(12) Patent Application Publication (10) Pub. No.: US 2004/0223497 A1
Sanderson et al.
(43) Pub. Date: Nov. 11, 2004

(54) COMMUNICATIONS NETWORK WITH CONVERGED SERVICES

(75) Inventors: David M. Sanderson, Plymouth, MN (US); Reid Knuttila, Minneapolis, MN (US)

Correspondence Address: ALTERA LAW GROUP, LLC, 6500 CITY WEST PARKWAY, SUITE 100, MINNEAPOLIS, MN 55344-7704 (US)

(73) Assignee: Onvoy Inc., Minneapolis, MN

(21) Appl. No.: 10/431,664

(22) Filed: May 8, 2003

Publication Classification
(51) Int. Cl.: H04L 12/28
(52) U.S. Cl.: 370/395.52

(57) ABSTRACT

A communications network provides one or more shared services, such as voice or video, to customers over a respective virtual private network (VPN). At the same time, each customer may have its own private data VPN for handling private company data. The shared service VPN permits users from different customers to communicate directly over the shared service VPN. Trust and security are established at the edge of the network, as the information enters from the customer's site. As a result, no additional security measures are required within the shared service VPN for the communications between users. This architecture results in a fast, high quality, shared service.
`
[Front-page drawing: shared communications network 200 with headquarters 202.]

Ex.1018
CISCO SYSTEMS, INC. / Page 1 of 29
`
`
`
[Drawings, Sheets 1 to 8 of 8. Only the figure labels and the FIG. 9 flowchart text are recoverable from the scan.]

FIG. 1: prior art private network 100; headquarters 102 connected directly to each branch office 104.
FIG. 2: prior art VPN 200; headquarters and satellite offices 204 on a shared network.
FIGS. 3 to 8: see the Brief Description of the Drawings below.
FIG. 9 (steps of the labeling method):
902 Ingress LSR assigns FEC
904 Inner and outer labels derived and pushed onto incoming packet
906 Inner label identified at PE router and allocated
908 Obtain outer label from forwarding table and attach to packet
910 Stack inner and outer labels and attach to VPN packet
912 Label information distributed to neighboring LSRs
914 LSP identified to egress PE router by outer label
916 Egress LSR connecting to destination CE router identified
`
`
`
`
COMMUNICATIONS NETWORK WITH CONVERGED SERVICES
`
FIELD OF THE INVENTION

[0001] The present invention is directed generally to communications, and more particularly to a communications network that provides voice, video, Internet and private data services.
BACKGROUND

[0002] Communications systems for companies having a number of sites have historically been complex. One of the reasons for the complexity is the simultaneous requirement for open communications, such as telephony and video services, with entities outside the company, and for privacy of company information.

[0003] Private networks, for carrying private information, were originally built either to reduce costs or because there was no public service available. The initial private networks were made up of leased circuits, initially analog, and then later digital. Companies typically built private networks for data communication purposes and separate networks for telecommunications or voice traffic. This was required because the networks were specialized for the media they were transporting. FIG. 1 illustrates one example private network 100, in which the company headquarters 102 is connected directly to each branch office 104. One of the problems with such a network is that none of the branch offices can communicate with each other directly. As a result, if the connection at the headquarters 102 is broken, for example due to equipment failure, then no office can communicate with another office. Also, private networks based on leased circuits were very expensive and very few companies could afford them.
`0004 Consequently, Public Data Network companies
`arose, to lease capacity on their networks. These companies
`used link layer technologies, Such as X.25, Frame Relay, and
`eventually asynchronous transfer mode (ATM), to create
`Virtual circuits across their network, thus allowing their
`client's Sites to be connected together. Such virtual circuits
`are often referred to as virtual private networks (VPNs), and
`are commonly defined as a network whereby customer
`connectivity amongst multiple Sites is deployed on a shared
`infrastructure with the same policies as a private network.
`The customers were charged either for the amount of traffic
`that traversed the virtual circuit and/or the capacity, also
`referred to as bandwidth, that was provided to the customer.
`0005) An example of a VPN 200, based on X.25, Frame
`Relay or ATM is schematically shown in FIG. 2. This VPN
`differs in two main respects from that illustrated in FIG. 1.
`First, the VPN is physically formed on a shared. communi
`cations network 206. Second, the VPN provides greater
`connectivity between sites. Not only are all satellite offices
`204 connected to the headquarter site 202, but some of the
`satellite offices 204 are connected to each other. Thus, the
`greater redundancy in the connections of the VPN permits
`satellite offices 204 to communicate even if the connection
`at the headquarters 202 is broken.
`0006 Another method of creating VPNs is by using a
`layer 3 technology. Internet Protocol (IP) is the predominant
`layer 3 protocol and tunneling protocols like Generic Rout
`
`ing Encapsulation (GRE) and IPsec can be used to create
`virtual connections between sites on an IP based network
`Such as the Internet. In the case of GRE, a packet destined
`for another site is encapsulated inside another IP packet
`whose destination address is the address of the router
`attached to the destination site and whose Source address is
`the address of the router that encapsulated the original
`packet. This explained further with reference to FIG. 3. The
`Source host 302 generates a packet 304 that contains fields
`for the addresses of the Source host, SH, and the destination
`host, DH. The packet is sent to a source router 306 that adds
`to the packet addresses for the Source router, SR, and the
`destination router, DR, to form the encapsulated packet 308.
`The encapsulated packet 308 is then sent through the Inter
`net 310 to the destination router 312, which strips out the
`router addresses to reproduce the original packet 314 that is
`then directed to the destination host 316. The IPsec protocol
`is similar to GRE but uses a different encapsulation method
`and provides authentication and encryption of the payload.
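The FIG. 3 exchange of paragraph [0006], modeled as an added example that is not part of the patent: the source router wraps packet 304 in a GRE header and an outer IP header (SR to DR), and the destination router strips both to recover packet 314. All addresses and the payload are constructed; the peer check in the destination router is an assumption added here, since GRE itself carries no authentication.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a header whose checksum field is filled in sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject anything that is not a sane IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]

def host_packet(sh: str, dh: str, payload: bytes) -> bytes:
    """Packet 304 as the source host 302 sends it: SH -> DH carrying the payload."""
    return ipv4_header(sh, dh, IPPROTO_UDP, len(payload)) + payload

def gre_encapsulate(inner: bytes, sr: str, dr: str) -> bytes:
    """Source router 306: wrap packet 304 in GRE plus an outer header SR -> DR (packet 308)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence, version 0
    return ipv4_header(sr, dr, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(outer: bytes, my_addr: str, tunnel_peers) -> bytes:
    """Destination router 312: strip the outer header and GRE to recover packet 314.

    GRE carries no authentication (the text notes IPsec adds that), so this router
    only accepts tunnel packets whose outer source is a configured peer (assumption
    added here); anything else is dropped instead of being injected into the site."""
    src, dst, proto, payload = parse_ipv4(outer)
    if dst != my_addr or proto != IPPROTO_GRE:
        raise ValueError("not a GRE packet addressed to this router")
    if src not in tunnel_peers:
        raise ValueError("GRE packet from unconfigured endpoint %s" % src)
    flags, ethertype = struct.unpack("!HH", payload[:4])
    if flags != 0 or ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header options or payload type")
    inner = payload[4:]
    parse_ipv4(inner)   # the recovered packet must itself be well formed
    return inner

def fig3_exchange(payload: bytes = b"constructed payload"):
    """Run the FIG. 3 exchange end to end; returns (packet 304, packet 308, packet 314)."""
    inner = host_packet("10.1.1.10", "10.2.2.20", payload)          # SH -> DH
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")   # SR -> DR
    recovered = gre_decapsulate(outer, "198.51.100.1", {"203.0.113.1"})
    return inner, outer, recovered
```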
`0007 Layer 2 technologies (such as X.25, Frame Relay
`and ATM) and Layer 3 technologies are known as the
`Overlay Model of creating VPNs. It is called overlay
`because the underlying network is independent of the Virtual
`network using it: the virtual network has no knowledge of
`the structure of the physical network. One problem with the
`overlay model, however, is that it does not Scale well as the
`number of Sites increases. In order for each Site to be able to
`send traffic to another site on the VPN, without the traffic
`passing through an intermediate site, a full mesh of Virtual
`circuits must be built. This requires that n(n-1)/2 bidirec
`tional virtual circuits be built, where n is the number of sites.
`AS the number of Sites, or nodes, increases, the number of
`Virtual circuits grows exponentially.
`0008 Another problem with the use of VPNs is that they
`permit the transfer of data only to those sites that are part of
`the VPN. If a first customer who has a VPN on the physical
`network wishes to communicate with another customer who
`has another VPN on the same physical network, then the first
`customer has to use an external communications System, for
`example a public utility telephone System. This results in
`additional costs and complexity for the customer.
`0009 Companies often built several VPNs to the same
`Sites, one for private data communication, one for Voice, and
`one for Video. This was expensive but necessary because the
`underlying networks used to transport these Services were
`incompatible. The advent of ATM permitted all of these
`Services to transverse over a common infrastructure. Unfor
`tunately, ATM was not widely deployed, was expensive, and
`needed to use the overlay model to accomplish its task. IP
`became the technology to converge all of these Services onto
`a common infrastructure. IP was already widely used for
`data communications. H.323, an ITU-T standard, allowed
`video to ride an IP infrastructure, while Voice Over IP (VoIP)
`did the same for Voice. This greatly reduced the costs of
`building VPNs for these services because a common infra
`structure could be shared. However, the problem still
`remained that while internal communications within the
`company could take place over the VPN, communications
`with other companies, Such as vendors or customers, had to
`take place over a different System.
SUMMARY OF THE INVENTION

[0010] There remains a need to improve the flexibility of networks so that customers are provided with privacy for transferring private data among their own different sites, while at the same time permitting the users to communicate freely with other users on the network, whether or not they belong to the same customer, and also with others who are off the network.
`0.011
`Generally, the present invention relates to a com
`munications network on which one or more shared Services,
`Such as voice or Video, are provided to customers over a
`respective virtual private network (VPN). At the same time,
`each customer may have its own private data VPN for
`handling private company data. The shared service VPN
`permits users from different customers to communicate
`directly over the shared service VPN. Trust and security are
`established at the edge of the network, as the information
`enters from the customer's site. As a result, no additional
`Security measures are required within the shared Service
`VPN for the communications between users. This architec
`ture results in a fast, high quality shared Service.
`0012 One embodiment of the invention is directed to a
`method of providing a communications System to a plurality
`of customers. The method includes providing, on a commu
`nications network, at least one shared Service virtual private
`network (VPN) accessible by a first set of customers for a
`shared Service, permitting communication between users of
`different customers Subscribed to that service. The method
`also includes providing, on the communications network, at
`least one private data VPN for handling private customer
`information, the at least one private data VPN being asso
`ciated with a respective customer.
`0013 Another embodiment of the invention is directed to
`a communications System for providing communications
`Services to a plurality of customers. The System includes a
`communications network configured with at least one shared
`service virtual private network (VPN). A least a first set of
`customerS is connected respectively to the at least one
`shared service VPN for sharing a respective service on the
`at least one shared service VPN. The network is also
`configured with at least one private data VPN for handling
`private customer information, the at least one private data
`VPN being associated with a respective customer.
`0.014) Another embodiment of the invention is directed to
`a System for providing centralized Services to customers on
`a converged Service network. The System comprises a com
`munications network configured with at least one shared
`service virtual private network (VPN) accessible by multiple
`customers to receive a Service in a shared environment on
`the converged Service network. There is also a central
`Services VPN. Common service units are connected to the
`central Services VPN. The central Services VPN is connected
`to the at least one shared service VPN via at least one
`Security device.
`0.015. Another embodiment of the invention is directed to
`a method for providing centralized Services to customers on
`a converged Service, communications network. The method
`comprises providing at least one shared virtual private
`network (VPN) accessible by multiple customers to receive
`a Service in a shared environment on the converged Service
`network and providing a central services VPN. Common
`Service units are connected to the central services VPN. The
`central services VPN is connected to the at least one shared
`service VPN via at least one security device.
`0016. Another embodiment of the invention is directed to
`a System for connecting a customer to a communications
`
`network. The System comprises a customer edge (CE)
`router, a provider edge (PE) router, and a connection
`between the CE router and the PE router. The CE router is
`configured to select a VPN over which an IP packet received
`from the customer is to travel. The CE router selects from i)
`at least one shared service virtual private network (VPN)
`connected to the PE router and configured for providing a
`shared Service to multiple customers on the communications
`network and ii) a private data VPN (PD-VPN) connected to
`the PE router.
`0017 Another embodiment of the invention is directed to
`a method of connecting a customer to a communications
`network having at least one shared Service virtual private
`network (VPN) for providing a shared service to multiple
`customers and a private data VPN (PD-VPN). The method
`comprises selecting a VPN from i) at least the one shared
`service virtual private network (VPN) connected to a PE
`router and configured for providing a shared Service to
`multiple customers on the communications network and ii)
`a private data VPN (PD-VPN) connected to the PE router. IP
`traffic is then directed to the selected VPN.
`0018. Another embodiment of the invention is directed to
`a method of directing IP traffic from a customer onto a
`communications network configured with at least one shared
`service virtual private network (VPN) and at least one
`private data VPN (PD-VPN). The method comprises deter
`mining which VPN the IP traffic is to be directed to from i)
`the at least the one shared service VPN and ii) a private data
`VPN (PD-VPN). Quality of service (QoS) rules are applied
`to the IP traffic based on the determined VPN.
`0019. Another embodiment of the invention is directed to
`a communications System providing converged IP Services
`to customers. The System comprises a communications
`network configured with at least one shared Service Virtual
`private network (VPN) for providing a shared service a first
`set of the customers and at least one private data VPN
`(PD-VPN) for carrying private data of at least one respective
`customer. The network includes at least one customer edge
`(CE) router configured to determine which VPN, from i) the
`at least the one shared service VPN and ii) a private data
`VPN (PD-VPN), IP traffic received from an associated
`customer is to be directed to. The CE router is further
`configured to apply quality of service (QoS) rules to the IP
`traffic based on the determined VPN.
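The CE router behaviour of paragraphs [0016] to [0019], as an added example that is not the patent's or the assignee's code: the router decides whether an IP packet belongs on a shared service VPN or on the customer's PD-VPN, marks the DSCP tied to that VPN, and hands it to that VPN's PVC toward the PE router (paragraph [0038] below describes one PVC per subscribed service). Prefixes, DSCP values, DLCIs and the default-deny behaviour are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int

@dataclass(frozen=True)
class Vpn:
    name: str
    dscp: int    # DiffServ code point the CE marks on this VPN's traffic
    dlci: int    # frame relay PVC from the CE to the PE carrying this VPN

# One PVC per subscribed shared service plus one for the customer's private data
# (constructed values).
VOICE_VPN = Vpn("shared-voice", dscp=46, dlci=101)       # EF
VIDEO_VPN = Vpn("shared-video", dscp=34, dlci=102)       # AF41
PD_VPN = Vpn("pd-vpn-customer-a", dscp=0, dlci=103)      # best effort

# Selection rules, evaluated in order: (destination prefix, protocol, port range, VPN).
# A shared service VPN is chosen only when the destination lies in that service's
# address space AND the traffic looks like that service; matching on port alone
# would let any host push arbitrary data into the voice VPN's EF queue.
RULES = [
    (ipaddress.ip_network("10.200.0.0/16"), "udp", range(16384, 32768), VOICE_VPN),
    (ipaddress.ip_network("10.201.0.0/16"), "udp", range(5000, 5100), VIDEO_VPN),
    (ipaddress.ip_network("10.1.0.0/16"), None, None, PD_VPN),   # customer A's own sites
]

def select_vpn(pkt: Packet) -> Optional[Vpn]:
    """Return the VPN this packet travels over, or None if no rule matches."""
    dst = ipaddress.ip_address(pkt.dst)
    for prefix, proto, ports, vpn in RULES:
        if dst in prefix and (proto is None or pkt.proto == proto) \
                and (ports is None or pkt.dport in ports):
            return vpn
    return None

def tos_byte(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS byte (ECN bits left clear)."""
    return (dscp & 0x3F) << 2

def forward(pkt: Packet):
    """Classify, mark and queue the packet on the PVC of its VPN.

    Returns (VPN name, DSCP, DLCI). Assumption made here: traffic that fits neither
    a subscribed service nor the private data VPN is dropped at the CE (default deny)
    instead of being placed on some other customer's or service's VPN."""
    vpn = select_vpn(pkt)
    if vpn is None:
        raise PermissionError("no VPN for %s -> %s %s/%d"
                              % (pkt.src, pkt.dst, pkt.proto, pkt.dport))
    return vpn.name, vpn.dscp, vpn.dlci
```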
`0020. The above summary of the present invention is not
`intended to describe each illustrated embodiment or every
`implementation of the present invention. The figures and the
`detailed description which follow more particularly exem
`plify these embodiments.
`BRIEF DESCRIPTION OF THE DRAWINGS
`0021. The invention may be more completely understood
`in consideration of the following detailed description of
`various embodiments of the invention in connection with the
`accompanying drawings, in which:
`0022 FIG. 1 schematically presents a configuration of a
`prior art network,
`0023 FIG. 2 schematically presents a configuration of a
`prior art Virtual private network;
`FIG. 3 schematically shows labeling of an IP
`0024
`packet;
`
`Ex.1018
`CISCO SYSTEMS, INC. / Page 11 of 29
`
`
`
`US 2004/0223497 A1
`
`Nov. 11, 2004
`
`FIG. 4 schematically shows an embodiment of the
`0.025
`physical layer of a converged IPServices network according
`to principles of the present invention;
`0.026
`FIG. 5 schematically shows an embodiment of the
`logical layer of a converged IP Services network according
`to principles of the present invention;
`0.027
`FIG. 6 schematically shows an embodiment of the
`customer edge of a converged IPServices network according
`to principles of the present invention;
`0028 FIG. 7 schematically shows another embodiment
`of the customer edge of a converged IP Services network
`according to principles of the present invention;
`0029 FIG. 8 schematically shows an embodiment of
`network logic for providing centralized Services to custom
`erS on the converged IP Services network, according to
`principles of the present invention; and
`0030 FIG. 9 presents steps in an embodiment of a
`method of labeling IP packets according to an embodiment
`of the present invention.
`0.031
`While the invention is amenable to various modi
`fications and alternative forms, Specifics thereof have been
`shown by way of example in the drawings and will be
`described in detail. It should be understood, however, that
`the intention is not to limit the invention to the particular
`embodiments described. On the contrary, the intention is to
`cover all modifications, equivalents, and alternatives falling
`within the spirit and scope of the invention as defined by the
`appended claims.
`
DETAILED DESCRIPTION

[0032] In general, the present invention is directed to a communications network that a service provider supplies to customers for voice, video, private data and Internet services. All the services are provided on the same physical network, which is referred to as a converged network. The service provider is able to offer a fully managed service that includes providing the managed access link (via resale), the access equipment (the customer premises router), management of the equipment and administration of the Internet protocol (IP)-based virtual private network (VPN) services, referred to as the converged IP services.
`
Overview

[0033] To support the IP-based services, the converged IP services (CISP) network approach is to create a layered architecture where the IP routed architecture is built. The IP equipment and the IP backbone may be overlaid on an existing optical or electrical network architecture, which is the framework for offering services. Access service to the IP transport and routed backbone network is made continuous through the local provider's network and over the last mile local loop to the customer end-sites. The service allows customers to acquire access to a site for the aggregation of all traffic. Customers can fully mesh each geographically dispersed site into the VPN-based offering. The service provider may manage the customer edge router, located at the customer premises, that gives access to the high bandwidth at the edge of the backbone network, and so the service may be configured for end-to-end quality of service (QoS).
`
`0034. The edge of the network provides class of service
`(CoS) as a way of denoting the relative importance of the
`customer's traffic contained in the information being trans
`mitted. Classifying and transporting the classified traffic,
`which are engineered to consume network resources and
`relates to the price Structure of the offered Services, are Some
`of the important busineSS decisions associated with overall
`QoS. QoS techniques enable the Service provider to manage
`different kinds of traffic based on priority and service level
`agreements (SLAS). The Service provider may provide value
`and SLAS to its connected customer Sites by delivering its
`VPN-based services over its IP network and not over the
`public Internet. Gateway access to the global Internet and to
`the public Switched telephone network (PSTN) may be
`accommodated through the service provider's PoPs.
`0035 An important feature of the converged IP network
`is the construction of various VPNs. Another approach for
`building VPNs, not discussed earlier, is the Peer Model. In
`a Peer Model, the router with which the customer commu
`nicates, known as the customer edge (CE) router, exchanges
`information with the provider's edge (PE) router, thus
`allowing the Service provider to determine the route to the
`destination sites. This greatly reduces the complexity of the
`customer's network. Multiple protocol label Switching
`(MPLS) allows the use of a MPLS-VPN. This is an example
`of peer model method of building VPNs.
`0036) A new approach to providing converged commu
`nication services is now described. The IP-based convergent
`network is based on a quality of service (QoS) architecture
`that allows the delivery of private network services to
`customers over a shared service VPN infrastructure. The
`edge of the network is the location where QoS functionality
`is defined. QoS is enforced throughout the network. The
`QoS Solution is extended acroSS the edge, the extended edge
`and the backbone networks.
`0037. The QoS techniques include using raw bandwidth
`and multi-protocol label switching (MPLS) in the backbone
`network. The extended edge, connecting between the cus
`tomer and the CE router, uses virtual LANs (VLANs) for
`logical partitioning of the Ethernet network. In the edge
`network, frame relay encapsulation allows the creation of
`Virtual interfaces that can be placed into virtual forwarding
`and routing (VRF) tables. QoS policy can also be applied to
`the Virtual interfaces.
`0038. In one embodiment, customer traffic reaches the
`router in the PoP via a frame-relay-enabled permanent
`virtual circuit (PVC) configured over a leased-line link. The
`PVC is a logical connection giving the impression of a
`dedicated and fixed or point-to-point link. A logical PVC is
`configured within the access link for every Subscribed
`service from the CE router to the connecting PE router. The
`traffic is classified through differentiated services before
`being sent down the PVC.
`0039. Once the classified traffic has reached the point of
`presence (PoP) server, more specifically the edge router, the
`traffic enters the IP network cloud, where the customer's
`traffic shares the IP backbone network bandwidth with all
`other communicating customer Sites. All of the customer
`Sites in a community of interest communicate with one
`another directly through the any-to-any connectivity nature
`of the IP-based transport network.
`004.0
`IP-based transport means the source and destina
`tion devices are defined and identified by logical IP
`
`Ex.1018
`CISCO SYSTEMS, INC. / Page 12 of 29
`
`
`
`US 2004/0223497 A1
`
`Nov. 11, 2004
`
`addresses. The IP addressing Scheme is integral to routing
`and forwarding customer traffic through the network. The
`convergent network accommodates the use of addressing
`from both the global address Space and from the private
`address Space, including customer private addresses.
`0041 Customers using their own private addressing
`Schemes are able to utilize the convergent network. The
`Service provider may convert the private addresses to unique
`addresses for use on the IP converged network when an
`overlap of private addresses occurs. Private addresses are
`not visible or directly accessible outside of the converged
`network.
`0042. In the converged backbone network, multi-protocol
`label switching (MPLS) labels establish the class of service,
`based on the service classification done at the edge, VPN
`membership, and the route the packet will take based on the
`routing protocols. In one example, the OSPF (open shortest
`path first) and BGP (border gateway protocol) routing pro
`tocols may be used within the network to Support the routing
`policies and the MPLS forwarding mechanisms.
`0043. The MPLS packet-forwarding technology used
`acroSS the backbone network creates the shared Service
`VPNs for the aggregation of each service subscribed to by
`the customers. MPLS is used as a fast-transport forwarding
`and switching mechanism to move prioritized IP traffic
`through the backbone of the convergent network between
`the customer Sites and the Services network.
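The two-label MPLS forwarding that paragraphs [0042] and [0043] describe and that FIG. 9 walks through (steps 902 to 916), as an added example that is not the patent's or any vendor's code: the ingress PE maps a packet to a FEC, pushes an inner (VPN membership) label and an outer (LSP) label carrying the class of service in the EXP bits, a P router swaps the outer label without looking at the inner one, and the egress PE pops both and resolves the inner label to the VRF and CE router. All labels, prefixes, router names and the DSCP-to-EXP mapping are constructed assumptions.

```python
import struct
import ipaddress

def encode_lse(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20 or not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_lse(data: bytes):
    """Unpack the first label stack entry into (label, exp, bottom_of_stack, ttl)."""
    word = struct.unpack("!I", data[:4])[0]
    return word >> 12, (word >> 9) & 7, bool((word >> 8) & 1), word & 0xFF

# Ingress PE state (constructed). Each VRF holds routes whose inner label was
# allocated by the egress PE for that prefix (FIG. 9, 906) and distributed to
# neighbouring LSRs (912).
VRF_ROUTES = {
    "vrf-shared-voice": [(ipaddress.ip_network("10.200.0.0/16"), 3001, "pe-402d")],
    "vrf-customer-a":   [(ipaddress.ip_network("10.1.3.0/24"), 4007, "pe-402c")],
}
# Outer label toward each egress PE from the forwarding table (FIG. 9, 908).
LSP_TO_PE = {"pe-402d": 17, "pe-402c": 23}
# P router label forwarding: incoming outer label -> (outgoing label, next hop).
P_LFIB = {17: (1017, "pe-402d"), 23: (1023, "pe-402c")}
# Egress PE: inner label -> (VRF, CE interface) the packet is handed to (FIG. 9, 916).
EGRESS_INNER = {"pe-402d": {3001: ("vrf-shared-voice", "ce-voice-gw")},
                "pe-402c": {4007: ("vrf-customer-a", "ce-A3")}}

def exp_from_dscp(dscp: int) -> int:
    """Class of service for the EXP bits, taken from the DSCP class selector (top 3 bits).
    This mapping is an assumption; [0042] only says EXP follows the edge classification."""
    return (dscp >> 3) & 7

def ingress_push(vrf: str, dst: str, dscp: int, ttl: int = 64):
    """Steps 902-910: assign the FEC, derive inner and outer labels, push the stack."""
    dst_ip = ipaddress.ip_address(dst)
    for prefix, inner, egress_pe in VRF_ROUTES[vrf]:
        if dst_ip in prefix:
            break
    else:
        raise LookupError("no route for %s in %s" % (dst, vrf))
    exp = exp_from_dscp(dscp)
    stack = (encode_lse(LSP_TO_PE[egress_pe], exp, False, ttl)
             + encode_lse(inner, exp, True, ttl))
    return stack, egress_pe

def p_swap(stack: bytes):
    """Step 914: a P router forwards on the outer label only; the inner label is opaque."""
    label, exp, bottom, ttl = decode_lse(stack)
    if bottom:
        raise ValueError("single-label packet reached the core: no LSP label")
    out_label, next_hop = P_LFIB[label]
    return encode_lse(out_label, exp, False, ttl - 1) + stack[4:], next_hop

def egress_pop(pe: str, stack: bytes):
    """Step 916: pop the outer label, then resolve the inner label to a VRF and CE router."""
    _, _, bottom, _ = decode_lse(stack)
    if bottom:
        raise ValueError("expected an outer LSP label")
    inner, _, inner_bottom, _ = decode_lse(stack[4:])
    if not inner_bottom:
        raise ValueError("unexpected labels below the VPN label")
    try:
        return EGRESS_INNER[pe][inner]
    except KeyError:
        # VPN membership is decided by the inner label, so a label this PE never
        # allocated is dropped rather than guessed into some VRF.
        raise PermissionError("inner label %d not allocated at %s" % (inner, pe))
```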
`0044) The services network is connected to the backbone
`network Via, for example an extended edge Ethernet network
`that utilizes a VLAN transport technology to Support the
`private and logical partitioning of aggregated Services.
`VLANs over Ethernet networks are analogous to the VPNs
`on the IP-routed backbone network and provide an aggre
`gated path for each offered Service configured on the net
`work.
`0045. Each service or VPN on the overall managed
`network is utilized for aggregating a multiple number of
`customer sites. Each Service aggregate (each VPN for each
`Service) is proactively monitored for performance to meet
`the Service level agreements (SLAS). The SLA monitoring
`capability may be provided using a router-based network
`assurance Software tool. The tool utilizes the management
`network, which allows network QoS metrics to flow to a
`performance measuring tool.
`
Physical Layer

[0046] One particular embodiment of the CISP network is now described with reference to FIGS. 4 and 5. For the purposes of illustration only, the network is described as having four customers, A, B, C and D. The customers A, B, C, and D may be different corporate entities. Customer A has three sites at different physical locations, A1, A2 and A3. Customer B has one site, B1. Customer C has two sites, C1 and C2. Reference is first made to FIG. 4, which schematically shows physical connectivity in one particular embodiment of a converged network.

[0047] Several point-of-presence (POP) servers 402a, 402b, 402c and 402d, also referred to as provider edge (PE) routers, are connected via high speed uplinks 404, such as OC12 lines, to two or more gigabit switched routers (GSRs) 406a and 406b, referred to as provider (P) routers. In one particular example, the P routers 406a and 406b may be Cisco 12410 Gigabit Switch routers, or equivalent, and the PE routers 402a-402d may be Cisco 10008 Edge Services Routers, or equivalent. The P routers 406a and 406b may be connected via high speed lines 408, for example OC48 lines. The lines 408 connecting between the P routers 406 are generally of a higher speed than the uplinks 404 connecting between the PE routers 402a-402d and the P routers 406, although this is not a necessary condition. The PE routers 402a-402d and the P routers 406a and 406b form the backbone of the IP converged network. The PE routers 402a-402d may be connected to P routers 406a and 406b with redundant connections. The PE routers 402a-402d are multi-functional and provide edge functionality.

[0048] The bandwidth capacities on the dual router uplinks 404 may be provisioned so that no more than 50% of the rated line speed is committed, ensuring a necessary degree of reliability. This allows for failover of one of the circuits to the alternate circuit without causing a circuit overload condition. The uplinks 404 to the P routers 406 may be based on SONET (Synchronous Optical Network) technology.

[0049] One commonly used protocol for layer-3 IP transport is layer-1 SONET, namely packet-over-SONET (POS). POS modules (or interface cards) on the routers for the uplinks 404 may allow connectivity to an embedded optical network. SONET ADMs (add-drop multiplexers) and dark fiber strands provide the efficient transport and the high bandwidth capacity for IP transport. Routers equipped with POS interfaces map the IP packets into the SONET payload envelope (IP over PPP over SONET). Implementing IP transport directly over fiber entails using SONET framing but may avoid the need for expensive SONET ADMs.
`0050. The different customer sites are connected to the
`network through the PE routers. In the illustrated embodi
`ment, sites A1, A2 and C1 are connected via PE router 402a,
`sites B1 and C2 are connected via PE router 402b, sites D1
`and A3 are connected via PE router 402c and site D2 is
`connected via PE router 402d. Access to the PE routers may
`be by any Suitable method, for example via a private line
`Such as DS1, DS3, and the like, or wireless if the wireless
`network supports the same Quality of Service (QoS) as used
`by the network 400. Link layer technologies such as Frame
`Relay and ATM may be used as an acceSS method to access
`the network, as is discussed below.
`0051. At least one of the PE routers, in the illustrated case
`PE router 402d, is connected via an extended edge network
`410 to a services network 411 that provides for various
`acceSS functions. The extended edge network 410 connects
`the services network 411 to the IP backbone network. The
`extended edge network 410 may be an Ethernet network or
`Subnet The extended network 410 connects to one or more
`Ethernet Switches 412 which aggregates traffic from numer
`ous ports and places it on the appropriate VLAN by con
`figuration. The PE router 402d Switches traffic between
`VLANs based on Static or dynamic routing information.
`0052 The Ethernet network, commonly referred to as a
`local area network (LAN), is created to extend the edge
`network in support of virtual LANs (VLANs). The Ethernet
`network Supports connectivity to the Services network, a
`Security device, and the out-of-band management network.
`0053. In the illustrated embodiment, the service network
`is coupled to the extended edge network 410 via a gateway
`
`Ex.1018
`CISCO SYSTEMS, INC. / Page 13 of 29
`
`
`
`US 2004/0223497 A1
`
`Nov. 11, 2004
`
`Switch 412, such as a Cisco 65XX Switch. The gateway
`Switch 412 may be connected to various external Services on
`the service network 411, for example a public Switched
`telephone network (PSTN) gateway 414 and/or the Internet
`416. The gateway Switch 412 may be connected to the
`Internet 416 through a managed security device 418. The
`Security device 418 may be a firewall, a proxy device, a
`security gateway that uses, for example IPSec (IPSecurity)
`architecture, an intrusion detection device or a content
`filtering device or any other Suitable unit that provides
`protection. A firewall typically only allows the passage of
`traffic based on established policies. The policies may be
`based on protocol, Source address, destination address,
`direction of traffic, and the like. A proxy device interacts
`with the traffic Stream at the application layer, and is
`application specific. For example, an HTTP(hypertext trans
`fer protocol) proxy server would terminate an HTTP session,
`evaluate its appropriateneSS based on a configured policy
`and then, if the policy checks were positive, initiate an
`HTTP Session based on the original request. Security gate
`ways are known from the IPSec standard. Intrusion detec
`tion devices monitor traffic for defined traffic patterns that
`may be an indication that Someone is trying to attack the
`network.
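A first-match policy evaluator of the kind the firewall in paragraph [0053] applies between the Internet 416 and the extended edge network 410, keyed on protocol, source address, destination address and direction, as an added example that is not the patent's or any vendor's code. It also flags rules an earlier rule fully shadows, a check worth running on any such policy. The prefixes, the proxy address and the rules themselves are constructed assumptions; the rule denying inbound traffic to the private address space reflects paragraph [0041].

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
CONVERGED_PRIVATE = ipaddress.ip_network("10.0.0.0/8")   # private address space ([0041])
PROXY = ipaddress.ip_network("203.0.113.10/32")          # HTTP proxy on the services network

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    direction: str     # "inbound" (from the Internet), "outbound", or "any"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

# Constructed policy for security device 418; evaluated top down, first match wins.
POLICY = [
    Rule("allow", "inbound", "tcp", ANY, PROXY, 80),
    Rule("deny", "inbound", "any", ANY, CONVERGED_PRIVATE),
    Rule("allow", "outbound", "tcp", CONVERGED_PRIVATE, ANY, 443),
    Rule("allow", "outbound", "udp", CONVERGED_PRIVATE, ANY, 53),
    Rule("deny", "inbound", "tcp", ANY, CONVERGED_PRIVATE, 25),   # never fires: rule 1 covers it
]

def matches(rule: Rule, direction: str, proto: str, src, dst, dport) -> bool:
    return (rule.direction in ("any", direction) and rule.proto in ("any", proto)
            and src in rule.src and dst in rule.dst
            and (rule.dport is None or rule.dport == dport))

def decide(policy, direction: str, proto: str, src: str, dst: str, dport=None):
    """Return (action, index of the matching rule); traffic matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, rule in enumerate(policy):
        if matches(rule, direction, proto, s, d, dport):
            return rule.action, idx
    return "deny", None

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already have matched `outer`."""
    return (outer.direction in ("any", inner.direction) and outer.proto in ("any", inner.proto)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and (outer.dport is None or outer.dport == inner.dport))

def shadowed(policy):
    """Indices of rules that can never fire because an earlier rule covers them;
    a shadowed rule with a different action is a policy error worth auditing."""
    return [j for j in range(len(policy))
            if any(covers(policy[i], policy[j]) for i in range(j))]
```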
`0054.
`In this particular embodiment, the security device
`418 is part of the extended edge network 410 and is
`Suspended from the Ethernet Switches. Redundant Security
`devices may be deployed since the Security device 418 can
`be a single-point-of-failure. In the event of a failure or
`outage, the Secondary or redundant