Claims
We claim:
1. In a packet switched data communications network, the network including a plurality of end systems and switches connected by links, each switch having at least one network port
connected to another switch and some switches having access ports connected to end systems, and each end system having a unique physical layer address, each switch including a connection database of valid connections between different ports on the switch
and a switching mechanism for establishing temporary connections between the different ports on the switch, the improvement comprising:
a connection server coupled to each switch,
means coupled to each switch and the connection server for registering each switch with the connection server, and
means, prior to transmission of a data packet comprising a connectionless datagram from a first end system having a first physical layer address to a second end system having a second physical layer address, for determining a path from the first
end system to the second end system through one or more of the switches and for configuring the connection database of each respective switch on the path with a connection identifier including the first physical layer address and the second physical
layer address of the first and second end systems, respectively,
the determining and configuring means being coupled to each switch and the connection server, and the data packet remaining as a connectionless datagram as the data packet is transmitted through the respective switches along the path.
2. The network of claim 1, wherein the connection identifier further includes:
an input port address of the respective switch on which the data packet arrives, and
which connection identifier is mapped to an output port of the respective switch on which the data packet exits the switch.
3. The network of claim 1, further including means for deleting the connection identifier from the connection database after a predetermined time.
4. The network of claim 2, wherein each switch includes address learning means for pairing the first physical layer address within an incoming data packet with the input port address on which the packet arrives at the respective switch, thereby
generating a source address pair comprising the input port address and the first physical layer address, and the registering means includes a directory of source address pairs for end systems in the network.
5. The network of claim 1, wherein each switch includes means for storing the data packet while the path is determined and the switches along the path are configured.
6. The network of claim 1, wherein the means for determining includes means for extracting from a data packet, which data packet does not contain the second physical layer address of the second end system, higher layer protocol information and
determining the second physical layer address of the second end system for which the data packet is intended.
7. The network of claim 6, wherein the means for determining further includes means for sending a reply to the first end system comprising the second physical layer address of the second end system.
8. The network of claim 1, wherein each switch includes means for sending a connection setup request to the connection server for starting the determining means.
9. The network of claim 1, wherein the connection server is external to the switches.
10. The network of claim 1, wherein the determining and configuring means configures the connection database of at least one of the switches to send the data packet from one input port of the switch to more than one output port of the switch.
11. The network of claim 1, wherein the determining and configuring means includes:
means for authorizing valid connections between the first and second end systems.
12. The network of claim 11, wherein the authorizing means includes:
a directory database of authorized valid connections between first and second end systems; and
means for accessing the directory database to determine if there is an authorized valid connection.
13. The network of claim 1, wherein the determining and configuring means includes:
means for determining a best path of valid connections from the first end system to the second end system through the switches of the network.
14. The network of claim 13, wherein the means for determining the best path utilizes a number of constraints including one or more of:
bandwidth;
cost;
QOS (quality of service); and
a maximum number of connections.
15. The network of claim 1, wherein the determining and configuring means includes:
means for determining the valid connections based on an application of time varying or differing constraints.
16. The network of claim 1, further including means for allocating a specified bandwidth to the valid connections.
17. The network of claim 1, including a management information database for controlling the switches.
18. The network of claim 1, further comprising a network management system which provides at least one of the following services:
a) determination of a best path between first and second end systems;
b) designation of authorized valid connections between first and second end systems;
c) determination of the location of end systems;
d) accounting of each end system's usage of the network based on the number of data packet or byte transmissions; and
e) designation of a specified bandwidth for valid connections between designated end systems.
19. The network of claim 1, wherein the physical layer address is a MAC address.
20. The network of claim 1, wherein the determining and configuring means includes:
call setup means for configuring the switches on the path with the valid connections;
data transfer means for forwarding one or more data packets on the path; and
call release means for terminating the valid connections on the path.
21. A method of controlling switches and transmitting data packets in a packet switched data communications network, the network including a plurality of end systems and switches connected by links, each switch having at least one network port
connected to another switch and some switches having access ports connected to end systems, and each end system having a unique physical layer address, the method comprising the steps of:
prior to transmission of a data packet comprising a connectionless datagram from a first end system having a first physical layer address to a second end system having a second physical layer address, determining a first path from the first end
system to the second end system through a plurality of switches based on the physical layer addresses of the first and second end systems, and
configuring the plurality of switches on the first path to enable transmission of the data packet, wherein
the data packet remains as a connectionless datagram as the data packet is transmitted through the respective switches along the path.
22. The method of claim 21, wherein the configuring step comprises:
providing each switch in the first path with a connection identifier for the data packet, the connection identifier including an input port address of the respective switch, a first physical layer address of the first end system, and a second
physical layer address of the second end system, and mapping the connection identifier to an output port of the respective switch.
23. The method of claim 22, wherein each switch has a connection database and the configuring step includes entering the connection identifier in the connection database of each respective switch on the first path.
24. The method of claim 23, further including the step of deleting the connection identifier from the connection database of the respective switch after a predetermined time.
25. The method of claim 23, wherein, once the first path has been determined, multiple data packets having the same connection identifier are transmitted through the network by accessing the respective connection databases in the respective
switches on the first path, without redetermining the first path.
26. The method of claim 21, wherein the determining step includes determining a second path for transmission of a data packet from the first end system to a third end system, different from the second end system, and configuring each of the
switches on the first path and the second path.
27. The method of claim 21, wherein the determining step includes pairing the first physical layer address within an incoming data packet with the input port address on which the packet arrives at the respective switch to determine a source
address pair, and
registering the source address pair in a central directory for the end systems in the network.
28. The method of claim 21, wherein the determining step is initiated when the data packet enters a first switch adjacent to the first end system, and the data packet is stored during the determining and configuring steps.
29. The method of claim 21, wherein the determining step includes, when a first switch receives a broadcast data packet, extracting higher layer protocol information from within the broadcast data packet to determine the second physical layer
address of the second end system for which the broadcast data packet is intended.
30. The method of claim 21, wherein the determining step includes, when a first switch receives a data packet having an unknown connection identifier for the first physical layer address and the second physical layer address, extracting higher layer
protocol information from within the data packet to determine the second end system for which the data packet is intended.
31. The method of claim 30, further including the first switch sending a reply back to the first end system with the second physical layer address of the second end system.
32. The method of claim 21, wherein the determining step includes sending a connection set-up request to a connection service for determining the path and configuring the switches.
33. The method of claim 21, wherein the configuring step includes configuring at least one of the switches to send the data packet from one input port of the switch to more than one output port of the switch.
34. The method of claim 21, wherein at least one of the switches on the path transmits data packets received from different first end systems but intended for one second end system, out different ports. |
Description
FIELD OF THE INVENTION
This invention relates to communication networks, and more particularly to an apparatus and method for providing a high transfer rate, guaranteed quality of service, and secure internetworking of packet-based LAN and WAN segments by establishing
temporary connections which are protocol-independent and transparent to the end systems. In addition, this invention is directed to allocating bandwidth by multiple levels of arbitration among competing devices requesting access to a bandwidth-limited
shared resource, and to a search method for making a best path determination through the network based on a number of constraints.
RELATED APPLICATIONS
The subject matter of the present application may be advantageously combined with the subject matters of the following copending and commonly owned applications filed on the same date, and which are hereby incorporated by reference in their
entirety:
U.S. Ser. No. 08/187,856 entitled "Distributed Chassis Agent For Network Management," filed Jan. 28, 1994 by Brendan Fee et al.;
U.S. Ser. No. 08/188,033 entitled "Fault Tolerant System Management Bus Architecture," filed Jan. 28, 1994 by Brendan Fee et al.
BACKGROUND OF THE INVENTION
Data networks today rely heavily on shared medium, packet-based LAN technologies for both access and backbone connections. The use of packet switching systems, such as bridges and routers, to connect these LANs into global internets is now
widespread. An internet router must be capable of processing packets based on many different protocols, including IP, IPX, DECNET, AppleTALK, OSI, SNA and others. The complexities of building networks capable of switching packets around the world using
these different protocols are challenging to both vendors and users.
Standards-based LAN systems work reasonably well at transfer rates up to about 100 Mbps. At transfer rates above 100 Mbps, providing the processing power required by a packet switch interconnecting a group of networks becomes economically
unrealistic for the performance levels desired. This inability to economically "scale up" performance is beginning to cause restrictions in some users' planned network expansions. Also, today's data networks do not provide network managers with enough
control over bandwidth allocation and user access.
Tomorrow's networks are expected to support "multimedia" applications with their much greater bandwidth and real-time delivery requirements. The next generation networks should also have the ability to dynamically reconfigure the network so that
it can guarantee a predetermined amount of bandwidth for the requested quality of service (QOS). This includes providing access, performance, fault tolerance and security between any specified set of end systems as directed by the network's manager.
The concept is to provide network managers with complete "command and control" over the entire network's infrastructure--not just tell them when a failure has occurred.
A new set of technologies known as asynchronous transfer mode (ATM) may provide the best long-term solution for implementing the requirements of both private and public internets. ATM promises to provide a more economical and scalable set of
technologies for implementing the ultra-high-performance information networks that will be required to provide the quality of service users will demand. Thus, over the next 20 years, the network infrastructure may change from packet-based standards to
one based on ATM cell switching. While changes in the accompanying network will be dramatic, it would be desirable for users making the transition to be able to retain their most recent equipment investment.
Another expected change in tomorrow's networks is a change in data flow. Data flow in today's network typically follows the client-server computing model. This is where many clients are all transferring data into and out of one or more network
servers. Clients do not normally talk to each other; they share data by using the server. While this type of data exchange will continue, much more of the information flow in tomorrow's networks will be peer-to-peer. Since the ultimate goal is a truly
distributed computing environment where all systems act as both the client and server, more of the data flow will follow a peer-to-peer model. The network will be required to provide more direct access to all peers wishing to use high-performance
backbone internets connecting, for example, the desktop computers.
The bulk of information transported in the future will be of digital origin. This digital information will require a great deal more bandwidth than today's separate voice, fax, and SNA networks which operate with acceptable performance using
voice grade telephone lines. Voice will shrink as a percentage of total traffic, while other forms of information including image and video will greatly increase. Even when compression is available, the bandwidth requirements for both inside and
outside building networks will need to be greatly expanded.
Text files and images can be sent over existing packet-based networks because the delivery of this information is not time critical. The new traffic (voice and video) is delivery time sensitive--variable or excessive latency will degrade the
quality of service and can render this information worthless.
Thus, the new infrastructure requirements are expected to include:
increased workstation processing power at the desktop, which is driving the need for increased network performance and capacity;
increased numbers of network users, which is driving the need for increased network security;
network access and bandwidth allocation must be managed;
integrated voice, video and data applications are increasing the need to be able to guarantee improved network quality of service (QOS);
management must be able to provide a variable quality of service to each user based on their particular needs (a user's needs may change at any time);
the ability to guarantee each user's QOS can only be achieved by tightly integrating the network and its management systems.
It is an object of the present invention to provide an apparatus and method which satisfies one or more of the above-mentioned requirements.
SUMMARY OF THE INVENTION
In one important aspect, the present invention is a new technology referred to as secure fast packet switching (SFPS). SFPS will provide the same or better reliability and security as routers and with much greater packet switching performance,
without an increase in cost. This is because the complexities and costs of providing multi-protocol routers increase greatly as performance needs go up. Also, SFPS provides the following capabilities, which routers cannot provide:
ability to create many separate, logical work group LANs on the same physical network
ability to create many separate virtual connections or circuits with a specified quality of service (QOS)
ability to guarantee a requested QOS--time sensitive delivery
ability to account for network use (why is the phone bill so high?)
Although ATM cell switching may similarly provide many of these new capabilities, adoption of cell switching would require that all existing networks be re-engineered. SFPS provides a transition between the packet based technologies of today and
the cell based technologies of tomorrow. SFPS will enable a mixed packet and cell based network infrastructure to operate as one seamless switching fabric using the same service and configuration management system to deliver the QOS that users demand.
SFPS provides for high performance packet switching based on source and destination MAC IDs--the unique medium access control (MAC) address assigned to each end system by the IEEE. End-to-end connections are determined by a network management
application that provides security and best path routing determinations based on a number of constraints. By switching packets based only on MAC layer information, the network infrastructure can remain protocol insensitive. This allows the network to
provide an equal QOS to users sending packets based on NetBIOS, LAT, IP, IPX, SNA, or any other protocol. As protocols evolve the network and its management infrastructure will not have to be reworked to support the new protocols.
More specifically, the system uses source and destination MAC addresses which alone, or in combination with the input port on the switch, form a unique "connection identifier" for any communication exchange between end systems to be connected
through an SFPS device. A specific example is as follows:
input port=2
source MAC address=00:00:1D:01:02:03
destination MAC address=00:00:1D:11:22:33; together, these form a "tuple" bound to a specific uni-directional flow from source address to destination address. All packets that have this tuple are automatically switched according to the operation
of the SFPS.
Network infrastructures are built up around a core switching fabric. The switching fabric provides the physical paths or routes that allow users to send information to each other. Access to the switching fabric is gained through an access port. Access ports provide several functions--most importantly, they provide security and accounting services. Access ports also provide the network operator with the ability to monitor and control the access into and use of the switching fabric. End point
systems such as personal computers (PCs), workstations, and servers connect to the access port using one of many access technologies such as Ethernet, Token Ring, FDDI, or ATM.
In a SFPS network, the access port acts as a management agent that performs five functions for the end point system. First, it provides directory services. Second, it provides network access security services. Third, it provides routing
services. Fourth, it provides the ability to reserve bandwidth along a path in the switching fabric. Finally, it provides accounting services. These five services: directory, security, routing, bandwidth management and accounting are required to
provide a reliable network infrastructure.
In traditional bridge and router devices, each packet is treated as an independent unit of data called a datagram which is individually processed by application of access and security constraints, as well as path determination. In SFPS, this
processing is done only on probe packets (common on LAN broadcast mediums) which are decoded, and through the use of a directory of end systems containing policy, call attributes, location, paths, quality of service, etc., the connection is either
rejected or accepted, in which case the path is determined and switches along the path are "programmed" to allow subsequent packets on this "connection" to be switched. In either case, subsequent datagrams are either switched or discarded without having
to re-apply all of the security and access control and path determination logic.
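The following is an added example written for this page; it is not code from the patent or from any SFPS product. It models, in Python, the connection-identifier tuple introduced above and the call-setup flow of the preceding paragraph: a datagram whose (input port, source MAC, destination MAC) tuple is not in a switch's connection table is held rather than flooded, the connection server checks the pair against a directory of authorized connections, finds a path and programs each switch on it, and the datagram is then switched on the programmed entries. A rejected pair is also recorded, so later datagrams for it are discarded without another policy decision, and entries age out after a predetermined time (claims 3 and 24). The topology, the MAC addresses, the AUTHORIZED directory, the DISCARD sentinel, the timer and all class and function names are assumptions made for the example.

```python
"""Added example, not the patent's code: a toy SFPS fabric in Python.

Each switch's connection table is keyed by (input port, source MAC, destination
MAC) and maps to an output port.  An unknown tuple is never flooded as a bridge
would; the switch holds the packet and asks the connection server, which checks
the pair against the directory, picks a path and programs every switch on it.
Topology, MAC addresses, the policy and all names here are assumptions.
"""
import time
from collections import deque

# Constructed topology: switch -> {port: neighbouring switch or end-system MAC}.
TOPOLOGY = {
    "S1": {1: "00:00:1D:01:02:03", 2: "S2"},
    "S2": {1: "S1", 2: "S3", 3: "S4"},
    "S3": {1: "S2", 2: "00:00:1D:11:22:33"},
    "S4": {1: "S2", 2: "00:00:1D:44:55:66"},
}
SRC_MAC, DST_MAC, OTHER_MAC = "00:00:1D:01:02:03", "00:00:1D:11:22:33", "00:00:1D:44:55:66"
AUTHORIZED = {(SRC_MAC, DST_MAC)}  # constructed directory of valid connections (uni-directional)
DISCARD = -1                       # output "port" stored for a rejected connection


class Switch:
    def __init__(self, name, ports):
        self.name, self.ports = name, ports
        self.table = {}  # connection database: (in_port, src, dst) -> (out_port, expiry)

    def port_to(self, neighbour):
        return next(p for p, n in self.ports.items() if n == neighbour)

    def program(self, in_port, src, dst, out_port, ttl):
        self.table[(in_port, src, dst)] = (out_port, time.monotonic() + ttl)

    def lookup(self, in_port, src, dst):
        """Connection table look-up; an entry older than its ttl is aged out and treated as unknown."""
        entry = self.table.get((in_port, src, dst))
        if entry is None:
            return None
        out_port, expiry = entry
        if time.monotonic() > expiry:
            del self.table[(in_port, src, dst)]
            return None
        return out_port


class ConnectionServer:
    def __init__(self, switches):
        self.switches, self.requests = switches, 0  # requests counts setup requests received

    def path(self, first_switch, dst):
        """Breadth-first search over switches from first_switch to the switch whose access port owns dst."""
        queue, seen = deque([[first_switch]]), {first_switch}
        while queue:
            p = queue.popleft()
            sw = self.switches[p[-1]]
            if dst in sw.ports.values():
                return p
            for n in sw.ports.values():
                if n in self.switches and n not in seen:
                    seen.add(n)
                    queue.append(p + [n])
        return None

    def setup(self, first_switch, in_port, src, dst, ttl=30.0):
        """Call setup: authorize the pair, determine the path, program every switch on it.
        A rejected or unreachable pair is recorded at the entry switch as a DISCARD entry."""
        self.requests += 1
        p = self.path(first_switch, dst) if (src, dst) in AUTHORIZED else None
        if p is None:
            self.switches[first_switch].program(in_port, src, dst, DISCARD, ttl)
            return False
        port = in_port
        for i, name in enumerate(p):
            sw = self.switches[name]
            nxt = p[i + 1] if i + 1 < len(p) else dst
            sw.program(port, src, dst, sw.port_to(nxt), ttl)
            if nxt in self.switches:
                port = self.switches[nxt].port_to(name)  # input port at the downstream switch
        return True


def forward(switches, server, first_switch, in_port, src, dst):
    """Push one datagram through the fabric; returns the (switch, out_port) hops, or None if discarded."""
    hops, name, port = [], first_switch, in_port
    while True:
        sw = switches[name]
        out = sw.lookup(port, src, dst)
        if out is None:                      # unknown tuple: hold the packet, request a connection
            server.setup(name, port, src, dst)
            out = sw.lookup(port, src, dst)
        if out == DISCARD:
            return None                      # rejected earlier: dropped without re-running policy
        hops.append((name, out))
        nxt = sw.ports[out]
        if nxt not in switches:
            return hops                      # delivered to the end system on an access port
        port, name = switches[nxt].port_to(name), nxt


def build():
    switches = {n: Switch(n, p) for n, p in TOPOLOGY.items()}
    return switches, ConnectionServer(switches)
```

Calling forward(*build(), "S1", 1, SRC_MAC, DST_MAC) programs S1, S2 and S3 on the first datagram and switches the second one from the tables alone; forward(..., SRC_MAC, OTHER_MAC) returns None both times but only costs one server request. Note that the table is keyed on the full tuple, so a reply from DST_MAC to SRC_MAC is a separate connection that needs its own authorization, exactly as the text's uni-directional flow implies.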
Another important aspect of the present invention is a method of determining a path between two nodes (end systems) on the network which has the following properties: the path is optimal for one metric and passes a set of threshold tests for a
number of other metrics; and, it must do so within a given time constraint. The method is a breadth-first recursive search in parallel which is initiated at the source node and proceeds outwardly to discover neighboring nodes and calculate traversal
paths until reaching the destination node. The method includes a series of "pruning steps" to ensure that the number of potential paths does not grow towards infinity and to limit the memory requirements and processing time of the search. Because of
these real-world constraints (time, memory, processing), the path result may not be the mathematical (theoretical) best path, in every case, but the search will pursue those paths having a high probability of being the best path considering the
constraints and in that sense the search will make a best path determination. Generally, the metrics include cost, bandwidth, policy, loss, etc. While a specific embodiment of the method is useful in determining an optimal path through the network, the
method has much broader applications.
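As an added illustration of the search shape just described, and not the patent's own method (whose embodiment is in section 9), the following Python searches breadth-first outward from the source, minimizes one metric (cost) while every partial path must pass threshold tests on two others (link bandwidth and cumulative loss), and applies pruning steps for loops, hop count, per-node fan-out and a time budget. The link table, the metric names, the default limits and the function names are constructed for the example; the fan-out and hop limits are what make the result a "best path determination" rather than a guaranteed optimum, as the text says.

```python
"""Added example, not the patent's algorithm: breadth-first best-path search
with pruning.  Cost is minimized; bandwidth and cumulative loss must pass
threshold tests on every partial path.  Topology and metrics are constructed.
"""
import time

# Constructed links (bidirectional): (a, b) -> cost, bandwidth, loss probability.
LINKS = {
    ("S1", "S2"): {"cost": 1, "bw": 100, "loss": 0.001},
    ("S2", "S3"): {"cost": 1, "bw": 10,  "loss": 0.001},  # cheap but thin
    ("S2", "S4"): {"cost": 2, "bw": 100, "loss": 0.001},
    ("S4", "S3"): {"cost": 2, "bw": 100, "loss": 0.001},
    ("S1", "S5"): {"cost": 1, "bw": 100, "loss": 0.05},   # cheap but lossy
    ("S5", "S3"): {"cost": 1, "bw": 100, "loss": 0.001},
}


def adjacency(links):
    adj = {}
    for (a, b), m in links.items():
        adj.setdefault(a, []).append((b, m))
        adj.setdefault(b, []).append((a, m))
    return adj


def best_path(links, src, dst, min_bw, max_loss, max_hops=8, fanout=4, deadline_s=0.05):
    """Return (path, cost), or (None, None) if nothing passes the thresholds in time.

    Pruning steps applied to every extension of a partial path:
      - the next node is already on the path (loop);
      - the link's bandwidth is below min_bw, or cumulative loss exceeds max_loss;
      - the cost already equals or exceeds the best complete path found;
      - the hop limit is reached;
      - more than `fanout` partial paths already end at that node this round.
    The last two bound memory and time at the expense of guaranteed optimality.
    """
    adj = adjacency(links)
    start = time.monotonic()
    frontier = [([src], 0, 1.0)]  # (path, cost so far, probability delivered so far)
    best = (None, None)
    while frontier and time.monotonic() - start < deadline_s:
        nxt, per_node = [], {}
        for path, cost, delivered in frontier:
            for node, m in adj.get(path[-1], []):
                if node in path or m["bw"] < min_bw:
                    continue
                new_cost = cost + m["cost"]
                new_delivered = delivered * (1.0 - m["loss"])
                if 1.0 - new_delivered > max_loss:
                    continue
                if best[1] is not None and new_cost >= best[1]:
                    continue
                if node == dst:
                    best = (path + [node], new_cost)
                    continue
                if len(path) >= max_hops or per_node.get(node, 0) >= fanout:
                    continue
                per_node[node] = per_node.get(node, 0) + 1
                nxt.append((path + [node], new_cost, new_delivered))
        frontier = nxt
    return best
```

With min_bw=50 and max_loss=0.01 the cheap S2-S3 link is rejected for bandwidth and the cheap S1-S5 link for loss, so the search settles on S1-S2-S4-S3 at cost 5; relaxing either threshold lets the corresponding cost-2 path win.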
In another aspect, the present invention provides a method and apparatus allowing multiple levels of arbitration among competing devices requesting access to a bandwidth-limited, shared resource.
The first level of arbitration is programmable. The available bandwidth of the bandwidth-limited, shared resource can be equally allocated between all competing devices or some of the competing devices can be allocated more bandwidth than
others. This feature of the present invention is useful when the maximum aggregate bandwidth requirements of the requesting devices are greater than the bandwidth of the shared, bandwidth-limited resource. Because it is programmable, the arbitration
system of the present invention can be used to allocate the available bandwidth to prioritize those competing devices that may more urgently need the bandwidth-limited, shared resource and other competing devices will only be allocated a fraction of the
bandwidth that they actually need. However, these other competing devices will be allowed to use free time segments, thus effectively being able to use more bandwidth than they are programmed for in the first level of arbitration.
For those competing devices requiring isochronous service (including, but not limited to voice data and video data), only the first level of programmable arbitration is used. These devices are programmed not to participate in any other levels of
arbitration except the first level. This allows these competing devices to use the time segments that are programmed for them, but not any of the time segments that may become available when a device does not require its programmed time segment. For
example, an audio communications link requiring a very deterministic service policy would be programmed to use only the first level of arbitration and not any free time segments. The arbiter of the present invention is programmed with an adequate number
of segments to support the bandwidth requirements of the audio communications link. These time segments are made available to the audio communications link in a periodic way that matches the bandwidth requirements of the device.
Additional levels of arbitration are provided to allocate unused time segments that may be available after the first level of arbitration to competing devices if the competing devices are programmed to participate in the additional levels of
arbitration. The second and third levels of arbitration allow unused time segments that may be available after the first level of arbitration to be assigned to other competing devices. The second level of arbitration provides a Round-Robin type of
arbitration scheme that is used to allocate a free time segment to the competing device having the allocation token. If the competing device having the allocation token is not requesting use of the bandwidth-limited, shared resource, then a third level
of arbitration is provided. In the third level of arbitration, each of the competing devices participating in the third level is assigned an identification number and placed in a list and the remaining free time segment is allocated to the competing
device having a predetermined rank in the list. For example, the predetermined rank may be based on the sequential order of the identification numbers. The unallocated time segment might be allocated to the requesting competing device having a
particular identification number, such as the lowest or highest identification number.
A key feature of the present invention is that arbitration is performed using a hierarchy of programmable arbitration schemes. The first level of arbitration is, for example, a programmable time division multiplexing arbiter. The second level
of arbitration, which acts only to allocate any unused time segments after the first level of arbitration is, for example, a Round-Robin type arbiter. The third level of arbitration, which acts to allocate any time segment that remains unallocated after
the second level of arbitration is a default level of arbitration that selects one of the requesting competing devices according to a predetermined scheme.
Another advantage of the arbitration system of the present invention is that arbitration is performed in parallel with data transfer cycles. That is, the competing device that is to be given exclusive use of the bandwidth-limited, shared
resource is decided in the time segment prior to the time segment in which a data transfer is to occur. The arbitration decision is made at the same time that a data transfer is occurring in a time segment. This pipelining of decision making
effectively makes the arbitration cycles look transparent to the competing devices and does not consume any portion of the available data transfer time.
The arbitration system of the present invention can support devices having different bandwidth requirements (i.e., different data transfer rates) in the same system because the system is programmable. In one embodiment of the invention, the
granularity (that is, the amount of bandwidth represented by a time segment) of the time segments is programmed using an allocation memory. As the number of time segments in the allocation memory is increased, the granularity of bandwidth allocation
becomes finer. Therefore, the arbitration system can meet the bandwidth requirements for competing devices that have differing bandwidth requirements. For example, a competing device having a low bandwidth can be assigned only a single time segment,
since the low bandwidth device requires less frequent servicing. On the other hand, a competing device having a higher bandwidth could be assigned multiple contiguous time segments, thus allowing that device to complete a data transfer.
Another feature of the present invention, since it is a programmable arbitration system, is that the type of arbitration for each device may be programmed on a device by device basis. For example, a device may be programmed to participate only
in the first level of arbitration and not in the second or third levels. In the same way, a device could be programmed to participate only in the second and/or third levels of arbitration. This makes the system more flexible depending upon the
particular application and helps to guarantee quality of service for each competing device.
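The following is an added example, not the patent's circuit or the embodiment of FIGS. 14 to 20, modelling the three-level arbitration of the preceding paragraphs in Python: level 1 is the programmed allocation memory with one owner per time segment, level 2 hands an unused segment to the round-robin token holder only, level 3 gives a segment that is still unused to the requesting device of lowest identification number, isochronous devices take part in level 1 only, and the decision for a segment is made during the previous one. The device identifiers, the allocation memory, which levels each device participates in and the request patterns are constructed for the example.

```python
"""Added example, not the patent's circuit: a cycle-level model of the
three-level arbiter.  Level 1 is the programmed allocation memory (one owner
per time segment); level 2 hands an unused segment to the round-robin token
holder; level 3 gives a still-unused segment to the lowest-ID requester.
Isochronous devices take part in level 1 only.  IDs, the allocation memory and
the request patterns are constructed.
"""


class Arbiter:
    def __init__(self, allocation, level2, level3):
        self.allocation = allocation   # allocation memory: owner id per time segment, None = unprogrammed
        self.level2 = list(level2)     # devices in round-robin order; isochronous devices are absent
        self.level3 = set(level3)      # devices eligible for the default level
        self.token = 0                 # index into level2 of the current token holder

    def decide(self, segment, requesting):
        """Pick the device that gets `segment`, given the set of device ids asserting a request.
        Returns (device id or None, level that granted it).  Finer granularity simply means a
        longer allocation memory; a high-bandwidth device is given several contiguous entries."""
        owner = self.allocation[segment % len(self.allocation)]
        if owner is not None and owner in requesting:
            return owner, 1                              # level 1: programmed owner wants its segment
        if self.level2:                                  # segment is free: level 2, token holder only
            holder = self.level2[self.token]
            self.token = (self.token + 1) % len(self.level2)
            if holder in requesting:
                return holder, 2
        candidates = sorted(d for d in requesting if d in self.level3)
        if candidates:
            return candidates[0], 3                      # level 3: predetermined rank = lowest id
        return None, 0                                   # nobody wants it; the segment idles

    def run(self, requests):
        """Pipelined operation: the decision for segment s+1 is made while segment s transfers,
        using the requests seen during segment s, so arbitration consumes no transfer time.
        requests[s] is the set of ids requesting during segment s; returns who transfers in each."""
        transfers = [None]                               # nothing was decided before segment 0
        for s, req in enumerate(requests[:-1]):
            transfers.append(self.decide(s + 1, req)[0])
        return transfers


def build_arbiter():
    """Constructed configuration: device 0 is an isochronous audio link programmed into every
    other segment, device 1 owns one segment, segment 3 is left free; devices 1 and 2 use
    all three levels, device 3 only the default level."""
    return Arbiter(allocation=[0, 1, 0, None], level2=[1, 2], level3={1, 2, 3})
```

Running build_arbiter().run([{0, 1, 2, 3}] * 8) with every device requesting all the time gives [None, 1, 0, 1, 0, 1, 0, 2]: the audio link gets exactly its programmed segments and never a free one, while the free segment alternates between devices 1 and 2 through the token. Device 3 only ever wins when the token holder is idle, and an unused programmed segment (the owner not requesting) drops through to level 2 like any free one.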
Many aspects of the previously defined inventions may be constructed as: software objects which exist in embedded devices as firmware; software objects which are part of an application on a commercial computer system; or Application Specific
Integrated Circuit (ASIC) or functionally equivalent hardware components.
These and other functions and benefits of the present invention will be more fully described in the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic illustration of a network topology built with SFPS switches;
FIG. 2 is a schematic illustration of the internal components of an SFPS switch in a hardware embodiment;
FIG. 3 is a flowchart of the operation of the SFPS switch of FIG. 2;
FIG. 4 is a perspective view of a networking chassis with removable modules;
FIG. 5 is a schematic diagram of a networking module with a SFPS switch;
FIG. 6 is a schematic illustration of the networking chassis and the services it provides;
FIG. 7A is a schematic illustration of an SFPS switch;
FIG. 7B is a logical view of an SFPS switch;
FIGS. 7C-1 and 7C-2 are a flowchart showing processing of a data packet by an SFPS switch;
FIG. 8 is a schematic illustration of a distributed SFPS switch;
FIG. 9 is a schematic illustration of a chassis and distributed switch and illustrates the formation of a distributed directory of port objects for the distributed switch;
FIG. 10 is a schematic illustration of the distributed switch on the physical and logical layers;
FIG. 11 is a flowchart illustrating a best path determination;
FIG. 12 is a schematic illustration of certain linked data structures used in the method of FIG. 11;
FIG. 13 is a sample network topology illustrating a traversal from a source node to destination node;
FIG. 14 illustrates a networking chassis with an exemplary application of the bandwidth arbiter of the present invention;
FIG. 15 is a schematic diagram of one embodiment of the arbiter used in the networking chassis of FIG. 14;
FIG. 16 illustrates a first programmed state machine that may be executed by the circuit of FIG. 14;
FIG. 17 illustrates a second programmed state machine that may be executed by the circuit of FIG. 14;
FIG. 18 is a flow chart illustrating how arbitration and allocation of time segments take place simultaneously to improve system efficiency in the present invention;
FIG. 19 is a flow chart illustrating the arbitration method of the present invention;
FIG. 20 is an illustration of the TDM RAM programming illustrating the arbitration method applied to an SFPS switch;
FIG. 21 is an illustration of an SFPS software embodiment; and
FIG. 22 is an illustration of a port object for the switch of FIG. 21.
DETAILED DESCRIPTION
The detailed description is separated into the following subsections for ease of reference:
1. Establishing "Virtual LANs" and "Virtual Connections"
1.1 Example 1--M11 transmits a packet destined for M99
1.2 Example 2--M11 transmits a packet destined for M66
2. SFPS Management Services
2.1 Route Services Management
2.2 Access Security Management
2.3 Directory Services Management
2.4 Accounting Management
2.5 Bandwidth Management
3. SFPS Hardware Implementation
4. Canonical Frame Representation
5. Networking Chassis With SFPS Modules
6. SFPS Functions
7. SFPS Host Agent
8. SFPS Distributed Switch
8.1 Example of IP Packet Flow Through Distributed Switch
8.2 Distributed Switch MIB
9. Best Path Determination
9.1 Example of Best Path Determination
9.2 Data Structures
9.3 Flow Chart
10. Allocation of Bandwidth
10.1 Discussion of the Related Art
10.2 New Apparatus and Method for Allocating Bandwidth
10.3 Example of Bandwidth Allocation For SFPS Module
11. SFPS Software Object Model
11.1 SFPS Objects
11.2 SFPS Application Threads
1. Establishing "Virtual LANs" and "Virtual Connections"
FIG. 1 shows a representative network topology built with six secure fast packet switches (SFPS) labeled S1 to S6 connected by links L. Each SFPS switch has, for example, four ports. Some ports are labeled A for Access and some are labeled N for
Network. Access ports provide network access security and packet routing services. Network ports do not perform security services since this function has already been performed at the original entry access port. The end systems are connected to the
switches by links L and are labeled "M"; one of the end systems, M10, comprises a network management server (NMS). This NMS will also contain the SFPS directory and path server.
Each SFPS includes a function known as a Connection Database Look-Up Engine (CDLUE). The CDLUE's job is to check the source and destination MAC IDs of a packet received by the SFPS against its internal database, called the connection table. The
CDLUE will forward (route) packets out one or more ports based on the results of the connection table look-up. This function is similar to a bridge except that SFPS uses both the source and the destination MAC IDs to make the forwarding decision.
Bridges only use the MAC destination address. Also, if a bridge isn't sure where a destination is, it will forward the packet out all ports except the one it came in on. This "flooding" results in loss of control over network access, bandwidth,
information security, network performance and reliability. Because SFPS uses both the source and destination addresses it does not have the failings of current bridges and routers.
The network topology view of FIG. 1 will be used to illustrate how "virtual LANs" and "virtual connections" can be built to enable protocol insensitive routing and increased network security to be achieved. In this case, there are two logical
work group LANs: WG1=(M11, M22, M99), and WG2=(M33, M55, M77). Two connections will be attempted: (M11, M99) and (M11, M66).
1.1 Example 1--M11 transmits a packet destined for M99.
1. Access switch S1 receives this packet on inbound port A1.
2. S1 looks up in its connection table to determine if a valid connection (M11 to M99) exists.
3. No connection is yet defined so S1 initiates a message exchange to the SFPS Server (Network Management Station) M10. This message exchange is an independent exchange between the switch S1 and the server M10.
a) The switch sends a message asking whether M11 is allowed to talk to M99. This is where security, policy and administrative constraints are applied.
b) If the two stations are allowed to have a connection, then the server M10 will determine the path of switches to be used to provide a logical connection between M11 and M99.
c) Since M11 can reach M99 by two different paths, one "best" path is selected. "Best" is constrained by, for example, cost, bandwidth, policy, loss, and other metrics.
d) Let's assume the best path is chosen as traversing S1 to S3 to S5.
e) The server M10 will then "program" each of these switches to support this connection path.
*Important point: Since SFPS has to be transparent in the M11-M99 interaction, it cannot modify the packets being exchanged. Typically, in traditional switches, the switch sets a connection-identifier that gets put in each packet, and is
remapped at each switch, to allow the packet to be switched along the path. Since SFPS cannot touch any packet content, it has to have something in the existing packet that it can use in each switch to treat as a unique connection-identifier while
preserving the M11 to M99 packet exchange. What is unique about SFPS is that it treats:
source MAC address
destination MAC address
as a unique "connection-identifier." Note that this is an implicit connection-identifier in each packet based on the arriving inbound port, but is an explicit connection-identifier in each switch's connection table.
f) Each of the switch's connection tables will look like this:
          Source Port   Source MAC   Dest. MAC   Outport
    S1:   A1            M11          M99         N2
    S3:   N1            M11          M99         N3
    S5:   N2            M11          M99         A2
g) So, once all these switches are programmed (through, for example, the Simple Network Management Protocol, SNMP), a packet from M11 destined for M99 would look like this: ##STR1## and would be "switched" along the path as follows:
h) Note that once the switches have these connections defined, the packets traverse M11 to M99 without any additional call-setup or network management interaction. This provides the fast packet switching between the end systems. Note, the M11
to M99 packet exchange occurs as if they were directly connected on the same LAN segment. Thus, the "virtual LAN" is provided, as well as transparent switching.
i) At each switch, the switch looks up in the packet the source and destination MAC addresses and combines them with the inbound (source) port to form the connection identifier. If this connection is in its table, the packet will be forwarded
(switched) out the designated output port. All subsequent M11 to M99 packets will take the same path through the switches. Note if a valid source-destination MAC pair arrives on a port other than the defined inport, it will be considered a security
violation.
j) These "virtual connections" exist until they are explicitly removed by the network management system. This could be due to timeout (idle connection) or resource management. No explicit disconnect is done by M11 or M99.
1.2 Example 2--M11 transmits a packet destined for M66.
1. If M11 also transmits data destined for M66, the same set of processing would be done:
a) S1 receives the packet.
b) S1 looks up in its connection table and with no match will send a message to server M10.
c) Server M10 will reject the packet as unauthorized (not within one of the two approved logical work groups or "virtual" LANs) and the packet will be dropped without a connection being made. An alarm may be set to indicate that an unauthorized
transmission has been attempted.
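The two examples above, together with the CDLUE description in section 1, can be exercised in a small simulation. The following is an added example written for this description, not code from the patent: each switch keeps a connection table keyed on (inbound port, source MAC, destination MAC); a miss at an access port triggers the exchange with the connection server M10, which applies the work-group check and programs every switch on the best path; a known MAC pair arriving on a different inbound port is reported as a security violation; and idle connections can be expired. The link layout and the attachment points of M22 and M66 are assumptions constructed so that the chosen path reproduces the tables given for Example 1 (S1: A1 to N2, S3: N1 to N3, S5: N2 to A2); they are not the FIG. 1 topology.

```python
"""Simulation of SFPS connection-table forwarding (added example, not patent code)."""
from collections import deque

# Constructed links between switch ports: (switch, port) <-> (switch, port).
LINKS = [
    (("S1", "N2"), ("S3", "N1")),   # best path S1 - S3 - S5, as in Example 1
    (("S3", "N3"), ("S5", "N2")),
    (("S1", "N3"), ("S2", "N1")),   # assumed second, longer path S1 - S2 - S4 - S5
    (("S2", "N2"), ("S4", "N1")),
    (("S4", "N2"), ("S5", "N1")),
]
NEIGHBOR, PORTS = {}, {}
for _a, _b in LINKS:
    NEIGHBOR[_a], NEIGHBOR[_b] = _b, _a
    PORTS.setdefault(_a[0], []).append(_a[1])
    PORTS.setdefault(_b[0], []).append(_b[1])

# Constructed end-system attachments: MAC -> (access switch, access port).
END_SYSTEMS = {"M11": ("S1", "A1"), "M99": ("S5", "A2"),
               "M22": ("S2", "A1"), "M66": ("S4", "A1")}
# Logical work groups from the text; both ends must be in the same group.
WORK_GROUPS = [{"M11", "M22", "M99"}, {"M33", "M55", "M77"}]


class SFPSSwitch:
    def __init__(self, name):
        self.name = name
        self.table = {}      # (inport, src MAC, dst MAC) -> outport
        self.last_used = {}  # same key -> time of last packet, for idle timeout

    def program(self, inport, src, dst, outport, now):
        self.table[(inport, src, dst)] = outport
        self.last_used[(inport, src, dst)] = now

    def lookup(self, inport, src, dst, now):
        """CDLUE check: outport for this connection identifier, or None on a miss."""
        key = (inport, src, dst)
        if key in self.table:
            self.last_used[key] = now
            return self.table[key]
        return None

    def wrong_inport(self, inport, src, dst):
        """True when this MAC pair is known, but on a different inbound port."""
        return any(s == src and d == dst and p != inport for p, s, d in self.table)

    def expire(self, now, idle):
        """Remove connections idle longer than `idle`; returns how many were removed."""
        stale = [k for k, t in self.last_used.items() if now - t > idle]
        for k in stale:
            del self.table[k], self.last_used[k]
        return len(stale)


class ConnectionServer:
    """Plays M10: access security check, best-path choice, switch programming."""
    def __init__(self):
        self.alarms = []

    def allowed(self, src, dst):
        return any(src in g and dst in g for g in WORK_GROUPS)

    def best_path(self, src, dst):
        """Fewest-hop path as (switch, inport, outport) triples, by BFS over links."""
        s_sw, s_port = END_SYSTEMS[src]
        d_sw, d_port = END_SYSTEMS[dst]
        start = (s_sw, s_port)
        prev = {start: None}                 # state -> (previous state, outport used)
        queue = deque([start])
        while queue:
            sw, inport = queue.popleft()
            if sw == d_sw:
                hops, node = [(sw, inport, d_port)], (sw, inport)
                while prev[node] is not None:
                    node, outport = prev[node]
                    hops.append((node[0], node[1], outport))
                return hops[::-1]
            for port in PORTS.get(sw, []):
                nxt = NEIGHBOR[(sw, port)]
                if nxt not in prev:
                    prev[nxt] = ((sw, inport), port)
                    queue.append(nxt)
        return None


class Network:
    def __init__(self):
        self.switches = {n: SFPSSwitch(n) for n in PORTS}
        self.server = ConnectionServer()

    def send(self, src, dst, now, inport=None):
        """Forward one datagram; returns ("delivered", switches) or ("dropped", why)."""
        sw_name, port = END_SYSTEMS[src]
        if inport is not None:               # inject the packet on a different port
            port = inport
        trail = []
        while True:
            sw = self.switches[sw_name]
            out = sw.lookup(port, src, dst, now)
            if out is None:
                if sw.wrong_inport(port, src, dst):
                    self.server.alarms.append(f"security violation: {src}->{dst} on {sw_name}:{port}")
                    return ("dropped", "security violation")
                if not port.startswith("A"):      # only access ports do call setup
                    return ("dropped", "no connection at network port")
                if not self.server.allowed(src, dst):
                    self.server.alarms.append(f"unauthorized: {src}->{dst}")
                    return ("dropped", "unauthorized")
                for hop_sw, hop_in, hop_out in self.server.best_path(src, dst):
                    self.switches[hop_sw].program(hop_in, src, dst, hop_out, now)
                out = sw.lookup(port, src, dst, now)
            trail.append(sw_name)
            if out.startswith("A"):               # reached the destination access port
                return ("delivered", trail)
            sw_name, port = NEIGHBOR[(sw_name, out)]
```

Running `Network().send("M11", "M99", now=0)` programs S1, S3 and S5 exactly as in the table of step f) and delivers through S1, S3, S5; a later `send("M11", "M66", now=6)` is dropped as unauthorized with an alarm, and re-injecting the M11/M99 pair on another S1 port is dropped as a security violation. The packet itself is never modified; only the tables are.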
2. SFPS Management Services
In this particular embodiment, the SFPS switches require five management service functions to be performed at a higher layer in the network management framework. The five functions are: Route Service, Access Security, Directory Service,
Accounting, and Bandwidth Management. A general review of each management function is provided below. The functions are usually performed in software and may reside on none, some, or all SFPS in a network. Since some of the management functions are
required by multiple-user applications, they may be shared and would be already available.
2.1 Route Services Management
These services are required so the SFPS can determine the best path to route a connection. When there are many possible "paths" to a destination, the route management will determine which one should be used and pass this information to the SFPSs
so that their connection databases can be configured correctly. A preferred method of making a best path determination is described in a later section.
2.2 Access Security Management
These services are optional and can be used to limit user access to only a specified group of SFPS access ports. An access group may contain from 2 to any number of users. Users can send packets to, or receive packets from, only members of their access
group. Access to any other access ports would be prevented by filtering out those packets. Security also includes administrative policies.
2.3 Directory Services Management
These services provide the Route Services Management with a user to access port and switch database so that packets destined for users not directly connected to the local access switch can be located and then have a path to that switch selected.
This service reduces the amount of time it takes for a connection to be established. An ISO X.500 directory service, which is compatible with NIS, Novell 4.0 and others, may be used.
2.4 Accounting Management
These services provide an a