Virtual private networks and methods for their operation

Abstract

A method and apparatus for providing a Virtual Private Network (VPN) over a connectionless network connecting a plurality of Local Area Networks (LANs), such as an Ethernet network, is disclosed. The method and apparatus comprises associated each VPN with a unique identifier and each LAN of the VPN with a interface device connecting the LAN to the connectionless network, which may be for example, a Synchronous Optical Network (SONET). The interface device may service a plurality of LANs. Accordingly, each LAN is associated with a User-Network Interface that forms part of the interface device. Each data packet destined for a second LAN, such Ethernet frames, received by the interface device for a first LAN is encapsulated with, if known, a Media Access Control (MAC) address of the interface device connected to the second LAN, the VPN's unique identifier, and the port on the interface device connected to the second LAN. Additionally, the corresponding MAC and port address of the first interface device is also used to encapsulate the Ethernet frames. If the MAC and port address is not known (i.e., it is not stored in a database on the first interface device), the first interface device multicasts an encapsulated Ethernet packet to the entire VPN. The first interface device maintains (i.e., updates and appends) its database of MAC and port addresses in response to encapsulated data frames received by the first interface device.