277 results about "Customer edge" patented technology

A method, apparatus and network for transporting layer-2 frames, such as Ethernet MAC, ATM AAL5, and Frame Relay, over MPLS, SONET/SDH, or OTN optical transport networks as well as electrical transport networks is disclosed. The method establishes "pseudo-wires" between, for example, routers, Layer-2 packet switches, or SONET/SDH switches. Inter-related ingress and egress resource tables may be used by provider edge nodes to negotiate consistently managed data tunnels across a provider network on behalf of data flowing from/to a diverse base of customer edge nodes. Detailed network resource information particular to each of the data flows is exchanged between provider edge nodes during the creation of pseudo-wires. Admission control algorithms are applied at the ingress and egress points in order to manage the data flows into a provider network and exiting from a provider network to customer equipment. By applying pseudo-wire shuffling and preemption techniques, the providers can make better use of their network resources by admitting more pseudo-wires.

Various embodiments relate to a Cloud Data Center, a system comprising the Cloud Data Center, and a related method. The Cloud Data Center may include a logical customer edge router to send packets between addresses in a private enterprise network and addresses in a logical network within a cloud network using Layer 2 protocol and MAC addressing. The logical network may have resources, known as virtual machines, allocated to the private enterprise network and may share a common IP address space with the private enterprise network. A directory at the Cloud Data Center may correlate the enterprise IP addresses of virtual machines with a MAC address, cloud IP address, and a location IP address within the logical network. The Cloud Data Center may double encapsulate packets with MAC, cloudIP, and locIP headers, when sending a packet to a destination in the logical network.

A protection mechanism capable of providing both local and end-to-end connection protection for dual homed access/aggregation devices or customer-edge devices in a network. The protection mechanism provides end-to-end and fast local protection for off the shelf access devices that do not have any built in per-connection protection capabilities. The access device is connected via two separate physical uplinks to two edge switches of the network. For each connection to be protected, a main path is provisioned from one edge switch and an alternative path is provisioned from the other edge switch. The edge switches are adapted to comprise means for switching traffic from the main path to the alternative path in the event a failure along the main path is detected. Failures both in the stack portion, the core portion and in the access device uplinks are protected against.

A technique efficiently routes Internet Protocol (IP) traffic on paths between customer edge devices (CEs) across a provider network (“CE-CE paths”) in a computer network. According to the novel technique, a path computation element (PCE), e.g., a provider edge device (PE), may learn dynamic link attribute information of remote links from the provider network to one or more remote CEs (e.g., “PE-CE links” or “CE-PE links”). A multi-homed requesting CE requests from the PCE a set of CE-CE path metrics (e.g., costs) to one or more remote destination address prefixes, e.g., via each multihomed CE-PE link from the requesting CE. In response to the request, the PCE computes the set of available CE-CE paths and current metrics to the remote destination address prefixes and returns the corresponding CE-CE path metrics to the requesting CE. The requesting CE modifies its IP forwarding entries accordingly in order to perform IP traffic routing corresponding to the CE-CE path metrics (e.g., asymmetrical load balancing) across its multi-homed CE-PE links.

A provider edge device, associated with a virtual private local area network service (VPLS) system, includes a memory to store instructions to implement a pseudowire mechanism to receive a first data frame from a source customer edge (CE) device associated with the VPLS system, incorporate the first data frame into a first VPLS packet, determine whether the source CE device is a single-homed CE device or a multi-homed CE device, and incorporate, into the first VPLS packet, a first pseudowire label, if the source CE device is a single-homed CE device, and incorporate, into the first VPLS packet, a second pseudowire label, different from the first pseudowire label, if the source CE device is a multi-homed CE device; and a processor to execute the instructions.

A method for fast converging an end-to-end service and a Provider Edge (PE) includes: setting routing information of at least two tunnels in a double-ascription PE of a remote Customer Edge (CE), wherein, the two tunnels are from the double-ascription PE of the remote CE to the PE connected with the remote CE; detecting tunnel states to obtain state information of the tunnels; the double-ascription PE obtaining available routing information and routing information of the at least two tunnels, and forwarding the service according to the available routing information. The double-ascription PE of the remote CE can directly forward the service according to the pre-configured routing information of other tunnels when the current tunnel is unavailable, such as a terminal node of the current tunnel is abnormal, thereby avoids the procedure of re-selecting the route, and increases the end-to-end service convergence speed and improves the service reliability.

In one embodiment, a network device may participate in an election process to elect one of two or more Provider Edge devices of a Redundancy Group to be a Designated Forwarder for the Redundancy Group, where the Redundancy Group is in a Service Provider network, and where the Redundancy Group serves a Customer Edge device of a customer network. The network device may forward multi-destination traffic to the Customer Edge device according to whether the network device is elected to be the Designated Forwarder for the Redundancy Group. Multi-destination traffic may include multicast traffic, broadcast traffic, or destination unknown unicast traffic.

A method and system for translation of virtual private network (VPN) addresses over a provider network are disclosed. The method includes creating a multipoint tunnel extending between customer edge routers in a VPN network and over the provider network. The multipoint tunnel is identified with a multicast address and multicast packets are sent over the tunnel to identify tunnel endpoints at customer edge routers within the VPN. The method further includes converting, at one of the customer edge routers, a VPN join message to a provider join message and sending it over the provider network.

In an embodiment, a network service provider (NSP) operates a provider network to provide VPN services to its customers. A VPN links various customer sites allowing customers to send data between these sites over the NSP network. Each site network includes a customer edge router (CE) while the provider network includes a plurality of provider edge routers (PEs) to communicate with the CEs. The PEs include virtual routing address (VRFs), and the PEs and CEs include interfaces (IFs). A database stores information related to the relationships between the network components (e.g., VPNs, PEs, CEs, VRFs, IFs, etc.), and a management software package (MSP) has access to the database. When a fault occurs, the MSP, based on collected information and information in the database, determines the impacted network components. Other features include classifying the seriousness of the network's faults and representing different faults by a color scheme.

A heterogeneous point-to-point links involves different technologies at it two ends, e.g., Ethernet at one end and ATM or Frame Relay at the other end. If two IP systems are connected via a heterogeneous point-to-point link, each may be using different address learning techniques. It is up to the Provider Edge devices to make these different techniques inter-work. A novel provider edge device and procedures that the edge device it to perform for forwarding packets properly are described. According to the invention, the provider edge device uses a broadcast address to forward the packet in one direction toward a customer edge device. In another direction, the provider edge device responds to an ARP request from the customer edge device with its own MAC address so that it can receive a packet from the customer edge device.

In one embodiment, a network device in a set of network devices obtains a pseudowire label for a Provider Edge (PE) device, where the pseudowire label corresponds to a Virtual Local Area Network (VLAN) on the PE device. In addition, the network device obtains a set of one or more MAC addresses reachable via the PE device, wherein the set of network devices support Ethernet Virtual Private Network (E-VPN) and are in the same redundancy group such that the set of network devices are coupled to the same customer edge device. The network device stores the pseudowire label in association with the set of one or more MAC addresses. The network device uses the pseudowire label to encapsulate traffic associated with the VLAN that is received from the customer edge device and destined to the set of MAC addresses reachable via the PE device.

A multiprotocol label switching (MPLS) network is operated by establishing a label switched path (LSP) that connects a first provider edge (PE) label switched router (LSR) a second PE LSR, and a customer edge (CE) LSR. The packet traffic that is associated with a plurality of different layer two technologies is encapsulated with an MPLS label. The encapsulated traffic is securely routed from the first PE LSR through the second PE LSR to the CE LSR using the LSP.

A system and method are disclosed for reliable communications in a packet network. A system that incorporates teachings of the present disclosure may include, for example, a network management system (NMS) having a controller programmed to establish between first and second customer edge (CE) routers in a full mesh packet network first and second logical data tunnels conforming to an isolation protocol, synchronize packet data in the first and second logical data tunnels, enable packet data exchanges between the first and second CE routers over the first logical data tunnel, direct the first and second CE routers to duplicate the packet data exchanged between them over the second logical data tunnel, and direct the first and second CE routers to synchronously switch to the second logical data tunnel upon detecting a fault in the first logical data tunnel.

A virtual private network (VPN) service is provided through a shared network infrastructure, with customer edge (CE) devices each having a provider edge (PE) interface having a single layer 3 address in the VPN. An address resolution request message is transmitted by a first CE device on plural layer 2 virtual circuits of its PE interface. The address resolution request message including the layer 3 address allocated to a second CE device of the VPN. In response to reception of such request message at the second CE device, an address resolution response message is returned to the first CE device. In response to reception of this response message, the first CE device maps the layer 3 address allocated to the second CE device to a virtual LAN identifier of the layer 2 virtual circuit on which the response message is received.

Embodiments of the present invention disclose a method, apparatus and system for forwarding a message, which are adapted for the scenario that a customer edge apparatus CE is connected to an Ether Virtual Private Network (EVPN) by way of dual homing through a first provider edge apparatus PE and a second PE. An Ether link is established between the first PE and the second PE. The method includes: establishing, by the first PE, a port isolation group; receiving, by the first PE, the message forwarded by the second PE through the port at the side of the first PE in the Ether link; and forwarding, by the first PE, the message to CEs connected to ports except the port isolation group in the first PE. Using the present invention, the technical problem, i.e., traffic passing back at the customer side during message forwarding in the EVPN network in the prior art, can be effectively solved without changing the current hardware chip design.

A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group.

Systems and techniques for fault analysis in a data communication system. A fault analysis console in a provider network serving one or more customer networks responds to a reported loss of connectivity in the customer network by analyzing traffic statistics for a router serving the customer network. If traffic statistics indicate network functionality, border gateway protocol status is evaluated for logical channels being served by the router. Test communications are performed for customer edge router addresses for the logical channels and border gateway protocol status is evaluated for each customer edge router address. Test communications are then performed from a local provider edge router to each remote customer edge router being served.

Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination. The ingress and egress points may be any points in the network, including customer edge devices, provider edge devices, or some combination thereof.