Abstract: A method and apparatus for providing management and maintenance to a node within a data communications network and to the composite data communications network. A network management application is started on a host which may be located at a network operation center. The management application is in communication with network nodes and services through adapters. A master daemon located at a node is activated. The master daemon starts a control adapter running on the node and if the control adapter fails the master daemon restarts the control adapter. The control adapter is capable of starting and stopping all services running on the node. Signals are communicated between the management application, the node and the services by way of adapters. Signaling provides for the exchange of useful event data related to the nodes and services running on the nodes.

Abstract: A method and apparatus for providing computer network access points the capability for multiple-level accounting. A gateway device located at the access point is capable of generating Internet protocol accounting start and stop requests based on various events that need to be accounted for when a user accesses a network. These events include the user account logon, the service establishments and the Point to Point protocol (PPP) connections between the gateway device and public and private domains within the network. The counter is capable of tracking the duration of sessions and connections and the byte-count associated with the specified session or connection. The gateway device communicates with an accounting server which stores the accounting requests and matches start requests with subsequent stop requests.

Abstract: A method for controlling subscriber access in a network capable of establishing connections with a plurality of domains includes receiving a communication from a subscriber using a first communication network coupled to at least one other communication network, the communication optionally including a domain identifier associated with a domain on the at least one other communication network, determining whether the subscriber is authorized to access the domain based upon the domain identifier and a list of authorized domains for a virtual circuit used to receive the communication and authorizing subscriber access to the domain when the domain identifier is included in the list. An access server includes a tunnel ID request generator and an authorizer. The tunnel ID request generator generates a tunnel ID request that includes a virtual circuit identifier associated with a virtual circuit used to accept a PPP authentication request.

Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.

Abstract: A system for identifying a subscriber includes an access server coupled to a number of subscribers using a first communication network and further coupled to a second communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the first communication network. The memory stores path information that identifies a virtual circuit assigned to the particular subscriber. The processor identifies the particular subscriber for connection to the second communication network based upon the path information and the particular virtual circuit used to receive the communication from the particular subscriber.

Abstract: A method and apparatus for directing data network communications based on the geographic location of the user. One or the other or both of the geographic location of the local telephone access number with which the user is connected to one of a plurality of points of presence (PoPs) and the telephone number that the user is calling from to connect to the PoP is determined. This geographic location is compared to the geographic location of the home of the user. If the geographic locations differ, then it is determined that the user is a roaming user. If the user is a roaming user, then communications to the user over the data communications network are directed based at least in part upon the geographic location of the user.

Abstract: A system for determining subscriber information includes an access server coupled to a number of subscribers using a communication network, a memory coupled to the access server, and a processor coupled to the memory. The access server receives a communication from a particular subscriber using a particular one of a number of virtual circuits associated with the communication network. The memory stores subscriber information for the subscribers, wherein the subscriber information is indexed by path information that identifies a virtual circuit assigned to the particular subscriber. The processor determines subscriber information for communication to the particular subscriber based upon the path information and the particular virtual circuit used to receive communication from the particular subscriber.

Abstract: An address is allocated to a host device which is selected to obtain network access from any access point within a given communications system, while maintaining a network bandwidth management scheme that is consistently applied to a user's network bandwidth usage regardless of the access point used by the user. This is accomplished using a communications network having a at least one access point coupled to a first router which is configured to forward packets at a forwarding rate based on a source address contained in each of the packets. A user profile is assigned to each subscriber belonging to an access point. Each user profile includes a pool identifier which corresponds to a forwarding rate used by the router for packets corresponding to the subscriber.

Abstract: An address is allocated to a host device which is selected to obtain network access from any access point within a given communications system, while maintaining a network bandwidth management scheme that is consistently applied to a user's network bandwidth usage regardless of the access point used by the user. This is accomplished using a communications network having a at least one access point coupled to a first router which is configured to forward packets at a forwarding rate based on a source address contained in each of the packets. A user profile is assigned to each subscriber belonging to an access point. Each user profile includes a pool identifier which corresponds to a forwarding rate used by the router for packets corresponding to the subscriber.

Abstract: A method for load sharing between tunnels connecting communication networks includes receiving a communication from a subscriber using the first communication network, determining tunnel selection criteria for the communication, selecting one of the at least one tunnel based on the tunnel selection criteria and forwarding the communication on the selected tunnel. The tunnel selection criteria indicate the basis for selecting one of the tunnels. An apparatus for load sharing between tunnels connecting communication networks includes a receiving interface to receive a communication from a subscriber using the first communication network, a tunnel selection criteria determiner to determine tunnel selection criteria for the communication, a tunnel selector to select one of the tunnels based on the tunnel selection criteria and a session forwarder to forward the communication on the selected tunnel. In one aspect of the invention, load sharing is performed between Layer 2 Tunneling Protocol (L2TP) tunnels.

Abstract: In a first aspect of the present invention, a Wholesaler dynamically identifies one of a plurality of AAA services at a remote domain to route an access request to. The AAA service is selected based upon a set of rules applied to information which has been received dynamically from the plurality of AAA services and is indicative of load and status of the plurality of AAA services. In a second aspect of the present invention, a Wholesaler, based upon a Service Level Agreement (SLA) between the Wholesaler and a user, routes the user to one of a plurality of sub-service providers.

Abstract: A method for dynamic ingress to egress tunnel mapping from a first communication network to a second communication network includes receiving a tunneled communication from a subscriber using the first communication network, determining egress tunnel selection criteria for the tunneled communication, selecting one of at least one egress tunnel based on the egress tunnel selection criteria and forwarding the tunneled communication on the selected egress tunnel. The egress tunnel selection criteria indicate the basis for selecting one of the egress tunnels.

Abstract: A data communications network with a plurality of PoPs maintains a local database associated with each PoP and a central database somewhere on the data communications network. The local database contains a group identification such as a domain identification corresponding to a group of users, a maximum number of VPN sessions to provide the group of users at the PoP and a dynamic VPN session count corresponding to active VPN sessions currently provided to the group of users at the PoP. The central database contains a maximum number of VPN sessions to provide the group of users over the entire data communications network and a dynamic network-wide VPN session count corresponding to active VPN sessions currently provided to the group of users on the entire data communications network. Actions are taken when the group attempts to exceed either the local maximum number of sessions or the network-wide maximum number of sessions by more than a predetermined number.

Abstract: A method for controlling subscriber access in a network capable of establishing connections with multiple services includes receiving a communication from a subscriber using a first communication network coupled to a second communication network, the communication optionally including a domain identifier associated with a service on the second communication network, and authorizing the subscriber to access a service on the second communication network using a virtual circuit. The authorization is based upon a domain configuration override attribute associated with the virtual circuit used to receive the communication from the subscriber.

Abstract: A method for controlling subscriber access in a network capable of establishing connections with multiple services includes receiving a communication from a subscriber using a first communication network coupled to a second communication network, the communication optionally including a domain identifier associated with a service on the second communication network, and authorizing the subscriber to access a service on the second communication network using a virtual circuit. The authorization is based upon a domain configuration override attribute associated with the virtual circuit used to receive the communication from the subscriber.

Abstract: A method for conveying data communications network management information to an umbrella management system whereby network management information events are published on an information bus and received at a subscribing monitor interface located on the information bus. The monitor interface then converts the network management information events into umbrella management system-useable information and communicates the umbrella management useable information to the umbrella management system. In this manner, the umbrella management system is able to import valuable information pertaining to the devices and services that comprise the overall network. The monitor interface includes an adapter located on the information bus that subscribes to network management information events, a converter that formats the network management information events into data useable by the umbrella management system, and a forwarder that communicates the umbrella management system-useable data to the umbrella management system.

Abstract: A data communications network with a plurality of PoPs maintains a local database associated with each PoP and a central database somewhere on the data communications network. The local database contains a group identification such as a domain identification corresponding to a group of users, a maximum number of VPN sessions to provide the group of users at the PoP and a dynamic VPN session count corresponding to active VPN sessions currently provided to the group of users at the PoP. The central database contains a maximum number of VPN sessions to provide the group of users over the entire data communications network and a dynamic network-wide VPN session count corresponding to active VPN sessions currently provided to the group of users on the entire data communications network. Actions are taken when the group attempts to exceed either the local maximum number of sessions or the network-wide maximum number of sessions by more than a predetermined number.

Abstract: A method and apparatus for providing computer network access points the capability for multiple-level accounting. A gateway device located at the access point is capable of generating Internet protocol accounting start and stop requests based on various events that need to be accounted for when a user accesses a network. These events include the user account logon, the service establishments and the Point to Point protocol (PPP) connections between the gateway device and public and private domains within the network. The counter is capable of tracking the duration of sessions and connections and the byte-count associated with the specified session or connection. The gateway device communicates with an accounting server which stores the accounting requests and matches start requests with subsequent stop requests.

Abstract: A data communications network with a plurality of PoPs maintains a local database associated with each PoP and a central database somewhere on the data communications network. The local database contains a group identification such as a domain identification corresponding to a group of users, a maximum number of VPN sessions to provide the group of users at the PoP and a dynamic VPN session count corresponding to active VPN sessions currently provided to the group of users at the PoP. The central database contains a maximum number of VPN sessions to provide the group of users over the entire data communications network and a dynamic network-wide VPN session count corresponding to active VPN sessions currently provided to the group of users on the entire data communications network. Actions are taken when the group attempts to exceed either the local maximum number of sessions or the network-wide maximum number of sessions by more than a predetermined number.

Abstract: Service requests, which are used to properly process a network access request received from a client, are processed by routing the service requests between at least two service component instances according to a load balancing algorithm. Load balancing includes: calculating a first ticket amount and a second ticket amount; assigning the first ticket amount to a first instance and the second ticket amount to a second instance; using a selection scheme to select an instance having a ticket amount greater than a threshold amount to process a service request; decrementing the ticket amount corresponding to the instance selected; and scheduling the instance selected to receive a service request. The present invention may further include distinguishing between operable and inoperable instances, providing ticket amounts that are not based on performance ratings to inoperable instances, and providing ticket amounts that are based on performance ratings to operable instances.