The present invention relates generally to networked communications and, more particularly, to a hierarchical isolated learning, forwarding and flooding for metro Ethernet bridging domains.
In distributed switching systems, switching entities perform packet forwarding, forwarding entry learning, and aging out of forwarding entries. If a switching entity is associated with multiple Virtual Local Area Networks (“VLANs”), each VLAN may have its own forwarding table. This Ethernet switch architecture is based upon VLANs, and the switching functionality is implemented by keeping VLANs as the center of the architecture. Most of the core switching functionalities, such as Ethernet host learning, packet forwarding and packet flooding, are carried out on a per-VLAN basis. This architecture requires that most of the configuration needed to operate a switch be applied on a per-VLAN basis and repeated for each VLAN.
In one embodiment, a switch includes a processor coupled to a memory, one or more forwarding tables residing within the memory, and one or more ports. The one or more ports are associated with a plurality of virtual local area networks. The one or more ports are associated with a plurality of bridge domains. Each of the bridge domains is associated with one of the forwarding tables, and each of the forwarding tables is associated with one of the bridge domains. The processor is configured to assign a first tag to a received packet, the first tag comprising an identification of an active bridge domain, assign a second tag to the received packet, look up the destination address of the received packet in one of the forwarding tables, and, if the destination address is not found in the forwarding table, selectively flood the one or more ports of the active bridge domain with a copy of the received packet. The active bridge domain includes one of the plurality of bridge domains. The active bridge domain is associated with the ingress port of the received packet. The second tag includes an identification of one of the plurality of virtual local area networks.
In a further embodiment, a method for networked communications includes receiving a packet, assigning a first tag to a received packet, the first tag comprising an identification of an active bridge domain, assigning a second tag to the received packet, looking up the destination address of the received packet in a forwarding table, and if the destination address is not found in the forwarding table, selectively flooding the one or more ports of the active bridge domain with a copy of the received packet. The second tag includes an identification of one of the plurality of virtual local area networks. The active bridge domain includes one of the plurality of bridge domains. The active bridge domain is associated with the ingress port of the received packet.
In yet a further embodiment, an article of manufacture includes a computer readable medium and computer-executable instructions carried on the computer readable medium. The instructions are readable by a processor. The instructions, when read and executed, cause the processor to assign a first tag to a received packet, assign a second tag to the received packet, the second tag comprising an identification of one of the plurality of virtual local area networks, look up the destination address of the received packet in a forwarding table, and if the destination address is not found in the forwarding table, selectively flood the one or more ports of the active bridge domain with a copy of the received packet. The first tag includes an identification of an active bridge domain. The active bridge domain includes one of the plurality of bridge domains. The active bridge domain is associated with the ingress port of the received packet.
For a more complete understanding of the present invention and its features and advantages, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
Processor 204 may comprise, for example, a microprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit (ASIC), or any other digital or analog circuitry configured to interpret and/or execute program instructions and/or process data. Processor 204 may interpret and/or execute program instructions and/or process data stored in memory 202. Memory 202 may comprise any system, device, or apparatus configured to hold and/or house one or more memory modules. Each memory module may include any system, device or apparatus configured to retain program instructions and/or data for a period of time (e.g., computer-readable media).
VLAN 210 may comprise one or more of ports 206. Ports 206 may be associated with one or more VLANs 210. VLANs 210 may be associated with one or more network entities 208 communicatively coupled to the ports 206 which comprise the VLAN 210. VLANs 210 may be associated with a multicast group identification (MGID) 216. MGID 216 may comprise an identification of all ports 206 associated with a VLAN 210.
Switch 201 may comprise one or more bridge domains 212. A bridge domain 212 may be a virtual organization of some or all of the VLANs 210 of the switch 201. Each bridge domain 212 may comprise ports 206 associated with one or more VLANs 210. For example, in
Bridge domain 212 may comprise forwarding table 214. Forwarding table 214 may be implemented in any suitable manner to store and make available to switch 201, through bridge domain 212, information concerning other network entities 208 in switching system 200 and how the network entities 208 may be accessed through ports 206. Forwarding table 214 may comprise information that spans multiple VLANs 210 within the bridge domain 212. In one embodiment, a single forwarding table 214 may be necessary for all VLANs 210 in a bridge domain 212.
In one embodiment, forwarding table 214 may be implemented partially or fully in hardware in switch 201. In such an embodiment, forwarding table 214 may be implemented partially or fully by processor 204. In another embodiment, forwarding table 214 may be implemented partially or fully in memory 202. Forwarding table 214 may be operable by logic or instructions contained within memory 202, and executed by processor 204.
Forwarding table 214 may comprise information, for a given address, identifying what ports 206 may be used to access the device having the address. The addresses used by forwarding table 214 may comprise MAC addresses. In one embodiment, forwarding table 214 may comprise information regarding, for a given VLAN 210, which ports 206 may be used to access the VLAN. Forwarding table 214 may comprise the necessary forwarding information specific to a given bridge domain 212.
Bridge domain 212 may be configured to receive packets from extranet router 302. Extranet router 302 may be configured to receive packets from extranet 304. Extranet router 302 may comprise any router suitable to send and receive packets from extranet 304 and bridge domain 212. In one embodiment, extranet router 302 may be implemented within switch 201. In another embodiment, extranet router 302 may be implemented in an electronic device coupled to switch 201. Extranet router 302 may be configured to add a tag to received packets. In one embodiment, extranet router 302 may be configured to add a tag to the packet representing the bridge domain 212 to which the packet belongs. In another embodiment, extranet router 302 may be configured to add a tag to the packet representing the VLAN 210 inside the bridge domain 212 to which the packet belongs. In yet another embodiment, extranet router 302 may be configured to perform network address translation (“NAT”) from an externally visible Internet protocol (“IP”) address and layer 4 protocol port to an internal known IP address, and possibly a different layer 4 protocol port. Any suitable method may be used to perform NAT, or reverse NAT, including methods by which a private IP address and protocol port number are translated into a public IP address and protocol port number, or vice versa.
Bridge domain 212 may be configured to receive packets from a VLAN 210. Based on the port 206 through which the packet was received into switch 201, the packet will enter a bridge domain 212. Bridge domain 212 may be configured to add a tag to the received packet, representing bridge domain 212. In one embodiment, bridge domain 212 may be configured to also add a tag to the received packet representing the VLAN 210 where the packet is to be sent.
Upon receipt of a packet, a bridge domain 212 may be configured to determine the source address of the packet. The source address may comprise a MAC address. If the source address of the packet is not found in its forwarding table 214, a bridge domain 212 may be configured to add the source address to forwarding table 214, along with the ingress port through which the packet was received. A bridge domain 212 may be configured to determine, by accessing the destination address of a received packet and accessing its forwarding table 214, to which port 206 the packet should be sent. If the destination address of the packet cannot be found, the bridge domain 212 may be configured to selectively flood the VLANs 210 associated with the bridge domain 212. In one embodiment, bridge domains 212 may be configured to flood all the ports 206 associated with the VLAN 210 identified by the tag associating the packet with the particular VLAN 210. If the destination address of the packet can be found in forwarding table 214, bridge domains 212 may be configured to forward the packet to the appropriate destination through the associated port 206 identified in forwarding table 214.
In one embodiment, bridge domains 212 may be configured to flood all the ports 206 associated with the VLAN 210 identified by the tag associating the packet with the particular VLAN 210 by applying egress VLAN filtering logic. A bridge domain 212 may be configured to determine, for each port 206 associated with the bridge domain 212, whether the port 206 is associated with the particular VLAN 210. If the particular VLAN 210 is configured on port 206, then the packet may be forwarded through port 206. If the particular VLAN 210 is not configured on port 206, then the packet may be dropped. In another embodiment, if the packet was received from a particular VLAN 210, the packet may not be flooded back to the same VLAN 210. Bridge domains 212 may be configured to learn the address, identity, or ports of destinations within a given VLAN 210 by receipt of reply messages or packets in response to flooding ports 206. Bridge domains 212 may be configured to add entries to forwarding table 214 based upon these received packets. The entries may include the source address of the replying destination, as well as the ingress port through which the packet was received.
In one embodiment, a bridge domain 212 may be configured to receive a packet that is to be forwarded to extranet 304. In such an embodiment, the bridge domain 212 may be configured to remove the tags of the packet that identify the bridge domain 212. The bridge domain 212 may be configured to forward the packet to extranet router 302. Extranet router 302 may be configured to conduct reverse NAT on the packet. Any known NAT mechanism may be used to conduct NAT or reverse NAT on the packet. Extranet router 302 may be configured to remove the tags of the packet that associate the packet with VLAN 210. Extranet router 302 may be configured to send the packet to a destination in extranet 304.
In one embodiment, switching system 200 may be configured to separate traffic between different cloud applications. Cloud applications may be operating on one or more network entities 208. Switching system 200 may be configured to prevent traffic from one cloud application from reaching another cloud application. Such configurations may improve the security of cloud application operations, as they may decrease the chances of a security breach in one cloud application affecting other cloud applications. Cloud applications may be configured to operate on a single VLAN 210, or on a defined set of VLANs 210. Because bridge domains 212 may be configured to flood packets only to ports 206 associated with a given VLAN 210, bridge domains 212 may be configured to flood packets only to VLANs 210 associated with a particular cloud application, thus preventing other cloud applications on other VLANs from receiving the flooded packets.
In operation, extranet router 302 may receive a packet from extranet 304 to be forwarded to a network destination 208 communicatively coupled to a port 206 associated with a bridge domain 212. Extranet router 302 may conduct NAT on the destination address of the packet. The destination address of the packet may comprise an IP address. In one embodiment, extranet router 302 may tag the packet with an identification of the VLAN 210 with which the packet is associated. The packet may then be handled by the associated bridge domain. For example, the packet may be associated with VLAN 210a. Extranet router 302 may determine to which bridge domain 212 the packet belongs. In one embodiment, extranet router 302 may use the arrival port 206 of the packet to determine to which bridge domain 212 the packet belongs. For example, if a packet arrives over port 206f, then the packet may be handed off to bridge domain 212a; if a packet arrives over port 206i, then the packet may be handed off to bridge domain 212b. The bridge domain 212 which receives the packet may then tag the packet with an identification of the bridge domain.
A bridge domain 212 may receive the packet from extranet router 302. A bridge domain 212 may be operating on switch 201. A bridge domain 212 may receive a packet from a network entity 208 communicatively coupled to a bridge domain 212 through port 206 configured to operate as part of VLAN 210. The bridge domain 212 which receives the packet may then tag the packet with an identification of the bridge domain. In one embodiment, a bridge domain 212 may tag the packet with a VLAN tag corresponding to an identification of the VLAN 210 through which the packet was received.
Upon receipt of a packet, a bridge domain 212 may look up the source address of the packet in forwarding table 214. The source address may comprise a MAC address. If the source address is not contained within forwarding table 214, the address may be added to forwarding table 214. For example, if a packet arrives at bridge domain 212a through port 206f, with an address of 00:23:45:67:89:AB, and no entry in forwarding table 214a exists for the combination of one or more of the address, VLAN, and bridge identifiers, a new entry may be created in forwarding table 214a that includes the particular bridge domain, VLAN, and address 00:23:45:67:89:AB and associates them with port 206f.
Upon receipt of a packet, a bridge domain 212 may look up the destination address of the packet in forwarding table 214. The destination address may comprise a MAC address. A bridge domain 212 may use any combination of bridge, VLAN, or address identifiers to look up the destination address of the packet in forwarding table 214. If the destination address of the packet is found in forwarding table 214, the packet may be forwarded to the port associated with the found address entry. For example, if bridge domain 212a receives a packet tagged with VLAN 210b, looks up the destination address of the packet, 00:76:54:32:10:BA, in forwarding table 214a, and determines that no corresponding entry exists in forwarding table 214a, a copy of the packet may be selectively flooded to ports 206b-e. In one embodiment, the packet may be selectively flooded by determining, at each port 206 associated with the bridge domain 212, whether the packet is tagged for a VLAN 210 that is configured as associated with the port 206. If the VLAN 210 is not configured for the port 206, then the packet is dropped. If the VLAN 210 is configured for the port 206, then the packet is forwarded through port 206 to network entity 208. In another embodiment, a packet is not flooded through a port 206 through which the packet was received by bridge domain 212.
If the destination address of the packet is found in forwarding table 214, the packet may be sent to the port 206 corresponding to the found entry in forwarding table 214. For example, if the destination address is 00:11:11:11:11:AA, corresponding to network entity 208a, bridge domain 212a may access forwarding table 214a to determine the port associated with an entry for the address and VLAN 210a, and forward the packet to port 206a.
If the packet is to be sent to extranet 304, a bridge domain 212 may send the packet to extranet router 302. A bridge domain 212 may remove the tag of the packet identifying bridge domain 212 before sending the packet. Extranet router 302 may remove the tag of the packet identifying a VLAN. Extranet router 302 may perform reverse NAT. Extranet router 302 may send the packet to a destination in extranet 304.
The systems and embodiments of
Once the packet has arrived, in step 420 the packet may be tagged with an indication of the VLAN to which the packet is to be sent. In one embodiment, if the packet arrived via a VLAN in step 415, the packet may be tagged with an indication of the VLAN through which the packet arrived. In step 425, the packet may be tagged with an indication of the bridge domain in which the packet has arrived. In one embodiment, the bridge domain corresponding to the ingress port of the packet's arrival may be the bridge domain for which the packet is tagged.
In step 430, the source address of the packet may be looked up in a forwarding table, to determine whether or not the source address is known. The source address may be looked up in a forwarding table on the basis of a combination of any of the source address, the VLAN, or the bridge domain identifiers. In step 435, if the source address is not known, then the source address may be learned by creating a new entry in the forwarding table corresponding to the source address of the packet. In one embodiment, the new entry may also contain information regarding the VLAN or bridge domain identifiers. If the source address is known, then the method may proceed to step 440.
In step 440, the destination address of the packet may be looked up in a forwarding table to determine whether or not the destination address is known. The destination address may be looked up in a forwarding table on the basis of a combination of any of the source address, the VLAN, or the bridge domain identifiers. If the destination address of the packet is not in the forwarding table, then in step 445 the packet may be selectively flooded to ports associated with the destination VLAN. In one embodiment, the packet may be selectively flooded by flooding the packet to all ports, and for each port, determining whether or not the port is configured as part of the destination VLAN. If the destination address of the packet is in the forwarding table, then the appropriate egress port may be determined and the method may proceed to step 450.
In step 450, it may be determined whether or not the destination address is in the extranet. If the destination address is not in the extranet, the method may proceed to step 465. If the destination address is in the extranet, then in step 455 the VLAN and bridge domain tags may be removed from the packet. Reverse NAT may be performed upon the packet. In step 460, the packet may be sent to the destination in the extranet.
In step 465, the packet may be forwarded to the destination address through the identified port.
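As an added example that is not part of the patent text, the following Python simulation walks steps 420 through 465 for one bridge domain, and at the same time reproduces the learning, selective flooding and extranet hand-off described earlier for bridge domain 212a: a single forwarding table keyed by bridge domain, VLAN and MAC address, egress VLAN filtering when a copy is flooded, no flooding back through the ingress port, and removal of the bridge domain tag (by the bridge domain) and the VLAN tag (by the extranet router) toward the extranet. The port-to-VLAN layout, the class and function names, and the broadcast destination used in the isolation check are assumptions; the port, VLAN and MAC identifiers are the ones quoted in the text. IP NAT is omitted because the text leaves the mechanism open.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Layer-2 packet carrying the two tags described in the text."""
    src_mac: str
    dst_mac: str
    vlan: Optional[str] = None           # second tag: VLAN identification
    bridge_domain: Optional[str] = None  # first tag: active bridge domain


class ExtranetRouter:
    """Models extranet router 302; IP NAT is left out (the text leaves the method open)."""

    @staticmethod
    def ingress(pkt: Packet, vlan: str) -> Packet:
        # Step 420: tag the packet with the VLAN to which it is to be sent.
        return replace(pkt, vlan=vlan)

    @staticmethod
    def egress(pkt: Packet) -> Packet:
        # Step 455, router side: remove the VLAN tag before the packet leaves.
        return replace(pkt, vlan=None)


class BridgeDomain:
    """One bridge domain (212) with one forwarding table (214) shared by all its VLANs."""

    def __init__(self, name: str, port_vlans: Dict[str, Set[str]], extranet_port: str):
        self.name = name
        self.port_vlans = port_vlans        # port -> VLANs configured on that port
        self.extranet_port = extranet_port  # port facing the extranet router
        # Entries are keyed by (bridge domain, VLAN, MAC) and map to a port.
        self.forwarding_table: Dict[Tuple[str, str, str], str] = {}

    def receive(self, pkt: Packet, ingress_port: str) -> List[Tuple[str, Packet]]:
        """Return the (egress port, packet) pairs produced for one received packet."""
        if ingress_port not in self.port_vlans:
            raise ValueError(f"port {ingress_port} is not in bridge domain {self.name}")
        pkt = replace(pkt, bridge_domain=self.name)   # step 425: bridge domain tag
        self._learn(pkt, ingress_port)                # steps 430-435: source learning
        egress = self.forwarding_table.get((self.name, pkt.vlan, pkt.dst_mac))  # step 440
        if egress is None:
            return self._selective_flood(pkt, ingress_port)                     # step 445
        if egress == self.extranet_port:              # steps 450-460: strip bridge domain tag
            return [(egress, replace(pkt, bridge_domain=None))]
        return [(egress, pkt)]                        # step 465: known unicast destination

    def _learn(self, pkt: Packet, ingress_port: str) -> None:
        key = (self.name, pkt.vlan, pkt.src_mac)
        if key not in self.forwarding_table:
            self.forwarding_table[key] = ingress_port

    def _selective_flood(self, pkt: Packet, ingress_port: str) -> List[Tuple[str, Packet]]:
        out = []
        for port, vlans in self.port_vlans.items():
            if port == ingress_port:
                continue              # never flood back through the ingress port
            if pkt.vlan in vlans:     # egress VLAN filtering: forward only where configured
                out.append((port, pkt))
            # otherwise the copy is dropped at this port
        return out


def demo() -> dict:
    # Constructed topology (assumption): 206a carries VLAN 210a, 206b-e carry 210b,
    # and 206f is the trunk toward extranet router 302 carrying both.
    bd_212a = BridgeDomain(
        name="212a",
        port_vlans={"206a": {"210a"}, "206b": {"210b"}, "206c": {"210b"},
                    "206d": {"210b"}, "206e": {"210b"}, "206f": {"210a", "210b"}},
        extranet_port="206f",
    )
    router = ExtranetRouter()
    results = {}
    # 1. Packet from the extranet, tagged VLAN 210b by the router, unknown destination.
    pkt = router.ingress(Packet("00:23:45:67:89:AB", "00:76:54:32:10:BA"), vlan="210b")
    results["flood"] = sorted(port for port, _ in bd_212a.receive(pkt, "206f"))
    # 2. Reply from port 206c: the destination is now known, so unicast toward the extranet.
    reply = Packet("00:76:54:32:10:BA", "00:23:45:67:89:AB", vlan="210b")
    (port, out), = bd_212a.receive(reply, "206c")
    results["reply_port"] = port
    results["reply_tags"] = (out.bridge_domain, router.egress(out).vlan)
    # 3. Same destination as in 1: learned from the reply, so no flood this time.
    results["unicast"] = [p for p, _ in bd_212a.receive(pkt, "206f")]
    # 4. Isolation: unknown-destination traffic in VLAN 210a never reaches the 210b ports.
    iso = Packet("00:11:11:11:11:AA", "ff:ff:ff:ff:ff:ff", vlan="210a")
    results["isolated_flood"] = [p for p, _ in bd_212a.receive(iso, "206a")]
    results["table_size"] = len(bd_212a.forwarding_table)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the first packet flooded only to 206b through 206e, the reply forwarded to 206f with both tags removed, the follow-up packet sent as unicast to 206c, and the VLAN 210a packet reaching only the trunk port, which is the per-VLAN containment the cloud application separation relies on. Because the table key includes the VLAN, the same MAC address seen in two VLANs of one bridge domain yields two independent entries.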
Although
Methods 400 may be implemented using the system of
For the purposes of this disclosure, computer-readable media may include any instrumentality or aggregation of instrumentalities that may retain data and/or instructions for a period of time. Computer-readable media may include, without limitation, storage media such as a direct access storage device (e.g., a hard disk drive or floppy disk), a sequential access storage device (e.g., a tape disk drive), compact disk, CD-ROM, DVD, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and/or flash memory; as well as communications media such as wires, optical fibers, and other tangible, non-transitory media; and/or any combination of the foregoing.
Although the present disclosure has been described in detail, it should be understood that various changes, substitutions, and alterations can be made hereto without departing from the spirit and the scope of the disclosure as defined by the appended claims.