US20020038253A1 - Point-to-multipoint virtual circuits for metropolitan area networks - Google Patents

Point-to-multipoint virtual circuits for metropolitan area networks

Info

Publication number
US20020038253A1
Authority
US
United States
Prior art keywords
network
demarcation
address
point
switches
Legal status
Abandoned
Application number
US09/796,922
Inventor
Michael Seaman
Vipin Jain
Gary Jaszewski
Robert Klessig
Current Assignee
Qwest Communications International Inc
Original Assignee
TELSEON IP SERVICES Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G06Q30/06 Buying, selling or leasing transactions
    • G06Q30/0601 Electronic shopping [e-shopping]

Definitions

  • the present invention relates to broadband communication services, and more particularly to configuration of metropolitan area communication networks supporting secure point-to-multipoint channels.
  • a point-to-multipoint connection is used to connect one routed point to many routed points and is especially useful to deliver services to multiple customers simultaneously while maintaining isolation among customers themselves.
  • Protocols used in these environments, such as Ethernet, support multicast messages and so allow customers using the network, who may be unknown to other customers, to see the multicast traffic unless complex security provisions like firewalls are installed in the network. In networks to which the public is allowed to subscribe, such security measures may be difficult to implement.
  • multicast technologies are very effective for some kinds of network traffic.
  • for an Internet Service Provider, a subscription-based audio program provider, or another customer of the Metropolitan Area Network that serves many independent customers to whom a single message could be sent from a single service provider attachment to the network, for example, multicast can be very useful.
  • customers that might be configured to receive multicast messages should be prevented from sending multicasts or other messages to the other subscribers to the multicast service, unless separate arrangements are made.
  • This invention comprises a method for configuring a network, and a network configured according to such method, providing secure point-to-multipoint communication channels supporting multicast messages only from the root of the channel.
  • a method of providing a point to multipoint communication channel in a metropolitan area network among a plurality of demarcation points having unique addresses includes identifying a particular demarcation point in the network as a root of the channel, and a plurality of client demarcation points in the network as leaves of the channel; and configuring switches in the network so that
  • client demarcation points can only exchange packets on the network with the particular demarcation point, and not with other client demarcation points; and so that
  • the particular demarcation point can exchange packets on the network with the plurality of client demarcation points.
  • a switch attached to a respective client demarcation point in the plurality of client demarcation points is configured to recognize addresses of the particular demarcation point and of the respective client demarcation point, for source address filtering.
  • the switches at the leaves are configured to forward onto the network packets received on ports coupled to the respective client demarcation points carrying source addresses equal to the address of the respective client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the respective demarcation points packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and destination addresses equal to one of a multicast address, a broadcast address and the address of the respective client demarcation point, and to discard other packets.
  • a switch coupled to the particular demarcation point identified as the root is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points for source address filtering.
  • the switch at the root is configured to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets.
  • a communication system is provided using technology that has been developed within the communications, enterprise data networking, electronic commerce, and carrier service provider industries to provide service in new ways, supporting secure point-to-multipoint channels, and other connectivity options in a manner particularly complementary to a provisioning process and system described in the above referenced application entitled E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS.
  • Provision of multiple connectivity options across a packet switched network is supported by the network, including point-to-multipoint services.
  • the network supports point-to-point connectivity between a pair of service interfaces, multipoint-to-multipoint switched-LAN-like connectivity between a set of service interfaces, and point-to-multipoint connectivity.
  • the point-to-multipoint connectivity provides for the equipment attached at one service interface, the ‘root,’ to be able to transmit to one or all other interfaces while equipment attached at those interfaces can only transmit to the root. This functionality supports serving many of a service provider's customers through a single connection to the network.
  • Security arrangements for a packet switched data transmission network using LAN switches are provided.
  • the network makes use of packet data switching equipment that is typically used in private data networks. While such equipment has facilities that can be used to construct ad-hoc security arrangements, a systematic approach to security is provided by the present invention.
  • the network ensures that no data is ever delivered to a service interface other than the service interface(s) explicitly authorized by the customer whose network attached equipment transmits the data, and that no data is received on a service interface other than data from the service interface(s) explicitly authorized by the customer whose network attached equipment is receiving the data.
  • the mechanisms that the system uses to ensure such secure delivery include:
  • the network architecture in a preferred embodiment organizes switches into demarcation devices, access switches and interior switches.
  • Demarcation devices are also referred to herein as service interface units.
  • service interface units are typically, but not necessarily, located on a single customer's premises. It is assumed that the customer will secure physical access to his or her own premises.
  • Each demarcation device supports one or more service interfaces, identifiable by unique addresses such as Ethernet MAC addresses, that the customer uses to connect to the network, and one or more ‘drops’ that connect to access ports on access switches.
  • Access switches are located on premises physically secured, linked by a communication media of choice, including for example fiber optic cable, to a collocation site in the metropolitan area network.
  • In addition to access ports coupled to the demarcation devices, the access switches have interior network ports that connect to interior switches at the collocation sites within the network.
  • Interior switches form the heart of the network, typically in collocation sites of the metropolitan area network, having ports coupled to the interior ports of the access switches.
  • the identity of the connected device is ascertained by observing packets transmitted by the device at the service interface of the demarcation device.
  • Each packet contains a source address, such as a source MAC address.
  • the MAC address is captured by the service interface and a notification sent to the system managing the network using normal network management protocols.
  • the management system assures itself that the MAC address is unique. Filters are configured on access ports of the access switches to ensure that only packets with source addresses checked in this way are accepted from the attached demarcation device. Similarly only packets from source addresses that are permitted to transmit to the demarcation device are allowed to egress from the access port to the demarcation device.
  • Interior switches do not filter or otherwise constrain connections on the basis of the identities of devices attached to either the transmitting or receiving service interfaces. This allows the active topology maintained by interior switches to scale independently of the number of active connections through the network, and to reconfigure rapidly since information concerning individual connections does not have to be communicated or changed during reconfiguration.
  • a range of options is offered to customers to control changes to the source MAC address used on the interface, including automatic configuration, latching of a learnt address, explicit manual configuration, and identification of attempts at intrusion into the network.
  • the system is capable of extension to allow additional security protocols to establish the identity of the connecting system. Once that identity has been established, the MAC address of the transmitting system is used, as described above, to secure connections.
  • Disconnection and reconnection of the device can be detected, even if the same MAC address is used throughout. This protects against attempts to masquerade once a device identity has been established.
  • Fiber optic transmission technology using WDM (wavelength division multiplexing).
  • Gigabit (or higher) Ethernet packet switching technology to accept and deliver IP data from and to customers, providing a highly reliable service.
  • a set of rules and heuristics is provided for the use and configuration of fiber optic transmission facilities, purchased or leased in ring configurations, as a set of links comprising selected concatenated segments from a set of rings.
  • the resulting configurations have benefits in networks including:
  • a link can comprise logical segments, each consisting for example of a wavelength of light transmitted and received by WDM (wavelength division multiplexing) equipment attached to the physical fiber segment running between two locations on a ring.
  • WDM wavelength division multiplexing
  • Modification of the Spanning Tree for resilient redundant connection of an edge device, such as a demarcation device, to a network is provided in some embodiments in support of efficient provisioning.
  • the IEEE 802.1 Spanning Tree provides for redundant connections within a network, where data transmitted from one attachment to the network to another is constrained to follow a loop free path. It reduces the physical topology of the network to an active topology that is both loop free (‘tree’) and fully connected (‘spanning’).
  • ‘demarcation devices’ situated on individual customers' premises can provide for redundant connections to the rest of the network. Selection of one link in preference to another can be achieved by use of the spanning tree or a similar protocol. However, only traffic that is transmitted by or destined for a given customer is allowed to reach that customer's demarcation device (a packet switch). It is not desirable that a demarcation device act as a transit link in the network that would be used to ensure full connectivity from one part of the network to another, either during a reconfiguration of the network or while the active topology is stable. Rather, the network should partition if there is no connectivity other than through a demarcation device between the two halves.
  • the system improves on this prior arrangement, while not allowing the demarcation device to participate in the active topology of the network, by choosing the active link from the demarcation device to the network on the basis of the spanning tree information received by the device, but not allowing it to forward or generate spanning tree information.
  • This arrangement protects against a failure in the network that causes the switch to which the demarcation device is connected to be separated from the main body of the network.
  • FIG. 1 is a diagram of a commercial communication service with an Internet based provisioning server according to the present invention.
  • FIG. 2 is a block diagram of a network supporting point-to-multipoint channel according to the present invention.
  • FIG. 3 illustrates a generic access connection to a secure MAN according to the present invention.
  • FIG. 4 illustrates a basic single tenant access arrangement.
  • FIG. 5 illustrates a redundant switch access service with parallel drops.
  • FIG. 6 illustrates a parallel single tenant access service with two drops coupled to a single access switch.
  • FIG. 7 illustrates a fully redundant single tenant access service according to one aspect of the invention.
  • FIG. 8 illustrates a multi-tenant access arrangement for use with the secure MAN of the present invention.
  • FIG. 9 illustrates another example multi-tenant access arrangement.
  • FIG. 10 illustrates a collocation facility access arrangement for connection to the secure MAN of the present invention.
  • FIG. 11 illustrates another example collocation facility access arrangement.
  • FIG. 12 illustrates an example of the use of point-to-point virtual connection services according to the present invention.
  • FIG. 13 shows an example of a multipoint-to-multipoint virtual connection service.
  • FIG. 14 illustrates a point-to-multipoint virtual connection service for a secure MAN network according to the present invention.
  • FIG. 15 illustrates the use of tagged and non-tagged service interfaces for access to a secure MAN network according to the present invention.
  • FIG. 16 shows a format for a packet transmitted within the secure MAN network of the present invention.
  • FIG. 17 illustrates a simplified secure MAN network, and configuration of a virtual connection within such a network.
  • FIG. 18 illustrates a simplified secure MAN network as in FIG. 31, with another example configuration of a virtual connection.
  • FIG. 19 illustrates a simplified secure MAN network as in FIG. 31, showing configuration for a point-to-multipoint virtual connection.
  • FIG. 20 illustrates a simplified secure MAN network as in FIG. 31, showing configuration for a multipoint-to-multipoint virtual connection.
  • FIG. 21 illustrates tree topology of a four collocation site, fiber MAN, showing an architecture for the interior switches of the network of the present invention.
  • FIG. 22 illustrates a fiber MAN network physically laid out as a ring, and partitioned as segments of the secure MAN of the present invention.
  • FIG. 1 illustrates a communications service example, based on provisioning links among a variety of customers within a secure metropolitan area network (MAN).
  • a secure MAN based upon a layer two protocol, preferably Ethernet or another protocol supporting multicast messaging, is represented by cloud 60.
  • a number of customers, including Internet service provider 61, outsourcing vendor 62, “enterprise 1” with a North campus 63, a West campus 24, and a South campus 25, and “enterprise 2” 66 and enterprise 3 67, are coupled to the secure MAN 60 by appropriate physical and logical interfaces.
  • a provisioning server 71 is coupled to the secure MAN 60, either using the secure MAN medium or by other communication channels to the switches and other resources in the secure MAN, and facilitates transactions among the customers of the secure MAN 60 for establishing communication channels, such as the virtual connections discussed above, and provisioning of services agreed to by the customers with the resources of the secure MAN 60.
  • configuring and allocating services within the secure MAN 60 to support the links among the customers is managed by the provisioning server using a management protocol such as Telnet or SNMP, under which filters and other control data structures in the switches are configured.
  • the provisioning server is available via the Internet to customers and potential customers of the secure MAN 60, using standard technology.
  • Virtual connection services allow rich connectivity among all customer locations on the secure MAN network. Examples include:
  • a point-to-multipoint virtual connection service 76 connecting an Internet Service Provider to customers.
  • a single customer can have simultaneous intra-enterprise and extra-enterprise communications using the secure MAN, provisioned according to the present invention.
  • FIG. 2 is a block diagram of a network configured according to the present invention to support point-to-multipoint virtual connections, among a plurality of customers of a public metropolitan area network.
  • the customers have local networks 100, 101, 102, and 103.
  • Each of the customers includes customer equipment, such as a router (not shown), having unique MAC addresses, connected by a link to a port on a service interface unit.
  • the customer 100 is connected by links 100-1 and 100-2 to the service interface unit 105.
  • the customer 100 is connected by links 100-3 and 100-4 to the service interface unit 106.
  • the customer 101 is connected by link 101-1 to the service interface unit 107.
  • the customer 102 is connected by the links 102-1 and 102-2 to service interface unit 108.
  • Customer 103 is connected by link 103-1 to service interface unit 109.
  • the service interface units comprise switches at customer premises in which demarcation points for access to the metropolitan area network are established.
  • Each of the links 100-1 through 100-4, 101-1, 102-1, 102-2, and 103-1 is connected at the customer side to a port on a customer device having a unique MAC address.
  • the demarcation points for the network can be considered ports on the service interface unit characterized by the unique MAC addresses of the attached customer equipment.
  • the service interface units 105-109 are connected by point-to-point links to access switches 110, 111, 112 in the network.
  • service interface unit 105 is coupled by links 105-1 and 105-2 to the access switch 110.
  • Service interface unit 105 is coupled by the link 105-3 to the access switch 111.
  • Service interface unit 106 is coupled by the link 106-1 to the access switch 110, and by link 106-2 to the access switch 111.
  • Service interface unit 107 is coupled by the link 107-1 to the access switch 111, and by the link 107-2 to the access switch 112.
  • Service interface unit 108 is coupled by the link 108-1 to the access switch 111, and by the link 108-2 to the access switch 112.
  • Service interface unit 109 is coupled by the link 109-1 and by the link 109-2 to the access switch 112.
  • the service interface units 105-109 are managed so that only one of the links between a service interface unit and an access switch in the network is active at any time.
  • a modified spanning tree protocol is utilized to select the active link, as described below.
  • the access switches 110-112 are coupled to interior switches of the metropolitan area network 115. Examples of preferred architectures of the interior switches are described with reference to FIGS. 21 and 22 below.
  • the security arrangements for the point-to-multipoint virtual channels are deployed in the access switches 110-112 via source address filtering based upon the unique MAC addresses of the demarcation points at service interface units in the network.
  • a point-to-multipoint channel is established between the link 101-1 at service interface unit 107 as the root R of the channel, and the links 100-1, 102-1, and 103-1 at the service interface units 105, 108 and 109, respectively, as the clients CL at leaves of the channel.
  • the access switches 110, 111, 112 are configured with source address filtering tables supporting the point-to-multipoint channels, according to Tables 3 and 4 below.
  • the access switches are configured so that client demarcation points, at links 100-1, 102-1 and 103-1 in this example, can only exchange packets on the network with the particular demarcation point, at link 101-1 in this example, designated as the root, and not with other client demarcation points; and so that the particular demarcation point can exchange packets, including multicast packets, on the network with the plurality of client demarcation points.
  • an access switch at a leaf that is actively attached to a client demarcation point, is configured to recognize addresses of the particular demarcation point and of the attached client demarcation point, for source address filtering.
  • the access switch at the leaf is configured to forward onto the network packets received on ports coupled to the client demarcation point carrying source addresses equal to the address of the client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the client demarcation point packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and a destination address equal to one of a multicast address, a broadcast address and the address of the client demarcation point, and to discard other packets.
  • an access switch at the root that is actively attached to the particular demarcation point, is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points for source address filtering.
  • the access switch at the root is configured to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets.
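The leaf and root filter rules just described (and their summary form earlier on this page) as a runnable model; this is an added example, not code from the patent or its assignee, and every MAC address in it is a constructed stand-in for the FIG. 2 links it is named after. Interior switches are modelled as flooding every frame to all access switches, which the patent says do not filter, so all isolation must come from the access-port rules.

```python
"""Access-switch filtering for a point-to-multipoint channel.

Added example, not code from the patent. It models the per-port filter
rules described for the access switch at each leaf and at the root, then
traces where a frame offered at one demarcation point can be delivered.
Interior switches are modelled as flooding every frame to all access
switches (the patent says they do not filter), so isolation must come from
the access-port filters alone. All MAC addresses are constructed values.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for broadcast or any Ethernet multicast (I/G bit of octet 0 set)."""
    return mac == BROADCAST or int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class LeafPortFilter:
    """Access port facing one client demarcation point (a leaf)."""

    def __init__(self, root_mac: str, client_mac: str) -> None:
        self.root_mac, self.client_mac = root_mac, client_mac

    def admit_from_client(self, f: Frame) -> bool:
        # Ingress from the client: its own source address only, destined to
        # the root or to a group address. Rejects spoofed sources and direct
        # client-to-client unicast before they enter the network.
        return f.src == self.client_mac and (
            is_group_address(f.dst) or f.dst == self.root_mac)

    def admit_from_network(self, f: Frame) -> bool:
        # Egress to the client: only frames the root sent, to this client or
        # to a group address. Another leaf's multicast is discarded here.
        return f.src == self.root_mac and (
            is_group_address(f.dst) or f.dst == self.client_mac)


class RootPortFilter:
    """Access port facing the particular demarcation point chosen as root."""

    def __init__(self, root_mac: str, client_macs: Iterable[str]) -> None:
        self.root_mac, self.client_macs = root_mac, frozenset(client_macs)

    def admit_from_root(self, f: Frame) -> bool:
        return f.src == self.root_mac and (
            is_group_address(f.dst) or f.dst in self.client_macs)

    def admit_from_network(self, f: Frame) -> bool:
        return f.src in self.client_macs and (
            is_group_address(f.dst) or f.dst == self.root_mac)


class P2MPChannel:
    def __init__(self, root_mac: str, client_macs: Iterable[str]) -> None:
        clients = tuple(client_macs)
        self.root_mac = root_mac
        self.root_port = RootPortFilter(root_mac, clients)
        self.leaf_ports = {c: LeafPortFilter(root_mac, c) for c in clients}

    def deliver(self, ingress_mac: str, f: Frame) -> FrozenSet[str]:
        """Demarcation points (by MAC) that receive f when it is offered at
        the demarcation point whose address is ingress_mac."""
        if ingress_mac == self.root_mac:
            admitted = self.root_port.admit_from_root(f)
        elif ingress_mac in self.leaf_ports:
            admitted = self.leaf_ports[ingress_mac].admit_from_client(f)
        else:
            admitted = False  # attachment that is not part of this channel
        if not admitted:
            return frozenset()
        receivers = set()
        if ingress_mac != self.root_mac and self.root_port.admit_from_network(f):
            receivers.add(self.root_mac)
        for mac, port in self.leaf_ports.items():
            if mac != ingress_mac and port.admit_from_network(f):
                receivers.add(mac)
        return frozenset(receivers)


# Constructed addresses standing in for the FIG. 2 example: root R at link
# 101-1, clients CL at links 100-1, 102-1 and 103-1.
ROOT = "02:00:00:00:01:01"
CL_100_1, CL_102_1, CL_103_1 = "02:00:00:00:00:01", "02:00:00:00:02:01", "02:00:00:00:03:01"
CHANNEL = P2MPChannel(ROOT, [CL_100_1, CL_102_1, CL_103_1])

if __name__ == "__main__":
    for at, f in [(ROOT, Frame(ROOT, BROADCAST)), (CL_100_1, Frame(CL_100_1, BROADCAST)),
                  (CL_100_1, Frame(CL_100_1, CL_102_1))]:
        print(f"{f.src} -> {f.dst} offered at {at}: reaches {sorted(CHANNEL.deliver(at, f))}")
```

Note that a client's broadcast is admitted onto the network by its own leaf switch but is only ever delivered to the root, because every other leaf's egress rule requires the root's source address.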
  • the generic Access Service is depicted in FIG. 3, including a demarcation device 200, a secure network switch 201 and customer-owned equipment 202.
  • a demarcation device 200 is always situated between customer-owned equipment and a secure MAN switch.
  • the demarcation device 200 connects to customer-owned equipment 202 through one or more service interfaces 203.
  • the demarcation device 200 converts between the physical layer of the drop 204 and that of the service interfaces 203.
  • the demarcation device 200 also performs surveillance and maintenance functions.
  • the drop 204 will typically use a fiber optic link with at least 1 Gbps bandwidth, although other transmission technologies may be used, e.g., high bandwidth wireless transmission.
  • the type of transmission used is transparent to the customer.
  • the service interface 203 is the point at which customer-owned equipment 202, typically an Internet Protocol (IP) or multiprotocol router, is attached. This interface 203 runs IP over 10/100/1000 Mbps Ethernet, for example, using either a copper or fiber physical layer. An auto-sensing 10/100 Ethernet service interface may also be used. Other higher speed Ethernet technologies could also be used.
  • ‘demarcation devices’ situated on individual customers' premises can provide for redundant connections to the rest of the network. Selection of one link in preference to another can be achieved by use of the spanning tree or a similar protocol. However, only traffic that is transmitted by or destined for a given customer is allowed to reach that customer's demarcation device (a packet switch). It is not desirable that a demarcation device act as a transit link in the network, ensuring full connectivity from one part of the network to another, either during a reconfiguration of the network or while the active topology is stable. Rather, the network should partition if there is no other connectivity between the two halves.
  • One embodiment of the secure MAN improves on this prior arrangement, while not allowing the demarcation device to participate in the active topology of the network, by choosing the active link from the demarcation device to the network on the basis of the spanning tree information received by the device, but not allowing it to forward or generate spanning tree information.
  • This arrangement protects against a failure in the network that causes the switch to which the demarcation device is connected to be separated from the main body of the network.
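A model of the demarcation device's link selection described here and in the summary earlier on this page, as an added example that is not the patent's or the assignee's code. The patent states only that the device selects its active link from received spanning tree information and never forwards or generates any; the concrete comparison rule (an 802.1D-style priority vector), the MAX_AGE timeout, and all bridge IDs, path costs and drop names are assumptions made for the example.

```python
"""Active-drop selection on a dual-homed demarcation device.

Added example, not the patent's own code. The device keeps the most recent
spanning tree information heard on each drop, picks one active drop from it,
and never relays or originates such information itself. The comparison rule
(802.1D-style: lowest root bridge ID, then lowest root path cost, then lowest
sending bridge ID), the MAX_AGE timeout, and all IDs, costs and drop names
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Bpdu:
    root_id: int         # bridge ID the sender believes is the network root
    root_path_cost: int  # sender's cost to that root
    sender_id: int       # bridge ID of the access switch that sent it

    def priority(self) -> Tuple[int, int, int]:
        return (self.root_id, self.root_path_cost, self.sender_id)


class DemarcationDevice:
    MAX_AGE = 20.0  # seconds without a BPDU before a drop is treated as dead

    def __init__(self, drops: List[str]) -> None:
        self._last: Dict[str, Optional[Tuple[Bpdu, float]]] = {d: None for d in drops}

    def receive_bpdu(self, drop: str, bpdu: Bpdu, now: float) -> None:
        """Record the latest BPDU heard on a drop; it is consumed, not relayed."""
        if drop not in self._last:
            raise KeyError(f"unknown drop {drop!r}")
        self._last[drop] = (bpdu, now)

    def outgoing_bpdus(self) -> List[Bpdu]:
        # The device neither originates nor forwards spanning tree information,
        # so it can never be chosen as a transit path between parts of the MAN.
        return []

    def live_drops(self, now: float) -> Dict[str, Bpdu]:
        live = {}
        for drop, entry in self._last.items():
            if entry is not None and now - entry[1] <= self.MAX_AGE:
                live[drop] = entry[0]
        return live

    def active_drop(self, now: float) -> Optional[str]:
        """The drop whose switch advertises the best path to the lowest root."""
        best = None
        for drop, bpdu in self.live_drops(now).items():
            key = bpdu.priority() + (drop,)  # drop name as the final tiebreak
            if best is None or key < best:
                best = key
        return None if best is None else best[-1]


def failover_scenario() -> List[Optional[str]]:
    """Constructed timeline for service interface unit 105 of FIG. 2, dual
    homed over drop 105-1 (to switch 110) and drop 105-3 (to switch 111).
    Bridge IDs 0x1000 (MAN root), 0x2110 and 0x2111 are invented."""
    dev = DemarcationDevice(["105-1", "105-3"])
    chosen = []
    # t=0: both switches reach the MAN root; 110 has the cheaper path.
    dev.receive_bpdu("105-1", Bpdu(0x1000, 10, 0x2110), now=0)
    dev.receive_bpdu("105-3", Bpdu(0x1000, 20, 0x2111), now=0)
    chosen.append(dev.active_drop(now=2))
    # t=30: switch 110 is cut off from the main body of the network and, as a
    # normal bridge would, starts advertising itself as root. The device moves
    # to the drop that still hears the real root.
    dev.receive_bpdu("105-1", Bpdu(0x2110, 0, 0x2110), now=30)
    dev.receive_bpdu("105-3", Bpdu(0x1000, 20, 0x2111), now=30)
    chosen.append(dev.active_drop(now=32))
    # t=45..52: 105-3 falls silent past MAX_AGE; the only live drop is used.
    dev.receive_bpdu("105-1", Bpdu(0x2110, 0, 0x2110), now=45)
    chosen.append(dev.active_drop(now=52))
    return chosen


if __name__ == "__main__":
    print(failover_scenario())
```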
  • FIG. 4 shows a basic single tenant access arrangement.
  • the customer-owned equipment 202 is located in a building solely occupied and controlled by the customer.
  • the demarcation device 200 is also located within the customer premises, as shown in FIG. 4.
  • the demarcation device 200 is dedicated to the customer.
  • the single tenant customer has several options for the use of multiple drops to improve service availability.
  • One option involves use of a Redundant Switch Access Service as shown in FIG. 5, in which a second drop 210 is connected from the demarcation device 200 to a different secure MAN switch 211. This is done to maximize diversity. A failure of a drop, the switch, or the switch port will result in data flowing over the drop being rerouted over the redundant drop in a very short time, e.g., less than 50 ms.
  • the drops will typically reside within the same physical path from the customer premises to the first splice point, at which point they will follow diverse physical paths.
  • Parallel Single Tenant Access Service is another alternative, as shown in FIG. 6.
  • drops 204 and 212 terminate on the same secure MAN switch 201.
  • the multiple drops 204, 212 can be used for load sharing, in that data can flow over the drops simultaneously.
  • if a drop fails, data flowing over it will be rerouted to the other drop in a very short time, e.g., less than 50 ms.
  • the drops will typically reside within the same physical path from the customer premises to the point-of-presence of the first secure MAN switch.
  • Another access service option is Fully Redundant Single Tenant Access Service, as illustrated in FIG. 7, including redundant demarcation devices 200, 220 and redundant switches 204, 221 with redundant drops 204, 222, 223, 224 for each demarcation device-access switch pair.
  • Fully Redundant Single Tenant Access Service protects against the same failures that Redundant Switch Single Tenant Access Service does and in addition protects against failure of a demarcation device and failure of the customer-owned equipment attached to a service interface.
  • Both service interfaces 203, 225 are activated for customer use, but the ability to use them simultaneously will depend on the details of the routing protocol being used by the customer. Similarly, the ability of the customer-owned equipment to detect a failure and start using a service interface on the other demarcation device will depend on the details of the routing protocol being used by the customer.
  • the drops will typically reside within the same fiber optic cable from the customer premises to the first splice point, at which point they will follow diverse physical paths.
  • Multi-Tenant Access is used as shown in FIG. 8.
  • Some secure MAN equipment will be in space not controlled by the customer.
  • the equipment could be in space leased from the landlord.
  • the demarcation devices 300, 301 reside within the space of the customers, and are coupled to switch 302, which may or may not be located at the customer premises.
  • demarcation devices 303, 304 are centrally located, and coupled to access switch 305, which may or may not be located at the customer premises.
  • each demarcation device is dedicated to a single customer.
  • the secure MAN services that a customer sees across the service interface are the same no matter which configuration is used.
  • Collocation Facility Access is like multi-tenant access.
  • the secure MAN service provider will have leased space in the facility in which the customer demarcation device is placed.
  • the preferred configuration for a collocation facility is shown in FIG. 10.
  • the demarcation device 320 is in the customer's rack 321 and dual connected back to different switches 322, 323 located in a secure MAN rack 324 at a collocation site. These connections are effected by Gigabit Ethernet multi-mode fiber cross-connects.
  • the customer-owned equipment connects to the demarcation device with the appropriate Ethernet cable. Additional customers may use the same collocation facility, as shown by demarcation device 326 in rack 325.
  • the customer may not want to accommodate the demarcation device in his or her rack space.
  • in that case, the configuration is that shown in FIG. 11.
  • the demarcation device 330 is in the secure MAN rack and is dual connected to the two switches 331, 332 in the rack.
  • the customer-owned equipment 333, 334 is connected to the demarcation device 330 via an appropriate Ethernet cross-connect. In large collocation facilities, this cross-connect will typically be multimode fiber.
  • a demarcation device 330 can be used to support multiple customers.
  • Virtual connection service provides the transfer of data between multiple service interfaces.
  • Three kinds of virtual connection services in this example include point-to-point, point-to-multipoint, and multipoint-to-multipoint.
  • IP packet delivered across a service interface is delivered to exactly one other service interface.
  • IP (Internet Protocol)
  • other higher layer protocols may be utilized for virtual connections of all types. This service is like a physical wire.
  • FIG. 12 shows an example of the use of point-to-point virtual connection services within the secure MAN network 350 .
  • a service interface for customer equipment 400 is connected by link 405 to a service interface for customer equipment 401 ;
  • a service interface for customer equipment 401 is connected by a link 406 to a service interface for customer equipment 402 ;
  • a service interface for customer equipment 402 is connected by a link 407 to a service interface for customer equipment 400 .
  • In multipoint-to-multipoint virtual connections, multiple service interfaces are interconnected.
  • a customer-owned equipment device attached to one of these interfaces can send IP packets to any of the other interfaces that have been assigned to the virtual connection service.
  • This service is similar to Frame Relay where multiple destinations, each specified by a DLCI value, can be reached via a single physical interface.
  • FIG. 13 shows an example of the use of a multipoint-to-multipoint virtual connection service.
  • a service interface for customer equipment 400 , a service interface for customer equipment 401 , and a service interface for customer equipment 403 are interconnected by a multipoint-to-multipoint link 410 within the secure MAN network 350 .
  • FIG. 14 illustrates a point-to-multipoint link 415 within the secure MAN network 350 .
  • a service interface coupled to customer owned equipment 401 is designated root of the point-to-multipoint link 415 .
  • Service interfaces coupled to the customer equipment 400 and 403 respectively are designated leaves of the point-to-multipoint link 415 .
  • a customer-owned equipment device 401 attached to the root interface can send IP packets to any of the leaf interfaces.
  • a customer-owned equipment device 400 , 403 attached to a leaf interface can only send IP packets to the root interface.
  • This service combines the logical addressing features of Frame Relay with the security features of a physical wire. The advantage to a service provider is that he can send packets to multiple subscribers securely while each subscriber is protected from deliberate or accidental transmission to the other subscribers.
  • FIG. 15 shows an example of virtual connection services connecting between tagged and non-tagged service interfaces.
  • customer equipment locations 500 , 501 and 502 are connected by the point-to-point virtual connections 505 , 506 , 507 and 508 within the secure MAN network 350 .
  • Customer equipment 501 has three non-tagged service interfaces 510 supporting three virtual connections 505 , 506 and 508 .
  • Customer equipment 501 includes service interface 511 which has three VLAN tags assigned to it, supporting virtual connections 505 , 506 and 507 .
  • Customer equipment 502 includes service interface 512 having two VLAN tags assigned to it, supporting virtual connections 507 and 508 .
  • a virtual connection service preferably has at least one bandwidth profile associated with it.
  • the amount of bandwidth is provisioned at the customer's request and the price of the virtual connection service will be related to the “size” of the profile and the degree that the customer's actual transmitted traffic conforms to the profile.
  • the customer receives a commitment on performance of the virtual connection service.
  • Virtual connection services can carry multiple classes of service.
  • the class of service for each packet is indicated by the DS byte in the IP header as per the DiffServ standard. See, [RFC2475] D. Black, S. Blake, M. Carlson, E. Davies, Z. Wang, and W. Weiss, “An Architecture for Differentiated Services”, Internet RFC 2475, December 1998; and [RFC2474] K. Nichols, S. Blake, F. Baker, and D. Black, “Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers”, Internet RFC 2474, December 1998.
  • Each class of service has a set of performance objectives that address topics such as availability, delay, and loss. The performance objectives only apply while the traffic being offered to the virtual connection service conforms to the bandwidth profile.
  • Virtual connection services can be automatically provisioned as described above. This allows a network manager to control secure MAN services, from his or her own workstation. For example, a new virtual connection service can be established or an existing one can be modified in this fashion. Logical provisioning is supported by actual allocation and configuration of the resources of the secure MAN. In this example, the allocation and configuration is accomplished as described below.
  • Virtual connections are established by Physical Layer (layer 1) and data link layer (layer 2) constructs.
  • Layer 1: Physical Layer
  • Layer 2: Data Link Layer
  • Two physical layers are available in this example for service interfaces.
  • the first is Fast Ethernet (100 Mb) as defined in IEEE Std. 802.3.
  • the second physical layer is Gigabit Ethernet (1 Gb) as defined in IEEE Std. 802.3.
  • Virtual connection service allows the exchange of IP packets among two or more service interfaces. Virtual connection services are established through the provisioning service. The wires are established at layer 2 using MAC addresses of the demarcation devices and VLAN tags.
  • the source and destination MAC addresses and the value of the DSCP in the IP header govern the handling of an IP packet submitted over a service interface. The details of this process are described in this section. Service performance objectives are also described in this section.
  • FIG. 16 illustrates the format of an IP packet as used in the secure MAN network of the present invention.
  • the packet includes a destination MAC address which is six bytes in length, a source MAC address 551 which is six bytes in length, a Type/Length field 552 which is two bytes in length, an IP packet payload 553 which is between 46 and 1500 bytes in length, and a frame check sequence field 554 which is four bytes in length.
  • Valid packets for the purposes of the secure MAN have a value of the Type/Length field greater than 0x5DC: 0x0800 designating an IP datagram, 0x0806 designating an Address Resolution Protocol packet, or 0x0835 designating a Reverse Address Resolution Protocol packet. If the value of the Type/Length field is not one of these values, the packet is not considered properly formatted in this example.
  • When a unicast MAC address is used in the destination MAC address field, it must be a globally administered MAC address for the packet to be considered properly formatted. Similarly, the unicast MAC address in the source MAC address field must be a globally administered MAC address for the packet to be considered properly formatted.
  • a packet sent from the customer-owned equipment to a non-tagged service interface with an IEEE 802.1Q tag is not properly formatted.
  • Tagged packets include in addition a VLAN tag field recognized in the network, for the packet to be considered valid.
  • the basic connectivity of all virtual connection services can be described as follows. If the customer-owned equipment sends an invalid packet, it is discarded. If the customer-owned equipment sends a valid packet, the service delivers the packet to the appropriate destination service interface(s) for the configured virtual connections identified by the packet addresses. Packets delivered to a destination service interface have the same format as that on the source service interface. In the case of a packet sent between non-tagged service interfaces, the contents of the delivered packet are unchanged.
  • For a packet to be delivered by the service, it must be properly formatted and have a recognized source MAC address. Such a packet is called a valid packet.
  • the secure MAN network discards all invalid packets sent across a service interface by customer-owned equipment.
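The formatting and validity rules above, applied to a raw frame laid out as in FIG. 16, as an added example (not code from the patent): the FCS is assumed already stripped, and every name, address and frame in it is constructed for illustration.

```python
"""Added example (not from the patent): applies the 'properly formatted' and
'valid packet' rules stated above to a raw Ethernet frame laid out as in
FIG. 16. The FCS is assumed to be stripped already, and every name, address
and frame below is constructed for illustration."""
import struct

TYPE_IP, TYPE_ARP, TYPE_RARP = 0x0800, 0x0806, 0x0835   # values as given above
VALID_TYPES = {TYPE_IP, TYPE_ARP, TYPE_RARP}
MAX_LENGTH_VALUE = 0x05DC     # Type/Length at or below this encodes a length
TPID_8021Q = 0x8100           # IEEE 802.1Q tag protocol identifier
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500


def is_group_address(mac: bytes) -> bool:
    """I/G bit of the first octet: set for multicast and broadcast."""
    return bool(mac[0] & 0x01)


def is_globally_administered(mac: bytes) -> bool:
    """U/L bit of the first octet clear means globally administered."""
    return not (mac[0] & 0x02)


def classify_frame(frame: bytes, tagged_interface: bool,
                   recognized_sources: set, recognized_vlans=frozenset()) -> str:
    """Return 'valid' or 'invalid: <reason>' for a frame sent by customer-owned
    equipment over a service interface; invalid frames are discarded."""
    if len(frame) < 14:
        return "invalid: truncated header"
    dst, src = frame[0:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    payload_start = 14
    if type_len == TPID_8021Q:
        # A tag is only acceptable on a tagged service interface, and the
        # VLAN it names must be one the network recognizes.
        if not tagged_interface:
            return "invalid: 802.1Q tag on non-tagged service interface"
        if len(frame) < 18:
            return "invalid: truncated tag"
        tci, type_len = struct.unpack("!HH", frame[14:18])
        if (tci & 0x0FFF) not in recognized_vlans:
            return "invalid: VLAN tag not recognized in the network"
        payload_start = 18
    if type_len <= MAX_LENGTH_VALUE or type_len not in VALID_TYPES:
        return "invalid: Type/Length 0x%04X is not IP, ARP or RARP" % type_len
    if is_group_address(src) or not is_globally_administered(src):
        return "invalid: source MAC is not a globally administered unicast address"
    if not is_group_address(dst) and not is_globally_administered(dst):
        return "invalid: unicast destination MAC is locally administered"
    payload_len = len(frame) - payload_start
    if not MIN_PAYLOAD <= payload_len <= MAX_PAYLOAD:
        return "invalid: payload of %d bytes outside 46..1500" % payload_len
    # Properly formatted; it is a valid packet only if the source address is
    # recognized (dynamic or latched) at this service interface.
    if src not in recognized_sources:
        return "invalid: source MAC not recognized at this service interface"
    return "valid"


def build_frame(dst: bytes, src: bytes, type_len: int, payload: bytes,
                vlan=None) -> bytes:
    """Construct a test frame without FCS (constructed data only)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", type_len) + payload


# Constructed addresses and payload for the demonstration.
ROUTER_MAC = bytes.fromhex("001122334455")   # globally administered unicast
LOCAL_MAC = bytes.fromhex("021122334455")    # U/L bit set: locally administered
BROADCAST = b"\xff" * 6
IP_PAYLOAD = b"\x45" + b"\x00" * 59          # 60-byte placeholder IP datagram
RECOGNIZED = {ROUTER_MAC}

if __name__ == "__main__":
    frame = build_frame(BROADCAST, ROUTER_MAC, TYPE_ARP, IP_PAYLOAD)
    print(classify_frame(frame, False, RECOGNIZED))      # valid
    print(classify_frame(frame, False, set()))           # source MAC not recognized
    tagged = build_frame(BROADCAST, ROUTER_MAC, TYPE_IP, IP_PAYLOAD, vlan=27)
    print(classify_frame(tagged, False, RECOGNIZED))     # tag on non-tagged interface
```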
  • a MAC address becomes recognized in one of two ways: using dynamic source MAC address or latched source MAC address processes. Each technique is described in the following sections.
  • the secure MAN network observes the source MAC address being used at the service interface.
  • packets carrying the MAC address, either as source or destination, will be discarded for a period of time not to exceed 5 seconds, for example. This is done to allow the secure MAN to make security checks and ensure the uniqueness of the MAC address. If the new MAC address is already being recognized at another service interface, the resolution is as described below.
  • the service interface is declared to be in the “Onlooker” state.
  • the use of the Onlooker state is to prevent a repeater hub from being attached to a service interface with more than one customer-owned equipment attached. While the service interface is in this state, all packets sent to and from the service interface are discarded. The state is maintained until a MAC address remains continuously recognized for 5 minutes.
  • the recognized MAC address becomes unrecognized if the customer-owned equipment disconnects from the service interface.
  • a MAC address can become latched in two ways. In the first method, the customer uses the provisioning system to latch the currently recognized MAC address. In the second method, the customer uses the provisioning system to put the service interface in “latched” mode. Then the source MAC address in the next properly formatted packet becomes the recognized and latched MAC address for the service interface provided it is unique across all service interfaces within the metropolitan area. If the new source MAC address is already being recognized at another service interface, the conflict is resolved as described below.
  • the MAC address remains recognized at the old service interface.
  • the MAC address will be recognized at either the new or old service interface.
  • the system also checks for duplicate MAC addresses across metropolitan areas. However, this need not be done in real time. Furthermore, if a conflict is discovered across metropolitan areas, the customers involved will be notified. This will be done by notifying the contacts for the service interfaces as defined in the account provisioned for the service interface. The MAC addresses involved will continue to be recognized thus connectivity will not be impacted.
  • each service interface is designated as the Root while each remaining service interface is designated as a Leaf.
  • the rules for delivery and discard for packets sourced at the Root are detailed in Table 3.
  • the rules for delivery and discard for packets sourced at a Leaf are laid out in Table 4.
  • TABLE 3. Delivery and discard rules for packets sourced at the Root service interface:
    Source MAC address | Destination MAC address | Result
    Unrecognized, or recognized at other than the Root service interface | Any | Discard
    Recognized at Root service interface | Unicast and not recognized at a Leaf service interface | Discard
    Recognized at Root service interface | Unicast and recognized at a Leaf service interface | Deliver to the Leaf service interface
    Recognized at Root service interface | Multicast | Deliver to all Leaf service interfaces
    Recognized at Root service interface | Broadcast | Deliver to all Leaf service interfaces
  • Virtual connection service treats packets with different classes of service differently. The net effect is that the performance objectives vary by class of service.
  • a service interface can be configured such that all packets transmitted from the customer-owned equipment are treated with a specified class of service.
  • the Differentiated Services byte (DS byte) in the IP header identifies the class of service for a packet.
  • class of service examples include standard data service and expedited service.
  • Standard data service is the service that gives the lowest level of performance and corresponds to what is currently available in IP networks.
  • the value 00000000 binary identifies fast data service. This is also the default Class of Service.
  • Expedited service has significantly better performance objectives than fast data service.
  • the values of the DS Byte for this class are 10111000 (binary) and 10100000 (binary).
  • Additional classes of service and unrecognized DSCPs may also be provided for in the secure MAN.
  • Bandwidth profile is one parameter which may be associated with a virtual connection, or with other aspects of an account in the provisioning system.
  • a bandwidth profile denoted BW(A, B) is based on two parameters:
  • the bandwidth profile can be thought of as a token bucket. Every millisecond, tokens, each representing a byte, are added to the bucket at a rate equal to the average bandwidth. Each time a packet is received, tokens equal to the length of the packet are removed from the bucket. An arriving packet is conforming if the bucket contains at least the length of the packet in tokens.
  • Point-to-point virtual connections carry unicast IP packets sent from one routed point and addressed to the other routed point; these are delivered to the other routed point, as are broadcast and multicast packets. Non-IP packets are discarded by this example service. It is envisioned that IP technology and services will evolve with time without departing from the present invention.
  • Network Zones are defined in order to optimize VLAN broadcast/multicast containment. Demarcation devices are grouped within Network Zones. Typically, the grouping will correspond to geographic location, but this is not a requirement.
  • To assign a VLAN ID to a virtual connection, the Network Zones in which the endpoints of the virtual connection reside are identified. It is determined whether both endpoints are in the same zone or not. Each Network Zone in a metro area has some number, say 50, VLANs assigned to it. Some of the assigned VLANs, say 25 VLANs, are designated as IntraZone VLANs and are used for point-to-point virtual connections that originate and terminate in the same zone. The others of the assigned VLANs are designated as InterZone VLANs and are used for point-to-point virtual connections that span multiple zones. VLANs must be assigned such that no two virtual connections configured in any one demarcation device use the same VLAN id. Otherwise, cross talk between the two virtual connections will occur.
  • VLAN assignments can be maintained in a table in order to satisfy the requirements for mutual exclusion and network optimization.
  • Table 6 is illustrative of VLAN assignment maintenance:
    TABLE 6
    VLAN id | Metro Area id | Virtual connection id | Demarcation id
    2  | 10 | LW0001 | D0001
    2  | 10 | LW0001 | D0002
    27 | 10 | LW0002 | D0001
    27 | 10 | LW0002 | D0005
    52 | 10 | LW0003 | D0001
    52 | 10 | LW0003 | D0004
  • D1 and D2 denote the demarcation devices corresponding to the first and second endpoints specified in a point-to-point provisioning request, respectively.
  • the VLAN ID will be assigned from the range of IDs assigned to the Zone for IntraZone use.
  • the starting value of the range is computed from the following formula, where Network Zone Number is a unique number assigned to the Network Zone in a metropolitan area:
  • Vid_Min (IntraZone virtual connection) = ((Network Zone Number − 1) MODULO 20) * 50 + 2
  • Service center IDs may be assigned sequentially in a metro area starting with 1. This makes the maintenance and calculations easy. If not assigned sequentially, a mapping table is created that maps a service center ID to a VLAN ID address space.
  • Within that VLAN ID range, the lowest VLAN ID that is not in use on D1 and not in use on D2 is used.
  • The VLAN ID value for an IntraZone point-to-point virtual connection is Vid_Min + 25.
  • D1 and D2 denote the demarcation devices corresponding to the first and second endpoints specified in a point-to-point provisioning request, respectively.
  • a VLAN ID will be selected from the least used range of the two participating Zones.
  • the starting values of the ranges associated with D1 and D2 are computed from the following formulas:
  • Vid_Min_D1 (InterZone virtual connection) = ((Network Zone Number(D1) − 1) MODULO 20) * 50 + 27
  • Vid_Min_D2 (InterZone virtual connection) = ((Network Zone Number(D2) − 1) MODULO 20) * 50 + 27
  • From the two possible VLAN ID values, choose the lowest ID with respect to the start of its range. For example, if the computed Vid_Min_D1 value is 27, with 27-30 in use on D1, and Vid_Min_D2 is 127, with 127-128 in use, VLAN ID 129 will be assigned, since its offset from 127 (2) is lower than the offset of ID 31 from 27 (4).
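The IntraZone and InterZone VLAN ID selection described above, carried through with the page's formulas and worked figures, as an added example (not the patent's own code). The function names, the range sizes derived from "50 VLANs per zone, 25 IntraZone", and the per-device bookkeeping of VLAN IDs already in use are assumptions.

```python
"""Added example (not from the patent): the IntraZone/InterZone VLAN ID
selection described above, using the page's formulas and its worked figures.
The function names, the range sizes derived from '50 VLANs per zone, 25
IntraZone' and the 'used VLAN' bookkeeping per demarcation device are
assumptions."""

VLANS_PER_ZONE = 50
INTRAZONE_COUNT = 25           # IntraZone IDs: Vid_Min .. Vid_Min + 24
INTERZONE_COUNT = VLANS_PER_ZONE - INTRAZONE_COUNT   # the remaining 25 IDs
ZONE_WRAP = 20                 # "(Network Zone Number - 1) MODULO 20"


def vid_min_intrazone(zone_number: int) -> int:
    """Vid_Min for IntraZone virtual connections in the given Network Zone."""
    return ((zone_number - 1) % ZONE_WRAP) * VLANS_PER_ZONE + 2


def vid_min_interzone(zone_number: int) -> int:
    """Vid_Min_Dn for InterZone virtual connections: IntraZone start + 25."""
    return ((zone_number - 1) % ZONE_WRAP) * VLANS_PER_ZONE + 27


def lowest_free(start: int, count: int, used: set):
    """Lowest ID in [start, start + count) not present in 'used', else None."""
    for vid in range(start, start + count):
        if vid not in used:
            return vid
    return None


def assign_intrazone(zone: int, used_d1: set, used_d2: set):
    """Both endpoints in one zone: the lowest IntraZone ID that is free on
    both demarcation devices (no two connections on a device share an ID)."""
    return lowest_free(vid_min_intrazone(zone), INTRAZONE_COUNT, used_d1 | used_d2)


def assign_interzone(zone_d1: int, used_d1: set, zone_d2: int, used_d2: set):
    """Endpoints in different zones: take the lowest free ID from each zone's
    InterZone range and keep the one with the smaller offset from its Vid_Min.
    The ID must be free on both devices since it is configured on both
    (assumption); ties go to the lower absolute ID (assumption)."""
    used = used_d1 | used_d2
    candidates = []
    for zone in (zone_d1, zone_d2):
        start = vid_min_interzone(zone)
        vid = lowest_free(start, INTERZONE_COUNT, used)
        if vid is not None:
            candidates.append((vid - start, vid))
    if not candidates:
        return None               # both InterZone ranges exhausted
    return min(candidates)[1]


if __name__ == "__main__":
    # Worked figures from the text: Vid_Min_D1 = 27 with 27-30 in use,
    # Vid_Min_D2 = 127 with 127-128 in use; expect 129 (offset 2 beats 4).
    print(assign_interzone(1, {27, 28, 29, 30}, 3, {127, 128}))   # 129
    print(assign_intrazone(1, set(), set()))                      # 2
```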
  • Selected VLAN is configured on identified demarcation devices; identified service interfaces are configured in the new VLAN. Service interfaces are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged). Network ports (towards secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through.
  • a selected VLAN is configured on identified POP switches (if not already configured).
  • the access port on the POP switch connected to the identified demarcation device is configured in the selected VLAN allowing only tagged frames in and out of the port. If the POP switch supports the Generic VLAN Registration Protocol (GVRP), the upstream port(s) will propagate this VLAN to local switches. Upstream switches will propagate this VLAN in other parts of the network. The upstream ports (from the POP switch) will also process the incoming GVRP requests.
  • VLANs are configured manually on all switches and ports in the path between the endpoints of the virtual connection (including redundant paths).
  • By manual configuration it is meant that the configuration files are not self-propagating, as in a protocol like GVRP, but require some user intervention to set up and/or modify across the network.
  • Security filters are configured as part of the process of provisioning virtual connections.
  • The customer endpoint demarcation device MAC address:
  • the MAC address is configured in a source address filter on the access port on the POP switch. This filter forces packets out of the port coupled to a customer access point (if on the same POP switch) or network port (if not on the same POP switch).
  • This source address filter is also configured on the network port of the other POP switch (connected to other endpoint of virtual connection, if required) forcing packets out of the correct access port.
  • Examples of secure MAN configurations for point-to-point virtual connections are given in FIGS. 17-20.
  • FIG. 17 illustrates a secure MAN arranged in one example configuration.
  • the secure MAN includes a plurality of demarcation devices, in this example demarcation devices 600 , 601 , 602 and 603 are illustrated.
  • the demarcation devices are connected to point of presence POP switches in the secure MAN.
  • the demarcation devices 600 , 601 are coupled to the POP switch 605 across lines 606 and 607 respectively.
  • Demarcation device 602 is coupled to POP switch 608 across line 609 .
  • Demarcation device 603 is coupled to POP switch 610 across line 611 .
  • the POP switches 604 , 608 , 610 are connected to local layer 2 switches 614 and 612 .
  • Switches 613 , 612 , 614 , 605 , 608 , 610 may be in collocation sites.
  • the hierarchy illustrated in FIG. 17 is merely one example.
  • a wide variety of architectures for the switches could be utilized according to the present invention.
  • a regional switch may also act as a POP switch, and local switches may not be used.
  • redundancy is omitted from the example, although such redundancy would be implemented in many instances of the invention.
  • Virtual connection V 1 is a point-to-point channel between the service interface R 1 on demarcation device 600 and R 3 on demarcation device 601 .
  • the virtual connection V 2 is a point-to-point channel between the service interface R 2 on demarcation device 600 , and the service interface R 4 on demarcation device 602 .
  • Each of the layer 2 switches in the network illustrated can be implemented using a basic layer 2 architecture such as that illustrated in connection with the POP switch 605 .
  • Each port of the switch includes a source address and destination address filter 620 .
  • a VLAN filter 621 associated with the switch 605 .
  • the demarcation devices 600 - 603 include client side ports, such as the ports R 1 through R 4 , and one or more service access ports, such as the port coupled to line 606 .
  • the client side ports receive layer 2 packets carrying source and destination addresses followed by a Type field and an Internet Protocol payload, as is well known in the art.
  • a VLAN tag is added to the frame, to associate the tag with a virtual connection.
  • the demarcation device 600 sends a frame from port R 1 out on line 606 and carrying the VLAN tag V 1 .
  • the source/destination address filters (e.g. 620 ) in the switch 605 are configured to recognize the source and destination addresses of the frame.
  • the frame will be accepted in the switch at the port only if it has a recognized source address on that port.
  • the VLAN filter 621 on the switch 605 will identify the outgoing ports on the switch 605 which are configured to receive the packet carrying that VLAN tag and that source address.
  • a port coupled to line 620 passes the packet received from the port R 1 on line 620 to the local layer 2 switch 614 .
  • the port coupled to line 607 passes the packet carrying the VLAN tag V 1 towards the port R 3 .
  • the VLAN filter 621 recognizes the packet as a member of the virtual connection V 1 , and allows it to be sent outgoing on the port coupled to line 620 and on the port coupled line 607 .
  • the source and destination address filter 620 accepts the packet at switch 605 .
  • the VLAN filter 621 limits the outgoing path for the packet to the port connected to line 620 .
  • the packet is forwarded up the tree towards the local layer 2 switch 614 .
  • Layer 2 switch 614 allows the packet to be transmitted only on line 625 to the POP layer 2 switch 608 .
  • V 1 and V 2 never cross the Network Zone 1 boundary above local switch 1 .
  • the upstream port on local switch 1 is not a member of V 1 or V 2 . Therefore packets in V 1 and V 2 are not forwarded by local switch 1 on its upstream port to the regional switch.
  • source address filters ensure delivery of packets to only the correct recipient.
  • In FIG. 18, the network switch and access point configuration and VLAN ID assignment remain the same. However, a point-to-point virtual connection is provisioned between R 1 and R 3 in the Network Zone served by local switch 614 while another virtual connection is provisioned between R 2 and R 5 served by local switch 614 and local switch 612 respectively, and thus across Network Zones. For simplicity, redundancy is omitted. VLAN ID V 26 is selected for the non-local virtual connection from R 2 to R 5 .
  • VLAN 26 crosses the Network Zone boundary. Local VLANs in Network Zone 1 remain local. Local switch 1 propagates V 26 to its upstream regional switch, thus creating a forwarding path across the regional switch 613 to local switch 612 and demarcation device 603 .
  • packets from the port connected to R 1 in the virtual connection V 1 are accepted in the source and destination address filter 620 of POP switch 605 and allowed to pass on the port connected to line 623 up to the layer 2 switch 614 .
  • the packets are blocked by the VLAN filter 621 on the other ports of the POP switch 605 .
  • the packet from a virtual connection V 1 is allowed out on the port coupled to line 625 , and not on other ports.
  • the packet in the virtual connection V 1 is allowed out on the line 609 to the demarcation device 602 , and onto the destination R 3 . Similar filtering occurs in the reverse direction from the end station R 3 to the end station R 1 .
  • Packets within the virtual connection V 26 are allowed into the switch 605 , and propagated to the switch 614 .
  • packets for virtual connection V 26 are passed up to the switch 613 , where they are propagated through switch 612 and switch 610 and onto the demarcation device 603 where they are delivered to the destination R 5 .
  • the logical construct of network zones being defined by a layer of switches in a network, such as the switches 614 and 612 in this example, can be used for the management of the VLAN IDs, and other network addressing functions. In some embodiments of the network, no such network zone logical construct is necessary.
  • a unicast IP packet injected by the root node and destined to one of the leaf nodes is delivered to the leaf node while a multicast/broadcast packet is delivered to all leaf nodes.
  • Unicast, multicast, and broadcast packets injected by a leaf node and destined to the root node are delivered to the root node. No packets from one leaf node are delivered to another leaf node, though.
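The delivery and discard decision for a point-to-multipoint virtual connection, applying Table 3 above for packets sourced at the Root and the Leaf rules just stated, as an added example that is not the patent's own code. The class, the interface names and the recognized-address bookkeeping are constructed; discarding a Leaf-sourced unicast whose destination is not the Root's recognized address is an assumption by analogy with Table 3.

```python
"""Added example (not from the patent): the delivery/discard decision for a
point-to-multipoint virtual connection, applying Table 3 for Root-sourced
packets and the Leaf rules stated above. The class, the interface names and
the recognized-address bookkeeping are constructed; discarding a Leaf-sourced
unicast to an address other than the Root's is an assumption by analogy."""

BROADCAST = b"\xff" * 6


def is_group_address(mac: bytes) -> bool:
    """I/G bit set: multicast or broadcast destination."""
    return bool(mac[0] & 0x01)


class PointToMultipoint:
    """One point-to-multipoint virtual connection with one Root and N Leaves."""

    def __init__(self, root: str, leaves):
        self.root = root
        self.leaves = frozenset(leaves)
        self.recognized = {}       # MAC address -> service interface where recognized

    def recognize(self, interface: str, mac: bytes) -> None:
        """Record the (dynamic or latched) recognized source MAC of an interface."""
        self.recognized[mac] = interface

    def deliver(self, ingress: str, src: bytes, dst: bytes) -> frozenset:
        """Service interfaces that receive the packet; empty set means discard."""
        # First row of Table 3 (and the same rule for Leaves): a source that is
        # unrecognized, or recognized at a different interface, is discarded.
        if self.recognized.get(src) != ingress:
            return frozenset()
        if ingress == self.root:
            if is_group_address(dst):              # multicast or broadcast
                return self.leaves                 # deliver to all Leaves
            target = self.recognized.get(dst)
            if target in self.leaves:              # unicast, recognized at a Leaf
                return frozenset({target})
            return frozenset()                     # unicast, not recognized at a Leaf
        if ingress in self.leaves:
            # Leaf-sourced traffic reaches the Root only; never another Leaf.
            if is_group_address(dst) or self.recognized.get(dst) == self.root:
                return frozenset({self.root})
            return frozenset()
        return frozenset()                         # not a member of this connection


# Constructed demonstration: R2 is the Root, R1 and R4 are Leaves (as in FIG. 19).
ROOT_MAC, LEAF1_MAC, LEAF4_MAC = (bytes.fromhex("00000000a0%02x" % i) for i in (2, 1, 4))
pm = PointToMultipoint("R2", ["R1", "R4"])
pm.recognize("R2", ROOT_MAC)
pm.recognize("R1", LEAF1_MAC)
pm.recognize("R4", LEAF4_MAC)

if __name__ == "__main__":
    print(sorted(pm.deliver("R2", ROOT_MAC, BROADCAST)))   # ['R1', 'R4']
    print(pm.deliver("R1", LEAF1_MAC, LEAF4_MAC))          # frozenset(): leaf to leaf blocked
    print(pm.deliver("R1", ROOT_MAC, LEAF4_MAC))           # frozenset(): root address spoofed at a leaf
```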
  • a separate VLAN is used for each point-to-multipoint virtual connection.
  • the lowest VLAN ID available in the range assigned to point-to-multipoint virtual connection is used to provision this virtual connection.
  • the selected VLAN is configured on the demarcation devices necessary to support the virtual connection; identified service interfaces are configured in the new VLAN.
  • Service interfaces on the customer side are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged).
  • Network ports (towards the secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through.
  • the selected VLAN is configured on the POP switch (if not already configured).
  • the access port on POP switch connected to the demarcation device is also configured in the selected VLAN allowing only tagged frames in and out of the port. If the POP switch supports GVRP, the upstream port(s) will propagate this VLAN to other parts of the network. The upstream ports will also process the incoming GVRP requests.
  • VLANs are configured manually on all switches and ports in the path between the root node and each leaf node on the virtual connection (including the redundant paths).
  • FIG. 19 shows the same network switch configuration as FIGS. 17 and 18.
  • the MAC address is configured in a source address filter on the access port on POP switch 610 (leading to the root node) allowing packets to be forwarded.
  • a source address filter is configured on the leaf node port on the POP switch forcing packets to egress from the port leading to the root node.
  • a VLAN filter and/or a source address filter (with the leaf node's address) on the network port of the root POP switch 603 is/are configured, allowing packets to egress from the port leading to the root node 615 .
  • a source address filter (with the leaf node's address) on the access port is configured, allowing packets out of the network port.
  • a source address filter (with root node's address) on the network port of the same POP switch and/or a VLAN filter also allows the packets to egress from the correct leaf node port.
  • FIG. 19 shows a point-to-multipoint virtual connection from R 2 to R 1 and R 4 .
  • the VLAN V 1 crosses those branches that lead to member ports (root/leaf nodes).
  • Security source address filters on POP switches ensure that the root node can reach all the leaf nodes (R 1 , R 4 ) while leaf nodes (R 1 , R 4 ) can only reach the root node (R 2 ).
  • a multipoint-to-multipoint virtual connection is used to connect multiple routed points together and is especially useful to extend a campus LAN (minus bridging over the secure MAN network).
  • the definition and implementation is described below for one embodiment.
  • a unicast IP packet injected by a member and destined to one of the other members is delivered to the other member while a multicast/broadcast packet is delivered to all the members.
  • a separate VLAN is used for each multipoint-to-multipoint virtual connection.
  • the highest VLAN ID available in the range assigned to multipoint-to-multipoint virtual connection is used to provision this virtual connection. Selecting the highest available VLAN ID for a multipoint-to-multipoint virtual connection makes point-to-multipoint and multipoint-to-multipoint virtual connections consume VLAN IDs from opposite sides. Based on the customer demand, one type of virtual connections may consume more VLAN IDs than the other. If all the available VLAN IDs are consumed, they wrap around and start sharing already used VLAN IDs. It stretches the broadcast domain, but does not affect the service availability or security of secure MAN service.
  • the selected VLAN is configured on demarcation devices; identified service interfaces are configured in the new VLAN. Service interfaces are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged). Network ports (towards the secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through.
  • the selected VLAN is configured on the POP switch (if not already configured).
  • the access port on the POP switch connected to the demarcation device is also configured in the selected VLAN allowing only tagged frames in and out of the port. If the POP switch supports GVRP, the upstream port(s) will propagate this VLAN to other parts of the network. The upstream ports will also process the incoming GVRP requests.
  • VLANs are configured manually on all switches and ports in the path between all pairs of members on the virtual connection (including redundant paths).
  • Configuration of source address security filters can be understood with reference to the example in FIG. 20.
  • the endpoint R 1 is identified by its address, e.g., the router MAC address.
  • that MAC address is configured in a source address filter 620 on the access port on the POP switch 605 .
  • a source filter is also configured on the network port of those POP switches 608 , 610 that lead to other member nodes on this virtual connection. This filter along with MAC address lookup on the egress POP switch will correctly deliver the unicast packets to the correct member node and multicast/broadcast packets to all member nodes on that switch.
  • FIG. 20 shows a multipoint-to-multipoint virtual connection among R 1 , R 2 , and R 4 .
  • the assigned VLAN V 1 is configured in the VLAN filters 621 , to reach all member nodes while source address security filters on POP switches 605 , 608 , 610 allow any member to talk to any other member.
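The VLAN ID selection described above (point-to-multipoint connections consuming IDs from the low end of the shared range, multipoint-to-multipoint connections from the high end, and sharing of already used IDs once the range is exhausted) can be modelled with the following allocator. This is an added example, not code from the patent or its assignee; the range bounds are constructed, and the rule for which already used ID is shared on wrap-around (the least-shared ID scanned from the requesting service type's own end) is an assumption, since the text does not specify it.

```python
"""Shared VLAN ID pool allocated from opposite ends by service type.

Added example, not from the patent. Point-to-multipoint ("p2mp") virtual
connections take the lowest free VLAN ID and multipoint-to-multipoint ("m2m")
connections take the highest, so the two service types only collide once the
whole range is used up. Which used ID is then shared is an assumption: the
least-shared one, scanned from the requesting type's own end of the range.
"""
from collections import Counter


class VlanPool:
    def __init__(self, low, high):
        if low > high or low < 1 or high > 4094:
            raise ValueError("VLAN range must lie within 1..4094")
        self.low, self.high = low, high
        # vlan id -> number of virtual connections currently provisioned on it
        self.users = Counter()

    def _scan_order(self, kind):
        if kind == "p2mp":
            return range(self.low, self.high + 1)        # low end upwards
        if kind == "m2m":
            return range(self.high, self.low - 1, -1)    # high end downwards
        raise ValueError(f"unknown virtual connection type: {kind}")

    def allocate(self, kind):
        """Return the VLAN ID to provision for a new virtual connection."""
        order = self._scan_order(kind)
        free = [v for v in order if self.users[v] == 0]
        if free:
            vid = free[0]
        else:
            # Range exhausted: wrap around and share the least-loaded ID,
            # taking the first such ID from this type's own end (assumption).
            vid = min(order, key=lambda v: self.users[v])
        self.users[vid] += 1
        return vid

    def release(self, vid):
        """Tear down one virtual connection using this VLAN ID."""
        if self.users[vid] == 0:
            raise KeyError(f"VLAN {vid} is not allocated")
        self.users[vid] -= 1

    def shared_ids(self):
        """IDs carrying more than one virtual connection (stretched broadcast domains)."""
        return sorted(v for v, n in self.users.items() if n > 1)


if __name__ == "__main__":
    pool = VlanPool(100, 103)   # constructed four-ID range to force wrap-around quickly
    for kind in ("p2mp", "m2m", "p2mp", "m2m", "p2mp", "m2m"):
        print(kind, "->", pool.allocate(kind))
    print("shared:", pool.shared_ids())
```

`shared_ids()` is the operational check a provisioning system would want after wrap-around: those are the VLANs whose broadcast domain now spans more than one virtual connection, which the text notes is tolerable because isolation is enforced by the source address filters rather than by the VLAN alone.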
  • FIG. 21 shows a spanning tree configuration for interior switches according to a preferred embodiment.
  • the solid filled circles on the switches correspond to designated ports according to the Spanning Tree Protocol.
  • the unfilled circles on the switches correspond to root ports, and the ports marked by parallel lines crossing the link are alternate ports in a blocking mode.
  • the root of the tree is switch P 1 .
  • Switch P 1 has designated ports coupled via links 1 - 2 , 2 - 1 , 1 - 3 , and 5 - 1 , to root ports on switches P 2 , P 2 , P 3 , and P 5 , respectively. Also, it includes a designated port coupled via an internal link to an alternate port on switch P 8 .
  • Switch P 2 has designated ports coupled to root ports via links 6 - 2 and 2 - 4 on switches P 6 and P 4 , respectively. Also, a designated port on switch P 2 is coupled to an alternate port on switch P 7 .
  • Switch P 3 has a designated port coupled via link 3 - 7 to a root port on switch P 7 . Also, a designated port on switch P 3 is coupled via an internal link to an alternate port on switch P 6 .
  • a designated port on switch P 4 is coupled via link 4 - 8 to a root port on switch P 8 . Also a designated port on switch P 4 is coupled via an internal link to an alternate port on switch P 5 .
  • FIG. 22 illustrates a fiber ring network extending around a path of about 20 miles, which is made of bundles of fibers laid in right of ways within a metropolitan area. Segments of the ring are logically partitioned as segments of an ethernet network, configured as a tree, rather than a ring, illustrating a layout according to the present invention other than the cross-connected broken ring. Switches in the tree comprise standard 100 Megabit, Gigabit or higher ethernet switches configured according to the Spanning Tree Protocol, or variations of the Spanning Tree Protocol.
  • switch P 1 is a root of the tree, labeled P 1 , 0 , P 1 to indicate that the root of the tree is P 1 , the distance to the root is 0, and the upstream (toward the root) switch is P 1 .
  • the interconnection of the tree can be understood by the upstream links for the switches. Thus there are no upstream links from switch P 1 .
  • Switch P 2 (P 1 , 1 , P 1 ) is connected by fibers F 1 and F 2 to switch P 1 .
  • Switch P 3 (P 1 , 2 , P 2 ) is connected by fiber F 7 to switch P 2 .
  • Fibers I 1 and I 2 are configured as backup links to switch P 1 from switch P 3 .
  • Switch P 4 is connected by fibers F 3 and F 4 to switch P 1 .
  • Fibers I 3 and I 4 are connected as backup links to switch P 2 from switch P 4 .
  • Switch P 5 is connected by fibers F 5 and F 6 to switch P 1 .
  • Fiber F 8 is connected as a backup link from switch P 5 to switch P 2 .
  • Switch P 6 is connected by fibers F 9 and F 10 to switch P 2 .
  • Fiber F 12 is a backup link from switch P 6 to switch P 5 .
  • Switch P 7 is connected by fiber F 11 to switch P 3 .
  • Fibers I 5 and I 6 act as backup links to switch P 5 from switch P 7 .
  • Switch P 8 is connected by fiber F 13 to switch P 5 .
  • Fibers I 7 and I 8 are connected as backup links from switch P 8 to switch P 6 .
  • the fibers F 1 to F 13 and I 1 to I 8 comprise dark fibers in the fiber ring, which have been partitioned as point to point fiber segments in the tree as shown.
  • fiber of a single ring can be re-used spatially. That is, segments of a single ring can be used independently for point-to-point links in the tree.

Abstract

A point to multipoint communication channel in a metropolitan area network among a plurality of demarcation points having unique addresses is provided, which includes identifying a particular demarcation point as a root of the channel, and a plurality of client demarcation points as leaves of the channel; and configuring so that client demarcation points can only exchange packets with the root demarcation point, and not with other client demarcation points; and so that the root demarcation point can exchange packets with the plurality of client demarcation points. The channel is managed using source address filtering at switches on the leaves of the channel and a switch at the root of the channel.

Description

    PROVISIONAL APPLICATION DATA
  • The present application claims the benefit under 35 U.S.C. §111(b) and 35 U.S.C. §119(e) of the provisional application No. 60/186,470, filed Mar. 2, 2000, entitled BROADBAND SERVICE NETWORK AND E-COMMERCE PROVISIONING SYSTEM, naming inventors Michael Seaman, Vipin Jain, Gary Jaszewski, Bob Klessig, Peter Van Peenen, and David Braginsky. [0001]
  • CONTINUING APPLICATION DATA
  • The present application is a continuation-in-part of co-pending U.S. patent application Ser. No. 09/634,566, filed: Aug. 9, 2000, entitled E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which is incorporated by reference as if fully set forth herein.[0002]
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention [0003]
  • The present invention relates to broadband communication services, and more particularly to configuration of metropolitan area communication networks supporting secure point-to-multipoint channels. [0004]
  • 2. Description of Related Art [0005]
  • A point-to-multipoint connection is used to connect one routed point to many routed points and is especially useful to deliver services to multiple customers simultaneously while maintaining isolation among customers themselves. [0006]
  • In a metropolitan area, high bandwidth communication services interconnect customers in a variety of configurations. In an enterprise data network, protocols like Ethernet that support multicast addressing are widely deployed because isolation among users of the network is not always critical. In such networks, fiber optic connections between packet switches are usually made point to point in a ‘redundant, dual-homed, tree like’ topology to facilitate rapid reconfiguration with the minimum loss of service. The revised spanning tree protocol under standardization in IEEE 802.1 is a suitable protocol for establishing the failover rules in the network. The recently completed link aggregation standard, IEEE Std. 802.3ad, is another, providing for resiliency of parallel links. These technologies, in high bandwidth configurations, are being applied in the metropolitan area network environment as well. [0007]
  • Protocols used in these environments, such as Ethernet, supporting the use of multicast messages allow customers using the network, who may be unknown to other customers, to see the multicast traffic unless complex security provisions like firewalls are installed in the network. In networks to which the public is allowed to subscribe, such security measures may be difficult to implement. [0008]
  • However, multicast technologies are very effective for some kinds of network traffic. In the case of an Internet Service Provider, a subscription based audio program provider, or other customer of the Metropolitan Area Network that includes many independent customers to whom a single message could be sent from a single service provider attachment to the network, for example, the multicast can be very useful. Also, customers that might be configured to receive multicast messages should be prevented from sending multicasts or other messages to the other subscribers to the multicast service, unless separate arrangements are made. However, there have not been commercially feasible ways to implement secure point-to-multipoint messaging systems in public networks that support multicast messages. [0009]
  • It is desirable therefore to provide a technique for establishing secure point-to-multipoint channels in a network topology that is easy to configure, scalable and efficient. [0010]
  • SUMMARY
  • This invention comprises a method for configuring a network, and a network configured according to such method, providing secure point-to-multipoint communication channels supporting multicast messages only from the root of the channel. [0011]
  • A method of providing a point to multipoint communication channel in a metropolitan area network among a plurality of demarcation points having unique addresses, according to the present invention includes identifying a particular demarcation point in the network as a root of the channel, and a plurality of client demarcation points in the network as leaves of the channel; and configuring switches in the network so that [0012]
  • client demarcation points can only exchange packets on the network with the particular demarcation point, and not with other client demarcation points; and so that [0013]
  • the particular demarcation point can exchange packets on the network with the plurality of client demarcation points. [0014]
  • In one embodiment, a switch attached to a respective client demarcation point in the plurality of client demarcation points is configured to recognize addresses of the particular demarcation point and of the respective client demarcation point, for source address filtering. The switches at the leaves are configured to forward onto the network packets received on ports coupled to the respective client demarcation points carrying source addresses equal to the address of the respective client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the respective demarcation points packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and destination addresses equal to one of a multicast address, a broadcast address and the address of the respective client demarcation point, and to discard other packets. [0015]
  • Further, a switch coupled to the particular demarcation point identified as the root is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points for source address filtering. The switch at the root is configured to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets. [0016]
  • According to one aspect of the invention, a communication system is provided using technology that has been developed within the communications, enterprise data networking, electronic commerce, and carrier service provider industries to provide service in new ways, supporting secure point-to-multipoint channels, and other connectivity options in a manner particularly complementary to a provisioning process and system described in the above referenced application entitled E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS. [0017]
  • Provision of multiple connectivity options across a packet switched network is supported by the network, including point-to-multipoint services. The network supports point-to-point connectivity between a pair of service interfaces, multipoint to multipoint switched LAN like connectivity between a set of service interfaces, and point to multipoint connectivity. The point-to-multipoint connectivity provides for the equipment attached at one service interface, the ‘root,’ to be able to transmit to one or all other interfaces while equipment attached at those interfaces can only transmit to the root. This functionality supports serving many of a service provider's customers through a single connection to the network. [0018]
  • Security arrangements for a packet switched data transmission network using LAN switches are provided. The network makes use of packet data switching equipment that is typically used in private data networks. While such equipment has facilities that can be used to construct ad-hoc security arrangements, a systematic approach to security is provided by the present invention. [0019]
  • The network ensures that no data is ever delivered to a service interface other than the service interface(s) explicitly authorized by the customer whose network attached equipment transmits the data, and that no data is received on a service interface other than data from the service interface(s) explicitly authorized by the customer whose network attached equipment is receiving the data. [0020]
  • The mechanisms that the system uses to ensure such secure delivery include: [0021]
  • (a) The organization of switches within the network architecture and the placement of security functions within that architecture. [0022]
  • (b) Assuring a unique identity for each device connected to a service interface anywhere within the network. [0023]
  • (c) Checking that identity at points identified within the network (see (a) above). [0024]
  • (d) Ensuring that the identity of each of the customers/parties controlling the assignment of service interfaces and the connections between them is securely known. [0025]
  • (e) Providing for the known delegation of control within the constraints imposed by (d) above. [0026]
  • The network architecture in a preferred embodiment organizes switches into demarcation devices, access switches and interior switches. [0027]
  • Demarcation devices (also referred to herein as service interface units) are typically, but not necessarily, located on a single customer's premises. It is assumed that the customer will secure physical access to his or her own premises. Each demarcation device supports one or more service interfaces, identifiable by unique addresses such as Ethernet MAC addresses, that the customer uses to connect to the network, and one or more ‘drops’ that connect to access ports on access switches. [0028]
  • Access switches are located on premises physically secured, linked by a communication media of choice, including for example fiber optic cable, to a collocation site in the metropolitan area network. In addition to access ports coupled to the demarcation devices, the access switches have interior network ports that connect to interior switches at the collocation sites within the network. [0029]
  • Interior switches form the heart of the network, typically in collocation sites of the metropolitan area network, having ports coupled to the interior ports of the access switches. [0030]
  • The identity of the connected device is ascertained by observing packets transmitted by the device at the service interface of the demarcation device. Each packet contains a source address, such as a source MAC address. The MAC address is captured by the service interface and a notification sent to the system managing the network using normal network management protocols. The management system assures itself that the MAC address is unique. Filters are configured on access ports of the access switches to ensure that only packets with source addresses checked in this way are accepted from the attached demarcation device. Similarly only packets from source addresses that are permitted to transmit to the demarcation device are allowed to egress from the access port to the demarcation device. [0031]
  • Interior switches do not filter or otherwise constrain connections on the basis of the identities of devices attached to either the transmitting or receiving service interfaces. This allows the active topology maintained by interior switches to scale independently of the number of active connections through the network, and to reconfigure rapidly since information concerning individual connections does not have to be communicated or changed during reconfiguration. [0032]
  • A range of options is offered to customers to control changes to the source MAC address used on the interface, including automatic configuration, latching of a learnt address, explicit manual configuration, and identification of attempts at intrusion into the network. [0033]
  • The system is capable of extension to allow additional security protocols to establish the identity of the connecting system. Once that identity has been established, the MAC address of the transmitting system is used, as described above, to secure connections. [0034]
  • Disconnection and reconnection of the device can be detected, even if the same MAC address is used throughout. This protects against attempts to masquerade once a device identity has been established. [0035]
  • A foundation of industry standard products and practices in the following areas is used to construct the novel networks, including for one example: [0036]
  • Fiber optic transmission technology using WDM (wave division multiplexing) to carry additional bandwidth through the use of many ‘colors’ of light on a single fiber, controlled and [0037]
  • Gigabit (or higher) ethernet packet switching technology to accept and deliver IP data from and to customers, providing a highly reliable service. [0038]
  • Electronic commerce technology to allow customers and their authorized agents to order, configure, and manage the communications services delivered and to enter into business agreements with other suppliers of services using the system's communication services. [0039]
  • In each of these areas a number of novel practices and inventions support and advance the communications network and services. [0040]
  • Configuration of links and link segments to facilitate rapid reconfiguration of interconnected packet switches is provided in support of the commercial provisioning system. [0041]
  • A set of rules and heuristics is provided for the use and configuration of fiber optic transmission facilities, purchased or leased in ring configurations, as a set of links comprising selected concatenated segments from a set of rings. The resulting configurations have benefits in networks including: [0042]
  • 1) They allow the use of high bandwidth low cost enterprise data packet switching equipment in the collocation facilities, while providing high network availability through the use of rapid reconfiguration with redundant links and switches. [0043]
  • 2) They allow the use of general mesh topologies to support redundancy, rather than restriction to rings or rings with extraordinary interconnection arrangements. [0044]
  • In addition to realizing these topologies by concatenating physical segments from rings, equipment is provided so that a link can comprise logical segments, each consisting for example of a wavelength of light transmitted and received by WDM (wavelength division multiplexing) equipment attached to the physical fiber segment running between two locations on a ring. Electronic switching of the transmitted information stream at each ring node from one wavelength on a segment to another wavelength on the next, or to an attached device, allows for electronic rearrangement of the set of links connected to each packet switch in the network. [0045]
  • Modification of the Spanning Tree for resilient redundant connection of an edge device, such as a demarcation device, to a network is provided in some embodiments in support of efficient provisioning. The IEEE 802.1 Spanning Tree provides for redundant connections within a network, where data transmitted from one attachment to the network to another is constrained to follow a loop free path. It reduces the physical topology of the network to an active topology that is both loop free (‘tree’) and fully connected (‘spanning’). [0046]
  • In the network, ‘demarcation devices’ situated on individual customers' premises can provide for redundant connections to the rest of the network. Selection of one link in preference to another can be achieved by use of the spanning tree or a similar protocol. However, only traffic that is transmitted by or destined for a given customer is allowed to reach that customer's demarcation device (a packet switch). It is not desirable that a demarcation device act as a transit link in the network that would be used to ensure full connectivity from one part of the network to another, either during a reconfiguration of the network or while the active topology is stable. Rather, the network should partition if there is no connectivity between the two halves other than through a demarcation device. [0047]
  • In the past, the simple selection of one link or another for connection to the interior of a network has been performed by a simple physical layer redundancy scheme that interrogates the health of the links from a demarcation device switch to the network. One link is configured as a primary link and the secondary link is activated only if the primary fails a simple connectivity test to the remainder of the network, e.g. loss of the transmitted light signal. [0048]
  • The system improves on this prior arrangement, while not allowing the demarcation device to participate in the active topology of the network, by choosing the active link from the demarcation device to the network on the basis of the spanning tree information received by the device, but not allowing it to forward or generate spanning tree information. This arrangement protects against a failure in the network that causes the switch to which the demarcation device is connected to be separated from the main body of the network. [0049]
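The link selection just described, as an added example that is not the patent's own code: the demarcation device keeps the most recent configuration BPDU seen on each of its drops, ranks them by the 802.1D priority vector (root identifier, root path cost, sending bridge identifier, port identifier, lower wins) and activates the drop offering the best path to the root, while never generating or relaying BPDUs itself. The failure case in the paragraph is covered: an access switch cut off from the main body of the network starts advertising itself as root, which loses the comparison against a drop still reporting the true root, so the device moves to the other drop even though the light on the first one never went out. Bridge identifiers, costs, the max-age value and the `Bpdu`/`Drop`/`DemarcationDevice` names are all constructed for this example.

```python
"""Demarcation-device drop selection driven by received spanning tree info.

Added example, not the patent's code. The device only listens: it ranks the
BPDUs received on its drops and picks the drop with the best path to the
root. It never emits or forwards BPDUs, so it cannot become a transit link
in the network's active topology. All identifiers and timings are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bpdu:
    root_id: int          # bridge id the sender believes is the root
    root_path_cost: int   # sender's cost to that root
    bridge_id: int        # id of the access switch that sent the BPDU
    port_id: int          # its port towards us

    def vector(self):
        # 802.1D priority vector: lexicographically smaller is better
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


@dataclass
class Drop:
    name: str
    last: Optional[Bpdu] = None   # most recent BPDU heard on this drop
    received_at: float = 0.0      # when it was heard (seconds, constructed clock)


class DemarcationDevice:
    def __init__(self, drops, max_age=20.0):
        self.drops = {d.name: d for d in drops}
        self.max_age = max_age    # a drop with no BPDU within max_age is considered dead
        self.active = None

    def receive(self, drop, bpdu, now):
        """Record a BPDU heard on a drop. Nothing is ever sent back or relayed."""
        d = self.drops[drop]
        d.last, d.received_at = bpdu, now

    def select(self, now):
        """Choose the active drop; returns its name, or None if no drop reaches a root."""
        fresh = [d for d in self.drops.values()
                 if d.last is not None and now - d.received_at <= self.max_age]
        if not fresh:
            self.active = None     # no live path to the network: stay isolated
            return None
        best = min(fresh, key=lambda d: d.last.vector())
        self.active = best.name
        return self.active


if __name__ == "__main__":
    dev = DemarcationDevice([Drop("A"), Drop("B")])
    # both access switches report the same root (0x1000); A is closer
    dev.receive("A", Bpdu(0x1000, 10, 0x2000, 1), now=0)
    dev.receive("B", Bpdu(0x1000, 20, 0x3000, 1), now=0)
    print("t=1  active:", dev.select(now=1))
    # switch on A is cut off from the main network and claims to be root itself
    dev.receive("A", Bpdu(0x2000, 0, 0x2000, 1), now=30)
    dev.receive("B", Bpdu(0x1000, 20, 0x3000, 1), now=30)
    print("t=31 active:", dev.select(now=31))
```

A plain loss-of-light check would have kept drop A active in the second step, since the physical link to the isolated access switch is still up; comparing the advertised root identifier is what detects that the switch no longer belongs to the main body of the network.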
  • Spatial reuse in a packet based data network with a ring topology is accomplished in the preferred network configuration. The network architecture uses packet switches with rapid reconfiguration protocols and VLAN technology to constrain packets that might otherwise be broadcast or flooded to the necessary paths between access ports in the network. Thus a combination of existing standard technologies serves to support the same robust efficient communications goals sought by new non-standard equipment. [0050]
  • Other aspects and advantages of the present invention can be seen on review of the figures, the detailed description and the claims, which follow.[0051]
  • BRIEF DESCRIPTION OF THE FIGURES
  • FIG. 1 is a diagram of a commercial communication service with an Internet based provisioning server according to the present invention. [0052]
  • FIG. 2 is a block diagram of a network supporting point-to-multipoint channel according to the present invention. [0053]
  • FIG. 3 illustrates a generic access connection to a secure MAN according to the present invention. [0054]
  • FIG. 4 illustrates a basic single tenant access arrangement. [0055]
  • FIG. 5 illustrates a redundant switch access service with parallel drops. [0056]
  • FIG. 6 illustrates a parallel single tenant access service with two drops coupled to a single access switch. [0057]
  • FIG. 7 illustrates a fully redundant single tenant access service according to one aspect of the invention. [0058]
  • FIG. 8 illustrates a multi-tenant access arrangement for use with the secure MAN of the present invention. [0059]
  • FIG. 9 illustrates another example multi-tenant access arrangement. [0060]
  • FIG. 10 illustrates a collocation facility access arrangement for connection to the secure MAN of the present invention. [0061]
  • FIG. 11 illustrates another example collocation facility access arrangement. [0062]
  • FIG. 12 illustrates an example of the use of point-to-point virtual connection services according to the present invention. [0063]
  • FIG. 13 shows an example of a multipoint-to-multipoint virtual connection service. [0064]
  • FIG. 14 illustrates a point-to-multipoint virtual connection service for a secure MAN network according to the present invention. [0065]
  • FIG. 15 illustrates the use of tagged and non-tagged service interfaces for access to a secure MAN network according to the present invention. [0066]
  • FIG. 16 shows a format for a packet transmitted within the secure MAN network of the present invention. [0067]
  • FIG. 17 illustrates a simplified secure MAN network, and configuration of a virtual connection within such a network. [0068]
  • FIG. 18 illustrates a simplified secure MAN network as in FIG. 31, with another example configuration of a virtual connection. [0069]
  • FIG. 19 illustrates a simplified secure MAN network as in FIG. 31, showing configuration for a point-to-multipoint virtual connection. [0070]
  • FIG. 20 illustrates a simplified secure MAN network as in FIG. 31, showing configuration for a multipoint-to-multipoint virtual connection. [0071]
  • FIG. 21 illustrates tree topology of a four collocation site, fiber MAN, showing an architecture for the interior switches of the network of the present invention. [0072]
  • FIG. 22 illustrates a fiber MAN network physically laid out as a ring, and partitioned as segments of the secure MAN of the present invention.[0073]
  • DETAILED DESCRIPTION
  • FIG. 1 illustrates a communications service example, based on provisioning links among a variety of customers within a secure metropolitan area network MAN. In FIG. 1, a secure MAN based upon a layer two protocol, preferably Ethernet or other protocol supporting multicast messaging, is represented by [0074] cloud 60. A number of customers, including Internet service provider 61, outsourcing vendor 62, “enterprise 1” with a North campus 63, a West campus 24, and a South campus 25, and “enterprise” 2 66 and enterprise 3 67, are coupled to the secure MAN 60 by appropriate physical and logical interfaces. A provisioning server 71 is coupled to the secure MAN 60, either using the secure MAN medium or by other communication channels to the switches and other resources in the secure MAN, and facilitates transactions among the customers of the secure MAN 60 for establishing communication channels, such as the virtual connections discussed above, and provisioning of services agreed to by the customers with the resources of the secure MAN 60. In one embodiment, configuring and allocating of services within the secure MAN 60 to support the links among the customers, is managed by the provisioning server using a management protocol such as Telnet or SNMP, under which filters and other control data structures in the switches are configured. In this manner, the provisioning server is available via the internet to customers and potential customers of the secure MAN 60, using standard technology.
  • Virtual connection services allow rich connectivity among all customer locations on the secure MAN network. Examples include: [0075]
  • A mesh connected, multipoint-to-multipoint virtual connection service [0076] 35 dedicated to a single enterprise for connecting campuses together.
  • A point-to-multipoint [0077] virtual connection service 76 connecting an Internet Service Provider to customers.
  • A point-to-point virtual connection service [0078] 77 connecting an enterprise location to an outsourcing vendor.
  • A point-to-point virtual connection service [0079] 78 connecting two enterprises.
  • A single customer can have simultaneous intra-enterprise and extra-enterprise communications using the secure MAN, provisioned according to the present invention. [0080]
  • A detailed description of one example of the secure MAN provisioning embodiment is provided in the above referenced application entitled, E-COMMERCE SYSTEM FACILITATING SERVICE NETWORKS INCLUDING BROADBAND COMMUNICATION SERVICE NETWORKS, which is incorporated by reference as if fully set forth herein. [0081]
  • FIG. 2 is a block diagram of a network configured according to the present invention to support point-to-multipoint virtual connections among a plurality of customers of a public metropolitan area network. The customers have [0082] local networks 100, 101, 102, and 103. Each of the customers includes customer equipment, such as a router (not shown), having unique MAC addresses, connected by a link to a port on a service interface unit. Thus, the customer 100 is connected by links 100-1 and 100-2 to the service interface unit 105. The customer 100 is connected by links 100-3 and 100-4 to the service interface unit 106. The customer 101 is connected by link 101-1 to the service interface unit 107. The customer 102 is connected by the links 102-1 and 102-2 to service interface unit 108. Customer 103 is connected by link 103-1 to service interface unit 109. The service interface units comprise switches at customer premises in which demarcation points for access to the metropolitan area network are established. Each of the links 100-1 through 100-4, 101-1, 102-1, 102-2, and 103-1 is connected at the customer side to a port on a customer device having a unique MAC address. Thus the demarcation points for the network can be considered ports on the service interface unit characterized by the unique MAC addresses of the attached customer equipment.
  • The service interface units [0083] 105-109 are connected by point-to-point links to access switches 110, 111, 112 in the network. Thus, service interface unit 105 is coupled by links 105-1 and 105-2 to the access switch 110. Service interface unit 105 is coupled by the link 105-3 to the access switch 111. Service interface unit 106 is coupled by the link 106-1 to the access switch 110, and by link 106-2 to the access switch 111. Service interface unit 107 is coupled by the link 107-1 to the access switch 111, and by the link 107-2 to the access switch 112. Service interface unit 108 is coupled by the link 108-1 to the access switch 111, and by the link 108-2 to the access switch 112. Service interface unit 109 is coupled by the link 109-1 and by the link 109-2 to the access switch 112. The service interface units 105-109 are managed so that only one of the links between a service interface unit and an access switch in the network is active at any time. A modified spanning tree protocol is utilized to select the active link as described below.
  • The access switches [0084] 110-112 are coupled to interior switches of the metropolitan area network 115. Examples of preferred architectures of the interior switches are described with reference to FIGS. 21 and 22 below.
  • According to the preferred embodiment of the present invention, the security arrangements for the point-to-multipoint virtual channels are deployed in the access switches [0085] 110-112 via source address filtering based upon the unique MAC addresses of the demarcation points at service interface units in the network.
  • In the example of FIG. 2, a point-to-multipoint channel is established between the link [0086] 101-1 at service interface unit 107 as the root R of the channel, and the links 100-1, 102-1, and 103-1 at the service interface units 105, 108 and 109, respectively, as the clients CL at leaves of the channel. The access switches 110, 111, 112 are configured with source address filtering tables supporting the point-to-multipoint channels, according to the Tables 3 and 4 below.
  • The access switches are configured so that client demarcation points, at links [0087] 100-1, 102-1 and 103-1 in this example, can only exchange packets on the network with the particular demarcation point, at link 101-1 in this example, designated as the root, and not with other client demarcation points; and so that the particular demarcation point can exchange packets, including multicast packets, on the network with the plurality of client demarcation points.
  • In one embodiment, an access switch at a leaf, that is actively attached to a client demarcation point, is configured to recognize addresses of the particular demarcation point and of the attached client demarcation point, for source address filtering. The access switch at the leaf is configured to forward onto the network packets received on ports coupled to the client demarcation point carrying source addresses equal to the address of the client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the client demarcation point packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and a destination address equal to one of a multicast address, a broadcast address and the address of the client demarcation point, and to discard other packets. [0088]
  • Further, an access switch at the root, that is actively attached to the particular demarcation point, is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points for source address filtering. The access switch at the root is configured to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets. [0089]
  • The generic Access Service is depicted in FIG. 3, including a demarcation device 200, a secure network switch 201 and customer-owned equipment 202. [0090]
  • A demarcation device 200 is always situated between customer-owned equipment and a secure MAN switch. The demarcation device 200 connects to customer-owned equipment 202 through one or more service interfaces 203. The demarcation device 200 converts between the physical layer of the drop 204 and that of the service interfaces 203. The demarcation device 200 also performs surveillance and maintenance functions. [0091]
  • The drop 204 will typically use a fiber optic link with at least 1 Gbps bandwidth, although other transmission technologies may be used, e.g., high bandwidth wireless transmission. The type of transmission used is transparent to the customer. [0092]
  • The service interface 203 is the point at which customer-owned equipment 202, typically an internet protocol (IP) or multiprotocol router, is attached. This interface 203 runs IP over 10/100/1000 Mbps Ethernet, for example, using either a copper or fiber physical layer. An auto-sensing 10/100 Ethernet service interface may also be used. Other higher speed Ethernet technologies could also be used. [0093]
  • In the secure MAN, ‘demarcation devices’ situated on individual customer's premises can provide for redundant connections to the rest of the network. Selection of one link in preference to another can be achieved by use of the spanning tree or a similar protocol. However, only traffic that is transmitted by or destined for a given customer is allowed to reach that customer's demarcation device (a packet switch). It is not desirable that a demarcation device act as a transit link in the network, ensuring full connectivity from one part of the network to another, either during a reconfiguration of the network or while the active topology is stable. Rather, the network should partition if there is no other connectivity between the two halves. [0094]
  • In the past, the simple selection of one link or another for connection to the interior of a network has been performed by a simple physical layer redundancy scheme that interrogates the health of the links from a demarcation device switch to the network. One link is configured as a primary link and the secondary link is activated only if the primary fails a simple connectivity test to the remainder of the network, e.g. loss of the transmitted light signal. [0095]
  • One embodiment of the secure MAN improves on this prior arrangement, while still not allowing the demarcation device to participate in the active topology of the network, by choosing the active link from the demarcation device to the network on the basis of the spanning tree information received by the device, but not allowing it to forward or generate spanning tree information. This arrangement protects against a failure in the network that causes the switch to which the demarcation device is connected to be separated from the main body of the network. [0096]
  • There are several alternative access arrangements possible, examples of which are shown in FIGS. 4-9. FIG. 4 shows a basic single tenant access arrangement. In this case, the customer-owned equipment 202 is located in a building solely occupied and controlled by the customer. The demarcation device 200 is also located within the customer premises as shown in FIG. 4. The demarcation device 200 is dedicated to the customer. The single tenant customer has several options for the use of multiple drops to improve service availability. [0097]
  • One option involves use of a Redundant Switch Access Service as shown in FIG. 5, in which a second drop 210 is connected from the demarcation device 200 to a different secure MAN Switch 211. This is done to maximize diversity. A failure of a drop, the switch, or the switch port will result in data flowing over the drop being rerouted over the redundant drop in a very short time, e.g., less than 50 ms. [0098]
  • In Redundant Switch Single Tenant Access Service, the drops will typically reside within the same physical path from the customer premises to the first splice point at which point they will follow diverse physical paths. [0099]
  • Parallel Single Tenant Access Service is another alternative, as shown in FIG. 6. In this case, drops 204 and 212 terminate on the same secure MAN switch 201. Unlike Redundant Single Tenant Access Service, the multiple drops 204, 212 can be used for load sharing in that data can flow over the drops simultaneously. In the event of a failure of a drop or the switch port, data flowing over the drop will be rerouted to the other drop in a very short time, e.g., less than 50 ms. In Parallel Single Tenant Access Service, the drops will typically reside within the same physical path from the customer premises to the point-of-presence of the first secure MAN switch. [0100]
  • Another access service option is Fully Redundant Single Tenant Access Service as illustrated in FIG. 7, including redundant demarcation devices 200, 220 and redundant switches 204, 221 with redundant drops 204, 222, 223, 224 for each demarcation device-access switch pair. Fully Redundant Single Tenant Access Service protects against the same failures that Redundant Switch Single Tenant Access Service does and in addition protects against failure of a demarcation device and the failure of the customer-owned equipment attached to a service interface. Both service interfaces 203, 225 are activated for customer use, but the ability to use them simultaneously will depend on the details of the routing protocol being used by the customer. Similarly, the ability of the customer-owned equipment to detect a failure and start using a service interface on the other demarcation device will depend on the details of the routing protocol being used by the customer. [0101]
  • In Fully Redundant Single Tenant Access Service, the drops will typically reside within the same fiber optic cable from the customer premises to the first splice point at which point they will follow diverse physical paths. [0102]
  • In other situations Multi-Tenant Access is used as shown in FIG. 8. In this case, there is a single building or campus with multiple customers. Some secure MAN equipment will be in space not controlled by the customer. For example, the equipment could be in space leased from the landlord. In this example, the demarcation devices 300, 301 reside within the space of the customers, and are coupled to switch 302 which may or may not be located at the customer premises. [0103]
  • Another example is shown in FIG. 9, in which the demarcation devices 303, 304 are centrally located, and coupled to access switch 305 which may or may not be located at the customer premises. [0104]
  • In both of the above examples, each demarcation device is dedicated to a single customer. In addition, the secure MAN services that a customer sees across the service interface are the same no matter which configuration is used. [0105]
  • There are other possibilities including a mix of centralized and distributed demarcation devices. It may also be possible and/or desirable to share a demarcation device among more than one customer. [0106]
  • In another situation collocation facility access is used as shown in FIGS. 10 and 11. In some ways Collocation Facility Access is like multi-tenant access. However, the secure MAN service provider will have leased space in the facility in which the customer demarcation device is placed. The preferred configuration for a collocation facility is shown in FIG. 10. The demarcation device 320 is in the customer's rack 321 and dual connected back to different switches 322, 323 located in a secure MAN rack 324 at a collocation site. These connections are effected by Gigabit Ethernet multi-mode fiber cross-connects. The customer-owned equipment connects to the demarcation device with the appropriate Ethernet cable. Additional customers may use the same collocation facility, as shown by demarcation device 326 in rack 325. [0107]
  • In some cases, the customer may not want to accommodate the demarcation device in his or her rack space. In this case, the configuration is that shown in FIG. 11. The demarcation device 330 is in the secure MAN rack and is dual connected to the two switches 331, 332 in the rack. The customer-owned equipment 333, 334 is connected to the demarcation device 330 via an appropriate Ethernet cross-connect. In large collocation facilities, this cross-connect will typically be multimode fiber. A demarcation device 330 can be used for supporting multiple customers. [0108]
  • Once customers have established connections to the secure MAN network, links among them are established using the provisioning system referenced above. Links in this example embodiment are referred to as virtual connections. [0109]
  • Virtual connection service provides the transfer of data between multiple service interfaces. The three kinds of virtual connection services in this example are point-to-point, point-to-multipoint, and multipoint-to-multipoint. [0110]
  • In point-to-point virtual connections, an internet protocol IP packet delivered across a service interface is delivered to exactly one other service interface. Of course, in addition to IP, other higher layer protocols may be utilized for virtual connections of all types. This service is like a physical wire. [0111]
  • FIG. 12 shows an example of the use of point-to-point virtual connection services within the secure MAN network 350. For a point-to-point virtual connection, a service interface for customer equipment 400 is connected by link 405 to a service interface for customer equipment 401; a service interface for customer equipment 401 is connected by a link 406 to a service interface for customer equipment 402; and a service interface for customer equipment 402 is connected by a link 407 to a service interface for customer equipment 400. [0112]
  • In multipoint-to-multipoint virtual connections, multiple service interfaces are interconnected. A customer-owned equipment device attached to one of these interfaces can send IP packets to any of the other interfaces that have been assigned to the virtual connection service. This service is similar to Frame Relay where multiple destinations, each specified by a DLCI value, can be reached via a single physical interface. [0113]
  • FIG. 13 shows an example of the use of a multipoint-to-multipoint virtual connection service. In FIG. 13, a service interface for customer equipment 400, a service interface for customer equipment 401, and a service interface for customer equipment 403 are interconnected by a multipoint-to-multipoint link 410 within the secure MAN network 350. [0114]
  • In point-to-multipoint virtual connections, multiple service interfaces are interconnected. One interface is configured as the root and the remaining interfaces are called leaves. FIG. 14 illustrates a point-to-multipoint link 415 within the secure MAN network 350. A service interface coupled to customer-owned equipment 401 is designated root of the point-to-multipoint link 415. Service interfaces coupled to the customer equipment 400 and 403 respectively are designated leaves of the point-to-multipoint link 415. A customer-owned equipment device 401 attached to the root interface can send IP packets to any of the leaf interfaces. A customer-owned equipment device 400, 403 attached to a leaf interface can only send IP packets to the root interface. This service combines the logical addressing features of Frame Relay with the security features of a physical wire. The advantage to a service provider is that he can send packets to multiple subscribers securely while each subscriber is protected from deliberate or accidental transmission to the other subscribers. [0115]
  • Multiple virtual connection services can be implemented on a single service interface by tagging virtual connections. This is accomplished in this example embodiment by making use of IEEE 802.1Q VLAN tagging. Furthermore, virtual connection services between tagged and non-tagged service interfaces are supported. Non-tagged service interfaces support a single virtual connection. FIG. 15 shows an example of virtual connection services connecting tagged and non-tagged service interfaces. In FIG. 15, customer equipment locations 500, 501 and 502 are connected by the point-to-point virtual connections 505, 506, 507 and 508 within the secure MAN network 350. Customer equipment 501 has three non-tagged service interfaces 510 supporting three virtual connections 505, 506 and 508. Customer equipment 501 includes service interface 511 which has three VLAN tags assigned to it, supporting virtual connections 505, 506 and 507. Customer equipment 502 includes service interface 512 having two VLAN tags assigned to it, supporting virtual connections 507 and 508. [0116]
  • In the provisioning of virtual connections, a variety of parameters relevant to the control of traffic on the wire are assigned in some situations. For example, a virtual connection service preferably has at least one bandwidth profile associated with it. The amount of bandwidth is provisioned at the customer's request and the price of the virtual connection service will be related to the “size” of the profile and the degree that the customer's actual transmitted traffic conforms to the profile. In return for abiding by the traffic profile, the customer receives a commitment on performance of the virtual connection service. [0117]
  • Another parameter associated with virtual connections is class of service in some embodiments. Virtual connection services can carry multiple classes of service. The class of service for each packet is indicated by the DS byte in the IP header as per the DiffServ standard. See, [RFC2475] D. Black, S. Blake, M. Carlson, E. Davies, Z. Wang, and W. Weiss, “An Architecture for Differentiated Services”, Internet RFC 2475, December 1998; and [RFC2474] K. Nichols, S. Blake, F. Baker, and D. Black, “Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers”, Internet RFC 2474, December 1998. Each class of service has a set of performance objectives that address topics such as availability, delay, and loss. The performance objectives only apply while the traffic being offered to the virtual connection service conforms to the bandwidth profile. [0118]
  • Allocation And Configuration Of Secure MAN resources [0119]
  • Virtual connection services can be automatically provisioned as described above. This allows a network manager to control secure MAN services, from his or her own workstation. For example, a new virtual connection service can be established or an existing one can be modified in this fashion. Logical provisioning is supported by actual allocation and configuration of the resources of the secure MAN. In this example, the allocation and configuration is accomplished as described below. [0120]
  • Virtual connections are established by physical layer (layer 1) and data link layer (layer 2) constructs. Two physical layers are available in this example for service interfaces. The first is Fast Ethernet (100 Mb) as defined in IEEE Std. 802.3. The second physical layer is Gigabit Ethernet (1 Gb) as defined in IEEE Std. 802.3. [0121]
  • Virtual connection service allows the exchange of IP packets among two or more service interfaces. Virtual connection services are established through the provisioning service. The wires are established at layer 2 using MAC addresses of the demarcation devices and VLAN tags. [0122]
  • The source and destination MAC addresses and the value of the DSCP in the IP header govern the handling of an IP packet submitted over a service interface. The details of this process are described in this section. Service performance objectives are also described in this section. [0123]
  • Two types of layer 2 protocols are supported: non-tagged and tagged. For non-tagged services, FIG. 16 illustrates the format of an IP packet as used in the secure MAN network of the present invention. The packet includes a destination MAC address which is six bytes in length, a source MAC address 551 which is six bytes in length, a Type/Length field 552 which is two bytes in length, an IP packet payload 553 which is between 46 and 1500 bytes in length, and a frame check sequence field 554 which is four bytes in length. [0124]
  • Valid packets for the purposes of the secure MAN have a value of the Type/Length field greater than 0x5DC: 0x0800 designating an IP datagram, 0x0806 designating an Address Resolution Protocol packet, or 0x0835 designating a Reverse Address Resolution Protocol packet. If the value of the Type/Length field is not one of these values, the packet is not considered properly formatted in this example. [0125]
  • When a unicast MAC address is used in the destination MAC address field, it must be a globally administered MAC address for the packet to be considered properly formatted. Similarly, the unicast MAC address in the source MAC address field must be a globally administered MAC address for the packet to be considered properly formatted. [0126]
  • A packet sent from the customer-owned equipment to a non-tagged service interface with an IEEE 802.1Q tag is not properly formatted. [0127]
  • Tagged packets include in addition a VLAN tag field recognized in the network, for the packet to be considered valid. [0128]
  • The basic connectivity of all virtual connection services can be described as follows. If the customer-owned equipment sends an invalid packet, it is discarded. If the customer-owned equipment sends a valid packet, the service delivers the packet to the appropriate destination service interface(s) for the configured virtual connections identified by the packet addresses. Packets delivered to a destination service interface have the same format as that on the source service interface. In the case of a packet sent between non-tagged service interfaces, the contents of the delivered packet are unchanged. [0129]
  • For a packet to be delivered across by the service, it must be properly formatted and have a recognized source MAC address. Such a packet is called a valid packet. The secure MAN network discards all invalid packets sent across a service interface by customer-owned equipment. [0130]
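The "properly formatted" rules above are mechanical enough to be checked per frame at the service interface. The following is an added example, not code from the patent, that applies them to raw Ethernet frames: a Type/Length value that is a Type (above 0x5DC) and one of the IP, ARP or RARP types, globally administered unicast addresses (U/L bit clear), rejection of an IEEE 802.1Q tag on a non-tagged interface, and on a tagged interface a VLAN that the network recognizes. The frame contents, VLAN numbers, function names and result strings are constructed for the example; the text lists 0x0835 for RARP, while the registered EtherType used here is 0x8035.

```python
"""Validity checks for a packet entering a secure MAN service interface (added example)."""
import struct
import zlib

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035   # the page prints 0x0835; the registered RARP EtherType is 0x8035
TPID_8021Q = 0x8100       # tag protocol identifier of an IEEE 802.1Q tag
MAX_8023_LENGTH = 0x05DC  # 1500: a Type/Length value at or below this is a length, not a type
ACCEPTED_TYPES = {ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_RARP}
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500


def is_group(mac: bytes) -> bool:
    """I/G bit (bit 0 of the first octet) set: multicast or broadcast."""
    return mac[0] & 0x01 == 1


def is_globally_administered_unicast(mac: bytes) -> bool:
    """I/G bit clear (unicast) and U/L bit (bit 1) clear (globally administered)."""
    return mac[0] & 0x03 == 0


def fcs(data: bytes) -> bytes:
    """Frame check sequence over the frame body, in wire byte order."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Constructed test frame: addresses, optional 802.1Q tag, Type, payload, FCS."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    body = header + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def check_frame(frame: bytes, tagged_interface: bool, allowed_vlans=frozenset()) -> str:
    """Return 'ok' for a properly formatted packet, else the reason it is discarded."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return "runt"
    if frame[-4:] != fcs(frame[:-4]):
        return "bad-fcs"
    dst, src = frame[0:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    payload_start = 14
    if type_len == TPID_8021Q:
        if not tagged_interface:
            return "tag-on-non-tagged-interface"     # a tag is an error on a non-tagged interface
        (tci,) = struct.unpack("!H", frame[14:16])
        if tci & 0x0FFF not in allowed_vlans:
            return "unrecognized-vlan"               # the tag must be recognized in the network
        (type_len,) = struct.unpack("!H", frame[16:18])
        payload_start = 18
    if type_len <= MAX_8023_LENGTH or type_len not in ACCEPTED_TYPES:
        return "bad-type"
    if not is_group(dst) and not is_globally_administered_unicast(dst):
        return "dst-not-globally-administered"
    if not is_globally_administered_unicast(src):
        return "src-not-global-unicast"
    if not MIN_PAYLOAD <= len(frame) - payload_start - 4 <= MAX_PAYLOAD:
        return "bad-payload-length"
    return "ok"
```

Only a frame that passes all of these checks is a candidate for the source MAC recognition step that follows; the reason string is what a switch would count per discard cause.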
  • A MAC address becomes recognized in one of two ways: using dynamic source MAC address or latched source MAC address processes. Each technique is described in the following sections. [0131]
  • In the case of the dynamic source MAC address process, the secure MAN network observes the source MAC address being used at the service interface. When a particular source MAC address is first observed on the service interface, the packets carrying the MAC address, either as Source or Destination, will be discarded for a period of time not to exceed 5 seconds, for example. This is done to allow secure MAN to make security checks and ensure the uniqueness of the MAC address. If the new MAC address is already being recognized at another service interface, the resolution is as described below. [0132]
  • If a particular source MAC address is observed and a different MAC address has been recognized for less than 5 minutes for example, the service interface is declared to be in the “Onlooker” state. The use of the Onlooker state is to prevent a repeater hub from being attached to a service interface with more than one customer-owned equipment attached. While the service interface is in this state, all packets sent to and from the service interface are discarded. The state is maintained until a MAC address remains continuously recognized for 5 minutes. [0133]
  • The recognized MAC address becomes unrecognized if the customer-owned equipment disconnects from the service interface. [0134]
  • In the case of the latched source MAC address process, when a MAC address is “latched” on a given service interface, that MAC address will be recognized at the service interface no matter what other source MAC addresses are observed on the service interface in question or on any other service interface within the metropolitan area. [0135]
  • A MAC address can become latched in two ways. In the first method, the customer uses the provisioning system to latch the currently recognized MAC address. In the second method, the customer uses the provisioning system to put the service interface in “latched” mode. Then the source MAC address in the next properly formatted packet becomes the recognized and latched MAC address for the service interface provided it is unique across all service interfaces within the metropolitan area. If the new source MAC address is already being recognized at another service interface, the conflict is resolved as described below. [0136]
  • When the MAC address is first recognized, packets carrying the MAC address, either as source or destination, will be discarded for a period of time not to exceed 5 seconds, for example. [0137]
  • When a MAC address is “proposed” for recognition through any of the above methods, there is a check to see if the same MAC address is recognized at any other service interface in the metropolitan area. If there is a conflict, an error condition is noted by the network management system. [0138]
  • If the old and new service interfaces belong to different Accounts, the MAC address remains recognized at the old service interface. [0139]
  • If the old and new service interfaces belong to the same account, the MAC address will be recognized at either the new or old service interface. [0140]
  • The choice of the service interface where the MAC address will be recognized shown in Table 1 is dependent on the method used to establish recognition at the old service interface and the method being used at the new service interface. [0141]
    TABLE 1
    Service Interface Where MAC Address is Recognized - Single Account

    New service interface    Old service interface: Latched    Old service interface: Dynamic
    Latched                  Old service interface             New service interface
    Dynamic                  Old service interface             See Text
  • The case where both recognitions are based on dynamic learning is a special case. If the MAC address had been recognized at the old service interface for more than 1 minute, the MAC address becomes recognized at the new service interface. Else, the MAC address remains recognized at the old service interface. The reason for this procedure is to distinguish between duplicate MAC addresses and the legitimate move of customer-owned equipment from one service interface to another. [0142]
  • The system also checks for duplicate MAC addresses across metropolitan areas. However, this need not be done in real time. Furthermore, if a conflict is discovered across metropolitan areas, the customers involved will be notified. This will be done by notifying the contacts for the service interfaces as defined in the account provisioned for the service interface. The MAC addresses involved will continue to be recognized thus connectivity will not be impacted. [0143]
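The recognition rules above (dynamic learning with a hold-down, the Onlooker state, latching, and the duplicate-address resolution of Table 1) form one state machine per service interface with a metro-wide uniqueness check. The following is an added example, not code from the patent, that implements them with the page's timers (5 s hold-down, 5 min Onlooker guard, 1 min dynamic move threshold). Interface names, account names, MAC strings, result strings and class names are constructed for the example.

```python
"""Source MAC address recognition at secure MAN service interfaces (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOLD_DOWN_S = 5.0         # newly recognized address: packets discarded up to 5 s
ONLOOKER_GUARD_S = 300.0  # a second address within 5 min of another -> Onlooker
DYNAMIC_MOVE_S = 60.0     # dynamic/dynamic duplicate: moves only if old age > 1 min


@dataclass
class ServiceInterface:
    name: str
    account: str
    latched_mode: bool = False        # provisioning put the interface in "latched" mode
    recognized: Optional[str] = None  # currently recognized source MAC
    since: float = 0.0                # when recognition of that address began
    latched: bool = False             # recognized address is latched
    onlooker: bool = False            # all traffic to and from the interface discarded
    candidate: Optional[str] = None   # address being timed while in Onlooker
    candidate_since: float = 0.0


class RecognitionTable:
    def __init__(self) -> None:
        self.ifs: Dict[str, ServiceInterface] = {}
        self.conflicts: List[Tuple[str, str, str]] = []  # (mac, old_if, new_if) noted for NMS

    def add(self, name: str, account: str, latched_mode: bool = False) -> None:
        self.ifs[name] = ServiceInterface(name, account, latched_mode)

    def latch(self, name: str) -> None:
        """Provisioning action: latch the currently recognized address."""
        sif = self.ifs[name]
        if sif.recognized is not None:
            sif.latched = True

    def disconnect(self, name: str) -> None:
        """Customer equipment unplugged: a dynamic address becomes unrecognized."""
        sif = self.ifs[name]
        if not sif.latched:
            sif.recognized, sif.onlooker = None, False

    def _holder(self, mac: str) -> Optional[ServiceInterface]:
        return next((s for s in self.ifs.values() if s.recognized == mac), None)

    @staticmethod
    def _moves_to_new(old: ServiceInterface, new: ServiceInterface, now: float) -> bool:
        """Table 1, same account: does the duplicate address move to the new interface?"""
        if old.latched:
            return False                         # old latched: stays at old
        if new.latched_mode:
            return True                          # new latched, old dynamic: moves to new
        return now - old.since > DYNAMIC_MOVE_S  # both dynamic: the "see text" case

    def observe(self, name: str, src: str, now: float) -> str:
        """One properly formatted packet with source MAC `src` seen at interface `name`.

        Returns 'forward', 'hold' (recognized, still inside the hold-down),
        'onlooker', or 'discard' (source not recognized at this interface).
        """
        sif = self.ifs[name]
        if sif.onlooker:
            if src != sif.candidate:                 # another address: restart the timer
                sif.candidate, sif.candidate_since = src, now
            elif now - sif.candidate_since >= ONLOOKER_GUARD_S:
                sif.onlooker = False                 # one address held for 5 min: leave state
                sif.recognized, sif.since = src, sif.candidate_since
                return "forward"
            return "onlooker"
        if src == sif.recognized:
            return "hold" if now - sif.since < HOLD_DOWN_S else "forward"
        if sif.latched:
            return "discard"                         # latched: no other source is recognized
        if sif.recognized is not None and now - sif.since < ONLOOKER_GUARD_S:
            sif.onlooker = True                      # looks like a hub with several hosts
            sif.candidate, sif.candidate_since = src, now
            return "onlooker"
        holder = self._holder(src)                   # uniqueness check across the metro
        if holder is not None:
            self.conflicts.append((src, holder.name, name))
            if holder.account != sif.account or not self._moves_to_new(holder, sif, now):
                return "discard"                     # remains recognized at the old interface
            holder.recognized, holder.latched = None, False
        sif.recognized, sif.since = src, now         # recognized here; hold-down starts
        sif.latched = sif.latched_mode
        return "hold"
```

The `conflicts` list is what the network management system would see for every proposed duplicate, including the cross-account cases where connectivity is left unchanged.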
  • For point-to-point service, two service interfaces are associated. Packets sent into one of the service interfaces can only be delivered to the other service interface and vice-versa. The rules for delivery or discard for a packet sent into a service interface are based on the source and destination MAC addresses of the packets. These rules are laid out in Table 2. [0144]
    TABLE 2
    Delivery and Discard for point-to-point virtual connection service

    Source MAC address                               Destination MAC address                             Result
    Unrecognized, or Recognized at other than        Any                                                 Discard
    the Source service interface
    Recognized at Source service interface           Unicast and not Recognized at other                 Discard
                                                     service interface
    Recognized at Source service interface           Unicast and Recognized at other service             Deliver
                                                     interface
    Recognized at Source service interface           Multicast                                           Deliver
    Recognized at Source service interface           Broadcast                                           Deliver
  • For point-to-multipoint service, two or more service interfaces are associated. One of the service interfaces is designated as the Root while each remaining service interface is designated as a Leaf. The rules for delivery and discard for packets sourced at the Root are detailed in Table 3. The rules for delivery and discard for packets sourced at a Leaf are laid out in Table 4. [0145]
    TABLE 3
    Delivery and Discard for the Root service interface

    Source MAC address                               Destination MAC address                             Result
    Unrecognized, or Recognized at other than        Any                                                 Discard
    the Root service interface
    Recognized at Root service interface             Unicast and not Recognized at a Leaf                Discard
                                                     service interface
    Recognized at Root service interface             Unicast and Recognized at a Leaf service            Deliver to the Leaf service interface
                                                     interface
    Recognized at Root service interface             Multicast                                           Deliver to all Leaf service interfaces
    Recognized at Root service interface             Broadcast                                           Deliver to all Leaf service interfaces
    TABLE 4
    Delivery and Discard for a Leaf service interface [0146]

    Source MAC address                               Destination MAC address                             Result
    Unrecognized, or Recognized at other than        Any                                                 Discard
    the Source service interface
    Recognized at Source service interface           Unicast and not Recognized at the Root              Discard
                                                     service interface
    Recognized at Source service interface           Unicast and Recognized at the Root service          Deliver to the Root service interface
                                                     interface
    Recognized at Source service interface           Multicast                                           Deliver to the Root service interface
    Recognized at Source service interface           Broadcast                                           Deliver to the Root service interface
  • In multipoint-to-multipoint service, two or more service interfaces are associated. When there are only two service interfaces, the result is very similar to point-to-point virtual connection service. Most customers will have three or more service interfaces associated for this service. The rules for delivery and discard are presented in Table 5. [0147]
    TABLE 5
    Delivery and Discard for mesh multipoint-to-multipoint virtual connection service

    Source MAC address                               Destination MAC address                             Result
    Unrecognized, or Recognized at other than        Any                                                 Discard
    the Source service interface
    Recognized at Source service interface           Unicast and not Recognized at an associated         Discard
                                                     service interface
    Recognized at Source service interface           Unicast and Recognized at an associated             Deliver to the associated service interface
                                                     service interface
    Recognized at Source service interface           Multicast                                           Deliver to all other associated service interfaces
    Recognized at Source service interface           Broadcast                                           Deliver to all other associated service interfaces
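Tables 2 to 5 share one structure: a packet is discarded unless its source is the address recognized at the ingress interface, and a unicast destination is delivered only if it is recognized at an interface the ingress is permitted to reach; multicast and broadcast go to all permitted peers. The following is an added example, not code from the patent, that implements that decision for the three virtual connection types. It also covers the access-switch filtering described earlier for the FIG. 2 point-to-multipoint channel (root at link 101-1, clients at links 100-1, 102-1 and 103-1), since those leaf and root rules are Tables 4 and 3 applied per switch. Interface names, MAC addresses and class names are constructed; one recognized MAC per service interface is assumed, as the recognition process establishes.

```python
"""Delivery and discard decisions of Tables 2-5 (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


def is_group(mac: str) -> bool:
    """Multicast or broadcast: I/G bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class VirtualConnection:
    kind: str                     # "p2p", "p2mp" or "mp2mp"
    interfaces: FrozenSet[str]    # associated service interfaces
    root: Optional[str] = None    # designated Root, p2mp only


class DeliveryEngine:
    def __init__(self, vc: VirtualConnection, recognized: Dict[str, str]) -> None:
        self.vc = vc
        self.recognized = recognized                               # interface -> recognized MAC
        self.owner = {mac: sif for sif, mac in recognized.items()}  # MAC -> interface

    def reachable(self, ingress: str) -> Set[str]:
        """Interfaces the ingress interface is permitted to deliver to."""
        if self.vc.kind == "p2mp" and ingress != self.vc.root:
            return {self.vc.root}                  # a Leaf may only reach the Root (Table 4)
        return set(self.vc.interfaces) - {ingress}  # p2p peer, mp2mp mesh, or Root -> all Leaves

    def handle(self, ingress: str, src: str, dst: str) -> Set[str]:
        """Egress interfaces for a valid packet; an empty set means Discard."""
        if ingress not in self.vc.interfaces:
            return set()
        # Row 1: source unrecognized, or recognized at other than the ingress interface
        if self.recognized.get(ingress) != src:
            return set()
        peers = self.reachable(ingress)
        if is_group(dst):
            return peers                           # multicast/broadcast: all permitted peers
        egress = self.owner.get(dst)
        # Rows 2 and 3: a unicast destination must be recognized at a permitted peer
        return {egress} if egress in peers else set()


def fig2_channel() -> DeliveryEngine:
    """The FIG. 2 point-to-multipoint channel with constructed MAC addresses."""
    vc = VirtualConnection("p2mp", frozenset({"101-1", "100-1", "102-1", "103-1"}), root="101-1")
    macs = {"101-1": "00:00:5e:00:01:01", "100-1": "00:00:5e:00:01:00",
            "102-1": "00:00:5e:00:01:02", "103-1": "00:00:5e:00:01:03"}
    return DeliveryEngine(vc, macs)
```

A leaf-to-leaf unicast is dropped on row 2 at the leaf's own switch, and a leaf frame carrying the root's address as source is dropped on row 1; both failures happen before the frame reaches any other customer's demarcation point.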
  • Multiple classes of service are supported. Virtual connection service treats packets with different classes of service differently. The net effect is that the performance objectives vary by class of service. [0148]
  • There are two alternative methods in this example secure MAN network for determining the class of service for a packet: [0149]
  • A service interface can be configured such that all packets transmitted from the customer-owned equipment are treated with a specified class of service. [0150]
  • The Differentiated Services byte (DS byte) in the IP header identifies the class of service for a packet. [0151]
  • Examples of class of service include standard data service and expedited service. Standard data service is the service that gives the lowest level of performance and corresponds to what is currently available in IP networks. When the class is determined by the DS byte, the value 00000000 (binary) identifies fast data service. This is also the default Class of Service. [0152]
  • When fast data service is provisioned within an instance of virtual connection service, a bandwidth profile is specified. This causes the reserving of appropriate resources within the secure MAN network. When a fast data service packet is sent across the service interface into the secure MAN network, the virtual connection service will treat the packet as follows: [0153]
  • If the packet conforms to the bandwidth profile, the performance objectives for fast data service apply. [0154]
  • Else, no performance objectives apply. [0155]
  • Expedited service has significantly better performance objectives than fast data service. The values of the DS Byte for this class are 10111000 (binary) and 10100000 (binary). [0156]
  • When expedited service is provisioned within an instance of virtual connection service, a bandwidth profile is specified. This causes the reserving of appropriate resources within the secure MAN network. When a secure MAN Expedited Service packet is sent across the service interface into the secure MAN network, the virtual connection service will treat the packet as follows: [0157]
  • If the packet conforms to the bandwidth profile, the performance objectives for expedited service apply. [0158]
  • Else, no performance objectives apply. [0159]
  • In each instance of virtual connection service where the DS byte is used to determine the class of service for a packet, a minimum bandwidth profile and allocation of network resources are made for expedited service. The customer can increase this allocation through the provisioning system but the allocation can never be reduced below this minimum. [0160]
  • Additional classes of service and unrecognized DSCPs may also be provided for in the secure MAN. [0161]
  • When the DS byte is being used to determine the class of service, a packet sent across the service interface into the secure MAN network that has a DS byte value other than those specified is treated as a standard data service packet. Additional classes of service may be supported in the future. [0162]
  • Bandwidth profile is one parameter which may be associated with a virtual connection, or with other aspects of an account in the provisioning system. A bandwidth profile denoted BW(A, B) is based on two parameters: [0163]
  • B: the Maximum Burst Size (bytes) [0164]
  • A: the Average Bandwidth (bytes/msec) [0165]
  • Let $\{t_i\}$ denote the times that packets are received (arrival of the last bit) by the SIU and let $\{l_i\}$ be the lengths of the packets in bytes. Two quantities, $b(t_i)$ and $b'(t_i)$, are computed and the conformance of each packet to the Bandwidth Profile is determined by the following algorithm: [0166]
  • Step 1: Set $b'(t_i) = \min\{\, b(t_{i-1}) + A\,(t_i - t_{i-1}),\ B \,\}$. [0167]
  • Step 2: If $l_i \le b'(t_i)$, then the $i$th packet is conforming to the Bandwidth Profile and set $b(t_i) = b'(t_i) - l_i$; else the $i$th packet is not conforming and set $b(t_i) = b'(t_i)$. [0168]
  • The bandwidth profile can be thought of as a token bucket. Every millisecond, tokens, each representing a byte are added to the bucket at a rate equal to the average bandwidth. Each time a packet is received, tokens equal to the length of the packet are removed from the bucket. An arriving packet is conforming if the bucket contains at least the length of the packet in tokens. [0169]
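The two-step conformance algorithm above, carried through on a constructed packet trace, as an added example that is not part of the patent text. It assumes the bucket starts full (b = B before the first packet) and that the first packet's inter-arrival gap is zero; both are assumptions, since the page does not give the initial state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BandwidthProfile:
    """BW(A, B): A = average bandwidth in bytes/msec, B = maximum burst size in bytes."""
    A: float
    B: int


def check_conformance(profile: BandwidthProfile,
                      arrivals: List[Tuple[float, int]],
                      initial_tokens: Optional[int] = None) -> List[bool]:
    """Apply Step 1 / Step 2 to each (t_i, l_i) and return one conformance flag per packet.

    arrivals: list of (arrival time of last bit in msec, packet length in bytes), sorted by time.
    """
    # b(t_{i-1}) before the first packet; assumed to be a full bucket (B) unless given.
    b_prev = profile.B if initial_tokens is None else initial_tokens
    t_prev = arrivals[0][0] if arrivals else 0.0
    flags: List[bool] = []
    for t_i, l_i in arrivals:
        # Step 1: refill at rate A over the elapsed time, never above the burst size B.
        b_prime = min(b_prev + profile.A * (t_i - t_prev), profile.B)
        # Step 2: the packet conforms iff the bucket holds at least l_i tokens;
        # tokens are only removed for conforming packets.
        if l_i <= b_prime:
            flags.append(True)
            b_prev = b_prime - l_i
        else:
            flags.append(False)
            b_prev = b_prime
        t_prev = t_i
    return flags


# Constructed profile: 100 bytes/msec average, 1500-byte burst.
PROFILE = BandwidthProfile(A=100.0, B=1500)

# Constructed trace: (t_i in msec, l_i in bytes).
SAMPLE_ARRIVALS = [
    (0.0, 1500),   # drains the full bucket -> conforming, 0 tokens left
    (5.0, 1000),   # only 500 tokens refilled -> non-conforming, bucket stays at 500
    (10.0, 1000),  # 500 + 500 = 1000 tokens -> conforming, 0 left
    (10.5, 100),   # 50 tokens refilled -> non-conforming
    (40.0, 1500),  # long gap, bucket capped at B -> conforming
]

if __name__ == "__main__":
    for (t, l), ok in zip(SAMPLE_ARRIVALS, check_conformance(PROFILE, SAMPLE_ARRIVALS)):
        print(f"t={t:5.1f}ms len={l:5d} {'conforming' if ok else 'NON-conforming'}")
```

The second and fourth packets show the point of the rule: a non-conforming packet is still forwarded, it just loses the performance objectives, and it does not consume tokens, so the bucket keeps refilling for the next packet.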
  • Implementations of virtual connections that are part of secure MAN transmission service with respect to the switches in the secure MAN like that shown in FIGS. 17-20 are described in the following sections. [0170]
  • There are three types of virtual connection in this example, including point-to-point virtual connection, point-to-multipoint virtual connection and multipoint-to-multipoint virtual connection. [0171]
  • In a point-to-point virtual connection, unicast IP packets injected at one routed point and addressed to the other routed point are delivered to that other routed point, as are broadcast and multicast packets. Non-IP packets are discarded by this example service. It is envisioned that IP technology and services will evolve with time without departing from the present invention. [0172]
  • When a point-to-point virtual connection is provisioned, endpoints of virtual connection (service interfaces that will be attached to this virtual connection and demarcation devices attached to those service interfaces) are identified. Point of Presence POP switches, also called access switches and switch ports connected to demarcation devices are also identified. [0173]
  • Selection and configuration of a VLAN in support of virtual connections in this example secure MAN is done using network zones. Network Zones are defined in order to optimize VLAN broadcast/multicast containment. Demarcation devices are grouped within Network Zones. Typically, the grouping will correspond to geographic location, but this is not a requirement. [0174]
  • To assign a VLAN ID to Virtual connection, the Network Zones in which endpoints of the virtual connection reside are identified. It is determined if both endpoints are in the same zone or not. Each Network Zone in a metro area has some number, say 50, VLANs assigned to it. Some of the assigned VLANs, say 25 VLANs, are designated as IntraZone VLANs and are used for point-to-point virtual connections that originate and terminate in the same zone. The others of the assigned VLANs are designated as InterZone VLANs and are used for point-to-point virtual connections that span multiple zones. VLANs must be assigned such that no two Virtual connections configured in any one demarcation device use the same VLAN id. Otherwise, cross talk between the two Virtual connections will occur. [0175]
  • Conceptually, VLAN assignments can be maintained in a table in order to satisfy the requirements for mutual exclusion and network optimization. Table 6 is illustrative of VLAN assignment maintenance: [0176]
    TABLE 6
    Metro Virtual Demarcation
    VLAN id Area id connection id id
     2 10 LW0001 D0001
     2 10 LW0001 D0002
    27 10 LW0002 D0001
    27 10 LW0002 D0005
    52 10 LW0003 D0001
    52 10 LW0003 D0004
  • The following equations are used to calculate the VLAN ID that is to be configured on service interfaces being provisioned for an IntraZone point-to-point virtual connection. [0177]
  • Let D1 and D2 denote the demarcation devices corresponding to the first and second endpoints specified in a point-to-point provisioning request respectively. [0178]
  • The VLAN ID will be assigned from the range of IDs assigned to the Zone for IntraZone use. The starting value of the range is computed from the following formula, where Network Zone Number is a unique number assigned to the Network Zone in a metropolitan area: [0179]
  • $\text{Vid-Min}_{\text{IntraZone virtual connection}} = ((\text{Network Zone Number} - 1) \bmod 20) \times 50 + 2$
  • Service center IDs (also called network zone IDs) may be assigned sequentially in a metro area starting with 1. This makes the maintenance and calculations easy. If not assigned sequentially, a mapping table is created that maps a service center ID to a VLAN ID address space. [0180]
  • Once the VLAN ID range is identified, the lowest VLAN ID that is not in use on both D1 and D2 is used. [0181]
  • The highest permissible VLAN ID value for Intrazone Point-to-Point Virtual connection is Vid−Min+25. [0182]
  • The following equation is used to calculate the VLAN ID that is to be configured on service interfaces being provisioned for an InterZone point-to-point virtual connection. [0183]
  • Let D1 and D2 denote the demarcation devices corresponding to the first and second endpoints specified in a point-to-point provisioning request respectively. A VLAN ID will be selected from the least used range of the two participating Zones. The starting values of the ranges associated with D1 and D2 are computed from the following formulas: [0184]
  • $\text{Vid-Min-D}_1{}_{\text{InterZone virtual connection}} = ((\text{Network Zone Number}(D_1) - 1) \bmod 20) \times 50 + 27$
  • $\text{Vid-Min-D}_2{}_{\text{InterZone virtual connection}} = ((\text{Network Zone Number}(D_2) - 1) \bmod 20) \times 50 + 27$
  • For each demarcation device, find the lowest VLAN ID in the computed range, that is not already in use within the device. [0185]
  • From the two possible VLAN ID values, choose the lowest ID with respect to the range of each. For example, if the computed Vid-Min-D1 value is 27, with 27-30 in use on D1, and Vid-Min-D2 is 127, with 127-128 in use, the VLAN ID 129 will be assigned, since its value with respect to 127 (2) is lower than ID 31 with respect to 27 (4). [0186]
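The IntraZone and InterZone VLAN ID selection just described, as an added worked example (not code from the patent or its assignee). It implements the two starting-value formulas and the "lowest offset with respect to its range" rule, and reproduces the 27/127 example above. Assumptions are marked in the code: zone numbers are taken as sequential (no mapping table), the InterZone range is taken to be the rest of the 50-ID block, and the chosen ID is additionally required to be free on both devices, which is the cross-talk rule stated for any one demarcation device.

```python
from typing import Set

VLANS_PER_ZONE = 50      # each zone owns a 50-ID block (from the formulas)
ZONE_MODULO = 20         # zone numbers wrap modulo 20 (from the formulas)
INTRA_OFFSET = 2         # IntraZone range starts at block start + 2
INTER_OFFSET = 27        # InterZone range starts at block start + 27
INTRA_SPAN = 25          # highest permissible IntraZone ID is Vid-Min + 25
INTER_SPAN = 24          # ASSUMPTION: InterZone range is the rest of the block (27..51)


def zone_block_start(zone_number: int) -> int:
    """Shared prefix of both formulas: ((Network Zone Number - 1) MODULO 20) * 50."""
    return ((zone_number - 1) % ZONE_MODULO) * VLANS_PER_ZONE


def intra_zone_min(zone_number: int) -> int:
    return zone_block_start(zone_number) + INTRA_OFFSET


def inter_zone_min(zone_number: int) -> int:
    return zone_block_start(zone_number) + INTER_OFFSET


def lowest_free(vid_min: int, span: int, *in_use: Set[int]) -> int:
    """Lowest ID in [vid_min, vid_min + span] absent from every given in-use set."""
    for vid in range(vid_min, vid_min + span + 1):
        if all(vid not in used for used in in_use):
            return vid
    raise RuntimeError(f"no free VLAN ID in range {vid_min}..{vid_min + span}")


def assign_p2p_vlan(zone_d1: int, zone_d2: int,
                    used_d1: Set[int], used_d2: Set[int]) -> int:
    """Pick the VLAN ID for a point-to-point virtual connection between D1 and D2.

    used_dN: VLAN IDs already configured on demarcation device N (Table 6 style).
    """
    if zone_d1 == zone_d2:
        # IntraZone: lowest ID in the zone's IntraZone range unused on both devices.
        return lowest_free(intra_zone_min(zone_d1), INTRA_SPAN, used_d1, used_d2)

    # InterZone: one candidate per device's zone range. ASSUMPTION: the candidate
    # must be free on both devices, so configuring it on the peer cannot cross-talk.
    min_d1, min_d2 = inter_zone_min(zone_d1), inter_zone_min(zone_d2)
    cand_d1 = lowest_free(min_d1, INTER_SPAN, used_d1, used_d2)
    cand_d2 = lowest_free(min_d2, INTER_SPAN, used_d1, used_d2)
    # Choose the candidate with the smaller offset from its own range start
    # (the "least used range"); ties go to D1's range.
    return cand_d1 if (cand_d1 - min_d1) <= (cand_d2 - min_d2) else cand_d2


if __name__ == "__main__":
    # The page's example: D1 in zone 1 with 27-30 in use, D2 in zone 3 with 127-128 in use.
    print(assign_p2p_vlan(1, 3, {27, 28, 29, 30}, {127, 128}))   # 129
    # Table 6: D0001 already carries VLANs 2, 27 and 52; a new IntraZone
    # connection D0001 <-> D0002 in zone 1 takes the next free IntraZone ID.
    print(assign_p2p_vlan(1, 1, {2, 27, 52}, {2}))               # 3
```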
  • Selected VLAN is configured on identified demarcation devices; identified service interfaces are configured in the new VLAN. Service interfaces are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged). Network ports (towards secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through. [0187]
  • A selected VLAN is configured on identified POP switches (if not already configured). The access port on the POP switch connected to the identified demarcation device is configured in the selected VLAN allowing only tagged frames in and out of the port. If the POP switch supports the Generic VLAN Registration Protocol GVRP, the upstream port(s) will propagate this VLAN to local switches. Upstream switches will propagate this VLAN in other parts of the network. The upstream ports (from the POP switch) will also process the incoming GVRP requests. [0188]
  • If GVRP is not supported by a POP (and/or local/regional) switch, VLANs are configured manually on all switches and ports in the path between the endpoints of the virtual connection (including redundant paths). By “manual configuration,” it is meant that the configuration files are not self-propagating, such as in a protocol like GVRP, but require some user intervention to set up and/or modify across the network. [0189]
  • Security filters are configured as part of the process of provisioning virtual connections. When the customer endpoint (demarcation device MAC address) is known on a service interface being provisioned, the MAC address is configured in a source address filter on the access port on the POP switch. This filter forces packets out of the port coupled to a customer access point (if on the same POP switch) or network port (if not on the same POP switch). This source address filter is also configured on the network port of the other POP switch (connected to other endpoint of virtual connection, if required) forcing packets out of the correct access port. [0190]
  • If the customer endpoint is unknown at the current time, the above filter configuration is done after a successful authentication has been performed after learning the endpoint MAC address. [0191]
  • Examples of secure MAN configurations for point-to-point virtual connections are given in FIGS. 17-20. [0192]
  • FIG. 17 illustrates a secure MAN arranged in one example configuration. The secure MAN includes a plurality of demarcation devices; in this example demarcation devices 600, 601, 602 and 603 are illustrated. The demarcation devices are connected to point of presence POP switches in the secure MAN. Thus, the demarcation devices 600, 601 are coupled to the POP switch 605 across lines 606 and 607 respectively. Demarcation device 602 is coupled to POP switch 608 across line 609. Demarcation device 603 is coupled to POP switch 610 across line 611. The POP switches 604, 608, 610 are connected to local layer 2 switches 614 and 612. The local layer 2 switches 614, 612 are coupled to a regional layer 2 switch 613. The regional layer 2 switch 613 may be coupled to other regional sites by a long haul network or otherwise as indicated by the arrow 615. Switches 613, 612, 614, 605, 608, 610 may be in collocation sites. [0193]
  • The hierarchy illustrated in FIG. 17 is merely one example. A wide variety of architectures for the switches could be utilized according to the present invention. For example, a regional switch may also act as a POP switch, and local switches may not be used. For simplicity, redundancy is omitted from the example, although such redundancy would be implemented in many instances of the invention. [0194]
  • Two virtual connections V1, V2 are illustrated in FIG. 17. Virtual connection V1 is a point-to-point channel between the service interface R1 on demarcation device 600 and R3 on demarcation device 601. The virtual connection V2 is a point-to-point channel between the service interface R2 on demarcation device 600, and the service interface R4 on demarcation device 602. [0195]
  • Each of the layer 2 switches in the network illustrated can be implemented using a basic layer 2 architecture such as that illustrated in connection with the POP switch 605. Each port of the switch includes a source address and destination address filter 620. Also associated with the switch 605 is a VLAN filter 621. The demarcation devices 600-603 include client side ports, such as the ports R1 through R4, and one or more service access ports, such as the port coupled to line 606. In one embodiment, the client side ports receive layer 2 packets carrying source and destination addresses followed by a Type field and an Internet Protocol payload, as is well known in the art. At the demarcation device 600, a VLAN tag is added to the frame, to associate the tag with a virtual connection. [0196]
  • In operation, the demarcation device 600 sends a frame from port R1 out on line 606 carrying the VLAN tag V1. The source/destination address filters (e.g. 620) in the switch 605 are configured to recognize the source and destination addresses of the frame. The frame will be accepted in the switch at the port only if it has a recognized source address on that port. The VLAN filter 621 on the switch 605 will identify the outgoing ports on the switch 605 which are configured to receive the packet carrying that VLAN tag and that source address. Thus, a port coupled to line 620 passes the packet received from the port R1 on line 620 to the local layer 2 switch 614. Likewise, the port coupled to line 607 passes the packet carrying the VLAN tag V1 towards the port R3. The VLAN filter 621 recognizes the packet as a member of the virtual connection V1, and allows it to be sent outgoing on the port coupled to line 620 and on the port coupled to line 607. [0197]
  • For the virtual connection V2, the source and destination address filter 620 accepts the packet at switch 605. The VLAN filter 621 limits the outgoing path for the packet to the port connected to line 620. The packet is forwarded up the tree towards the local layer 2 switch 614. Layer 2 switch 614 allows the packet to be transmitted only on line 625 to the POP layer 2 switch 608. [0198]
  • As can be seen in FIG. 17, virtual connections remain confined to their logical Network Zone delimited by the local switches 611, 612, i.e., V1 and V2 never cross the Network Zone 1 boundary above local switch 1. The upstream port on local switch 1 is not a member of V1 or V2. Therefore packets in V1 and V2 are not forwarded by local switch 1 on its upstream port to the regional switch. At the same time, source address filters ensure delivery of packets to only the correct recipient. [0199]
  • In FIG. 18, the network switch and access point configuration and VLAN ID assignment remain the same. However, a point-to-point virtual connection is provisioned between R1 and R3 in the Network Zone served by local switch 614, while another virtual connection is provisioned between R2 and R5, served by local switch 614 and local switch 612 respectively, and thus across Network Zones. For simplicity, redundancy is omitted. VLAN ID V26 is selected for the non-local virtual connection from R2 to R5. [0200]
  • Only VLAN 26 crosses the Network Zone boundary. Local VLANs in Network Zone 1 remain local. Local switch 1 propagates V26 to its upstream regional switch, thus creating a forwarding path across the regional switch 613 to local switch 612 and demarcation device 603. [0201]
  • For the embodiment of FIG. 18, packets from the port connected to R1 in the virtual connection V1 are accepted in the source and destination address filter 620 of POP switch 605 and allowed to pass on the port connected to line 623 up to the layer 2 switch 614. The packets are blocked by the VLAN filter 621 on the other ports of the POP switch 605. At the switch 614, the packet from virtual connection V1 is allowed out on the port coupled to line 625, and not on other ports. At switch 608, the packet in the virtual connection V1 is allowed out on the line 609 to the demarcation device 602, and on to the destination R3. Similar filtering occurs in the reverse direction from the end station R3 to the end station R1. Packets within the virtual connection V26 are allowed into the switch 605, and propagated to the switch 614. At switch 614, packets for virtual connection V26 are passed up to the switch 613, where they are propagated through switch 612 and switch 610 and on to the demarcation device 603, where they are delivered to the destination R5. The logical construct of network zones being defined by a layer of switches in a network, such as the switches 614 and 612 in this example, can be used for the management of the VLAN IDs, and other network addressing functions. In some embodiments of the network, no such network zone logical construct is necessary. [0202]
  • In a point-to-multipoint virtual connection, a unicast IP packet injected by the root node and destined to one of the leaf nodes is delivered to that leaf node, while a multicast/broadcast packet is delivered to all leaf nodes. Unicast, multicast and broadcast packets injected by a leaf node and destined to the root node are delivered to the root node. No packets from one leaf node are delivered to another leaf node, though. [0203]
  • When a point-to-multipoint virtual connection is provisioned, the endpoints (service interfaces that will be attached to this virtual connection and demarcation devices attached to those service interfaces) are identified. POP switches (and access ports) connected to those demarcation devices are also identified. [0204]
  • A separate VLAN is used for each point-to-multipoint virtual connection. The lowest VLAN ID available in the range assigned to point-to-multipoint virtual connection is used to provision this virtual connection. [0205]
  • The selected VLAN is configured on the demarcation devices necessary to support the virtual connection; identified service interfaces are configured in the new VLAN. Service interfaces on the customer side are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged). Network ports (towards the secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through. [0206]
  • The selected VLAN is configured on the POP switch (if not already configured). The access port on POP switch connected to the demarcation device is also configured in the selected VLAN allowing only tagged frames in and out of the port. If the POP switch supports GVRP, the upstream port(s) will propagate this VLAN to other parts of the network. The upstream ports will also process the incoming GVRP requests. [0207]
  • If GVRP is not supported by a POP switch (and/or local/regional switches), VLANs are configured manually on all switches and ports in the path between the root node and each leaf node on the virtual connection (including the redundant paths). [0208]
  • The configuration of security filters for a point-to-multipoint virtual connection is described with reference to the example in FIG. 19, which shows the same network switch configuration as FIGS. 17 and 18. [0209]
  • Generally, if the root node endpoint R2 (router MAC address) is known on a service interface being provisioned at demarcation device 603, the MAC address is configured in a source address filter on the access port on POP switch 610 (leading to the root node) allowing packets to be forwarded. For each known leaf node (whose MAC address is known) that resides on the same POP switch 610 as the root node, a source address filter (with the leaf node's address) is configured on the leaf node port on the POP switch, forcing packets to egress from the port leading to the root node. [0210]
  • For each known leaf node R4, R1 (whose MAC address is known) that resides on a different POP switch than the root node, a VLAN filter and/or a source address filter (with the leaf node's address) is configured on the network port of the root POP switch 603, allowing packets to egress from the port leading to the root node 615. On every POP switch 608, 600 that leads to one of the leaf nodes, a source address filter (with the leaf node's address) is configured on the access port, allowing packets out of the network port. A source address filter (with the root node's address) on the network port of the same POP switch and/or a VLAN filter also allows the packets to egress from the correct leaf node port. [0211]
  • If a customer endpoint (root node/leaf node) is unknown at the current time, the above filter configuration is done after a successful authentication when address of the endpoint is learned. [0212]
  • FIG. 19 shows a point-to-multipoint virtual connection from R2 to R1 and R4. As can be seen, the VLAN V1 crosses those branches that lead to member ports (root/leaf nodes). Security source address filters on POP switches ensure that the root node can reach all the leaf nodes (R1, R4) while leaf nodes (R1, R4) can only reach the root node (R2). [0213]
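The root/leaf reachability property of FIG. 19, and the per-port source and destination address checks spelled out in claims 2 and 3, as an added model that is not part of the patent text. Each access port filter knows the MAC learned on its own service interface and the set of peers that endpoint may talk to (the root knows every leaf; a leaf knows only the root); a frame is delivered only if it passes the ingress filter on the sender's access port and the egress filter on the receiver's. The MAC addresses, the VLAN ID and the frames are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: int


class AccessPortFilter:
    """Source/destination address filter on the POP-switch port facing one demarcation point."""

    def __init__(self, local: str, peers: Set[str], vlan: int):
        self.local = local    # MAC address learned/authenticated on this service interface
        self.peers = peers    # addresses this endpoint is allowed to exchange packets with
        self.vlan = vlan      # the virtual connection's VLAN (the VLAN filter)

    def accept_from_demarcation(self, f: Frame) -> bool:
        # Customer-side ingress: source must be the learned MAC, destination a peer or a group address.
        return (f.vlan == self.vlan and f.src == self.local
                and (is_group_address(f.dst) or f.dst in self.peers))

    def accept_to_demarcation(self, f: Frame) -> bool:
        # Network-side egress toward the customer: source must be a peer, destination us or a group address.
        return (f.vlan == self.vlan and f.src in self.peers
                and (is_group_address(f.dst) or f.dst == self.local))


def build_p2mp_filters(root: str, leaves: Set[str], vlan: int) -> Dict[str, AccessPortFilter]:
    """Root port recognises all leaves; each leaf port recognises only the root."""
    filters = {root: AccessPortFilter(root, set(leaves), vlan)}
    for leaf in leaves:
        filters[leaf] = AccessPortFilter(leaf, {root}, vlan)
    return filters


def deliver(filters: Dict[str, AccessPortFilter], ingress_endpoint: str, frame: Frame) -> List[str]:
    """Endpoints that receive `frame` injected on `ingress_endpoint`'s service interface."""
    if not filters[ingress_endpoint].accept_from_demarcation(frame):
        return []   # dropped at the sender's access port (e.g. spoofed source, leaf-to-leaf unicast)
    return sorted(ep for ep, flt in filters.items()
                  if ep != ingress_endpoint and flt.accept_to_demarcation(frame))


# Constructed addresses for the FIG. 19 roles: R2 is the root, R1 and R4 are leaves.
ROOT = "00:00:5e:00:00:01"
LEAF1 = "00:00:5e:00:00:02"
LEAF2 = "00:00:5e:00:00:03"
VLAN_V1 = 1   # constructed VLAN ID standing in for V1
FILTERS = build_p2mp_filters(ROOT, {LEAF1, LEAF2}, VLAN_V1)

if __name__ == "__main__":
    print(deliver(FILTERS, ROOT, Frame(ROOT, LEAF1, VLAN_V1)))        # [LEAF1]
    print(deliver(FILTERS, ROOT, Frame(ROOT, BROADCAST, VLAN_V1)))    # both leaves
    print(deliver(FILTERS, LEAF1, Frame(LEAF1, ROOT, VLAN_V1)))       # [ROOT]
    print(deliver(FILTERS, LEAF1, Frame(LEAF1, LEAF2, VLAN_V1)))      # [] leaf-to-leaf blocked
    print(deliver(FILTERS, LEAF1, Frame(LEAF1, BROADCAST, VLAN_V1)))  # [ROOT] only, not LEAF2
    print(deliver(FILTERS, LEAF1, Frame(LEAF2, ROOT, VLAN_V1)))       # [] spoofed source dropped
```

Two cases are worth checking in any real configuration: a leaf broadcast reaches the root but is discarded at the other leaf's network port because its source is not the root, and a frame whose source address does not match the MAC learned on the ingress port never leaves the access switch, which is what makes the per-port source filter the enforcement point rather than the VLAN alone.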
  • A multipoint-to-multipoint virtual connection is used to connect multiple routed points together and is especially useful to extend a campus LAN (minus bridging over the secure MAN network). The definition and implementation is described below for one embodiment. [0214]
  • In a multipoint-to-multipoint virtual connection, a unicast IP packet injected by a member and destined to one of the other members is delivered to the other member while a multicast/broadcast packet is delivered to all the members. [0215]
  • When a multipoint-to-multipoint virtual connection is provisioned, the endpoints (service interfaces) that will be attached to this virtual connection and demarcation devices attached to those service interfaces are identified. POP switches (and access ports) connected to demarcation devices are also identified. [0216]
  • A separate VLAN is used for each multipoint-to-multipoint virtual connection. The highest VLAN ID available in the range assigned to multipoint-to-multipoint virtual connection is used to provision this virtual connection. Selecting the highest available VLAN ID for a multipoint-to-multipoint virtual connection makes point-to-multipoint and multipoint-to-multipoint virtual connections consume VLAN IDs from opposite sides. Based on the customer demand, one type of virtual connections may consume more VLAN IDs than the other. If all the available VLAN IDs are consumed, they wrap around and start sharing already used VLAN IDs. It stretches the broadcast domain, but does not affect the service availability or security of secure MAN service. [0217]
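The opposite-ends allocation policy described in this paragraph (point-to-multipoint takes the lowest free ID, multipoint-to-multipoint the highest, and both wrap around and share IDs once the range is exhausted), as an added example that is not code from the patent or its assignee. The range bounds are constructed; the page does not give the size of the range assigned to multipoint connections, and which already-used ID gets shared on wrap-around is an assumption (the least-loaded one in the same search order).

```python
from typing import Dict, Iterable, List


class MultipointVlanPool:
    """VLAN ID range shared by point-to-multipoint and multipoint-to-multipoint virtual connections."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        # Number of virtual connections currently carried by each VLAN ID.
        self.share_count: Dict[int, int] = {v: 0 for v in range(low, high + 1)}

    def _allocate(self, order: Iterable[int]) -> int:
        order = list(order)
        for vid in order:
            if self.share_count[vid] == 0:
                self.share_count[vid] = 1
                return vid
        # Range exhausted: wrap around and share an ID that is already in use.
        # ASSUMPTION: pick the least-loaded ID, first in search order on ties.
        vid = min(order, key=lambda v: self.share_count[v])
        self.share_count[vid] += 1
        return vid

    def allocate_p2mp(self) -> int:
        """Point-to-multipoint: lowest available ID, searching upward from the bottom."""
        return self._allocate(range(self.low, self.high + 1))

    def allocate_mp2mp(self) -> int:
        """Multipoint-to-multipoint: highest available ID, searching downward from the top."""
        return self._allocate(range(self.high, self.low - 1, -1))

    def shared_ids(self) -> List[int]:
        """IDs carrying more than one virtual connection: their broadcast domain is stretched."""
        return sorted(v for v, n in self.share_count.items() if n > 1)


def allocation_demo() -> List[int]:
    """Exhaust a constructed 4-ID range with alternating requests, then wrap around."""
    pool = MultipointVlanPool(100, 103)
    seq = [pool.allocate_p2mp(), pool.allocate_mp2mp(),
           pool.allocate_p2mp(), pool.allocate_mp2mp(),
           pool.allocate_p2mp(), pool.allocate_mp2mp()]   # last two wrap around
    return seq


if __name__ == "__main__":
    print(allocation_demo())   # [100, 103, 101, 102, 100, 103]
```

Sharing an ID merges two virtual connections into one VLAN broadcast domain, so after wrap-around `shared_ids()` is the list a defender would want to monitor: those are the connections relying entirely on the source address filters, not on VLAN separation, for isolation.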
  • The selected VLAN is configured on demarcation devices; identified service interfaces are configured in the new VLAN. Service interfaces are configured to receive only untagged frames and only the selected VLAN is allowed out of service interfaces (untagged). Network ports (towards the secure MAN network) on demarcation devices are configured in the new VLAN allowing only tagged frames to pass through. [0218]
  • The selected VLAN is configured on the POP switch (if not already configured). The access port on POP switch connected to the demarcation device is also configured in the selected VLAN allowing only tagged frames in and out of the port. If POP switch supports GVRP, the upstream port(s) will propagate this VLAN to other parts of the network. The upstream ports will also process the incoming GVRP requests. [0219]
  • If GVRP is not supported by a POP switch (and/or local/regional switches), VLANs are configured manually on all switches and ports in the path between all pairs of members on the virtual connection (including redundant paths). [0220]
  • Configuration of source address security filters can be understood with reference to the example in FIG. 20. Generally, if the endpoint R1 (e.g., router MAC address) is known on a service interface being provisioned, the MAC address is configured in a source address filter 620 on the access port on the POP switch 605. A source filter is also configured on the network port of those POP switches 608, 610 that lead to other member nodes on this virtual connection. This filter, along with MAC address lookup on the egress POP switch, will correctly deliver the unicast packets to the correct member node and multicast/broadcast packets to all member nodes on that switch. [0221]
  • If the customer endpoint is unknown at the current time, the above filter configuration is done after a successful authentication when address of the endpoint is learned. [0222]
  • FIG. 20 shows a multipoint-to-multipoint virtual connection among R1, R2, and R4. As can be seen, the assigned VLAN V1 is configured in the VLAN filters 621, to reach all member nodes while source address security filters on POP switches 605, 608, 610 allow any member to talk to any other member. [0223]
  • FIG. 21 shows a spanning tree configuration for interior switches according to a preferred embodiment. The solid filled circles on the switches correspond to designated ports according to the Spanning Tree Protocol. The unfilled circles on the switches correspond to root ports, and the ports marked by parallel lines crossing the link are alternate ports in a blocking mode. The root of the tree is switch P1. Switch P1 has designated ports coupled via links 1-2, 2-1, 1-3, and 5-1, to root ports on switches P2, P2, P3, and P5, respectively. Also, it includes a designated port coupled via an internal link to an alternate port on switch P8. Switch P2 has designated ports coupled to root ports via links 6-2 and 2-4 on switches P6 and P4, respectively. Also, a designated port on switch P2 is coupled to an alternate port on switch P7. Switch P3 has a designated port coupled via link 3-7 to a root port on switch P7. Also, a designated port on switch P3 is coupled via an internal link to an alternate port on switch P6. A designated port on switch P4 is coupled via link 4-8 to a root port on switch P8. Also a designated port on switch P4 is coupled via an internal link to an alternate port on switch P5. [0224]
  • FIG. 22 illustrates a fiber ring network extending around a path of about 20 miles, which is made of bundles of fibers laid in right of ways within a metropolitan area. Segments of the ring are logically partitioned as segments of an ethernet network, configured as a tree, rather than a ring, illustrating a layout according to the present invention other than the cross-connected broken ring. Switches in the tree comprise standard 100 Megabit, Gigabit or higher ethernet switches configured according to the Spanning Tree Protocol, or variations of the Spanning Tree Protocol. [0225]
  • In FIG. 22, switch P1 is a root of the tree, labeled P1, 0, P1 to indicate that the root of the tree is P1, the distance to the root is 0, and the upstream (toward the root) switch is P1. The interconnection of the tree can be understood by the upstream links for the switches. Thus there are no upstream links from switch P1. Switch P2 (P1, 1, P1) is connected by fibers F1 and F2 to switch P1. Switch P3 (P1, 2, P2) is connected by fiber F7 to switch P2. Fibers I1 and I2 are configured as backup links to switch P1 from switch P3. Switch P4 is connected by fibers F3 and F4 to switch P1. Fibers I3 and I4 are connected as backup links to switch P2 from switch P4. Switch P5 is connected by fibers F5 and F6 to switch P1. Fiber F8 is connected as a backup link from switch P5 to switch P2. Switch P6 is connected by fibers F9 and F10 to switch P2. Fiber F12 is a backup link from switch P6 to switch P5. Switch P7 is connected by fiber F11 to switch P3. Fibers I5 and I6 act as backup links to switch P5 from switch P7. Switch P8 is connected by fiber F13 to switch P5. Fibers I7 and I8 are connected as backup links from switch P8 to switch P6. [0226]
  • The fibers F1 to F13 and I1 to I8 comprise dark fibers in the fiber ring, which have been partitioned as point to point fiber segments in the tree as shown. Thus, fiber of a single ring can be re-used spatially. That is, segments of a single ring can be used independently for point-to-point links in the tree. [0227]
  • While the present invention is disclosed by reference to the preferred embodiments and examples detailed above, it is to be understood that these examples are intended in an illustrative rather than in a limiting sense. It is contemplated that modifications and combinations will readily occur to those skilled in the art, which modifications and combinations will be within the spirit of the invention and the scope of the appended claims. [0228]

Claims (19)

What is claimed is:
1. A method of providing a point to multipoint communication channel in a metropolitan area network among a plurality of demarcation points having unique addresses, comprising:
identifying a particular demarcation point in the network as a root of the channel, and a plurality of client demarcation points in the network as leaves of the channel; and
configuring switches in the network so that
client demarcation points can only exchange packets on the network with the particular demarcation point, and not with other client demarcation points; and so that
the particular demarcation point can exchange packets on the network with the plurality of client demarcation points.
2. The method of claim 1, wherein a switch attached to a respective client demarcation point in the plurality of client demarcation points is configured to recognize addresses of the particular demarcation point and of the respective client demarcation point, to forward onto the network packets received on ports coupled to the respective client demarcation points carrying source addresses equal to the address of the respective client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the respective demarcation points packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and destination addresses equal to one of a multicast address, a broadcast address and the address of the respective client demarcation point, and to discard other packets.
3. The method of claim 1, wherein a switch coupled to the particular demarcation point identified as the root is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points, to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, and to discard other packets, to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets.
4. The method of claim 1, wherein said configuring includes allocating the particular demarcation point identified as the root and the plurality of client demarcation points a virtual LAN identifier.
5. The method of claim 1, wherein the switches execute a communication protocol for a switched LAN with multicast capability.
6. The method of claim 1, wherein the switches execute a protocol compliant with an Ethernet standard.
7. The method of claim 1, wherein the network includes a service interface unit, the service interface unit having a service interface coupled via a link to a customer device having a unique MAC address, and having a network interface coupled via a link to one of said switches, and wherein said demarcation points comprise service interfaces on service interface units.
8. The method of claim 1, wherein the switches execute a layer two protocol for routing traffic among said demarcation points.
9. The method of claim 1, including:
organizing switches according to a network architecture and placing security functions within that architecture;
assuring a unique identity for each device connected to a service interface anywhere within the network; and
checking said identities at points identified within the network architecture.
10. The method of claim 9, wherein said network architecture includes a switched network managed according to a spanning tree protocol.
11. The method of claim 9, wherein said network architecture includes a switched network managed according to a spanning tree protocol, and wherein the architecture includes a plurality of switches organized into access switches and interior switches, the access switches coupled to service interface units acting as demarcation points and the interior switches interconnecting the access switches, and wherein said security functions are placed in the access switches, and wherein said unique identity is provided by MAC addresses of devices coupled to the service interface units.
12. A metropolitan area network including a point-to-multipoint channel, comprising:
a plurality of communication links which traverse a metropolitan area;
a plurality of switches coupled to the communication links, the switches including access switches and interior switches; and
a plurality of demarcation points coupled to access switches in the plurality of switches, the demarcation points comprising service interfaces to the network having unique addresses;
wherein the plurality of access switches are configured to identify a particular demarcation point in the plurality of demarcation points as a root of the channel, and a plurality of client demarcation points in the plurality of demarcation points as leaves of the channel, and so that
client demarcation points can only exchange packets on the network with the particular demarcation point, and not with other client demarcation points; and so that
the particular demarcation point can exchange packets on the network with the plurality of client demarcation points.
13. The network of claim 12, wherein an access switch attached to a respective client demarcation point in the plurality of client demarcation points is configured to recognize addresses of the particular demarcation point and of the respective client demarcation point, to forward onto the network packets received on ports coupled to the respective client demarcation points carrying source addresses equal to the address of the respective client demarcation point and a destination address which is one of a multicast address, a broadcast address and the address of the particular demarcation point, to forward onto a port coupled to the respective demarcation points packets received on ports coupled to the network carrying the source addresses of the particular demarcation point, and destination addresses equal to one of a multicast address, a broadcast address and the address of the respective client demarcation point, and to discard other packets.
14. The network of claim 12, wherein an access switch coupled to the particular demarcation point identified as the root is configured to recognize the address of the particular demarcation point and addresses of the plurality of client demarcation points, to forward on a port coupled to the network packets received on a port coupled to the particular demarcation point carrying the source address of the particular demarcation point and a destination address equal to one of a multicast address, a broadcast address and the address of one of the plurality of client demarcation points, and to discard other packets, and to forward on a port coupled to the particular demarcation point packets received on a port coupled to the network carrying the source address of one of the plurality of client demarcation points and a destination address equal to one of a multicast address, a broadcast address and the address of the particular demarcation point, and to discard other packets.
15. The network of claim 12, wherein the plurality of switches execute a communication protocol for a switched LAN with multicast capability.
16. The network of claim 12, wherein the plurality of switches execute a protocol compliant with an Ethernet standard.
17. The network of claim 12, wherein the network includes a service interface unit, the service interface unit having a service interface coupled via a link to a customer device having a unique MAC address, and having a network interface coupled via a link to one of said access switches, and wherein said demarcation points comprise service interfaces on service interface units.
18. The network of claim 12, wherein the plurality of switches execute a layer two protocol for routing traffic among said demarcation points.
19. The network of claim 12, wherein the plurality of switches are configured to execute a spanning tree protocol.
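The forwarding rules in claims 3, 13 and 14 are the whole security mechanism of the point-to-multipoint channel: each access switch admits a frame from its service interface only if the source MAC is the one identity registered for that demarcation point, and admits a frame from the network only if it comes from the other end of the channel (the root for a leaf, a leaf for the root). The following is an added worked example, not code from the patent or from Telseon; it implements both rule sets as pure functions and then models the channel end to end with a flooding interior (the worst case for isolation) so that the leaf-to-leaf and source-spoofing cases can be checked. The class and function names, the port model, and the MAC addresses are assumptions made for illustration.

```python
"""Access-switch filtering for a root/leaf (point-to-multipoint) channel.

Added example implementing the rules of claims 3, 13 and 14 of
US20020038253A1. Names, port model and MAC values are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Port(Enum):
    SERVICE = "service"  # port facing the demarcation point (customer side)
    NETWORK = "network"  # port facing the interior switches


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC, "xx:xx:xx:xx:xx:xx"
    dst: str  # destination MAC


def is_group_address(mac: str) -> bool:
    """Ethernet group bit: bit 0 of the first octet. Covers multicast
    addresses and, since it is all ones, the broadcast address too."""
    return int(mac.split(":")[0], 16) & 1 == 1


def leaf_switch_forward(frame, ingress, leaf_mac, root_mac):
    """Claim 13: access switch serving one client (leaf) demarcation point.
    Returns the egress Port, or None when the frame is discarded."""
    if ingress is Port.SERVICE:
        # Only the registered leaf identity may send, and only to the root
        # or to a group address; another leaf's unicast MAC is dropped here.
        if frame.src == leaf_mac and (is_group_address(frame.dst) or frame.dst == root_mac):
            return Port.NETWORK
        return None
    if ingress is Port.NETWORK:
        # Only frames sourced by the root reach the leaf, so a leaf's
        # broadcast that the interior floods is stopped at every other leaf.
        if frame.src == root_mac and (is_group_address(frame.dst) or frame.dst == leaf_mac):
            return Port.SERVICE
        return None
    return None


def root_switch_forward(frame, ingress, root_mac, leaf_macs):
    """Claims 3 and 14: access switch serving the root demarcation point."""
    if ingress is Port.SERVICE:
        if frame.src == root_mac and (is_group_address(frame.dst) or frame.dst in leaf_macs):
            return Port.NETWORK
        return None
    if ingress is Port.NETWORK:
        if frame.src in leaf_macs and (is_group_address(frame.dst) or frame.dst == root_mac):
            return Port.SERVICE
        return None
    return None


def deliver(frame, origin, root_mac, leaf_macs):
    """Model the channel end to end. The interior is treated as a bridged
    LAN that floods: every frame an access switch forwards onto the network
    arrives at every other access switch's network port. Returns the set of
    demarcation points (by MAC) that actually receive the frame."""
    def rule(node, ingress):
        if node == root_mac:
            return root_switch_forward(frame, ingress, root_mac, leaf_macs)
        return leaf_switch_forward(frame, ingress, node, root_mac)

    if rule(origin, Port.SERVICE) is not Port.NETWORK:
        return set()  # discarded at the originating access switch
    members = [root_mac, *leaf_macs]
    return {n for n in members if n != origin and rule(n, Port.NETWORK) is Port.SERVICE}


# Constructed addresses for the demonstration (locally administered, unicast).
ROOT = "02:00:00:00:00:01"
LEAF_A = "02:00:00:00:00:0a"
LEAF_B = "02:00:00:00:00:0b"
BROADCAST = "ff:ff:ff:ff:ff:ff"
LEAVES = (LEAF_A, LEAF_B)


if __name__ == "__main__":
    cases = [
        ("leaf A -> root unicast", Frame(LEAF_A, ROOT), LEAF_A),
        ("leaf A -> leaf B unicast", Frame(LEAF_A, LEAF_B), LEAF_A),
        ("leaf A broadcast", Frame(LEAF_A, BROADCAST), LEAF_A),
        ("root broadcast", Frame(ROOT, BROADCAST), ROOT),
        ("leaf B spoofing root MAC", Frame(ROOT, LEAF_A), LEAF_B),
    ]
    for label, frame, origin in cases:
        print(f"{label:28s} received by {sorted(deliver(frame, origin, ROOT, LEAVES))}")
```

The end-to-end model is what makes the isolation property visible: a leaf's broadcast is forwarded onto the network and reaches the root, but every other leaf's access switch drops it because its source is not the root. The same per-port source check is what defeats spoofing, since a leaf that forges the root's (or another leaf's) MAC is discarded at its own access switch before the frame ever reaches the interior; this is why claims 9 to 11 place the security functions in the access switches and tie identity to the MAC registered at each service interface.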
US09/796,922 2000-03-02 2001-03-01 Point-to-multipoint virtual circuits for metropolitan area networks Abandoned US20020038253A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/796,922 US20020038253A1 (en) 2000-03-02 2001-03-01 Point-to-multipoint virtual circuits for metropolitan area networks

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US18647000P 2000-03-02 2000-03-02
US63456600A 2000-08-09 2000-08-09
US09/796,922 US20020038253A1 (en) 2000-03-02 2001-03-01 Point-to-multipoint virtual circuits for metropolitan area networks

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US63456600A Continuation-In-Part 2000-03-02 2000-08-09

Publications (1)

Publication Number Publication Date
US20020038253A1 true US20020038253A1 (en) 2002-03-28

Family

ID=26882122

Family Applications (3)

Application Number Title Priority Date Filing Date
US09/796,922 Abandoned US20020038253A1 (en) 2000-03-02 2001-03-01 Point-to-multipoint virtual circuits for metropolitan area networks
US09/796,825 Expired - Lifetime US6826158B2 (en) 2000-03-02 2001-03-01 Broadband tree-configured ring for metropolitan area networks
US09/796,842 Abandoned US20020023170A1 (en) 2000-03-02 2001-03-01 Use of active topology protocols, including the spanning tree, for resilient redundant connection of an edge device

Family Applications After (2)

Application Number Title Priority Date Filing Date
US09/796,825 Expired - Lifetime US6826158B2 (en) 2000-03-02 2001-03-01 Broadband tree-configured ring for metropolitan area networks
US09/796,842 Abandoned US20020023170A1 (en) 2000-03-02 2001-03-01 Use of active topology protocols, including the spanning tree, for resilient redundant connection of an edge device

Country Status (2)

Country Link
US (3) US20020038253A1 (en)
EP (1) EP1132844A3 (en)

Cited By (80)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020009092A1 (en) * 2000-03-02 2002-01-24 Seaman Michael J. Broadband tree-configured ring for metropolitan area networks
US20020154622A1 (en) * 2001-04-18 2002-10-24 Skypilot Network, Inc. Network channel access protocol - slot scheduling
US20030157947A1 (en) * 2002-01-08 2003-08-21 Fiatal Trevor A. Connection architecture for a mobile network
US20040202185A1 (en) * 2003-04-14 2004-10-14 International Business Machines Corporation Multiple virtual local area network support for shared network adapters
US20040260814A1 (en) * 2003-06-18 2004-12-23 Utah State University Efficient unicast-based multicast tree construction and maintenance for multimedia transmission
US20050141523A1 (en) * 2003-12-29 2005-06-30 Chiang Yeh Traffic engineering scheme using distributed feedback
US20070294309A1 (en) * 2006-06-19 2007-12-20 International Business Machines Corporation Orchestrated peer-to-peer server provisioning
US20080001717A1 (en) * 2006-06-20 2008-01-03 Trevor Fiatal System and method for group management
US20090016526A1 (en) * 2004-10-20 2009-01-15 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
US7715379B2 (en) 2001-09-24 2010-05-11 Rumi Sheryar Gonda Method for supporting ethernet MAC circuits
US7751409B1 (en) * 2002-03-20 2010-07-06 Oracle America, Inc. Logical service domains for enabling network mobility
US20100182913A1 (en) * 2008-02-29 2010-07-22 Telefonakiebolaget L M Ericisson (Publ) Connectivity fault management for ethernet tree (e-tree) type services
US20110165889A1 (en) * 2006-02-27 2011-07-07 Trevor Fiatal Location-based operations and messaging
US20110179377A1 (en) * 2005-03-14 2011-07-21 Michael Fleming Intelligent rendering of information in a limited display environment
WO2011093882A1 (en) * 2010-01-29 2011-08-04 Hewlett-Packard Development Company, L.P. Configuration of network links in a virtual connection environment
US8010082B2 (en) 2004-10-20 2011-08-30 Seven Networks, Inc. Flexible billing architecture
US8064583B1 (en) 2005-04-21 2011-11-22 Seven Networks, Inc. Multiple data store authentication
US8069166B2 (en) 2005-08-01 2011-11-29 Seven Networks, Inc. Managing user-to-user contact with inferred presence information
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
US8107921B2 (en) 2008-01-11 2012-01-31 Seven Networks, Inc. Mobile virtual network operator
US8116214B2 (en) 2004-12-03 2012-02-14 Seven Networks, Inc. Provisioning of e-mail settings for a mobile terminal
US8166164B1 (en) 2010-11-01 2012-04-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US8190701B2 (en) 2010-11-01 2012-05-29 Seven Networks, Inc. Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8274989B1 (en) * 2006-03-31 2012-09-25 Rockstar Bidco, LP Point-to-multipoint (P2MP) resilience for GMPLS control of ethernet
US8316098B2 (en) 2011-04-19 2012-11-20 Seven Networks Inc. Social caching for device resource sharing and management
US8326985B2 (en) 2010-11-01 2012-12-04 Seven Networks, Inc. Distributed management of keep-alive message signaling for mobile network resource conservation and optimization
US8340110B2 (en) 2006-09-15 2012-12-25 Trapeze Networks, Inc. Quality of service provisioning for wireless networks
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US8385355B1 (en) * 2007-11-07 2013-02-26 Brixham Solutions Ltd E-Trees over MPLS and PBB-TE networks
US8412675B2 (en) 2005-08-01 2013-04-02 Seven Networks, Inc. Context aware data presentation
US8417823B2 (en) 2010-11-22 2013-04-09 Seven Network, Inc. Aligning data transfer to optimize connections established for transmission over a wireless network
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US8621075B2 (en) 2011-04-27 2013-12-31 Seven Metworks, Inc. Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
US8693494B2 (en) 2007-06-01 2014-04-08 Seven Networks, Inc. Polling
US8700728B2 (en) 2010-11-01 2014-04-15 Seven Networks, Inc. Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8718057B1 (en) * 2004-01-20 2014-05-06 Nortel Networks Limited Ethernet LAN service enhancements
US8750123B1 (en) 2013-03-11 2014-06-10 Seven Networks, Inc. Mobile device equipped with mobile network congestion recognition to make intelligent decisions regarding connecting to an operator network
US8761756B2 (en) 2005-06-21 2014-06-24 Seven Networks International Oy Maintaining an IP connection in a mobile network
US8774844B2 (en) 2007-06-01 2014-07-08 Seven Networks, Inc. Integrated messaging
US8775631B2 (en) 2012-07-13 2014-07-08 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8793305B2 (en) 2007-12-13 2014-07-29 Seven Networks, Inc. Content delivery to a mobile device from a content service
US8799410B2 (en) 2008-01-28 2014-08-05 Seven Networks, Inc. System and method of a relay server for managing communications and notification between a mobile device and a web access server
US8805334B2 (en) 2004-11-22 2014-08-12 Seven Networks, Inc. Maintaining mobile terminal information for secure communications
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
US8832228B2 (en) 2011-04-27 2014-09-09 Seven Networks, Inc. System and method for making requests on behalf of a mobile device based on atomic processes for mobile network traffic relief
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
US8849902B2 (en) 2008-01-25 2014-09-30 Seven Networks, Inc. System for providing policy based content service in a mobile network
US8861354B2 (en) 2011-12-14 2014-10-14 Seven Networks, Inc. Hierarchies and categories for management and deployment of policies for distributed wireless traffic optimization
US8868753B2 (en) 2011-12-06 2014-10-21 Seven Networks, Inc. System of redundantly clustered machines to provide failover mechanisms for mobile traffic management and network resource conservation
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US8886176B2 (en) 2010-07-26 2014-11-11 Seven Networks, Inc. Mobile application traffic optimization
US8903954B2 (en) 2010-11-22 2014-12-02 Seven Networks, Inc. Optimization of resource polling intervals to satisfy mobile device requests
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
US8909202B2 (en) 2012-01-05 2014-12-09 Seven Networks, Inc. Detection and management of user interactions with foreground applications on a mobile device in distributed caching
US8918503B2 (en) 2011-12-06 2014-12-23 Seven Networks, Inc. Optimization of mobile traffic directed to private networks and operator configurability thereof
US8984581B2 (en) 2011-07-27 2015-03-17 Seven Networks, Inc. Monitoring mobile application activities for malicious traffic on a mobile device
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US9009250B2 (en) 2011-12-07 2015-04-14 Seven Networks, Inc. Flexible and dynamic integration schemas of a traffic management system with various network operators for network traffic alleviation
US9021021B2 (en) 2011-12-14 2015-04-28 Seven Networks, Inc. Mobile network reporting and usage analytics system and method aggregated using a distributed traffic optimization system
US9043433B2 (en) 2010-07-26 2015-05-26 Seven Networks, Inc. Mobile network traffic coordination across multiple applications
US9043731B2 (en) 2010-03-30 2015-05-26 Seven Networks, Inc. 3D mobile user interface with configurable workspace management
US9060032B2 (en) 2010-11-01 2015-06-16 Seven Networks, Inc. Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network
US9077630B2 (en) 2010-07-26 2015-07-07 Seven Networks, Inc. Distributed implementation of dynamic wireless traffic policy
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9173128B2 (en) 2011-12-07 2015-10-27 Seven Networks, Llc Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
US9203864B2 (en) 2012-02-02 2015-12-01 Seven Networks, Llc Dynamic categorization of applications for network access in a mobile network
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US9251193B2 (en) 2003-01-08 2016-02-02 Seven Networks, Llc Extending user relationships
US9275163B2 (en) 2010-11-01 2016-03-01 Seven Networks, Llc Request and response characteristics based adaptation of distributed caching in a mobile network
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
US9325662B2 (en) 2011-01-07 2016-04-26 Seven Networks, Llc System and method for reduction of mobile network traffic used for domain name system (DNS) queries
US9326189B2 (en) 2012-02-03 2016-04-26 Seven Networks, Llc User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US9330196B2 (en) 2010-11-01 2016-05-03 Seven Networks, Llc Wireless traffic management system cache optimization using http headers
US9832095B2 (en) 2011-12-14 2017-11-28 Seven Networks, Llc Operation modes for mobile traffic optimization and concurrent management of optimized and non-optimized traffic
US10263899B2 (en) 2012-04-10 2019-04-16 Seven Networks, Llc Enhanced customer service for mobile carriers using real-time and historical mobile application and traffic or optimization data associated with mobile devices in a mobile network

Families Citing this family (89)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7499647B2 (en) * 2000-05-22 2009-03-03 Opvista Incorporated Fully protected broadcast and select all optical network
US7120359B2 (en) * 2000-05-22 2006-10-10 Opvista Incorporated Broadcast and select all optical network
US6963575B1 (en) * 2000-06-07 2005-11-08 Yipes Enterprise Services, Inc. Enhanced data switching/routing for multi-regional IP over fiber network
US6934262B1 (en) * 2000-08-26 2005-08-23 Cisco Technology, Inc. Method and apparatus for restricting the assignment of VLANs
US6987740B1 (en) * 2000-09-11 2006-01-17 Cisco Technology, Inc. STP root guard
US7133410B2 (en) * 2001-02-12 2006-11-07 Tellabs Operations, Inc. Method and system for designing ring-based telecommunications networks
GB2377118B (en) * 2001-06-27 2003-06-25 3Com Corp Method and apparatus for determining unmanaged network devices in the topology of a network
US7054264B2 (en) * 2001-07-24 2006-05-30 Corrigent Systems Ltd. Interconnect and gateway protection in bidirectional ring networks
US7145878B2 (en) * 2001-07-27 2006-12-05 Corrigent Systems Ltd. Avoiding overlapping segments in transparent LAN services on ring-based networks
US7061859B2 (en) * 2001-08-30 2006-06-13 Corrigent Systems Ltd. Fast protection in ring topologies
ATE418198T1 (en) * 2001-09-04 2009-01-15 Rumi Sheryar Gonda METHOD FOR SUPPORTING SDH/SONET-APS ON ETHERNET
US20030048501A1 (en) * 2001-09-12 2003-03-13 Michael Guess Metropolitan area local access service system
US7283478B2 (en) * 2001-11-28 2007-10-16 Corrigent Systems Ltd. Traffic engineering in bi-directional ring networks
US7177946B1 (en) * 2001-12-06 2007-02-13 Cisco Technology, Inc. Optimal sync for rapid spanning tree protocol
GB0200838D0 (en) * 2002-01-15 2002-03-06 Xchangepoint Holdings Ltd Virtual local area network interconnection
US7529180B1 (en) * 2002-03-29 2009-05-05 Marvell International Ltd. Switch failover for aggregated data communication links
US7154861B1 (en) * 2002-04-22 2006-12-26 Extreme Networks Method and system for a virtual local area network to span multiple loop free network topology domains
US7680031B1 (en) * 2002-04-26 2010-03-16 Redback Networks Inc. Method and apparatus for load balancing and protecting data traffic in an optical ring
US7489867B1 (en) * 2002-05-06 2009-02-10 Cisco Technology, Inc. VoIP service over an ethernet network carried by a DWDM optical supervisory channel
JP4032816B2 (en) * 2002-05-08 2008-01-16 株式会社日立製作所 Storage network topology management system
CN1326375C (en) * 2002-05-08 2007-07-11 诺基亚公司 Distributing scheme for distributing information in network
US7398321B2 (en) * 2002-05-14 2008-07-08 The Research Foundation Of Suny Segment protection scheme for a network
US7941558B2 (en) * 2002-06-04 2011-05-10 Alcatel-Lucent Usa Inc. Loop elimination in a communications network
US7346709B2 (en) * 2002-08-28 2008-03-18 Tellabs Operations, Inc. Methods for assigning rings in a network
US8463947B2 (en) * 2002-08-28 2013-06-11 Tellabs Operations, Inc. Method of finding rings for optimal routing of digital information
US20040105455A1 (en) * 2002-08-29 2004-06-03 Seaman Michael John Automatic edge port and one way connectivity detection with rapid reconfiguration for shared media in spanning tree configured bridged Local Area Networks
KR100456674B1 (en) * 2002-11-09 2004-11-10 한국전자통신연구원 Method and apparatus for determining communication path on network using spanning tree and detecting circuits
US20040098510A1 (en) * 2002-11-15 2004-05-20 Ewert Peter M. Communicating between network processors
JP3799010B2 (en) * 2002-12-19 2006-07-19 アンリツ株式会社 Mesh network bridge
US8867333B2 (en) * 2003-03-31 2014-10-21 Alcatel Lucent Restoration path calculation considering shared-risk link groups in mesh networks
US7643408B2 (en) * 2003-03-31 2010-01-05 Alcatel-Lucent Usa Inc. Restoration time in networks
US7646706B2 (en) * 2003-03-31 2010-01-12 Alcatel-Lucent Usa Inc. Restoration time in mesh networks
US8296407B2 (en) * 2003-03-31 2012-10-23 Alcatel Lucent Calculation, representation, and maintenance of sharing information in mesh networks
US7689693B2 (en) * 2003-03-31 2010-03-30 Alcatel-Lucent Usa Inc. Primary/restoration path calculation in mesh networks based on multiple-cost criteria
US7376832B2 (en) 2003-04-21 2008-05-20 International Business Machines Corporation Distributed method, system and computer program product for establishing security in a publish/subscribe data processing broker network
US7558844B1 (en) 2003-05-06 2009-07-07 Juniper Networks, Inc. Systems and methods for implementing dynamic subscriber interfaces
US7336605B2 (en) 2003-05-13 2008-02-26 Corrigent Systems, Inc. Bandwidth allocation for link aggregation
US7602706B1 (en) * 2003-05-15 2009-10-13 Cisco Technology, Inc. Inter-ring protection for shared packet rings
US20060123428A1 (en) * 2003-05-15 2006-06-08 Nantasket Software, Inc. Network management system permitting remote management of systems by users with limited skills
US8078756B2 (en) * 2003-06-03 2011-12-13 Cisco Technology, Inc. Computing a path for an open ended uni-directional path protected switched ring
US7324461B2 (en) * 2003-08-26 2008-01-29 Alcatel Lucent Selective transmission rate limiter for rapid spanning tree protocol
US8111612B2 (en) * 2004-04-02 2012-02-07 Alcatel Lucent Link-based recovery with demand granularity in mesh networks
US7418000B2 (en) * 2004-06-03 2008-08-26 Corrigent Systems Ltd. Automated weight calculation for packet networks
US7733812B2 (en) * 2004-06-07 2010-06-08 Alcatel Method for enabling multipoint network services over a ring topology network
US7577367B2 (en) * 2004-06-15 2009-08-18 Op Vista Incorporated Optical communication using duobinary modulation
JP4397292B2 (en) * 2004-07-09 2010-01-13 富士通株式会社 Control packet loop prevention method and bridge device using the same
US7330431B2 (en) * 2004-09-03 2008-02-12 Corrigent Systems Ltd. Multipoint to multipoint communication over ring topologies
GB2418326B (en) * 2004-09-17 2007-04-11 Hewlett Packard Development Co Network vitrualization
US7958208B2 (en) * 2004-09-22 2011-06-07 At&T Intellectual Property I, L.P. System and method for designing a customized switched metro Ethernet data network
US7564869B2 (en) 2004-10-22 2009-07-21 Cisco Technology, Inc. Fibre channel over ethernet
US7801125B2 (en) * 2004-10-22 2010-09-21 Cisco Technology, Inc. Forwarding table reduction and multipath network forwarding
US7974223B2 (en) 2004-11-19 2011-07-05 Corrigent Systems Ltd. Virtual private LAN service over ring networks
US20060171302A1 (en) * 2005-02-03 2006-08-03 Cisco Technology, Inc. Data transmission in a network comprising bridges
US7768932B2 (en) * 2005-04-13 2010-08-03 Hewlett-Packard Development Company, L.P. Method for analyzing a system in a network
US7957276B2 (en) 2005-04-28 2011-06-07 Telcordia Licensing Company, Llc Call admission control and preemption control over a secure tactical network
WO2006119375A2 (en) * 2005-05-02 2006-11-09 Opvista, Incorporated Multiple interconnected broadcast and select optical ring networks with revertible protection switch
US7792017B2 (en) * 2005-06-24 2010-09-07 Infinera Corporation Virtual local area network configuration for multi-chassis network element
US20060291378A1 (en) * 2005-06-28 2006-12-28 Alcatel Communication path redundancy protection systems and methods
JP4283792B2 (en) * 2005-08-29 2009-06-24 富士通株式会社 Band control method and transmission apparatus
US9203731B2 (en) * 2005-09-16 2015-12-01 Cisco Technology, Inc. Mechanism to implement a layer 2 gateway
US7961621B2 (en) 2005-10-11 2011-06-14 Cisco Technology, Inc. Methods and devices for backward congestion notification
EP1949119A4 (en) * 2005-10-13 2017-01-18 Vello Systems, Inc. Optical ring networks using circulating optical probe in protection switching with automatic reversion
KR100723883B1 (en) 2005-12-07 2007-05-31 한국전자통신연구원 Root switch in ethernet network and method for mapping switch to a unique identifier by using the same
US7933237B2 (en) 2005-12-23 2011-04-26 Telcordia Licensing Company, Llc Ensuring quality of service of communications in networks
US7983150B2 (en) 2006-01-18 2011-07-19 Corrigent Systems Ltd. VPLS failure protection in ring networks
US7808931B2 (en) 2006-03-02 2010-10-05 Corrigent Systems Ltd. High capacity ring communication network
US7593400B2 (en) 2006-05-19 2009-09-22 Corrigent Systems Ltd. MAC address learning in a distributed bridge
US7760668B1 (en) 2006-06-20 2010-07-20 Force 10 Networks, Inc. Self-reconfiguring spanning tree
US7660303B2 (en) 2006-08-22 2010-02-09 Corrigent Systems Ltd. Point-to-multipoint functionality in a bridged network
US7903586B2 (en) * 2006-11-01 2011-03-08 Alcatel Lucent Ring rapid multiple spanning tree protocol system and method
KR20080082830A (en) * 2007-03-09 2008-09-12 삼성전자주식회사 Flushing processing unit and method of switching device in network for using spanning tree protocol
US7836360B2 (en) * 2007-04-09 2010-11-16 International Business Machines Corporation System and method for intrusion prevention high availability fail over
US7773883B1 (en) 2007-05-04 2010-08-10 Vello Systems, Inc. Single-fiber optical ring networks based on optical double sideband modulation
GB2449178B (en) * 2007-05-11 2009-09-23 Boeing Co Lightweight node based network redundancy solution leveraging rapid spanning tree protocol (RSTP)
US7792056B2 (en) * 2007-05-11 2010-09-07 The Boeing Company Lightweight node based network redundancy solution leveraging rapid spanning tree protocol (RSTP)
US8175458B2 (en) 2007-07-17 2012-05-08 Vello Systems, Inc. Optical ring networks having node-to-node optical communication channels for carrying data traffic
US8121038B2 (en) 2007-08-21 2012-02-21 Cisco Technology, Inc. Backward congestion notification
CN100534024C (en) * 2007-11-26 2009-08-26 中控科技集团有限公司 Industry ethernet based fault processing method, system and a switching arrangement
US9237034B2 (en) * 2008-10-21 2016-01-12 Iii Holdings 1, Llc Methods and systems for providing network access redundancy
US8184648B2 (en) 2009-06-18 2012-05-22 Rockstar Bidco, LP Method and apparatus for implementing control of multiple physically dual homed devices
US9054832B2 (en) 2009-12-08 2015-06-09 Treq Labs, Inc. Management, monitoring and performance optimization of optical networks
US8705741B2 (en) * 2010-02-22 2014-04-22 Vello Systems, Inc. Subchannel security at the optical layer
US8542999B2 (en) 2011-02-01 2013-09-24 Vello Systems, Inc. Minimizing bandwidth narrowing penalties in a wavelength selective switch optical network
US9124524B2 (en) * 2011-06-29 2015-09-01 Broadcom Corporation System and method for priority based flow control between nodes
US9692732B2 (en) 2011-11-29 2017-06-27 Amazon Technologies, Inc. Network connection automation
US8817598B2 (en) * 2012-04-19 2014-08-26 Cisco Technology, Inc. Hardware based convergence for a ring network
US11563806B1 (en) * 2019-05-17 2023-01-24 R-Stor, Inc. Content distribution network system and method
US11025527B2 (en) * 2019-07-22 2021-06-01 Dell Products L.P. Topology change processing in bridged networks using a spanning tree protocol
CN113645114A (en) * 2021-08-13 2021-11-12 广汽丰田汽车有限公司 Network failure prevention system, network management method, vehicle, and storage medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4872157A (en) * 1988-03-31 1989-10-03 American Telephone And Telegraph Company, At&T Bell Laboratories Architecture and organization of a high performance metropolitan area telecommunications packet network
US4872158A (en) * 1988-03-31 1989-10-03 American Telephone And Telegraph Company, At&T Bell Laboratories Distributed control rapid connection circuit switch
US5517498A (en) * 1993-09-20 1996-05-14 International Business Machines Corporation Spatial reuse of bandwidth on a ring network
US5742604A (en) * 1996-03-28 1998-04-21 Cisco Systems, Inc. Interswitch link mechanism for connecting high-performance network switches
US5818842A (en) * 1994-01-21 1998-10-06 Newbridge Networks Corporation Transparent interconnector of LANs by an ATM network
US5881131A (en) * 1993-11-16 1999-03-09 Bell Atlantic Network Services, Inc. Analysis and validation system for provisioning network related facilities
US5923659A (en) * 1996-09-20 1999-07-13 Bell Atlantic Network Services, Inc. Telecommunications network
US5935209A (en) * 1996-09-09 1999-08-10 Next Level Communications System and method for managing fiber-to-the-curb network elements
US5940376A (en) * 1997-01-29 1999-08-17 Cabletron Systems, Inc. Method and apparatus to establish a tap-point in a switched network using self-configuring switches having distributed configuration capabilities
US6041057A (en) * 1997-03-24 2000-03-21 Xylan Corporation Self-configuring ATM network
US6157647A (en) * 1996-11-06 2000-12-05 3Com Corporation Direct addressing between VLAN subnets
US6331983B1 (en) * 1997-05-06 2001-12-18 Enterasys Networks, Inc. Multicast switching

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH01255340A (en) * 1988-04-05 1989-10-12 Hitachi Ltd Multinetwork system
US6085238A (en) * 1996-04-23 2000-07-04 Matsushita Electric Works, Ltd. Virtual LAN system
US5923654A (en) * 1996-04-25 1999-07-13 Compaq Computer Corp. Network switch that includes a plurality of shared packet buffers
DE69738175T2 (en) * 1996-08-27 2008-01-31 Nippon Telegraph And Telephone Corp. Link transmission network
CN1245604A (en) * 1996-12-06 2000-02-23 科尔科迪亚技术股份有限公司 Inter-ring cross-connect for survivable multi-wavelength optical communication networks
US6084858A (en) * 1997-01-29 2000-07-04 Cabletron Systems, Inc. Distribution of communication load over multiple paths based upon link utilization
US6061335A (en) * 1997-07-24 2000-05-09 At&T Corp Method for designing SONET ring networks suitable for local access
US6295146B1 (en) * 1998-01-14 2001-09-25 Mci Communications Corporation System and method for sharing a spare channel among two or more optical ring networks
US6094687A (en) * 1998-01-17 2000-07-25 Fore Systems, Inc. System and method for connecting source nodes and destination nodes regarding efficient quality of services route determination using connection profiles
US6262977B1 (en) * 1998-08-28 2001-07-17 3Com Corporation High availability spanning tree with rapid reconfiguration
US6304575B1 (en) * 1998-08-31 2001-10-16 Cisco Technology, Inc. Token ring spanning tree protocol
US6674727B1 (en) * 1998-11-30 2004-01-06 Cisco Technology, Inc. Distributed ring protocol and database
US6628624B1 (en) * 1998-12-09 2003-09-30 Cisco Technology, Inc. Value-added features for the spanning tree protocol
US6373826B1 (en) * 1998-12-15 2002-04-16 Nortel Networks Limited Spanning tree algorithm
US6707789B1 (en) * 1998-12-18 2004-03-16 At&T Corp. Flexible SONET ring with integrated cross-connect system
US6515969B1 (en) * 1999-03-01 2003-02-04 Cisco Technology, Inc. Virtual local area network membership registration protocol for multiple spanning tree network environments
US6535490B1 (en) * 1999-03-04 2003-03-18 3Com Corporation High availability spanning tree with rapid reconfiguration with alternate port selection
US6629149B1 (en) * 1999-08-17 2003-09-30 At&T Corp. Network system and method
EP1132844A3 (en) * 2000-03-02 2002-06-05 Telseon IP Services Inc. E-commerce system facilitating service networks including broadband communication service networks
US6744769B1 (en) * 2000-10-19 2004-06-01 Nortel Networks Limited Path provisioning on ring-based networks

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4872157A (en) * 1988-03-31 1989-10-03 American Telephone And Telegraph Company, At&T Bell Laboratories Architecture and organization of a high performance metropolitan area telecommunications packet network
US4872158A (en) * 1988-03-31 1989-10-03 American Telephone And Telegraph Company, At&T Bell Laboratories Distributed control rapid connection circuit switch
US5517498A (en) * 1993-09-20 1996-05-14 International Business Machines Corporation Spatial reuse of bandwidth on a ring network
US5881131A (en) * 1993-11-16 1999-03-09 Bell Atlantic Network Services, Inc. Analysis and validation system for provisioning network related facilities
US5818842A (en) * 1994-01-21 1998-10-06 Newbridge Networks Corporation Transparent interconnector of LANs by an ATM network
US5742604A (en) * 1996-03-28 1998-04-21 Cisco Systems, Inc. Interswitch link mechanism for connecting high-performance network switches
US5935209A (en) * 1996-09-09 1999-08-10 Next Level Communications System and method for managing fiber-to-the-curb network elements
US5923659A (en) * 1996-09-20 1999-07-13 Bell Atlantic Network Services, Inc. Telecommunications network
US6157647A (en) * 1996-11-06 2000-12-05 3Com Corporation Direct addressing between VLAN subnets
US5940376A (en) * 1997-01-29 1999-08-17 Cabletron Systems, Inc. Method and apparatus to establish a tap-point in a switched network using self-configuring switches having distributed configuration capabilities
US6041057A (en) * 1997-03-24 2000-03-21 Xylan Corporation Self-configuring ATM network
US6331983B1 (en) * 1997-05-06 2001-12-18 Enterasys Networks, Inc. Multicast switching

Cited By (139)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826158B2 (en) * 2000-03-02 2004-11-30 Onfiber Communications, Inc. Broadband tree-configured ring for metropolitan area networks
US20020009092A1 (en) * 2000-03-02 2002-01-24 Seaman Michael J. Broadband tree-configured ring for metropolitan area networks
US7149183B2 (en) 2001-04-18 2006-12-12 Skypilot Networks, Inc. Network channel access protocol - slot allocation
US7283494B2 (en) 2001-04-18 2007-10-16 Skypilot Networks, Inc. Network channel access protocol-interference and load adaptive
US7356043B2 (en) 2001-04-18 2008-04-08 Skypilot Networks, Inc. Network channel access protocol—slot scheduling
US20020176396A1 (en) * 2001-04-18 2002-11-28 Skypilot Network, Inc. Network channel access protocol-interference and load adaptive
US20020154622A1 (en) * 2001-04-18 2002-10-24 Skypilot Network, Inc. Network channel access protocol - slot scheduling
US7339947B2 (en) 2001-04-18 2008-03-04 Skypilot Networks, Inc. Network channel access protocol—frame execution
US7113519B2 (en) 2001-04-18 2006-09-26 Skypilot Networks, Inc. Network channel access protocol—slot scheduling
US20060280201A1 (en) * 2001-04-18 2006-12-14 Skypilot Networks, Inc. Network channel access protocol - slot scheduling
US7920561B2 (en) 2001-09-24 2011-04-05 Rumi Sheryar Gonda Method for supporting Ethernet MAC circuits
US7715379B2 (en) 2001-09-24 2010-05-11 Rumi Sheryar Gonda Method for supporting ethernet MAC circuits
US20030157947A1 (en) * 2002-01-08 2003-08-21 Fiatal Trevor A. Connection architecture for a mobile network
US8811952B2 (en) 2002-01-08 2014-08-19 Seven Networks, Inc. Mobile device power management in data synchronization over a mobile network with or without a trigger notification
US8549587B2 (en) 2002-01-08 2013-10-01 Seven Networks, Inc. Secure end-to-end transport through intermediary nodes
US20080037787A1 (en) * 2002-01-08 2008-02-14 Seven Networks, Inc. Secure transport for mobile communication network
US8127342B2 (en) 2002-01-08 2012-02-28 Seven Networks, Inc. Secure end-to-end transport through intermediary nodes
US8989728B2 (en) 2002-01-08 2015-03-24 Seven Networks, Inc. Connection architecture for a mobile network
US20070027832A1 (en) * 2002-01-08 2007-02-01 Seven Networks, Inc. Connection architecture for a mobile network
US7827597B2 (en) 2002-01-08 2010-11-02 Seven Networks, Inc. Secure transport for mobile communication network
US9608968B2 (en) 2002-01-08 2017-03-28 Seven Networks, Llc Connection architecture for a mobile network
US7139565B2 (en) * 2002-01-08 2006-11-21 Seven Networks, Inc. Connection architecture for a mobile network
US7751409B1 (en) * 2002-03-20 2010-07-06 Oracle America, Inc. Logical service domains for enabling network mobility
US9251193B2 (en) 2003-01-08 2016-02-02 Seven Networks, Llc Extending user relationships
US20040202185A1 (en) * 2003-04-14 2004-10-14 International Business Machines Corporation Multiple virtual local area network support for shared network adapters
US7596595B2 (en) 2003-06-18 2009-09-29 Utah State University Efficient unicast-based multicast tree construction and maintenance for multimedia transmission
US20040260814A1 (en) * 2003-06-18 2004-12-23 Utah State University Efficient unicast-based multicast tree construction and maintenance for multimedia transmission
US20050141523A1 (en) * 2003-12-29 2005-06-30 Chiang Yeh Traffic engineering scheme using distributed feedback
US8718057B1 (en) * 2004-01-20 2014-05-06 Nortel Networks Limited Ethernet LAN service enhancements
US7680281B2 (en) 2004-10-20 2010-03-16 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
US20090016526A1 (en) * 2004-10-20 2009-01-15 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
USRE45348E1 (en) 2004-10-20 2015-01-20 Seven Networks, Inc. Method and apparatus for intercepting events in a communication system
US8010082B2 (en) 2004-10-20 2011-08-30 Seven Networks, Inc. Flexible billing architecture
US8831561B2 (en) 2004-10-20 2014-09-09 Seven Networks, Inc System and method for tracking billing events in a mobile wireless network for a network operator
US8805334B2 (en) 2004-11-22 2014-08-12 Seven Networks, Inc. Maintaining mobile terminal information for secure communications
US8116214B2 (en) 2004-12-03 2012-02-14 Seven Networks, Inc. Provisioning of e-mail settings for a mobile terminal
US8873411B2 (en) 2004-12-03 2014-10-28 Seven Networks, Inc. Provisioning of e-mail settings for a mobile terminal
US9047142B2 (en) 2005-03-14 2015-06-02 Seven Networks, Inc. Intelligent rendering of information in a limited display environment
US8209709B2 (en) 2005-03-14 2012-06-26 Seven Networks, Inc. Cross-platform event engine
US20110179377A1 (en) * 2005-03-14 2011-07-21 Michael Fleming Intelligent rendering of information in a limited display environment
US8561086B2 (en) 2005-03-14 2013-10-15 Seven Networks, Inc. System and method for executing commands that are non-native to the native environment of a mobile device
US8839412B1 (en) 2005-04-21 2014-09-16 Seven Networks, Inc. Flexible real-time inbox access
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
US8064583B1 (en) 2005-04-21 2011-11-22 Seven Networks, Inc. Multiple data store authentication
US8761756B2 (en) 2005-06-21 2014-06-24 Seven Networks International Oy Maintaining an IP connection in a mobile network
US8412675B2 (en) 2005-08-01 2013-04-02 Seven Networks, Inc. Context aware data presentation
US8069166B2 (en) 2005-08-01 2011-11-29 Seven Networks, Inc. Managing user-to-user contact with inferred presence information
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
US20110165889A1 (en) * 2006-02-27 2011-07-07 Trevor Fiatal Location-based operations and messaging
US9055102B2 (en) 2006-02-27 2015-06-09 Seven Networks, Inc. Location-based operations and messaging
US8514878B1 (en) 2006-03-31 2013-08-20 Rockstar Consortium Us Lp Point-to-multipoint (P2MP) resilience for GMPLS control of ethernet
US8274989B1 (en) * 2006-03-31 2012-09-25 Rockstar Bidco, LP Point-to-multipoint (P2MP) resilience for GMPLS control of ethernet
US9250972B2 (en) * 2006-06-19 2016-02-02 International Business Machines Corporation Orchestrated peer-to-peer server provisioning
US20070294309A1 (en) * 2006-06-19 2007-12-20 International Business Machines Corporation Orchestrated peer-to-peer server provisioning
US20080001717A1 (en) * 2006-06-20 2008-01-03 Trevor Fiatal System and method for group management
US8340110B2 (en) 2006-09-15 2012-12-25 Trapeze Networks, Inc. Quality of service provisioning for wireless networks
US8805425B2 (en) 2007-06-01 2014-08-12 Seven Networks, Inc. Integrated messaging
US8774844B2 (en) 2007-06-01 2014-07-08 Seven Networks, Inc. Integrated messaging
US8693494B2 (en) 2007-06-01 2014-04-08 Seven Networks, Inc. Polling
US8385355B1 (en) * 2007-11-07 2013-02-26 Brixham Solutions Ltd E-Trees over MPLS and PBB-TE networks
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US8738050B2 (en) 2007-12-10 2014-05-27 Seven Networks, Inc. Electronic-mail filtering for mobile devices
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US8793305B2 (en) 2007-12-13 2014-07-29 Seven Networks, Inc. Content delivery to a mobile device from a content service
US8914002B2 (en) 2008-01-11 2014-12-16 Seven Networks, Inc. System and method for providing a network service in a distributed fashion to a mobile device
US8107921B2 (en) 2008-01-11 2012-01-31 Seven Networks, Inc. Mobile virtual network operator
US8909192B2 (en) 2008-01-11 2014-12-09 Seven Networks, Inc. Mobile virtual network operator
US9712986B2 (en) 2008-01-11 2017-07-18 Seven Networks, Llc Mobile device configured for communicating with another mobile device associated with an associated user
US8862657B2 (en) 2008-01-25 2014-10-14 Seven Networks, Inc. Policy based content service
US8849902B2 (en) 2008-01-25 2014-09-30 Seven Networks, Inc. System for providing policy based content service in a mobile network
US10659417B2 (en) 2008-01-28 2020-05-19 Seven Networks, Llc System and method of a relay server for managing communications and notification between a mobile device and application server
US8838744B2 (en) 2008-01-28 2014-09-16 Seven Networks, Inc. Web-based access to data objects
US8799410B2 (en) 2008-01-28 2014-08-05 Seven Networks, Inc. System and method of a relay server for managing communications and notification between a mobile device and a web access server
US8611231B2 (en) 2008-02-29 2013-12-17 Telefonaktiebolaget L M Ericsson (Publ) Connectivity fault management for ethernet tree (E-Tree) type services
US20100182913A1 (en) * 2008-02-29 2010-07-22 Telefonaktiebolaget L M Ericsson (Publ) Connectivity fault management for ethernet tree (e-tree) type services
US7995488B2 (en) * 2008-02-29 2011-08-09 Telefonaktiebolaget L M Ericsson (Publ) Connectivity fault management for ethernet tree (E-Tree) type services
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8494510B2 (en) 2008-06-26 2013-07-23 Seven Networks, Inc. Provisioning applications for a mobile device
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
WO2011093882A1 (en) * 2010-01-29 2011-08-04 Hewlett-Packard Development Company, L.P. Configuration of network links in a virtual connection environment
US9043731B2 (en) 2010-03-30 2015-05-26 Seven Networks, Inc. 3D mobile user interface with configurable workspace management
US9043433B2 (en) 2010-07-26 2015-05-26 Seven Networks, Inc. Mobile network traffic coordination across multiple applications
US9077630B2 (en) 2010-07-26 2015-07-07 Seven Networks, Inc. Distributed implementation of dynamic wireless traffic policy
US8886176B2 (en) 2010-07-26 2014-11-11 Seven Networks, Inc. Mobile application traffic optimization
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
US9049179B2 (en) 2010-07-26 2015-06-02 Seven Networks, Inc. Mobile network traffic coordination across multiple applications
US9407713B2 (en) 2010-07-26 2016-08-02 Seven Networks, Llc Mobile application traffic optimization
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US9275163B2 (en) 2010-11-01 2016-03-01 Seven Networks, Llc Request and response characteristics based adaptation of distributed caching in a mobile network
US8782222B2 (en) 2010-11-01 2014-07-15 Seven Networks Timing of keep-alive messages used in a system for mobile network resource conservation and optimization
US9330196B2 (en) 2010-11-01 2016-05-03 Seven Networks, Llc Wireless traffic management system cache optimization using http headers
US8166164B1 (en) 2010-11-01 2012-04-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
US9060032B2 (en) 2010-11-01 2015-06-16 Seven Networks, Inc. Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic
US8291076B2 (en) 2010-11-01 2012-10-16 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US8700728B2 (en) 2010-11-01 2014-04-15 Seven Networks, Inc. Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8190701B2 (en) 2010-11-01 2012-05-29 Seven Networks, Inc. Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8204953B2 (en) 2010-11-01 2012-06-19 Seven Networks, Inc. Distributed system for cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8966066B2 (en) 2010-11-01 2015-02-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US8326985B2 (en) 2010-11-01 2012-12-04 Seven Networks, Inc. Distributed management of keep-alive message signaling for mobile network resource conservation and optimization
US8539040B2 (en) 2010-11-22 2013-09-17 Seven Networks, Inc. Mobile network background traffic data management with optimized polling intervals
US8417823B2 (en) 2010-11-22 2013-04-09 Seven Networks, Inc. Aligning data transfer to optimize connections established for transmission over a wireless network
US8903954B2 (en) 2010-11-22 2014-12-02 Seven Networks, Inc. Optimization of resource polling intervals to satisfy mobile device requests
US9100873B2 (en) 2010-11-22 2015-08-04 Seven Networks, Inc. Mobile network background traffic data management
US9325662B2 (en) 2011-01-07 2016-04-26 Seven Networks, Llc System and method for reduction of mobile network traffic used for domain name system (DNS) queries
US9300719B2 (en) 2011-04-19 2016-03-29 Seven Networks, Inc. System and method for a mobile device to use physical storage of another device for caching
US8356080B2 (en) 2011-04-19 2013-01-15 Seven Networks, Inc. System and method for a mobile device to use physical storage of another device for caching
US8316098B2 (en) 2011-04-19 2012-11-20 Seven Networks Inc. Social caching for device resource sharing and management
US9084105B2 (en) 2011-04-19 2015-07-14 Seven Networks, Inc. Device resources sharing for network resource conservation
US8635339B2 (en) 2011-04-27 2014-01-21 Seven Networks, Inc. Cache state management on a mobile device to preserve user experience
US8621075B2 (en) 2011-04-27 2013-12-31 Seven Networks, Inc. Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
US8832228B2 (en) 2011-04-27 2014-09-09 Seven Networks, Inc. System and method for making requests on behalf of a mobile device based on atomic processes for mobile network traffic relief
US8984581B2 (en) 2011-07-27 2015-03-17 Seven Networks, Inc. Monitoring mobile application activities for malicious traffic on a mobile device
US9239800B2 (en) 2011-07-27 2016-01-19 Seven Networks, Llc Automatic generation and distribution of policy information regarding malicious mobile traffic in a wireless network
US8868753B2 (en) 2011-12-06 2014-10-21 Seven Networks, Inc. System of redundantly clustered machines to provide failover mechanisms for mobile traffic management and network resource conservation
US8918503B2 (en) 2011-12-06 2014-12-23 Seven Networks, Inc. Optimization of mobile traffic directed to private networks and operator configurability thereof
US8977755B2 (en) 2011-12-06 2015-03-10 Seven Networks, Inc. Mobile device and method to utilize the failover mechanism for fault tolerance provided for mobile traffic management and network/device resource conservation
US9208123B2 (en) 2011-12-07 2015-12-08 Seven Networks, Llc Mobile device having content caching mechanisms integrated with a network operator for traffic alleviation in a wireless network and methods therefor
US9277443B2 (en) 2011-12-07 2016-03-01 Seven Networks, Llc Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
US9173128B2 (en) 2011-12-07 2015-10-27 Seven Networks, Llc Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
US9009250B2 (en) 2011-12-07 2015-04-14 Seven Networks, Inc. Flexible and dynamic integration schemas of a traffic management system with various network operators for network traffic alleviation
US8861354B2 (en) 2011-12-14 2014-10-14 Seven Networks, Inc. Hierarchies and categories for management and deployment of policies for distributed wireless traffic optimization
US9832095B2 (en) 2011-12-14 2017-11-28 Seven Networks, Llc Operation modes for mobile traffic optimization and concurrent management of optimized and non-optimized traffic
US9021021B2 (en) 2011-12-14 2015-04-28 Seven Networks, Inc. Mobile network reporting and usage analytics system and method aggregated using a distributed traffic optimization system
US8909202B2 (en) 2012-01-05 2014-12-09 Seven Networks, Inc. Detection and management of user interactions with foreground applications on a mobile device in distributed caching
US9131397B2 (en) 2012-01-05 2015-09-08 Seven Networks, Inc. Managing cache to prevent overloading of a wireless network due to user activity
US9203864B2 (en) 2012-02-02 2015-12-01 Seven Networks, Llc Dynamic categorization of applications for network access in a mobile network
US9326189B2 (en) 2012-02-03 2016-04-26 Seven Networks, Llc User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
US10263899B2 (en) 2012-04-10 2019-04-16 Seven Networks, Llc Enhanced customer service for mobile carriers using real-time and historical mobile application and traffic or optimization data associated with mobile devices in a mobile network
US8775631B2 (en) 2012-07-13 2014-07-08 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
US9271238B2 (en) 2013-01-23 2016-02-23 Seven Networks, Llc Application or context aware fast dormancy
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US8750123B1 (en) 2013-03-11 2014-06-10 Seven Networks, Inc. Mobile device equipped with mobile network congestion recognition to make intelligent decisions regarding connecting to an operator network
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network

Also Published As

Publication number Publication date
EP1132844A2 (en) 2001-09-12
EP1132844A3 (en) 2002-06-05
US6826158B2 (en) 2004-11-30
US20020023170A1 (en) 2002-02-21
US20020009092A1 (en) 2002-01-24

Similar Documents

Publication Publication Date Title
US20020038253A1 (en) Point-to-multipoint virtual circuits for metropolitan area networks
US6963575B1 (en) Enhanced data switching/routing for multi-regional IP over fiber network
US7974223B2 (en) Virtual private LAN service over ring networks
KR101503629B1 (en) Differential forwarding in address-based carrier networks
US8228928B2 (en) System and method for providing support for multipoint L2VPN services in devices without local bridging
KR101406922B1 (en) Provider Link State Bridging
US7272137B2 (en) Data stream filtering apparatus and method
US8565235B2 (en) System and method for providing transparent LAN services
US9853896B2 (en) Method, device, and virtual private network system for advertising routing information
EP1478129B1 (en) Using network transport tunnels to provide service-based data transport
US20040165600A1 (en) Customer site bridged emulated LAN services via provider provisioned connections
US20050190757A1 (en) Interworking between Ethernet and non-Ethernet customer sites for VPLS
US20040223500A1 (en) Communications network with converged services
KR20110111365A (en) Resilient attachment to provider link state bridging(plsb) networks
CN101107824A (en) Connection-oriented communications scheme for connection-less communications traffic
JP5295273B2 (en) Data stream filtering apparatus and method
US20070121664A1 (en) Method and system for double data rate transmission
US8873431B1 (en) Communications system and method for maintaining topology in a VLAN environment
Sofia A survey of advanced ethernet forwarding approaches
US20070121619A1 (en) Communications distribution system
US7715429B2 (en) Interconnect system for supply chain management of virtual private network services
US20030208525A1 (en) System and method for providing transparent lan services
WO2008125603A1 (en) Method for forwarding data packets in an access network and device
WO2005018145A1 (en) System and method for providing transparent lan services
WO2006061547A1 (en) Interconnect system for supply chain management of virtual private network services

Legal Events

Date Code Title Description
AS Assignment

Owner name: TELSEON IP SERVICES, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SEAMAN, MICHAEL J.;JAIN, VIPIN;JASZEWSKI, GARY;AND OTHERS;REEL/FRAME:011588/0285

Effective date: 20010228

AS Assignment

Owner name: TELSEON IP SERVICES, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JASZEWSKI, GARY;REEL/FRAME:012264/0288

Effective date: 20010503

AS Assignment

Owner name: ONFIBER COMMUNICATIONS, INC., COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TELSEON IP SERVICES INC.;REEL/FRAME:013374/0513

Effective date: 20020731

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: COMERICA BANK, MICHIGAN

Free format text: SECURITY AGREEMENT;ASSIGNORS:ONFIBER COMMUNICATIONS, INC.;ONFIBER CARRIER SERVICES - VIRGINIA, INC.;INFO-TECH COMMUNICATIONS;AND OTHERS;REEL/FRAME:017379/0215

Effective date: 20051006

AS Assignment

Owner name: ONFIBER CARRIER SERVICES-VIRGINIA, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:018847/0033

Effective date: 20070202

Owner name: INFO-TECH COMMUNICATIONS, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:018847/0033

Effective date: 20070202

Owner name: ONFIBER COMMUNICATIONS, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:018847/0033

Effective date: 20070202

Owner name: ONFIBER CARRIER SERVICES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:COMERICA BANK;REEL/FRAME:018847/0033

Effective date: 20070202

AS Assignment

Owner name: QWEST COMMUNICATIONS INTERNATIONAL INC., COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ONFIBER COMMUNICATIONS, INC.;REEL/FRAME:019781/0759

Effective date: 20070830