CN113452564B - Fault diagnosis method and device based on ACL - Google Patents

Fault diagnosis method and device based on ACL

Info

Publication number: CN113452564B
Authority: CN (China)
Prior art keywords: interface, acl, acl rule, interfaces, board card
Legal status: Active
Application number: CN202110726736.7A
Other languages: Chinese (zh)
Other versions: CN113452564A (en)
Inventors: 郑磊, 赵旭东, 秦德楼
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events:
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202110726736.7A
Publication of CN113452564A
Application granted
Publication of CN113452564B
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an ACL (access control list) based fault diagnosis method and device, applied to a network device that contains a plurality of internal boards. The method comprises the following steps: in response to an issuing instruction triggered by a user, issuing ACL rules to at least some of the interfaces to be diagnosed on the internal boards of the network device, where the ACL rule counts the number of messages passing through the interface; in response to a fault detection instruction triggered by the user, enabling the ACL rule issued to the interface so that the interface executes the rule and counts the messages passing through it; and acquiring the statistical result produced by the interface executing the ACL rule and, based on that result, determining which interface is a fault interface with abnormal traffic forwarding. By dividing the traffic forwarding path inside the network device into segments, the technical scheme reduces the difficulty of fault diagnosis and improves its efficiency.

Description

Fault diagnosis method and device based on ACL
Technical Field
The present application relates to the field of communications technologies, and in particular, to a fault diagnosis method and apparatus based on an ACL.
Background
As network applications have proliferated, the network risks users face have grown more complex, and several security devices are often deployed on one link to protect the user's network. For example, firewall devices are deployed to filter traffic, IPS devices to handle attack protection, and DDOS devices to handle traffic cleaning, among others. However, when one of these devices fails, a network failure may occur across the area served by that link, which increases the complexity of managing the network devices.
Disclosure of Invention
In view of this, in order to solve the problem of low efficiency and high difficulty in fault diagnosis, the present application provides a fault diagnosis method and apparatus based on an ACL.
Specifically, the method is realized through the following technical scheme.
In a first aspect, the present application provides an ACL-based fault diagnosis method, applied to a network device that includes a plurality of internal boards; the method comprises the following steps:
responding to an issuing instruction triggered by a user, and respectively issuing ACL rules to at least part of interfaces to be diagnosed in an internal board card of the network equipment; the ACL rule is used for counting the number of messages passing through the interface;
enabling an ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and acquiring a statistical result obtained by the interface through executing the ACL rule, and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
In a second aspect, the present application further provides an ACL-based fault diagnosis apparatus, which is applied to a network device, where the network device includes multiple internal boards; the device includes:
the issuing unit is used for responding to an issuing instruction triggered by a user and respectively issuing ACL rules to at least part of interfaces to be diagnosed in an internal board card of the network equipment; the ACL rule is used for counting the number of messages passing through the interface;
the statistical unit is used for responding to a fault detection instruction triggered by the user, starting an ACL rule issued to the interface so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and the computing unit is used for acquiring a statistical result obtained by the interface through executing the ACL rule and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
by respectively issuing the ACL rules to the interfaces to be diagnosed, each interface can count the number of messages passing through the interface by executing the corresponding ACL rules, and determine the fault interface with abnormal flow forwarding in the interface based on the statistical result, thereby realizing the segmentation of the flow forwarding path in the network equipment, reducing the difficulty of fault diagnosis and improving the efficiency of fault diagnosis.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
FIG. 1 is a schematic diagram of a network device according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart of an ACL-based fault diagnosis method according to an exemplary embodiment of the present application;
FIG. 3 is a flow chart of another ACL-based fault diagnosis method according to an exemplary embodiment of the present application;
FIG. 4 is a hardware configuration diagram of an electronic device hosting an ACL-based fault diagnosis apparatus according to an exemplary embodiment of the present application;
FIG. 5 is a block diagram of an ACL-based fault diagnosis apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining", depending on the context.
Currently, different service boards that process the multiple network security services mentioned above can be deployed in one frame-type (chassis) network device to integrate the security functions. At the same time, a flow definition technology lets traffic be scheduled flexibly among the boards in the chassis, steering it to the different service boards for processing; this merges the network security services and simplifies management.
Referring to fig. 1, fig. 1 is a schematic diagram of a network device according to an exemplary embodiment of the present application, and as shown in fig. 1, the network device is configured with a switch board, an interface board, and a plurality of service boards.
For example, the service boards shown in fig. 1 may include FW service boards for firewall device services, ADX service boards for load balancing device services, IPS service boards for attack protection device services, UAG service boards for auditing flow control device services, and DDOS service boards for traffic cleaning device services.
The switching chip built into the switch network board and the switching chips built into the other boards forward traffic across boards through internal interconnection ports;
for example, IETH1 to IETH6 shown in FIG. 1 are interconnected with IETHA to IETHF, respectively.
The interface board receives and forwards traffic through the interfaces that connect it to the outside;
for example, ETH1 shown in FIG. 1 is the ingress interface that receives traffic from the upstream device, and ETH2 is the egress interface that forwards traffic to the downstream device.
The switching chip built into each service board is responsible for sending traffic to that board's built-in CPU for service processing;
for example, IETHA to IETHF shown in FIG. 1 are interconnected with IETHH to IETHL, respectively.
Specifically, the network device may schedule traffic among the boards based on a flow definition technology; for example, the forwarding flow of the packet shown in FIG. 1 is as follows:
traffic sent by the upstream device to the downstream device enters the interface board of the network device through the external interface ETH1; the flow definition steers the traffic from the interface board through the switch network board to the CPU built into the DDOS service board for traffic cleaning, along the path IETHF → IETH6 → IETH5 → IETHE → IETHL; after the DDOS service board has finished processing, the flow definition steers the traffic to the next service board, namely the UAG service board for the audit flow control service, along the path IETHL → IETHE → IETH5 → IETH4 → IETHD → IETHK;
subsequently, the flow definition steers the traffic to each following service board in turn, and after every service board has processed it, the traffic is sent to the downstream device through the external interface ETH2. The remaining forwarding path can be read from FIG. 1 and is not described again.
Traffic scheduling among the boards is thus realized through the flow definition technology: the switching chip built into each board controls the cross-board transmission of the traffic, and the built-in CPU processes the corresponding network service, forming a solution that integrates multiple network services in one network device.
However, because the traffic is forwarded several times across the multiple boards inside the device, it is difficult to track. When traffic is abnormal, the forwarding situation inside the network device has to be examined, and because every network service lies on the forwarding path, the failed service board node can only be determined by bypassing or disabling each service board in turn and observing whether the service recovers.
On the one hand, this diagnosis procedure is too cumbersome, so the fault is hard to clear in time; fault diagnosis is inefficient and difficult. On the other hand, in some cases the traffic must not be taken out of service, for example proxy traffic, which can cause a wider network anomaly once disabled. In addition, when traffic is forwarded across boards, packet loss may also occur in the interaction between switching chips, which causes a traffic abnormality, and observing only the service boards may lead to a misjudgment of the fault.
In view of this, the present application provides a technical solution that issues ACL rules to at least some interfaces of the network device and determines the fault interface with abnormal traffic forwarding based on the statistical results of those ACL rules.
When the method is realized, an ACL rule is respectively issued to at least part of interfaces to be diagnosed in an internal board card of the network equipment in response to an issuing instruction triggered by a user; the ACL rule is used for counting the number of messages passing through the interface;
enabling an ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and acquiring a statistical result obtained by the interface through executing the ACL rule, and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
For example, abnormal traffic features extracted from the abnormal traffic are used as the matching items of the ACL rules, and at least some of the interfaces on the traffic path are chosen as the interfaces to be diagnosed according to the internal forwarding path of the abnormal traffic through the internal boards of the network device;
the created ACL rules are issued to the selected interfaces, so that once each interface enables its ACL rule, the features of the messages passing through it are matched against the matching items in the rule, and when a match is found the corresponding processing action in the rule is executed and the number of messages received by the interface is counted; the statistical result of each interface is then output, and the interface that is faulty during traffic forwarding is determined based on these statistics.
In the above technical solution, the ACL rules are respectively issued to the interfaces to be diagnosed, so that each interface can count the number of messages passing through itself by executing the corresponding ACL rules, and determine that a failure interface with abnormal traffic forwarding exists in the interface based on the statistical result, thereby implementing the segmentation of the traffic forwarding path in the network device, thereby reducing the difficulty of failure diagnosis and improving the efficiency of failure diagnosis.
Next, examples of the present application will be described in detail.
Referring to fig. 2, fig. 2 is a flowchart illustrating an ACL-based fault diagnosis method according to an exemplary embodiment of the present application, and as shown in fig. 2, the method includes the following steps:
step 201: responding to an issuing instruction triggered by a user, and respectively issuing ACL rules to at least part of interfaces to be diagnosed in an internal board card of the network equipment; the ACL rule is used for counting the number of messages passing through the interface;
step 202: enabling an ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
step 203: and acquiring a statistical result obtained by the interface through executing the ACL rule, and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
The network equipment comprises a plurality of internal board cards.
Specifically, the network device may be a frame-type network device, and a plurality of slots are built in the network device for accessing various boards.
For example, a switch network board for implementing forwarding of traffic across boards, an interface board for accessing or transferring traffic out of a network device, and a service board for processing various network services.
In one illustrated embodiment, the network device may be a gateway device.
For example, the network device may be an integrated security gateway device that integrates three functions of routing switching, network security, and application delivery, and implements scheduling of traffic among boards by using a flow definition technology.
In this embodiment, in response to an issue instruction triggered by a user, ACL rules are issued to at least part of interfaces to be diagnosed in an internal board card of the network device, respectively; and the ACL rule is used for counting the number of the messages passing through the interface.
The issued instruction may be triggered by software for fault diagnosis in an operating system of the network device, or may be triggered by separately developed client software for fault detection that is interfaced with the network device.
For example, a user may trigger an ACL rule issuing instruction by inputting a corresponding command in a command line tool, and send the created ACL rule to an internal board card of the network device;
for another example, the user may create an ACL rule in the client interface, click the issue button, trigger an ACL rule issue instruction, and send the ACL rule to the internal board card of the network device.
In one illustrated embodiment, the internal boards include at least an interface board and/or a service board, and the interfaces include at least an external interface and/or an internal interconnection interface of the network device.
For example, an external interface of the network device may be an interface through which an interface board connects to other external devices, that is, the input interface on which the interface board receives external traffic and the output interface through which it forwards traffic out.
The internal interconnection interfaces are the interconnection interfaces inside the internal boards of the network device;
for example, the interface between the switching chip built into the interface board and the switching chip built into the switch network board, the interface between the switching chip built into a service board and that board's built-in CPU, and the interface between the switching chip built into a service board and the switching chip built into the switch network board of the gateway device.
In an embodiment shown, the at least part of the interfaces to be diagnosed includes an interface of the abnormal traffic on an internal forwarding path in an internal board of the network device;
furthermore, an ACL rule may be issued to each interface of the abnormal traffic on the internal forwarding path in the internal board card of the network device, respectively.
For example, as shown in fig. 1, the internal forwarding path of traffic between the service boards of the network device may be used to determine the interfaces of the traffic path, and determine at least part of the interfaces from these interfaces as the interfaces to be diagnosed.
Further, after knowing the forwarding path of the abnormal traffic and the interfaces of the paths, the user may specify that ACL rules are issued to certain interfaces.
In one embodiment shown, the at least part of the interfaces to be diagnosed includes at least one interface in an internal board of the network device specified by the user.
For example, a user may specify a plurality of interfaces of an abnormal traffic path, issue an ACL rule to the interfaces, enable the interfaces to execute the ACL rule, and count the number of messages passing through the interfaces.
It should be noted that before issuing an ACL rule, in addition to the interface to be diagnosed, an ACL rule needs to be created.
In one embodiment shown, the ACL rules include a correspondence of matching items and processing actions; the matching item comprises abnormal flow characteristics extracted from abnormal flow; the processing action comprises counting the number of messages received by the interface.
ACL (Access Control List) is a packet-filtering based access control technique: it filters the data packets on an interface according to configured rules and either permits them to pass or drops them. ACLs are widely used on routers and layer-3 switches; with them, users' access to the network can be controlled effectively, which helps secure the network as far as possible.
Generally, all switching chips of a network device support an ACL technology, and an ACL rule is set for an interface of the network device, so that the ACL rule can be used to control data packets flowing in and out of the interface traffic.
The ACL rules can perform specific processing actions, such as speed limiting, redirection, statistics, and the like, on the messages satisfying the characteristics by matching the specified characteristics of the messages.
For example, if the matching item in the ACL rule is the destination IP of 192.168.10.11 and the corresponding processing action is blocking, then when a message with the destination IP of 192.168.10.11 is received, the corresponding processing action is performed on the message as blocking because the specified feature of the message matches with the matching item in the ACL rule.
It is worth noting that only one ACL rule can be applied per interface in each direction.
Therefore, in order to make the interface perform a statistical processing action on the abnormal traffic, the abnormal traffic features must be extracted from the abnormal traffic as the matching items of the ACL rule, and counting the number of messages of the abnormal traffic passing through the interface in a specific direction must be used as the processing action of the ACL rule.
For example, assume the abnormal traffic features extracted from the abnormal traffic are a source IP of 192.168.2.8 and a destination IP of 100.100.2.8; the ACL rules issued to the interface IETHF on the interface board can then be as shown in Table 1 below:
Matching items | Processing action
Source IP = 192.168.2.8, destination IP = 100.100.2.8 | Count the number of messages passing in the incoming direction
Source IP = 192.168.2.8, destination IP = 100.100.2.8 | Count the number of messages passing in the outgoing direction
TABLE 1
Further, the message characteristics corresponding to the message received by the interface can be acquired, and the message characteristics are matched with the matching items in the ACL rule; and if the ACL rule is matched with the matched item, executing the processing action corresponding to the matched item in the ACL rule, and counting the number of the messages received by the interface.
In one embodiment, the abnormal flow feature extracted from the abnormal flow includes at least part of the content of the quintuple feature.
It should be noted that, those skilled in the art can make matching items in the ACL rules based on actual failure conditions by combining with the actual requirement to select part of the content of the quintuple feature.
For example, when all services in a network segment are abnormal, a source IP and a destination IP can be selected as abnormal traffic characteristics; for another example, when a service of a certain port number is abnormal, a source IP, a destination IP, and a failed port number may be selected as the abnormal traffic characteristics.
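As an added illustration (not code from the patent or from DPTech), the following Python models a counting ACL rule as the description defines it: the matching items are a subset of the quintuple (fields left as None are wildcards, so the same class covers both the "source and destination IP only" case and the "plus port number" case above), the processing action is counting rather than permit or deny, each interface holds at most one rule per direction, and the counters only run once the rule has been enabled by the fault detection instruction. The class and function names and the sample packets are constructed for this example.

```python
"""Added example (not the patent's or DPTech's code): an ACL rule whose
processing action is 'count', matching on a subset of the quintuple and
keeping one counter per direction on an interface."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class CountingAclRule:
    """Matching items extracted from the abnormal traffic; None fields are wildcards."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        for name in ("src_ip", "dst_ip", "proto", "src_port", "dst_port"):
            want = getattr(self, name)
            if want is not None and getattr(pkt, name) != want:
                return False
        return True


class Interface:
    """Models one interface of a board: at most one counting rule per direction."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: Dict[str, CountingAclRule] = {}
        self.counts: Dict[str, int] = {"in": 0, "out": 0}
        self.enabled = False

    def issue(self, direction: str, rule: CountingAclRule) -> None:
        if direction not in ("in", "out"):
            raise ValueError(f"unknown direction {direction!r}")
        # Only one rule per direction: a new rule replaces the old one.
        self.rules[direction] = rule

    def enable(self) -> None:
        """The fault detection instruction: start the rule and zero the counters."""
        self.enabled = True
        self.counts = {"in": 0, "out": 0}

    def process(self, direction: str, pkt: Packet) -> None:
        """A packet passes the interface; count it only if the enabled rule matches."""
        rule = self.rules.get(direction)
        if self.enabled and rule is not None and rule.matches(pkt):
            self.counts[direction] += 1


def run_demo() -> Dict[str, int]:
    # Constructed traffic, not captured data. The abnormal flow is
    # 192.168.2.8 -> 100.100.2.8, the matching items of Table 1.
    rule = CountingAclRule(src_ip="192.168.2.8", dst_ip="100.100.2.8")
    iethf = Interface("IETHF")
    iethf.issue("in", rule)
    iethf.issue("out", rule)
    bad = Packet("192.168.2.8", "100.100.2.8", "tcp", 40000, 443)
    other = Packet("10.0.0.5", "100.100.2.8", "tcp", 40001, 443)
    iethf.process("in", bad)       # rule not yet enabled: not counted
    iethf.enable()
    for _ in range(3):
        iethf.process("in", bad)
    iethf.process("in", other)     # different source IP: not counted
    for _ in range(2):
        iethf.process("out", bad)
    return dict(iethf.counts)       # {"in": 3, "out": 2}


if __name__ == "__main__":
    print(run_demo())
```

Because a wildcard field never vetoes a match, narrowing the rule to a failed port (the second case in the text) is just a matter of setting dst_port on the same class; the per-direction counters are what the later path comparison consumes.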
In order to issue the ACL rules to the interfaces to be diagnosed, the ACL rules corresponding to each interface may be issued to the board card where the interface is located, and the switching chip built in the board card is responsible for maintenance, and further, the switching chip issues the ACL rules to the interfaces to be diagnosed.
In an embodiment shown in the figure, an ACL rule is issued to an internal board where at least part of the interfaces to be diagnosed are located, so that a switching chip of the internal board maintains the ACL rule, and the ACL rule is issued to at least part of the interfaces to be diagnosed.
For example, take the forwarding path ETH1 → IETHF → IETH6 → IETH5 → IETHE → IETHL shown in FIG. 1, along which the abnormal traffic flows from the ingress interface of the interface board to the CPU built into the DDOS service board for traffic cleaning. To issue ACL rules to the interfaces ETH1, IETHF, IETHE and IETHL to be diagnosed, ACL rules as shown in Table 2 below may be created and issued:
[Table 2 is only available as an image on the source page. From the text, it has four entries: entries 1 and 2 for ETH1 and IETHF on the interface board, and entries 3 and 4 for IETHE and IETHL on the DDOS service board.]
TABLE 2
In order to issue the ACL rules to the interfaces to be diagnosed, the ACL rule for each interface can be delivered, based on the board slot identifiers in the ACL rule issuing table, to the board on which that interface resides;
for example, the entries numbered 1 and 2 may be issued to the interface board in board slot No. 6, and the entries numbered 3 and 4 may be issued to the service board in board slot No. 5.
Furthermore, the switching chip of the board maintains the ACL rules and, based on the identifier of each interface to be diagnosed in the ACL rule issuing table, issues the ACL rule for each interface to the interface to be diagnosed that is interconnected with the switching chip;
for example, the switching chip of the interface board in board slot No. 6 may maintain the received ACL rule table, issue the ACL rule in the entry numbered 1 to the ETH1 interface, and issue the ACL rule in the entry numbered 2 to the IETHF interface.
In this embodiment, in response to the fault detection instruction triggered by the user, an ACL rule issued to the interface is started, so that the interface executes the ACL rule, and the number of messages passing through the interface is counted;
the failure detection instruction is similar to the issuing instruction, and may be triggered by software for failure diagnosis in an operating system of the network device, or may be triggered by separately developed client software for failure detection in docking with the network device.
For example, after a user issues a preset ACL rule to an interface to be diagnosed, the user may start fault detection by inputting a command or clicking a button, activate the respective ACL rule for the interface to be diagnosed, execute the ACL rule, and count the number of messages passing through the interface.
Specifically, when an ACL rule is executed on an interface to be diagnosed, a message characteristic corresponding to a received message can be acquired and matched with a matching item in a preset ACL rule; and if the matching is carried out, executing the processing action corresponding to the matching item in the ACL rule, and counting the number of the messages received by the interface.
In one embodiment shown, the number of messages passing through the interface from a particular direction may be counted;
wherein the specific direction comprises an incoming direction or an outgoing direction.
For example, the processing actions shown in table 1 or table 2 are used to count the number of packets passing in or out direction.
In this embodiment, a statistical result obtained by executing the ACL rule by the interface is obtained, and a failed interface with abnormal traffic forwarding is determined to exist in the interface based on the statistical result.
Before the statistical results are analyzed, the statistical result of each interface is output in response to a stop instruction from the user; alternatively, a statistics period can be preset and the statistical result of each interface within that period output. The application does not limit this, and a person skilled in the art can choose according to actual needs.
In one embodiment, the statistical result may be calculated based on a predetermined algorithm, and it is determined whether the variation of the number of packets passing through the interface reaches a threshold value; if yes, determining the interface as a fault interface with abnormal flow forwarding.
For example, taking Table 2, assume that the statistical results for the interfaces ETH1, IETHF, IETHE and IETHL are COUNT1 to COUNT4 respectively; the statistical results may then be evaluated with a preset algorithm to determine whether the variation in the number of messages passing through the interfaces reaches a threshold, and if so, the interface is determined to be a fault interface with abnormal traffic forwarding.
Specifically, (COUNT2 - COUNT3) / COUNT2 is calculated and compared with the threshold; if the threshold is reached, packet loss occurs between IETHF and IETHE, and the result may be output as: abnormal packet loss occurs when traffic is forwarded across boards from the interface board in board slot No. 6 to the DDOS service board in board slot No. 5, and IETHF is a fault interface with abnormal traffic forwarding;
if the threshold is not reached, (COUNT3 - COUNT4) / COUNT3 can be calculated next and likewise compared with the threshold; if the threshold is reached, packet loss occurs between IETHE and IETHL, and the result may be output as: abnormal packet loss occurs when traffic is forwarded across boards from the interface board in board slot No. 6 to the DDOS service board in board slot No. 5, and IETHE is a fault interface with abnormal traffic forwarding.
The threshold value can be set by a user according to actual requirements; in general, to improve the accuracy of fault detection, the threshold may be set to 1%.
In the above technical solution, the ACL rules are respectively issued to the interfaces to be diagnosed, so that each interface can count the number of messages passing through itself by executing the corresponding ACL rules, and determine that a failure interface with abnormal traffic forwarding exists in the interface based on the statistical result, thereby implementing the segmentation of the traffic forwarding path in the network device, thereby reducing the difficulty of failure diagnosis and improving the efficiency of failure diagnosis.
Referring to fig. 3, fig. 3 is a flowchart illustrating another ACL-based fault diagnosis method according to an exemplary embodiment of the present application. As shown in fig. 3, the method comprises the following steps:
S301: determine the interfaces to be diagnosed.
The characteristics of the abnormal traffic may be extracted and used as the matching items of the ACL rule; for example, the abnormal traffic characteristics may be part of the five-tuple.
Further, the internal forwarding path of the abnormal traffic through the internal boards of the network device, and the interfaces on that path, are determined;
at least some of those interfaces are determined to be the interfaces to be diagnosed, and the processing action in the ACL rule is determined according to the direction of the traffic at each interface.
For example, when a traffic anomaly occurs in the network device of fig. 1, assume that the extracted abnormal traffic characteristics are: source IP = 192.168.2.8, destination IP = 100.100.2.8, and protocol = 1;
the forwarding path of the abnormal traffic through the internal boards of the network device is as follows:
(1) Traffic sent by the upstream device to the downstream device enters the interface board of the network device through the external interface ETH1;
(2) Under flow-definition control, the traffic is sent from the interface board through the switching fabric board to the CPU built into the DDOS service board for the traffic cleaning service; the corresponding path is: IETHF → IETH6 → IETH5 → IETHE → IETHL;
(3) After the DDOS service board has processed the traffic, it is sent under flow-definition control to the UAG service board for the audit and flow control service; the corresponding path is: IETHL → IETHE → IETH5 → IETH4 → IETHD → IETHK;
(4) After the UAG service board has processed the traffic, it is sent under flow-definition control to the IPS service board for the protection service; the corresponding path is: IETHK → IETHD → IETH4 → IETH3 → IETHC → IETHJ;
(5) After the IPS service board has processed the traffic, it is sent under flow-definition control to the FW service board for the filtering service; the corresponding path is: IETHJ → IETHC → IETH3 → IETH2 → IETHB → IETHI;
(6) After the FW service board has processed the traffic, it is sent under flow-definition control to the ADX service board for the load balancing service; the corresponding path is: IETHI → IETHB → IETH2 → IETH1 → IETHA → IETHH;
(7) After the ADX service board has processed the traffic, it is sent under flow-definition control to the downstream device through the external interface ETH2; the corresponding path is: IETHH → IETHA → IETH1 → IETH6 → IETHF → ETH2.
S302: issue ACL rules to the interfaces to be diagnosed.
The ACL rule may also be created in advance and stored on the network device, which then, in response to an issue instruction triggered by the user, issues the ACL rule to at least some of the interfaces to be diagnosed on the internal boards of the network device;
in addition, the interfaces to be diagnosed may also be at least one interface on an internal board of the network device specified by the user.
Specifically, in response to an issue instruction triggered by the user, the ACL rule is issued to the internal board on which at least some of the interfaces to be diagnosed are located, so that the switch chip of that board maintains the ACL rule and the rule is issued to at least some of the interfaces to be diagnosed.
Continuing with fig. 1 as an example, and assuming that every interface on the traffic path is an interface to be diagnosed, the ACL rules shown in Table 3 may be created and issued to each interface:
[Table 3 is reproduced as an image in the original and is not available here]
TABLE 3
Further, according to the correspondence between each interface and its board in Table 3, the ACL rule may be sent, in response to an issue instruction triggered by the user, to the board of each interface based on the slot identifier of the board; the switch chip of the board maintains the ACL rule, and the rule is issued only to the interfaces to be diagnosed based on the interface identifier.
For example, entries 19 to 22 are issued to the board in slot 1, entries 15 to 18 to the board in slot 2, entries 11 to 14 to the board in slot 3, entries 7 to 10 to the board in slot 4, entries 3 to 6 to the board in slot 5, and entries 1, 2, 23 and 24 to the board in slot 6; the switch chip of each board maintains its ACL rules, and the rules are issued only to the interfaces to be diagnosed based on the interface identifier.
S303: perform fault detection and execute the ACL rules.
Specifically, in response to a fault detection instruction triggered by the user, the ACL rule issued to an interface is enabled, so that the interface executes the ACL rule and counts the packets passing through it;
furthermore, when an interface to be diagnosed executes the ACL rule, the packet characteristics of each packet received by the interface are obtained and matched against the matching items in the ACL rule; if they match, the processing action corresponding to the matching item is executed and the packet is counted among the packets received by the interface.
S304: analyze the statistical results to determine the fault interface.
Specifically, the statistical results are processed by a predetermined algorithm to determine whether the change in the number of packets passing through the interface reaches a threshold; if so, the interface is determined to be a fault interface with abnormal traffic forwarding.
Continuing with fig. 1 as an example, the statistical results of two adjacent interfaces to be diagnosed along the direction of the traffic path are processed by the preset algorithm, and the result is compared with the threshold.
For example, assuming that the statistical results for the interfaces numbered 1 to 24 in Table 3 are COUNT1 to COUNT24, (COUNT2 - COUNT3) / COUNT2 is calculated and compared with the threshold. If the threshold is reached, packet loss occurs between IETHF and IETHE, and the result may be output as: abnormal packet loss occurs when traffic is forwarded across boards from the interface board in slot 6 to the DDOS service board in slot 5, and IETHF is a fault interface with abnormal traffic forwarding;
if the threshold is not reached, (COUNT3 - COUNT4) / COUNT3 is calculated next and compared with the threshold. If the threshold is reached, packet loss occurs between IETHE and IETHL, and the result may be output as: abnormal packet loss occurs when traffic is forwarded across boards from the interface board in slot 6 to the DDOS service board in slot 5, and IETHE is a fault interface with abnormal traffic forwarding;
the remaining interfaces are judged in the same way and are not described further here.
Corresponding to the method embodiment, the application also provides an embodiment of an ACL-based fault diagnosis apparatus. The apparatus embodiment may be applied to an electronic device, and may be implemented in software, in hardware, or in a combination of the two. Taking a software implementation as an example, the apparatus as a logical device is formed when the processor of the electronic device on which it runs reads the corresponding computer program instructions from non-volatile memory into memory and executes them. In terms of hardware, fig. 4 shows the hardware structure of an electronic device hosting the ACL-based fault diagnosis apparatus according to an exemplary embodiment of the present application; besides the processor, memory, network interface and non-volatile memory shown in fig. 4, the electronic device may also include other hardware according to its actual function, which is not described further here.
Referring to fig. 5, fig. 5 is a block diagram of an ACL-based fault diagnosis apparatus according to an exemplary embodiment of the present application, and as shown in fig. 5, the ACL-based fault diagnosis apparatus 500 may be applied to the electronic device shown in fig. 4, and includes:
an issuing unit 501, configured to issue ACL rules, in response to an issue instruction triggered by a user, to at least some of the interfaces to be diagnosed on the internal boards of the network device; the ACL rule is used to count the packets passing through the interface;
a statistics unit 502, configured to enable the ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule and counts the packets passing through it;
a calculation unit 503, configured to obtain the statistical result produced by the interface executing the ACL rule, and to determine from that result that a fault interface with abnormal traffic forwarding exists among the interfaces.
In one embodiment, the ACL rule includes a correspondence between matching items and processing actions; the matching items include abnormal traffic characteristics extracted from the abnormal traffic; the processing action includes counting the packets received by the interface;
further, the statistics unit 502 includes:
a matching unit, configured to obtain the packet characteristics of each packet received by the interface and match them against the matching items in the ACL rule; if they match, the processing action corresponding to the matching item in the ACL rule is executed and the packet is counted among the packets received by the interface.
In an embodiment, the abnormal traffic characteristics extracted from the abnormal traffic include at least part of the five-tuple.
In an embodiment, the internal board card at least includes an interface board card and/or a service board card; the interface at least comprises an external interface and/or an internal interconnection interface of the network equipment.
In an embodiment, the at least part of the interfaces to be diagnosed includes an interface of the abnormal traffic on an internal forwarding path in an internal board of the network device;
further, the issuing unit 501 may be configured to:
and respectively issuing ACL rules to each interface of the abnormal flow on an internal forwarding path in an internal board card of the network equipment.
In an embodiment, the at least part of the interfaces to be diagnosed includes at least one interface in an internal board of the network device specified by the user.
In an embodiment, the issuing unit 501 may be configured to:
issue an ACL rule to the internal board on which at least some of the interfaces to be diagnosed are located, so that the switch chip of that board maintains the ACL rule and the rule is issued to at least some of the interfaces to be diagnosed.
In an embodiment, the statistics unit 502 may be configured to:
count the packets passing through the interface in a specific direction; the specific direction is the ingress direction or the egress direction.
In one embodiment, the calculation unit 503 includes:
a judging unit, configured to process the statistical result with a predetermined algorithm and determine whether the change in the number of packets passing through the interface reaches a threshold; if so, the interface is determined to be a fault interface with abnormal traffic forwarding.
The embodiments in the present application are described in a progressive manner; the same or similar parts of the embodiments refer to each other, and each embodiment focuses on its differences from the others. In particular, since the client device embodiment and the apparatus embodiment are substantially similar to the method embodiment, their description is relatively brief, and reference may be made to the relevant parts of the method embodiment.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant parts of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present application. A person of ordinary skill in the art can understand and implement this without inventive effort.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiment, the present specification also provides an embodiment of an electronic device. The electronic device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
responding to an issuing instruction triggered by a user, and respectively issuing ACL rules to at least part of interfaces to be diagnosed in an internal board card of the network equipment; the ACL rule is used for counting the number of messages passing through the interface;
enabling an ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and acquiring a statistical result obtained by the interface through executing the ACL rule, and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A fault diagnosis method based on ACL is applied to network equipment, wherein the network equipment comprises a plurality of internal board cards; the method comprises the following steps:
in response to an issue instruction triggered by a user, issuing ACL rules to at least some interfaces to be diagnosed on an internal board of the network device; wherein the at least some interfaces to be diagnosed comprise interfaces of the abnormal traffic on an internal forwarding path through the internal boards of the network device; the ACL rule is used for counting the number of packets passing through the interface; the internal board comprises at least an interface board and/or a service board; and the interface comprises at least an external interface and/or an internal interconnection interface of the network device;
enabling an ACL rule issued to the interface in response to a fault detection instruction triggered by the user, so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and acquiring a statistical result obtained by the interface through executing the ACL rule, and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
2. The method of claim 1, wherein the ACL rule comprises a correspondence between matching items and processing actions; the matching items comprise abnormal traffic characteristics extracted from the abnormal traffic; the processing action comprises counting the number of packets received by the interface;
the interface executes the ACL rules, including:
acquiring message characteristics corresponding to the message received by the interface, and matching the message characteristics with matching items in the ACL rule;
and if the ACL rule is matched with the matched item, executing the processing action corresponding to the matched item in the ACL rule, and counting the number of the messages received by the interface.
3. The method according to claim 2, wherein the abnormal traffic characteristics extracted from the abnormal traffic comprise at least part of the five-tuple.
4. The method of claim 1, the at least some interfaces to be diagnosed comprising at least one interface in an internal board of the network device specified by the user.
5. The method according to claim 1, wherein the issuing ACL rules to at least some interfaces to be diagnosed in an internal board of the network device respectively includes:
issuing an ACL rule to the internal board on which at least some of the interfaces to be diagnosed are located, so that the switch chip of the internal board maintains the ACL rule and issues the ACL rule to the at least some interfaces to be diagnosed.
6. The method of claim 1, wherein the counting the number of packets passing through the interface comprises:
counting the number of messages passing through the interface from a specific direction; wherein the specific direction comprises an incoming direction or an outgoing direction.
7. The method of claim 1, wherein determining, based on the statistical result, that a fault interface with abnormal traffic forwarding exists among the interfaces comprises:
calculating the statistical result based on a preset algorithm, and determining whether the variable quantity of the message quantity reaches a threshold value when the message passes through the interface;
if yes, determining the interface as a fault interface with abnormal flow forwarding.
8. A fault diagnosis device based on ACL is applied to network equipment, wherein the network equipment comprises a plurality of internal board cards; the device comprises:
an issuing unit, configured to issue ACL rules, in response to an issue instruction triggered by a user, to at least some interfaces to be diagnosed on an internal board of the network device; wherein the at least some interfaces to be diagnosed comprise interfaces of the abnormal traffic on an internal forwarding path through the internal boards of the network device; the ACL rule is used for counting the number of packets passing through the interface; the internal board comprises at least an interface board and/or a service board; and the interface comprises at least an external interface and/or an internal interconnection interface of the network device;
the statistical unit is used for responding to a fault detection instruction triggered by the user, starting an ACL rule issued to the interface so that the interface executes the ACL rule, and counting the number of messages passing through the interface;
and the computing unit is used for acquiring a statistical result obtained by the interface through executing the ACL rule and determining that a fault interface with abnormal flow forwarding exists in the interface based on the statistical result.
CN202110726736.7A 2021-06-29 2021-06-29 Fault diagnosis method and device based on ACL Active CN113452564B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110726736.7A CN113452564B (en) 2021-06-29 2021-06-29 Fault diagnosis method and device based on ACL

Publications (2)

Publication Number Publication Date
CN113452564A CN113452564A (en) 2021-09-28
CN113452564B true CN113452564B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant