(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 15 September 2005 (15.09.2005)

PCT

(10) International Publication Number: WO 2005/086429 A1

(51) International Patent Classification 7: H04L 12/28

(21) International Application Number: PCT/US2005/006381

(22) International Filing Date: 28 February 2005 (28.02.2005)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data:
60/548,616    27 February 2004 (27.02.2004)    US
11/067,868    28 February 2005 (28.02.2005)    US

(71) Applicant (for all designated States except US): VIADUX,
INC. [US/US]; Suite 200, 9890 Towne Centre Drive, San
Diego, CA 92121 (US).

(72) Inventors; and
(75) Inventors/Applicants (for US only): WONG, Yu-Man,
Matthew [US/US]; 8575 Hopseed Lane, San Diego, CA
92129 (US). SUNG, Jim [US/US]; 3003 Fried Avenue, San
Diego, CA 92122 (US).

(74) Agent: RAWLINS, Pattric, J.; Procopio, Cory, Hargreaves
& Savitch LLP, 530 B Street, Suite 2100, San Diego,
CA 92101 (US).

(81) Designated States (unless otherwise indicated, for every
kind of national protection available): AE, AG, AL, AM,
AT, AU, AZ, BA, BB, BG, BR, BW, BY, BZ, CA, CH, CN,
CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, EG, ES, FI,
GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE,
KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD,
MG, MK, MN, MW, MX, MZ, NA, NI, NO, NZ, OM, PG,
PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, SM, SY, TJ,
TM, TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA,
ZM, ZW.

(84) Designated States (unless otherwise indicated, for every
kind of regional protection available): ARIPO (BW, GH,
GM, KE, LS, MW, MZ, NA, SD, SL, SZ, TZ, UG, ZM,
ZW), Eurasian (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM),
European (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI,
FR, GB, GR, HU, IE, IS, IT, LT, LU, MC, NL, PL, PT, RO,
SE, SI, SK, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN,
GQ, GW, ML, MR, NE, SN, TD, TG).

Published:
with international search report

(54) Title: SYSTEM AND METHOD FOR DYNAMIC VLAN MULTIPLEXING

[Front-page figure: network diagram with the labels "Enterprise side VLAN",
"Service Provider side VLAN" and "Shared Access Gateway"]

(57) Abstract: Systems and methods to implement a shared access gateway (60) are
provided that facilitate the multiplexing of multiple enterprise VLAN (20, 30, 40)
segments through a single device that translates (280) the VLAN communications from the
multiple enterprise segments on the customer side into VLAN communications for delivery
over a network service provider network. A single shared access gateway (90, 100) is
deployed that is connected to multiple enterprise side network segments. SVLAN
controller (240, 250, 260) modules monitor the enterprise side ports of the shared
access gateway and process communications received from those ports. Each SVLAN
controller module uses IVL and SVL to maintain its separate forwarding database as
packets ingress from the customer side and get processed by the SVLAN controller module.
A plurality of translation functions are employed for proper encapsulation of VLAN
traffic for transmission over a particular service provider network.

Ex.1014
VERIZON / Page 1 of 25

SYSTEM AND METHOD FOR VLAN MULTIPLEXING

Related Application
[01] The present application claims priority to United States provisional patent
application serial number 60/548,616 filed on February 27, 2004 which is incorporated
herein by reference in its entirety.

Background

1. Field of the Invention
[02] The present invention generally relates to VLAN network administration and more
particularly relates to VLAN switching and service provider side LAN-MAN translation.

2. Related Art
[03] Conventional virtual local area networks ("VLANs") were first developed as a
technology to divide local area networks ("LANs") into logical segments for performance
and privacy reasons. The IEEE 802.1Q and 802.1p standards provide the specification for
conventional VLAN behavior. More recently, wide area network ("WAN") and
metropolitan area network ("MAN") service providers have extended the VLAN
technology as a means to provide transparent LAN services ("TLS") between remote sites
among enterprises.
[04] Conventional VLANs under the IEEE standards are somewhat limited in their
application because the context of a VLAN segment is local (i.e., enterprise-specific) and
the maximum number of VLANs in any local context is restricted to 4,094. In order to
circumvent these limitations, network service providers must employ a device that
translates the enterprise-side VLAN identifier into a service provider side VLAN identifier
when providing TLS services to an enterprise that uses one or more VLANs. Such a
device is typically referred to as customer premise equipment ("CPE") and uses translation
techniques such as VLAN-in-VLAN encapsulation (also referred to herein as "Q-in-Q
encapsulation" or "VLAN stacking").
[05] Although a CPE translation device allows a network service provider to carry
traffic for an enterprise, the service provider must deploy a separate CPE translation
device for each enterprise due to the potential overlapping of the limited 4,094 VLAN ID
address space at separate enterprises. Additionally, the service provider must also ensure
that the VLAN IDs traveling over its network remain unique. Accordingly, to support a
VLAN-based transparent LAN service over a WAN or MAN, a network service provider
requires each enterprise to have its own VLAN switch which is capable of providing the
LAN-MAN VLAN ID translation to maintain traffic transparency. Furthermore, the
enterprise must also have a separate device to handle enterprise side VLAN switching.
Therefore, what is needed is a system and method that overcomes these significant
problems found in the conventional systems.

Summary
[06] Accordingly, systems and methods are provided that facilitate the multiplexing of
multiple enterprise VLAN segments through a single device that translates the VLAN IDs
from the multiple enterprise segments on the customer side into unique VLAN IDs for the
network service provider. A single shared access gateway is deployed that is connected to
multiple enterprise side (also referred to herein as "customer side") network segments.
These connections are each monitored by a super VLAN ("SVLAN") controller module
that maintains a separate forwarding database to track MAC addresses of network devices
and their corresponding communication ports. Each SVLAN controller module uses
shared VLAN learning ("SVL") to maintain its forwarding database (also referred to
herein as a "MAC address table") as packets ingress from the customer side and are
processed by the SVLAN controller module. Additionally, the system of multiple
SVLAN controllers uses independent VLAN learning ("IVL") in combination with the
SVL to provide VLAN multiplexing.

Brief Description of the Drawings
[07] The details of the present invention, both as to its structure and operation, may be
gleaned in part by study of the accompanying drawings, in which like reference numerals
refer to like parts, and in which:
[08] Figure 1 is a network diagram illustrating an example wide area network topology
according to an embodiment of the present invention;
[09] Figure 2 is a block diagram illustrating an example shared access gateway
according to an embodiment of the present invention;
[10] Figure 3 is a block diagram illustrating an example forwarding database according
to an embodiment of the present invention;
[11] Figure 4 is a block diagram illustrating an example shared access gateway with
SVLAN controller and translator modules according to an embodiment of the present
invention;
[12] Figure 5 is a flow diagram illustrating an example method for shared access
gateway processing of communication frames according to an embodiment of the present
invention; and
[13] Figure 6 is a block diagram illustrating an exemplary computer system as may be
used in connection with various embodiments described herein.

Detailed Description
[14] Certain embodiments disclosed herein provide for systems and methods for
implementing a shared access gateway that allows dynamic multiplexing of multiple
customer side VLANs across one or more service provider networks to implement
transparent LAN services over a WAN. For example, one method as disclosed herein
allows for a shared access gateway to employ a plurality of super VLAN ("SVLAN")
controllers that each monitors a specific group or enterprise/customer. Incoming traffic on
a user port is processed by the SVLAN controller that is monitoring that port and
communication frames are switched over to the appropriate port for delivery to the
destination address. The delivery port may be a user port (where customer side network
devices are located) or a trunk port (for delivery over the network service provider
network).
[15] After reading this description it will become apparent to one skilled in the art how
to implement the invention in various alternative embodiments and alternative
applications. However, although various embodiments of the present invention will be
described herein, it is understood that these embodiments are presented by way of example
only, and not limitation. As such, this detailed description of various alternative
embodiments should not be construed to limit the scope or breadth of the present invention
as set forth in the appended claims.
[16] Fig. 1 is a network diagram illustrating an example wide area network topology
according to an embodiment of the present invention. In the illustrated embodiment, the
system 10 comprises a plurality of enterprise side network segments 20, 30, 40, and 50.
Each network segment is communicatively coupled with shared access gateway ("SAG")
60 on the enterprise side. The SAG 60 is also communicatively coupled with service
provider networks 70 and 80. In alternative embodiments, SAG 60 may be
communicatively coupled with more or fewer enterprise side network segments and more
or fewer service provider side service provider networks. Additionally in the illustrated
embodiment, the service provider networks 70 and 80 communicatively couple SAGs 90
and 100 and their corresponding enterprise side network segments 110, 120, and 130.
[17] The SAG 60 can be employed as a shared access device in an environment such as a
multi-tenant or multi-dwelling complex. The SAG 60 may also be employed as an edge
device in a service provider network such as networks 70 or 80. The external interfaces in
the SAG 60 can be based on any wired or wireless technology which supports Ethernet
MAC frame transport (e.g., xDSL, optical, 802.11a/b/g, etc.). Advantageously, the SAG
60 is content neutral and therefore inherently supports the delivery of multi-services, such
as voice, data, video and any combination of these and alternative types of content.
Additionally, the SAG 60 inherently supports QoS via mechanisms such as those based on
the IEEE 802.1p or 802.1Q standards or IP-based TOS/DiffServ.
[18] In the illustrated embodiment, network segments 20, 30, 40, and 50 can be any of a
variety of customer side networks. In one embodiment, network segment 20 is a network
owned by enterprise X and located at site P. The network segment 20 is configured to be
part of VLAN A. Additionally, network segment 30 is also a network owned by enterprise
X and located at site P. The network segment 30 is configured to be part of VLAN B. In
alternative embodiments, a single network segment may comprise multiple networks with
multiple network devices connected to each of the multiple networks. To simplify the
description, however, the primary embodiment described herein will refer to a network
segment as a single network with one or more network devices attached thereto.
[19] Similarly, in alternative embodiments, a single network segment may be
configured with devices that individually belong to different VLANs. Accordingly, a
single network segment may carry traffic for more than one VLAN. To simplify the
description, however, the primary embodiment described herein will describe a network
segment as having one or more network devices that all belong to a single VLAN.
[20] Furthermore, although network segments 20, 30, 40, and 50 are shown to be
VLAN network segments, the present invention is not limited to VLAN network segments
on the enterprise side. Other types of network segments such as a LAN using transparent
LAN services ("TLS"), frame relay, or the like over a service provider network may also
be employed. In an embodiment where a network segment implements TLS services, the
network segment can be assigned a reserved identifier to implement the VLAN translation
services provided by a shared access gateway. For example, a VLAN ID ("VID") that is
not within the allowable VID address space can be used for this purpose.
[21] In alternative embodiments, other types of network services for different network
segments can also be handled in this fashion. For example, the shared access gateway
module 60 can support legacy non-VLAN based enterprise networks by converting
non-VLAN traffic into VLAN-based traffic using service provider assigned VLAN ID
techniques such as port-based VID ("PVID") assignment.
[22] In the illustrated embodiment, network segment 40 is a network owned by
enterprise Y, is located at site Q, and is configured to be part of VLAN C. Also in the
illustrated embodiment, network segment 50 is a network owned by enterprise Z, located
at site R, and configured to be part of VLAN D.
[23] Network segment 20 is communicatively coupled with network segment 110 via
the infrastructure of shared access gateways 60 and 90 and service provider network 70.
As shown in the illustrated embodiment, both network segments 20 and 110 are
configured to be part of VLAN A, although they are located at different physical locations
(site P and site S, respectively) that are owned by enterprise X. Thus, the VLAN A
extends across a wide area network including network segments 20 and 110, shared access
gateways 60 and 90 and service provider network 70.
[24] Similarly, VLAN C owned by enterprise Y and VLAN D owned by enterprise Z
also extend across a wide area network. The VLAN C may extend across service provider
network 70 or service provider network 80, or both and also includes shared access
gateways 60 and 100 and network segments 40 and 120. VLAN D extends across service
provider network 80 and also includes shared access gateways 60 and 100 and network
segments 50 and 130.
[25] Advantageously, in one embodiment VLANs B & C can both use the same VLAN
ID. For example, VLAN B for enterprise X may be assigned VLAN ID 1000.
Additionally, VLAN C for enterprise Y can also be assigned VLAN ID 1000. This re-use
of VLAN IDs across enterprises allows a single shared access gateway module or device
to service multiple enterprises, regardless of a particular enterprise's use of the VLAN
address space for its internal VLANs.
[26] Fig. 2 is a block diagram illustrating an example shared access gateway module 60
according to an embodiment of the present invention. In the illustrated embodiment, the
shared access gateway module 60 comprises a plurality of SVLAN controller modules that
each monitor one or more communication ports. A communication port can be a source
port or a destination port and may also be referred to herein as a user port (enterprise side)
or a trunk port (network service provider side). For example, SVLAN controller module
240 is configured to monitor ports 200, 205, and 210. Also, SVLAN controller module
250 is configured to monitor port 215 and SVLAN controller module 260 is configured to
monitor ports 220 and 225.
[27] In the illustrated embodiment, SVLAN controller modules 240, 250, and 260
each maintain a separate forwarding database 245, 255, and 265, respectively. The
forwarding database is described in further detail with respect to figure 3. Additionally,
each SVLAN controller module is communicatively coupled with the translator module
280.
[28] The translator module 280 performs translation of network communications (also
referred to herein as frames or packets) so that communications from an originating
network device in a particular VLAN (with its respective VLAN ID) are compatible with
the service provider network that may assign VLAN IDs in a different fashion.
Advantageously, the translator module 280 may perform a plurality of different types of
translation as needed by the various service providers that are connected to the shared
access gateway module 60 through the plurality of communication ports such as ports 290
and 295. It should be noted that the number of user ports and trunk ports may vary across
different implementations of the shared access gateway module 60. Furthermore, it should
be understood that the shared access gateway module 60 may be implemented in
hardware, software, or some combination of the two such as a system on chip ("SOC") or
ASIC.
[29] Fig. 3 is a block diagram illustrating an example forwarding database according to
an embodiment of the present invention. In the illustrated embodiment, the forwarding
database (also referred to herein as a "MAC address table") comprises a plurality of
entries that can be uniquely indexed by the MAC address field or a combination of MAC
address and other fields. As the SVLAN controller module processes frames, it updates
the forwarding database with the MAC address of the source network device and the port
on which the frame was received. The frame may be received from a user port or a trunk
port. Additionally, the forwarding database may include a time indicator that allows an
entry to expire. For example, a time indicator may be a timestamp associated with the
most recently received frame. Other information helpful to the management of VLAN
communications may also be included in the forwarding database.
[30] Fig. 4 is a block diagram illustrating an example shared access gateway module 60
with SVLAN controller modules 240, 250, and 260 and translator module 280 according
to an embodiment of the present invention. In the illustrated embodiment, SVLAN
controller module 240 is configured to monitor communication ports including user ports
1, 2, and 3 and comprises VLAN handler modules 310 and 320 that show the function of
individual VLAN processing by the SVLAN controller module 240.
[31] For example, VLAN handler module 310 processes network communications for a
particular VLAN ID. According to one embodiment, VLAN handler module 310 may be
configured to process all network communications for VLAN 310. Similarly, VLAN
handler module 320 may be configured to process all network communications for VLAN
320. Additionally, network devices belonging to VLAN 310 are located on network
segments that are connected to user ports 1, 2, and 3. Thus, VLAN handler module 310
may receive frames from any of these user ports. However, in the illustrated embodiment,
network devices belonging to VLAN 320 are located only on the network segment that is
connected to user port 3. Thus, VLAN handler module 320 receives frames only from
user port 3. Note that SVLAN controller module 240 maintains the MAC address table
245 for all network communications received on all of the user ports (and accordingly all
of the VLAN IDs) it monitors. The use of a single MAC address table 245 by the SVLAN
controller module 240 that monitors more than one VLAN is an implementation of shared
VLAN learning and allows the SVLAN controller 240 to perform the enterprise VLAN
switching function while at the same time the shared access gateway module 60 performs
the LAN-MAN VLAN translation function. Additionally, the same VLAN ID can be used
across SVLAN controller modules. For example, VLAN ID 1000 could be used for a
VLAN being monitored by SVLAN controller module 240 and also used for a VLAN
being monitored by SVLAN controller module 250.
[32] Similar configurations are also shown for SVLAN controller module 250 that is
monitoring user port 4 and SVLAN controller module 260 that is monitoring user ports 5
and 6. In the illustrated embodiment, SVLAN controller module 250 is shown with
VLAN handler 330 for processing packets for the VLAN with ID 330 that is located on
the network segment connected to user port 4. SVLAN controller module 250 maintains
the MAC address table 255. Also, SVLAN controller module 260 is shown with VLAN
handler 340 for processing packets for the VLAN with ID 340 that is located on the
network segments connected to user ports 5 and 6. SVLAN controller module 260
maintains the MAC address table 265.
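The learning behaviour described for Fig. 4 (one MAC address table shared by all VLAN IDs of an enterprise, separate tables per SVLAN controller) can be exercised with a small model. The following is an added example, not code from the patent. The class names, port numbers, MAC addresses, the 300-second ageing limit and the exclusion of the ingress port when flooding are assumptions made for illustration.

```python
import time


class SvlanController:
    """One controller per enterprise, holding that enterprise's only MAC table."""

    def __init__(self, name, port_vlans, max_age=300.0):
        self.name = name
        # user port -> set of VLAN IDs that port is a member of
        self.port_vlans = {p: frozenset(v) for p, v in port_vlans.items()}
        self.max_age = max_age   # seconds before an entry is stale (assumed value)
        self.fdb = {}            # MAC -> (port, last_seen); keyed by MAC only (SVL)

    def lookup(self, mac, now):
        """Return the learned port for mac, or None if unknown or expired."""
        entry = self.fdb.get(mac)
        if entry is None:
            return None
        port, last_seen = entry
        if now - last_seen > self.max_age:
            del self.fdb[mac]
            return None
        return port

    def process(self, in_port, vid, src, dst, now):
        """Return the egress ports for one frame; an empty list means dropped."""
        # The ingress port must be a member of the frame's VLAN.
        if vid not in self.port_vlans.get(in_port, frozenset()):
            return []
        # Learn the source MAC and refresh its timestamp.
        self.fdb[src] = (in_port, now)
        out = self.lookup(dst, now)
        if out is None:
            # Unknown destination: send to every interface of this VLAN ID,
            # within this controller only (ingress port excluded by assumption).
            return sorted(p for p, vids in self.port_vlans.items()
                          if vid in vids and p != in_port)
        # Traffic is only permitted between ports that are members of the same VLAN.
        if out == in_port or vid not in self.port_vlans[out]:
            return []
        return [out]


class SharedAccessGateway:
    """Hands each frame to the controller monitoring its ingress port (IVL)."""

    def __init__(self, controllers):
        self.owner = {}
        for ctrl in controllers:
            for port in ctrl.port_vlans:
                if port in self.owner:
                    raise ValueError(f"port {port} is already monitored")
                self.owner[port] = ctrl

    def ingress(self, in_port, vid, src, dst, now=None):
        now = time.monotonic() if now is None else now
        ctrl = self.owner.get(in_port)
        return [] if ctrl is None else ctrl.process(in_port, vid, src, dst, now)


# Constructed sample data: locally administered MAC addresses, made-up ports.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def run_demo():
    x = SvlanController("enterprise-X", {1: {1000}, 2: {1000, 320}, 3: {1000, 320}})
    y = SvlanController("enterprise-Y", {4: {1000}, 5: {1000}})  # reuses VLAN ID 1000
    sag = SharedAccessGateway([x, y])
    r = {}
    r["x_unknown_floods"] = sag.ingress(1, 1000, MAC_A, MAC_B, now=0)
    r["x_reply_unicast"] = sag.ingress(2, 1000, MAC_B, MAC_A, now=1)
    # Enterprise Y uses the same VLAN ID and even the same source MAC.
    r["y_stays_in_y"] = sag.ingress(4, 1000, MAC_A, MAC_B, now=2)
    r["x_entry_intact"] = x.lookup(MAC_A, now=2)
    # Shared learning: C is learned on VLAN 1000 and then found for VLAN 320.
    sag.ingress(3, 1000, MAC_C, MAC_A, now=3)
    r["svl_cross_vid"] = sag.ingress(2, 320, MAC_B, MAC_C, now=4)
    r["not_member_drop"] = sag.ingress(1, 320, MAC_A, MAC_C, now=5)
    r["aged_out_floods"] = sag.ingress(2, 1000, MAC_B, MAC_A, now=400)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Enterprise Y's frame never reaches ports 1 to 3 even though X already knows the destination MAC, which is the tenant isolation that separate tables provide. With purely independent learning inside enterprise X, the VLAN 320 frame would have been flooded instead of sent to port 3.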
[33] The frames that are processed by the VLAN handler modules are forwarded to the
translator module 280 for translation prior to transmission over the service provider
network (not shown) via a communication port such as trunk ports 1 and 2. The translator
module 280 is shown having a plurality of function processor modules 350, 360, and 370
to illustrate the function of translating frames according to various translation schemes
such as VLAN-in-VLAN encapsulation (also referred to as Q-in-Q encapsulation).
[34] Advantageously, frames sent to a particular function processor module can be
encapsulated or translated and then transmitted over the service provider network for
delivery to the destination address. The reverse translation or de-encapsulation process
takes place on the delivery end where the translator module 280 provides the frame to the
appropriate SVLAN controller module for transmission on the appropriate communication
port based on a lookup in the MAC address table for the destination MAC address.
[35] Fig. 5 is a flow diagram illustrating an example method for shared access gateway
processing of communication frames according to an embodiment of the present
invention. Initially, in step 400, the SVLAN controller module receives a frame from a
communication port. In one embodiment, quality of service ("QoS") and bandwidth
control can be implemented when the frame is received. For example, QoS may
advantageously be performed if the communication port is a wireless network connection.
Next, in step 405 the frame is processed through VLAN ingress filtering. This filtering
may include evaluating the VLAN tagging status of the frame. In one embodiment,
frames that lack the appropriate VLAN tag are dropped, as shown in step 410. Other
filtering techniques may also be employed to ensure that only valid frames are processed
further and thereby optimize frame processing and throughput.
[36] After ingress filtering, the frame is next analyzed for VID classification. In one
embodiment, on the enterprise side port based VID ("PVID") can be employed to
determine the VID of the incoming frame. In some instances, the VID will be known
based on the port itself, however, if multiple VLANs are assigned to a single network
segment, then each frame can be filtered to determine its VID. In an embodiment where
the network segment is using TLS, then all incoming frames can advantageously be
assigned to the TLS VLAN that is in place for the particular port. On the service provider
side a VID mapping process can be used to determine the VID assignment of the incoming
frame.
[37] Next, in step 420 VLAN priority classification takes place. This process
establishes the priority of the frame, for example, based on the IEEE 802.1p standard, IP
TOS/DiffServ, and the like. Once the priority of the frame has been established a
destination VLAN lookup is performed, as shown in step 425. The destination VLAN
lookup determines the VLAN ID to which the frame is directed. This can be determined
based on the assigned VLAN tag. If the destination VLAN lookup fails, for example,
when the port of the incoming frame is not a member of the destination VLAN, then the
frame is dropped, as illustrated in step 430. For example, in one embodiment traffic is only
permitted between ports that are members of the same VLAN. In an embodiment where
the network segment from which the frame originates is a TLS network segment, then the
TLS traffic is directed to the TLS VLAN ID assigned to the port at which the frame was
received.
[38] If the frame passes the destination VLAN lookup, then the MAC address table is
updated, as shown in step 435. The information from the incoming frame that is updated
or added into the MAC address table can include the MAC address of the source network
device, the communication port on which the frame was received, and a timestamp or
other timing information that allows the entry in the MAC address table to expire after a
certain period of time elapses that causes the entry to become stale.
[39] Advantageously, each SVLAN controller module maintains a separate MAC
address table that is shared for all of the VLAN IDs of the enterprise that the SVLAN
controller module is responsible for. This shared MAC address table allows the SVLAN
controller module to implement shared VLAN learning within the communications for an
enterprise.
[40] Additionally, because each SVLAN controller module maintains a separate MAC
address table, the SVLAN controller module is able to implement independent VLAN
learning across enterprises. This combination of shared VLAN learning within an
enterprise and independent VLAN learning across enterprises is particularly advantageous
for implementing the shared access gateway to multiplex communications between the
VLAN network segments of multiple enterprises across multiple network service
providers.
[41] Next, in step 440 the destination MAC address to VLAN interface lookup is
performed. This step identifies the egress port to which the frame should be sent for
delivery over the service provider network. Alternatively, the frame may be destined for
delivery via a user port such that it would not be delivered over a service provider
network. In either case, once the destination VLAN interface is determined, then the
frame is forwarded to that port in step 445. If the destination VLAN interface is not
determined, then the frame is broadcast to all of the VLAN interfaces that are associated
with the particular VLAN ID.
[42] After forwarding the frame to the VLAN interface, VLAN egress filtering may be
performed in step 450 to determine the compatibility of the frame for transmission. For
example, filters such as those described in IEEE 802.1Q or others can be applied. If the
frame does not pass the filtering step, it is discarded in step 455. If the frame passes the
filtering step, then VLAN ID translation is performed in step 460.
[43] In one embodiment, during VLAN ID translation the VLAN ID on the enterprise
side remains intact. Alternatively, the VLAN ID on the enterprise side may also undergo a
transformation to help determine the particular VLAN ID to be used when the frame is
transmitted over the service provider network.
[44] In one embodiment, on the service provider side, unique VLAN IDs are
maintained across the service provider network. Accordingly a Q-in-Q encapsulation
process may be performed in the VLAN translation step to assign a new VLAN ID to the
frame for transmission across the service provider network. This can be referred to as
LAN-MAN translation since the VLAN ID for the network segment (e.g., LAN) is
translated into a VLAN ID for the service provider network (e.g., MAN).
[45] The particular LAN-MAN translation function can be set up administratively, and
may include standard transformation techniques such as VLAN-in-VLAN encapsulation,
which inserts an additional 4-byte VLAN tag containing a transformed unique VLAN ID
into the frame immediately after the source and destination address field. Additionally, a
configurable Ether-type field may also be included in the inserted tag to improve
interoperability with various MAN switches. Other VLAN ID translations can also be
used. In one embodiment, additional control can be applied to manage the egress tagging
behavior (e.g., tagged or untagged). For example, the translator should be configured for
tagged egress operation on a trunk port where there may be an aggregation of frames from
multiple SVLAN controller modules. In an alternative embodiment, VLAN IDs from the
enterprise side can be remapped to a VLAN ID for the network service provider side.
[46] After the VLAN ID translation, the VLAN priority classification for the frame is
performed in step 465. A frame can be classified with a priority such as those identified in
IEEE 802.1p, IP TOS/DiffServ, and others. Once the priority classification has been
completed, the frame is transmitted on the port identified for the destination VLAN
interface, as illustrated in step 470. Egress QoS and bandwidth control policies may also
be implemented at this time to determine the compatibility of the frame for transmission.
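The Q-in-Q translation of step 460, together with the reverse de-encapsulation at the delivery end, can be shown on raw frame bytes. This is an added example, not code from the patent. The class and function names, the provider VLAN IDs 2001 and 2002, the sample frame, the default outer Ether-type 0x88A8 and the copying of the priority bits into the outer tag are assumptions.

```python
import struct

TPID_CUSTOMER = 0x8100       # IEEE 802.1Q tag carried on the enterprise side
DEFAULT_OUTER_TPID = 0x88A8  # IEEE 802.1ad value; configurable per MAN (assumed default)


def customer_tci(frame):
    """Return the 16-bit TCI of the enterprise tag; reject frames without one."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a VLAN tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_CUSTOMER:
        raise ValueError("frame lacks an 802.1Q tag")
    return tci


class LanManTranslator:
    """Maps (controller, enterprise VID) to a provider VID that is unique on the trunk."""

    def __init__(self, outer_tpid=DEFAULT_OUTER_TPID):
        self.outer_tpid = outer_tpid
        self.to_provider = {}    # (controller, enterprise VID) -> provider VID
        self.to_enterprise = {}  # provider VID -> (controller, enterprise VID)

    def provision(self, controller, enterprise_vid, provider_vid):
        for vid in (enterprise_vid, provider_vid):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1..4094")
        if provider_vid in self.to_enterprise:
            raise ValueError(f"provider VLAN ID {provider_vid} is already assigned")
        if (controller, enterprise_vid) in self.to_provider:
            raise ValueError("this enterprise VLAN is already mapped")
        self.to_provider[(controller, enterprise_vid)] = provider_vid
        self.to_enterprise[provider_vid] = (controller, enterprise_vid)

    def encapsulate(self, controller, frame):
        """Insert the 4-byte outer tag right after the two 6-byte addresses."""
        tci = customer_tci(frame)
        key = (controller, tci & 0x0FFF)
        if key not in self.to_provider:
            raise ValueError("no provider VLAN ID provisioned for this VLAN")
        # Priority bits are copied from the inner tag (assumption of this example).
        outer_tci = (tci & 0xE000) | self.to_provider[key]
        return frame[:12] + struct.pack("!HH", self.outer_tpid, outer_tci) + frame[12:]

    def decapsulate(self, frame):
        """Strip the outer tag and name the controller that must receive the frame."""
        if len(frame) < 20:
            raise ValueError("frame too short to carry two VLAN tags")
        tpid, outer_tci = struct.unpack("!HH", frame[12:16])
        if tpid != self.outer_tpid:
            raise ValueError("unexpected outer Ether-type")
        owner = self.to_enterprise.get(outer_tci & 0x0FFF)
        if owner is None:
            raise ValueError("unknown provider VLAN ID")
        controller, enterprise_vid = owner
        inner = frame[:12] + frame[16:]
        if customer_tci(inner) & 0x0FFF != enterprise_vid:
            raise ValueError("inner VLAN ID does not match the provisioned mapping")
        return controller, inner


def build_tagged_frame(dst, src, vid, pcp=0, payload=b"constructed payload"):
    """Constructed sample frame: addresses, 802.1Q tag, IPv4 Ether-type, payload."""
    return dst + src + struct.pack("!HHH", TPID_CUSTOMER, (pcp << 13) | vid, 0x0800) + payload


DST = bytes.fromhex("02000000000b")  # constructed, locally administered
SRC = bytes.fromhex("02000000000a")


def run_demo():
    t = LanManTranslator()
    t.provision("enterprise-X", 1000, 2001)
    t.provision("enterprise-Y", 1000, 2002)  # same enterprise VID, different provider VID
    frame = build_tagged_frame(DST, SRC, vid=1000, pcp=5)
    wire_x = t.encapsulate("enterprise-X", frame)
    wire_y = t.encapsulate("enterprise-Y", frame)
    return {
        "outer_tag_x": wire_x[12:16].hex(),
        "outer_tag_y": wire_y[12:16].hex(),
        "inner_tag_kept": wire_x[16:20].hex(),
        "grew_by": len(wire_x) - len(frame),
        "delivered_x": t.decapsulate(wire_x) == ("enterprise-X", frame),
        "delivered_y": t.decapsulate(wire_y) == ("enterprise-Y", frame),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rejecting a second assignment of the same provider VLAN ID is what keeps two enterprises that both use VLAN ID 1000 from sharing a segment on the trunk.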
[47] Fig. 6 is a block diagram illustrating an exemplary computer system 550 that may
be used in connection with the various embodiments described herein. For example, the
computer system 550 may be used in conjunction with the shared access gateway
described herein. The computer system may be implemented as a stand alone device, as
an integrated part of a larger device, or implemented as a system-on-chip. However,
other computer systems and/or architectures may be used, as will be clear to those skilled
in the art.
[48] The computer system 550 preferably includes one or more processors, such as
processor 552. Additional processors may be provided, such as an auxiliary processor to
manage input/output, an auxiliary processor to perform floating point mathematical
operations, a special-purpose microprocessor having an architecture suitable for fast
execution of signal processing algorithms (e.g., digital signal processor), a slave processor
subordinate to the main processing system (e.g., back-end processor), an additional
microprocessor or controller for dual or multiple processor systems, or a coprocessor.
Such auxiliary processors may be discrete processors or may be integrated with the
processor 552.
[49] The processor 552 is preferably connected to a communication bus 554. The
communication bus 554 may include a data channel for facilitating information transfer
between storage and other peripheral components of the computer system 550. The
communication bus 554 further may provide a set of signals used for communication with
the processor 552, including a data bus, address bus, and control bus (not shown). The
communication bus 554 may comprise any standard or non-standard bus architecture such
as, for example, bus architectures compliant with industry standard architecture ("IS