CN114257516A - Network accessibility verification method and device and computer storage medium - Google Patents


Info

Publication number
CN114257516A
Authority
CN
China
Prior art keywords
network
target
path
tunnel
reachability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010987222.2A
Other languages
Chinese (zh)
Inventor
刘中喆
蔡宏坚
王璐林
周季钢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to EP21866059.5A (EP4203407A4)
Priority to PCT/CN2021/117568 (WO2022053007A1)
Publication of CN114257516A
Priority to US18/181,818 (US20230216763A1)
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0677 Localisation of faults
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00 Arrangements for monitoring or testing data switching networks > H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L43/0805 ... by checking availability > H04L43/0811 ... by checking availability by checking connectivity

Abstract

The application discloses a network reachability verification method and device and a computer storage medium, and belongs to the technical field of networks. The verification device acquires a source interface and a destination interface corresponding to a virtual packet in a target network, where the target network comprises an underlay network and an overlay network constructed on the underlay network. The verification device then verifies the reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of those forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface. The method and device realize single-layer reachability verification of the overlay network in the target network, with high verification accuracy.

Description

Network accessibility verification method and device and computer storage medium
The present application claims priority from Chinese patent application No. 202010954718.X entitled "network reachability verification method and apparatus, computer storage medium" filed 11/09/2020, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of network technologies, and in particular, to a method and an apparatus for verifying network reachability, and a computer storage medium.
Background
With the expansion of the Internet and the growing number of network protocols, the forwarding behavior of packets in a network becomes more and more complex, and various network problems occur easily. To ensure that the network operates reliably and efficiently, network operation and maintenance personnel need to master various network technologies and manually troubleshoot and locate problems and errors in network operation. Network verification technology helps operation and maintenance personnel analyze the network systematically and quickly verify a series of routing properties in the network. Network reachability verification is an important verification technique for fault prevention, fault location and fault root cause analysis in a network.
At present, a network model is usually obtained by modeling the packet-forwarding logic of the network devices in a network. When network reachability verification is performed, reachability is verified on the whole network based on the network model according to a source interface, a destination interface, a source Internet Protocol (IP) address and a destination IP address to be verified. Specifically, the network model is used to verify whether the packet space formed by the source IP address and the destination IP address, after entering at the source interface, can be output from the destination interface; the packet space that can be output from the destination interface is the reachable packet space.
However, since reachability verification can currently only be performed on the entire network, the verification accuracy is low.
Disclosure of Invention
The application provides a network reachability verification method and device and a computer storage medium, which can solve the problem of low accuracy in existing network reachability verification.
In a first aspect, a method for network reachability verification is provided. The method comprises the following steps: the verification device acquires a source interface and a destination interface corresponding to a virtual packet in a target network, where the target network comprises an underlay network and an overlay network constructed on the underlay network. The verification device then verifies the reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of those forwarding instances, the source forwarding instance corresponding to the source interface and the destination forwarding instance corresponding to the destination interface.
In the application, the verification device verifies the reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of those forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface. That is, single-layer reachability verification of the overlay network in the target network is realized, the verification accuracy is high, and therefore the accuracy of fault location in the target network is high. In addition, the network reachability verification method provided by the application is highly flexible to implement.
Optionally, the verification device further obtains a first network graph model corresponding to the overlay network, where the first network graph model reflects the logical topology of the multiple forwarding instances of the multiple network devices in the target network. In that case, verifying the reachability of the virtual packet in the overlay network according to the logical topology of the forwarding instances, their routing information, the source forwarding instance and the destination forwarding instance includes: the verification device verifies the reachability of the virtual packet in the overlay network according to the first network graph model, the routing information of the forwarding instances, the source forwarding instance and the destination forwarding instance.
In the application, the verification device obtains the first network graph model corresponding to the overlay network. Since the first network graph model reflects the logical topology of the multiple forwarding instances of the multiple network devices in the target network, that is, the logical topology of the overlay network, the verification device can verify the reachability of the virtual packet in the overlay network according to it. In addition, the verification device can output the first network graph model so that it is displayed on the verification device or on another device, realizing visualization of the logical topology of the overlay network.
Optionally, the process by which the verification device acquires the first network graph model corresponding to the overlay network includes: the verification device generates the first network graph model according to configuration information of the forwarding instances of the plurality of network devices in the target network and tunnel state information of those network devices.
Or, the first network graph model may also be generated by other devices and then sent to the verification device, and the implementation process of the verification device obtaining the first network graph model corresponding to the overlay network includes: the verification device receives the first network graph model sent by the other device.
Optionally, the first network graph model further includes connection relationships of multiple forwarding instances in the same network device.
Optionally, the configuration information of the forwarding instances of a network device includes one or more of: a binding relationship between an interface of the network device and a Layer 2 forwarding instance in the network device; a Layer 3 virtual interface corresponding to the Layer 2 forwarding instance; a binding relationship between that Layer 3 virtual interface and a Layer 3 forwarding instance in the network device; a network identifier of the forwarding instance; or a route target of the forwarding instance.
Optionally, the process by which the verification device verifies the reachability of the virtual packet in the overlay network includes: the verification device determines a logically reachable path and/or a logically unreachable path of the virtual packet in the overlay network.
Optionally, the logically reachable paths of the virtual packet in the overlay network are logical paths that satisfy the following conditions: the end point of the logical path is the destination forwarding instance, and the output interface through which the virtual packet is forwarded from the destination forwarding instance is the destination interface.
Optionally, a logically unreachable path of the virtual packet in the overlay network is a logical path that satisfies one or more of the following conditions: the end point of the logical path is the destination forwarding instance, but the output interface through which the virtual packet is forwarded from it is not the destination interface; the end point of the logical path has no next hop for the virtual packet in the overlay network and is not the destination forwarding instance; or the logical path contains a loop.
Optionally, the verification device further verifies, for each tunnel on a target logical path, the reachability in the underlay network between the two tunnel end points of that tunnel, where the target logical path is a logical path of the virtual packet in the overlay network that includes a tunnel.
In the application, after the verification device identifies the tunnels on the logical path of the virtual packet in the overlay network, it can verify the reachability between the two end points of each tunnel in the underlay network. This achieves layered verification of the target network with high verification efficiency.
Optionally, verifying the reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path includes: only when the target logical path is a logically reachable path of the virtual packet in the overlay network does the verification device verify the reachability in the underlay network between the two tunnel end points of each tunnel on that path.
In the application, the verification device may first obtain a logical path of the virtual packet in the overlay network and, after determining that the logical path is reachable in the overlay network, verify the reachability in the underlay network between the two end points of each tunnel on the logical path, so as to determine whether the virtual packet can reach its destination in the target network through the physical path in the underlay network that corresponds to the logical path. When the logical path is unreachable in the overlay network, the verification device determines that the physical path in the underlay network corresponding to that logical path is unreachable in the target network, and the reachability of the tunnels on the logical path in the underlay network need not be verified further, which saves computing resources.
In one possible implementation, verifying the reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path includes: the verification device verifies the reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path according to the physical topology of the network devices in the target network and the public-network routing information of those network devices.
Optionally, the verification device first obtains a second network graph model corresponding to the underlay network, where the second network graph model reflects the physical topology of the multiple network devices in the target network, and then verifies the reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path according to the second network graph model and the public-network routing information of the plurality of network devices.
In another possible implementation, the verification device verifies the reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path based on a tunnel set, which comprises one or more pairs of tunnel end points that are reachable in the underlay network.
In this implementation, after identifying a tunnel on the logical path of the virtual packet in the overlay network, the verification device only needs to look up the tunnel set by the identifiers of the tunnel's two end points to determine whether those two end points are reachable in the underlay network, so the verification efficiency is high.
Optionally, the verification device further obtains the identifiers of a plurality of tunnel end points in the target network based on the configuration information of the plurality of network devices in the target network; then verifies the reachability in the underlay network between each pair of those tunnel end points according to the physical topology of the network devices in the target network and the public-network routing information of those network devices; and finally generates the tunnel set from the results of the pairwise reachability verification in the underlay network.
Alternatively, the tunnel set may be generated by another device and sent to the verification device.
Optionally, the verification device further obtains a second network graph model corresponding to the underlay network, where the second network graph model reflects the physical topology of the multiple network devices in the target network. Correspondingly, the pairwise verification of the reachability of the multiple tunnel end points in the underlay network according to the physical topology of the network devices in the target network and their public-network routing information includes: the verification device verifies the pairwise reachability of the plurality of tunnel end points in the underlay network according to the second network graph model and the public-network routing information of the plurality of network devices.
In the application, the verification device obtains the second network graph model corresponding to the underlay network. Since the second network graph model reflects the physical topology of the plurality of network devices in the target network, that is, the physical topology of the underlay network, the verification device can verify the reachability in the underlay network between the two end points of a tunnel on the logical path according to it. In addition, the verification device can output the second network graph model so that it is displayed on the verification device or on another device, realizing visualization of the physical topology of the underlay network.
Optionally, the process by which the verification device obtains the second network graph model corresponding to the underlay network includes: the verification device generates the second network graph model according to the networking topology of the target network.
Alternatively, the second network graph model may be generated by another device and sent to the verification device, in which case obtaining the second network graph model corresponding to the underlay network includes: the verification device receives the second network graph model sent by the other device.
Optionally, the verification device further outputs a reachability verification result for the virtual packet in the target network, where the reachability verification result includes a reachable path set and/or an unreachable path set. The reachable path set comprises one or more pairs of reachable paths, where each pair consists of a logically reachable path of the virtual packet in the overlay network and the corresponding physically reachable path in the underlay network. The unreachable path set includes a logically unreachable path of the virtual packet in the overlay network and/or a physically unreachable path of the virtual packet in the underlay network.
In the application, the verification device can output the reachable paths and/or the unreachable paths of the virtual packet in the target network, which makes troubleshooting convenient for network maintenance personnel.
Optionally, when the reachability verification result includes the unreachable path set, the reachability verification result further includes the root cause of unreachability for each unreachable path in the unreachable path set.
In the application, the reachability verification result output by the verification device may include the root cause of unreachability for each unreachable path in the unreachable path set, which makes fault location and maintenance convenient for network operation and maintenance personnel.
Optionally, the verification device further obtains verification rule information, where the verification rule information includes a source address to be verified and a destination address to be verified; the verification device then generates the virtual packet according to the verification rule information, where the source address of the virtual packet is determined based on the source address to be verified and the destination address of the virtual packet is determined based on the destination address to be verified. Specifically, the source address of the virtual packet may be the source address to be verified, and the destination address of the virtual packet may be the destination address to be verified.
Optionally, the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address.
Optionally, the validation rule information further includes one or more of a source port number, a destination port number, a transport layer protocol type, a mandatory network device in the target network, a source interface identification, or a destination interface identification.
Optionally, the routing information of the forwarding instance comprises one or more of a media access control table, a forwarding table, or an address resolution protocol table.
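The following Python sketch is an added worked example and is not code from the patent or from Huawei. It ties together three parts of the first aspect described above: the classification of logical paths in the overlay network (reachable, egress interface mismatch, no next hop, loop), the pairwise underlay verification of tunnel end points that yields the tunnel set, and the output of a result with a root cause for unreachable paths. The topology, forwarding instances ("device:vrf"), VTEP addresses and routing tables are all constructed sample data; the forwarding instances carry a simple longest-prefix-match table in place of the MAC, ARP and forwarding tables the patent lists, and a tunnel is recorded as a (local VTEP, remote VTEP) pair on the route that uses it.

```python
import ipaddress

# ---- constructed sample data (not from the patent) -------------------------
# Overlay routing information per forwarding instance ("device:vrf").
# Each entry: (prefix, egress interface, next forwarding instance or None,
#              (local VTEP, remote VTEP) if the hop rides a tunnel, else None)
OVERLAY_ROUTES = {
    "leaf1:vrfA": [
        ("10.1.0.0/24", "eth1", None, None),
        ("10.2.0.0/24", "vxlan0", "leaf2:vrfA", ("192.0.2.1", "192.0.2.2")),
        ("10.3.0.0/24", "vxlan0", "leaf3:vrfA", ("192.0.2.1", "192.0.2.3")),
        ("10.4.0.0/24", "vxlan0", "leaf2:vrfA", ("192.0.2.1", "192.0.2.2")),
    ],
    "leaf2:vrfA": [
        ("10.2.0.0/24", "eth1", None, None),
        # constructed misconfiguration: 10.4.0.0/24 points back to leaf1, which points here
        ("10.4.0.0/24", "vxlan0", "leaf1:vrfA", ("192.0.2.2", "192.0.2.1")),
    ],
    "leaf3:vrfA": [("10.3.0.0/24", "eth1", None, None)],
}
# Underlay: which device owns which VTEP address, and each device's public
# routing table as (prefix, next device). The spine deliberately has no
# route to leaf3's VTEP, so tunnels towards leaf3 fail in the underlay.
VTEP_OWNER = {"192.0.2.1": "leaf1", "192.0.2.2": "leaf2", "192.0.2.3": "leaf3"}
UNDERLAY_ROUTES = {
    "leaf1": [("192.0.2.0/24", "spine")],
    "leaf2": [("192.0.2.0/24", "spine")],
    "leaf3": [("192.0.2.0/24", "spine")],
    "spine": [("192.0.2.1/32", "leaf1"), ("192.0.2.2/32", "leaf2")],
}


def lpm(table, dst_ip):
    """Longest-prefix match over a (prefix, ...) table; returns the entry or None."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if ip in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def underlay_reachable(local_vtep, remote_vtep):
    """Follow public routes hop by hop from the owner of local_vtep to the owner of remote_vtep."""
    dev, seen = VTEP_OWNER[local_vtep], []
    while dev != VTEP_OWNER[remote_vtep]:
        if dev in seen:
            return False                # routing loop in the underlay
        seen.append(dev)
        entry = lpm(UNDERLAY_ROUTES.get(dev, []), remote_vtep)
        if entry is None:
            return False                # no public route towards the remote VTEP
        dev = entry[1]
    return True


def build_tunnel_set():
    """Pairwise underlay verification of all tunnel end points -> set of reachable (local, remote) pairs."""
    vteps = sorted(VTEP_OWNER)
    return {(a, b) for a in vteps for b in vteps if a != b and underlay_reachable(a, b)}


def _result(path, tunnels, root_cause, detail=""):
    return {"status": "reachable" if root_cause is None else "unreachable",
            "path": path, "tunnels": tunnels, "root_cause": root_cause, "detail": detail}


def verify(src_fi, dst_fi, dst_if, dst_ip, tunnel_set):
    """Walk the overlay from src_fi, classify the logical path, then check its tunnels in the underlay."""
    path, tunnels, cur = [src_fi], [], src_fi
    while True:
        entry = lpm(OVERLAY_ROUTES.get(cur, []), dst_ip)
        if cur == dst_fi:
            if entry is not None and entry[1] == dst_if:
                break                   # logically reachable: ends at dst_fi and leaves via dst_if
            return _result(path, tunnels, "egress_mismatch")
        if entry is None or entry[2] is None:
            return _result(path, tunnels, "no_next_hop")   # path ends before reaching dst_fi
        if entry[3] is not None:
            tunnels.append(entry[3])
        nxt = entry[2]
        if nxt in path:
            return _result(path + [nxt], tunnels, "loop")
        path.append(nxt)
        cur = nxt
    # Layered verification: only a logically reachable path has its tunnels checked.
    for local, remote in tunnels:
        if (local, remote) not in tunnel_set:
            return _result(path, tunnels, "tunnel_unreachable", f"{local}->{remote}")
    return _result(path, tunnels, None)


if __name__ == "__main__":
    ts = build_tunnel_set()
    for args in [("leaf1:vrfA", "leaf2:vrfA", "eth1", "10.2.0.5"),
                 ("leaf1:vrfA", "leaf3:vrfA", "eth1", "10.3.0.7"),
                 ("leaf1:vrfA", "leaf3:vrfA", "eth1", "10.4.0.1"),
                 ("leaf1:vrfA", "leaf2:vrfA", "eth1", "10.9.0.1"),
                 ("leaf1:vrfA", "leaf2:vrfA", "eth2", "10.2.0.5")]:
        print(args[3], verify(*args, ts))
```

The five sample calls exercise one reachable case and each of the root causes: a tunnel whose end points are not in the tunnel set, a loop between two forwarding instances, a destination with no next hop at the source instance, and a path that ends at the destination instance but leaves through the wrong interface. Because the tunnel set is built once and consulted by lookup, the per-packet verification never re-walks the underlay, which is the efficiency argument made above.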
In a second aspect, a network reachability verification apparatus is provided. The apparatus comprises a plurality of functional modules that interact to implement the method of the first aspect and its embodiments described above. The functional modules can be implemented based on software, hardware or a combination of software and hardware, and the functional modules can be combined or divided arbitrarily based on specific implementation.
In a third aspect, a network reachability verification apparatus is provided, including: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the network reachability verification method according to the first aspect and embodiments thereof.
In a fourth aspect, there is provided a computer storage medium having stored thereon instructions which, when executed by a processor of a computer device, implement a network reachability verification method as in the first aspect and its embodiments.
In a fifth aspect, a chip is provided, where the chip includes programmable logic circuits and/or program instructions, and when the chip runs, the method in the first aspect and its embodiments is implemented.
The beneficial effects of the technical solutions provided by this application include at least the following:
In the application, the verification device verifies the reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of those forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface. That is, single-layer reachability verification of the overlay network in the target network is realized, the verification accuracy is high, and therefore the accuracy of fault location in the target network is high. In addition, after the verification device identifies the tunnels on the logical path of the virtual packet in the overlay network, it can verify the reachability between the two end points of each tunnel in the underlay network; this achieves layered verification of the target network with high verification efficiency and flexibility, and allows effective verification of networks that perform multi-layer IP encapsulation and decapsulation, such as networks running the VXLAN or GRE protocol.
Drawings
Fig. 1 is a schematic structural diagram of a network reachability verification system provided in an embodiment of the present application;
fig. 2 is a schematic diagram of a networking topology of a communication network according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a network reachability verification method provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a first network graph model corresponding to an overlay network according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of a second network graph model corresponding to an underlying network according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a network reachability verification apparatus provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of another network reachability verification apparatus provided in an embodiment of the present application;
fig. 8 is a schematic structural diagram of another network reachability verification apparatus provided in the embodiment of the present application;
fig. 9 is a schematic structural diagram of yet another network reachability verification apparatus provided in an embodiment of the present application;
fig. 10 is a schematic structural diagram of a further network reachability verification apparatus provided in an embodiment of the present application;
fig. 11 is a schematic structural diagram of a network reachability verification apparatus according to another embodiment of the present application;
fig. 12 is a schematic structural diagram of another network reachability verification apparatus provided in another embodiment of the present application;
fig. 13 is a schematic structural diagram of another network reachability verification apparatus according to another embodiment of the present application;
fig. 14 is a block diagram of a network reachability verification apparatus according to an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and effect of the present application clearer, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a network reachability verification system according to an embodiment of the present application. As shown in fig. 1, the system includes a verification device 101 and network devices 102A-102C (collectively network devices 102) in a communication network. The number of network devices in fig. 1 is merely illustrative and does not limit the communication network of the embodiments of the present application.
The verification device 101 may be a server, a server cluster composed of several servers, or a cloud computing service center. A network device 102 may be a physical communication device such as a switch or a router, or a virtual communication device such as a virtual switch or a virtual router. Optionally, with continued reference to fig. 1, the system further includes a control device 103, which manages and controls the network devices 102 in the communication network. The control device 103 may be a network controller, a network management device, a gateway or another device with control capabilities, and may consist of one or more devices. The verification device 101 and the control device 103 are connected through a wired or wireless network, as are the control device 103 and the network devices 102.
Optionally, the control device 103 stores the networking topology of the communication network it manages. The control device 103 also collects device information from the network devices 102 in the communication network, including configuration information, routing information, tunnel state information, and the like. The configuration information of a network device includes interface configuration information, protocol configuration information, and/or service configuration information, for example a security control policy embodied as an access control list (ACL). The routing information of a network device includes an Address Resolution Protocol (ARP) table, a Media Access Control (MAC) table, a routing table, and/or a forwarding table. The tunnel state information of a network device includes the identifiers of the tunnel end points and the state of the tunnel. The control device 103 may collect the device information of the network devices 102 periodically, or a network device 102 may actively report changed device information to the control device 103 when its device information changes. The verification device 101 can obtain the networking topology of the communication network and the device information of the network devices 102 through the control device 103. The verification device 101 may also be integrated with the control device 103; this is not limited in this embodiment.
The communication network provided in the embodiment of the present application may be a Data Center Network (DCN), a metropolitan area network, a wide area network, or a campus network, and the like. The communication network includes an underlay (underlay) network and an overlay network built on top of the underlay network.
The underlying network may be a physical network formed by an internet (internet), a multi-protocol label switching (MPLS) network, and/or a Long Term Evolution (LTE) network. The underlying network comprises a plurality of network devices, and the network devices are connected through physical links.
The overlay network may be a logical network constructed on top of the underlay network using the Generic Routing Encapsulation (GRE) protocol, the Virtual Extensible Local Area Network (VXLAN) protocol, Dynamic Smart Virtual Private Network (DSVPN) technology, and/or automatic virtual private network (Auto VPN) technology. The overlay network includes tunnels (also referred to as overlay tunnels), each of which is a virtual or logical link. Each tunnel corresponds to one or more paths in the underlay network, where each path is typically made up of multiple physical links connected end to end in the underlay network.
The communication network provided by the embodiment of the application may adopt a two-tier (two-layer) network architecture or a three-tier (three-layer) network architecture. Under a two-tier network architecture, the communication network, which may also be referred to as a two-tier network, includes an aggregation (convergence) layer and an access layer: the aggregation layer is the high-speed switching backbone of the communication network, and the access layer connects workstations to the communication network. Under a three-tier network architecture, the communication network, which may also be referred to as a three-tier network, includes a core layer, an aggregation layer and an access layer: the core layer is the high-speed switching backbone of the communication network, the aggregation layer provides aggregated connectivity between the access layer and the core layer, and the access layer connects workstations to the communication network. A workstation may be a terminal, a server, or a Virtual Machine (VM). These tiers of the physical architecture are distinct from the Layer 2 and Layer 3 forwarding instances discussed below. The following embodiments of the present application take a two-tier network architecture as the example of the communication network.
Illustratively, fig. 2 is a schematic diagram of a networking topology of a communication network provided in an embodiment of the present application. As shown in fig. 2, the communication network 20 includes a network device 102a at the aggregation layer and network devices 102b1 and 102b2 at the access layer. The communication network may be a fat-tree or leaf-spine topology, in which case network device 102a is a spine switch and network devices 102b1 and 102b2 are leaf switches.
With continued reference to fig. 2, network device 102a has interfaces GE1/2/0 and GE1/3/0, network device 102b1 has interfaces GE1/0/0.1 and GE1/1/0, and network device 102b2 has interfaces GE1/0/1.1 and GE1/4/0. Interface GE1/0/0.1 on network device 102b1 and interface GE1/0/1.1 on network device 102b2 are boundary interfaces. Network device 102b1 connects to VM1 through interface GE1/0/0.1, and network device 102b2 connects to VM2 and VM3 through interface GE1/0/1.1. Interface GE1/1/0 on network device 102b1 connects to interface GE1/2/0 on network device 102a. Interface GE1/4/0 on network device 102b2 connects to interface GE1/3/0 on network device 102a.
Fig. 3 is a schematic flowchart of a network reachability verification method according to an embodiment of the present application. The method may be applied to the verification device 101 in the system shown in fig. 1. As shown in fig. 3, the method includes:
step 301, obtaining a source interface and a destination interface corresponding to the virtual packet in the target network.
The target network includes an underlay network and an overlay network constructed over the underlay network. The virtual packet in the embodiment of the present application is not a real packet; it is used to simulate the transmission of real packets in the target network. The fields of the virtual packet describe a header space (HS), which may also be referred to as a packet space, and may represent a group of packets. Taking the example of a virtual packet that includes a five-tuple, each element in the five-tuple may be a single value or a set containing multiple values. The five-tuple includes a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol number. The source IP address and the destination IP address may each be one specific IP address, a network segment address (i.e., an IP prefix), or a set of specific IP addresses. For example, the source IP address 10.0.0.1 is a specific IP address; the destination IP address {20.0.0.1, 20.0.0.3, 20.0.0.4} is a set of three specific IP addresses. The source port number and the destination port number may each be one specific port number, a range of port numbers, or a set of specific port numbers. For example, the source port number {1, 3, 5} denotes three source ports; the destination port number 0 to 255 denotes the 256 destination ports 0 through 255. The transport layer protocol number may be one specific protocol number, a range of protocol numbers, or a set of specific protocol numbers. In the examples of this description, the transport layer protocol number 7 is used to denote the Transmission Control Protocol (TCP); note that the IANA-assigned protocol number of TCP is 6 (and that of UDP is 17), so an implementation that matches on the IP protocol field of real packets must use those values rather than the example's 7.
Illustratively, the five-tuple of a virtual packet is: source IP address 10.0.0.1, destination IP address 20.0.0.1, source port number 0-9, destination port number 12-15, transport layer protocol number 7. This virtual packet represents a group of packets with the same source IP address, destination IP address and transport layer protocol, where the source port number of each packet in the group is one value in 0-9 and the destination port number is one value in 12-15, so the group contains 10 × 4 = 40 packets.
As another example, when each element of the five-tuple is a single specific value (the source and destination IP addresses and protocol number as above, together with one specific source port number and one specific destination port number), the virtual packet represents exactly one packet.
Optionally, the verification device obtains verification rule information, where the verification rule information includes a source address to be verified and a destination address to be verified. And the verification equipment generates a virtual message according to the verification rule information. The source address of the virtual message is determined based on the source address to be verified, and the destination address of the virtual message is determined based on the destination address to be verified. The validation rule information may be input to the validation device by a user. Optionally, the source address of the virtual packet is the source address to be verified, and the destination address of the virtual packet is the destination address to be verified.
Optionally, the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address. The verification device may generate one virtual packet according to the verification rule information, where the source address of the virtual packet is the source address to be verified and the destination address of the virtual packet is the destination address to be verified; that is, the source address and/or the destination address of the virtual packet may be a network segment address. Alternatively, the verification device may generate a plurality of virtual packets according to the verification rule information. Illustratively, if the source address to be verified in the verification rule information is a network segment address that includes m valid host addresses, and the destination address to be verified is a network segment address that includes n valid host addresses, the verification device can generate m × n virtual packets according to the verification rule information, where the source address of each virtual packet is one valid host address in the source address to be verified and the destination address is one valid host address in the destination address to be verified. Here m and n are both positive integers.
Optionally, the verification rule information further includes one or more of a source port number, a destination port number, a transport layer protocol type, a network device in the target network that must be passed through, a source interface identifier, or a destination interface identifier. The source port number, the destination port number, the transport layer protocol type, the source IP address to be verified and the destination IP address to be verified form the five-tuple of the virtual packet. The transport layer protocol type may be TCP, the User Datagram Protocol (UDP), and so on. The network device that must be passed through indicates a network device that the virtual packet must traverse in the target network. The source interface identifier indicates the inbound interface of the virtual packet in the target network, and the destination interface identifier indicates the outbound interface of the virtual packet in the target network.
Optionally, the virtual packet may have one or more source interfaces in the target network and may enter the target network through any one of them; likewise it may be forwarded out of the target network through any one of its destination interfaces. For example, the virtual packet may be transmitted using an equal-cost multipath (ECMP) mechanism. In the embodiment of the present application, the case in which a virtual packet corresponds to one source interface and one destination interface in the target network is mainly taken as the example for description.
Illustratively, the source IP address to be verified in the verification rule information is 10.0.0.1/32, the destination IP address to be verified is 20.0.0.0/24 (a network segment address), and the transport layer protocol number is 7 (denoting TCP in this description). Assume that the target network is the communication network 20 shown in fig. 2, the IP address of VM1 is 10.0.0.1, the IP address of VM2 is 20.0.0.1, and the IP address of VM3 is 20.0.0.2. According to the device access information of the target network, the source IP address to be verified, 10.0.0.1, is the IP address of VM1, which enters the target network through interface GE1/0/0.1 of network device 102b1; the valid host addresses in the target network belonging to the subnet 20.0.0.0/24 of the destination IP address to be verified are the IP address 20.0.0.1 of VM2 and the IP address 20.0.0.2 of VM3, which are forwarded out of the target network through interface GE1/0/1.1 of network device 102b2. In one possible implementation, the verification device generates a single virtual packet according to the verification rule information, where the source IP address of the virtual packet is 10.0.0.1, the destination IP addresses are 20.0.0.1 and 20.0.0.2, and the transport layer protocol number is 7; this virtual packet may be denoted as [10.0.0.1, {20.0.0.1, 20.0.0.2}; 7]. The source interface corresponding to the virtual packet is GE1/0/0.1 and the corresponding destination interface is GE1/0/1.1, and the virtual packet is used to verify reachability from VM1 to VM2 and VM3. In another possible implementation, the verification device generates two virtual packets according to the verification rule information.
The source IP address of one virtual packet is 10.0.0.1, its destination IP address is 20.0.0.1, and its transport layer protocol number is 7; this virtual packet may be denoted as [10.0.0.1, 20.0.0.1; 7]. Its source interface is GE1/0/0.1, its destination interface is GE1/0/1.1, and it is used to verify reachability from VM1 to VM2. The source IP address of the other virtual packet is 10.0.0.1, its destination IP address is 20.0.0.2, and its transport layer protocol number is 7; this virtual packet may be denoted as [10.0.0.1, 20.0.0.2; 7]. Its source interface is GE1/0/0.1, its destination interface is GE1/0/1.1, and it is used to verify reachability from VM1 to VM3.
Optionally, when the verification rule information does not include a source port number and a destination port number, the source port number in the virtual packet may be set to 0 to 65535 and the destination port number in the virtual packet may be set to 0 to 65535. For example, the source port number and the destination port number of each of the virtual packets [10.0.0.1, {20.0.0.1, 20.0.0.2}; 7], [10.0.0.1, 20.0.0.1; 7] and [10.0.0.1, 20.0.0.2; 7] are 0 to 65535.
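As an added illustration of how the verification rule information of step 301 becomes a virtual packet (a header space), the following example code was written for this page and is not part of the patent. The VirtualPacket layout, the rule keys src/dst/sport/dport/proto, the 0-65535 port default, the bracket-notation helper and the reading of "valid host address" as the addresses of a prefix other than the network and broadcast address (every address for /31 and /32) are assumptions of this example.

```python
import ipaddress
from typing import FrozenSet, NamedTuple, Tuple


class VirtualPacket(NamedTuple):
    """Header space of one virtual packet: each five-tuple element is a set or an inclusive range."""
    src: FrozenSet[ipaddress.IPv4Address]
    dst: FrozenSet[ipaddress.IPv4Address]
    sport: Tuple[int, int]
    dport: Tuple[int, int]
    proto: int


def hosts(prefix):
    """Valid host addresses of a prefix (assumed: all addresses for /31 and /32,
    otherwise everything except the network and broadcast address)."""
    n = ipaddress.ip_network(prefix, strict=False)
    return frozenset(n) if n.prefixlen >= 31 else frozenset(n.hosts())


def make_virtual_packet(rule):
    """Build one virtual packet from verification rule information (rule keys are assumed)."""
    return VirtualPacket(
        src=hosts(rule["src"]),
        dst=hosts(rule["dst"]),
        sport=tuple(rule.get("sport", (0, 65535))),  # unspecified port: whole range
        dport=tuple(rule.get("dport", (0, 65535))),
        proto=rule["proto"],
    )


def packet_count(vp):
    """Number of concrete packets represented by the virtual packet."""
    ports = (vp.sport[1] - vp.sport[0] + 1) * (vp.dport[1] - vp.dport[0] + 1)
    return len(vp.src) * len(vp.dst) * ports


def expand(vp):
    """The m x n alternative: one virtual packet per (source host, destination host) pair."""
    return [vp._replace(src=frozenset({s}), dst=frozenset({d}))
            for s in sorted(vp.src) for d in sorted(vp.dst)]


def restrict_to_known_hosts(vp, known):
    """Keep only destinations that exist in the target network (device access information),
    as the description does when it narrows 20.0.0.0/24 to VM2 and VM3."""
    known = {ipaddress.ip_address(k) for k in known}
    return vp._replace(dst=frozenset(d for d in vp.dst if d in known))


def notation(vp):
    """The description's bracket notation: [src, dst; proto], with sets written in braces."""
    def fmt(addrs):
        a = sorted(str(x) for x in addrs)
        return a[0] if len(a) == 1 else "{" + ",".join(a) + "}"
    return "[%s, %s; %d]" % (fmt(vp.src), fmt(vp.dst), vp.proto)


if __name__ == "__main__":
    rule = {"src": "10.0.0.1/32", "dst": "20.0.0.0/24", "proto": 7}  # constructed rule from the text
    vp = restrict_to_known_hosts(make_virtual_packet(rule), {"20.0.0.1", "20.0.0.2"})
    print(notation(vp), packet_count(vp), len(expand(vp)))
```

Restricting the destination set to hosts the controller actually knows keeps the header space small before path tracing; without that step a /24 destination carries 254 addresses through every forwarding lookup.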
Step 302, verifying the reachability of the virtual message in the overlay network according to the logic topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface.
Optionally, the routing information of a forwarding instance comprises one or more of a MAC table, a forwarding table, or an ARP table. One or more forwarding instances are configured in a network device, each forwarding instance corresponding to a set of routing information that is locally available on the network device. The forwarding instances in the same network device work independently of one another, which realizes route isolation. A network device may include a Layer 2 (two-layer) forwarding instance (L2VPN instance) and/or a Layer 3 (three-layer) forwarding instance (L3VPN instance). A Layer 2 forwarding instance corresponds to Layer 2 routing information on the network device, such as a MAC table; a Layer 3 forwarding instance corresponds to Layer 3 routing information on the network device, such as a forwarding table. In VXLAN, the L2VPN instance may also be referred to as a Bridge Domain (BD) instance (corresponding to a Layer 2 forwarding domain), and the L3VPN instance may also be referred to as a Virtual Routing and Forwarding (VRF) instance (corresponding to a Layer 3 forwarding domain). The source forwarding instance corresponding to the source interface and the destination forwarding instance corresponding to the destination interface are generally Layer 2 forwarding instances.
Optionally, the verification device may obtain a first network graph model corresponding to the overlay network, where the first network graph model reflects a logical topology of multiple forwarding instances of multiple network devices in the target network. The implementation of step 302 includes: and verifying the reachability of the virtual message in the overlay network according to the first network graph model, the routing information of the forwarding instances of the network devices in the target network, the source forwarding instance and the destination forwarding instance.
In the embodiment of the application, the verification device obtains the first network graph model corresponding to the overlay network, and since the first network graph model reflects the logical topology of the multiple forwarding instances of the multiple network devices in the target network, that is, reflects the logical topology of the overlay network, the verification device can verify the reachability of the virtual packet in the overlay network according to the first network graph model. In addition, the verification device can also output the first network graph model so as to display the first network graph model on the verification device or other devices to realize the logic topology visualization of the overlay network.
Optionally, the implementation process of acquiring, by the verification device, the first network graph model corresponding to the overlay network includes: the verification device generates a first network graph model according to configuration information of a plurality of network devices in the target network and the tunnel state information of the plurality of network devices. The first network graph model includes connection relationships of multiple forwarding instances in different network devices. Forwarding instances in different network devices are connected through tunnels. Optionally, when two network devices are configured as two tunnel endpoints of one tunnel respectively, the connection relationship of the multiple forwarding instances in the network device includes a connection relationship between two layers of forwarding instances in the two network devices, and/or a connection relationship between three layers of forwarding instances in the two network devices, where the connection relationship is established based on the tunnel.
Optionally, the first network graph model further includes connection relationships of multiple forwarding instances in the same network device. When a network device includes a two-layer forwarding instance and a three-layer forwarding instance, the two-layer forwarding instance and the three-layer forwarding instance may be connected to each other.
Optionally, the configuration information of the forwarding instances of a network device includes one or more of: the binding relationship between an interface of the network device and a Layer 2 forwarding instance in the network device; the Layer 3 virtual interface corresponding to a Layer 2 forwarding instance in the network device; the binding relationship between that Layer 3 virtual interface and a Layer 3 forwarding instance in the network device; the network identifier of a forwarding instance in the network device; or the route target of a forwarding instance in the network device. The Layer 3 virtual interface serves as the Layer 3 gateway and may be configured in the network device or in another device. In VXLAN, the Layer 3 virtual interface is a logical interface based on the BD, abbreviated vbdif; the network identifier of a forwarding instance is a VXLAN Network Identifier (VNI), which distinguishes VXLAN segments, and virtual machines in different VXLAN segments cannot communicate directly at Layer 2. Each forwarding instance is configured with a route target, which may also be referred to as a vpn-target. The route target is a Border Gateway Protocol (BGP) extended community attribute, and each forwarding instance needs two kinds of route target, one for the export direction and one for the import direction. When the value of the export route target (eRT) configured on the forwarding instance at the local end equals the value of the import route target (iRT) configured on the forwarding instance at the remote end, the local end and the remote end can exchange BGP routes with each other. Optionally, one forwarding instance is configured with one or more route targets.
And the verification equipment determines whether the two forwarding instances have a connection relation according to the network identifications of the forwarding instances and/or the routing targets of the forwarding instances.
Illustratively, the overlay network in the target network runs the VXLAN protocol. Continuing with the example in step 301, network device 102b1 is configured with VXLAN Tunnel Endpoint (VTEP) 1, whose IP address is 1.1.1.1; network device 102b2 is configured with VTEP2, whose IP address is 2.2.2.2. A VXLAN tunnel is established between network device 102b1 and network device 102b2 based on VTEP1 and VTEP2. A tunnel is unidirectional, so two tunnels in opposite directions are usually established between two network devices to realize bidirectional communication. Assume that a BD instance and a VRF instance are configured in each of network device 102b1 and network device 102b2. The identifier of the BD instance in network device 102b1 is 10, abbreviated BD10, and the VRF instance in network device 102b1 is abbreviated VRF1; the identifier of the BD instance in network device 102b2 is 20, abbreviated BD20, and the VRF instance in network device 102b2 is abbreviated VRF2. The forwarding-instance configuration information of network device 102b1 includes: GE1/0/0.1 is bound to BD10, vbdif10 corresponds to BD10, and vbdif10 is bound to VRF1. The tunnel state information of network device 102b1 includes: IP address of VTEP1: 1.1.1.1; IP address of VTEP2: 2.2.2.2; VTEP1 → VTEP2: up, meaning that the tunnel in the direction from VTEP1 to VTEP2 is available. The forwarding-instance configuration information of network device 102b2 includes: GE1/0/1.1 is bound to BD20, vbdif20 corresponds to BD20, and vbdif20 is bound to VRF2. The tunnel state information of network device 102b2 includes: IP address of VTEP2: 2.2.2.2; IP address of VTEP1: 1.1.1.1; VTEP2 → VTEP1: up, meaning that the tunnel in the direction from VTEP2 to VTEP1 is available.
Assuming that the route target of VRF1 matches the route target of VRF2 and the VNI of BD10 is different from the VNI of BD20, VRF1 and VRF2 are connected through a tunnel, BD10 and BD20 do not have a connection relationship, and a first network graph model corresponding to an overlay network in the target network may be as shown in fig. 4, where VM1 accesses BD10 of network device 102b1, and BD10 of network device 102b1 is connected with VRF1 of network device 102b 1; VM2 and VM3 both access BD20 of network device 102b2, BD20 of network device 102b2 is connected to VRF2 of network device 102b2, and VRF1 of network device 102b1 is connected to VRF2 of network device 102b2 through VXLAN tunnels.
Of course, the first network graph model may also be generated by other devices and then sent to the verification device, and the implementation process of the verification device obtaining the first network graph model corresponding to the overlay network includes: the verification device receives the first network graph model sent by the other device. The method for acquiring the first network graph model by the verification equipment is not limited.
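The following example code, added for this page and not part of the patent, derives the connection relationships of the first network graph model from the forwarding-instance configuration and tunnel state described above. The VTEP addresses, instance names and interface bindings follow the description; the dictionary layout, the VNI and route target values, the rule that an inter-device edge requires the tunnel to be up in both directions, and the rule that a VRF edge requires eRT/iRT matches in both directions are assumptions of this example.

```python
from copy import deepcopy
from itertools import combinations

# Constructed device data mirroring network devices 102b1 and 102b2 (field names are assumed).
DEVICES = {
    "102b1": {
        "vtep": "1.1.1.1",
        "bd": {"BD10": {"interfaces": ["GE1/0/0.1"], "vni": 10010, "vbdif": "vbdif10", "vrf": "VRF1"}},
        "vrf": {"VRF1": {"ert": {"100:1"}, "irt": {"100:1"}}},
        "tunnels": {"2.2.2.2": "up"},  # VTEP1 -> VTEP2, keyed by the remote VTEP address
    },
    "102b2": {
        "vtep": "2.2.2.2",
        "bd": {"BD20": {"interfaces": ["GE1/0/1.1"], "vni": 10020, "vbdif": "vbdif20", "vrf": "VRF2"}},
        "vrf": {"VRF2": {"ert": {"100:1"}, "irt": {"100:1"}}},
        "tunnels": {"1.1.1.1": "up"},  # VTEP2 -> VTEP1
    },
}


def tunnel_bidirectional(devices, a, b):
    """Tunnels are unidirectional; only draw an edge when both directions report up."""
    da, db = devices[a], devices[b]
    return da["tunnels"].get(db["vtep"]) == "up" and db["tunnels"].get(da["vtep"]) == "up"


def routes_exchanged(vrf_a, vrf_b):
    """Local eRT must equal a remote iRT; required in both directions for a bidirectional edge."""
    return bool(vrf_a["ert"] & vrf_b["irt"]) and bool(vrf_b["ert"] & vrf_a["irt"])


def build_graph(devices):
    """Return the undirected edges between (device, forwarding instance) nodes."""
    edges = set()
    for dev, cfg in devices.items():
        for bd_name, bd in cfg["bd"].items():
            if bd.get("vrf"):  # the vbdif binds the BD to a VRF on the same device
                edges.add(frozenset({(dev, bd_name), (dev, bd["vrf"])}))
    for a, b in combinations(devices, 2):
        if not tunnel_bidirectional(devices, a, b):
            continue
        for bd_a, ba in devices[a]["bd"].items():
            for bd_b, bb in devices[b]["bd"].items():
                if ba["vni"] == bb["vni"]:  # same VXLAN segment: Layer 2 stretched over the tunnel
                    edges.add(frozenset({(a, bd_a), (b, bd_b)}))
        for vrf_a, va in devices[a]["vrf"].items():
            for vrf_b, vb in devices[b]["vrf"].items():
                if routes_exchanged(va, vb):
                    edges.add(frozenset({(a, vrf_a), (b, vrf_b)}))
    return edges


def connected(edges, n1, n2):
    return frozenset({n1, n2}) in edges


def interface_instance(devices, dev, iface):
    """Source/destination forwarding instance of a boundary interface: the BD it is bound to."""
    for bd_name, bd in devices[dev]["bd"].items():
        if iface in bd["interfaces"]:
            return (dev, bd_name)
    return None


def with_tunnel_state(devices, dev, remote_vtep, state):
    """Copy of the device data with one tunnel direction set to state, for what-if checks."""
    d = deepcopy(devices)
    d[dev]["tunnels"][remote_vtep] = state
    return d


if __name__ == "__main__":
    for edge in sorted(build_graph(DEVICES), key=sorted):
        print(" <-> ".join("%s-%s" % n for n in sorted(edge)))
```

With the constructed values the result is the fig. 4 model: BD10 and BD20 have different VNIs and stay unconnected, while VRF1 and VRF2 share a route target and are joined over the tunnel. Setting either tunnel direction to down removes the VRF edge, which is what a verifier should do rather than trusting a stale one-directional state.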
Optionally, the implementation process of step 302 includes: the verification device determines a logical reachable path and/or a logical unreachable path of the virtual packet in the overlay network according to the logical topology (or the first network graph model) of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance, and the destination forwarding instance.
Optionally, the logical reachable paths of the virtual packet in the overlay network are the logical paths that satisfy the following conditions: the end point of the logical path is the destination forwarding instance, and the outbound interface through which the virtual packet is forwarded from the destination forwarding instance is the destination interface. The logical unreachable paths of the virtual packet in the overlay network are the logical paths that satisfy one or more of the following conditions: the end point of the logical path is the destination forwarding instance, but the outbound interface through which the virtual packet is forwarded from the destination forwarding instance is not the destination interface; the end point of the logical path has no next hop for the virtual packet in the overlay network and is not the destination forwarding instance; or the logical path contains a loop. A logical path contains a loop when there is a target node on the logical path at which the virtual packet arrives multiple times, and the virtual packet arrives at the target node through the same inbound interface each time and/or is forwarded from the target node through the same outbound interface each time. The target node may be a forwarding instance.
Illustratively, the simulated transmission path of the virtual packet in the overlay network is: forwarding instance 1 → forwarding instance 2 → forwarding instance 3 → forwarding instance 4 → forwarding instance 2. If the inbound interface through which the virtual packet arrives at forwarding instance 2 is the same both times and/or the outbound interface through which it is forwarded from forwarding instance 2 is the same both times, the simulated transmission path is determined to contain the loop forwarding instance 2 → forwarding instance 3 → forwarding instance 4 → forwarding instance 2, and forwarding instance 2 may be referred to as a loop node. In this embodiment of the present application, the Nth arrival at a loop node on the simulated transmission path may be taken as the end point of the logical path of the virtual packet in the overlay network, where N is an integer greater than 1. For example, with N = 2 the resulting simulated transmission path of the virtual packet in the overlay network is: forwarding instance 1 → forwarding instance 2 → forwarding instance 3 → forwarding instance 4 → forwarding instance 2.
In this embodiment of the present application, the determination by the verification device of the logical reachable path and/or the logical unreachable path of the virtual packet in the overlay network may include the following. The verification device obtains one or more logical paths of the virtual packet in the overlay network according to the logical topology (or the first network graph model) of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, and the source forwarding instance corresponding to the source interface, where each logical path ends either at a forwarding instance that has no next hop for the virtual packet in the overlay network or at a loop (in which case the end point of the logical path may be the first node that repeats on the logical path). The verification device then verifies, based on the destination forwarding instance, whether each logical path is a logical reachable path of the virtual packet in the overlay network.
Optionally, the implementation process of the verifying device verifying whether the logical path is a logical reachable path of the virtual packet in the overlay network based on the destination forwarding instance includes: when the logic path includes a destination forwarding instance, an outgoing interface forwarded by the virtual message from the destination forwarding instance is determined according to the routing information of the destination forwarding instance and the destination address of the virtual message. And when the output interface forwarded by the virtual message from the destination forwarding instance is the destination interface, determining the logic path as a logic reachable path of the virtual message in the overlay network. And when the output interface of the virtual message forwarded from the destination forwarding instance is not the destination interface, determining that the logic path is a logic unreachable path of the virtual message in the overlay network. Or, when the logical path does not include the destination forwarding instance, determining that the logical path is a logically unreachable path of the virtual packet in the overlay network.
For example, table 1 shows the forwarding table corresponding to VRF1 in fig. 4, and table 2 shows the forwarding table corresponding to BD10 in fig. 4 (obtained by converting the MAC table and ARP table corresponding to BD10); the IP address of vbdif10 corresponding to BD10 is 10.0.0.254/255.255.255.0. Table 3 shows the forwarding table corresponding to VRF2 in fig. 4, and table 4 shows the forwarding table corresponding to BD20 in fig. 4 (obtained by converting the MAC table and ARP table corresponding to BD20); the IP address of vbdif20 corresponding to BD20 is 20.0.0.254/255.255.255.0. Here "/255.255.255.0" is the subnet mask, and a next hop of "/" means the entry has no Layer 3 next hop (the destination host is reached directly through the outbound interface). Note that table 1 carries a host route for 20.0.0.1 only and no entry covering 20.0.0.2; the second and third examples below depend on this.
TABLE 1 (forwarding table of VRF1)
Destination IP | Next hop | Outbound interface
10.0.0.0/24 | 10.0.0.254 | vbdif10
20.0.0.1/32 | 2.2.2.2 | VXLAN tunnel
TABLE 2 (forwarding table of BD10)
Destination IP | Next hop | Outbound interface
10.0.0.1/32 | / | GE1/0/0.1
0.0.0.0/0 | 10.0.0.254 | vbdif10
TABLE 3 (forwarding table of VRF2)
Destination IP | Next hop | Outbound interface
20.0.0.0/24 | 20.0.0.254 | vbdif20
10.0.0.1/32 | 1.1.1.1 | VXLAN tunnel
TABLE 4 (forwarding table of BD20)
Destination IP | Next hop | Outbound interface
20.0.0.1/32 | / | GE1/0/1.1
20.0.0.2/32 | / | GE1/0/1.1
0.0.0.0/0 | 20.0.0.254 | vbdif20
In a first example, for the virtual packet [10.0.0.1, 20.0.0.1; 7], the corresponding source interface is GE1/0/0.1 and the corresponding destination interface is GE1/0/1.1. Since GE1/0/0.1 is bound to BD10 and GE1/0/1.1 is bound to BD20, the source forwarding instance of the virtual packet in the overlay network is BD10 and its destination forwarding instance is BD20. The virtual packet from VM1 arrives at BD10 through the inbound interface GE1/0/0.1. As can be seen from table 2, after reaching BD10 the virtual packet is forwarded through the outbound interface vbdif10. Since vbdif10 is bound to VRF1, as can be seen in combination with the first network graph model shown in fig. 4, the virtual packet reaches VRF1. Based on table 1, after reaching VRF1 the virtual packet is forwarded through the VXLAN tunnel. As can be seen from the first network graph model shown in fig. 4, the virtual packet forwarded through the VXLAN tunnel reaches VRF2. Based on table 3, after reaching VRF2 the virtual packet is forwarded through the outbound interface vbdif20. Since vbdif20 is the Layer 3 virtual interface corresponding to BD20, as can be seen in combination with the first network graph model shown in fig. 4, the virtual packet reaches BD20. That is, the logical path of the virtual packet in the overlay network is: network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20. Since the logical path includes the destination forwarding instance BD20, and table 4 shows that after reaching BD20 the virtual packet can be forwarded to VM2 through the outbound interface GE1/0/1.1, the logical path "network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20" is a logical reachable path of the virtual packet [10.0.0.1, 20.0.0.1; 7] in the overlay network.
In a second example, for the virtual packet [10.0.0.1, 20.0.0.2; 7], the corresponding source interface is GE1/0/0.1 and the corresponding destination interface is GE1/0/1.1. Since GE1/0/0.1 is bound to BD10 and GE1/0/1.1 is bound to BD20, the source forwarding instance of the virtual packet in the overlay network is BD10 and its destination forwarding instance is BD20. The virtual packet from VM1 arrives at BD10 through the inbound interface GE1/0/0.1. As can be seen from table 2, after reaching BD10 the virtual packet is forwarded through the outbound interface vbdif10. Since vbdif10 is bound to VRF1, as can be seen in combination with the first network graph model shown in fig. 4, the virtual packet reaches VRF1. After the virtual packet reaches VRF1, because table 1 has no forwarding entry covering the destination IP address 20.0.0.2, VRF1 does not forward the virtual packet. That is, the logical path of the virtual packet in the overlay network is: network device 102b1-BD10 → network device 102b1-VRF1. Since this logical path does not include the destination forwarding instance BD20, the logical path "network device 102b1-BD10 → network device 102b1-VRF1" is a logical unreachable path of the virtual packet [10.0.0.1, 20.0.0.2; 7] in the overlay network.
In a third example, for virtual message [10.0.0.1, {20.0.0.1,20.0.0.2 }; 7], the corresponding source interface is GE1/0/0.1, and the corresponding destination interface is GE 1/0/1.1. Since GE1/0/0.1 is bound with BD10 and GE1/0/1.1 is bound with BD20, the corresponding source forwarding instance of the virtual packet in the overlay network is BD10, and the corresponding destination forwarding instance is BD 20. The dummy message in VM1 arrives at BD10 through ingress interface GE 1/0/1.1. As can be seen from table 2, the dummy packet is forwarded through the egress interface vbdif10 after reaching the BD 10. Since vbdif10 is bound to VRF1, as can be seen in connection with the first network graph model shown in fig. 4, the virtual message reaches VRF 1. Based on table 1, it can be known that a message with a destination IP of 20.0.0.1 is forwarded through a VXLAN tunnel, and a forwarding table entry corresponding to the destination IP of 20.0.0.2 does not exist in table 1, so that an original virtual message is split into two sub-virtual messages at a VRF1, and one sub-virtual message is [10.0.0.1, 20.0.0.1; 7], and the other sub-virtual message is [10.0.0.1, 20.0.0.2; 7]. Child virtual message [10.0.0.1, 20.0.0.1; 7] continuing to forward, wherein the process can refer to the first example to finally obtain a sub virtual message [10.0.0.1, 20.0.0.1; logical path 1 in overlay network: "network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD 20", the logical path 1 is a child virtual packet [10.0.0.1, 20.0.0.1; reachable logical paths in the overlay network. And child virtual message [10.0.0.1, 20.0.0.2; logical path 2 in overlay network: "network device 102b1-BD10 → network device 102b1-VRF 1" is an unreachable logical path. 
That is, virtual message [10.0.0.1, {20.0.0.1,20.0.0.2 }; 7] there are 2 logical paths in the overlay network, wherein the child virtual message [10.0.0.1, 20.0.0.1; 7] the logical path 1 in the overlay network is a logical reachable path, the sub-virtual message [10.0.0.1, 20.0.0.2; logical path 2 in the overlay network is a logically unreachable path.
It can be understood that, if the virtual packet is split into a plurality of sub-virtual packets during the simulated transmission, the logical reachable path of the virtual packet in the overlay network specifically includes the logical reachable path of one or more sub-virtual packets in the overlay network, and the logical unreachable path of the virtual packet in the overlay network specifically includes the logical unreachable path of one or more sub-virtual packets in the overlay network. The logical reachable path or logical unreachable path of each sub-virtual packet consists of the transmission path of the virtual packet from which the sub-virtual packet was split (i.e., the transmission path before splitting) and the transmission path of the sub-virtual packet itself (i.e., the transmission path after splitting). The logical reachable paths of a sub-virtual packet in the overlay network include the logical paths that satisfy the following condition: the end point of the logical path is the destination forwarding instance, and the egress interface through which the sub-virtual packet is forwarded from the destination forwarding instance is the destination interface. The logical unreachable paths of a sub-virtual packet in the overlay network include the logical paths that satisfy one or more of the following conditions: the end point of the logical path is the destination forwarding instance, but the egress interface through which the sub-virtual packet is forwarded from the destination forwarding instance is not the destination interface; the end point of the logical path has no next hop for the sub-virtual packet in the overlay network and is not the destination forwarding instance; or the logical path contains a loop. In the embodiment of the present application, the fields of a sub-virtual packet describe a header space, which may represent a single packet or a group of packets.
Taking as an example a sub-virtual packet that includes a five-tuple, each element of the five-tuple may be a single value or a set of values.
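The three examples above, together with the reachable and unreachable conditions just listed, as an added worked example that is not part of the patent. The forwarding entries are constructed from what the text says tables 1 to 4 contain; the node names, the dict layout and the function names (verify_overlay, format_path) are assumptions of this example. It generalises the third example: any set of destination IPs is split wherever the destinations hit different forwarding entries, and each resulting sub-virtual packet is classified with the conditions above (end point is the destination instance and egress is the destination interface, no forwarding entry, no next hop, loop), with the unreachable root cause recorded alongside the path.

```python
# Added example (not the patent's code): simulated transmission of a virtual packet
# through the overlay forwarding instances of figure 4. The forwarding entries below
# are constructed to match what the text says tables 1-4 contain; the dict layout,
# node names and function names are assumptions of this example.

SRC_INSTANCE = "102b1-BD10"      # source forwarding instance (GE1/0/0.1 is bound to BD10)
DST_INSTANCE = "102b2-BD20"      # destination forwarding instance (GE1/0/1.1 is bound to BD20)
DST_IF = "GE1/0/1.1"             # destination interface

# Routing information per forwarding instance: destination IP -> egress.
# "*" stands for "any destination" (the layer-2 instances forward everything to their
# layer-3 virtual interface here); an egress is ("interface", name) or ("tunnel", name).
FORWARDING = {
    "102b1-BD10": {"*": ("interface", "vbdif10")},             # table 2
    "102b1-VRF1": {"20.0.0.1": ("tunnel", "VTEP1->VTEP2")},    # table 1: no entry for 20.0.0.2
    "102b2-VRF2": {"20.0.0.1": ("interface", "vbdif20")},      # table 3
    "102b2-BD20": {"*": ("interface", DST_IF)},                # table 4: towards VM2
}

# First network graph model: (instance, egress name) -> next forwarding instance.
# vbdif10 is bound to VRF1, the VXLAN tunnel joins VRF1 to VRF2, vbdif20 belongs to BD20.
LINKS = {
    ("102b1-BD10", "vbdif10"): "102b1-VRF1",
    ("102b1-VRF1", "VTEP1->VTEP2"): "102b2-VRF2",
    ("102b2-VRF2", "vbdif20"): "102b2-BD20",
}


def verify_overlay(src_ip, dst_ips, proto, src_instance=SRC_INSTANCE,
                   dst_instance=DST_INSTANCE, dst_if=DST_IF,
                   forwarding=FORWARDING, links=LINKS):
    """Return one result per (sub-)virtual packet: its logical path, whether that path
    is reachable, and the unreachable root cause if it is not."""
    results = []
    # Work items: (current instance, destination IPs still travelling together, path so far)
    stack = [(src_instance, frozenset(dst_ips), [src_instance])]
    while stack:
        node, dsts, path = stack.pop()
        table = forwarding.get(node, {})
        # Split the header space: destinations that hit different entries become
        # separate sub-virtual packets; destinations with no entry form their own group.
        groups = {}
        for dst in dsts:
            egress = table.get(dst, table.get("*"))
            groups.setdefault(egress, set()).add(dst)
        for egress, sub in groups.items():
            packet = (src_ip, sorted(sub), proto)
            if egress is None:
                results.append(dict(packet=packet, path=path, reachable=False,
                                    reason=f"no forwarding entry in {node}"))
                continue
            kind, name = egress
            if node == dst_instance:
                # End point is the destination instance: reachable only if the egress
                # is the destination interface.
                ok = kind == "interface" and name == dst_if
                results.append(dict(packet=packet, path=path, reachable=ok,
                                    reason=None if ok else f"egress {name} is not {dst_if}"))
                continue
            nxt = links.get((node, name))
            if nxt is None:
                results.append(dict(packet=packet, path=path, reachable=False,
                                    reason=f"no next hop from {node} via {name}"))
                continue
            if nxt in path:
                results.append(dict(packet=packet, path=path + [nxt], reachable=False,
                                    reason=f"loop detected at {nxt}"))
                continue
            stack.append((nxt, frozenset(sub), path + [nxt]))
    return results


def format_path(path):
    """Render a path the way the text does: 'network device A → network device B'."""
    return " → ".join(f"network device {node}" for node in path)


if __name__ == "__main__":
    for r in verify_overlay("10.0.0.1", {"20.0.0.1", "20.0.0.2"}, 7):
        state = "reachable" if r["reachable"] else f"unreachable ({r['reason']})"
        print(r["packet"], format_path(r["path"]), state)
```

Running the module reproduces the third example: the destination set is split at 102b1-VRF1, 20.0.0.1 reaches 102b2-BD20 and leaves through GE1/0/1.1, and 20.0.0.2 stops at 102b1-VRF1 with the root cause "no forwarding entry". Because the destination instance is checked before the link table is consulted, a packet that arrives at the destination instance but would leave through some other interface is reported as unreachable rather than forwarded onward.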
In the embodiment of the application, the verification device implements reachability verification of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface; that is, single-layer reachability verification of the overlay network in the target network is implemented, and the verification accuracy is high, so that the accuracy of fault location in the target network is high. In addition, the network reachability verification method provided by the embodiment of the application has high implementation flexibility.
Optionally, the verification device may further verify reachability in the underlay network between the two tunnel end points of each tunnel on a target logical path, where the target logical path is a logical path of the virtual packet in the overlay network that includes a tunnel. Optionally, the verification device verifies reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path only when the target logical path is a reachable path of the virtual packet in the overlay network.
In the embodiment of the application, after the verification device obtains the tunnel on the logical path of the virtual packet in the overlay network, it can verify the reachability between the two tunnel endpoints of that tunnel in the underlay network; layered verification of the target network is thus achieved, and the verification efficiency is high. Furthermore, the verification device may first obtain a logical path of the virtual packet in the overlay network and, after determining that the logical path is a reachable path of the virtual packet in the overlay network, verify reachability in the underlay network between the two tunnel endpoints of each tunnel on the logical path, so as to determine whether the virtual packet can be delivered in the target network through the physical path in the underlay network corresponding to the logical path. When the logical path is an unreachable path of the virtual packet in the overlay network, the verification device determines that the physical path in the underlay network corresponding to the logical path is unreachable for the virtual packet in the target network; at this point the reachability of the tunnels on the logical path in the underlay network need not be verified further, which saves computing resources.
In a first optional embodiment of the present application, the verification device performs on-demand verification of tunnel reachability in the underlay network. The implementation process by which the verification device verifies reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path includes: the verification device verifies the reachability between the two tunnel end points of each tunnel on the target logical path in the underlay network according to the physical topology of the plurality of network devices in the target network and the public network routing information of the plurality of network devices.
Each network device in the target network has corresponding public network routing information. The public network routing information includes a public network forwarding table. For example, table 5 shows a public network forwarding table corresponding to network device 102b1 in fig. 2, and the IP address of interface GE1/1/0 of network device 102b1 is 100.100.0.2/255.255.255.0. Table 6 shows the public network forwarding table corresponding to the network device 102a in fig. 2, the IP address of the interface GE1/2/0 of the network device 102a is 100.100.0.1/255.255.255.0, and the IP address of the interface GE1/3/0 is 100.200.0.1/255.255.255.0. Table 7 shows the public network forwarding table corresponding to network device 102b2 in fig. 2, and the IP address of interface GE1/4/0 of network device 102b2 is 100.200.0.2/255.255.255.0.
TABLE 5 (public network forwarding table of network device 102b1)
Destination IP | Next hop | Outlet interface
2.2.2.2/32 | 100.100.0.1 | GE1/1/0
TABLE 6 (public network forwarding table of network device 102a)
Destination IP | Next hop | Outlet interface
1.1.1.1/32 | 100.100.0.2 | GE1/2/0
2.2.2.2/32 | 100.200.0.2 | GE1/3/0
TABLE 7 (public network forwarding table of network device 102b2)
Destination IP | Next hop | Outlet interface
1.1.1.1/32 | 100.200.0.1 | GE1/4/0
For example, referring to the first example above, in the logical path "network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20" of the virtual packet [10.0.0.1, 20.0.0.1; 7] in the overlay network, network device 102b1-VRF1 and network device 102b2-VRF2 are connected through a VXLAN tunnel, which may be represented as VTEP1 → VTEP2. From network device 102b1-VRF1 to network device 102b2-VRF2, the virtual packet is actually encapsulated with a VXLAN header in the underlay network, where the source IP address in the VXLAN header is the IP address 1.1.1.1 of VTEP1 and the destination IP address in the VXLAN header is the IP address 2.2.2.2 of VTEP2. Based on tables 5 and 6, in conjunction with the physical topology of network device 102b1, network device 102a and network device 102b2, the tunnel "VTEP1 → VTEP2" corresponds to the following physical path in the underlay network: network device 102b1 → network device 102a → network device 102b2; that is, the tunnel is reachable in the underlay network between its two tunnel endpoints VTEP1 and VTEP2. It can further be concluded that the virtual packet [10.0.0.1, 20.0.0.1; 7] sent by VM1 can reach VM2 in the target network.
In a second alternative embodiment of the present application, the verification device performs a full verification of reachability of tunnels in the underlay network. The implementation process of verifying reachability between two tunnel end points of each tunnel on a target logical path in an underlying network by a verification device includes: the verification device verifies reachability in the underlying network between two tunnel end points of each tunnel on the target logical path based on a set of tunnels including one or more pairs of tunnel end points reachable in the underlying network.
Optionally, the verification device obtains the identifiers of the tunnel endpoints in the target network based on the configuration information of the network devices in the target network, where the identifier of a tunnel endpoint may be the IP address of that tunnel endpoint. Then, the verification device verifies the reachability of the tunnel endpoints in the underlay network pairwise according to the physical topology of the network devices in the target network and the public network routing information of the network devices, and generates a tunnel set according to the verification result for each pair of tunnel endpoints.
The verification device may obtain the identities of all tunnel endpoints configured in the target network based on the configuration information of all network devices in the target network, and then generate a tunnel set including all pairs of tunnel endpoints reachable in the underlay network. The manner in which the verifying device verifies the reachability in the underlying network between the two tunnel endpoints may refer to the related description in the first optional embodiment, and details of the embodiment of the present application are not described herein again.
Of course, the tunnel set may also be generated by other devices and then sent to the verification device, and the embodiment of the present application does not limit the manner in which the verification device acquires the tunnel set.
In this embodiment, after obtaining the tunnel on the logical path of the virtual packet in the overlay network, the verification device only needs to look up the tunnel set using the identifiers of the two tunnel endpoints of the tunnel to determine whether those two tunnel endpoints are reachable in the underlay network, so the verification efficiency is high.
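The two optional embodiments above, on-demand tracing of one tunnel in the first and a precomputed tunnel set in the second, as an added example that is not from the patent. The public forwarding tables are tables 5 to 7 and the links are those described for fig. 5; the assumption that each VTEP address is hosted by exactly one device (the VTEPS table), the dict layout and the function names (lookup, trace_underlay, build_tunnel_set) are this example's own. The trace does a longest-prefix match per hop, follows the outlet interface across the physical link, and reports a root cause when a device has no public route, an interface is not cabled, or the path loops.

```python
import ipaddress

# Added example (not the patent's code): underlay reachability between tunnel endpoints,
# driven by the public network forwarding tables 5-7 and the physical links of figure 5.
# Addresses and interface names are the ones the text gives; the dict layout, the VTEP
# ownership table and the function names are assumptions of this example.

PUBLIC_FIB = {                      # device -> [(prefix, next hop, outlet interface)]
    "102b1": [("2.2.2.2/32", "100.100.0.1", "GE1/1/0")],                     # table 5
    "102a":  [("1.1.1.1/32", "100.100.0.2", "GE1/2/0"),
              ("2.2.2.2/32", "100.200.0.2", "GE1/3/0")],                     # table 6
    "102b2": [("1.1.1.1/32", "100.200.0.1", "GE1/4/0")],                     # table 7
}

# Second network graph model: (device, interface) -> (peer device, peer interface), both ways.
PHYSICAL_LINKS = {
    ("102b1", "GE1/1/0"): ("102a", "GE1/2/0"),
    ("102a", "GE1/3/0"): ("102b2", "GE1/4/0"),
}
PHYSICAL_LINKS.update({peer: local for local, peer in list(PHYSICAL_LINKS.items())})

# Tunnel endpoint identifiers (IP addresses) and the device hosting each one (assumption).
VTEPS = {"VTEP1": ("102b1", "1.1.1.1"), "VTEP2": ("102b2", "2.2.2.2")}


def lookup(device, dst_ip, fib=PUBLIC_FIB):
    """Longest-prefix match of dst_ip in the device's public forwarding table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, out_if in fib.get(device, []):
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, out_if)
    return best


def trace_underlay(src_vtep, dst_vtep, fib=PUBLIC_FIB, links=PHYSICAL_LINKS, vteps=VTEPS):
    """First optional embodiment: follow the encapsulated packet hop by hop from the
    device hosting src_vtep towards the address of dst_vtep.
    Returns (reachable, physical path, unreachable root cause or None)."""
    device = vteps[src_vtep][0]
    dst_device, dst_ip = vteps[dst_vtep]
    path = [device]
    while device != dst_device:
        entry = lookup(device, dst_ip, fib)
        if entry is None:
            return False, path, f"{device} has no public route to {dst_ip}"
        out_if = entry[2]
        peer = links.get((device, out_if))
        if peer is None:
            return False, path, f"{device} {out_if} is not connected"
        device = peer[0]
        if device in path:
            return False, path + [device], f"loop in underlay at {device}"
        path.append(device)
    return True, path, None


def build_tunnel_set(fib=PUBLIC_FIB, links=PHYSICAL_LINKS, vteps=VTEPS):
    """Second optional embodiment: check every ordered pair of tunnel endpoints once and
    keep the pairs that are reachable in the underlay; later checks are set lookups."""
    return {(a, b) for a in vteps for b in vteps
            if a != b and trace_underlay(a, b, fib, links, vteps)[0]}


if __name__ == "__main__":
    ok, path, why = trace_underlay("VTEP1", "VTEP2")
    print("VTEP1 → VTEP2:", " → ".join(f"network device {d}" for d in path), ok, why)
    print("tunnel set:", sorted(build_tunnel_set()))
```

For the tables as given, the trace returns the physical path network device 102b1 → network device 102a → network device 102b2 in both directions, so the tunnel set holds both ordered pairs. Removing table 6's route to 2.2.2.2 turns VTEP1 → VTEP2 into an unreachable pair with the root cause pointing at network device 102a, while the reverse direction stays reachable, which is why the set is keyed by ordered pairs.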
Optionally, the verification device may obtain a second network graph model corresponding to the underlying network, where the second network graph model reflects the physical topology of the plurality of network devices in the target network. In the first optional embodiment described above, the verification device may verify reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path according to the second network graph model and the public network routing information of the plurality of network devices in the target network. In the second optional embodiment, the verification device may verify reachability between the tunnel endpoints in the underlying network based on the second network graph model and public network routing information of the network devices in the target network.
In the embodiment of the present application, the verification device obtains the second network graph model corresponding to the underlay network; since the second network graph model reflects the physical topology of the plurality of network devices in the target network, that is, the physical topology of the underlay network, the verification device can verify reachability in the underlay network between the two tunnel endpoints of a tunnel on the logical path according to the second network graph model. In addition, the verification device can also output the second network graph model so as to display the first network graph model on the verification device or another device, thereby providing visualization of the physical topology of the underlay network.
Optionally, the implementation process by which the verification device obtains the second network graph model corresponding to the underlay network includes: the verification device generates the second network graph model according to the networking topology of the target network.
For example, the networking topology of the target network is as shown in fig. 2, then the second network graph model corresponding to the underlying network in the target network may be as shown in fig. 5, interface GE1/1/0 on network device 102b1 is connected to interface GE1/2/0 on network device 102a, and interface GE1/3/0 on network device 102a is connected to interface GE1/4/0 on network device 102b 2.
Of course, the second network graph model may also be generated by another device and then sent to the verification device, in which case the implementation process by which the verification device obtains the second network graph model corresponding to the underlay network includes: the verification device receives the second network graph model transmitted by the other device. The manner in which the verification device obtains the second network graph model is not limited in the embodiment of the application.
Optionally, the verification device may further output a reachability verification result of the virtual packet in the target network, where the reachability verification result includes a reachable path set and/or an unreachable path set. The reachable path set comprises one or more pairs of reachable paths, and each pair of reachable paths comprises a logical reachable path of the virtual packet in the overlay network and the corresponding physical reachable path of that logical reachable path in the underlay network. The unreachable path set includes a logically unreachable path of the virtual packet in the overlay network and/or a physically unreachable path of the virtual packet in the underlay network.
Optionally, the virtual packet may have one or more logical paths in the overlay network, and may have one or more physical paths in the corresponding underlay network. Therefore, the reachability verification result for one virtual packet may include only the reachable path set, only the unreachable path set, or both the reachable path set and the unreachable path set.
For example, referring to the first example above, the reachability verification result of the virtual packet [10.0.0.1, 20.0.0.1; 7] in the target network includes a reachable path set. The reachable path set includes one pair of reachable paths, consisting of the logical reachable path "network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20" and the physical reachable path "network device 102b1 → network device 102a → network device 102b2" corresponding to that logical reachable path.
For another example, referring to the second example above, the reachability verification result of the virtual packet [10.0.0.1, 20.0.0.2; 7] in the target network includes an unreachable path set. The unreachable path set includes the logically unreachable path "network device 102b1-BD10 → network device 102b1-VRF1".
For another example, referring to the third example above, the reachability verification result of the virtual packet [10.0.0.1, {20.0.0.1, 20.0.0.2}; 7] in the target network comprises the reachable path set corresponding to the sub-virtual packet [10.0.0.1, 20.0.0.1; 7] and the unreachable path set corresponding to the sub-virtual packet [10.0.0.1, 20.0.0.2; 7]. The reachable path set includes one pair of reachable paths, consisting of the logical reachable path "network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20" and the physical reachable path "network device 102b1 → network device 102a → network device 102b2" corresponding to that logical reachable path. The unreachable path set includes the logically unreachable path "network device 102b1-BD10 → network device 102b1-VRF1". It can be understood that, if the virtual packet is split into a plurality of sub-virtual packets during the simulated transmission, the reachability verification result of the virtual packet may include the reachable path sets and/or unreachable path sets of the sub-virtual packets obtained by splitting.
In the embodiment of the application, the verification device can output the reachable paths and/or unreachable paths of the virtual packet in the target network, which assists network maintenance personnel in troubleshooting.
Optionally, when the reachability verification result includes the unreachable path set, the reachability verification result further includes an unreachable root of the unreachable path set.
For example, referring to the second example above, the logically unreachable path "network device 102b1-BD10 → network device 102b1-VRF1" corresponding to the virtual packet [10.0.0.1, 20.0.0.2; 7] is unreachable because there is no forwarding entry matching the virtual packet in VRF1 of network device 102b1.
In the embodiment of the application, the reachability verification result output by the verification device may include an unreachable root cause of an unreachable path in an unreachable path set, so that network operation and maintenance personnel can perform fault location and maintenance conveniently.
Illustratively, the reachability verification result output by the verification device may be expressed as follows:
Virtual packet:
{"protocolType":"7",
"srcIp":"10.0.0.1",
"srcMask":"255.255.255.255",
"dstIp":"20.0.0.1",
"dstMask":"255.255.255.255",
"srcPort":"0~65535",
"dstPort":"0~65535"}
Logical reachable path: network device 102b1-BD10 → network device 102b1-VRF1 → network device 102b2-VRF2 → network device 102b2-BD20
Virtual packet:
{"protocolType":"7",
"srcIp":"10.0.0.1",
"srcMask":"255.255.255.255",
"dstIp":"20.0.0.2",
"dstMask":"255.255.255.255",
"srcPort":"0~65535",
"dstPort":"0~65535"}
Logical unreachable path: network device 102b1-BD10 → network device 102b1-VRF1;
Unreachable root cause: VRF1 missing forwarding table entry
Here, "protocolType" indicates the transport protocol number, "srcIp" the source IP address, "srcMask" the subnet mask of the source IP address, "dstIp" the destination IP address, "dstMask" the subnet mask of the destination IP address, "srcPort" the source port, and "dstPort" the destination port.
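A parser for the virtual message record shown above, added here as an example and not part of the patent. The field names are the ones the text defines; the constructed sample record, the function names (parse_port_range, parse_virtual_message, covers) and the header-space representation (an IP network per address field, an inclusive port interval per port field) are assumptions. Because an address plus mask is parsed as a network, the same parser handles a network segment address of the kind the verification rule information may carry, and covers tests whether one concrete packet lies inside the header space.

```python
import ipaddress

# Added example (not the patent's code): parser for the "virtual message" record of the
# reachability verification result, plus a membership test for the header space it
# describes. Field names follow the text; the sample record is constructed and the
# function names and header-space representation are assumptions of this example.

SAMPLE_RECORD = {                         # constructed copy of the first record above
    "protocolType": "7",
    "srcIp": "10.0.0.1", "srcMask": "255.255.255.255",
    "dstIp": "20.0.0.1", "dstMask": "255.255.255.255",
    "srcPort": "0~65535", "dstPort": "0~65535",
}


def parse_port_range(text):
    """'0~65535' -> (0, 65535); a single value '443' -> (443, 443)."""
    lo, _, hi = text.partition("~")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_virtual_message(record):
    """Turn the record into a header space: an IP network for each address field (a
    network segment address is simply a shorter mask), an inclusive port interval for
    each port field, and the transport protocol number."""
    src = ipaddress.ip_network(f"{record['srcIp']}/{record['srcMask']}", strict=False)
    dst = ipaddress.ip_network(f"{record['dstIp']}/{record['dstMask']}", strict=False)
    return {
        "proto": int(record["protocolType"]),
        "src": src,
        "dst": dst,
        "sport": parse_port_range(record["srcPort"]),
        "dport": parse_port_range(record["dstPort"]),
    }


def covers(space, proto, src_ip, dst_ip, sport, dport):
    """True if one concrete packet falls inside the header space."""
    return (proto == space["proto"]
            and ipaddress.ip_address(src_ip) in space["src"]
            and ipaddress.ip_address(dst_ip) in space["dst"]
            and space["sport"][0] <= sport <= space["sport"][1]
            and space["dport"][0] <= dport <= space["dport"][1])


if __name__ == "__main__":
    hs = parse_virtual_message(SAMPLE_RECORD)
    print(hs["src"], "->", hs["dst"], "proto", hs["proto"],
          covers(hs, 7, "10.0.0.1", "20.0.0.1", 4000, 80))
```

The strict=False argument lets a host address carry a shorter mask without an error, so a record whose srcIp is 10.0.0.1 and srcMask is 255.255.255.0 parses to 10.0.0.0/24; an out-of-range or reversed port interval is rejected rather than silently widened.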
The order of the steps of the network reachability verification method provided by the embodiment of the application can be adjusted as appropriate, and steps can be added or removed as the situation requires. For example, the embodiments of the present application describe hierarchical verification of a target network with two layers, an underlay network and an overlay network; by analogy, the method may also be used to implement hierarchical verification of a communication network with three or more layers, which the embodiments of the present application do not describe again.
To sum up, according to the network reachability verification method provided in the embodiment of the present application, the verification device implements reachability verification of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface; that is, single-layer reachability verification of the overlay network in the target network is implemented, and the verification accuracy is higher, so that the accuracy of fault location in the target network is higher. In addition, after the verification device obtains the tunnel on the logical path of the virtual packet in the overlay network, it can verify reachability between the two tunnel endpoints of that tunnel in the underlay network; layered verification of the target network is thus achieved, verification efficiency and flexibility are high, and effective verification of networks that use multi-layer IP encapsulation and decapsulation, such as networks running the VXLAN or GRE protocol, can be achieved.
Fig. 6 is a schematic structural diagram of a network reachability verification apparatus according to an embodiment of the present application. The apparatus may be the verification device 101 in the system shown in fig. 1. As shown in fig. 6, the apparatus 60 includes:
the first obtaining module 601 is configured to obtain a source interface and a destination interface of a virtual packet in a target network, where the target network includes an underlying network and an overlay network constructed on the underlying network.
the first verification module 602 is configured to verify reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface.
In summary, in the network reachability verification apparatus provided in the embodiment of the present application, the reachability verification of the virtual packet in the overlay network is implemented according to the logic topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of the multiple forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface by the first verification module, that is, the single-layer reachability verification for the overlay network in the target network is implemented, the verification accuracy is higher, and thus the accuracy of locating the fault in the target network is higher.
Optionally, as shown in fig. 7, the apparatus 60 further comprises:
the second obtaining module 603 is configured to obtain a first network graph model corresponding to the overlay network, where the first network graph model reflects a logical topology of multiple forwarding instances of multiple network devices in the target network. Correspondingly, the first verification module 602 is configured to verify reachability of the virtual packet in the overlay network according to the first network graph model, the routing information of the multiple forwarding instances, the source forwarding instance, and the destination forwarding instance.
Optionally, the second obtaining module 603 is configured to generate a first network graph model according to configuration information about forwarding instances of multiple network devices in the target network and tunnel state information of the multiple network devices, where the first network graph model includes a connection relationship between multiple forwarding instances in different network devices, and the forwarding instances in different network devices are connected through tunnels.
Optionally, the first network graph model further includes connection relationships of multiple forwarding instances in the same network device.
Optionally, the configuration information of the forwarding instances of a network device includes one or more of: the binding relationship between an interface of the network device and a layer-2 forwarding instance in the network device, the layer-3 virtual interface corresponding to a layer-2 forwarding instance in the network device, the binding relationship between the layer-3 virtual interface corresponding to a layer-2 forwarding instance and a layer-3 forwarding instance in the network device, the network identifier of a forwarding instance in the network device, or the route target of a forwarding instance in the network device.
Optionally, the first verification module 602 is configured to determine a logically reachable path and/or a logically unreachable path of the virtual packet in the overlay network.
Optionally, the logical reachable paths of the virtual packet in the overlay network include the logical paths that satisfy the following condition: the end point of the logical path is the destination forwarding instance, and the egress interface through which the virtual packet is forwarded from the destination forwarding instance is the destination interface.
Optionally, the logically unreachable paths of the virtual packet in the overlay network include the logical paths that satisfy one or more of the following conditions: the end point of the logical path is the destination forwarding instance, but the egress interface through which the virtual packet is forwarded from the destination forwarding instance is not the destination interface; the end point of the logical path has no next hop for the virtual packet in the overlay network and is not the destination forwarding instance; or the logical path contains a loop.
Optionally, as shown in fig. 8, the apparatus 60 further comprises:
the second verification module 604 is configured to verify reachability in the underlay network between the two tunnel endpoints of each tunnel on a target logical path, where the target logical path is a logical path of the virtual packet in the overlay network that includes a tunnel.
Optionally, the second verification module 604 is configured to verify reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path when the target logical path is a logically reachable path of the virtual packet in the overlay network.
Optionally, the second verification module 604 is configured to verify reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path according to the physical topology of the network devices in the target network and the public network routing information of the network devices.
In a first alternative embodiment of the present application, as shown in fig. 9, the apparatus 60 further comprises a third obtaining module 605, configured to obtain a second network graph model corresponding to the underlay network, where the second network graph model reflects the physical topology of the multiple network devices in the target network. Accordingly, the second verification module 604 is configured to verify reachability in the underlay network between the two tunnel end points of each tunnel on the target logical path according to the second network graph model and the public network routing information of the plurality of network devices.
Optionally, the second verification module 604 is configured to: reachability in the underlying network between two tunnel end points of each tunnel on the target logical path is verified based on a set of tunnels including one or more pairs of tunnel end points reachable in the underlying network.
Optionally, as shown in fig. 10, the apparatus 60 further includes:
a fourth obtaining module 606, configured to obtain the identifiers of multiple tunnel endpoints in the target network based on the configuration information of the multiple network devices in the target network; a third verification module 607, configured to verify reachability in the underlay network between the multiple tunnel endpoints pairwise according to the physical topology of the multiple network devices in the target network and the public network routing information of the multiple network devices; and a first generating module 608, configured to generate a tunnel set according to the verification result of reachability in the underlay network between each pair of the plurality of tunnel endpoints.
In a second alternative embodiment of the present application, as shown in fig. 11, the apparatus 60 further includes a third obtaining module 605, configured to obtain a second network graph model corresponding to the underlay network, where the second network graph model reflects the physical topology of the plurality of network devices in the target network. Correspondingly, the third verification module 607 is configured to verify reachability between the tunnel endpoints in the underlay network pairwise according to the second network graph model and the public network routing information of the network devices.
Optionally, the third obtaining module 605 is configured to generate a second network graph model according to the networking topology of the target network.
Optionally, as shown in fig. 12, the apparatus 60 further comprises:
the output module 609 is configured to output a reachability verification result of the virtual packet in the target network, where the reachability verification result includes a reachable path set and/or an unreachable path set. The reachable path set comprises one or more pairs of reachable paths, where each pair of reachable paths comprises a logical reachable path of the virtual packet in the overlay network and the corresponding physical reachable path of that logical reachable path in the underlay network; the unreachable path set includes a logically unreachable path of the virtual packet in the overlay network and/or a physically unreachable path of the virtual packet in the underlay network.
Optionally, when the reachability verification result includes the unreachable path set, the reachability verification result further includes an unreachable root of an unreachable path in the unreachable path set.
Optionally, as shown in fig. 13, the apparatus 60 further includes:
a fifth obtaining module 610, configured to obtain verification rule information, where the verification rule information includes a source address to be verified and a destination address to be verified; and a second generating module 611, configured to generate the virtual packet according to the verification rule information, where the source address of the virtual packet is determined based on the source address to be verified and the destination address of the virtual packet is determined based on the destination address to be verified.
Optionally, the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address.
Optionally, the verification rule information further includes one or more of a source port number, a destination port number, a transport layer protocol type, a mandatory network device in the target network, a source interface identifier, or a destination interface identifier.
Optionally, the routing information of the forwarding instance includes one or more of a media access control table, a forwarding table, or an address resolution protocol table.
In summary, in the network reachability verification apparatus provided in the embodiment of the present application, the first verification module verifies reachability of the virtual packet in the overlay network according to the logical topology of the multiple forwarding instances of the multiple network devices in the target network, the routing information of those forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface. That is, single-layer reachability verification of the overlay network in the target network is implemented, so the verification accuracy is higher and faults in the target network are located more accurately. In addition, after the tunnels on the logical path of the virtual packet in the overlay network are obtained, the second verification module can verify reachability in the underlay network between the two endpoints of each tunnel. This realizes layered verification of the target network with high verification efficiency and flexibility, and allows effective verification of networks that run multiple layers of IP encapsulation and decapsulation, such as networks running the VXLAN protocol or the GRE protocol.
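As an added illustration (not code from the patent or from Huawei), the following Python sketch models the layered check summarised above on a constructed three-leaf fabric: the overlay trace applies the reachable/unreachable conditions of claims 7 and 8, the tunnel set is built by pairwise underlay checks as in claim 14, and the underlay is consulted only for logically reachable paths (claim 10). All device, forwarding-instance, interface and address names are assumptions.

```python
"""Added example, not code from the patent. Toy model of the layered overlay/
underlay reachability verification; every name and address is constructed."""
import ipaddress

# Overlay (first network graph model): forwarding instances "<device>/<vrf>",
# each with a forwarding table whose next hop is ("iface", egress interface)
# or ("tunnel", instance on a peer device), plus the device's tunnel endpoint.
OVERLAY = {
    "leaf1/vrf_a": {"vtep": "leaf1", "routes": {
        "10.1.0.0/24": ("iface", "ge0/1"),
        "10.2.0.0/24": ("tunnel", "leaf2/vrf_a"),
        "10.3.0.0/24": ("tunnel", "leaf3/vrf_a")}},
    "leaf2/vrf_a": {"vtep": "leaf2", "routes": {
        "10.2.0.0/24": ("iface", "ge0/2"),
        "10.1.0.0/24": ("tunnel", "leaf1/vrf_a")}},
    # leaf3 is misconfigured: its own segment 10.3.0.0/24 points back to
    # leaf1, so a packet for that segment bounces between the two (a loop).
    "leaf3/vrf_a": {"vtep": "leaf3", "routes": {
        "10.3.0.0/24": ("tunnel", "leaf1/vrf_a"),
        "10.2.0.0/24": ("tunnel", "leaf2/vrf_a")}},
}

# Underlay (second network graph model): physical links plus each device's
# public-network routes towards the tunnel endpoints (endpoint -> next hop).
UNDERLAY_LINKS = {("leaf1", "spine1"), ("leaf2", "spine1"), ("leaf3", "spine1")}
PUBLIC_ROUTES = {
    "leaf1": {"leaf2": "spine1", "leaf3": "spine1"},
    "leaf2": {"leaf1": "spine1", "leaf3": "spine1"},
    "leaf3": {"leaf1": "spine1"},  # no route towards leaf2's endpoint
    "spine1": {"leaf1": "leaf1", "leaf2": "leaf2", "leaf3": "leaf3"},
}


def lpm(routes, dst_ip):
    """Longest-prefix match in a forwarding instance's forwarding table."""
    addr, best_net, best_nh = ipaddress.ip_address(dst_ip), None, None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def trace_overlay(src_inst, dst_inst, dst_iface, dst_ip):
    """Walk the virtual packet from the source instance; return (reachable,
    logical_path, root_cause) under the conditions of claims 7 and 8."""
    path, cur = [src_inst], src_inst
    while True:
        nh = lpm(OVERLAY[cur]["routes"], dst_ip)
        if nh is None:  # end point has no next hop for the packet
            return False, path, "no next hop at %s" % cur
        kind, target = nh
        if kind == "iface":  # packet leaves the overlay here
            if cur != dst_inst:
                return False, path, "egresses at %s, not the destination instance" % cur
            if target != dst_iface:
                return False, path, "egress %s is not destination interface %s" % (target, dst_iface)
            return True, path, None
        path.append(target)  # tunnel hop to an instance on another device
        if target in path[:-1]:
            return False, path, "loop in logical path"
        cur = target


def trace_underlay(src_vtep, dst_vtep):
    """Follow public-network routes hop by hop over physical links."""
    path, cur = [src_vtep], src_vtep
    while cur != dst_vtep:
        nxt = PUBLIC_ROUTES.get(cur, {}).get(dst_vtep)
        if nxt is None:
            return False, path, "no public-network route at %s towards %s" % (cur, dst_vtep)
        if (cur, nxt) not in UNDERLAY_LINKS and (nxt, cur) not in UNDERLAY_LINKS:
            return False, path, "route at %s uses a link absent from the topology" % cur
        path.append(nxt)
        if nxt in path[:-1]:
            return False, path, "loop in underlay"
        cur = nxt
    return True, path, None


def build_tunnel_set():
    """Claim 14: check every ordered endpoint pair once; keep reachable pairs."""
    vteps = sorted({v["vtep"] for v in OVERLAY.values()})
    return {(a, b) for a in vteps for b in vteps if a != b and trace_underlay(a, b)[0]}


def verify(src_inst, dst_inst, dst_iface, dst_ip):
    """Layered verification: overlay first; only a logically reachable path has
    its tunnels checked in the underlay (claim 10), via the tunnel set."""
    ok, lpath, cause = trace_overlay(src_inst, dst_inst, dst_iface, dst_ip)
    if not ok:
        return {"reachable": False, "logical_path": lpath, "root_cause": cause}
    tunnel_set, physical_paths = build_tunnel_set(), []
    for a, b in zip(lpath, lpath[1:]):  # every hop of the logical path is a tunnel
        ea, eb = OVERLAY[a]["vtep"], OVERLAY[b]["vtep"]
        if (ea, eb) not in tunnel_set:
            return {"reachable": False, "logical_path": lpath,
                    "root_cause": "tunnel %s->%s: %s" % (ea, eb, trace_underlay(ea, eb)[2])}
        physical_paths.append(trace_underlay(ea, eb)[1])
    return {"reachable": True, "logical_path": lpath, "physical_paths": physical_paths}
```

Calling `verify("leaf3/vrf_a", "leaf2/vrf_a", "ge0/2", "10.2.0.7")` shows the point of the second layer: the overlay path is logically reachable, yet the result is unreachable because leaf3 has no underlay route to leaf2's tunnel endpoint.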
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 14 is a block diagram of a network reachability verification apparatus according to an embodiment of the present application. As shown in fig. 14, the apparatus 140 includes a processor 1401 and a memory 1402.
The memory 1402 is configured to store a computer program, where the computer program includes program instructions.
The processor 1401 is configured to invoke the computer program to implement the network reachability verification method of the foregoing method embodiment.
Optionally, the apparatus 140 further includes a communication bus 1403 and a communication interface 1404.
The processor 1401 includes one or more processing cores and executes various functional applications and data processing by running the computer program.
The memory 1402 may be used to store the computer program. Optionally, the memory may store an operating system and the application program units required for at least one function. The operating system may be a Real Time eXecutive (RTX) operating system, such as LINUX, UNIX, WINDOWS, or OS X.
There may be multiple communication interfaces 1404, and the communication interface 1404 is used for communication with other storage devices or network devices.
The memory 1402 and the communication interface 1404 are each connected to the processor 1401 via the communication bus 1403.
The embodiment of the present application further provides a computer storage medium, where instructions are stored on the computer storage medium, and when the instructions are executed by a processor of a computer device, the network reachability verification method described in the above method embodiment is implemented.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In the embodiments of the present application, the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The term "and/or" in this application only describes an association relationship between the associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
The above description is only exemplary of the present application and is not intended to limit the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are intended to be included within the scope of the present application.

Claims (46)

1. A method for network reachability verification, the method comprising:
acquiring a source interface and a destination interface corresponding to a virtual packet in a target network, wherein the target network comprises an underlying network and an overlay network constructed on the underlying network;
and verifying the reachability of the virtual packet in the overlay network according to the logical topology of a plurality of forwarding instances of a plurality of network devices in the target network, the routing information of the plurality of forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface.
2. The method of claim 1, further comprising:
acquiring a first network graph model corresponding to the overlay network, wherein the first network graph model reflects the logic topology of a plurality of forwarding instances of a plurality of network devices in the target network;
the verifying the reachability of the virtual packet in the overlay network according to the logical topology of the forwarding instances of the network devices in the target network, the routing information of the forwarding instances, the source forwarding instance corresponding to the source interface, and the destination forwarding instance corresponding to the destination interface includes:
and verifying the reachability of the virtual packet in the overlay network according to the first network graph model, the routing information of the forwarding instances, the source forwarding instance, and the destination forwarding instance.
3. The method of claim 2, wherein the obtaining the first network graph model corresponding to the overlay network comprises:
and generating the first network graph model according to configuration information of a plurality of network devices in the target network about forwarding instances and tunnel state information of the plurality of network devices, wherein the first network graph model comprises the connection relation of the plurality of forwarding instances in different network devices, and the forwarding instances in different network devices are connected through tunnels.
4. The method of claim 3, wherein the first network graph model further comprises connection relationships for multiple forwarding instances in the same network device.
5. The method according to claim 3 or 4, wherein the configuration information of the network device about the forwarding instance includes one or more of a binding relationship between an interface of the network device and a Layer 2 forwarding instance in the network device, a Layer 3 virtual interface corresponding to the Layer 2 forwarding instance in the network device, a binding relationship between the Layer 3 virtual interface corresponding to the Layer 2 forwarding instance in the network device and a Layer 3 forwarding instance in the network device, a network identifier of the forwarding instance in the network device, or a route target of the forwarding instance in the network device.
6. The method according to any of claims 1 to 5, wherein said verifying reachability of said virtual packet in said overlay network comprises:
and determining a logically reachable path and/or a logically unreachable path of the virtual packet in the overlay network.
7. The method of claim 6, wherein the logically reachable path of the virtual packet in the overlay network comprises a logical path that satisfies the following condition:
the destination forwarding instance is the destination end point of the logical path, and the output interface through which the virtual packet is forwarded from the destination forwarding instance is the destination interface.
8. The method of claim 6, wherein the logically unreachable path of the virtual packet in the overlay network comprises a logical path that satisfies one or more of the following conditions:
the destination forwarding instance is a destination interface, and the output interface through which the virtual packet is forwarded from the destination forwarding instance is not the destination interface;
the end point of the logical path has no next hop corresponding to the virtual packet in the overlay network, and the end point of the logical path is not the destination forwarding instance;
the logical path includes a loop.
9. The method according to any one of claims 1 to 8, further comprising:
and verifying the reachability in the underlying network between the two tunnel end points of each tunnel on a target logical path, wherein the target logical path is a logical path of the virtual packet in the overlay network that includes a tunnel.
10. The method of claim 9, wherein verifying reachability in the underlying network between two tunnel end points of each tunnel on the target logical path comprises:
and when the target logical path is a logically reachable path of the virtual packet in the overlay network, verifying the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path.
11. The method of claim 9 or 10, wherein verifying reachability in the underlying network between two tunnel end points of each tunnel on the target logical path comprises:
and verifying the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path according to the physical topologies of the plurality of network devices in the target network and the public network routing information of the plurality of network devices.
12. The method of claim 11, further comprising:
acquiring a second network graph model corresponding to the underlying network, wherein the second network graph model reflects the physical topology of a plurality of network devices in the target network;
the verifying reachability in the underlying network between two tunnel end points of each tunnel on the target logical path according to physical topologies of a plurality of network devices in the target network and public network routing information of the plurality of network devices comprises:
and verifying the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path according to the second network graph model and the public network routing information of the plurality of network devices.
13. The method of claim 9 or 10, wherein verifying reachability in the underlying network between two tunnel end points of each tunnel on the target logical path comprises:
verifying reachability in the underlying network between two tunnel endpoints of each tunnel on the target logical path based on a set of tunnels including one or more pairs of tunnel endpoints reachable in the underlying network.
14. The method of claim 13, further comprising:
acquiring identifiers of a plurality of tunnel end points in the target network based on configuration information of a plurality of network devices in the target network;
verifying the reachability in the underlying network between the tunnel end points pairwise according to the physical topologies of the network devices in the target network and the public network routing information of the network devices;
and generating the tunnel set according to a verification result of reachability in the underlying network between every two tunnel end points of the plurality of tunnel end points.
15. The method of claim 14, further comprising:
acquiring a second network graph model corresponding to the underlying network, wherein the second network graph model reflects the physical topology of a plurality of network devices in the target network;
the pairwise verifying reachability among the tunnel endpoints in the underlying network according to physical topologies of a plurality of network devices in the target network and public network routing information of the network devices comprises:
and verifying the reachability among the tunnel end points in the underlying network pairwise according to the second network graph model and the public network routing information of the network devices.
16. The method according to claim 12 or 15, wherein the obtaining of the second network graph model corresponding to the underlying network comprises:
and generating the second network graph model according to the networking topology of the target network.
17. The method of any one of claims 1 to 16, further comprising:
outputting a reachability verification result of the virtual packet in the target network, wherein the reachability verification result comprises a reachable path set and/or an unreachable path set;
wherein the reachable path set comprises one or more pairs of reachable paths, each pair of reachable paths comprising a logical reachable path of the virtual packet in the overlay network and a corresponding physical reachable path of the logical reachable path in the underlay network; the set of unreachable paths includes a logically unreachable path of the virtual packet in the overlay network and/or a physically unreachable path of the virtual packet in the underlay network.
18. The method of claim 17, wherein when the reachability verification result comprises the set of unreachable paths, the reachability verification result further comprises the root cause of unreachability of each unreachable path in the set of unreachable paths.
19. The method of any one of claims 1 to 18, further comprising:
acquiring verification rule information, wherein the verification rule information comprises a source address to be verified and a destination address to be verified;
and generating the virtual message according to the verification rule information, wherein the source address of the virtual message is determined based on the source address to be verified, and the destination address of the virtual message is determined based on the destination address to be verified.
20. The method of claim 19, wherein the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address.
21. The method of claim 19 or 20, wherein the verification rule information further comprises one or more of a source port number, a destination port number, a transport layer protocol type, a mandatory network device in the target network, a source interface identifier, or a destination interface identifier.
22. The method of any of claims 1 to 21, wherein the routing information of the forwarding instance comprises one or more of a media access control table, a forwarding table, or an address resolution protocol table.
23. A network reachability verification apparatus, comprising:
a first obtaining module, configured to obtain a source interface and a destination interface corresponding to a virtual packet in a target network, wherein the target network comprises an underlying network and an overlay network constructed on the underlying network;
a first verification module, configured to verify reachability of the virtual packet in the overlay network according to a logical topology of multiple forwarding instances of multiple network devices in the target network, routing information of the multiple forwarding instances, a source forwarding instance corresponding to the source interface, and a destination forwarding instance corresponding to the destination interface.
24. The apparatus of claim 23, further comprising:
a second obtaining module, configured to obtain a first network graph model corresponding to the overlay network, where the first network graph model reflects a logical topology of multiple forwarding instances of multiple network devices in the target network;
the first verification module is configured to verify reachability of the virtual packet in the overlay network according to the first network graph model, the routing information of the multiple forwarding instances, the source forwarding instance, and the destination forwarding instance.
25. The apparatus of claim 24, wherein the second obtaining module is configured to:
and generating the first network graph model according to configuration information of a plurality of network devices in the target network about forwarding instances and tunnel state information of the plurality of network devices, wherein the first network graph model comprises the connection relation of the plurality of forwarding instances in different network devices, and the forwarding instances in different network devices are connected through tunnels.
26. The apparatus of claim 25, wherein the first network graph model further comprises connection relationships for multiple forwarding instances in the same network device.
27. The apparatus according to claim 25 or 26, wherein the configuration information of the network device regarding the forwarding instance includes one or more of a binding relationship between an interface of the network device and a Layer 2 forwarding instance in the network device, a Layer 3 virtual interface corresponding to the Layer 2 forwarding instance in the network device, a binding relationship between the Layer 3 virtual interface corresponding to the Layer 2 forwarding instance in the network device and a Layer 3 forwarding instance in the network device, a network identifier of the forwarding instance in the network device, or a route target of the forwarding instance in the network device.
28. The apparatus according to any one of claims 23 to 27, wherein the first verification module is configured to:
and determining a logically reachable path and/or a logically unreachable path of the virtual packet in the overlay network.
29. The apparatus of claim 28, wherein the logically reachable path of the virtual packet in the overlay network comprises a logical path that satisfies the following condition:
the destination forwarding instance is the destination end point of the logical path, and the output interface through which the virtual packet is forwarded from the destination forwarding instance is the destination interface.
30. The apparatus of claim 28, wherein the logically unreachable path of the virtual packet in the overlay network comprises a logical path that satisfies one or more of the following conditions:
the destination forwarding instance is a destination interface, and the output interface through which the virtual packet is forwarded from the destination forwarding instance is not the destination interface;
the end point of the logical path has no next hop corresponding to the virtual packet in the overlay network, and the end point of the logical path is not the destination forwarding instance;
the logical path includes a loop.
31. The apparatus of any one of claims 23 to 30, further comprising:
and a second verification module, configured to verify the reachability in the underlying network between the two tunnel end points of each tunnel on a target logical path, wherein the target logical path is a logical path of the virtual packet in the overlay network that includes a tunnel.
32. The apparatus of claim 31, wherein the second verification module is configured to:
and when the target logical path is a logically reachable path of the virtual packet in the overlay network, verifying the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path.
33. The apparatus of claim 31 or 32, wherein the second verification module is configured to:
and verifying the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path according to the physical topologies of the plurality of network devices in the target network and the public network routing information of the plurality of network devices.
34. The apparatus of claim 33, further comprising:
a third obtaining module, configured to obtain a second network graph model corresponding to the underlying network, where the second network graph model reflects a physical topology of multiple network devices in the target network;
and the second verification module is configured to verify the reachability in the underlying network between the two tunnel end points of each tunnel on the target logical path according to the second network graph model and the public network routing information of the plurality of network devices.
35. The apparatus of claim 31 or 32, wherein the second verification module is configured to:
verifying reachability in the underlying network between two tunnel endpoints of each tunnel on the target logical path based on a set of tunnels including one or more pairs of tunnel endpoints reachable in the underlying network.
36. The apparatus of claim 35, further comprising:
a fourth obtaining module, configured to obtain identifiers of multiple tunnel endpoints in the target network based on configuration information of multiple network devices in the target network;
a third verification module, configured to verify the reachability in the underlying network between the tunnel end points pairwise according to the physical topologies of the network devices in the target network and the public network routing information of the network devices;
a first generating module, configured to generate the tunnel set according to a verification result of reachability between every two tunnel endpoints in the underlying network among the plurality of tunnel endpoints.
37. The apparatus of claim 36, further comprising:
a third obtaining module, configured to obtain a second network graph model corresponding to the underlying network, where the second network graph model reflects a physical topology of multiple network devices in the target network;
and the third verification module is configured to verify the reachability in the underlying network between the tunnel end points pairwise according to the second network graph model and the public network routing information of the network devices.
38. The apparatus of claim 34 or 37, wherein the third obtaining module is configured to:
and generating the second network graph model according to the networking topology of the target network.
39. The apparatus of any one of claims 23 to 38, further comprising:
an output module, configured to output a reachability verification result of the virtual packet in the target network, wherein the reachability verification result comprises a reachable path set and/or an unreachable path set;
wherein the reachable path set comprises one or more pairs of reachable paths, each pair of reachable paths comprising a logical reachable path of the virtual packet in the overlay network and a corresponding physical reachable path of the logical reachable path in the underlay network; the set of unreachable paths includes a logically unreachable path of the virtual packet in the overlay network and/or a physically unreachable path of the virtual packet in the underlay network.
40. The apparatus of claim 39, wherein when the reachability verification result comprises the set of unreachable paths, the reachability verification result further comprises the root cause of unreachability of each unreachable path in the set of unreachable paths.
41. The apparatus of any one of claims 23 to 40, further comprising:
a fifth obtaining module, configured to obtain verification rule information, wherein the verification rule information comprises a source address to be verified and a destination address to be verified;
and a second generating module, configured to generate the virtual packet according to the verification rule information, wherein the source address of the virtual packet is determined based on the source address to be verified, and the destination address of the virtual packet is determined based on the destination address to be verified.
42. The apparatus of claim 41, wherein the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address.
43. The apparatus of claim 41 or 42, wherein the verification rule information further comprises one or more of a source port number, a destination port number, a transport layer protocol type, a mandatory network device in the target network, a source interface identifier, or a destination interface identifier.
44. The apparatus of any of claims 23 to 43, wherein the routing information of the forwarding instance comprises one or more of a media access control table, a forwarding table, or an address resolution protocol table.
45. A network reachability verification apparatus, comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor, configured to invoke the computer program, to implement the network reachability verification method according to any one of claims 1 to 22.
46. A computer storage medium having stored thereon instructions which, when executed by a processor of a computer device, carry out a network reachability verification method of any one of claims 1 to 22.

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP21866059.5A EP4203407A4 (en) 2020-09-11 2021-09-10 Network reachability verification method and apparatus, and computer storage medium
PCT/CN2021/117568 WO2022053007A1 (en) 2020-09-11 2021-09-10 Network reachability verification method and apparatus, and computer storage medium
US18/181,818 US20230216763A1 (en) 2020-09-11 2023-03-10 Network reachability verification method and apparatus, and computer storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010954718X 2020-09-11
CN202010954718 2020-09-11

Publications (1)

Publication Number Publication Date
CN114257516A true CN114257516A (en) 2022-03-29

Family

ID=80788149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010987222.2A Pending CN114257516A (en) 2020-09-11 2020-09-18 Network accessibility verification method and device and computer storage medium

Country Status (1)

Country Link
CN (1) CN114257516A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination