other only through IP routers, where filtering rules are installed to allow only approved communication among groups. Note that the machines with IP addresses 2.7 and 2.8 are close together in the IP topology, but far apart in the physical topology.
At the middle level of the figure there is an isolated VLAN for each group. Like the LANs, a VLAN uses the Ethernet design in which names are MAC addresses (abbreviated "M"). These VLANs do their own routing, separate from the routing in the LANs. A virtual link in the IP network must be implemented by a path in a VLAN, and a link in a VLAN must be implemented by a physical path. As a result, a packet from 1.3 to 2.6 must go through IP router 0.5 and be screened, even though the shortest physical path between the red and green machines does not go through an IP router. The VLAN architecture has been found to simplify administration, enhance security, and improve the efficiency of campus networks [22].
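The forwarding-table model the article describes (a mapping from headerPattern and inLink to outLink, with explicit or implicit drops) applied to this campus scenario, as an added example that is not code from the article. The IP-level members 1.3, 0.5, 2.6 and 2.7 are taken from Figure 3; the link identifiers, the virtual links among them, the session protocol identifiers and the filter policy at router 0.5 (only https sessions approved between groups) are constructed for the example. Only the IP level is modeled; the VLAN and physical paths that implement the virtual links are not, so the trace shows the screening the text describes but not the physical detour.

```python
"""Forwarding tables of the form (headerPattern, inLink) -> outLink, with
explicit and implicit drops, traced through an IP-level model of the campus
network. Added example; member names 1.3, 0.5, 2.6, 2.7 come from Figure 3,
everything else (link identifiers, filter policy, protocol names) is constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

DROP = None        # outLink value meaning "drop the packet"
LOCAL = "local"    # pseudo-link: the packet originates at, or is delivered to, this member


@dataclass(frozen=True)
class Header:
    """The header fields the model singles out (the user-network field is omitted here)."""
    dst: str        # name of the destination endpoint
    proto: str      # session protocol identifier
    session: int    # session identifier


@dataclass
class Rule:
    """One table entry. pattern lists the header fields it constrains (a subset
    of the header); in_link None matches any incoming link; out_link DROP is an
    explicit drop."""
    pattern: Dict[str, Any]
    in_link: Optional[str]
    out_link: Optional[str]

    def matches(self, hdr: Header, in_link: str) -> bool:
        if self.in_link is not None and self.in_link != in_link:
            return False
        return all(getattr(hdr, f) == v for f, v in self.pattern.items())


class Member:
    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules          # ordered: first matching entry wins

    def forward(self, hdr: Header, in_link: str) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(hdr, in_link):
                return rule.out_link
        return DROP                 # implicit drop: no entry matches


Links = Dict[Tuple[str, str], Tuple[str, str]]


def link(links: Links, a: str, la: str, b: str, lb: str) -> None:
    """Record a bidirectional pair of links (member, localId) <-> (member, localId)."""
    links[(a, la)] = (b, lb)
    links[(b, lb)] = (a, la)


def build_campus() -> Tuple[Dict[str, Member], Links]:
    """IP level only: 1.3 (one group) and 2.6, 2.7 (another group) reach each
    other solely through router 0.5, which screens cross-group traffic.
    Constructed policy: only https sessions are approved between groups."""
    net = {
        "1.3": Member("1.3", [Rule({"dst": "1.3"}, None, LOCAL),
                              Rule({}, None, "up")]),              # everything else to 0.5
        "2.6": Member("2.6", [Rule({"dst": "2.6"}, None, LOCAL),
                              Rule({"dst": "2.7"}, None, "peer"),  # intra-group virtual link
                              Rule({}, None, "up")]),
        "2.7": Member("2.7", [Rule({"dst": "2.7"}, None, LOCAL),
                              Rule({"dst": "2.6"}, None, "peer"),
                              Rule({}, None, "up")]),
        "0.5": Member("0.5", [
            Rule({"dst": "2.6", "proto": "https"}, "l13", "l26"),  # screened cross-group
            Rule({"dst": "2.7", "proto": "https"}, "l13", "l27"),
            Rule({}, "l13", DROP),                                 # explicit drop of the rest
            Rule({"dst": "1.3", "proto": "https"}, None, "l13"),   # same policy in reverse
            Rule({"dst": "2.6"}, None, "l26"),                     # intra-group, unscreened
            Rule({"dst": "2.7"}, None, "l27"),
        ]),                                     # anything else at 0.5: implicit drop
    }
    links: Links = {}
    link(links, "1.3", "up", "0.5", "l13")
    link(links, "2.6", "up", "0.5", "l26")
    link(links, "2.7", "up", "0.5", "l27")
    link(links, "2.6", "peer", "2.7", "peer")
    return net, links


def trace(net: Dict[str, Member], links: Links, src: str, hdr: Header,
          max_hops: int = 16) -> List[str]:
    """Members visited by hdr starting at src, ending in DELIVERED, DROPPED or LOOP."""
    member, in_link = src, LOCAL
    path = [member]
    for _ in range(max_hops):
        out = net[member].forward(hdr, in_link)
        if out is DROP:
            return path + ["DROPPED"]
        if out == LOCAL:
            return path + ["DELIVERED"]
        member, in_link = links[(member, out)]
        path.append(member)
    return path + ["LOOP"]


if __name__ == "__main__":
    net, links = build_campus()
    print(trace(net, links, "1.3", Header("2.6", "https", 1)))  # via 0.5, delivered
    print(trace(net, links, "1.3", Header("2.6", "ssh", 2)))    # screened out at 0.5
    print(trace(net, links, "2.7", Header("2.6", "ssh", 3)))    # intra-group, never reaches 0.5
```

The point the trace makes is the one the text makes: the only way 1.3 can reach 2.6 in this topology is the virtual link to 0.5, so every cross-group packet meets 0.5's table, while 2.7 to 2.6 uses the intra-group virtual link and is never screened. Note that 0.5 screens by session protocol identifier only; the session identifier is carried in the header but unused, which is exactly why a stateless table like this one cannot distinguish a reply in an approved session from a fresh connection attempt.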
A completely different kind of virtual network is often found in multitenant clouds, which may offer their tenants various services such as load balancing, packet filtering by firewalls, and application-specific performance enhancements. Such clouds have virtual networks that implement these services by inserting middleboxes into the paths of sessions. In these virtual networks, the major purpose of routing and forwarding is to direct the packets of sessions through middleboxes according to the tenant's service specification [3, 16].
The most unusual networks in this article are named data networks (NDN) [25]. In NDN each piece of data has a unique name. For purposes of the networking functions of routing and forwarding, a data server has the name of every piece of data available from it; a server can have many names, and a name can be assigned to many servers. The routing protocol uses advertising and other conventional techniques so that a request for data is usually forwarded to the nearest server with the requested data. In NDN, a session consists of a single request and its response, and there is no source name in the request packet. (A source name would be useless for returning the re-
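An added example, not code from the article, of name-based routing and forwarding as the paragraph describes it: servers advertise the names they hold, each router keeps per-name state pointing toward the nearest advertising server, and a request carries only the data name and a session identifier, with no source name. The router topology, the server placement and the data names are constructed. How the response finds its way back is an assumption of this example (each router records the link a request arrived on and the response consumes that record hop by hop), since the article's own explanation is cut off at this point.

```python
"""Name-based routing and forwarding in the NDN style: servers advertise the
names they hold, routers keep per-name next hops toward the nearest server,
and a request carries a data name and session identifier but no source name.
Added example with a constructed topology; the reverse-path state used to
return the response is an assumption of this example."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed router topology (undirected links).
ROUTERS: Dict[str, Set[str]] = {
    "R1": {"R2", "R3"}, "R2": {"R1", "R4"},
    "R3": {"R1", "R4"}, "R4": {"R2", "R3"},
}
# Constructed data servers: attachment router and the names each advertises.
# A server has many names, and /video/x is assigned to two servers.
SERVERS: Dict[str, Tuple[str, Set[str]]] = {
    "S1": ("R2", {"/video/x", "/video/y"}),
    "S2": ("R4", {"/video/x", "/docs/z"}),
}


def make_graph(routers, servers) -> Dict[str, Set[str]]:
    """Routers plus servers as nodes; each server hangs off its attachment router."""
    graph = {r: set(adj) for r, adj in routers.items()}
    for sid, (router, _) in servers.items():
        graph[sid] = {router}
        graph[router].add(sid)
    return graph


def hop_counts(graph, origin) -> Dict[str, int]:
    """BFS hop count from origin to every node."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def build_fib(graph, servers) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Routing by advertisement: for every name a server advertises, each router
    records the next hop toward the nearest server holding that name, as
    (next_hop, hops). Ties keep the first advertiser; next hops are chosen in
    sorted order so the result is deterministic."""
    fib = {r: {} for r in graph if r not in servers}
    for sid, (_, names) in servers.items():
        dist = hop_counts(graph, sid)
        for r in fib:
            for name in names:
                best = fib[r].get(name)
                if best is None or dist[r] < best[1]:
                    nxt = min(sorted(graph[r]), key=lambda v: dist[v])
                    fib[r][name] = (nxt, dist[r])
    return fib


def run_session(fib, servers, client_router, name, session_id, pit):
    """One session: a request for `name` entering at client_router, and its
    response. The request has no source name; each router notes which neighbor
    the request came from under (name, session_id) in `pit`, and the response
    consumes that state hop by hop on its way back (assumed mechanism).
    Returns (request_path, response_path)."""
    node, prev = client_router, "client"
    request = [node]
    while node not in servers:
        entry = fib[node].get(name)
        if entry is None:                       # no server advertised this name
            return request + ["DROPPED"], []
        pit.setdefault(node, {})[(name, session_id)] = prev
        prev, node = node, entry[0]
        request.append(node)
    response = [node]                           # the server answers with the data
    while prev != "client":
        response.append(prev)
        prev = pit[prev].pop((name, session_id))
    return request + ["DATA"], response


if __name__ == "__main__":
    graph = make_graph(ROUTERS, SERVERS)
    fib = build_fib(graph, SERVERS)
    pit: Dict[str, Dict[Tuple[str, int], str]] = {}
    print(run_session(fib, SERVERS, "R1", "/video/x", 7, pit))  # nearest copy is S1
    print(run_session(fib, SERVERS, "R3", "/video/x", 8, pit))  # nearest copy is S2
    print(run_session(fib, SERVERS, "R1", "/nope", 9, pit))     # dropped at R1
```

Two requests for the same name, /video/x, entering at R1 and R3, are forwarded to different servers, because each router's entry points at whichever advertiser is nearest to it. The per-hop state keyed by (name, session identifier) is what makes the response possible without a source name in the header; it is also state an attacker can try to exhaust, so a real implementation bounds it and expires it.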
ly, the table at each member is a mapping from headerPattern and inLink to outLink, where headerPattern matches some subset of packet headers, and inLink and outLink are local identifiers for the links of that member. The mapping tells the member that on receiving a packet on incoming link inLink whose header matches headerPattern, it should forward the packet onto outgoing link outLink. The mapping can also tell the member, explicitly or implicitly, to drop the packet.
A session protocol is a set of conventions governing a specific kind of session; it always includes the behavior of the session endpoint members, and may include the behavior of other network members on the session path. It covers packet headers, packet sequence, member state, and member actions. The header format of a session protocol is a specialization of its network's forwarding format, so a header must conform to both. The new model makes particular use of the following header fields:
• the name of the destination endpoint;
• a session protocol identifier;
• a session identifier;
• a user network to identify the network being served by the session (as we will discuss).
These fields are always present in headers unless they are vestigial (which means they would be identifying elements in a set of size zero or one) or unless the information they carry is already stored in members along the path of the session.
Examples of new networks. Many campus architectures have networks called virtual local area networks (VLANs) that are not found in the classic architecture [22]. The purpose of VLANs is to maintain an important network topology that is not present in either the IP network or the local area networks (LANs) on campus, as shown in Figure 3. In the figure, each physical machine is assigned a color and final name digit for its network members, so that it is easy to see which network members are on the same machine. At the bottom level we see there are physical LANs covering different areas of campus, and some high-speed physical links across campus.[b] At the top level the campus has a private IP network. User machines are divided into groups depending on whether they belong to students, administrators, departments, or others. Members of a group are identifiable by the prefixes of their IP addresses (abbreviated in the figure). Within each group each user machine is connected by a virtual link to every other group member and to one or more IP routers that serve as security gateways to the group. Members of different groups can reach each
[b] The "campus IP network" at the bottom level is a tricky part of the architecture, and will be explained in the section entitled The Usage Graph.
Figure 3. The architecture of a campus network. In this diagram, all lines between members are bidirectional pairs of links. [Figure not reproduced in this extraction. Its labels: IP Network at the top, with members 0.4, 0.5, 1.3, 2.6, 2.7 and 2.8 joined by virtual links; the Administrators' Group and its Administrators' Virtual LAN (extends across campus) in the middle, with members M3 to M8; physical LANs, physical links and the Campus IP Network at the bottom.]