SYSTEM AND METHOD FOR ROUTING ACROSS SEGMENTS OF A NETWORK SWITCH
FIELD OF THE INVENTION
The present invention relates generally to providing connectivity between segments of a network, and more particularly to using a switch to route data between segments of a network.
BACKGROUND OF THE INVENTION
When providing connectivity between various network components of one or more networks connected to a gateway, it is often desirable to segregate groups of one or more network components into separate subnets. By providing separate subnets, various higher-level functions or operations can be performed by the gateway on data transmitted between the subnets. For example, the gateway could place an email server in a different subnet than an intranet of personal computers, thereby providing a secure network segment (also known as a "demilitarized zone" or secure perimeter network) between the intranet of personal computers (PCs) and the email server. As a result, external network components can access the internal email server without being able to access the intranet of PCs. Likewise, segments of a network can be separated into different subnets to prevent a high data flow on one network segment from degrading the bandwidth of another network segment.
However, while using separate subnets for different network segments provides a number of advantages, known implementations for routing across separate subnets typically are relatively expensive due to their need for separate network controllers for each subnet. As a result, as the number of subnets increases, the cost and complexity of the gateway increases since additional network controllers must be added to the gateway.
In view of the limitations of known subnet routing implementations, an improved system and method for providing routing across network segments would be advantageous.
SUMMARY OF THE INVENTION
The disclosed technique mitigates or solves the above-identified limitation in known implementations, as well as other unspecified deficiencies in the known implementations.
The use of Institute of Electrical and Electronics Engineers (IEEE) 802.1Q tagging, IEEE 802.1p priority fields, and the VLAN capabilities of various Ethernet switch chips allows a host processor to route across the network interfaces of a switch chip. A host processor attached to a single interface of a switch chip can route across all interfaces by: identifying the interface from which each frame is received; directing each frame from the host processor to the outgoing segment on which it must be sent; and preventing the switch chip from directly forwarding frames between network interfaces.
Various implementations of the present invention can be adapted to utilize a switch chip by addressing three issues. First of all, the switch chip can be adapted to prevent the forwarding of data between the Ethernet segments that are to be routed or otherwise processed at a higher-level. All frames that are to be routed or further processed are provided to, and processed by, the host processor. This includes unicast, multicast, and broadcast packets. Secondly, the switch chip is adapted to identify from which Ethernet segment a frame was received before passing data up through a network layer stack, such as Internet Protocol (IP). Lastly, implementations of the present invention generally identify the Ethernet segment by which the switch chip is to output frames from the host processor, including unicast, multicast, and broadcast packets.
In accordance with one embodiment of the present invention, a gateway for routing frames across multiple subnets is provided, the gateway being in electrical communication with a plurality of network segments, and each network segment is associated with at least one of the subnets. The gateway comprises a processor and a network switch in electrical communication with the processor and having a plurality of ports, each port associated with one of the network segments, the network switch being adapted to receive, at a first port, a frame from a first network segment associated with a first subnet, associate a source indicator with the frame, the source indicator including an identifier representative of the first subnet, and provide the frame and the source indicator to the processor when an intended destination of the frame is a second subnet different from the first subnet. Furthermore, the processor is adapted to perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
In a distributed network comprising a first network segment associated with a first subnet and a second network segment associated with a second subnet, a gateway coupled to the first and second network segments is provided in accordance with another embodiment of the present invention. The gateway comprises a network switch in bidirectional communication with a processor, wherein the network switch is adapted to provide a frame received via a first port and a source indicator to the processor when an intended destination of the frame includes the second subnet, the source indicator being representative of the first subnet, and wherein the processor is adapted to perform at least one higher-level function using the frame based at least in part on the source indicator to generate a modified frame.
In a distributed network comprising multiple network segments, a network switch having at least three ports is provided in accordance with at least one embodiment of the present invention. Each port is coupled to a separate network segment, the at least three ports including a first port coupled to a first network segment, the first network segment being associated with a first subnet, a second port coupled to a second network segment, the second network segment being associated with a second subnet, and a third port coupled to a processor, where the first port is adapted for bi-directional communication between the third port and the first network segment and the second port is adapted for bidirectional communication between the third port and the second network segment. The network switch is adapted to associate a source indicator with a frame received from the first port, the source indicator representing the first subnet, and provide the frame and the source indicator to the processor via the third port when an intended destination of the frame is the second subnet.
In a distributed network comprising multiple network segments coupled to a network switch, a processor in electrical communication with the network switch is provided in accordance with yet another embodiment of the present invention. The processor is adapted to receive a frame and a source indicator associated with the frame from the network switch, the source indicator being representative of a source subnet of the frame, perform at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame and associate a destination indicator with the modified frame, the destination indicator being representative of at least one intended destination subnet of the modified frame. The processor is further adapted to provide the modified frame and the destination indicator to the network switch for output to the at least one intended destination subnet.
In accordance with an additional embodiment of the present invention, a method to route at least one frame from a first subnet to a second subnet using a network switch is provided. The method comprises the steps of receiving, at a first port of the network switch, a frame from a first network segment associated with the first subnet, wherein an intended destination of the frame includes a second network segment associated with the second subnet, providing the frame and a source indicator from the network switch to a processor, the source indicator representing the first subnet, and performing, at the processor, at least one higher-level function with the frame based at least in part on the source indicator to generate a modified frame.
In accordance with another embodiment of the present invention, a method for routing frames of data across switched Ethernet segments is provided. The method comprises the steps of receiving, at a first port of an Ethernet switch, a frame from a first Ethernet segment, wherein the first port is associated with a first VLAN and where the frame is intended for receipt by a network component of a second Ethernet segment associated with a second VLAN, associating, at the Ethernet switch, a source indicator with the frame, the source indicator including a first VID associated with the first VLAN, and providing the frame and the source indicator from the Ethernet switch to an application stack of a processor via a first channel, wherein the first channel is associated with the first VID. The method further comprises the steps of performing, at the application stack, at least one higher-level function based at least in part on the source indicator to generate a modified frame, associating a destination indicator with the modified frame, wherein the destination indicator includes a second VID associated with the second VLAN, and providing the modified frame and the destination indicator from the application stack to the network switch. The method additionally includes the step of providing the modified frame to a second port of the network switch associated with the second VLAN for output to the second Ethernet segment based at least in part on the second VID of the destination indicator.
One objective of at least one embodiment of the present invention is to allow a switch chip to be attached to a host processor to create a router that can route frames across each network interface attached to the switch chip. Another objective of at least one embodiment of the present invention is to minimize the cost of implementing subnets by reducing the number of network controllers necessary to support multiple subnets.
Still further features and advantages of the present invention are identified in the ensuing description, with reference to the drawings identified below.
BRIEF DESCRIPTION OF THE DRAWINGS
The purposes and advantages of the present invention will be apparent to those of ordinary skill in the art from the following detailed description in conjunction with the appended drawings in which like reference characters are used to indicate like elements, and in which:
Figure 1 is a block diagram illustrating a system for routing data across multiple network segments in accordance with at least one embodiment of the present invention;
Figure 2 is a block diagram illustrating a mechanism for associating the ports of a network switch with different virtual local area networks in accordance with at least one embodiment of the present invention; and
Figure 3 is a block diagram illustrating a mechanism for providing frames from one network segment to another network segment using virtual local area networks in accordance with at least one embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Figures 1-3 illustrate a method and a system for using a network switch to route frames between network segments. In at least one embodiment, one or more frames from one network segment are provided to one of a plurality of ports of a network switch. The network switch provides each frame to a processor as it is received when the source and destination of the frame are on different subnets or the frame is intended for the processor. The processor, in one embodiment, then performs one or more higher-level functions using a received frame, such as routing, Internet Protocol Security (IPSec) or network address translation (NAT). After modifying the frame as a result of the performance of the one or more higher-level functions, the processor provides the modified frame back to the network switch for output on a port connected to the intended destination of the frame. In at least one embodiment, the network switch utilizes port-based virtual local area networks (VLANs) to prevent frames received at one port of the network switch from being directly sent out another port when the frames have different source and destination subnets.
Additionally, the network switch can use the VLANs to indicate to the processor the source subnet of the frame. In this case, each port of the network switch can be assigned to a certain VLAN (representing a certain subnet), and as a frame is received at a certain port, the network switch associates the port's VLAN identification (VID) with the frame to indicate the source VLAN/subnet of the frame. Likewise, the processor can use the VLAN capability of the network switch to indicate to the network switch the particular port or ports that are to be used to output a frame to one or more network segments attached to the particular port/ports. In this case, the processor can associate the VID of the destination VLAN/subnet with a frame and provide this destination indicator and the frame to the network switch. The network switch, using the VID of the destination indicator, outputs the frame on the one or more ports associated with the VLAN having the VID of the destination indicator. One advantage of at least one embodiment of the present invention is that the cost of implementing multiple subnets can be reduced since a separate network controller is not necessary for each subnet.
The term "frame," as used herein, refers to any logical segmentation of data transmitted over a networked medium, and usually includes a source address, a destination address, a data payload, and an error correction field, as well as various other fields. Examples of frames include Ethernet frames, IP packets, Asynchronous Transfer Mode (ATM) frames, and the like.
Referring now to Figure 1, a system 100 for routing data across segments of a network switch 130 is illustrated in accordance with at least one embodiment of the present invention. The system 100 includes one or more subnets 102-106 connected to a gateway 120. The subnets 102-106 each can include one or more network segments having one or more network components, where a network component can include any component or device adapted to communicate with another component or device over a network, such as a server, a hub, a router, a bridge, a switch, a terminal, a PC, and the like. In the illustrated embodiment, the subnet 102 includes a wide area network (WAN) 150 and the subnet 104 includes a data server 108, such as a file transfer protocol (FTP) server or simple mail transfer protocol (SMTP) server. The subnet 106 includes two network segments, one including PCs 110-114 connected via a hub 122 to the gateway 120 and a PC 116 connected separately to the gateway 120. The number and type of subnets connected to the gateway 120 and/or the number and type of network components of the subnets are illustrated for exemplary purposes. The present invention may be implemented with any number or type of subnets and any combination of network components on a subnet using the guidelines provided herein.
The gateway 120 can include any of a variety of devices utilized to connect two or more networks or subnets together, such as a digital subscriber line (xDSL) modem, a firewall, a gateway, a router, a bridge, and the like. To illustrate, the gateway 120 can include a combination bridge/router adapted to provide a communication link between the Internet (one embodiment of the WAN 150 of the subnet 102) and the network components of the subnets 104, 106. To facilitate communication between the WAN 150 and the subnets 102-106, in at least one embodiment, the gateway 120 includes a network switch 130 connected to a communications processor 140. In one embodiment, the switch 130, as illustrated, includes a plurality of ports 132-138, each coupled to one of the network segments or network components of the subnets 102-106. The ports 132-138 can include ports adapted to support any of a variety of network architectures, such as Ethernet, token ring, asynchronous transfer mode (ATM), and the like. One example of an appropriate switch 130 is an Ethernet switch having the trade designation KS8993 available from Kendin Communications, Inc. of Sunnyvale, California. As with the subnets, the number of ports of the switch 130 is exemplary. Implementations of the present invention can utilize network switches having any number of ports without departing from the spirit or the scope of the present invention.
The communications processor 140 can include any of a variety of processing devices adapted to modify frames of data for networking purposes, where modification of frames can include, but is not limited to, routing frames, switching frames, bridging frames, as well as performing higher-level functions, such as network address translation (NAT) or encryption. The communications processor 140, herein referred to as the processor 140, can include a processor specifically designed for communications processing, such as an application specific integrated circuit (ASIC), a general purpose processor adapted to execute a set of executable instructions appropriate for handling of network data, a communications-specific microprocessor or microcontroller, or a combination thereof. One such implementation includes a communications processor available under the trade designation Helium 200 from GlobeSpanVirata, Inc. of Red Bank, New Jersey. Alternatively, the processor 140 can be implemented as a combination of discrete logic components.
The gateway 120 can be adapted to perform a variety of functions within the system 100. For example, in one embodiment, the gateway 120 is adapted to route frames between separate subnets. To illustrate, the gateway 120 can be utilized to route frames from the network components of the subnets 104, 106 to the WAN 150 of the subnet 102, and vice versa. Likewise, the gateway 120 can be adapted to function as a bridge by bridging frames between network segments of the same subnet. In this case, frames received via the port 138 from the PC 116 can be bridged to the PC 110 via the port 136 and the hub 122. Frames from the PCs 110-114 likewise can be bridged to the PC 116 via ports 136, 138 of the gateway 120. Additionally, the gateway 120 can perform various higher-level operations while switching/bridging/routing frames between network segments. For example, the gateway 120 can act as a firewall between the WAN 150 and the subnets 104, 106 by providing network address translation (NAT) on frames from the subnets 104, 106 to the WAN 150 and on frames from the WAN 150 intended for one or more of the network components of the subnets 104, 106. Likewise, the gateway 120 can be adapted to implement the subnet 104 as a secure perimeter network, thereby allowing external access to the data server 108 from the subnet 102 without sacrificing the security of the subnet 106. The gateway 120 can be adapted to provide a variety of other higher-level functions, whereby a higher-level function, as defined herein, includes any function, process, or operation performed at Layer 3 (the Network layer) or higher of the Open Systems Interconnection (OSI) Network Model. Higher-level functions can include routing, NAT, Internet Protocol Security (IPSec), encryption, filtering, and the like.
In order to provide the routing, bridging, and other desired functionality of the gateway 120, in at least one embodiment, each frame received at any of the ports 132-138 is filtered based at least in part on its intended destination. If the final destination of a received frame is located on the same network segment as the source of the frame, the switch 130 can be adapted to drop the frame. For example, if the PC 110 were to transmit a frame intended for the PC 114, the frame typically would be received by one port of the hub 122 and retransmitted out all of the other ports of the hub 122, one of which is connected to the port 136. Accordingly, when the switch 130 receives this frame, it can determine from its learning table, for example, that the source and destination of the frame are on the same network segment, so the switch 130 can drop the frame. If the intended destination of a received frame is located on the same subnet but a different network segment, then the switch 130 can be adapted to forward (i.e., switch) the frame between the source port and the destination port. For example, assume the PC 116 transmits a frame intended for the PC 112. The frame is received at the port 138 of the switch 130. The switch 130, noting that the source port (port 138) and the destination port (port 136) are in the same subnet 106, forwards the frame directly from port 138 to port 136 for output.
However, when a frame received at the switch 130 has an intended destination that is in a different subnet than the source of the frame or when the frame is intended for the processor 140, the switch 130, in at least one embodiment, is adapted to provide the frame to the processor 140 via the port 142. The processor 140 then can perform one or more higher-level functions (which typically modify the frame) and then provide the modified frame back to the switch 130 for output on the port associated with the intended destination of the modified frame. For example, assume that PC 116 transmits a frame intended for the server 108. Since the PC 116 and the server 108 are on different subnets, the switch 130, in one embodiment, is adapted to provide the frame to the processor 140 for routing of the frame, as well as any other appropriate higher-level functions. The term "modify", as utilized herein with respect to frames of data, can include any of a variety of functions or processes performed on a frame by the processor 140. To illustrate, the processor 140 typically replaces the media access control (MAC) header and updates the Time to Live field and checksum in the IP header when routing an Ethernet frame from one subnet to another. When performing a NAT operation, the processor 140 typically modifies the source or destination IP address along with other fields within the frame.
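The header rewrite described in the preceding paragraph, as an added example rather than code from the patent: when the processor 140 routes an Ethernet/IPv4 frame from one subnet to another it replaces the MAC header, decrements the Time to Live field and recomputes the IPv4 header checksum. The MAC addresses, IP addresses and payload below are constructed sample values; the frame is checked before it is modified, and frames that are malformed, carry a bad checksum or would expire are rejected instead of being forwarded.

```python
import struct

# Added example, not code from the patent: the header rewrite the processor
# performs when routing an Ethernet/IPv4 frame between subnets. Addresses,
# MAC values and payload below are constructed sample data.

IPV4_ETHERTYPE = b"\x08\x00"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.

    Run over a header whose checksum field is zero, it yields the value to
    store; run over a header that already carries a correct checksum, it
    yields 0, which is how a frame is verified before it is touched.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def route_frame(frame: bytes, new_src_mac: bytes, new_dst_mac: bytes) -> bytes:
    """Rewrite the MAC header, decrement TTL and fix the IPv4 header checksum.

    Raises ValueError instead of forwarding when the frame is not IPv4, is
    truncated, carries a bad checksum, or would expire (TTL <= 1); a router
    drops such frames rather than relaying them.
    """
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    if frame[12:14] != IPV4_ETHERTYPE:
        raise ValueError("not an IPv4 frame")
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(bytes(ip[:ihl])) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if ip[8] <= 1:
        raise ValueError("TTL expired; frame must not be forwarded")
    ip[8] -= 1                       # TTL lives at offset 8
    ip[10:12] = b"\x00\x00"          # zero the checksum field, then recompute
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return new_dst_mac + new_src_mac + IPV4_ETHERTYPE + bytes(ip)


def build_sample_frame() -> bytes:
    """Constructed IPv4 frame (TTL 64, UDP protocol number) as PC 116 might send."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, 0, 24, 1, 0x4000, 64, 17, 0,
                                bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    pc_mac = bytes.fromhex("020000000116")           # constructed
    gateway_lan_mac = bytes.fromhex("020000000140")  # constructed
    return gateway_lan_mac + pc_mac + IPV4_ETHERTYPE + bytes(hdr) + b"ping"


if __name__ == "__main__":
    out = route_frame(build_sample_frame(),
                      bytes.fromhex("020000000141"), bytes.fromhex("020000000108"))
    print("TTL after routing:", out[22], "checksum ok:", ipv4_checksum(out[14:34]) == 0)
```

Verifying the incoming checksum before rewriting matters in a gateway that also applies NAT or filtering: a frame whose header does not verify should not be handed to the higher-level functions at all.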
By routing frames having an intended destination on a different subnet than the source subnet through the processor 140, various higher-level functions can be provided that otherwise are generally not available from conventional network switches or bridges. The higher-level functions provided by the processor 140 can include frame/packet filtering, network address translation (NAT), IPSec, implementation of a firewall between the WAN 150 and the subnets 104, 106, and the like. To illustrate, a frame received at port 132 that is intended for subnet 104 would be directly provided to port 134 if the switch 130 operated as a conventional network switch. However, since the switch 130 is adapted to provide the frame to the processor 140 in accordance with one implementation of the present invention, the processor 140 can perform a desired operation on the frame, such as NAT, before providing the frame back to the network switch 130 for output on port 134.
For example, assume a frame received by the switch 130 from the PC 116 via the port 138 is provided to the processor 140. The processor 140, noting the intended destination of the frame (server 108 in this example), modifies/processes the frame by replacing the MAC header and updating the IP header and provides the modified frame to the switch 130. Additionally, in at least one embodiment, the processor 140 associates a destination indicator with the modified frame that is used by the switch 130 to determine which of ports 132-138 the modified frame is to be output on. Using this destination indicator, the switch 130 determines that the intended destination of the frame is connected to the port 134 and therefore provides the modified frame to the port 134 for output to the server 108.
In another example, assume that a frame from the PC 116 is received by the switch 130 via the port 138, where the frame is intended for a data server on the WAN 150 of the subnet 102. The switch 130, noting that the source subnet and the destination subnet are different, then forwards the frame to the processor 140 via the port 142 along with a source indicator representative of the source subnet of the frame. In this example, the gateway 120 is implemented as a firewall between the WAN 150 and the subnets 104, 106. Accordingly, the processor 140, noting the source subnet, performs a NAT operation on the frame and provides the modified frame to the switch 130 along with a destination indicator that the frame is intended for output via the port 132. Based at least in part on this destination indicator, the switch 130 outputs the modified frame on the port 132 for reception by the data server on the WAN 150.
Additionally, in some cases, frames received at the switch 130 may be intended for the processor 140. For example, the gateway 120 could be adapted to monitor the status of the network components of the system 100. In this case, the processor 140 could be adapted to generate "ping" packets to test the connectivity between the processor 140 and the components 108, 110-116, and 150. Upon receipt of a ping packet, each of these components typically would send a response packet to the processor 140 via the network switch 130. In this sense, the processor 140 can be viewed as a network segment for the provision of frames by the network switch 130. Accordingly, when a frame is received on a port associated with one subnet and the frame has the processor 140 as its intended destination, the switch 130 can be adapted to forward the frame to the processor 140 as though the processor 140 were another network segment.
Referring now to Figures 2-3, various mechanisms to route data between the subnets 102-106 are illustrated in accordance with at least one embodiment of the present invention. For ease of illustration, various embodiments of the present invention are discussed herein in the context of Ethernet network architectures, such as 10BaseT, 100BaseTX, 100BaseFX, and the like. However, the present invention may be implemented using other network architectures known to those skilled in the art. Accordingly, any reference made herein to an Ethernet architecture also applies to other network architectures, unless otherwise noted.
Referring to Figure 2, a mechanism to indicate the source port and/or destination port of a frame is illustrated. As discussed above, in at least one embodiment, the switch 130 is adapted to provide all frames received at the ports 132-138 that have different source and destination subnets, as well as frames intended for the processor 140, to the processor 140 for the application of one or more higher-level functions. In order to indicate the port at which a frame was received by the switch 130 (i.e., the source port) to the processor 140, the switch 130 can be adapted to associate a source indicator with the frame prior to providing the frame to the processor 140. The processor 140 can then utilize this indicator value to determine the source subnet of the frame and handle the frame accordingly. Similarly, the processor 140 can be adapted to include a destination indicator with a frame that has been handled by the processor before the frame is provided back to the switch 130. The switch 130, in this case, can use the destination indicator to determine which of the ports 132-138 is to be used to output the frame to its intended destination.
In at least one embodiment, a virtual local area network (VLAN) scheme is utilized to provide the source indicator and/or the destination indicator. In this case, the switch 130 is adapted to support port-based VLANs, such as a VLAN implementation in accordance with the IEEE 802.1Q standard. In this case, the switch 130 can assign the ports 132-138 to one or more VLANs. In at least one embodiment, the ports 132-138 are assigned to a VLAN based at least in part on the subnet associated with each port. In the illustrated embodiment, since the port 132 is associated with the subnet 102 and the port 134 is associated with the subnet 104, the port 132 is assigned to the VLAN 202 and the port 134 is assigned to the VLAN 204. Likewise, since the ports 136, 138 (Figure 1) are associated with the same subnet (subnet 106, Figure 1), the ports 136, 138 can be assigned to the same VLAN. The ports 136, 138 and their associated subnet 106 of the exemplary implementation illustrated in Figure 1 are omitted for ease of illustration. In general, network switches implementing VLANs are prevented from forwarding frames between ports having mutually exclusive VLAN memberships. Accordingly, since the port 132 belongs to a different VLAN than the port 134, there typically is no way for frames from the WAN 150 to be forwarded directly to the data server 108 by the switch 130. Likewise, due to mutually exclusive VLAN memberships, frames from the data server 108 are not forwarded directly to the WAN 150 by the switch 130. However, because ports 136, 138 belong to the same VLAN, a frame received at one of the ports 136, 138 can be forwarded by the switch 130 directly to the other port without necessitating the involvement of the processor 140.
Since ports 132, 134 have a mutually exclusive VLAN membership, frames typically are not directly switched between port 132 and port 134 of the switch 130. Likewise, since ports 136, 138 belong to a different VLAN than either the port 132 or the port 134, frames typically cannot be directly switched between ports 136, 138 and either port 132 or port 134. Since the processor 140, in one embodiment, directs the switch 130 to assign the port 142 to all of the VLANs of the ports 132-138, frames having differing source and destination subnets and frames intended for the processor 140 (i.e., frames that need to be routed and/or otherwise modified) can be provided from the source port to port 142 for output to the processor 140.
As illustrated with reference to the VLAN membership table 206, port 132 is assigned to the VLAN 202, the port 134 is assigned to the VLAN 204, and the port 142 is assigned to both the VLAN 202 and the VLAN 204. Accordingly, any frame received via the port 132 that needs to be routed or modified is forwarded to the port 142 since the port 132 and the port 142 belong to the same VLAN 202. Likewise, any frame received via the port 134 that needs to be routed or modified is provided to the port 142 since they also share the same VLAN 204. As a result, all frames received at the ports 132, 134 that need to be routed or modified are forwarded to the processor 140 via the port 142 and are prevented from being provided directly to the other port. To illustrate, the line 222 demonstrates that frames received at port 132 (from VLAN 202) are provided from the port 132 to the port 142 since they both are in the same VLAN. Likewise, frames from the port 142 intended for the WAN 150 can be forwarded from the port 142 to the port 132 due to their mutual VLAN membership. The line 224 illustrates a similar frame transfer between the data server 108 connected to the port 134 and the processor 140 connected to the port 142. Since the port 142 is a member of the VLAN 204, frames received at the port 134 can be forwarded to the port 142, and vice versa. However, as discussed, the switch 130, in one embodiment, is adapted to prevent the direct transfer (illustrated by line 226) of frames directly from the port 132 to the port 134 and from the port 134 to the port 132 since the ports 132, 134 are members of different VLANs.
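The port-based VLAN membership rule described above, modelled as an added example (this is not code from the patent, and the switch chip named in the text implements the rule in hardware). Port numbers are the figure's reference numerals; VIDs 1 and 2 for the VLANs 202 and 204 follow the text, while VID 3 for the ports 136, 138 of subnet 106 is an assumption. Beyond the single table in the figure, the example includes an audit that checks any membership table for the two properties the design relies on: ports in different subnets share no VLAN, and every segment port shares a VLAN with the processor port.

```python
from typing import Dict, FrozenSet, List, Set

# Added example, not the patent's code: a model of the port-based VLAN
# membership table 206 and the forwarding rule it implies. Port numbers are
# the figure's reference numerals; VIDs 1 and 2 follow the text, VID 3 for
# ports 136/138 is an assumption.

PROCESSOR_PORT = 142

# port -> set of VIDs the port is a member of
MEMBERSHIP: Dict[int, FrozenSet[int]] = {
    132: frozenset({1}),          # WAN 150, VLAN 202
    134: frozenset({2}),          # data server 108, VLAN 204
    136: frozenset({3}),          # hub 122 / PCs 110-114 (assumed VID 3)
    138: frozenset({3}),          # PC 116, same subnet 106
    142: frozenset({1, 2, 3}),    # processor port belongs to every VLAN
}

# port -> subnet reference numeral (from Figure 1); the processor port has none
SUBNET_OF_PORT: Dict[int, int] = {132: 102, 134: 104, 136: 106, 138: 106}


def may_forward(ingress: int, egress: int, membership=MEMBERSHIP) -> bool:
    """A port-based VLAN switch forwards only between ports sharing a VID."""
    if ingress == egress:
        return False
    return bool(membership[ingress] & membership[egress])


def egress_candidates(ingress: int, membership=MEMBERSHIP) -> Set[int]:
    """Ports a frame arriving on `ingress` may be switched to directly."""
    return {p for p in membership if may_forward(ingress, p, membership)}


def check_isolation(membership, subnet_of_port, processor_port) -> List[str]:
    """Audit a membership table against the two properties the text relies on.

    1. Ports in different subnets must not share a VID, or the switch would
       forward between them without the processor seeing the frame.
    2. Every segment port must share a VID with the processor port, or
       frames needing routing would be dropped rather than delivered.
    Returns human-readable findings; an empty list means the table is sound.
    """
    findings = []
    ports = sorted(subnet_of_port)
    for i, a in enumerate(ports):
        for b in ports[i + 1:]:
            if subnet_of_port[a] != subnet_of_port[b] and may_forward(a, b, membership):
                findings.append(f"ports {a} and {b} are in different subnets but share VIDs "
                                f"{sorted(membership[a] & membership[b])}")
    for p in ports:
        if not may_forward(p, processor_port, membership):
            findings.append(f"port {p} cannot reach processor port {processor_port}")
    return findings


if __name__ == "__main__":
    print("132 ->", sorted(egress_candidates(132)))      # only the processor port
    print("138 ->", sorted(egress_candidates(138)))      # 136 directly, plus 142
    print("audit:", check_isolation(MEMBERSHIP, SUBNET_OF_PORT, PROCESSOR_PORT) or "clean")
    # A misconfiguration: port 134 accidentally made a member of VID 1 as well.
    bad = {**MEMBERSHIP, 134: frozenset({1, 2})}
    print("misconfigured:", check_isolation(bad, SUBNET_OF_PORT, PROCESSOR_PORT))
```

The audit is the check worth keeping around: the isolation between subnets 102 and 104 rests entirely on the membership table, so a single stray VID on a port silently reopens the direct path (line 226) that the processor is supposed to mediate.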
Referring now to Figure 3, an exemplary operation of the gateway 120 is illustrated in accordance with at least one embodiment of the present invention wherein a frame 302 from the server 108 is routed by the gateway 120 for delivery to the WAN 150. In the illustrated embodiment, the data server 108 provides an Ethernet frame (frame 302) to the gateway 120, where the frame 302 is intended for receipt by a network component on the WAN 150. Upon receipt of the frame 302, the switch 130 identifies the source subnet based on the port (port 134) used to receive the frame and associates a source indicator 306 with the frame 302 based at least in part on the source subnet identified. The switch 130, in at least one embodiment, utilizes port-based VLANs, as discussed with reference to Figure 2, to assign a VLAN identification (VID) to the source indicator 306 associated with the frame 302. In one implementation, the VID is added as an IEEE 802.1Q VID value to the Tag Control Information (TCI) field following the source address field and the destination address field of the Ethernet frame. For example, the switch 130 could assign a VID of 1 to the VLAN 202 and a VID of 2 to the VLAN 204. Accordingly, any frame received via the port 132 is assigned a VID of 1 in the TCI field of the frame and a frame received via the port 134 is assigned a VID of 2 in its TCI field. Alternatively, the VID can be added as an IEEE 802.1p priority value. Other methods of indicating a VLAN to which a certain frame belongs may be used without departing from the spirit or the scope of the present invention.
Since, in this example, the port 142 belongs to the same VLAN (VLAN 204, Figure 2), the switch 130 provides the frame 302 (with the source indicator 306) to the port 142 for output to the processor 140. The frame 302 is received at the processor 140 by an interface 324 implemented as part of, or connected to, the processor 140. In at least one embodiment, the interface 324 includes an Ethernet media access control (MAC) interface integrated as part of the processor 140 and the port 142 includes an interface compatible with the Ethernet MAC interface, such as a Media Independent Interface (MII). Certain implementations of the switch 130 can be adapted to convert one port into an interface compatible with an Ethernet MAC interface through an MII. For example, the switch 130 could include an Ethernet switch available under the trade name KS8995E from Kendin Communications, Inc. of Sunnyvale, California. This exemplary Ethernet switch includes five ports, where one of the five ports can be converted into an MII
compatible with an Ethernet MAC interface. The four non-convertible ports can be implemented as the ports 132-138, and the fifth port can be converted to an MII for implementation as the port 142 to interface with the Ethernet MAC interface (one embodiment of the interface 324) of the processor 140. In at least one embodiment, the processor 140 includes a switch driver 310 and an application stack 320 for handling and modifying frames received from the switch 130. The switch driver 310 includes a device driver for the switch 130 that is adapted to receive a frame from the interface 324, remove or disassociate any indicators, such as the source indicator 306, from the frame, if necessary, and provide the frame to the application stack 320. The application stack 320 includes one or more protocol stacks, such as an Internet Protocol (IP) stack, as well as any higher-level application layers. The switch driver 310 and the application stack 320 can be implemented as software, firmware, hardware, or a combination thereof. For example, in at least one embodiment, the switch driver 310 includes a first set of executable instructions and the application stack 320 includes a second set of executable instructions, both sets performed by the processor 140.
In order to route across all of the ports of the switch 130, the switch driver 310 generally must bind multiple channels to the application stack 320, one channel for each of the ports 132, 134. Ports 136 and 138, in this example, are combined into a single channel since they are both associated with the same subnet. Accordingly, in at least one embodiment, the switch driver 310 includes a virtual driver 312 associated with the port 132 and a virtual driver 314 associated with the port 134 (as well as a virtual driver for the ports 136, 138 omitted for ease of illustration). Each of the virtual drivers 312, 314 is bound to the application stack 320 as a separate channel, resulting in a separate channel between the switch driver 310 and the application stack 320 for each of the ports 132, 134. From the perspective of the application stack 320, two separate network interfaces are attached. Accordingly, the application stack 320 can route frames between the ports 132, 134 using the channels provided by the virtual drivers 312, 314.
Upon receipt of the frame 302 from the interface 324, the switch driver 310 can determine which one of the virtual drivers 312, 314 is associated with the port used to receive the frame 302. This can be accomplished by analyzing the source indicator 306. For example, if the switch 130 placed a VID value representing VLAN 204 into the TCI field of the frame 302, the switch driver 310 can access this value and determine the
virtual driver associated with the VLAN 204, which, in this case, is the virtual driver 314. After the switch driver 310 identifies the virtual driver 314, the switch driver 310, in one embodiment, strips the source indicator 306 from the frame 302 and provides the frame 302 to the application stack 320 for bridging/routing/security processing and/or further processing.
The application stack 320, in at least one embodiment, is adapted to provide one or more desired higher-level functions in addition to being adapted to route/bridge/switch frames. For example, the application stack 320 can route the frame 302, perform NAT on the frame 302, filter the frame 302, encrypt the payload of the frame 302, and the like. After the frame 302 is processed/modified by the application stack 320, the modified frame is provided over the appropriate channel to the switch driver 310 as modified frame 304. In this case, the channel associated with the destination address of the modified frame 304 (the address of the network component on WAN 150) is supported by the virtual driver 312. Accordingly, the application stack 320 provides the modified frame 304 to the switch driver 310 using the virtual driver 312.
It will be appreciated that in order for the switch 130 to forward the modified frame 304 to the appropriate port, the switch 130 must have an indication of the desired output port/subnet. The typical indicator used by a switch, the destination MAC address, is not sufficient when routing a frame across a network switch since broadcast, multicast and aged unicast addresses will go out ports for which the frame is not intended. Accordingly, in at least one embodiment, the switch driver 310 associates a destination indicator 308 with the modified frame 304. As with the source indicator 306, the destination indicator 308, in one embodiment, can include an IEEE 802.1Q VID value in the TCI field of the frame 304 or an IEEE 802.1p priority value. However, unlike the source indicator 306, which indicated the source subnet of the frame 302 to the switch driver 310, the destination indicator 308 instead indicates the destination subnet(s) of the modified frame 304 to the switch 130. Since, in this case, the modified frame 304 was received via a channel provided by the virtual driver 312, the switch driver 310 can include the VID value associated with the virtual driver 312 as the destination indicator 308 (such as the VID of the VLAN 202 of Figure 2). The switch driver 310 provides the modified frame 304, along with the destination indicator 308, to the port 142 of the switch 130 via the interface 324.
The switch 130, upon receipt of the modified frame 304, analyzes the destination indicator 308 to determine the one or more output ports to be used to output the modified frame 304. The destination indicator 308 of the modified frame 304, in this example, has a VID value associated with the VLAN 202, of which the ports 132, 142 are members. Since the port 142 and the port 132 are members of the same VLAN, the switch 130 can remove or disassociate the destination indicator 308 from the modified frame 304 and provide the modified frame 304 to the port 132 for output to the WAN 150. Meanwhile, since the ports 134-138 are not members of the VLAN 202, the switch 130 avoids providing the frame 304 to the ports 134-138 for output. Although one mechanism to determine source and destination ports of a frame based at least in part on VLAN membership has been illustrated, other mechanisms may be utilized by those skilled in the art, using the guidelines provided herein. In an alternate embodiment, the switch 130 can include a managed network switch, whereby a learning table built by the switch 130 can be provided to the switch driver 310. Therefore, when a frame is received by the switch driver 310 from the switch 130, the switch driver 310 can determine the source port of the frame by using the source address of the frame and the learning table and provide the frame to the application stack 320 through the corresponding virtual driver. Likewise, when a unicast frame is received by the switch 130 from the switch driver 310, the switch 130 can determine the appropriate output port of the switch 130 based at least in part on the destination address of the frame and the learning table. When a broadcast or multicast frame is received by the switch 130 from the switch driver 310, the switch 130 will need an additional indicator as described above to ensure that the frame does not go out all ports of the switch 130.
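The following is an added worked example, not code from the patent or from any product it names, of the source-indicator and destination-indicator handling the switch driver 310 performs in Figure 3: on ingress it reads the 802.1Q VID from the TCI field, selects the virtual driver for that subnet and strips the tag; on egress it inserts the VID of the VLAN backing the channel the application stack chose. The VID-to-channel mapping (VID 1 for VLAN 202 via virtual driver 312, VID 2 for VLAN 204 via virtual driver 314), the channel names and the sample frame are constructed for illustration; untagged frames and unknown VIDs are dropped rather than assigned to a subnet by guesswork.

```python
import struct

TPID_8021Q = 0x8100
# Constructed mapping after the page's example: VID 1 -> VLAN 202 (port 132,
# WAN side) via virtual driver 312; VID 2 -> VLAN 204 (port 134) via 314.
VID_TO_CHANNEL = {1: "vdrv312", 2: "vdrv314"}
CHANNEL_TO_VID = {chan: vid for vid, chan in VID_TO_CHANNEL.items()}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None) -> bytes:
    """Construct an Ethernet frame, optionally carrying an 802.1Q tag (PCP=0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_source_indicator(frame: bytes):
    """Ingress (switch -> switch driver): read the VID from the TCI field,
    pick the virtual driver (channel) for that source subnet and strip the
    4-byte tag. Returns (channel, untagged_frame), or None to drop the frame
    when it carries no tag or a VID the driver does not know (fail closed)."""
    if len(frame) < 18:                      # 12 addr + 4 tag + 2 ethertype
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None                          # no source indicator: do not guess
    vid = tci & 0x0FFF                       # low 12 bits of TCI are the VID
    channel = VID_TO_CHANNEL.get(vid)
    if channel is None:
        return None                          # VID not bound to any channel
    return channel, frame[:12] + frame[16:]  # remove TPID + TCI


def add_destination_indicator(channel: str, frame: bytes, pcp: int = 0) -> bytes:
    """Egress (switch driver -> switch): tag the frame with the VID of the VLAN
    behind the channel the application stack used, so the switch forwards it
    only to ports in that VLAN (matters for broadcast/multicast/aged unicast)."""
    vid = CHANNEL_TO_VID[channel]
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]
```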
Other embodiments, uses, and advantages of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The specification should be considered exemplary only, and the scope of the invention is accordingly intended to be limited only by the following claims and equivalents thereof.