JP5414608B2 - Network management apparatus, network management method, and computer program - Google Patents

Description

  The present invention relates to a technique for centrally managing a plurality of network devices.

  Conventionally, there is a packet relay system having a stack configuration in which a plurality of packet relay apparatuses are connected in a daisy chain with a dedicated cable (see Non-Patent Document 1). This packet relay system includes a master packet relay device and a member packet relay device, and a setting operation for the member packet relay device is performed through the master packet relay device. That is, in this system, it is possible to set all the packet relay apparatuses in a centralized manner by performing a setting operation on the master packet relay apparatus.

  However, in order to realize a packet relay system having a stack configuration, it is necessary to connect each packet relay device in a daisy chain with a dedicated cable, and thus there is a problem that devices that can be connected are limited. In addition, since the length of the dedicated cable is limited, it is impossible to manage a packet relay apparatus that is physically far away. In addition, since each member / packet relay apparatus is centrally managed by the master / packet relay apparatus, the processing load on the master / packet relay apparatus is large, and the number of manageable member / packet relay apparatuses is limited. (For example, about 10 units). These problems are not limited to managing packet relay apparatuses, but may also occur when various network devices are managed using a stack configuration.

Cisco Systems LLC, “Cisco StackWise and StackWise Plus Technology”, [online], [searched February 23, 2010], Internet <URL: http://www.cisco.com/web/JP/product/hs/ switches / cat3750 / prodlit / prod_white_paper09186a00801b096a.html>

JP 2009-147710 A JP 2008-5008 A

  In light of the above-described problems, the problem to be solved by the present invention is to provide a technique capable of centrally managing a plurality of network devices without being restricted by the conventional stack configuration.

SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following forms or application examples.
A first aspect of the present invention is a network management apparatus that manages a plurality of network devices,
A communication unit that communicates with a plurality of network devices having different functions via a network;
The configuration of the network is displayed on a display screen, an operation for grouping two or more network devices among the plurality of network devices is accepted on the display screen, and the two or more network devices grouped are received. A user interface unit that displays one virtually synthesized virtual device on the display screen;
A mapping table generation unit that generates a mapping table that represents a correspondence relationship between the setting items of the virtual function included in the virtual device and the network device that actually has the function ;
When a setting is made on a setting item of a virtual function included in the virtual device on the display screen, the network device corresponding to the setting item is specified with reference to the mapping table, and the specified A setting request indicating the content of the setting is established after establishing a session for transmitting the setting request with the network device, and a setting result indicating whether the setting with respect to the setting request is successful or unsuccessful. A setting processing unit that collects from each identified network device and manages the collection result in association with each virtual device;
Equipped with a,
The setting processing unit
Prior to transmitting the setting request to the specified network device, request an exclusive lock for blocking the setting request from another network management device to the specified network device,
In the case where there are a plurality of the specified network devices, if there is even one network device that has failed the exclusive lock, the transmission of the setting request is canceled,
In the case where there are a plurality of the specified network devices, if there is even one network device in which the setting according to the setting request has failed based on the collection result, all the specified network devices To restore the original settings to
Network management device.
According to the network management device having the above configuration, the administrator simply sets the virtual function of the virtual device displayed on the display screen, and actually has the function that is the target of the setting. Settings can be made for the device. In the above configuration, the network management apparatus and the network device to be managed are connected not by a dedicated cable but by a general network. Therefore, it is possible to suppress the restriction of target devices connected to the network management apparatus, and it is also possible to manage network devices that are physically far away. Furthermore, according to the above configuration, each network device is managed by the network management device connected to the network device, rather than the network device itself managing a plurality of network devices. Therefore, the role of the master packet relay device in the conventional stack configuration is not required, and more network devices can be managed. Therefore, according to the network management apparatus having the above configuration, it is possible to manage a plurality of network devices having different functions in a unified manner without being restricted by the conventional stack configuration.
Furthermore, according to the network management device configured as described above, it is possible to reliably transmit the setting request by using a session established between the network management device and the network device. Further, since an exclusive lock is requested for the specified network device prior to transmitting the setting request to the network, it is possible to prevent the network device from being simultaneously set by a plurality of network management devices. . Also, if there is at least one network device that has failed to lock, the setting request transmission is canceled, and if there is at least one network device that has failed to set, the setting contents are restored, so that the virtual device is 1 It is possible to make it appear to the administrator that the device is a single device.

Application Example 1 A network management apparatus that displays a communication unit that communicates with a plurality of network devices via a network, a configuration of the network on a display screen, and the plurality of networks on the display screen A user interface unit that accepts an operation for grouping two or more network devices of the devices, and displays on the display screen one virtual device obtained by virtually synthesizing the two or more grouped network devices; A setting for the setting item of the virtual device is set on the display screen, a mapping table generating unit that generates a mapping table representing a correspondence between the setting item of the virtual device and the network device that actually has the setting item. If it is made, the network device corresponding to the setting item is referred to the mapping table. Identify, network management apparatus provided in the network devices that are the specific, and a setting processing unit that transmits a setting request indicating the content of the setting.

  According to the network management device configured as described above, the administrator simply sets the virtual device displayed on the display screen, and the network device that actually has the setting item that is the setting target. Settings can be made. In the above configuration, the network management apparatus and the network device to be managed are connected not by a dedicated cable but by a general network. For this reason, it is possible to suppress restriction of target devices connected to the network management apparatus, and it is also possible to manage packet relay apparatuses that are physically far away. Furthermore, according to the above configuration, each network device is managed by the network management device connected to the network device, rather than the network device itself managing a plurality of network devices. Therefore, the role of the master packet relay device in the conventional stack configuration is not required, and more network devices can be managed. Therefore, according to the network management device having the above configuration, it is possible to manage a plurality of network devices in a centralized manner without being restricted by the conventional stack configuration.

[Application Example 2] The network management device according to Application Example 1, wherein the setting processing unit establishes a session for transmitting the setting request with the specified network device, and A network management device that transmits a setting request.
With such a configuration, it is possible to reliably transmit the setting request by using a session established between the network management apparatus and the network device.

[Application Example 3] The network management device according to Application Example 1 or Application Example 2, wherein the setting processing unit transmits the setting request to the specified network device before the specified network device. A network management device that requests an exclusive lock for blocking a setting request from another network management device.
With such a configuration, it is possible to prevent network devices from being set simultaneously from a plurality of network management devices.

Application Example 4 In the network management device according to Application Example 3, in the case where there are a plurality of the specified network devices, the setting processing unit includes at least one network device that has failed the exclusive lock. In this case, a network management device that cancels transmission of the setting request.
With such a configuration, it is possible to make an administrator appear that the virtual device is a single device.

Application Example 5 In the network management device according to any one of Application Examples 1 to 4, the setting processing unit responds to the setting request when there are a plurality of the specified network devices. A network management device that returns the setting contents of all the specified network devices to the original setting contents when there is even one network device that has failed to be set.
Even with such a configuration, it is possible to pretend to the administrator that the virtual device is a single device.

[Application Example 6] The network management device according to any one of Application Example 1 to Application Example 5, wherein each of the plurality of network devices is a packet relay device provided with a port for transmitting and receiving packets. The mapping table generation unit generates a mapping table representing a correspondence table between a virtual port of the virtual device and a port actually included in each packet relay device as the setting item of the virtual device. apparatus.
With such a configuration, it becomes possible to perform the settings relating to the ports possessed by each of the plurality of packet relay apparatuses in a unified manner using the virtual apparatus on the display screen.

[Application Example 7] The network management device according to any one of Application Examples 1 to 5, wherein the plurality of network devices include a plurality of types of network devices having different functions, and the mapping table The generation unit is a network management device in which a correspondence relationship between a virtual function included in the virtual device and a function actually included in each of the packet relay devices is recorded as a setting item of the virtual device.
With such a configuration, it is possible to perform the setting of the functions of each of the plurality of types of network devices having different functions by using the virtual device on the display screen.

Application Example 8 The network management device according to Application Example 7, wherein the plurality of types of network devices having different functions are a plurality of types of server devices having different functions.
With such a configuration, it becomes possible to perform the setting of functions possessed by a plurality of types of server apparatuses having different functions in a unified manner using the virtual apparatus on the display screen.

  In addition to the configuration as the network management device described above, the present invention can also be configured as a network management method or a computer program. The computer program may be recorded on a computer-readable recording medium. As the recording medium, for example, various media such as a flexible disk, a CD-ROM, a DVD-ROM, a magneto-optical disk, a memory card, and a hard disk can be used.

It is explanatory drawing which shows the structure of the network to which the network management apparatus as a 1st Example and a some packet relay apparatus are connected. It is explanatory drawing which shows schematic structure of a packet relay apparatus. It is explanatory drawing which shows schematic structure of a network management apparatus. It is a figure which shows an example of GUI. It is a figure which shows an example of GUI. It is a sequence diagram which shows the flow of the process performed when a multi packet relay apparatus is produced | generated. It is a flowchart of a port mapping table generation process. It is a figure which shows an example of a port mapping table. It is a flowchart of the setting process using a multi-packet relay apparatus. It is a sequence diagram which shows the flow of a setting process roughly. It is explanatory drawing which shows an example of a session table. It is explanatory drawing which shows an example of a lock result management table. It is explanatory drawing which shows an example of a setting result management table. It is explanatory drawing which shows the structure of the network with which the network management apparatus as 2nd Example and multiple types of network equipment are connected. It is explanatory drawing which shows schematic structure of the network management apparatus in 2nd Example. It is a figure which shows an example of GUI in 2nd Example. It is a figure which shows an example of GUI in 2nd Example. It is a sequence diagram which shows the flow of the process performed when a multi-function apparatus is produced | generated. It is a flowchart of a function mapping table generation process. It is a figure which shows an example of a function mapping table.

Hereinafter, embodiments of the present invention will be described in the following order based on examples.
A. First embodiment:
(A1) Network configuration:
(A2) Configuration of packet relay device:
(A3) Configuration of network management device:
(A4) Generation procedure of multi-packet relay apparatus:
(A5) Setting process using multi-packet relay apparatus:
B. Second embodiment:
C. Variations:

A. First embodiment:
(A1) Network configuration:
FIG. 1 is an explanatory diagram showing the configuration of a network to which a network management device and a plurality of packet relay devices are connected as a first embodiment of the present invention. The network 10 shown in FIG. 1 is built in the company A, and the company A has a department A and a department B. In the department A, three packet relay apparatuses 12a to 12c are arranged, and also in the department B, three packet relay apparatuses 12d to 12f are arranged. Since these packet relay devices 12a to 12f are all the same device configuration, they may be collectively referred to as “packet relay device 12” below. Each packet relay device 12 is connected to a node device such as a computer, a network printer, or NAS (Network Attached Storage).

  Each packet relay device 12 is connected to the gateway device 18 by an Ethernet (registered trademark) cable 26. The gateway device 18 has a function of mediating connection between each packet relay device 12 and the Internet 20. The gateway device 18 is further connected to a network management device 100 for managing the packet relay device 12 installed in the department A and the department B. A unique IP address is assigned to each of the network management device 100, each packet relay device 12, and the gateway device 18. In the example shown in FIG. 1, the packet relay apparatuses 12d to 12f are connected to the gateway apparatus 18 by a logical multiple line 27 in which a plurality of Ethernet cables are logically bundled. If the logical multiple line 27 is used, a large band can be secured. For example, it is possible to transmit a large amount of setting information from the network management apparatus 100 to the packet relay apparatuses 12d to 12f at high speed. Note that the configuration of the network 10 and the number of packet relay devices 12 managed by the network management device 100 are not limited to the example illustrated in FIG. 1, and can be appropriately changed to other modes.

  The network management apparatus 100 according to the present embodiment manages, for example, a plurality of packet relay apparatuses 12 in the department A and the department B as the multi-packet relay apparatuses 23 that are each one virtual packet relay apparatus. be able to. Hereinafter, a device configuration and processing contents for managing a plurality of packet relay devices 12 as one virtual multi-packet relay device 23 will be described in detail.

(A2) Configuration of packet relay device:
FIG. 2 is an explanatory diagram showing a schematic configuration of the packet relay device 12. The packet relay device 12 includes a plurality of interface modules 61, a switching module 63, and a control module 64.

  The interface module 61 includes a plurality of packet transmission / reception ports 65, a controller 69, and a memory 71. The packet transmission / reception port 65 is a physical port to which an Ethernet cable is physically connected. The packet transmission / reception port 65 constituting the logical multiplex line 27 is composed of a plurality of physical ports. The controller 69 has a function of analyzing the packet received from the packet transmission / reception port 65 and identifying the destination of the packet. The memory 71 is used as a buffer for temporarily storing packets transmitted and received through the packet transmission / reception port 65.

  If the destination of the packet is another device as a result of analyzing the received packet, the controller 69 determines the interface module 61 and the packet transmission / reception port 65 to which the device is connected based on a predetermined address table. The packet received through the interface module 61 and the packet transmission / reception port 65 is transferred. On the other hand, when the destination of the received packet is a packet addressed to itself, the controller 69 transmits the received packet to the control module 64.

  The control module 64 includes a CPU 73 and a memory 74. The CPU 73 functions as a packet transmitting / receiving unit 76, a management device communication unit 77, and a setting processing unit 78 by executing a predetermined program stored in the memory 74. The packet transmitting / receiving unit 76 is responsible for receiving packets addressed to itself and transmitting packets to other devices. The management device communication unit 77 has a function of receiving a setting request addressed to itself from the network management device 100 through the packet transmission / reception unit 76 and returning its own setting information in response to a request from the network management device 100. The setting processing unit 78 performs various settings related to the operation of the packet relay device 12 in response to the setting request received from the network management device 100. The contents of this setting include, for example, a VLAN ID setting for each packet transmission / reception port 65, an address setting for filtering, a QoS band setting, and the like.

  The switching module 63 has a function of switching a communication path between the interface modules 61 or between the interface module 61 and the control module 64 in accordance with an instruction from the interface module 61 or the control module 64.

(A3) Configuration of network management device:
FIG. 3 is an explanatory diagram showing a schematic configuration of the network management apparatus 100. The network management device 100 is configured by a general-purpose computer, and includes a CPU 41, a memory 42, a hard disk 43, a network interface 44, a display device 56, a keyboard 57, a mouse 58, and the like. The CPU 41 functions as a packet transmitting / receiving unit 46, a management target communication unit 47, and a management processing unit 48 by executing a predetermined program stored in the memory 42.

  The packet transmission / reception unit 46 controls transmission / reception of packets through the network interface 44. The managed communication unit 47 obtains the function of transmitting a setting request to each packet relay device 12 to be managed and the setting information of each packet relay device 12 from each packet relay device 12 through the packet transmitting / receiving unit 46. And has a function of recording in the setting information database 55 in the hard disk 43. The setting information acquired from each packet relay device 12 includes information such as the IP address of the packet relay device 12, the number of interface modules 61 included in the packet relay device 12, and the number of packet transmission / reception ports 65, for example. .

  The management processing unit 48 is an application that operates as a front end of the management target communication unit 47, and includes a user interface unit 49, a mapping table generation unit 50, and a setting processing unit 59. The user interface unit 49 displays a GUI (graphical user interface) for managing the packet relay device 12 on the display device 56 and accepts an instruction for generating the multi-packet relay device 23. The mapping table generation unit 50 generates a port mapping table 51 representing the correspondence between the setting items of the multi-packet relay device 23 and the actual setting items of the packet relay device 12 (details will be described later). When the user interface unit 49 accepts a setting operation for the multi-packet relay device 23, the setting processing unit 59 executes a setting process for transmitting a setting request corresponding to the setting operation to the actual packet relay device 12. . In this setting process, a port mapping table 51 generated by the mapping table generation unit 50, a session table 52 stored in the hard disk 43, a lock result management table 53, a setting result management table 54, and a setting information database 55 are used. . Details of the setting process will be described later.

(A4) Generation procedure of multi-packet relay apparatus:
4 and 5 are diagrams illustrating an example of the GUI 60 displayed on the display device 56 of the network management device 100. FIG. In the GUI 60, the configuration (network topology) of the network 10 is drawn with symbols (icons) representing the gateway device 18 and each packet relay device 12. In the example illustrated in FIG. 4, the packet relay devices 12 a to 12 c are connected in a star shape to the gateway device 18 (the packet relay devices 12 d to 12 f are omitted). On the GUI 60, when the administrator selects all the packet relay apparatuses 12a to 12c using the keyboard 57 and the mouse 58 and presses the grouping button BT1, the virtual packet relay apparatus is displayed as shown in FIG. A symbol of a certain multi-packet relay apparatus 23 is created. In the present embodiment, a predetermined identification mark MK is added to the symbol of the multi-packet relay apparatus 23 to indicate that it is a virtual apparatus. When the multi-packet relay device 23 is generated on the GUI 60 in this way, a virtual IP address is assigned to the multi-packet relay device 23, and the multi-packet relay device 23 is generated below the GUI 60. Is displayed together with the operation date and time. When the administrator selects the multi-packet relay apparatus 23 on the GUI 60 and presses the release button BT2, it is possible to cancel the grouping.

  FIG. 6 is a sequence diagram showing a flow of processing executed when the multi-packet relay apparatus 23 is generated by the GUI 60. First, when the GUI 60 is operated by the administrator and the symbols of the multi-packet relay device 23 are generated on the screen as shown in FIG. 5, the user interface unit 49 sends the “packet relay device” to the mapping table generation unit 50. The command “combine 12a to 12c as the multi-packet relay device 23” is transmitted (step S101). When receiving this command, the mapping table generation unit 50 executes a port mapping table generation process described below to generate the port mapping table 51 (step S102).

  FIG. 7 is a flowchart of the port mapping table generation process executed by the mapping table generation unit 50. FIG. 8 is a diagram illustrating an example of the port mapping table 51 generated by the port mapping table generation process. When this port mapping table generation processing is executed, first, the mapping table generation unit 50 determines a virtual IP address that is an apparent IP address of the multi-packet relay apparatus 23 that is virtually generated, It records in the port mapping table 51 (step S201). This virtual IP address is used by the management processing unit 48 to distinguish between the multi-packet relay device 23 and other devices (for example, other multi-packet relay device 23, packet relay device 12, gateway device 18, etc.). This is the address to use.

  When the virtual IP address is recorded in the port mapping table 51, the mapping table generation unit 50 then continues to the actual packet relay device 12 (hereinafter referred to as “member device”) that has become the combination source of the multi-packet relay device 23. An actual IP address (hereinafter referred to as “real IP address”) is acquired from the setting information database 55 and recorded in the port mapping table 51 in association with the virtual IP address described above (step S204). Then, each packet transmission / reception port 65 included in the member apparatus is assigned to a virtual packet transmission / reception port of the multi-packet relay apparatus 23, and the correspondence is recorded in the port mapping table 51 (step S206). The mapping table generating unit 50 repeats this process for the number of interface modules 61 included in the member device (step S205) and for the number of member devices (step S203). At this time, the mapping table generating unit 50 increments the virtual interface module number of the multi-packet relay apparatus 23 every time the number of the interface module 61 of the member apparatus is incremented (step S207). By doing so, a unique virtual interface module number is assigned to each interface module 61 of each member device.

  When the processing described above is completed for all the member devices that are the combination source of the multi-packet relay device 23, the generation of the port mapping table 51 is completed. As shown in FIG. 8, referring to the port mapping table 51 generated in this way, the virtual packet transmission / reception port of the multi-packet relay apparatus 23 is physically assigned to which packet transmission / reception port 65 of which member apparatus. It is possible to determine whether it corresponds. For example, according to the port mapping table 51 shown in FIG. 8, the first virtual packet transmission / reception port of the 0th virtual interface module of the multi-packet relay apparatus 23 (hereinafter expressed as port [0/1]). Corresponds to the first packet transmission / reception port (that is, port [0/1]) of the 0th interface module of the member device whose IP address is “100.100.100.1”.

  As described above, after the generation of the port mapping table 51 is completed, a new packet relay device 12 can be added to the combined multi-packet relay device 23. Specifically, an operation of selecting the symbol of the multi-packet relay device 23 and the symbol of the new packet relay device 12 and pressing the grouping button BT1 on the GUI 60 shown in FIG. 4 or FIG. The new packet relay device 12 can be virtually added to the multi-packet relay device 23 by performing an operation of dragging and dropping the symbol of the new packet relay device 12 onto the symbol of the multi-packet relay device 23. it can.

  At this time, the management processing unit 48 in the network management apparatus 100 updates the port mapping table 51 in the following procedure. That is, first, when an operation for adding the packet relay device 12 to the multi-packet relay device 23 is performed on the GUI 60 by the administrator, “add a new packet relay device to the multi-packet relay device 23”. Is transmitted from the user interface unit 49 to the mapping table generation unit 50 (step S103 in FIG. 6). Upon receiving this command, the mapping table generation unit 50 executes the same processing as the processing in steps S204 to S207 in FIG. 7, and newly sets a new virtual interface module and virtual packet transmission / reception port of the multi-packet relay device 23. The interface module 61 of the packet relay apparatus 12 to be added is associated with the packet transmission / reception port 65. By doing so, the port mapping table 51 is updated (step S104 in FIG. 6). Here, an example in which a new packet relay device 12 is added to the multi-packet relay device 23 has been described. However, for example, when a delete button on the GUI is pressed, a part of the packet is transferred from the multi-packet relay device 23. Of course, it is possible to perform the process of deleting the relay device 12.

  The process of generating one virtual multi-packet relay device 23 from the plurality of packet relay devices 12 using the GUI 60 has been described above. Next, a description will be given of a procedure in which the administrator uses the multi-packet relay device 23 to perform setting for a plurality of packet relay devices 12 in an integrated manner.

(A5) Setting process using multi-packet relay apparatus:
FIG. 9 is a flowchart of the setting process using the multi-packet relay device 23. FIG. 10 is a sequence diagram schematically showing the flow of this setting process. In this setting process, first, the administrator selects the multi-packet relay apparatus 23 on the GUI 60 shown in FIG. 5 and then presses the setting button BT3. Then, on the screen, a setting screen (not shown) on which setting items for the multi-packet relay apparatus 23 (virtual packet transmission / reception port in this embodiment) are displayed is displayed. On this setting screen, for example, the administrator can set a VLAN ID, a filtering rule, a QoS band, and the like for each virtual packet transmission / reception port of the multi-packet relay apparatus 23. At this time, it is also possible to collectively perform the same setting for a plurality of virtual packet transmission / reception ports.

  When the above-described setting is performed on the GUI 60, the setting processing unit 59 of the network management apparatus 100 first refers to the port mapping table 51 illustrated in FIG. 8 and corresponds to the virtual packet transmission / reception port that is the setting target. The packet relay device 12 (member device), the interface module 61, and the packet transmission / reception port 65 are identified (step S401 in FIG. 9). For example, referring to FIG. 8, when settings are made for port [0/15], port [1/3], and port [4/4] of multi-packet relay apparatus 23, these are set. Are the port [0/15] of the packet relay device 12a with the real IP address “100.100.100.1” and the packet relay device 12b with the real IP address “110.11.10.10.1”. Port [0/3], and the port [2/4] of the packet relay device 12c whose real IP address is “120.120.120.1”.

  When the setting target member device, the interface module 61, and the packet transmission / reception port 65 are specified, the setting processing unit 59 then uses the management target communication unit 47 to determine the setting target member device based on the NETCONF protocol. Start the setting procedure. The NETCONF protocol is a protocol standardized by IETF (Internet Engineering Task Force), and is a protocol for exchanging setting information described in XML between network devices.

  Under the NETCONF protocol, settings for member devices are performed as follows. That is, first, the setting processing unit 59 generates a session ID for the multi-packet relay apparatus 23, and records this session ID in the session table 52 (step S402). Next, the setting processing unit 59 individually transmits a request to establish a NETCONF session to the setting target member device (step S403). When the member device receives a session establishment request from the network management device 100, each member device generates a session ID and notifies the network management device 100 of it. Upon receiving the session ID from the member device, the setting processing unit 59 records each received session ID in the session table 52 in association with the session ID of the multi-packet relay device 23 (step S404).

  FIG. 11 is an explanatory diagram illustrating an example of the session table 52. According to this session table 52, the session IDs “14”, “15” and “34” notified from the setting target member devices correspond to the session ID “10” generated for the multi-packet relay device 23. It is attached. That is, in the subsequent processing, when a setting request is issued for the session ID of the multi-packet relay device 23, the session ID is converted into a session ID for setting member devices, and those The setting request is transferred toward the session ID. In this way, if the session ID is used, the setting request can be reliably transmitted to an appropriate transmission destination. Even when the same session ID is notified from different member devices, the member device to be set can be uniquely identified by referring to the combination of the session ID and the real IP address.

  When the NETCONF session is established between the multi-packet relay device 23 and the setting target member device by the processing described above, the setting processing unit 59 locks the setting target member device through the above-described session ID. A request is made (step S405). The exclusive lock is a process for causing the member device to block the setting request from the other network management device so that the setting is not performed simultaneously from the other network management device. If the exclusive lock has been requested, the member apparatus accepts the request and applies the exclusive lock to itself, and returns a response message stating “OK”. On the other hand, if the exclusive lock is already performed by another network management apparatus, a response message describing “NG” is returned. When the setting processing unit 59 receives a response message describing the exclusive lock result (“OK” or “NG”) from each member device that has requested the exclusive lock, the setting processing unit 59 records the lock result in the lock result management table 53. (Step S406).

  FIG. 12 is an explanatory diagram showing an example of the lock result management table 53. According to the lock result management table 53, although the exclusive lock requested for the session IDs “14” and “45” is successful (“OK”), the exclusive lock requested for the session ID “34” is Failed (“NG”).

  When the recording to the lock result management table 53 is completed as described above, the setting processing unit 59 determines whether or not all requested exclusive locks are successful based on the recorded contents of the lock result management table 53. (Step S407). If there is at least one session for which the exclusive lock has not succeeded, the setting processing unit 59 records “NG” indicating that the exclusive lock has failed for the current session ID in the lock result management table 53, and The setting process is abnormally terminated. For example, in the example shown in FIG. 12, since the exclusive lock for the session ID “34” has failed, the lock result of the multi-packet relay apparatus 23 itself is also recorded as “NG”. This is because the multi-packet relay device 23 is a virtual device, but is one device for management, so if any port (member device) cannot be set even partly, it is treated as “abnormal”. Because. When the setting process is abnormally terminated due to the failure of the exclusive lock, the setting processing unit 59 explicitly sends a request to release the exclusive lock to the packet relay device in which the exclusive lock is successful. To end the process. Alternatively, an exclusive lock time limit is provided in advance, and the exclusive lock is released by time-out, and the process is terminated.

  If it is determined in step S407 that all of the requested exclusive locks have been successful, the setting processing unit 59 issues a setting request indicating the setting contents applied to each setting item (each port) on the GUI 60. Then, the message is transmitted to each session ID of the member device (step S408). For example, when the same setting is performed for each port of each member device, a setting request indicating the same setting content is transmitted to each member device through session IDs “14”, “45”, and “34”. The

  Each member device to be set receives a setting request addressed to each session ID. Then, the setting processing unit 78 analyzes the received setting request, and applies the setting according to the analysis result to itself. In each member device, the setting request is received by the interface module 61 and transferred to the control module 64 via the switching module 63. In the control module 64, the setting request is finally delivered to the setting processing unit 78 via the packet transmitting / receiving unit 76 and the management device communication unit 77.

  When the setting target member device finishes setting to itself, it returns the setting result to the network management device 100. Specifically, a response message marked “OK” is generated in the setting processing unit 78 when the setting is successful, and a response message marked “NG” is generated in the setting processing unit 78 when the setting is failed. 77, and returns to the network management apparatus 100 via the packet transmitting / receiving unit 76, the switching module 63, and the interface module 61. Upon receiving the setting result from the setting target member device, the setting processing unit 59 of the network management device 100 records the setting result in the setting result management table 54 (step S409).

  FIG. 13 is an explanatory diagram showing an example of the setting result management table 54. The setting result management table 54 shown in FIG. 13 shows an example in which the settings for the session IDs “14” and “34” have succeeded, but the settings for the session ID “45” have failed.

  When the recording of the setting result in the setting result management table 54 is completed, the setting processing unit 59 determines whether the setting for all member devices to be set has been successful based on the recorded contents of the setting result management table 54 ( Step S410). As illustrated in FIG. 13, if the setting for the setting target member device fails even partially, the setting processing unit 59 abnormally ends the setting processing. Although the multi-packet relay device 23 is virtual, it is a single device for management purposes, so that if any member device has failed to be set, the device itself is treated as “abnormal”. is there. When the setting process is abnormally terminated due to the setting failure, the setting processing unit 59 performs processing by explicitly sending a request to return to the previous setting to the member device that has been successfully set. End. Alternatively, the setting is provisionally performed in advance, and the setting is returned to the previous state by not being settled within a predetermined timeout time, and the process is terminated. When a request to return to the previous setting is explicitly sent, the previous setting contents recorded in the setting information database 55 are read, a setting request is generated based on the setting contents, and the setting request is transmitted again.

  If it is determined in step S410 that the setting for all member devices to be set has been successful, the setting processing unit 59 records the setting content for each member device to be set in the setting information database 55 (step S410). S411), the setting process ends normally.

  According to the network management apparatus 100 of the present embodiment described above, a plurality of packet relay apparatuses 12 are grouped into one multi-packet relay apparatus by grouping the plurality of packet relay apparatuses 12 displayed on the GUI 60. 23 can be handled virtually. Therefore, the administrator can make settings for a plurality of packet relay apparatuses 12 collectively by making settings for the multi-packet relay apparatus 23. Also, when the same setting is made to a plurality of packet relay apparatuses 12 (for example, when the same VLAN ID, filtering rule, and QoS band are set in different packet relay apparatuses), one multi-packet Once the setting is made for the relay device 23, the same setting can be collectively made for the member devices constituting the multi-packet relay device 23. As a result, for example, when newly configuring a network in a company or when increasing the size of a small-medium-scale network configuration, it is necessary to repeatedly perform the same setting individually for a plurality of packet relay apparatuses 12. In addition, the number of man-hours required for the administrator to set the packet relay device 12 can be greatly reduced.

  Further, in this embodiment, each packet relay device 12 is managed by the network management device 100 prepared for exclusive use, so that it plays the role of a master packet relay device like a packet relay device having a conventional stack configuration. The packet relay device 12 becomes unnecessary. Therefore, there is no restriction on the number of manageable units, which is limited to reduce the load on the master / packet relay apparatus. Therefore, even in a data center or the like, if the network management apparatus 100 of this embodiment is used, a large amount of packet relay apparatuses 12 can be easily managed. Further, in this embodiment, instead of connecting the packet relay devices 12 in a daisy chain with a dedicated cable as in the prior art, just connecting the network management device 100 and the packet relay device 12 by general Ethernet, Each packet relay device 12 can be managed. Therefore, it is not necessary to arrange the individual packet relay devices 12 close to each other. Therefore, for example, it is possible to manage the packet relay apparatus 12 installed across a plurality of floors.

  Further, in this embodiment, even if some of the member devices constituting the multi-packet relay device 23 cannot be locked or the setting fails, the setting for the other member devices is canceled. Therefore, the multi-packet relay device 23 can appear as if it is operating as one device, and the administrator is not aware of the existence of the member device, and the multi-packet relay device 23 Can be set.

B. Second embodiment:
In the first embodiment described above, the technology for collectively managing a plurality of packet relay apparatuses having the same function has been described. In contrast, in the second embodiment, a technique for collectively managing a plurality of network devices having different functions will be described.

  FIG. 14 is an explanatory diagram showing a configuration of a network 10B in which a network management apparatus 100B according to a second embodiment of the present invention and a plurality of types of network devices are connected. As shown in FIG. 14, in this embodiment, a packet relay device 12, a traffic measurement device 13, and a security device 14 having different functions are arranged in the department A, and these are connected to the network 10B. . The traffic measurement device 13 in the present embodiment is a packet relay device having a function of measuring traffic flowing in the network. In addition, the security device 14 in this embodiment is a packet relay device that is intentionally set to be easy to enter, such as a honeypot, in order to investigate a cracker intrusion technique or a computer virus behavior. It is. The configurations of the traffic measurement device 13 and the security device 14 are substantially the same as those of the packet relay device 12 described in the first embodiment, and a function for traffic measurement and a function for security are added as software. Yes. In this embodiment, a plurality of types of network devices having different functions as described above are managed as a virtual multi-function device 23B.

  FIG. 15 is an explanatory diagram showing a schematic configuration of the network management apparatus 100B. As shown in FIG. 15, the network management apparatus 100B of this embodiment includes a function mapping table 51B instead of the port mapping table 51 provided in the network management apparatus 100 of the first embodiment shown in FIG. Details of the function mapping table 51B will be described later. In the setting information database 55 in this embodiment, the IP address of each device to be managed (packet relay device, traffic measuring device, security device) and the setting contents of each function are recorded.

  16 and 17 are diagrams illustrating an example of the GUI 60B displayed on the display device 56 of the network management apparatus 100B. As shown in FIG. 16, in this embodiment, symbols representing the packet relay device 12, the traffic measurement device 13, and the security device 14 are drawn on the GUI 60B. When these devices are grouped by the same method as in the first embodiment, as shown in FIG. 17, a virtual device having all the functions of the packet relay device 12, the traffic measuring device 13, and the security device 14 is provided. A multi-function device 23B is generated. Hereinafter, each device constituting the multi-function device 23B is referred to as a “member device”. When the setting button BT3 is pressed after selecting the multi-function device 23B on the GUI 60B, a setting screen (not shown) on which setting items for the multi-function device 23B are displayed is displayed on the screen. In this embodiment, the setting screen includes setting items related to the packet relay function, setting items related to the traffic measurement function, and setting items related to the security function.

  FIG. 18 is a sequence diagram illustrating a flow of processing executed when the multifunction device 23B is generated by the GUI 60B. First, when the GUI 60B is operated by the administrator and the multi-function device 23B is generated as shown in FIG. 17, the user interface unit 49 sends to the mapping table generation unit 50 “the packet relay device 12 and the traffic measurement device 13 and A command “synthesize the security device 14 as the multifunction device 23B” is transmitted (step S601). When receiving this command, the mapping table generation unit 50 executes a function mapping table generation process described below to generate a function mapping table 51B (step S602). The function mapping table 51B is a table indicating which device physically provides the function that is apparently provided by the multi-function device 23B.

  FIG. 19 is a flowchart of a function mapping table generation process executed by the mapping table generation unit 50. FIG. 20 is a diagram illustrating an example of a function mapping table 51B generated by the function mapping table generation process. When this function mapping table generation process is executed, the mapping table generation unit 50 first determines a virtual IP address that is an apparent IP address of the newly generated multi-function device 23B, and stores it in the function mapping table 51B. Recording is performed (step S701).

  When the virtual IP address is recorded in the function mapping table 51B, the mapping table generating unit 50 subsequently acquires the real IP addresses of all the member devices constituting the multi-function device 23B from the setting information database 55, and the above-described virtual IP address is recorded. It is recorded in the function mapping table 51B in association with the IP address (step S702). Further, a function identifier indicating the content of the function of each member device is acquired from the setting information database 55, and recorded in the function mapping table 51B in association with the virtual IP address described above (step S704). In this embodiment, the function identifier is acquired from the function mapping table 51B. However, the administrator may input the function identifier using a keyboard or the like.

  When the processing described above ends, the function mapping table 51B is completed. According to the example shown in FIG. 20, the multi-function device 23B given “192.168.1.1” as the virtual IP address has a packet relay function, a traffic measurement function, and a security function. Are provided by member devices whose real IP addresses are “100.100.100.1”, “110.110.110.1”, and “120.120.120.1”, respectively. Recognize. After the generation of the function mapping table 51B is completed as described above, a new member device is added to the combined multifunction device 23B as in the first embodiment (step S603 in FIG. 18). S604), it is possible to delete some member devices from the multi-function device 23B after synthesis.

  Next, a procedure for the administrator to set the packet relay device 12, the traffic measurement device 13, and the security device 14 as if they are one device using the multi-function device 23B will be described. For example, it is assumed that the administrator wants to set the traffic measurement function of the multi-function device 23B. At this time, if the administrator performs the setting using the GUI 60B, the setting request needs to be individually transmitted from the setting processing unit 59 to the member device that is actually set. Therefore, when the setting is made for the multi-function device 23B, the setting processing unit 59 refers to the function mapping table 51B in FIG. 20 and identifies the member device that provides the traffic measurement function. According to the function mapping table 51B of FIG. 20, it can be seen that the traffic measurement function of the multi-function device 23B is provided by the traffic measurement device 13 whose IP address is “110.11.10.10.1”. Accordingly, when the setting processing unit 59 specifies the setting target member device, the setting processing unit 59 starts the setting procedure for the setting target member device using the management target communication unit 47. This setting procedure follows the setting process (FIG. 9) based on the NETCONF protocol described in the first embodiment. In other words, a setting request is finally transmitted to each member device while establishing a session and requesting an exclusive lock. If even one of the member devices that transmit the setting request fails in the exclusive lock or setting, the processing is terminated abnormally and the setting processing is canceled as in the first embodiment.

  According to the second embodiment described above, a plurality of network devices having different functions can be set as if they were one device. As a result, it is not necessary to perform settings by accessing each network device individually, and the number of man-hours required for setting can be reduced. In this embodiment, a packet relay device, a traffic measurement device, and a security device are given as examples of a plurality of network devices having different functions. However, these are examples, and various other network devices can be applied. Is possible. For example, a plurality of types of server devices having different functions such as a file server, a Web server, and a mail server can be collectively managed and set by the same technique as in the above-described embodiment.

C. Variations:
As mentioned above, although several Example of this invention was described, this invention is not limited to these Examples, A various structure can be taken in the range which does not deviate from the meaning.

  For example, in the above embodiment, each network device is displayed as a symbol on the GUI. However, if each network device can be uniquely represented, it can be represented by various objects such as character strings and symbols. is there. In addition, on the GUI, each network device may be displayed in a list instead of the network connection state.

  In the above embodiment, the setting for each member device is performed based on the NETCONF protocol. However, it may be performed using SNMP or a unique protocol.

  In the above-described embodiment, the setting process itself is canceled when the exclusive lock or setting fails even with one member device. However, the setting may be canceled only for the member device for which the exclusive lock or setting has failed, and the setting process may be continued for the member device for which the exclusive lock or setting has been successful.

DESCRIPTION OF SYMBOLS 10,10B ... Network 12, 12a-12f ... Packet relay apparatus 13 ... Traffic measuring device 14 ... Security apparatus 18 ... Gateway apparatus 20 ... Internet 23 ... Multi-packet relay apparatus 23B ... Multifunction apparatus 26 ... Ethernet cable 27 ... Logical multiplexing Line 41 ... CPU
DESCRIPTION OF SYMBOLS 42 ... Memory 43 ... Hard disk 44 ... Network interface 46 ... Packet transmission / reception part 47 ... Management object communication part 48 ... Management processing part 49 ... User interface part 50 ... Mapping table production | generation part 51 ... Port mapping table 51B ... Function mapping table 52 ... Session Table 53 ... Lock result management table 54 ... Setting result management table 55 ... Setting information database 56 ... Display device 57 ... Keyboard 58 ... Mouse 59 ... Setting processing unit 61 ... Interface module 63 ... Switching module 64 ... Control module 65 ... Packet transmission / reception port 69 ... Controller 71 ... Memory 73 ... CPU
74 ... Memory 76 ... Packet transmission / reception unit 77 ... Management device communication unit 78 ... Setting processing unit 100, 100B ... Network management device

Claims (3)

A network management device for managing a plurality of network devices,
A communication unit that communicates with a plurality of network devices having different functions via a network;
The configuration of the network is displayed on a display screen, an operation for grouping two or more network devices among the plurality of network devices is accepted on the display screen, and the two or more network devices grouped are received. A user interface unit that displays one virtually synthesized virtual device on the display screen;
A mapping table generation unit that generates a mapping table that represents a correspondence relationship between the setting items of the virtual function included in the virtual device and the network device that actually has the function ;
When a setting is made on a setting item of a virtual function included in the virtual device on the display screen, the network device corresponding to the setting item is specified with reference to the mapping table, and the specified A setting request indicating the content of the setting is established after establishing a session for transmitting the setting request with the network device, and a setting result indicating whether the setting with respect to the setting request is successful or unsuccessful. A setting processing unit that collects from each identified network device and manages the collection result in association with each virtual device;
Equipped with a,
The setting processing unit
Prior to transmitting the setting request to the specified network device, request an exclusive lock for blocking the setting request from another network management device to the specified network device,
In the case where there are a plurality of the specified network devices, if there is even one network device that has failed the exclusive lock, the transmission of the setting request is canceled,
In the case where there are a plurality of the specified network devices, if there is even one network device in which the setting according to the setting request has failed based on the collection result, all the specified network devices To restore the original settings to
Network management device. A network management method for managing a plurality of network devices by a network management device,
(A) communicating with a plurality of network devices having different functions via a network;
(B) displaying the configuration of the network on a display screen, and accepting an operation for grouping two or more network devices of the plurality of network devices on the display screen; Displaying one virtual device obtained by virtually combining network devices on the display screen;
(C) generating a mapping table representing a correspondence relationship between setting items of virtual functions included in the virtual device and the network devices that actually have the functions ;
(D) When a setting is made on a setting item of a virtual function included in the virtual device on the display screen, the mapping source network device corresponding to the setting item is referred to with reference to the mapping table. Specifying a session for transmitting the setting request with the specified network device and then transmitting a setting request representing the contents of the setting, and whether the setting with respect to the setting request is successful or unsuccessful Collecting a setting result indicating each of the identified network devices, and managing the collection result in association with each virtual device;
Equipped with a,
In the step (d),
Prior to transmitting the setting request to the specified network device, request an exclusive lock for blocking the setting request from another network management device to the specified network device,
In the case where there are a plurality of the specified network devices, if there is even one network device that has failed the exclusive lock, the transmission of the setting request is canceled,
In the case where there are a plurality of the specified network devices, if there is even one network device in which the setting according to the setting request has failed based on the collection result, all the specified network devices To restore the original settings to
Network management method. A computer program for managing a plurality of network devices,
A communication function for communicating with a plurality of network devices having different functions via a network;
The configuration of the network is displayed on a display screen, an operation for grouping two or more network devices among the plurality of network devices is accepted on the display screen, and the two or more network devices grouped are received. A user interface function for displaying the virtually combined virtual device on the display screen;
And setting items of the virtual functions which the virtual device comprises a mapping table generating function for generating a mapping table indicating the correspondence between the network device actually has the function,
On the display screen, when a setting is made for a setting item of a virtual function included in the virtual device, the mapping table is referred to identify the composition source network device corresponding to the setting item, A setting that indicates the success or failure of the setting in response to the setting request by transmitting a setting request indicating the setting contents after establishing a session for transmitting the setting request with the specified network device A setting processing function for collecting results from each of the identified network devices and managing the collection results in association with each virtual device;
Is a computer program that causes a computer to realize
The setting processing function
Prior to transmitting the setting request to the specified network device, request an exclusive lock for blocking the setting request from another network management device to the specified network device,
In the case where there are a plurality of the specified network devices, if there is even one network device that has failed the exclusive lock, the transmission of the setting request is canceled,
In the case where there are a plurality of the specified network devices, if there is even one network device in which the setting according to the setting request has failed based on the collection result, all the specified network devices To restore the original settings to
Computer program.

Images