG. 13 shows an example of the use of a
multipoint-to-multipoint virtual connection service. In FIG. 13, a
service interface for customer equipment 400, a service interface
for customer equipment 401, and a service interface for customer
equipment 403 are interconnected by a multipoint-to-multipoint link
410 within the secure MAN network 350.
[0115] In point-to-multipoint virtual connections, multiple service
interfaces are interconnected. One interface is configured as the
root and the remaining interfaces are called leaves. FIG. 14
illustrates a point-to-multipoint link 415 within the secure MAN
network 350. A service interface coupled to customer owned
equipment 401 is designated root of the point-to-multipoint link
415. Service interfaces coupled to the customer equipment 400 and
403 respectively are designated leaves of the point-to-multipoint
link 415. A customer-owned equipment device 401 attached to the
root interface can send IP packets to any of the leaf interfaces. A
customer-owned equipment 400, 403 device attached to a leaf
interface can only send IP packets to the root interface. This
service combines the logical addressing features of Frame Relay
with the security features of a physical wire. The advantage to a
service provider is that he can send packets to multiple
subscribers securely while each subscriber is protected from
deliberate or accidental transmission to the other subscribers.
[0116] Multiple virtual connection services can be implemented on a
single service interface, by tagging virtual connections. This is
accomplished in this example embodiment by making use of IEEE
802.1Q VLAN tagging. Furthermore, virtual connection services
between tagged and non-tagged service interfaces are supported.
Non-tagged service interfaces support a single virtual
connection. FIG. 15 shows an example of virtual connection services
connecting between tagged and non-tagged service interfaces. In
FIG. 15, customer equipment locations 500, 501 and 502 are
connected by the point-to-point virtual connections 505, 506, 507
and 508 within the secure MAN network 350. Customer equipment 501
has three non-tagged service interfaces 510 supporting three
virtual connections 505, 506 and 508. Customer equipment 501
includes service interface 511 which has three VLAN tags assigned
to it, supporting virtual connections 505, 506 and 507. Customer
equipment 502 includes service interface 512 having two VLAN tags
assigned to it, supporting virtual connections 507 and 508.
[0117] In the provisioning of virtual connections, a variety of
parameters relevant to the control of traffic on the wire are
assigned in some situations. For example, a virtual connection
service preferably has at least one bandwidth profile associated
with it. The amount of bandwidth is provisioned at the customer's
request and the price of the virtual connection service will be
related to the "size" of the profile and the degree that the
customer's actual transmitted traffic conforms to the profile. In
return for abiding by the traffic profile, the customer receives a
commitment on performance of the virtual connection service.
[0118] Another parameter associated with virtual connections is
class of service in some embodiments. Virtual connection services
can carry multiple classes of service. The class of service for
each packet is indicated by the DS byte in the IP header as per the
DiffServ standard. See, [RFC2475] D. Black, S. Blake, M. Carlson,
E. Davies, Z. Wang, and W. Weiss, "An Architecture for
Differentiated Services", Internet RFC 2475, December 1998; and
[RFC2474] K. Nichols, S. Blake, F. Baker, and D. Black, "Definition
of the Differentiated Services Field (DS Field) in the IPv4 and
IPv6 Headers", Internet RFC 2474, December 1998. Each class of
service has a set of performance objectives that address topics
such as availability, delay, and loss. The performance objectives
only apply while the traffic being offered to the virtual
connection service conforms to the bandwidth profile.
[0119] Allocation And Configuration Of Secure MAN resources
[0120] Virtual connection services can be automatically provisioned
as described above. This allows a network manager to control secure
MAN services, from his or her own workstation. For example, a new
virtual connection service can be established or an existing one
can be modified in this fashion. Logical provisioning is supported
by actual allocation and configuration of the resources of the
secure MAN. In this example, the allocation and configuration is
accomplished as described below.
[0121] Virtual connections are established by physical layer (layer
1) and data link layer (layer 2) constructs. Two physical layers are
available in this example for service interfaces. The first is Fast
Ethernet (100 Mb) as defined in IEEE Std. 802.3. The second physical
layer is Gigabit Ethernet (1 Gb) as defined in IEEE Std. 802.3.
[0122] Virtual connection service allows the exchange of IP packets
among two or more service interfaces. Virtual connection services
are established through the provisioning service. The wires are
established at layer 2 using MAC addresses of the demarcation
devices and VLAN tags.
[0123] The source and destination MAC addresses and the value of
the DSCP in the IP header govern the handling of an IP packet
submitted over a service interface. The details of this process are
described in this section. Service performance objectives are also
described in this section.
[0124] Two types of layer 2 protocols are supported: non-tagged and
tagged. Non-tagged services: FIG. 16 illustrates the format of an
IP packet as used in the secure MAN network of the present
invention. The packet includes a destination MAC address which is
six bytes in length, a source MAC address 551 which is six
bytes in length, a Type/Length field 552 which is two bytes in
length, an IP packet payload 553 which is between 46 and 1500 bytes
in length, and a frame check sequence field 554 which is four bytes
in length.
[0125] Valid packets for the purposes of the secure MAN have a
value of the Type/Length field greater than 0x5DC:
0x0800 designating an IP datagram, 0x0806
designating an Address Resolution Protocol packet, or 0x0835
designating a Reverse Address Resolution Protocol packet. If the
value of the Type/Length field is not one of these values, the
packet is not considered properly formatted in this example.
[0126] When a unicast MAC address is used in the destination MAC
address field, it must be a globally administered MAC address for
the packet to be considered properly formatted. Similarly, the
unicast MAC address in the source MAC address field must be a
globally administered MAC address for the packet to be considered
properly formatted.
[0127] A packet sent from the customer-owned equipment to a
non-tagged service interface with an IEEE 802.1Q tag is not properly
formatted.
[0128] Tagged packets include in addition a VLAN tag field
recognized in the network, for the packet to be considered
valid.
[0129] The basic connectivity of all virtual connection services
can be described as follows. If the customer-owned equipment sends
an invalid packet, it is discarded. If the customer-owned equipment
sends a valid packet, the service delivers the packet to the
appropriate destination service interface(s) for the configured
virtual connections identified by the packet addresses. Packets
delivered to a destination service interface have the same format
as that on the source service interface. In the case of a packet
sent between non-tagged service interfaces, the contents of the
delivered packet are unchanged.
[0130] For a packet to be delivered by the service, it must
be properly formatted and have a recognized source MAC address.
Such a packet is called a valid packet. The secure MAN network
discards all invalid packets sent across a service interface by
customer-owned equipment.
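The validity rules of [0124] through [0130] for a non-tagged service interface, written out as an added Python check (this is not code from the application). The MAC addresses and frames are constructed; treating the frame check sequence as an Ethernet CRC-32 is an assumption, since the text only states that field 554 is present.

```python
import zlib

# Type/Length values from [0125]; 0x8100 is the IEEE 802.1Q tag protocol
# identifier, which a non-tagged interface must reject ([0127]).
MAX_LENGTH_VALUE = 0x5DC
ACCEPTED_TYPES = {0x0800: "IP", 0x0806: "ARP", 0x0835: "RARP"}
VLAN_TPID = 0x8100
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500


def fcs(data: bytes) -> bytes:
    """Frame check sequence, assumed to be CRC-32 sent least significant byte first."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, type_len: int, payload: bytes) -> bytes:
    """Constructed frame in the FIG. 16 layout: dst, src, Type/Length, payload, FCS."""
    body = dst + src + type_len.to_bytes(2, "big") + payload
    return body + fcs(body)


def is_multicast(mac: bytes) -> bool:
    return bool(mac[0] & 0x01)            # I/G bit; broadcast ff:ff:ff:ff:ff:ff also matches


def is_globally_administered(mac: bytes) -> bool:
    return not (mac[0] & 0x02)            # U/L bit clear


def check_frame(frame: bytes, recognized: set) -> str:
    """Classify a frame received on a non-tagged service interface.
    Returns "valid" or the reason for discard. `recognized` holds the source
    MAC addresses currently recognized at this interface ([0130])."""
    payload_len = len(frame) - 18         # 6 + 6 + 2 header bytes and 4 FCS bytes
    if not MIN_PAYLOAD <= payload_len <= MAX_PAYLOAD:
        return "bad length"
    if frame[-4:] != fcs(frame[:-4]):
        return "bad fcs"
    dst, src = frame[0:6], frame[6:12]
    type_len = int.from_bytes(frame[12:14], "big")
    if type_len <= MAX_LENGTH_VALUE:
        return "length field, not a type"            # [0125]: must exceed 0x5DC
    if type_len == VLAN_TPID:
        return "802.1Q tag on non-tagged interface"   # [0127]
    if type_len not in ACCEPTED_TYPES:
        return "unsupported type"
    if is_multicast(src) or not is_globally_administered(src):
        return "bad source address"                  # [0126]: unicast, globally administered
    if not is_multicast(dst) and not is_globally_administered(dst):
        return "locally administered unicast destination"
    if src not in recognized:
        return "unrecognized source"                 # [0130]: properly formatted but not valid
    return "valid"
```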
[0131] A MAC address becomes recognized in one of two ways: using
dynamic source MAC address or latched source MAC address processes.
Each technique is described in the following sections.
[0132] In the case of the dynamic source MAC address process, the
secure MAN network observes the source MAC address being used at
the service interface. When a particular source MAC address is
first observed on the service interface, the packets carrying the
MAC address, either as Source or Destination, will be discarded for
a period of time not to exceed 5 seconds, for example. This is done
to allow secure MAN to make security checks and ensure the
uniqueness of the MAC address. If the new MAC address is already
being recognized at another service interface, the resolution is as
described below.
[0133] If a particular source MAC address is observed and a
different MAC address has been recognized for less than 5 minutes
for example, the service interface is declared to be in the
"Onlooker" state. The use of the Onlooker state is to prevent a
repeater hub from being attached to a service interface with more
than one customer-owned equipment attached. While the service
interface is in this state, all packets sent to and from the
service interface are discarded. The state is maintained until a
MAC address remains continuously recognized for 5 minutes.
[0134] The recognized MAC address becomes unrecognized if the
customer-owned equipment disconnects from the service
interface.
[0135] In the case of the latched source MAC address process, when
a MAC address is "latched" on a given Service interface, its MAC
address will be recognized at the service interface no matter what
other source MAC addresses are observed on the service interface in
question or on any other service interface within the metropolitan
area.
[0136] A MAC address can become latched in two ways. In the first
method, the customer uses the provisioning system to latch the
currently recognized MAC address. In the second method, the
customer uses the provisioning system to put the service interface
in "latched" mode. Then the source MAC address in the next properly
formatted packet becomes the recognized and latched MAC address for
the service interface provided it is unique across all service
interfaces within the metropolitan area. If the new source MAC
address is already being recognized at another service interface,
the conflict is resolved as described below.
[0137] When the MAC address is first recognized, packets carrying
the MAC address, either as source or destination, will be discarded
for a period of time not to exceed 5 seconds, for example.
[0138] When a MAC address is "proposed" for recognition through any
of the above methods, there is a check to see if the same MAC
address is recognized at any other service interface in the
metropolitan area. If there is a conflict, an error condition is
noted by the network management system.
[0139] If the old and new service interfaces belong to different
Accounts, the MAC address remains recognized at the old service
interface.
[0140] If the old and new service interfaces belong to the same
account, the MAC address will be recognized at either the new or
old service interface.
[0141] The choice of the service interface where the MAC address
will be recognized, shown in Table 1, depends on the method used
to establish recognition at the old service interface and the
method being used at the new service interface.
TABLE 1 - Service Interface Where MAC Address is Recognized - Single Account

                          Old service interface
  New service interface   Latched                  Dynamic
  Latched                 Old service interface    New service interface
  Dynamic                 Old service interface    See Text
[0142] The case where both recognitions are based on dynamic
learning is a special case. If the MAC address had been recognized
at the old service interface for more than 1 minute, the MAC
address becomes recognized at the new service interface. Else, the
MAC address remains recognized at the old service interface. The
reason for this procedure is to distinguish between duplicate MAC
addresses and the legitimate move of customer-owned equipment from
one service interface to another.
[0143] The system also checks for duplicate MAC addresses across
metropolitan areas. However, this need not be done in real time.
Furthermore, if a conflict is discovered across metropolitan areas,
the customers involved will be notified. This will be done by
notifying the contacts for the service interfaces as defined in the
account provisioned for the service interface. The MAC addresses
involved will continue to be recognized; thus connectivity will not
be impacted.
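The recognition process of [0131] through [0142] and Table 1, as an added Python model (not code from the application). The timer values are the example values the text gives; the conflict list handed to the network management system, and the treatment of an address observed after the old one has been recognized for more than 5 minutes (as a fresh proposal that replaces it), are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Example timer values from [0132], [0133] and [0142].
QUARANTINE_S = 5.0        # newly observed address: packets discarded while checks run
ONLOOKER_HOLD_S = 300.0   # 5 minutes: a second address seen while the first is this young
MOVE_THRESHOLD_S = 60.0   # dynamic vs dynamic: an older recognition is treated as a move


@dataclass
class ServiceInterface:
    name: str
    account: str
    mac: Optional[bytes] = None      # address recognized here, if any
    since: float = 0.0               # time the current address was proposed
    latched: bool = False            # [0135]
    latch_next: bool = False         # "latched mode": next valid source gets latched ([0136])
    onlooker_until: float = 0.0      # all packets discarded while now < onlooker_until ([0133])


class MetroArea:
    """Registry of the service interfaces in one metropolitan area (constructed)."""

    def __init__(self) -> None:
        self.interfaces: Dict[str, ServiceInterface] = {}
        self.conflicts: List[Tuple[bytes, str, str]] = []   # (mac, old, new) for the NMS ([0138])

    def add(self, iface: ServiceInterface) -> None:
        self.interfaces[iface.name] = iface

    def holder(self, mac: bytes) -> Optional[ServiceInterface]:
        return next((i for i in self.interfaces.values() if i.mac == mac), None)

    def latch_current(self, iface: ServiceInterface) -> None:
        """[0136], first method: latch the currently recognized address."""
        if iface.mac is not None:
            iface.latched = True

    def latched_mode(self, iface: ServiceInterface) -> None:
        """[0136], second method: the next properly formatted source becomes latched."""
        iface.latch_next = True

    def observe(self, iface: ServiceInterface, src: bytes, now: float) -> bool:
        """A properly formatted packet with source `src` arrives at `iface`.
        Returns True if `src` is recognized there, False if the packet is discarded."""
        if now < iface.onlooker_until:
            return False                                    # Onlooker: everything discarded
        if iface.mac == src:
            return now - iface.since >= QUARANTINE_S        # [0132]/[0137] quarantine window
        if iface.latched:
            return False                                    # [0135]: other sources ignored
        if iface.mac is not None and now - iface.since < ONLOOKER_HOLD_S:
            iface.onlooker_until = iface.since + ONLOOKER_HOLD_S   # [0133]: repeater hub suspected
            return False
        # Assumption: an address seen after the old one has been recognized for
        # 5 minutes is a fresh proposal that replaces it.
        self._propose(iface, src, now)
        return False

    def _propose(self, iface: ServiceInterface, src: bytes, now: float) -> None:
        """[0138]-[0142] and Table 1: resolve a duplicate before recognizing `src` at `iface`."""
        old = self.holder(src)
        if old is not None:
            self.conflicts.append((src, old.name, iface.name))
            if old.account != iface.account:
                return                                      # [0139]: stays at the old interface
            if old.latched:
                return                                      # Table 1: a latched old recognition wins
            if not iface.latch_next and now - old.since <= MOVE_THRESHOLD_S:
                return                                      # [0142]: too recent to be a move
            old.mac, old.since, old.latched = None, 0.0, False   # recognition moves to `iface`
        iface.mac, iface.since = src, now
        iface.latched, iface.latch_next = iface.latch_next, False
```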
[0144] For point-to-point service, two service interfaces are
associated. Packets sent into one of the service interfaces can
only be delivered to the other service interface and vice-versa.
The rules for delivery or discard for a packet sent into a service
interface are based on the source and destination MAC addresses of
the packets. These rules are laid out in Table 2.
TABLE 2 - Delivery and Discard for point-to-point virtual connection service

  Source MAC address             Destination MAC address            Result
  Unrecognized, or Recognized    Any                                Discard
  at other than the Source
  service interface
  Recognized at Source           Unicast and not Recognized at      Discard
  service interface              other service interface
  Recognized at Source           Unicast and Recognized at          Deliver
  service interface              other service interface
  Recognized at Source           Multicast                          Deliver
  service interface
  Recognized at Source           Broadcast                          Deliver
  service interface
[0145] For point-to-multipoint service, two or more service
interfaces are associated. One of the service interfaces is
designated as the Root while each remaining service interface is
designated as a Leaf. The rules for delivery and discard for
packets sourced at the Root are detailed in Table 3. The rules for
delivery and discard for packets sourced at a Leaf are laid out in
Table 4.
TABLE 3 - Delivery and Discard for the Root service interface

  Source MAC address             Destination MAC address            Result
  Unrecognized, or Recognized    Any                                Discard
  at other than the Root
  service interface
  Recognized at Root             Unicast and not Recognized at      Discard
  service interface              a Leaf service interface
  Recognized at Root             Unicast and Recognized at          Deliver to the Leaf
  service interface              a Leaf service interface           service interface
  Recognized at Root             Multicast                          Deliver to all Leaf
  service interface                                                 service interfaces
  Recognized at Root             Broadcast                          Deliver to all Leaf
  service interface                                                 service interfaces
[0146]
TABLE 4  Delivery and Discard for a Leaf service interface
Source MAC address | Destination MAC address | Result
Unrecognized, or Recognized at other than the Source service interface | Any | Discard
Recognized at Source service interface | Unicast and not Recognized at the Root service interface | Discard
Recognized at Source service interface | Unicast and Recognized at the Root service interface | Deliver to the Root service interface
Recognized at Source service interface | Multicast | Deliver to the Root service interface
Recognized at Source service interface | Broadcast | Deliver to the Root service interface
[0147] In multipoint-to-multipoint service, two or more service
interfaces are associated. When there are only two service
interfaces, the result is very similar to point-to-point virtual
connection service. Most customers will have three or more service
interfaces associated for this service. The rules for delivery and
discard are presented in Table 5.
TABLE 5  Delivery and Discard for mesh multipoint-to-multipoint virtual connection service
Source MAC address | Destination MAC address | Result
Unrecognized, or Recognized at other than the Source service interface | Any | Discard
Recognized at Source service interface | Unicast and not Recognized at an associated service interface | Discard
Recognized at Source service interface | Unicast and Recognized at an associated service interface | Deliver to the associated service interface
Recognized at Source service interface | Multicast | Deliver to all other associated service interfaces
Recognized at Source service interface | Broadcast | Deliver to all other associated service interfaces
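Tables 2 to 5 share one structure: a source-address check that rejects a packet whose source is unrecognized or recognized at some other service interface (the spoofing case), followed by a destination rule that depends on the type of virtual connection. The following Python is an added example of that decision logic and is not code from the patent; the VirtualConnection data model, the interface and MAC address values, and the use of the I/G bit of the first octet to tell multicast from unicast are assumptions of the example.

```python
from dataclasses import dataclass

UNICAST, MULTICAST, BROADCAST = "unicast", "multicast", "broadcast"
DISCARD = "Discard"


@dataclass
class VirtualConnection:
    """One instance of virtual connection service (assumed data model).

    kind:       "p2p", "p2mp" or "mp2mp"
    recognized: service interface id -> set of MAC addresses recognized
                (i.e. authenticated) at that service interface
    root:       the Root service interface of a p2mp connection, else None
    """
    kind: str
    recognized: dict
    root: str = None

    def interface_of(self, mac):
        """Service interface at which `mac` is recognized, or None if unrecognized."""
        for sif, macs in self.recognized.items():
            if mac in macs:
                return sif
        return None


def classify(dst_mac):
    """Destination kind: broadcast, multicast (I/G bit of first octet set) or unicast."""
    if dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        return BROADCAST
    if int(dst_mac.split(":")[0], 16) & 0x01:
        return MULTICAST
    return UNICAST


def deliver(vc, ingress, src_mac, dst_mac):
    """Apply Tables 2 to 5 to one packet sent into service interface `ingress`.

    Returns DISCARD or the set of service interfaces the packet is delivered to.
    """
    # First row of every table: a source that is unrecognized, or recognized at
    # some other service interface than the one it arrived on, is discarded
    # whatever the destination. This is the anti-spoofing check.
    if vc.interface_of(src_mac) != ingress:
        return DISCARD

    # Interfaces the ingress is allowed to reach: the other endpoint (Table 2),
    # all Leaves when the Root sends (Table 3), only the Root when a Leaf sends
    # (Table 4), all other associated interfaces (Table 5).
    reachable = set(vc.recognized) - {ingress}
    if vc.kind == "p2mp" and ingress != vc.root:
        reachable = {vc.root}

    if classify(dst_mac) in (MULTICAST, BROADCAST):
        return reachable

    # Unicast: delivered only if the destination is recognized at a reachable
    # interface; a Leaf addressing another Leaf therefore lands in "Discard".
    target = vc.interface_of(dst_mac)
    return {target} if target in reachable else DISCARD
```

The same function covers all three service types because the tables differ only in the set of reachable interfaces; the Leaf-to-Leaf isolation of Table 4 falls out of restricting that set to the Root.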
[0148] Multiple classes of service are supported. Virtual
connection service treats packets with different classes of service
differently. The net effect is that the performance objectives vary
by class of service.
[0149] There are two alternative methods in this example secure MAN
network for determining the class of service for a packet:
[0150] A service interface can be configured such that all packets
transmitted from the customer-owned equipment are treated with a
specified class of service.
[0151] The Differentiated Services byte (DS byte) in the IP header
identifies the class of service for a packet.
[0152] Examples of class of service include standard data service
and expedited service. Standard data service is the service that
gives the lowest level of performance and corresponds to what is
currently available in IP networks. When the class is determined by
the DS byte, the value 00000000 (binary) identifies fast data
service. This is also the default Class of Service.
[0153] When fast data service is provisioned within an instance of
virtual connection service, a bandwidth profile is specified. This
causes the reserving of appropriate resources within the secure MAN
network. When a fast data service packet is sent across the service
interface into the secure MAN network, the virtual connection
service will treat the packet as follows:
[0154] If the packet conforms to the bandwidth profile, the
performance objectives for fast data service apply.
[0155] Else, no performance objectives apply.
[0156] Expedited service has significantly better performance
objectives than fast data service. The values of the DS Byte for
this class are 10111000 (binary) and 10100000 (binary).
[0157] When expedited service is provisioned within an instance of
virtual connection service, a bandwidth profile is specified. This
causes the reserving of appropriate resources within the secure MAN
network. When a secure MAN Expedited Service packet is sent across
the service interface into the secure MAN network, the virtual
connection service will treat the packet as follows:
[0158] If the packet conforms to the bandwidth profile, the
performance objectives for expedited service apply.
[0159] Else, no performance objectives apply.
[0160] In each instance of virtual connection service where the DS
byte is used to determine the class of service for a packet, a
minimum bandwidth profile and allocation of network resources are
made for expedited service. The customer can increase this
allocation through the provisioning system but the allocation can
never be reduced below this minimum.
[0161] Additional classes of service and unrecognized DSCPs may
also be provided for in the secure MAN.
[0162] When the DS byte is being used to determine the class of
service, a packet sent across the service interface into the secure
MAN network that has a DS byte value other than those specified is
treated as a standard data service packet. Additional classes of
service may be supported in the future.
[0163] Bandwidth profile is one parameter which may be associated
with a virtual connection, or with other aspects of an account in
the provisioning system. A bandwidth profile denoted BW(A, B) is
based on two parameters:
[0164] B: the Maximum Burst Size (bytes)
[0165] A: the Average Bandwidth (bytes/msec)
[0166] Let {t_i} denote the times that packets are received
(arrival of the last bit) by the SIU and let {l_i} be the
lengths of the packets in bytes. Two quantities, b(t_i) and
b'(t_i), are computed and the conformance of each packet to the
Bandwidth Profile is determined by the following algorithm:
[0167] Step 1: Set
b'(t_i) = min{ b(t_{i-1}) + A * (t_i - t_{i-1}), B }.
[0168] Step 2: If l_i <= b'(t_i), then the i-th packet is
conforming to the Bandwidth Profile and set
b(t_i) = b'(t_i) - l_i; else the i-th packet is not conforming
and set b(t_i) = b'(t_i).
[0169] The bandwidth profile can be thought of as a token bucket.
Every millisecond, tokens, each representing a byte are added to
the bucket at a rate equal to the average bandwidth. Each time a
packet is received, tokens equal to the length of the packet are
removed from the bucket. An arriving packet is conforming if the
bucket contains at least the length of the packet in tokens.
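The two-step algorithm of paragraphs [0167] and [0168] is the conformance test that decides, in paragraphs [0154] to [0159], whether the performance objectives of a class of service apply to a packet. The following Python is an added example that carries the algorithm through with the patent's symbols (A, B, t_i, l_i, b, b') on a constructed packet trace; it is not code from the patent. The initial bucket level b(t_0) = B and the choice of t_0 equal to the first arrival time are assumptions, since the patent does not state them.

```python
def conformance(arrivals, lengths, A, B, b_init=None):
    """Bandwidth Profile BW(A, B) conformance, paragraphs [0167]-[0168].

    arrivals: times t_i (msec) at which the last bit of packet i is received
    lengths:  packet lengths l_i (bytes)
    A:        Average Bandwidth (bytes/msec), the token refill rate
    B:        Maximum Burst Size (bytes), the bucket capacity
    b_init:   bucket level before the first packet; assumption: a full bucket

    Returns one (b_prime, conforming, b) tuple per packet.
    """
    if b_init is None:
        b_init = B
    b_prev, t_prev = b_init, arrivals[0]   # assumption: t_0 = t_1, no refill before packet 1
    results = []
    for t_i, l_i in zip(arrivals, lengths):
        # Step 1: tokens accumulated since the previous packet, capped at B.
        b_prime = min(b_prev + A * (t_i - t_prev), B)
        # Step 2: conforming if the bucket holds at least l_i tokens; only a
        # conforming packet removes tokens from the bucket.
        if l_i <= b_prime:
            conforming, b_i = True, b_prime - l_i
        else:
            conforming, b_i = False, b_prime
        results.append((b_prime, conforming, b_i))
        b_prev, t_prev = b_i, t_i
    return results


# Constructed sample trace (not from the patent): A = 125 bytes/msec (1 Mbit/s),
# B = 1500 bytes, five packets arriving at the given millisecond times.
SAMPLE_A, SAMPLE_B = 125, 1500
SAMPLE_ARRIVALS = [0, 2, 10, 12, 100]
SAMPLE_LENGTHS = [1500, 500, 1000, 600, 1500]


def sample_run():
    """Conformance of the sample trace, one boolean per packet."""
    return [c for _, c, _ in conformance(SAMPLE_ARRIVALS, SAMPLE_LENGTHS,
                                         SAMPLE_A, SAMPLE_B)]


if __name__ == "__main__":
    for t, l, (bp, ok, b) in zip(SAMPLE_ARRIVALS, SAMPLE_LENGTHS,
                                 conformance(SAMPLE_ARRIVALS, SAMPLE_LENGTHS,
                                             SAMPLE_A, SAMPLE_B)):
        print("t=%3d l=%4d b'=%5d %s b=%5d" % (t, l, bp, "conforming" if ok else "non-conf. ", b))
```

In the sample the second and fourth packets exceed the tokens available 2 msec after a preceding packet and so get no performance objectives, while the long idle gap before the last packet lets the bucket refill to B; a non-conforming packet leaves the bucket level untouched, exactly as Step 2 prescribes.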
[0170] The following sections describe how virtual connections that
are part of the secure MAN transmission service are implemented on
the switches of a secure MAN such as the one shown in FIGS. 17-20.
[0171] There are three types of virtual connection in this example,
including point-to-point virtual connection, point-to-multipoint
virtual connection and multipoint-to-multipoint virtual
connection.
[0172] Point-to-point virtual connections carry unicast IP packets
sent from one routed point and addressed to the other routed point;
such packets are delivered to the other routed point, as are
broadcast and multicast packets. Non-IP packets are discarded by
this example service. It is envisioned that IP technology and
services will evolve with time without departing from the present
invention.
[0173] When a point-to-point virtual connection is provisioned, the
endpoints of the virtual connection (the service interfaces that
will be attached to this virtual connection and the demarcation
devices attached to those service interfaces) are identified. Point
of Presence (POP) switches, also called access switches, and the
switch ports connected to the demarcation devices are also
identified.
[0174] Selection and configuration of a VLAN in support of virtual
connections in this example secure MAN is done using network zones.
Network Zones are defined in order to optimize VLAN
broadcast/multicast containment. Demarcation devices are grouped
within Network Zones. Typically, the grouping will correspond to
geographic location, but this is not a requirement.
[0175] To assign a VLAN ID to Virtual connection, the Network Zones
in which endpoints of the virtual connection reside are identified.
It is determined if both endpoints are in the same zone or not.
Each Network Zone in a metro area has some number, say 50, VLANs
assigned to it. Some of the assigned VLANs, say 25 VLANs, are
designated as IntraZone VLANs and are used for point-to-point
virtual connections that originate and terminate in the same zone.
The others of the assigned VLANs are designated as InterZone VLANs
and are used for point-to-point virtual connections that span
multiple zones. VLANs must be assigned such that no two Virtual
connections configured in any one demarcation device use the same
VLAN id. Otherwise, cross talk between the two Virtual connections
will occur.
[0176] Conceptually, VLAN assignments can be maintained in a table
in order to satisfy the requirements for mutual exclusion and
network optimization. Table 6 is illustrative of VLAN assignment
maintenance:
TABLE 6
VLAN id | Metro Area id | Virtual connection id | Demarcation id
2 | 10 | LW0001 | D0001
2 | 10 | LW0001 | D0002
27 | 10 | LW0002 | D0001
27 | 10 | LW0002 | D0005
52 | 10 | LW0003 | D0001
52 | 10 | LW0003 | D0004
[0177] The following equations are used to calculate the VLAN ID
that is to be configured on service interfaces being provisioned
for an IntraZone point-to-point virtual connection.
[0178] Let D1 and D2 denote the demarcation devices corresponding
to the first and second endpoints specified in a point-to-point
provisioning request respectively.
[0179] The VLAN ID will be assigned from the range of IDs assigned
to the Zone for IntraZone use. The starting value of the range is
computed from the following formula, where Network Zone Number is a
unique number assigned to the Network Zone in a metropolitan
area:
Vid-Min(IntraZone virtual connection) = ((Network Zone Number - 1) MODULO 20) * 50 + 2
[0180] Service center IDs (also called network zone IDs) may be
assigned sequentially in a metro area starting with 1. This makes
the maintenance and calculations easy. If not assigned
sequentially, a mapping table is created that maps a service center
ID to a VLAN ID address space.
[0181] Once the VLAN ID range is identified, the lowest VLAN ID
that is not in use on both D1 and D2 is used.
[0182] The highest permissible VLAN ID value for Intrazone
Point-to-Point Virtual connection is Vid-Min+25.
[0183] The following equation is used to calculate the VLAN ID that
is to be configured on service interfaces being provisioned for an
InterZone point-to-point virtual connection.
[0184] Let D1 and D2 denote the demarcation devices corresponding
to the first and second endpoints specified in a point-to-point
provisioning request respectively. A VLAN ID will be selected from
the least used range of the two participating Zones. The starting
value of the range associated with D1 and D2 are computed from the
following formulas:
Vid-Min-D1(InterZone virtual connection) = ((Network Zone Number(D1) - 1) MODULO 20) * 50 + 27
Vid-Min-D2(InterZone virtual connection) = ((Network Zone Number(D2) - 1) MODULO 20) * 50 + 27
[0185] For each demarcation device, find the lowest VLAN ID in the
computed range, that is not already in use within the device.
[0186] From the two possible VLAN ID values, choose the lowest ID
with respect to the range of each. For example, if the computed
Vid-Min-D1 value is 27, with 27-30 in use on D1, and Vid-Min-D2 is
127, with 127-128 in use, the VLAN ID 129 will be assigned, since
its value with respect to 127 (2) is lower than ID 31 with respect
to 27 (4).
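Paragraphs [0175] to [0186] define a small allocator: a zone-relative starting ID from the MODULO 20 formulas, a lowest-free search within each device, the "least used range" tie-break across zones, and the rule that no two virtual connections on one demarcation device may share a VLAN ID. The following Python is an added example of that allocator together with a check of the mutual-exclusion rule against a Table 6 style assignment table; it is not code from the patent. It assumes each IntraZone and InterZone range holds 25 consecutive IDs as paragraph [0175] describes (so zone 1 uses 2 to 26 for IntraZone and 27 to 51 for InterZone), and the example's in-use sets are constructed to reproduce the worked case in paragraph [0186].

```python
INTRAZONE_BASE = 2     # first IntraZone VLAN ID of Network Zone 1 (paragraph [0179])
INTERZONE_BASE = 27    # first InterZone VLAN ID of Network Zone 1 (paragraph [0184])
ZONE_SPAN = 50         # VLAN IDs reserved per Network Zone
ZONES_PER_CYCLE = 20   # the "MODULO 20" term of the formulas
RANGE_SIZE = 25        # assumption: 25 consecutive IDs per range, as in [0175]


def vid_min(zone_number, interzone=False):
    """Starting VLAN ID of a zone's IntraZone or InterZone range ([0179], [0184])."""
    base = INTERZONE_BASE if interzone else INTRAZONE_BASE
    return ((zone_number - 1) % ZONES_PER_CYCLE) * ZONE_SPAN + base


def lowest_free(lo, *in_use_sets):
    """Lowest ID in [lo, lo + RANGE_SIZE) that none of the given devices has in use."""
    for vid in range(lo, lo + RANGE_SIZE):
        if all(vid not in used for used in in_use_sets):
            return vid
    return None


def assign_intrazone(zone, in_use_d1, in_use_d2):
    """[0181]: lowest VLAN ID of the zone's IntraZone range free on both D1 and D2."""
    vid = lowest_free(vid_min(zone), in_use_d1, in_use_d2)
    if vid is None:
        raise RuntimeError("IntraZone VLAN range of zone %d exhausted" % zone)
    return vid


def assign_interzone(zone_d1, in_use_d1, zone_d2, in_use_d2):
    """[0185]-[0186]: lowest free ID in each device's InterZone range, then the one
    whose offset from its own Vid-Min is smaller (the least used range)."""
    candidates = []
    for zone, in_use in ((zone_d1, in_use_d1), (zone_d2, in_use_d2)):
        lo = vid_min(zone, interzone=True)
        vid = lowest_free(lo, in_use)
        if vid is None:
            raise RuntimeError("InterZone VLAN range of zone %d exhausted" % zone)
        candidates.append((vid - lo, vid))   # (offset with respect to Vid-Min, ID)
    return min(candidates)[1]


def crosstalk_conflicts(rows):
    """Check the mutual-exclusion rule of [0175] against an assignment table whose
    rows are (VLAN id, metro area id, virtual connection id, demarcation id).
    Returns the (demarcation id, VLAN id) pairs shared by two different connections,
    i.e. the configurations in which cross talk between connections would occur."""
    owner = {}
    conflicts = set()
    for vid, metro, vc, dev in rows:
        key = (metro, dev, vid)
        if key in owner and owner[key] != vc:
            conflicts.add((dev, vid))
        owner.setdefault(key, vc)
    return conflicts


# The rows of Table 6, used as input to the checks.
TABLE_6 = [
    (2, 10, "LW0001", "D0001"), (2, 10, "LW0001", "D0002"),
    (27, 10, "LW0002", "D0001"), (27, 10, "LW0002", "D0005"),
    (52, 10, "LW0003", "D0001"), (52, 10, "LW0003", "D0004"),
]
```

Running `crosstalk_conflicts` over the provisioning table is the check worth automating: a duplicate (device, VLAN) pair is exactly the condition under which two customers' connections would share a broadcast domain on the same demarcation device.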
[0187] Selected VLAN is configured on identified demarcation
devices; identified service interfaces are configured in the new
VLAN. Service interfaces are configured to receive only untagged
frames and only the selected VLAN is allowed out of service
interfaces (untagged). Network ports (towards secure MAN network)
on demarcation devices are configured in the new VLAN allowing only
tagged frames to pass through.
[0188] A selected VLAN is configured on identified POP switches (if
not already configured). The access port on the POP switch
connected to identified demarcation device is configured in the
selected VLAN allowing only tagged frames in and out of the port.
If the POP switch supports the Generic VLAN Registration Protocol (GVRP),
the upstream port(s) will propagate this VLAN to local switches.
Upstream switches will propagate this VLAN in other parts of the
network. The upstream ports (from the POP switch) will also process
the incoming GVRP requests.
[0189] If GVRP is not supported by a POP (and/or local/regional)
switch, VLANs are configured manually on all switches and ports in
the path between the endpoints of the virtual connection (including
redundant paths). By "manual configuration," it is meant that the
configuration files are not self-propagating, such as in a protocol
like GVRP, but require some user intervention to set up and/or
modify across the network.
[0190] Security filters are configured as part of the process of
provisioning virtual connections. When the customer endpoint
(demarcation device MAC address) is known on a service interface
being provisioned, the MAC address is configured in a source
address filter on the access port on the POP switch. This filter
forces packets out of the port coupled to a customer access point
(if on the same POP switch) or network port (if not on the same POP
switch). This source address filter is also configured on the
network port of the other POP switch (connected to other endpoint
of virtual connection, if required) forcing packets out of the
correct access port.
[0191] If the customer endpoint is unknown at the current time, the
above filter configuration is done after a successful
authentication has been performed after learning the endpoint MAC
address.
[0192] Examples of secure MAN configurations for point-to-point
virtual connections are given in FIGS. 17-20.
[0193] FIG. 17 illustrates a secure MAN arranged in one example
configuration. The secure MAN includes a plurality of demarcation
devices, in this example demarcation devices 600, 601, 602 and 603
are illustrated. The demarcation devices are connected to point of
presence POP switches in the secure MAN. Thus, the demarcation
devices 600, 601 are coupled to the POP switch 605 across lines 606
and 607 respectively. Demarcation device 602 is coupled to POP
switch 608 across line 609. Demarcation device 603 is coupled to
POP switch 610 across line 611. The POP switches 604, 608, 610 are
connected to local layer 2 switches 614 and 612. The local layer
2 switches 614, 612 are coupled to a regional layer 2 switch 613. The
regional layer 2 switch 613 may be coupled to other regional sites
by a long haul network or otherwise as indicated by the arrow 615.
Switches 613, 612, 614, 605, 608, 610 may be in collocation
sites.
[0194] The hierarchy illustrated in FIG. 17 is merely one example.
A wide variety of architectures for the switches could be utilized
according to the present invention. For example, a regional switch
may also act as a POP switch, and local switches may not be used.
For simplicity, redundancy is omitted from the example, although
such redundancy would be implemented in many instances of the
invention.
[0195] Two virtual connections V1, V2 are illustrated in FIG. 17.
Virtual connection V1 is a point-to-point channel between the
service interface R1 on demarcation device 600 and R3 on
demarcation device 601. The virtual connection V2 is a
point-to-point channel between the service interface R2 on
demarcation device 600, and the service interface R4 on demarcation
device 602.
[0196] Each of the layer 2 switches in the network illustrated can
be implemented using a basic layer 2 architecture such as that
illustrated in connection with the POP switch 605. Each port of the
switch includes a source address and destination address filter
620. Also, associated with the switch 605 is a VLAN filter 621. The
demarcation devices 600-603 include client side ports, such as the
ports R1 through R4, and one or more service access ports, such
as the port coupled to line 606. In one embodiment, the client side
ports receive layer 2 packets carrying source and destination
addresses followed by a Type field and an Internet Protocol payload,
as is well known in the art. At the demarcation device 600, a VLAN
tag is added to the frame, to associate the tag with a virtual
connection.
[0197] In operation, the demarcation device 600 sends a frame from
port R1 out on line 606 and carrying the VLAN tag V1. The
source/destination address filters (e.g. 620) in the switch 605 are
configured to recognize the source and destination addresses of the
frame. The frame will be accepted in the switch at the port only if
it has a recognized source address on that port. The VLAN filter
621 on the switch 605 will identify the outgoing ports on the
switch 605 which are configured to receive the packet carrying that
VLAN tag and that source address. Thus, a port coupled to line 620
passes the packet received from the port R1 on line 620 to the
local layer 2 switch 614. Likewise, the port coupled to line 607
passes the packet carrying the VLAN tag V1 towards the port R3. The
VLAN filter 621 recognizes the packet as a member of the virtual
connection V1, and allows it to be sent outgoing on the port
coupled to line 620 and on the port coupled line 607.
[0198] For the virtual connection V2, the source and destination
address filter 620 accepts the packet at switch 605. The VLAN
filter 621 limits the outgoing path for the packet to the port
connected to line 620. The packet is forwarded up the tree towards
the local layer 2 switch 614. Layer 2 switch 614 allows the packet
to be transmitted only on line 625 to the POP layer 2 switch
608.
[0199] As can be seen in FIG. 17, virtual connections remain
confined to their logical Network Zone delimited by the local
switches 611, 612, i.e., V1 and V2 never cross the Network Zone 1
boundary above local switch 1. The upstream port on local switch 1
is not a member of V1 or V2. Therefore packets in V1 and V2 are not
forwarded by local switch 1 on its upstream port to the regional
switch. At the same time, source address filters ensure delivery of
packets to only the correct recipient.
[0200] In FIG. 18, the network switch and access point
configuration and VLAN ID assignment remains the same. However, a
point-to-point virtual connection is provisioned between R1 and R3
in the Network Zone served by local switch 614 while another
virtual connection is provisioned between R2 and R5 served by local
switch 614 and local switch 612 respectively, and thus across
Network Zones. For simplicity, redundancy is omitted. VLAN ID V26
is selected for non-local virtual connection from R2 to R5.
[0201] Only VLAN 26 crosses the Network Zone boundary. Local VLANs
in Network Zone 1 remain local. Local switch 1 propagates V26 to
its upstream regional switch thus creating a forwarding path across
the regional switch 613 to local switch 612 and demarcation device
603.
[0202] For the embodiment of FIG. 18, packets from the port
connected to R1 in the virtual connection V1 are accepted in the
source and destination address filter 620 of POP switch 605 and
allowed to pass on the port connected to line 623 up to the layer 2
switch 614. The packets are blocked by the VLAN filter 621 on the
other ports of the POP switch 605. At the switch 614, the packet
from a virtual connection V1 is allowed out on the port coupled to
line 625, and not on other ports. At switch 608, the packet in the
virtual connection V1 is allowed out on the line 609 to the
demarcation device 602, and onto the destination R3. Similar
filtering occurs in the reverse direction from the end station R3
to the end station R1. Packets within the virtual connection V26
are allowed into the switch 605, and propagated to the switch 614.
At switch 614, packets for virtual connection V26 are passed up to
the switch 613, where they are propagated through switch 612,
switch 610 and onto the demarcation device 603 where they are
delivered to the destination R5. The logical construct of network
zones being defined by a layer of switches in a network, such as
the switches 614 and 612 in this example, can be used for the
management of the VLAN IDs, and other network addressing functions.
In some embodiments of the network, no such network zone logical
construct is necessary.
[0203] In a point-to-multipoint virtual connection, a unicast IP
packet injected by the root node and destined to one of the leaf
nodes is delivered to the leaf node while a multicast/broadcast
packet is delivered to all leaf nodes. Unicast, multicast and
broadcast packets injected by a leaf node and destined to the root
node are delivered to the root node. No packets from one leaf node
are delivered to another leaf node, however.
[0204] When a point-to-multipoint virtual connection is
provisioned, the endpoints (service interfaces that will be
attached to this virtual connection and demarcation devices
attached to those service interfaces) are identified. POP switches
(and access ports) connected to those demarcation devices are also
identified.
[0205] A separate VLAN is used for each point-to-multipoint virtual
connection. The lowest VLAN ID available in the range assigned to
point-to-multipoint virtual connection is used to provision this
virtual connection.
[0206] The selected VLAN is configured on the demarcation devices
necessary to support the virtual connection; identified service
interfaces are configured in the new VLAN. Service interfaces on
the customer side are configured to receive only untagged frames
and only the selected VLAN is allowed out of service interfaces
(untagged). Network ports (towards the secure MAN network) on
demarcation devices are configured in the new VLAN allowing only
tagged frames to pass through.
[0207] The selected VLAN is configured on the POP switch (if not
already configured). The access port on POP switch connected to the
demarcation device is also configured in the selected VLAN allowing
only tagged frames in and out of the port. If the POP switch
supports GVRP, the upstream port(s) will propagate this VLAN to
other parts of the network. The upstream ports will also process
the incoming GVRP requests.
[0208] If GVRP is not supported by a POP switch (and/or
local/regional switches), VLANs are configured manually on all
switches and ports in the path between the root node and each leaf
node on the virtual connection (including the redundant paths).
[0209] The configuration of security filters for a
point-to-multipoint virtual connection is described with reference
to the example in FIG. 19, which shows the same network switch
configuration as FIGS. 17 and 18.
[0210] Generally, if the root node endpoint R2 (router MAC address)
is known on a service interface being provisioned at demarcation
device 603, the MAC address is configured in a source address
filter on the access port on POP switch 610 (leading to the root
node) allowing packets to be forwarded. For each known leaf node
(whose MAC address is known) that resides on the same POP switch
610 as the root node, a source address filter (with leaf node's
address) is configured on the leaf node port on the POP switch
forcing packets to egress from the port leading to the root
node.
[0211] For each known leaf node R4, R1 (whose MAC address is known)
that resides on a different POP switch than the root node, a VLAN
filter and/or a source address filter (with the leaf node's
address) is/are configured on the network port of the root POP
switch 603, allowing packets to egress from the port leading to the
root node 615. On every POP switch 608, 600 that leads to one of
the leaf nodes, a source address filter (with the leaf node's
address) is configured on the access port, allowing packets out of
the network port. A source address filter (with the root node's
address) on the network port of the same POP switch and/or a VLAN
filter also allows the packets to egress from the correct leaf node
port.
[0212] If a customer endpoint (root node/leaf node) is unknown at
the current time, the above filter configuration is done after a
successful authentication when address of the endpoint is
learned.
[0213] FIG. 19 shows a point-to-multipoint virtual connection from
R2 to R1 and R4. As can be seen, the VLAN V1 crosses those branches
that lead to member ports (root/leaf nodes). Security source
address filters on POP switches ensure that the root node can reach
all the leaf nodes (R1, R4) while leaf nodes (R1, R4) can only
reach the root node (R2).
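Paragraphs [0190], [0196]-[0197] and [0210]-[0213] describe two per-port mechanisms on a POP switch: a source address filter that accepts a frame only if its source MAC is recognized on the ingress port and forces it out of a configured port, and a VLAN filter that limits transmission to ports that are members of the frame's VLAN. The following Python is an added model of POP switch 605 as provisioned for the point-to-multipoint connection of FIG. 19 (root R2 reached through the network port on line 620, leaf R1 on line 606, R3 on line 607 not a member); it is not code from the patent. The MAC addresses, the use of integer 1 and 2 for VLANs V1 and V2, the port names and the MAC-table lookup for unicast delivery are assumptions of the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for routers R1, R2, R3 (not from the patent).
R1, R2, R3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


@dataclass
class Port:
    name: str
    vlans: set                                          # VLAN filter membership
    source_filter: dict = field(default_factory=dict)   # src MAC -> ports it is forced out of


@dataclass
class Switch:
    ports: dict                                         # port name -> Port
    mac_table: dict = field(default_factory=dict)       # dst MAC -> port where it lives

    def forward(self, ingress, vlan, src, dst):
        """Egress ports for a tagged frame arriving on `ingress`; empty set = dropped."""
        port = self.ports[ingress]
        # Source address filter ([0197]): accept only a source recognized on this
        # port, and only in a VLAN the port is configured for.
        if src not in port.source_filter or vlan not in port.vlans:
            return set()
        # The filter also fixes the ports the frame is forced out of ([0190]).
        allowed = set(port.source_filter[src]) - {ingress}
        # VLAN filter ([0197]): only ports that are members of the VLAN transmit it.
        allowed = {p for p in allowed if vlan in self.ports[p].vlans}
        # Unicast: MAC lookup narrows delivery to the destination's port ([0221]);
        # multicast/broadcast goes to every allowed port.
        if dst != BROADCAST and not int(dst[:2], 16) & 0x01:
            target = self.mac_table.get(dst)
            allowed &= {target} if target else set()
        return allowed


def pop_switch_605():
    """POP switch 605 of FIG. 19 provisioned for p2mp connection V1 (VLAN 1): leaf R1
    on access port 606 may only go toward the root via network port 620, the root R2
    arriving on 620 may only reach the leaf port 606. R3 on port 607 belongs to a
    different connection (VLAN 2) and is not a member of V1."""
    return Switch(
        ports={
            "acc_606": Port("acc_606", {1}, {R1: {"net_620"}}),
            "acc_607": Port("acc_607", {2}, {R3: {"net_620"}}),
            "net_620": Port("net_620", {1, 2}, {R2: {"acc_606"}}),
        },
        mac_table={R1: "acc_606", R3: "acc_607", R2: "net_620"},
    )
```

The cases worth checking are the ones the patent relies on for isolation: a frame from port 606 carrying any source other than R1 is rejected at ingress, a frame from R1 addressed to R3 on the same switch has no egress because the source filter forces it toward the root only, and a frame from R2 in VLAN V2 reaches nothing because port 606 is not a member of that VLAN.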
[0214] A multipoint-to-multipoint virtual connection is used to
connect multiple routed points together and is especially useful to
extend a campus LAN (minus bridging over the secure MAN network).
The definition and implementation is described below for one
embodiment.
[0215] In a multipoint-to-multipoint virtual connection, a unicast
IP packet injected by a member and destined to one of the other
members is delivered to the other member while a
multicast/broadcast packet is delivered to all the members.
[0216] When a multipoint-to-multipoint virtual connection is
provisioned, the endpoints (service interfaces) that will be
attached to this virtual connection and demarcation devices
attached to those service interfaces are identified. POP switches
(and access ports) connected to demarcation devices are also
identified.
[0217] A separate VLAN is used for each multipoint-to-multipoint
virtual connection. The highest VLAN ID available in the range
assigned to multipoint-to-multipoint virtual connection is used to
provision this virtual connection. Selecting the highest available
VLAN ID for a multipoint-to-multipoint virtual connection makes
point-to-multipoint and multipoint-to-multipoint virtual
connections consume VLAN IDs from opposite sides. Based on the
customer demand, one type of virtual connections may consume more
VLAN IDs than the other. If all the available VLAN IDs are
consumed, they wrap around and start sharing already used VLAN IDs.
It stretches the broadcast domain, but does not affect the service
availability or security of secure MAN service.
[0218] The selected VLAN is configured on demarcation devices;
identified service interfaces are configured in the new VLAN.
Service interfaces are configured to receive only untagged frames
and only the selected VLAN is allowed out of service interfaces
(untagged). Network ports (towards the secure MAN network) on
demarcation devices are configured in the new VLAN allowing only
tagged frames to pass through.
[0219] The selected VLAN is configured on the POP switch (if not
already configured). The access port on POP switch connected to the
demarcation device is also configured in the selected VLAN allowing
only tagged frames in and out of the port. If POP switch supports
GVRP, the upstream port(s) will propagate this VLAN to other parts
of the network. The upstream ports will also process the incoming
GVRP requests.
[0220] If GVRP is not supported by a POP switch (and/or
local/regional switches), VLANs are configured manually on all
switches and ports in the path between all pairs of members on the
virtual connection (including redundant paths).
[0221] Configuration of source address security filters can be
understood with reference to the example in FIG. 20. Generally, if
the endpoint R1 (e.g., router MAC address) is known on a service
interface being provisioned, the MAC address is configured in a
source address filter 620 on the access port on the POP switch 605.
A source filter is also configured on the network port of those POP
switches 608, 610 that lead to other member nodes on this virtual
connection. This filter along with MAC address lookup on the egress
POP switch will correctly deliver the unicast packets to the
correct member node and multicast/broadcast packets to all member
nodes on that switch.
[0222] If the customer endpoint is unknown at the current time, the
above filter configuration is done after a successful
authentication when address of the endpoint is learned.
[0223] FIG. 20 shows a multipoint-to-multipoint virtual connection
among R1, R2, and R4. As can be seen, the assigned VLAN V1 is
configured in the VLAN filters 621, to reach all member nodes while
source address security filters on POP switches 605, 608, 610 allow
any member to talk to any other member.
[0224] FIG. 21 shows a spanning tree configuration for interior
switches according to a preferred embodiment. The solid filled
circles on the switches correspond to designated ports according to
the Spanning Tree Protocol. The unfilled circles on the switches
correspond to root ports, and the ports marked by parallel lines
crossing the link are alternate ports in a blocking mode. The root
of the tree is switch P1. Switch P1 has designated ports coupled
via links 1-2, 2-1, 1-3, and 5-1, to root ports on switches P2, P2,
P3, and P5, respectively. Also, it includes a designated port
coupled via an internal link to an alternate port on switch P8.
Switch P2 has designated ports coupled to root ports via links 6-2
and 2-4 on switches P6 and P4, respectively. Also, a designated
port on switch P2 is coupled to an alternate port on switch P7.
Switch P3 has a designated port coupled via link 3-7 to a root port
on switch P7. Also, a designated port on switch P3 is coupled via
an internal link to an alternate port on switch P6. A designated
port on switch P4 is coupled via link 4-8 to a root port on switch
P8. Also a designated port on switch P4 is coupled via an internal
link to an alternate port on switch P5.
[0225] FIG. 22 illustrates a fiber ring network extending around a
path of about 20 miles, which is made of bundles of fibers laid in
right of ways within a metropolitan area. Segments of the ring are
logically partitioned as segments of an ethernet network,
configured as a tree, rather than a ring, illustrating a layout
according to the present invention other than the cross-connected
broken ring. Switches in the tree comprise standard 100 Megabit,
Gigabit or higher ethernet switches configured according to the
Spanning Tree Protocol, or variations of the Spanning Tree
Protocol.
[0226] In FIG. 22, switch P1 is a root of the tree, labeled P1, 0,
P1 to indicate that the root of the tree is P1, the distance to the
root is 0, and the upstream (toward the root) switch is P1. The
interconnection of the tree can be understood by the upstream links
for the switches. Thus there are no upstream links from switch P1.
Switch P2 (P1, 1, P1) is connected by fibers F1 and F2 to switch
P1. Switch P3 (P1, 2, P2) is connected by fiber F7 to switch P2.
Fibers I1 and I2 are configured as backup links to switch P1 from
switch P3. Switch P4 is connected by fibers F3 and F4 to switch P1.
Fibers I3 and I4 are connected as backup links to switch P2 from
switch P4. Switch P5 is connected by fibers F5 and F6 to switch P1.
Fiber F8 is connected as a backup link from switch P5 to switch P2.
Switch P6 is connected by fibers F9 and F10 to switch P2. Fiber F12
is a backup link from switch P6 to switch P5. Switch P7 is
connected by fiber F11 to switch P3. Fibers I5 and I6 act as backup
links to switch P5 from switch P7. Switch P8 is connected by fiber
F13 to switch P5. Fibers I7 and I8 are connected as backup links
from switch P8 to switch P6.
[0227] The fibers F1 to F13 and I1 to I8 comprise dark fibers in
the fiber ring, which have been partitioned as point to point fiber
segments in the tree as shown. Thus, fiber of a single ring can be
re-used spatially. That is segments of a single ring can be used
independently for point-to-point links in the tree.
[0228] While the present invention is disclosed by reference to the
preferred embodiments and examples detailed above, it is to be
understood that these examples are intended in an illustrative
rather than in a limiting sense. It is contemplated that
modifications and combinations will readily occur to those skilled
in the art, which modifications and combinations will be within the
spirit of the invention and the scope of the appended claims.
* * * * *