Embodiment
To test how a network device forwards data streams, an embodiment of the present invention provides a method for testing a network device. As shown in Figure 2, the method comprises the following steps:
S201: The testing apparatus sends a test data stream to the network device. The test data stream comprises a simulated user data stream; in the simulated user data stream, the destination address of each packet is the address of the testing apparatus and the source address is the address of a simulated user.
In this embodiment the test data stream may be sent to the network device within a set time. The set time may be the time the network device under test needs to forward all test data streams, or the time it needs to finish forwarding all test data streams repeatedly. It may also be chosen according to other aspects of the network device under test: for example, when a large number of simulated users are authenticated, the set time may be the time the network device needs to authenticate all simulated users, or a time longer than that. In a concrete test it can be set flexibly as required.
S202: According to whether it receives, within the set time, the test data stream forwarded by the network device, and according to the saved authentication information of the authentication server for the simulated users, the testing apparatus judges whether the network device forwards the test data stream normally.
The testing apparatus receives, within the set time, the simulated user data forwarded by the network device. When the simulated user information corresponding to the source address of the simulated user is found in the saved authentication information of the authentication server for the simulated users, it judges that the network device forwards the simulated user packets normally; or
When the simulated user information corresponding to the source address of the simulated user is not found in the saved authentication information of the authentication server for the simulated users, it judges that the network device forwards the simulated user packets abnormally.
S203: The testing apparatus compares the authentication results it compiles itself, by authenticating each simulated user in the authentication data stream according to its own port-based network access control protocol (IEEE 802.1x), with the authentication results compiled from the information returned by the network device, and judges whether the network device provides normal authentication for a predetermined number of simulated users.
According to the IEEE 802.1x protocol configured on it, the testing apparatus authenticates each simulated user using that user's information in the test data stream and compiles statistics on the authentication results. At the same time it sends the authentication data stream to the network device and compiles statistics on the authentication results the network device returns. From its own statistics and the statistics compiled from the results returned by the network device, it judges whether the network device provides normal authentication for the predetermined number of simulated users in the authentication data stream.
In a concrete test of the network device, the testing apparatus may send the authentication data stream and the test data stream to the network device in any order; that is, S203 may come before S201 or after S202.
The test data stream also comprises an attack data stream. The attack data stream comprises messages whose source/destination MAC (Media Access Control) address is all 0s or all Fs, IP messages with TTL=0/1, messages with CRC check errors, messages shorter than 64 bytes or longer than 1518 bytes, multicast packets, broadcast packets and the like. In addition, a test data stream sent by an unauthenticated simulated user may also be regarded as an attack data stream.
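The attack-stream categories listed above can be recognised on the receiving side of a test bench. The following Python sketch is an added example, not part of the patent text: it classifies a raw Ethernet II frame into those categories. The category labels, the helper build_frame and all addresses are constructed for illustration, and frame sizes are assumed to include the 4-byte FCS.

```python
import struct
import zlib

ETH_HDR = 14                      # destination MAC (6) + source MAC (6) + EtherType (2)
FCS_LEN = 4
MIN_FRAME, MAX_FRAME = 64, 1518   # limits named in the text, FCS included (assumption)
ETHERTYPE_IPV4 = 0x0800
ALL_ZERO, ALL_F = b"\x00" * 6, b"\xff" * 6


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def classify(frame: bytes) -> set:
    """Return the attack-stream categories (hypothetical labels) a frame falls into."""
    cats = set()
    if len(frame) < MIN_FRAME:
        cats.add("undersize")
    if len(frame) > MAX_FRAME:
        cats.add("oversize")
    if len(frame) < ETH_HDR + FCS_LEN:
        return cats               # too short to carry a header and an FCS
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if fcs(frame[:-FCS_LEN]) != frame[-FCS_LEN:]:
        cats.add("crc-error")
    if dst in (ALL_ZERO, ALL_F) or src in (ALL_ZERO, ALL_F):
        cats.add("mac-all-0-or-f")
    if dst == ALL_F:
        cats.add("broadcast")
    elif dst[0] & 0x01:           # group bit set, but not the broadcast address
        cats.add("multicast")
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= ETH_HDR + 20 + FCS_LEN:
        ttl = frame[ETH_HDR + 8]  # TTL is the ninth byte of the IPv4 header
        if ttl in (0, 1):
            cats.add("ttl-0-or-1")
    return cats


def build_frame(dst: bytes, src: bytes, ttl: int = 64,
                payload_len: int = 46, corrupt_fcs: bool = False) -> bytes:
    """Build a constructed sample frame; the IPv4 checksum is left at 0 and not checked."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, payload_len, 0, 0, ttl, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    payload = ip + bytes(max(0, payload_len - len(ip)))
    body = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    trailer = fcs(body)
    if corrupt_fcs:
        trailer = bytes([trailer[0] ^ 0xFF]) + trailer[1:]
    return body + trailer


# Constructed addresses for the samples below.
USER_MAC = bytes.fromhex("020000000002")
TESTER_MAC = bytes.fromhex("020000000001")

if __name__ == "__main__":
    samples = {
        "normal": build_frame(TESTER_MAC, USER_MAC),
        "broadcast": build_frame(ALL_F, USER_MAC),
        "ttl=1": build_frame(TESTER_MAC, USER_MAC, ttl=1),
        "bad crc": build_frame(TESTER_MAC, USER_MAC, corrupt_fcs=True),
        "runt": build_frame(TESTER_MAC, USER_MAC, payload_len=30),
    }
    for name, frame in samples.items():
        print(name, sorted(classify(frame)))
```

A frame can fall into several categories at once; a broadcast destination, for instance, is also an all-F MAC address.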
The method further comprises: when the source address of each item of simulated user data is the saved address of a simulated user that has passed authentication, judging whether the network device forwards the simulated user test data normally according to the quantity of simulated user data normally forwarded by the network device that the testing apparatus receives and the quantity of saved simulated user authentication information.
The method also comprises: the testing apparatus sends configuration commands to the network device;
The testing apparatus detects attribute information of the network device according to the execution results returned by the network device.
The configuration commands comprise: commands that monitor the performance of the network device, commands that control whether the network device executes the content of a saved configuration file, or commands that control the information saved by the network device.
Commands that monitor the performance of the network device comprise:
Checking the utilization of the central processing unit (CPU) of the network device, or checking the memory usage of the network device.
According to the CPU utilization or memory usage returned by the network device, the monitoring device judges the network device's ability to process data streams. These data streams comprise the authentication data stream and the test data stream, and the test data stream comprises the simulated user data stream and the attack data stream.
Commands that control whether the network device executes the content of a saved configuration file comprise:
Controlling the network device to execute the IEEE 802.1x protocol content of the saved configuration file, or controlling the network device not to execute the IEEE 802.1x protocol content of the saved configuration file.
Commands that control the information saved by the network device comprise:
Viewing the authentication information, saved by the network device, of simulated users that have passed authentication, or deleting the MAC address entries of the network device and the authentication information of simulated users that have passed authentication.
In addition, when the network device becomes abnormal, for example when it crashes, it may output device exception information to the testing apparatus, and the testing apparatus may monitor and save the device exception information output by the network device.
In this embodiment the testing apparatus also saves its own configuration file and the configuration files of the authentication server and the network device. The configuration file of the authentication server contains the authentication information fields of each simulated user. The configuration file of the network device contains the information of the protocol the network device follows, which in this embodiment is IEEE 802.1x protocol information. The configuration file of the testing apparatus contains the authentication data stream and the test data stream, and the authentication data stream contains the authentication information of the predetermined number of simulated users.
When the authentication information fields of each simulated user in the configuration file of the testing apparatus are the same as the authentication information fields in the configuration file of the authentication server, the authentication server can provide authentication for the simulated users of the testing apparatus. For example, if the authentication information of each simulated user saved in the testing apparatus is a user ID, a user password and the MAC address of the user PC, and the authentication information fields saved in the authentication server are also the user ID, the user password and the MAC address of the user PC, then the authentication server authenticates the received authentication information against the authentication information fields it has saved. When the authentication information the authentication server receives differs from the authentication information fields it has saved, it cannot provide authentication service. That is, if the authentication information fields of a simulated user in the configuration file of the testing apparatus comprise the user ID, the authentication password, the MAC address of the user PC and the IP address of the user PC, while the authentication information fields of each simulated user saved in the configuration file of the authentication server are the authentication password, the MAC address of the user PC and the IP address of the user PC, then the authentication server cannot provide authentication service for the simulated users of the testing apparatus that carry those authentication information fields.
As shown in Figure 3, the test system in this embodiment comprises a testing apparatus 30, a network device 31 and an authentication server 32. The network device 31 is connected between the testing apparatus 30 and the authentication server 32. The direction of each arrow indicates the direction of data flow; the network device 31 and the authentication server 32 both obtain their configuration files from the testing apparatus 30. The testing apparatus 30 generates the test data stream from its own saved configuration file. The test data stream comprises a simulated user data stream and/or an attack data stream. Each simulated user data stream contains a plurality of simulated user packets, and for each simulated user packet the destination address is the address of the testing apparatus 30 and the source address is the address of the simulated user. When the test data stream is a simulated user data stream and the testing apparatus receives, within the set time, the simulated user data stream forwarded by the network device 31, it judges whether the network device 31 forwards the simulated user data stream normally according to the source address information of the simulated user packets and the saved authentication information of the authentication server for the simulated users.
When the simulated user information corresponding to the source address of a simulated user packet is found in the saved authentication information of the authentication server for the simulated users, it judges that the network device forwards the simulated user data stream normally; or
When the testing apparatus does not find the simulated user information corresponding to the source address of a simulated user packet in the saved authentication information of the authentication server for the simulated users, it judges that the network device 31 forwards the simulated user data stream abnormally.
Furthermore, each simulated user packet that the testing apparatus 30 sends to the network device 31 carries a source address that corresponds to the address of one simulated user. The testing apparatus 30 therefore judges whether the ability of the network device 31 to forward simulated user data streams is normal according to the saved number of simulated users that have passed authentication by the authentication server 32 and the number of normally forwarded simulated user packets it receives.
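The forwarding judgment described above (source address lookup plus the quantity comparison) can be written as a short routine. This Python sketch is an added example, not code from the patent; the names Packet and judge_forwarding, the MAC addresses and the user IDs are constructed, and it assumes each authenticated simulated user sends at least one packet within the set time.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source address: the simulated user's address
    dst: str   # destination address: should be the testing apparatus


def judge_forwarding(received, authenticated, tester_addr):
    """Judge the packets the network device forwarded within the set time.

    received      -- packets captured from the network device
    authenticated -- saved authentication info: source address -> user ID,
                     for the simulated users the authentication server accepted
    tester_addr   -- address of the testing apparatus
    """
    normal, abnormal = [], []
    for pkt in received:
        if pkt.dst != tester_addr:
            continue                      # not part of the simulated user stream
        if pkt.src in authenticated:
            normal.append(pkt)            # user information found: normal forwarding
        else:
            abnormal.append(pkt)          # no matching user: abnormal forwarding
    # Quantity comparison: every authenticated user should have traffic forwarded.
    forwarded_users = {pkt.src for pkt in normal}
    not_forwarded = sorted(set(authenticated) - forwarded_users)
    verdict = "normal" if not abnormal and not not_forwarded else "abnormal"
    return {
        "verdict": verdict,
        "normal_packets": len(normal),
        "abnormal_sources": sorted({pkt.src for pkt in abnormal}),
        "authenticated_not_forwarded": not_forwarded,
    }


# Constructed sample data.
TESTER = "02:00:00:00:00:fe"
AUTHENTICATED = {
    "02:00:00:00:00:01": "user0001",
    "02:00:00:00:00:02": "user0002",
}

if __name__ == "__main__":
    capture = [
        Packet("02:00:00:00:00:01", TESTER),
        Packet("02:00:00:00:00:02", TESTER),
        Packet("02:00:00:00:00:03", TESTER),   # never authenticated
    ]
    print(judge_forwarding(capture, AUTHENTICATED, TESTER))
```

The result separates the two failure modes: traffic forwarded for a source address with no authentication record, and authenticated users whose traffic never arrived.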
The testing apparatus also generates configuration commands for the network device from a saved automation configuration script. These configuration commands comprise commands that monitor the performance of the network device, commands that control whether the network device executes the content of a saved configuration file, or commands that control the information saved by the network device. Throughout the test, the configuration commands may be combined in any order and sent continuously to the network device. The network device 31 executes the configuration commands it receives and returns the corresponding execution results to the testing apparatus 30. Both the configuration commands sent by the testing apparatus 30 and the execution results returned by the network device 31 are recorded by the testing apparatus 30 in the test log. The testing apparatus 30 also receives the device exception information output by the network device 31.
According to the execution results that the network device returns for the commands that monitor its performance, the testing apparatus 30 judges the network device's ability to process data streams.
Using the authentication information of each simulated user that it sends to the network device 31, the testing apparatus 30 authenticates each simulated user according to the IEEE 802.1x protocol it holds and counts the number of simulated users that can pass authentication. At the same time the testing apparatus 30 compiles statistics on the authentication results of the authentication server returned by the network device 31 and, together with its own authentication statistics, analyzes whether the network device 31 provides normal authentication for the predetermined number of simulated users.
The testing apparatus 30 has itself counted the number of simulated users that can pass authentication, has compiled statistics on the simulated user data authenticated by the authentication server 32 as returned by the network device 31, and has recorded the data streams of each simulated user that the network device 31 forwarded normally; the test log may also record the authentication information of the simulated users that passed authentication on the network device 31. The results recorded in the testing apparatus 30 can therefore be used to analyze whether the network device 31 forwards data streams normally and to judge whether the network device 31 can provide authentication service for the predetermined number of simulated users.
To test the network device, an embodiment of the present invention provides an apparatus for testing a network device, comprising: a tester 401, configured to send a test data stream to the network device, where the test data stream comprises a simulated user data stream, and in the simulated user data stream the destination address of each packet is the address of the testing apparatus and the source address is the address of a simulated user; and to judge whether the network device forwards the test data stream normally according to the test data stream returned by the network device and the saved authentication information of the authentication server for the simulated users;
A test terminal 400, configured to send the generated authentication data stream to the network device, and to judge whether the network device provides normal authentication for a predetermined number of simulated users by comparing the authentication results it compiles by authenticating each simulated user in the authentication data stream according to its own IEEE 802.1x protocol with the authentication results compiled from the information returned by the network device.
As shown in Figure 4, the testing apparatus 30 also comprises a monitor terminal 404, as well as a file server 402 and a hub 403.
The test terminal 400 connects to the controlled port of the network device to test the network device's capacity in number of simulated users. The authentication data stream in the configuration file of the test terminal 400 may be set according to the rated user capacity of the network device, or to a capacity exceeding the rated user capacity; the authentication data stream contains the authentication information of a predetermined number of simulated users. The test terminal 400 sends the authentication data stream generated from the configuration file to the network device, automatically counts, according to the IEEE 802.1x protocol it holds, whether each simulated user passes authentication, and receives and counts, through the uncontrolled port of the network device, the authentication results of the authentication server returned by the network device. It also verifies that, while the number of legitimate users on the network device has not reached the rated number of users that can be authenticated, illegitimate users cannot pass authentication. An illegitimate user is one whose authentication information differs from the user authentication information saved on the authentication server, for example when a user ID entered at the test terminal 400 is not saved on the server, or the authentication password is wrong. It can further verify that, once the number of legitimate users on the network device reaches the upper limit of the rated number of users that can be authenticated, neither legitimate nor illegitimate users can pass authentication. For example, if the rated user capacity of the network device is 2000 and the network device is already serving 2000 users that have passed authentication, then when the test terminal sends the authentication information of a 2001st simulated user to the network device, and this simulated user is a legitimate user, the network device cannot provide authentication service for this simulated user of the test terminal.
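The capacity check described above, including the 2000-user case, amounts to comparing the test terminal's own expected outcome for each authentication attempt with the result returned through the network device. This Python sketch is an added example, not code from the patent; audit_capacity, the reason strings, the user IDs and the passwords are constructed, and the device results are sample data rather than output of a real device.

```python
def audit_capacity(attempts, credentials, capacity, device_results):
    """Compare expected authentication outcomes with those the device returned.

    attempts       -- ordered list of (user_id, password) sent by the test terminal
    credentials    -- user_id -> password saved on the authentication server
    capacity       -- rated number of users the network device can authenticate
    device_results -- ordered list of booleans returned via the network device
    """
    online = set()          # users the test terminal expects to be authenticated
    findings = []
    for index, ((user_id, password), got) in enumerate(
            zip(attempts, device_results), start=1):
        legitimate = credentials.get(user_id) == password
        full = len(online) >= capacity
        expected = legitimate and not full
        if got != expected:
            if got and not legitimate:
                reason = "illegitimate user authenticated"
            elif got and full:
                reason = "legitimate user authenticated above capacity"
            else:
                reason = "legitimate user rejected below capacity"
            findings.append((index, user_id, reason))
        if expected:
            online.add(user_id)
    return {
        "terminal_passed": len(online),
        "device_passed": sum(1 for r in device_results if r),
        "findings": findings,
    }


def sample_run(capacity=2000):
    """Constructed scenario: one illegitimate user and one user beyond capacity."""
    credentials = {f"user{n:04d}": f"pw{n:04d}" for n in range(1, capacity + 2)}
    legit = [(uid, credentials[uid]) for uid in sorted(credentials)]
    attempts = (legit[:1000]
                + [("user9999", "pw")]          # ID not saved on the server
                + legit[1000:capacity]
                + [legit[capacity]])            # the (capacity + 1)th legitimate user
    correct = [True] * 1000 + [False] + [True] * (capacity - 1000) + [False]
    return attempts, credentials, correct


if __name__ == "__main__":
    attempts, credentials, correct = sample_run()
    print(audit_capacity(attempts, credentials, 2000, correct))
    faulty = correct[:-1] + [True]              # device admits the 2001st user
    print(audit_capacity(attempts, credentials, 2000, faulty))
```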
To test how the network device forwards data streams, the tester 401 is connected to the controlled port of the network device and obtains the simulated user data stream from the information of each simulated user. In this simulated user data stream, the source address of each simulated user packet is the address of that simulated user, and the destination address is the address of the tester 401 or an address saved by the tester 401. From the simulated user data stream it receives, the tester 401 detects the source address information of each simulated user packet and, according to the saved authentication information of the authentication server for the simulated users, judges whether the network device forwards the simulated user data stream normally. An attack data stream is simulated according to actual network conditions and sent to the network device at the same time. After the tester 401 correctly receives each simulated user packet returned by the network device, it obtains the simulated user information contained in the packet and judges whether the network device forwards the data normally according to whether that simulated user has passed authentication. When the tester 401 correctly receives a simulated user packet and the corresponding simulated user has not passed authentication by the authentication server, it judges that the network device's ability to forward the simulated user data is abnormal.
The authentication information of the simulated users saved in the tester 401 may also be generated from the configuration file; that is, the tester and the network device each save a copy of this simulated user authentication information, and data forwarding is tested and judged according to it.
In an actual test it is of course also possible to select only a subset of the simulated users and simulate the simulated user data streams of that subset; the concrete test procedure can be chosen according to actual needs.
To bring the test closer to actual conditions, this embodiment uses the hub 403 to regenerate, reshape and amplify the test data of the tester 401 and the test terminal 400; the reshaped and amplified test data is sent into the network device through the controlled port of the network device. Using the hub 403 extends the transmission range of the network and brings the test closer to actual conditions.
The file server 402 provides configuration files to the network device and the authentication server, and also provides configuration files to the test terminal 400, the tester 401, the hub 403 and the monitor terminal 404; the arrows in Figure 4 indicate the direction of data flow. The monitor terminal 404 continuously sends configuration commands to the network device, and the network device executes each configuration command and returns the execution result to the monitor terminal 404. A configuration command may also cause monitoring results to be returned to the monitor terminal 404 periodically, for example a command to return the CPU utilization to the monitor terminal every 10 seconds.
The monitor terminal 404 comprises: a memory module, configured to store configuration commands that monitor the performance of the network device, configuration commands that control whether the network device executes the content of a saved configuration file, or configuration commands that control the information saved by the network device;
A sending module, configured to send the stored configuration commands to the network device.
The configuration commands that monitor the performance of the network device comprise: stored configuration commands for checking the utilization of the central processing unit (CPU) of the network device, or for checking the memory usage of the network device. The processing capability of the network device, that is, its ability to process the authentication data stream and the test data stream at the same time, is judged from this information that the monitor terminal 404 returns.
The configuration commands that control whether the network device executes the content of a saved configuration file comprise: stored configuration commands that control the network device to execute the IEEE 802.1x protocol content of the saved configuration file, or that control the network device not to execute the IEEE 802.1x protocol content of the saved configuration file.
The configuration commands that control the information saved by the network device comprise: stored configuration commands for viewing the authentication information, saved by the network device, of simulated users that have passed authentication, or for deleting the MAC address entries of the network device and the authentication information of simulated users that have passed authentication.
In this embodiment the tester tests the network device's ability to forward data streams, so that simulated users can access the network reliably after authentication. This test method can effectively expose potential faults in the network device and thereby improve the performance of the network device. The test terminal also tests the user capacity of the network device and can test the state of the network device under a large number of users as in a real network, which avoids the situation where the network device crashes when a large number of users authenticate at the same time. The test method can therefore improve the stability and reliability of the network device.
In this embodiment, the tester is a device made up of hardware equipment and/or application software running on the hardware equipment, and may be equipment such as IXIA or SmartBits. An IXIA tester, for example, consists of IXIA hardware, such as the IXIA 1600T chassis, and application software running on that hardware, such as IxExplorer and IxNetwork. It can fully control the generation and analysis of layer 2-4 traffic on modules of various network interface types, including Ethernet, 10GB Ethernet, POS (Packet over SONET), asynchronous transfer mode (ATM), frame relay and so on. Each IXIA test port can be configured with its own custom data streams, filter conditions and capture capacity. It provides comprehensive statistics and graphical reports, allowing in-depth analysis of the performance and functions of the device under test (DUT). The tester can automatically generate the test data stream from the information in the downloaded configuration file. The tester may also be implemented in software, that is, as software that sends packets. In a concrete test it can be configured flexibly as required.
When implemented in hardware, one test port of the tester is connected to the hub by Category 5 twisted pair or optical fiber cable, and another port is connected to the uncontrolled port of the network device by Category 5 twisted pair or optical fiber cable.
Ordinary client authentication software authenticates a single user: one client authenticates one user and does not allow several users to be authenticated at once. When such software is installed on the test terminal, it can therefore simulate the authentication of only one user. To simulate a large number of users on the test terminal, this embodiment uses multi-user client authentication software. The multi-user client authentication software is installed on the test terminal and works from a configuration file obtained from the file server. This configuration file holds the authentication information fields of a large number of simulated users, namely the user ID, the authentication password and the MAC address of the user PC, and may also include the IP address of the user PC. When the multi-user client authentication software runs, it follows the test procedure set in it, obtaining in sequence the user ID, authentication password and MAC address of the user PC of each simulated user (and, where included, the IP address of the user PC) and authenticating them one after another. When the authentication of one simulated user finishes, the multi-user client authentication software automatically records whether that simulated user passed authentication and proceeds to authenticate the next simulated user. By setting up the test procedure of this multi-user client authentication software on the test terminal, the authentication of a large number of users can be simulated, which achieves the purpose of testing the user capacity of the network device.
As shown in Figure 5, the multi-user client authentication software in this embodiment is implemented by the following components: a parameter storage and result display module 501, a parameter providing module 502 and a client authentication module 503. The modules are connected to one another.
Wherein, parameter storage and as a result display module 501 can finish the client certificate software of multiple user authentications and tester alternately, the authentication information field of each analog subscriber of parameter storage and display module 501 preservation testers settings as a result can also be preserved simultaneously other information of setting, user ID for example, user's number, authentication password, the MAC Address of user PC, the IP address of user PC can also be provided with authentication cycle period etc. according to the needs of test simultaneously.This module receives the authentication information of client certificate module 503 simultaneously, the authentication result that statistics client certificate module 503 is returned, give the tester with statistical result showed, the statistics that shows comprises, the number of analog subscriber success identity, the number of failure authentication, specifically each analog subscriber result such as authentication success whether.
And, parameter is stored and the quantity of the analog subscriber authentication information of display module 501 can be according to the test request setting as a result, for example be 4000,2000 etc., the user authentication information field of simulation comprises user ID, user's number, authentication password, the IP address of the MAC Address of user PC and user PC.By the operation of tester to the client certificate of multiple user authentications, multiple user authentications client certificate software can be preserved the user authentication information that is provided with get off with the form of text automatically.As long as this text is derived, be stored on the file server 402, in the concrete test process, utilize the client certificate software of multiple user authentications, download and open the text of preservation from file server 402, will import the user authentication information of setting automatically.
Parameter provides module 502, receive the data such as authentication information of the analog subscriber of parameter storage and display module 501 transmissions as a result, and, provide corresponding simulating user's authentication information field to client certificate module 503 according to the parameters for authentication information of the analog subscriber of client certificate module 503.For example this parameter provides the authentication information of the analog subscriber of parameter storage that module 502 receives and display module 501 transmissions as a result, comprise, user ID, user's number, authentication password, the IP address of the MAC Address of user PC and user PC, and the parameters for authentication information of the analog subscriber that client certificate module 503 needs comprises user ID, the MAC Address of authentication password and user PC, then parameter provides module 502 to comprise user ID, the authentication information field of the MAC Address of authentication password and user PC to these client certificate module 503 transmissions.Wherein the authentication information field that comprises in the authentication information of the analog subscriber of these client certificate module 503 preservations is identical with the authentication information field of preservation in the certificate server 32, also preserve the user ID of analog subscriber in the authentication authorization and accounting server 32, the mac address information of authentication password and user PC.
The client authentication module 503 sends the authentication parameter information of the simulated user to the parameter providing module 502, performs authentication according to the IEEE 802.1x protocol and the simulated-user authentication information fields that the parameter providing module 502 supplies, and returns the authentication result to the parameter storage and result display module 501.
In this embodiment of the invention, to monitor the network equipment, the console (CONSOLE) port of the network equipment is connected by cable to a serial interface on the mainboard of the monitor terminal. The CONSOLE port is a port that the network equipment provides specifically for configuring and managing the equipment. Monitoring software runs on the monitor terminal and monitors the network equipment.
During an actual test, an automation script is downloaded from the file server and loaded into the monitoring software. The automation script file can be a text file written in an automation scripting language such as VBScript or JavaScript. Its content mainly consists of periodic configuration commands that configure the network equipment automatically. These configuration commands comprise a command that monitors the performance of the network equipment, or a command that controls whether the network equipment executes the content of a saved configuration file, or a command that controls the information saved by the network equipment. The commands that monitor the performance of the network equipment comprise: checking the utilization of the central processing unit (CPU) of the network equipment, or checking the memory usage of the network equipment. The commands that control whether the network equipment executes the content of the saved configuration file comprise: making the network equipment execute the IEEE 802.1x protocol content of the saved configuration file, or making the network equipment not execute the IEEE 802.1x protocol content of the saved configuration file. The commands that control the information saved by the network equipment comprise: checking the authentication information, saved by the network equipment, of the simulated users that have passed authentication, or deleting the MAC address entries of the network equipment and the authentication information of the simulated users that have passed authentication.
After the automation script is loaded, the monitoring software automatically executes the commands in the script and sends the configuration commands to the network equipment. The network equipment performs the operation corresponding to each configuration command and outputs the execution result to the testing apparatus; when an abnormality occurs in the equipment, the network equipment also outputs the corresponding abnormality information to the testing apparatus. The inputs and the output results are recorded in the monitoring log, which is kept in the testing apparatus. As shown in Figure 6, the monitoring software records the monitoring log in real time as a text file. For every input and output entry it automatically records a timestamp, which indicates the moment at which that entry was recorded.
The file server stores the configuration file for the network equipment, the configuration file for the tester's test data, the script that the monitor terminal runs automatically and the test monitoring log, the configuration file for the test terminal, and the simulated-user authentication information configuration file for the authentication server. The simulated-user authentication information fields in the authentication server's configuration file are the same as those in the test terminal's configuration file. For example, if the authentication server's configuration file stores the simulated user's user ID, authentication password, MAC address of the user's PC and IP address of the user's PC, then the test terminal's configuration file likewise contains the user ID, authentication password, MAC address of the user's PC and IP address of the user's PC. If the authentication server's configuration file stores the simulated user's user ID, authentication password and MAC address of the user's PC, then the test terminal's configuration file likewise contains the user ID, authentication password and MAC address of the user's PC. This guarantees that the test data the test terminal sends to the network equipment can be authenticated at the authentication server. In this embodiment the monitor terminal can serve as the file server, that is, the configuration files are stored on the monitor terminal.
The method of testing the network equipment is described in detail below through a specific embodiment. As shown in Figure 7, it comprises the following steps:
Step 701: According to the corresponding configuration file downloaded from the file server, the multi-user authentication client software on the test terminal imports the authentication data stream to be tested. This authentication data stream contains the authentication information of a predetermined number of simulated users. The authentication information of these simulated users is sent to the network equipment in turn, and each simulated user is authenticated according to the IEEE 802.1x protocol and the authentication information of each simulated user contained in the authentication data stream. The client software keeps its own count of the simulated users that pass verification.
The authentication information of a simulated user comprises the following fields: user ID, authentication password, MAC address of the user's PC and IP address of the user's PC. The simulated-user authentication information fields stored in the authentication server likewise comprise the user ID, authentication password, MAC address of the user's PC and IP address of the user's PC. Figure 8 shows the authentication information of the predetermined number of simulated users as simulated by the multi-user authentication client software.
In this embodiment the predetermined number of simulated users is 4000, that is, 4000 users are simulated. The user ID serves here as the simulated user name; it starts at 1x00000001 and increments through 4000 values, ending at 1x00004000. The authentication password is uniformly 000000, that is, six 0s. The MAC address of the user's PC starts at 0000.0000.0001 and increments through 4000 values, ending at 0000.0000.0FA0. The IP address of the user's PC starts at 172.16.0.1/20 and increments through 4000 values, ending at 172.16.15.250/20. For example, the authentication information of the first simulated user is 1x00000001, 000000, 0000.0000.0001 and 172.16.0.1/20.
Step 702: According to the information in the corresponding configuration file downloaded from the file server, the tester continuously sends a test data stream to the network equipment for one test-flow cycle, and judges from the correctly received data stream returned by the network equipment whether the network equipment forwards the data stream normally.
The test-flow cycle is the time that the multi-user authentication client software needs to finish authenticating all of the predetermined number of simulated users. In this embodiment the test-flow cycle can be set flexibly according to the test needs.
This data stream can be IP traffic that simulates the normal exchange of authenticated users. For example, with 4000 simulated users, the data of 4000 simulated users is simulated: the IP data sent by each simulated user is simulated, giving 4000 IP data items in total. The source MAC field and source IP field of each simulated IP data item are consistent with the MAC field and IP field in the authentication information of the corresponding simulated user. The destination MAC field and destination IP field are the source MAC field and source IP field of the receiving user that the tester simulates on the uncontrolled port of the network equipment, that is, the address of the tester. For example, the first IP data item has source MAC field 0000.0000.0001, source IP field 172.16.0.1, destination MAC field 0000.1000.0000 and destination IP field 192.168.1.1. This shows that the authentication information contains a simulated user PC whose MAC field is 0000.0000.0001 and whose IP field is 172.16.0.1, and that the receiving user the tester simulates on the uncontrolled port of the network equipment has source MAC field 0000.1000.0000 and source IP field 192.168.1.1. In this embodiment there can be one simulated receiving user or several.
This test mode checks whether the network equipment correctly forwards the data of simulated users that have passed authentication: when a simulated user passes authentication, its data can be forwarded, and the data of simulated users that have not passed authentication cannot be forwarded. Other forms of data stream can of course also be used to test whether the network equipment forwards data streams normally.
The test data stream can also be an attack data stream, for example: packets whose source MAC and destination MAC addresses are all 0s or all Fs, IP packets whose time to live (TTL) is 0 or 1, packets with cyclic redundancy check (CRC) errors, packets shorter than 64 bytes or longer than 1518 bytes, multicast packets and broadcast packets. The destination MAC address and destination IP address of each attack data item are not the MAC address and IP address of the tester. This tests the ability of the network equipment to handle attack data: if the tester receives the attack data stream, the data-forwarding function of the network equipment is abnormal. At the same time, the CPU and memory usage of the network equipment is monitored while it processes the attack data stream, in order to judge its capacity to process the test data stream and the authentication data stream. In an actual test, the quantity of attack data can be chosen so as to achieve a reasonable test.
The order of step 701 and step 702 can be exchanged.
Step 703: According to the corresponding configuration file downloaded from the file server, the monitor terminal executes the automation script and inputs the periodic automated configuration commands to the network equipment.
These configuration commands can be commands that monitor the performance of the network equipment, or commands that control whether the network equipment executes the content of a saved configuration file, or commands that control the information saved by the network equipment. The commands that monitor the performance of the network equipment comprise: checking the utilization of the central processing unit (CPU) of the network equipment, or checking the memory usage of the network equipment. The commands that control whether the network equipment executes the content of the saved configuration file comprise: making the network equipment execute the IEEE 802.1x protocol content of the saved configuration file, or making the network equipment not execute the IEEE 802.1x protocol content of the saved configuration file. The commands that control the information saved by the network equipment comprise: checking the authentication information, saved by the network equipment, of the simulated users that have passed authentication, or deleting the MAC address entries of the network equipment and the authentication information of the simulated users that have passed authentication. During monitoring, any one of the above commands or a combination of several can be used to monitor the network equipment periodically. While the network equipment is being controlled, the results it executes are recorded in real time, and the inputs and output results are saved in the test log.
The order of step 703 and step 702 can be exchanged.
Step 704: After the test flow finishes, the test results are analyzed.
Testing the data-stream forwarding capability comprises:
When the test data stream is a simulated-user data stream, if the tester receives the simulated-user data stream forwarded by the network equipment within the set time, it judges whether the network equipment forwards this simulated-user data stream normally according to the source address information of the simulated-user packets and the stored authentication information of the authentication server for the simulated users;
and when the source address of each simulated-user data item is the address of a stored simulated user that has passed authentication, it judges whether the network equipment forwards the simulated-user test data normally according to the number of normally forwarded simulated-user data items that the tester receives and the number of stored simulated-user authentication records.
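The following is an added example, not part of the original document, that builds the simulated-user table of the 4000-user embodiment and applies the step 704 forwarding judgment, including the attack-stream check from step 702. The function names and the frame tuples are hypothetical, and the layout of 250 host addresses per third-octet block is an assumption chosen because it reproduces the stated first and last IP addresses.

```python
from typing import Iterable, NamedTuple

# Receive address the tester simulates on the uncontrolled port (from the embodiment).
TESTER = ("0000.1000.0000", "192.168.1.1")

class SimUser(NamedTuple):
    user_id: str
    password: str
    mac: str
    ip: str

def dotted_mac(n: int) -> str:
    """Format an integer as a dotted-hex MAC, e.g. 4000 -> 0000.0000.0FA0."""
    h = f"{n:012X}"
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def make_users(count: int = 4000, hosts_per_block: int = 250) -> list:
    """Build the simulated-user table.

    Assumption: host octets run 1..250 within each third-octet block, which
    reproduces the stated range 172.16.0.1 .. 172.16.15.250 for 4000 users.
    """
    users = []
    for i in range(count):
        block, host = divmod(i, hosts_per_block)
        users.append(SimUser(f"1x{i + 1:08d}", "000000",
                             dotted_mac(i + 1), f"172.16.{block}.{host + 1}"))
    return users

def judge_forwarding(authenticated: Iterable[SimUser], received, tester=TESTER) -> dict:
    """Step 704 verdict from frames the tester captured.

    received: (src_mac, src_ip, dst_mac, dst_ip) tuples. Forwarding is normal
    only if every authenticated user's frame arrived and nothing else did.
    """
    allowed = {(u.mac, u.ip) for u in authenticated}
    seen, unexpected = set(), []
    for src_mac, src_ip, dst_mac, dst_ip in received:
        src = (src_mac, src_ip)
        if (dst_mac, dst_ip) == tester and src in allowed:
            seen.add(src)
        else:
            # Unauthenticated user or attack frame that should have been dropped.
            unexpected.append((src_mac, src_ip, dst_mac, dst_ip))
    missing = sorted(allowed - seen)
    return {"normal": not unexpected and not missing,
            "forwarded": len(seen), "expected": len(allowed),
            "missing": missing, "unexpected": unexpected}

if __name__ == "__main__":
    users = make_users()
    passed = users[:3]  # constructed: pretend only three users authenticated
    frames = [(u.mac, u.ip, *TESTER) for u in passed]
    frames.append((users[3].mac, users[3].ip, *TESTER))  # constructed leak
    frames.append(("0000.0000.0000", "10.0.0.1", "FFFF.FFFF.FFFF", "10.0.0.2"))  # constructed attack frame
    print(judge_forwarding(passed, frames))
```

The `missing` list identifies authenticated users whose traffic was dropped, and `unexpected` lists frames that reached the tester although the equipment should have blocked them.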
Because the multi-user authentication client software on the test terminal can authenticate each simulated user according to the IEEE 802.1x protocol and tally the authentication results, while the test terminal also receives and tallies the results that the network equipment returns after authentication by the authentication server, the test terminal can judge from these two sets of statistics whether the network equipment provides correct authentication service to the predetermined number of simulated users. Moreover, because the network equipment has a rated user capacity, when the number of simulated users to be authenticated that the test terminal sends to the network equipment exceeds this rated capacity, the authentication results received by the test terminal are used to judge whether, in that case, the network equipment is unable to provide authentication service to any simulated user.
The capacity of the network equipment to process the data stream is judged from the CPU utilization or the memory utilization that the network equipment returns.
During the test, the results output by the network equipment are analyzed to determine whether the equipment has crashed, run low on memory or had its console hang, whether simulated users were unable to authenticate, and whether other error messages occurred. The test output can also be used to improve the test process and optimize the test method of the testing software, thereby achieving a good test effect.
The method of testing network equipment provided by this embodiment of the invention tests the network equipment's authentication of a predetermined number of simulated users by using, during the authentication of the simulated users, both the self-tallied authentication results and the authentication results returned by the network equipment. At the same time, during the authentication of the simulated users, it tests how the network equipment forwards the simulated users' data streams. In this way the data-stream forwarding capability of the network equipment is tested effectively.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.