CN116137602A - Network reachability verification method, device and system - Google Patents


Publication number
CN116137602A
Authority
CN
China
Prior art keywords
network
forwarding
address
interface
destination
Legal status
Pending
Application number
CN202111363934.8A
Other languages
Chinese (zh)
Inventor
刘中喆
蔡宏坚
周季钢
王俊
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0866 Checking the configuration

Abstract

The application discloses a network reachability verification method, device and system, and belongs to the technical field of networks. The verification device determines a plurality of forwarding subnets corresponding to the network according to forwarding table items on network devices in the network. The forwarding sub-networks are in one-to-one correspondence with the address sets. Each forwarding sub-network includes only network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. When the reachability of the message in the network needs to be verified, the verification device can adopt the forwarding sub-network corresponding to the address set where the destination address of the message is located for verification. Because a forwarding subnetwork only includes network devices that have outgoing interfaces that match destination addresses in the address set corresponding to the forwarding subnetwork, the forwarding subnetwork is typically smaller in size than the entire network. The reachability verification is performed on the message in the forwarding sub-network, so that the verification complexity is lower compared with the reachability verification performed on the message in the whole network, and the verification efficiency can be further improved.

Description

Network reachability verification method, device and system
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, and a system for verifying network reachability.
Background
With the expansion of the internet scale and the increase of the number of network protocols, the forwarding behavior of the messages in the network is more and more complex, and various network problems are easy to occur. In order to ensure reliable and efficient operation of the network, network operators need to master various network technologies to manually troubleshoot and locate problems and errors in network operation. The network verification technique can help network operators systematically analyze the network and quickly verify a series of routing attributes in the network. The network reachability verification is an important verification technology for performing fault prevention, fault positioning and fault root cause analysis on the network.
At present, the message forwarding processing logic of the network devices in a network is generally modeled to obtain a network model. When network reachability verification is performed, it is performed on the whole network based on the network model, according to a source interface, a destination interface, a source Internet Protocol (IP) address and a destination IP address to be verified. The specific process is as follows: the network model is used to verify whether the message header space formed by the source IP address and the destination IP address can be output from the destination interface after being input from the source interface; the message header space that can be output from the destination interface is the reachable message header space.
However, reachability verification can currently only be performed on the whole network, so the verification efficiency is low.
Disclosure of Invention
The application provides a network reachability verification method, device and system, which can solve the problem of low verification efficiency when network reachability verification is performed at present.
In a first aspect, a network reachability verification method is provided, applied to verification equipment. The verification device obtains a forwarding table item on network equipment in the network, and determines a plurality of forwarding subnets corresponding to the network according to the forwarding table item. The forwarding sub-networks are in one-to-one correspondence with the address sets. Each address set of the plurality of address sets includes one or more destination addresses. Each forwarding sub-network includes only network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. Each forwarding sub-network is used for verifying the reachability of the message of the destination address in the address set corresponding to the forwarding sub-network in the network.
The present application divides a network into a plurality of forwarding sub-networks, each for verifying the reachability of a message addressed to a set of destination addresses in the network, respectively. When the reachability of the message in the network needs to be verified, the verification device can adopt the forwarding sub-network corresponding to the address set where the destination address of the message is located for verification. Because a forwarding subnetwork only includes network devices in the network that have outgoing interfaces that match at least one destination address in the address set corresponding to the forwarding subnetwork, the forwarding subnetwork is typically smaller in size than the entire network. The reachability verification is performed on the message in the forwarding sub-network, so that the verification complexity is lower compared with the reachability verification performed on the message in the whole network, and the verification efficiency can be further improved.
Optionally, there is no intersection between address sets corresponding to any two forwarding subnetworks in the plurality of forwarding subnetworks.
In the present application, different forwarding sub-networks are used to verify the reachability of messages addressed to different destination addresses in the network. That is, for a message addressed to a destination address, reachability verification only needs to be performed within one forwarding sub-network.
Optionally, the forwarding behaviors of the plurality of destination addresses in the same address set in the network are the same. The forwarding actions corresponding to the plurality of destination addresses in the network are the same, and may include: the outgoing interfaces that each of the plurality of destination addresses matches on the same network device are the same or there is no matching outgoing interface.
In the application, because the forwarding behaviors of the multiple destination addresses in the same address set in the network are the same, when the reachability of the messages sent to the multiple destination addresses in the same address set in the network needs to be verified, for the multiple messages with the same starting point and destination interface in the network, only one message needs to be verified based on the corresponding forwarding sub-network, and the reachability of the other messages in the network is consistent with the reachability of the message in the network. This further improves the verification efficiency.
Optionally, the verification device determines the plurality of address sets from forwarding entries on network devices in the network. For each address set in the address sets, the verification device generates a forwarding graph model corresponding to the address set according to the matching relation between the destination address in the address set and the outgoing interface on the network device in the network, the topology of the network and the configuration information of the network device in the network. The forwarding graph model reflects an interface connection relationship of an outgoing interface matched with a destination address in the address set on network equipment in a forwarding sub-network corresponding to the address set. The interface connection relationship includes an indication of a direction of forwarding the message.
In the implementation mode, the reachability of the message in the network can be verified only by a forwarding graph model corresponding to the address set to which the destination address of the message belongs, and a forwarding table item on the network equipment is not required to be used in the verification process, so that the verification process is simple and the verification efficiency is high.
Optionally, for each network device in the network, the verification device determines, according to the forwarding table entry on the network device, a destination address group that each outgoing interface on the network device matches respectively. The verification device determines a plurality of address sets according to destination address groups respectively matched with all outgoing interfaces on all network devices in the network.
In a first possible scenario, the verification device comprises a master device and a slave device in a distributed deployment, and both of the foregoing operations are implemented by the master device. The master device may also distribute forwarding graph models corresponding to the multiple address sets to one or more slave devices, so that the slave devices use the received forwarding graph models to verify the reachability of the messages sent to the destination addresses in the address sets corresponding to the forwarding graph models in the network.
Optionally, the master device may also obtain a verification requirement, where the verification requirement includes information of a destination address to be verified, information of a starting point, and information of a destination interface. The master device determines a target slave device from one or more slave devices according to the destination address to be verified. The target slave device stores a target forwarding graph model. The address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified. The master device sends a sub-verification requirement to the target slave device. The sub-verification requirement comprises the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, the information of the starting point and the information of the destination interface.
In a second possible case, the verification device may also obtain a verification requirement comprising information of the destination address to be verified, information of the starting point and information of the destination interface. The verification device generates a virtual message according to the verification requirement. The destination address of the virtual message is determined based on the destination address to be verified. The verification device adopts a target forwarding sub-network in the forwarding sub-networks to verify the reachability of the virtual message from the starting point to the destination interface. The address set corresponding to the target forwarding sub-network includes the destination address of the virtual message.
Optionally, in the case that the verification device generates a forwarding graph model corresponding to each address set, the verification device may use the forwarding graph model corresponding to the target forwarding sub-network to verify the reachability of the virtual packet from the start point to the destination interface.
Optionally, the destination address to be verified is a network segment address. Alternatively, the destination address to be verified may be the host address.
Optionally, the information of the origin comprises one or more of an identification of the source device, a source address to be verified, an identification of the source network device or an identification of the source interface. The information of the destination interface includes an identification of the destination end device and/or an identification of the destination interface.
Optionally, in the second possible case, an implementation manner of verifying, by the verification device, reachability of the virtual packet from the start point to the destination interface by using the destination forwarding subnetwork in the multiple forwarding subnetworks includes: the verification device determines reachable paths and/or unreachable paths of the virtual message in the target forwarding sub-network.
Optionally, the reachable paths of the virtual message in the target forwarding sub-network include paths satisfying the following conditions: the output interface of the virtual message forwarded from the target forwarding sub-network is the target interface.
Optionally, the unreachable paths of the virtual message in the target forwarding sub-network include paths satisfying at least one of the following conditions: the outgoing interface of the virtual message forwarded from the target forwarding sub-network is not a target interface, and the path comprises a loop.
Optionally, the verification device may further output a reachability verification result of the virtual message in the network. The reachability validation results include a set of reachable paths and/or a set of unreachable paths.
Optionally, when the reachability verification result includes a set of unreachable paths, the reachability verification result further includes an unreachable root cause of the unreachable paths in the set of unreachable paths. Alternatively, the unreachable root causes include routing loops, leaving the network from the wrong interface, routing black holes, etc.
In a second aspect, a network reachability verification apparatus is provided. The apparatus comprises a plurality of functional modules that interact to implement the method of the first aspect and embodiments thereof described above. The plurality of functional modules may be implemented based on software, hardware, or a combination of software and hardware, and the plurality of functional modules may be arbitrarily combined or divided based on the specific implementation.
In a third aspect, a network reachability verification system is provided. The system includes a master device.
The main device is used for acquiring forwarding table items on network devices in the network and determining a plurality of forwarding subnets corresponding to the network according to the forwarding table items on the network devices in the network. The forwarding subnets are in one-to-one correspondence with a plurality of address sets, each address set in the plurality of address sets including one or more destination addresses. Each forwarding sub-network includes only network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. Each forwarding sub-network is used for verifying the reachability of the message sent to the destination address in the address set corresponding to the forwarding sub-network in the network.
Optionally, the system further comprises one or more slave devices. The master device is further configured to distribute forwarding graph models corresponding to the multiple address sets to one or more slave devices, so that the slave devices use the received forwarding graph models to verify reachability of a message sent to a destination address in the address set corresponding to the forwarding graph models in the network.
Optionally, the master device is further configured to obtain a verification requirement, where the verification requirement includes information of a destination address to be verified, information of a starting point, and information of a destination interface. The master device is further configured to determine a target slave device from the one or more slave devices according to the destination address to be verified, and send a sub-verification requirement to the target slave device. The target slave device stores a target forwarding graph model. The address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified. The sub-verification requirement comprises the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, the information of the starting point and the information of the destination interface. The target slave device is used for generating a virtual message according to the sub-verification requirement, and verifying the reachability of the virtual message from the starting point to the destination interface by adopting the target forwarding graph model. The destination address of the virtual message is determined based on the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model.
In a fourth aspect, a network reachability verification apparatus is provided. The apparatus includes a processor and a memory.
The memory is used for storing a computer program. The computer program includes program instructions.
The processor is configured to invoke the computer program to implement the method of the first aspect and embodiments thereof or the method of the second aspect and embodiments thereof.
In a fifth aspect, a computer-readable storage medium is provided. The computer readable storage medium has instructions stored thereon which, when executed by a processor, implement the method of the first aspect and embodiments thereof described above.
In a sixth aspect, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method of the first aspect and embodiments thereof.
In a seventh aspect, a chip is provided. The chip includes programmable logic circuitry and/or program instructions. The methods of the first aspect and embodiments thereof described above are implemented when the chip is running.
Drawings
Fig. 1 is a schematic view of an application scenario according to an embodiment of the present application;
Fig. 2 is a flow chart of a network reachability verification method provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of a network topology according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a forwarding graph model provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of another forwarding graph model provided by embodiments of the present application;
Fig. 6 is a flowchart of another network reachability verification method provided in an embodiment of the present application;
Fig. 7 is a schematic diagram of a network reachability verification system provided in an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a network reachability verification device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another network reachability verification device provided in the embodiment of the present application;
Fig. 10 is a schematic structural diagram of another network reachability verification device according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of another network reachability verification device provided in the embodiment of the present application;
Fig. 12 is a block diagram of a network reachability verification apparatus provided in an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
At present, when network reachability verification is performed, the whole network is modeled and verified as a whole, and verification efficiency is low. In particular, in a large-scale network, the greater the number of devices in the network, the lower the verification efficiency of this verification method.
In view of this, the present application provides a scheme for dividing a network into a plurality of forwarding sub-networks according to forwarding entries on network devices in the network, and performing reachability verification according to the forwarding sub-networks. The forwarding sub-networks are in one-to-one correspondence with the address sets, that is, each forwarding sub-network corresponds to one address set. Different forwarding sub-networks may contain the same network device, i.e. different forwarding sub-networks corresponding to the same network may intersect. Each of the plurality of address sets includes one or more IP addresses. An IP address in an address set is the destination address of a message that can be forwarded by the network devices in the corresponding forwarding sub-network; the IP addresses in the address set are referred to herein as destination addresses. Each forwarding sub-network includes only network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. A network device having an outgoing interface that matches a destination address means that a forwarding table entry corresponding to the destination address exists on the network device, that is, the network device can forward messages addressed to that destination address. The forwarding sub-network only comprises network devices in the network having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network, that is, each network device in the forwarding sub-network can forward a message addressed to at least one destination address in the address set corresponding to the forwarding sub-network.
In this application, the forwarding sub-network may include all network devices in the network that have an outgoing interface matching at least one destination address in the address set corresponding to the forwarding sub-network, that is, all network devices in the network that have a forwarding table entry corresponding to a certain destination address are in the forwarding sub-network corresponding to the address set where the destination address is located. Each forwarding sub-network is used for verifying the reachability of the message sent to the destination address in the address set corresponding to the forwarding sub-network in the network.
The method is applicable to Layer 3 routing and forwarding scenarios, that is, message forwarding based on IP addresses. The network is divided into a plurality of forwarding sub-networks, and each forwarding sub-network is used to verify the reachability in the network of messages addressed to one set of destination addresses. When the reachability of a message in the network needs to be verified, the verification device can use the forwarding sub-network corresponding to the address set that contains the destination address of the message. Because a forwarding sub-network only includes network devices in the network that have outgoing interfaces that match at least one destination address in the address set corresponding to the forwarding sub-network, the forwarding sub-network is typically smaller in size than the entire network. Performing reachability verification on the message in the forwarding sub-network therefore has lower complexity than performing it in the whole network, which improves the verification efficiency. In addition, because each forwarding sub-network can be used independently to verify the reachability of the messages sent to its corresponding destination addresses, when the reachability of messages in the network needs to be verified, synchronous verification can be performed on the basis of the forwarding sub-networks on one verification device, or distributed parallel verification can be performed on the basis of the forwarding sub-networks on multiple verification devices, so that the verification efficiency can be further improved.
In one implementation, there is no intersection between address sets corresponding to any two forwarding subnetworks in the plurality of forwarding subnetworks corresponding to the same network. That is, the destination addresses in the address sets corresponding to different forwarding subnets are different.
In this implementation, different forwarding sub-networks are used to verify the reachability of messages addressed to different destination addresses in the network. That is, for a message addressed to a destination address, reachability verification only needs to be performed within one forwarding sub-network.
In one implementation, the forwarding behavior of multiple destination addresses in the same address set in the network is the same. The forwarding behaviors of the plurality of destination addresses in the network are the same, and the forwarding behaviors comprise: the outgoing interfaces of each destination address of the plurality of destination addresses that match on the same network device are the same or there is no matching outgoing interface. In other words, messages addressed to any destination address in the same set of addresses are either forwarded by a network device in the network from the same egress interface or discarded by the network device because there is no corresponding forwarding entry. For example, two messages addressed to different destination addresses in the same address set, if the start point and destination interface of the two messages in the network are the same, then the transmission paths of the two messages in the network are the same. The origin of the message in the network may be the source interface or may be the source network device.
In this implementation manner, since the forwarding behaviors of the multiple destination addresses in the same address set in the network are the same, when the reachability of the messages sent to the multiple destination addresses in the same address set in the network needs to be verified, for the multiple messages with the same starting point and destination interface in the network, only one message needs to be verified based on the corresponding forwarding sub-network, and the reachability of the other messages in the network is consistent with the reachability of the message in the network.
In the embodiment of the application, an address set that simultaneously satisfies the conditions in the two implementations above is called a packet equivalence class (PEC), also referred to here as a message equivalence class. The implementation process of determining a plurality of forwarding sub-networks corresponding to the network may include: first, dividing the full set of IP addresses into a plurality of message equivalence classes according to the forwarding table entries on the network devices in the network, and then placing all network devices that can forward messages addressed to IP addresses in the same message equivalence class into one forwarding sub-network. The plurality of message equivalence classes satisfy: each message equivalence class comprises a non-empty set of IP addresses, the forwarding behaviors in the network of the IP addresses in the same message equivalence class are the same, and the intersection between any two message equivalence classes is empty. Optionally, the union of all message equivalence classes is the full set of IP addresses. For example, in a message forwarding scenario based on Internet Protocol version 4 (IPv4) addresses, the full set of 2^32 IP addresses may be divided into a number of message equivalence classes. As another example, in a message forwarding scenario based on Internet Protocol version 6 (IPv6) addresses, the full set of 2^128 IP addresses may be divided into a number of message equivalence classes.
Optionally, there are multiple ways to partition the equivalence classes of the message. One way includes: for each network device in the network, determining a destination address group respectively matched with each outgoing interface on the network device according to the forwarding table item on the network device. And determining a plurality of PECs according to destination address groups respectively matched with all the outlet interfaces of all the network devices in the network.
For a network, dividing the full set of IP addresses into the smallest number of message equivalence classes yields the smallest number of forwarding sub-networks corresponding to the network. The embodiment of the application provides the following two implementations, either of which can divide the full set of IP addresses into the smallest number of message equivalence classes.
In the embodiment of the present application, for convenience of explanation, the destination address in each forwarding table entry is converted into its corresponding integer set. Taking IPv4 addresses as an example, the full set of IP addresses is 0.0.0.0-255.255.255.255, and the corresponding integer set is [0, 2^32 - 1]. The destination address in a forwarding table entry is typically expressed as a network segment address plus a mask length, so it typically converts into a continuous integer interval. For example, the set of integers corresponding to destination address 0.0.1.0/24 (including the 256 specific IP addresses 0.0.1.0-0.0.1.255) is [256, 511]. For another example, the set of integers corresponding to destination address 0.0.1.1/32 is {257}.
The first implementation:
The first step: for each network device, determine the destination address group matched by each outgoing interface on the network device according to the forwarding table entries on the network device and the longest matching principle. Longest matching means that, when multiple entries match the same network segment, the route with the longest mask is selected. That is, under the longest matching principle, the longer the mask length, the higher the matching priority of the corresponding route.
For example, the network device R1 has the outgoing interfaces ge1 and ge2, and the matching relationship between the outgoing interfaces ge1 and ge2 and the destination address groups is expressed as: {ge1 -> [5,10], ge2 -> [1,3]}, i.e. a message whose destination address corresponds to an integer in [5,10] can be forwarded by the outgoing interface ge1 of the network device R1, and a message whose destination address corresponds to an integer in [1,3] can be forwarded by the outgoing interface ge2 of the network device R1. The network device R2 has the outgoing interfaces ge3 and ge4, and the matching relationship between the outgoing interfaces ge3 and ge4 and the destination address groups is expressed as: {ge3 -> [7,12], ge4 -> [1,3]}, i.e. a message whose destination address corresponds to an integer in [7,12] can be forwarded by the outgoing interface ge3 of the network device R2, and a message whose destination address corresponds to an integer in [1,3] can be forwarded by the outgoing interface ge4 of the network device R2.
The second step: determine a plurality of PECs according to the destination address groups matched by all the outgoing interfaces of all the network devices in the network.
Optionally, the specific implementation flow of the second step is as follows. Let H be the set of the destination address groups h matched by all outgoing interfaces on all network devices in the network, each destination address group h being an element of H. Initialize an address set P as a set comprising the full set of IP addresses. Each time a new set P is generated in the subsequent algorithm flow, the elements of P may themselves be sets, for example destination address groups. The algorithm flow is, for each destination address group h in H, in sequence:
1. Compute the complement of h relative to the full set (the full set of IP addresses) [Figure BDA0003360226150000061].
2. Let P_new be an empty set. Intersect h and the complement of h [Figure BDA0003360226150000062] respectively with the elements of P; denote the result of intersecting h with an element of P as t, and the result of intersecting the complement of h [Figure BDA0003360226150000063] with that element of P as t′. If t is not empty, add t to P_new; if t′ is not empty, add t′ to P_new.
3. Assign P_new to P, i.e. P := P_new.
Thus, after traversing all destination address groups h in H, the resulting P is the PEC set into which the full set of IP addresses is divided, the PEC set comprising a plurality of PECs.
For example, referring to the example in the first step, H = {h1 = [5,10], h2 = [7,12], h3 = [1,3]}. Assume the full set is [0,30].
For h1 = [5,10]:
1. [Figure BDA0003360226150000064]
2. t1 = h1 ∩ P = [5,10], [Figure BDA0003360226150000065]; at this time, P_new = {t1, t1′}.
3. P := {t1, t1′}.
For h2 = [7,12]:
1. [Figure BDA0003360226150000066]
2. t2 = h2 ∩ P = {[7,10], [11,12]}, [Figure BDA0003360226150000067]; at this time, P_new = {t2, t2′}.
3. P := {t2, t2′}.
For h3 = [1,3]:
1. [Figure BDA0003360226150000068]
2. t3 = h3 ∩ P = [1,3], [Figure BDA0003360226150000069]; at this time, P_new = {t3, t3′}.
3. P := {t3, t3′}.
Finally, P = {[1,3], [7,10], [11,12], [5,6], {0}∪{4}∪[13,30]}, i.e. the full set [0,30] is divided into 5 PECs: PEC1 = [1,3], PEC2 = [7,10], PEC3 = [11,12], PEC4 = [5,6], PEC5 = {0}∪{4}∪[13,30].
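The refinement loop of the first implementation, run on the [0,30] example above, as an added example (not code from the patent). The interval-tuple representation of an address set and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import Iterable

Interval = tuple[int, int]        # closed integer interval [lo, hi]
AddrSet = tuple[Interval, ...]    # sorted, disjoint, non-adjacent intervals


def prefix_interval(prefix: str) -> Interval:
    """Convert 'segment address/mask length' to its integer interval."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address)


def normalize(intervals: Iterable[Interval]) -> AddrSet:
    """Sort intervals and merge those that overlap or touch."""
    merged: list[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return tuple(merged)


def intersect(a: AddrSet, b: AddrSet) -> AddrSet:
    """Set intersection of two address sets."""
    out = []
    for alo, ahi in a:
        for blo, bhi in b:
            lo, hi = max(alo, blo), min(ahi, bhi)
            if lo <= hi:
                out.append((lo, hi))
    return normalize(out)


def complement(h: AddrSet, full: Interval) -> AddrSet:
    """Complement of h relative to the full set (step 1 of the flow)."""
    out, cursor = [], full[0]
    for lo, hi in h:
        if lo > cursor:
            out.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= full[1]:
        out.append((cursor, full[1]))
    return tuple(out)


def partition_pecs(groups: Iterable[AddrSet], full: Interval) -> list[AddrSet]:
    """Refine P = {full set} with every destination address group h in H."""
    p: list[AddrSet] = [(full,)]
    for h in groups:
        h = intersect(normalize(h), (full,))   # clip h to the full set
        h_bar = complement(h, full)
        p_new = []
        for element in p:                      # step 2: split each element of P
            t = intersect(h, element)
            t_prime = intersect(h_bar, element)
            if t:
                p_new.append(t)
            if t_prime:
                p_new.append(t_prime)
        p = p_new                              # step 3: P := P_new
    return p


if __name__ == "__main__":
    # H from the first step: h1 = [5,10], h2 = [7,12], h3 = [1,3]; full set [0,30]
    H = [((5, 10),), ((7, 12),), ((1, 3),)]
    for pec in partition_pecs(H, (0, 30)):
        print(pec)
```

Each group h at most doubles the number of elements in P, but empty intersections are dropped, so P only grows where forwarding behavior actually differs.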
The second implementation:
The first step: for each destination address in the full set of IP addresses, determine the outgoing interfaces that the destination address matches on all network devices in the network, according to the forwarding table entries on each network device and the longest matching principle.
For example, for each destination address in the full set of IP addresses, longest matching is performed on each network device to obtain the corresponding outgoing interface; if there is no matching forwarding table entry, there is no corresponding outgoing interface. A global mapping is thereby obtained: <dstIP, {outputIf}>, where dstIP is the destination address and {outputIf} is the set of outgoing interfaces corresponding to the destination address.
The second step: destination addresses whose matched outgoing interfaces on all network devices in the network are the same are divided into the same PEC.
The {outputIf} in the global mapping obtained in the first step is used as the key and dstIP as the value, and all values with the same key form one PEC, so that a plurality of PECs can be obtained.
The above two implementations of dividing the full set of IP addresses into the smallest number of packet equivalence classes are exemplary illustrations only and do not limit the solution of the present application. In both implementations, the set of outgoing interfaces matched in the network by each PEC may further be obtained, where the set of outgoing interfaces includes outgoing interfaces on one or more network devices.
The following describes the present technical solution in detail from a plurality of aspects such as a method flow, a system, a software device, a hardware device, etc.
For example, fig. 1 is a schematic diagram of an application scenario involved in a network reachability verification method provided in an embodiment of the present application. As shown in fig. 1, the application scenario includes: verification device 101 and network devices 102A-102C (collectively network devices 102) in a communication network. The number of network devices in fig. 1 is for illustrative purposes only and is not intended as a limitation on the communication networks to which embodiments of the present application relate.
The verification device 101 is a device independent of the network device 102, and may be, for example, a server, a server cluster including several servers, or a cloud computing service center. The server may be a physical device, or may be a virtual machine (VM). The network device 102 may be a physical communication device such as a switch or a router, or may be a virtual communication device such as a virtual switch or a virtual router.
Optionally, referring to fig. 1, the application scenario further includes a control device 103. The control device 103 is used for managing and controlling the network device 102 in the communication network. The control device 103 may be a network controller, a network management device, a gateway or other device with control capabilities. The control device 103 may be one or more devices. The verification device 101 and the control device 103 are connected by a wired network or a wireless network. The control device 103 is connected to the network device 102 via a wired network or a wireless network.
Optionally, the topology of the communication network managed by the control device 103 is stored in the control device 103. The control device 103 is also used for collecting device information of the network device 102 in the communication network, including configuration information, routing information, tunnel state information, etc. The configuration information of the network device comprises interface configuration information, protocol configuration information and/or service configuration information etc., e.g. security control policies, embodied as an access control list (ACL). The routing information of the network device includes Address Resolution Protocol (ARP) tables, forwarding tables, and the like. The tunnel state information of the network device includes an identification of the tunnel endpoint and a state of the tunnel. The control device 103 may periodically collect device information of the network device 102, or, when the device information of the network device 102 changes, the network device 102 actively transmits the changed device information to the control device 103. The verification device 101 may acquire the topology of the communication network and the device information of the network device 102 through the control device 103, and perform network reachability verification according to the topology of the communication network and the device information of the network device 102. The verification device 101 and the control device 103 may be separate devices, or the verification device 101 and the control device 103 may be integrated together, which is not limited in the embodiments of the present application.
The communication network provided in the embodiments of the present application may be a data center network (data center network, DCN), a metropolitan area network, a wide area network, or a campus network, etc., and the types of the communication networks are not limited in the embodiments of the present application.
The communication network provided in the embodiment of the application may adopt a two-layer network architecture or a three-layer network architecture. Under a two-layer network architecture, the communication network includes a convergence layer, which may also be referred to as a two-layer network, that is a high-speed switching backbone of the communication network, and an access layer for accessing the workstation to the communication network. The communication network adopting the two-layer network architecture may be, for example, a fat tree (fat-tree-spine) network. Under a three-layer network architecture, the communication network includes a core layer, which may also be referred to as a three-layer network, a convergence layer, which is a high-speed switching backbone of the communication network, for providing a convergence connection (connecting the access layer and the core layer), and an access layer, which is used for accessing the workstation to the communication network. The workstation may include a terminal, a server, a VM, or the like.
In the embodiments of the present application, the verification device can acquire the topology of the communication network and the device information of the network devices, and perform modeling and verification according to the topology of the communication network and the device information of the network devices. Alternatively, the verification device may be implemented in a distributed manner using a plurality of devices, divided into a master device (master) and slave devices (slave): the master device acquires the topology of the communication network and the device information of the network devices, performs modeling according to the topology of the communication network and the device information of the network devices, and then distributes the model to the slave devices; each slave device stores the model sent by the master device and performs verification based on the model. The present application describes the implementation procedures of these two cases by the following two embodiments, respectively.
In a first embodiment of the present application, the verification device obtains a topology of the communication network and device information of the network device, and performs modeling and verification according to the topology of the communication network and the device information of the network device. Fig. 2 is a flow chart of a network reachability verification method provided in an embodiment of the present application. As shown in fig. 2, the method includes:
Step 201, the verification device acquires the forwarding table entries of the network devices in the network.
Optionally, in the application scenario shown in fig. 1, the verification device 101 may receive the forwarding table entries of the respective network devices in the network sent by the control device 103.
For example, fig. 3 is a schematic diagram of a network topology according to an embodiment of the present application. As shown in fig. 3, the network 30 includes a network device A, a network device B, and a network device C. Network device A has interfaces GE1/0/1, GE1/0/2, and GE1/0/3. Network device B has interfaces GE1/0/1, GE1/0/2, and GE1/0/3. Network device C has interfaces GE1/0/1, GE1/0/2, and GE1/0/3. Interface GE1/0/2 of network device A is connected to interface GE1/0/1 of network device B. Interface GE1/0/3 of network device A is connected to interface GE1/0/1 of network device C. Interface GE1/0/3 of network device B is connected to interface GE1/0/2 of network device C. Interface GE1/0/1 of network device A is connected to VM1, interface GE1/0/2 of network device B is connected to VM2, and interface GE1/0/3 of network device C is connected to VM3. Suppose that the forwarding table entries on network device A, network device B, and network device C are as shown in Tables 1, 2, and 3, respectively. A forwarding table entry on an actual network device may also include a next hop, which is not shown in the embodiments of the present application for simplicity of description.
TABLE 1

| Destination address (prefix) | Outgoing interface |
| --- | --- |
| 0.0.1.0/24 | GE1/0/1 |
| 0.0.1.1/32 | GE1/0/2 |
| 0.0.2.0/24 | GE1/0/2 |

TABLE 2

| Destination address (prefix) | Outgoing interface |
| --- | --- |
| 0.0.1.0/24 | GE1/0/1 |
| 0.0.1.1/32 | GE1/0/2 |
| 0.0.2.0/24 | GE1/0/2 |

TABLE 3

| Destination address (prefix) | Outgoing interface |
| --- | --- |
| 0.0.1.0/24 | GE1/0/1 |
| 0.0.1.1/32 | GE1/0/2 |
| 0.0.2.0/24 | GE1/0/2 |

Step 202, the verification device determines a plurality of forwarding subnets corresponding to the network according to forwarding table items on network devices in the network.
The forwarding sub-networks corresponding to the network correspond to the address sets one by one, namely each forwarding sub-network corresponds to one address set respectively. Each of the plurality of address sets includes one or more destination addresses. Each forwarding sub-network includes only network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. Each forwarding sub-network is used for verifying the reachability of the message sent to the destination address in the address set corresponding to the forwarding sub-network in the network. The verification device determines a plurality of forwarding subnets corresponding to the network, and may determine which network devices are specifically in each forwarding subnet. Further, the verification device may also determine which interfaces of the respective network devices in the same forwarding sub-network are used to forward the message addressed to the destination address in the corresponding address set. In this way, the verification device, after determining the forwarding sub-network, can obtain the outgoing interface set in which the destination address in the address set matches in the network.
Optionally, the forwarding behaviors of multiple destination addresses in the same address set in the network are the same, and each forwarding subnet may be represented by a forwarding graph model. The implementation process of step 202 includes steps a through B.
In step a, the verification device determines a plurality of address sets from forwarding entries on network devices in the network.
Optionally, one implementation of step A includes: for each network device in the network, the verification device determines the destination address group matched by each outgoing interface on the network device according to the forwarding table entries on the network device. The verification device then determines a plurality of address sets according to the destination address groups matched by all outgoing interfaces on all network devices in the network. For the specific algorithm of this implementation, refer to the first implementation described above for dividing the full set of IP addresses into the smallest number of packet equivalence classes.
The embodiments of the present application are described by taking the PEC defined above as an example of an address set. For example, assume the full set is [0, 2^32 - 1]. Referring to the example in step 201, 3 PECs can be calculated based on the forwarding table entries on network device A, network device B, and network device C. The destination addresses in PEC1 comprise 0.0.1.0 and 0.0.1.2-0.0.1.255, and the corresponding integer set is {256}∪[258,511]; the destination addresses in PEC2 comprise 0.0.1.1 and 0.0.2.0-0.0.2.255, and the corresponding integer set is {257}∪[512,767]; the destination addresses in PEC3 are the complement of the union of PEC1 and PEC2 relative to the full set, and the corresponding integer set is [0,255]∪[768, 2^32 - 1]. This is one way of dividing the full set of IP addresses into the smallest number of PECs; in practice more PECs may be obtained, e.g. PEC1 can be subdivided into two different PECs, {256} and [258,511]. The number of PECs into which the addresses are divided is not limited by the embodiments of the present application.
In step B, for each address set in the plurality of address sets, the verification device generates a forwarding graph model corresponding to the address set according to a matching relationship between a destination address in the address set and an outbound interface on a network device in the network, a topology of the network, and configuration information of the network device in the network.
The forwarding graph model corresponding to each address set reflects the interface connection relation of the outgoing interface matched with the destination address in the address set on the network equipment in the forwarding sub-network corresponding to the address set. The interface connection relationship includes an indication of a direction of forwarding the message. Each forwarding graph model may be used to verify reachability in the network of a message addressed to a destination address in the set of addresses to which the forwarding graph model corresponds. In the embodiment of the application, the forwarding graph model consists of nodes, interfaces and links. The nodes, interfaces, and links may be real physical devices, physical interfaces, and physical links, or may be virtual forwarding instances, tunnel endpoints, and tunnel connections.
The outgoing interface on the network device having a matching relationship with the destination address refers to an outgoing interface of the network device for forwarding a message addressed to the destination address. For example, referring to the example in step A, the outbound interfaces that the destination address in PEC1 matches in the network include outbound interface GE1/0/1 of network device A, outbound interface GE1/0/1 of network device B, and outbound interface GE1/0/1 of network device C. The outgoing interfaces matched by the destination address in the PEC2 in the network include the outgoing interface GE1/0/2 of the network device a, the outgoing interface GE1/0/2 of the network device B, and the outgoing interface GE1/0/2 of the network device C. The destination address in PEC3 has no matching outgoing interface in the network.
The configuration information for a network device includes interface configuration information such as which interfaces are on the network device, which interfaces are connected on one network device, and so on. The interface connection relationship between network devices can be determined in combination with the network topology and the interface configuration information of the respective network devices.
Optionally, after the verification device generates the forwarding graph models corresponding to the respective address sets, it stores the correspondence between the address sets and the forwarding graph models for use in subsequent message reachability verification.
For example, fig. 4 and fig. 5 are schematic structural diagrams of a forwarding graph model provided in an embodiment of the present application. Fig. 4 is a forwarding graph model corresponding to PEC1 in step a, and fig. 5 is a forwarding graph model corresponding to PEC2 in step a. Because the destination address in PEC3 has no matched egress interface in the network, i.e. no network device in the network is able to forward the message addressed to the destination address in PEC3, the forwarding graph model corresponding to PEC3 is empty. In this implementation, if a set of addresses does not have a corresponding forwarding graph model, the verification device may determine that none of the messages addressed to the destination address in the set of addresses are reachable in the network.
As shown in fig. 4, an interface GE1/0/1 of the network device C is connected to an interface GE1/0/3 of the network device a, where the interface GE1/0/1 of the network device C is an outgoing interface, and the interface GE1/0/3 of the network device a is an incoming interface, and a packet forwarding direction (indicated by an arrow in the figure) between the interface GE1/0/1 of the network device C and the interface GE1/0/3 of the network device a is: interface GE1/0/1 of network device C→interface GE1/0/3 of network device A. The interface GE1/0/1 of the network device B is connected with the interface GE1/0/2 of the network device A, wherein the interface GE1/0/1 of the network device B is an outgoing interface, and the interface GE1/0/2 of the network device A is an incoming interface. The message forwarding direction (indicated by arrow in the figure) between interface GE1/0/1 of network device B and interface GE1/0/2 of network device a is: interface GE1/0/1 of network device B→interface GE1/0/2 of network device A.
As shown in fig. 5, an interface GE1/0/2 of the network device a is connected to an interface GE1/0/1 of the network device B, where the interface GE1/0/2 of the network device a is an outgoing interface, the interface GE1/0/1 of the network device B is an incoming interface, and a message forwarding direction (indicated by an arrow in the figure) between the interface GE1/0/2 of the network device a and the interface GE1/0/1 of the network device B is: interface GE1/0/2 of network device A→interface GE1/0/1 of network device B. The interface GE1/0/3 of the network device B is connected with the interface GE1/0/2 of the network device C, wherein the interface GE1/0/2 of the network device C is an outgoing interface, and the interface GE1/0/3 of the network device B is an incoming interface. The message forwarding direction (indicated by arrow in the figure) between interface GE1/0/2 of network device C and interface GE1/0/3 of network device B is: interface GE1/0/2 of network device C→interface GE1/0/3 of network device B.
Step 203, the verification device obtains a verification requirement, where the verification requirement includes information of a destination address to be verified, a starting point, and destination interface information.
Optionally, the verification device obtains a verification requirement, the verification requirement comprising a destination address to be verified. The verification requirement may be entered into the verification device by a user. Optionally, the destination address to be verified is a network segment address or a host address.
Optionally, the information of the starting point comprises one or more of an identification of the source device, a source address to be verified, an identification of the source network device, or an identification of the source interface. The information of the destination interface comprises an identification of the destination device and/or an identification of the destination interface. The identification of the source device is used to indicate the originating device, which may be, for example, a terminal, a server, or a VM. The source address to be verified is the IP address of the originating device. The identification of the source network device is used to indicate the first network device through which the message passes in the network. The identification of the source interface is used to indicate the ingress interface of the network. The identification of the destination device is used to indicate the destination device, which may be, for example, a terminal, a server, or a VM. The identification of the destination interface is used to indicate the outgoing interface of the network. If the verification requirement includes an identification of the source network device or an identification of the source interface, the verification device may directly obtain the starting point in the network from the verification requirement. Alternatively, if the verification requirement includes an identification of the source device or a source address to be verified, the verification device may infer the starting point in the network by combining the verification requirement with the ARP tables in the network devices. If the verification requirement includes an identification of the destination interface, the verification device may directly obtain the destination interface in the network from the verification requirement.
Alternatively, if the verification requirement includes an identification of the destination device, the verification device may infer the destination interface in the network by combining the verification requirement with the ARP tables in the network devices.
For example, in the network shown in fig. 3, the destination address to be verified is 0.0.1.0/24 based on the verification requirement, the source interface in the network is interface GE1/0/3 of network device C, and the destination interface in the network is interface GE1/0/1 of network device a. The verification requirement may be used to verify the reachability of the source device VM3 to the destination device VM 1.
Step 204, the verification device generates a virtual message according to the verification requirement, and the destination address of the virtual message is determined based on the destination address to be verified.
The virtual message in the embodiments of the present application is not a real message; it is used to simulate the transmission of a real message in the network. The destination address field of a virtual message describes a header space (HS), which may represent one message or a group of messages. The destination address in the virtual message may be a specific IP address, may be a network segment address (i.e., an IP prefix), or may include a plurality of specific IP addresses. For example, the destination address of the virtual message is 10.0.0.1, which is a specific IP address. As another example, the destination address of the virtual message is 0.0.2.0/24, which is a network segment address. As another example, the destination address of the virtual message is {20.0.0.1, 20.0.0.3, 20.0.0.4}, which includes 3 specific IP addresses.
The verification device may generate one or more virtual messages according to the verification requirements. For example, the destination addresses to be verified in the verification requirement belong to the same PEC, and the verification device may generate a virtual message according to the verification requirement, where the destination address of the virtual message is the destination address to be verified. Or, the destination address to be verified in the verification requirement is a network segment address or includes a plurality of host addresses, the destination address to be verified intersects with a plurality of PECs, and then the verification device can generate a plurality of virtual messages according to the verification requirement, wherein the destination address of each virtual message belongs to one PEC.
For example, referring to the example in step 202, the destination address to be verified is 0.0.1.0/24 and the corresponding integer set is [256,511]. Since {256}∪[258,511] belongs to PEC1 and {257} belongs to PEC2, the verification device can generate two virtual messages. The destination address of virtual message 1 includes 0.0.1.0 and 0.0.1.2-0.0.1.255, and virtual message 1 is used for verifying the reachability of the IP addresses 0.0.1.0 and 0.0.1.2-0.0.1.255. The destination address of virtual message 2 is 0.0.1.1, and virtual message 2 is used for verifying the reachability of the IP address 0.0.1.1.
Because the forwarding behaviors corresponding to multiple destination addresses in the same PEC are the same in the network, verification of multiple destination addresses belonging to the same PEC can be completed in one pass with a single virtual message, without using multiple virtual messages, so that verification efficiency can be improved. The embodiments of the present application do not exclude the case in which the destination address to be verified contains m valid host addresses and the verification device correspondingly generates m virtual messages, each virtual message being used for verifying one valid host address in the destination address to be verified, where m is a positive integer.
Step 205, the verification device verifies the reachability of the virtual message from the starting point to the destination interface by adopting the target forwarding sub-network in the forwarding sub-networks.
The address set corresponding to the target forwarding sub-network includes the destination address of the virtual message. For example, referring to the example in step 204, the forwarding subnetwork used to validate virtual message 1 may be the forwarding subnetwork corresponding to PEC1 that includes the destination address of virtual message 1, and the forwarding subnetwork used to validate virtual message 2 may be the forwarding subnetwork corresponding to PEC2 that includes the destination address of virtual message 2.
In a first implementation manner, forwarding behaviors of multiple destination addresses in the same address set in the network are the same, and each forwarding sub-network can be represented by a forwarding graph model. The verification device may obtain a first forwarding graph model reflecting an interface connection relationship of an outgoing interface on a network device in the target forwarding sub-network that matches a destination address in an address set corresponding to the target forwarding sub-network, where the interface connection relationship includes a packet forwarding direction. The implementation of step 205 may include: the verification device verifies the reachability of the virtual message from the starting point to the destination interface based on the first forwarding graph model.
For example, if the forwarding graph model corresponding to PEC1, to which virtual message 1 belongs, is as shown in fig. 4, the reachability of virtual message 1 from the source interface to the destination interface may be verified using the forwarding graph model shown in fig. 4. If the forwarding graph model corresponding to PEC2, to which virtual message 2 belongs, is as shown in fig. 5, the reachability of virtual message 2 from the source interface to the destination interface is verified using the forwarding graph model shown in fig. 5. Referring to the example in step 204, assume that the source interface is interface GE1/0/3 of network device C and the destination interface is interface GE1/0/1 of network device A. As can be seen from fig. 4, the transmission path of virtual message 1 in the network is: interface GE1/0/3 of network device C → interface GE1/0/1 of network device C → interface GE1/0/3 of network device A → interface GE1/0/1 of network device A. This transmission path is a reachable path, i.e. virtual message 1 is reachable from the source interface to the destination interface. As can be seen from fig. 5, the transmission path of virtual message 2 in the network is: interface GE1/0/3 of network device C → interface GE1/0/2 of network device C → interface GE1/0/3 of network device B → interface GE1/0/2 of network device B. This transmission path is an unreachable path, i.e. virtual message 2 is unreachable from the source interface to the destination interface, and the root cause of the unreachability is "out of network from wrong interface".
In the first implementation mode, the verification device can verify the reachability of the virtual message in the network only by a forwarding graph model corresponding to the address set to which the destination address of the virtual message belongs, and the forwarding table item on the network device is not required to be used in the verification process, so that the verification process is simple and the verification efficiency is high.
In a second implementation, all forwarding subnets that the verification device needs to verify correspond to one forwarding graph model. The verification device may obtain a second forwarding graph model reflecting the topology of all forwarding subnets that the verification device needs to verify. In this embodiment, if the verification device needs to verify all forwarding subnets corresponding to the network, the second forwarding graph model reflects the network topology of the whole network, and the second forwarding graph model may refer to, for example, the network topology of the network 30 shown in fig. 3. The implementation process of step 205 may include: the verification device verifies the reachability of the virtual message from the starting point to the destination interface based on the second forwarding graph model and the outgoing interfaces, on the network devices in the target forwarding sub-network, that match the destination addresses in the address set corresponding to the target forwarding sub-network. Specifically, starting from the node where the source interface is located, the verification device may perform a depth-first graph search on the second forwarding graph model, following the outgoing interfaces on the network devices in the target forwarding sub-network that match the destination addresses in the address set corresponding to the target forwarding sub-network, so as to obtain the transmission path of the virtual message in the network.
For example, continuing the example from step 204, assume that the source interface is interface GE1/0/3 of network device C and the destination interface is interface GE1/0/1 of network device A. The outgoing interface on network device C that matches the destination address of virtual message 1 is interface GE1/0/1. Based on the second forwarding graph model, interface GE1/0/1 of network device C is connected to interface GE1/0/3 of network device A, so virtual message 1 reaches interface GE1/0/3 of network device A after passing through interface GE1/0/1 of network device C. The outgoing interface on network device A that matches the destination address of virtual message 1 is interface GE1/0/1, so it can be determined that virtual message 1 can reach the destination interface, and the transmission path of virtual message 1 in the network is: interface GE1/0/3 of network device C→interface GE1/0/1 of network device C→interface GE1/0/3 of network device A→interface GE1/0/1 of network device A.
The outgoing interface on network device C that matches the destination address of virtual message 2 is interface GE1/0/2. Based on the second forwarding graph model, interface GE1/0/2 of network device C is connected to interface GE1/0/3 of network device B, so virtual message 2 reaches interface GE1/0/3 of network device B after passing through interface GE1/0/2 of network device C. The outgoing interface on network device B that matches the destination address of virtual message 2 is interface GE1/0/2, and virtual message 2 is forwarded out of the network from interface GE1/0/2 of network device B, so it can be determined that virtual message 2 cannot reach the destination interface, and the transmission path of virtual message 2 in the network is: interface GE1/0/3 of network device C→interface GE1/0/2 of network device C→interface GE1/0/3 of network device B→interface GE1/0/2 of network device B.
In the second implementation manner, the verification device can verify the reachability of the virtual message in the network using only the second forwarding graph model and the outgoing interfaces that match the destination address of the virtual message on the network devices in the forwarding sub-network corresponding to the address set to which that destination address belongs. Verifying reachability with the outgoing interface information of the network devices in the forwarding sub-network has lower complexity than verifying it with the outgoing interface information of the network devices in the whole network, so the verification efficiency can be improved. In addition, because the verification device can obtain the outgoing interface set corresponding to each forwarding sub-network (or address set) while dividing the forwarding sub-networks, when it searches the second forwarding graph model it can find the corresponding network devices based on the outgoing interface set corresponding to the address set to which the destination address of the virtual message belongs, and then determine the transmission path of the virtual message in the second forwarding graph model, without using the forwarding table entries on the network devices. The verification process is therefore simple and the verification efficiency is high.
In a third implementation, the implementation procedure of step 205 includes: the verification device verifies the reachability of the virtual message from the starting point to the destination interface according to the forwarding table item on the network device in the target forwarding sub-network, the topology of the target forwarding sub-network and the configuration information of the network device in the target forwarding sub-network.
In a third implementation manner, the verification device only needs to verify the reachability of the virtual message in the network based on the topology of the forwarding sub-network corresponding to the address set to which the destination address of the virtual message belongs and the device information of the network device in the forwarding sub-network. Because a forwarding subnetwork only includes network devices in the network that have outgoing interfaces that match destination addresses in the address set corresponding to the forwarding subnetwork, the forwarding subnetwork is typically smaller in size than the entire network. The reachability verification is performed on the message in the forwarding sub-network, so that the verification complexity is lower compared with the reachability verification performed on the message in the whole network, and the verification efficiency can be further improved.
Optionally, in step 205, the verification device verifying the reachability of the virtual message from the starting point to the destination interface by using the target forwarding sub-network may be: the verification device determines reachable paths and/or unreachable paths of the virtual message in the target forwarding sub-network. Because virtual messages may be transmitted using an equal-cost multi-path (ECMP) mechanism, a virtual message may have both reachable and unreachable paths in the network.
Optionally, the reachable paths of the virtual message in the target forwarding sub-network include paths satisfying the following condition: the outgoing interface from which the virtual message is forwarded out of the target forwarding sub-network is the destination interface. For example, the transmission path of virtual message 1 in the network is a reachable path. The unreachable paths of the virtual message in the target forwarding sub-network include paths satisfying at least one of the following conditions: the outgoing interface from which the virtual message is forwarded out of the target forwarding sub-network is not the destination interface; the path includes a loop. A path includes a loop when there is a node on the path that the virtual message reaches multiple times, and the ingress interfaces through which the virtual message reaches the node are the same and/or the outgoing interfaces through which the virtual message is forwarded from the node are the same. For example, the transmission path of virtual message 2 in the network is an unreachable path, because the outgoing interface from which virtual message 2 is forwarded out of the target forwarding sub-network is not the destination interface, that is, virtual message 2 leaves the network from the wrong interface.
Optionally, the verification device may further output a reachability verification result of the virtual message in the network after determining the reachable path and/or the unreachable path of the virtual message in the target forwarding sub-network. The reachability verification result includes a set of reachable paths and/or a set of unreachable paths. Since a virtual message may have one or more paths in the network, the reachability verification result for a virtual message may include only the reachable path set, or only the unreachable path set, or both the reachable path set and the unreachable path set.
In the embodiment of the application, the verification device can output the reachable paths and/or the unreachable paths of the virtual message in the network, which helps network maintenance personnel troubleshoot faults.
Optionally, when the reachability verification result includes a set of unreachable paths, the reachability verification result may further include the unreachable root cause of each unreachable path in the set of unreachable paths. Optionally, the unreachable root causes include routing loops, leaving the network from the wrong interface, routing black holes, etc. A routing loop means that, while being forwarded in the network, the message reaches the same node multiple times through the same ingress interface and/or is forwarded from that node multiple times through the same egress interface. Leaving the network from the wrong interface means that the message does not reach the designated destination host after being forwarded from a certain outgoing interface of the network. A routing black hole means that the message cannot be forwarded from any outgoing interface of the network.
In the embodiment of the application, the reachability verification result output by the verification device can comprise the unreachable root cause of the unreachable path in the unreachable path set, so that network operation and maintenance personnel can conveniently perform fault location and maintenance.
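The depth-first search of the second implementation, together with the path classification and root causes described above, can be sketched as follows. This is an added example, not code from the application: the `LINKS` and `OUT_IFACES` tables and all function names are assumptions, PEC1 and PEC2 follow the page's devices A, B and C, and the ECMP, LOOP and HOLE tables (and the reverse link directions) are constructed.

```python
# Added example: constructed model of the page's devices A, B and C.
# LINKS is the topology (second forwarding graph model): the interface
# reached from each (device, outgoing interface). Reverse directions
# are an assumption of this sketch.
LINKS = {
    ("C", "GE1/0/1"): ("A", "GE1/0/3"),
    ("A", "GE1/0/3"): ("C", "GE1/0/1"),
    ("C", "GE1/0/2"): ("B", "GE1/0/3"),
    ("B", "GE1/0/3"): ("C", "GE1/0/2"),
}

# Outgoing interfaces matched per device, one table per address set.
# PEC1 and PEC2 follow the page; the other three are constructed.
OUT_IFACES = {
    "PEC1": {"C": ["GE1/0/1"], "A": ["GE1/0/1"]},
    "PEC2": {"C": ["GE1/0/2"], "B": ["GE1/0/2"]},
    "ECMP": {"C": ["GE1/0/1", "GE1/0/2"], "A": ["GE1/0/1"], "B": ["GE1/0/2"]},
    "LOOP": {"C": ["GE1/0/2"], "B": ["GE1/0/3"]},
    "HOLE": {"C": ["GE1/0/2"]},
}

LOOP = "routing loop"
WRONG_IF = "leaving the network from the wrong interface"
BLACK_HOLE = "routing black hole"


def verify(source, destination, out_ifaces, links=LINKS):
    """Depth-first search from the source interface.

    Returns (reachable, unreachable): reachable is a list of paths,
    unreachable a list of (path, root cause). A path is a list of
    (device, interface) hops.
    """
    reachable, unreachable = [], []

    def walk(device, in_if, path, seen_in, seen_out):
        # Same node entered again through the same ingress interface.
        if (device, in_if) in seen_in:
            unreachable.append((path, LOOP))
            return
        seen_in = seen_in | {(device, in_if)}
        outs = out_ifaces.get(device, [])
        if not outs:  # no outgoing interface matches the destination
            unreachable.append((path, BLACK_HOLE))
            return
        for out_if in outs:  # more than one entry models ECMP
            hop = (device, out_if)
            new_path = path + [hop]
            if hop == destination:
                reachable.append(new_path)
            elif hop in seen_out:  # same egress interface used again
                unreachable.append((new_path, LOOP))
            elif hop in links:
                nxt = links[hop]
                walk(nxt[0], nxt[1], new_path + [nxt], seen_in, seen_out | {hop})
            else:  # leaves the network, but not at the destination
                unreachable.append((new_path, WRONG_IF))

    walk(source[0], source[1], [source], frozenset(), frozenset())
    return reachable, unreachable


def show(path):
    """Render a path as device:interface hops."""
    return " -> ".join(f"{dev}:{ifc}" for dev, ifc in path)


if __name__ == "__main__":
    src, dst = ("C", "GE1/0/3"), ("A", "GE1/0/1")
    for name, table in OUT_IFACES.items():
        ok, bad = verify(src, dst, table)
        for p in ok:
            print(name, "reachable:", show(p))
        for p, cause in bad:
            print(name, "unreachable:", show(p), "|", cause)
```

The ECMP table yields one reachable and one unreachable path for the same virtual message, which is why the result carries both path sets.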
Optionally, when the destination address to be verified includes a plurality of IP addresses, the reachability verification results corresponding to different PECs (each PEC corresponds to a virtual message) may be output with the PEC as granularity. Or if the same paths exist in the path sets corresponding to different PECs, the same paths corresponding to different PECs can be combined and output. Alternatively, only the indication of the reachability of the IP address, specifically, which IP addresses are reachable and which are not, may be output. The embodiment of the application does not limit the output form of the reachability verification result.
For example, in the network shown in fig. 3, the destination address to be verified is 0.0.1.0/24, the source interface is interface GE1/0/3 of network device C, and the destination interface is interface GE1/0/1 of network device A. The PEC set obtained in step A by dividing the full set of IP addresses includes PEC1 to PEC3, and the verification device generates virtual message 1 and virtual message 2 based on the destination address to be verified. The reachability verification result output by the verification device may be expressed as follows:
"virtual message 1: { "dstIp": "0.0.1.0", "0.0.1.2-0.0.1.255"; "dstMask": "255.255.255.255" }
Reachable path: interface GE1/0/3 of network device C, interface GE1/0/1 of network device C, interface GE1/0/3 of network device A, interface GE1/0/1 of network device A "
"virtual message 2: { "dstIp": "0.0.1.1"; "dstMask": "255.255.255.255" }
Unreachable path: interface GE1/0/3 of network device C, interface GE1/0/2 of network device C, interface GE1/0/3 of network device B, interface GE1/0/2 of network device B; unreachable root cause: leaving the network from the wrong interface "
Where "dstIp" represents the destination address and "dstMask" represents the subnet mask of the destination address.
In the network reachability verification method provided by the embodiment of the application, the network is divided into a plurality of forwarding sub-networks, and each forwarding sub-network is used for verifying the reachability of a message sent to a group of destination addresses in the network. When the reachability of the message in the network needs to be verified, the verification device can adopt the forwarding sub-network corresponding to the address set where the destination address of the message is located for verification. Because a forwarding subnetwork only includes network devices in the network that have outgoing interfaces that match at least one destination address in the address set corresponding to the forwarding subnetwork, the forwarding subnetwork is typically smaller in size than the entire network. The reachability verification is performed on the message in the forwarding sub-network, so that the verification complexity is lower compared with the reachability verification performed on the message in the whole network, and the verification efficiency can be further improved. In addition, because the forwarding subnets can be used for independently verifying the reachability of the messages sent to the corresponding destination addresses in the network, when the reachability of the messages in the network needs to be verified, synchronous verification can be performed on the messages on one verification device based on the forwarding subnets respectively, and the verification efficiency can be further improved.
In a second embodiment of the present application, the verification device is implemented by a plurality of devices in a distributed deployment, and the plurality of devices are divided into a master device and slave devices. The master device obtains the topology of the communication network and the device information of the network devices, builds a model according to the topology of the communication network and the device information of the network devices, and distributes the model to the slave devices. The slave device stores the model sent by the master device and performs verification based on the model. For example, fig. 6 is a flowchart of another network reachability verification method provided in an embodiment of the present application. As shown in fig. 6, the method includes:
Step 601, the master device obtains a forwarding table entry on a network device in the network.
The implementation process of this step 601 may refer to the above step 201, and the embodiments of the present application are not repeated here.
Step 602, the master device determines a plurality of forwarding subnets corresponding to the network according to forwarding table entries on network devices in the network.
The implementation process of this step 602 may refer to the above step 202, and the embodiments of the present application are not repeated here.
Step 603, the master device distributes information of each forwarding sub-network to one or more slave devices, so that the slave devices adopt the corresponding forwarding sub-network to verify the reachability of the message sent to the destination address in the address set corresponding to the forwarding sub-network in the network.
In the first implementation manner, each forwarding sub-network is represented by a forwarding graph model, and the information of the forwarding sub-network may then be the forwarding graph model corresponding to the forwarding sub-network. Accordingly, one implementation of step 603 includes: the master device distributes forwarding graph models respectively corresponding to the multiple address sets to one or more slave devices, so that the slave devices can verify the reachability of the message sent to the destination address in the corresponding address set in the network by adopting the received forwarding graph models. In this implementation, a slave device needs to store as many forwarding graph models as the number of forwarding subnets it needs to verify. The implementation process corresponding to step 602 includes: the master device determines a plurality of address sets from forwarding entries on network devices in the network. For each address set in the address sets, the master device generates a forwarding graph model corresponding to the address set according to the matching relation between the destination address in the address set and the outgoing interface on the network device in the network, the topology of the network and the configuration information of the network device in the network. The specific implementation process may refer to the above steps A to B, and the embodiments of the present application are not repeated here.
In a second implementation manner, all forwarding subnets allocated to the same slave device by the master device are represented by one forwarding graph model, which reflects the topology of all forwarding subnets that the slave device needs to verify. The information of one or more forwarding subnets sent to the slave device may include this one forwarding graph model and, for each of the one or more forwarding subnets, the set of outgoing interfaces in the network that match the destination addresses in the corresponding address set. Accordingly, another implementation of step 603 includes: the master device sends to the slave device the outgoing interface sets in the network that match the destination addresses in the address sets corresponding to the one or more forwarding sub-networks, together with a forwarding graph model reflecting the topology of the one or more forwarding sub-networks, so that the slave device can verify the reachability of a message in the network by using the received forwarding graph model in combination with the outgoing interface set that matches the destination address of the message in the network. In this implementation, the slave device only needs to store one forwarding graph model no matter how many forwarding subnets it needs to verify. The master device may generate the forwarding graph model corresponding to a slave device according to the topology of all forwarding sub-networks that the slave device needs to verify and the configuration information of the network devices in all of those forwarding sub-networks.
In a third implementation, the information of the forwarding sub-network includes forwarding entries on network devices in the forwarding sub-network, topology of the forwarding sub-network, and configuration information of the network devices in the forwarding sub-network.
Optionally, the network reachability verification system provided in the embodiment of the application includes one or more slave devices. The following embodiments of the present application illustrate examples in which a network reachability verification system includes a plurality of slave devices. The master device may evenly distribute the plurality of forwarding subnets to the plurality of slave devices to enable load balancing of the plurality of slave devices. For example, in step 602, the master device determines that the network corresponds to N forwarding subnets, and the network reachability verification system includes M slave devices, where N and M are integers greater than 1. If N is an integer multiple of M, the master device may allocate N/M forwarding subnets to each slave device.
For example, fig. 7 is a schematic structural diagram of a network reachability verification system provided in an embodiment of the present application. As shown in FIG. 7, the system includes a master device 701 and a plurality of slave devices 702A-702C (the system is illustrated as including 3 slave devices). Assuming that the master device determines that the network corresponds to 30 forwarding subnets, master device 701 may assign forwarding subnets 1-10 to slave device 702A for verification, forwarding subnets 11-20 to slave device 702B for verification, and forwarding subnets 21-30 to slave device 702C for verification.
Optionally, after distributing the forwarding sub-network for the plurality of slave devices, the master device further records the corresponding relationship between each slave device and the forwarding sub-network, and specifically may record the address set that can be verified by each slave device.
Step 604, the master device obtains a verification requirement, where the verification requirement includes information of a destination address to be verified, information of a starting point, and information of a destination interface.
The implementation process of this step 604 may refer to the above step 203, and the embodiments of the present application are not repeated here.
Step 605, the master device determines a target slave device from the one or more slave devices according to the destination address to be verified.
The target slave device is the slave device that needs to perform verification this time. The target slave device satisfies: the address set corresponding to the forwarding sub-network for which the target slave device is responsible has an intersection with the destination address to be verified. Optionally, in the first implementation of step 603, the target slave device satisfies: the target slave device stores a target forwarding graph model, and the address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified.
Optionally, if the destination address to be verified has an intersection with the address sets corresponding to the forwarding subnets for which each of the plurality of slave devices is responsible, the master device may determine that each of the plurality of slave devices is a target slave device.
For example, the destination address to be verified is 0.0.1.0/24, and the corresponding integer set is [256, 511]. The destination addresses in the address set corresponding to the forwarding sub-network allocated by the master device to slave device 1 comprise 0.0.1.0 and 0.0.1.2-0.0.1.255, and the corresponding integer set is {256} ∪ [258, 511]. The destination addresses in the address set corresponding to the forwarding sub-network allocated by the master device to slave device 2 comprise 0.0.1.1 and 0.0.2.0-0.0.2.255, and the corresponding integer set is {257} ∪ [512, 767]. The integer set corresponding to the destination addresses in the address set corresponding to the forwarding sub-network allocated by the master device to slave device 3 is [0, 255] ∪ [768, 2^32-1]. Since the address sets corresponding to the forwarding subnets for which slave device 1 and slave device 2 are responsible intersect with the destination address to be verified, the master device determines that the slave devices that need to perform verification this time comprise slave device 1 and slave device 2.
Step 606, the master device sends sub-verification requirements to the target slave device.
The sub-verification requirement includes information of the destination address that the slave device needs to verify, information of the starting point, and information of the destination interface. The destination address that the slave device needs to verify is the intersection of the destination address to be verified and the address set corresponding to the forwarding sub-network for which the target slave device is responsible. For a specific explanation of the verification requirement, reference may be made to the explanation of the verification requirement in step 203, which is not repeated herein.
Step 607, the target slave device generates a virtual message according to the sub-verification requirement, where the destination address of the virtual message is determined based on the destination address carried in the sub-verification requirement.
The implementation process of step 607 may refer to step 204, and the embodiments of the present application are not repeated here.
Optionally, the target slave device may determine, as the target forwarding subnet, a forwarding subnet corresponding to an address set to which the destination address carried in the sub-verification requirement belongs.
Step 608, the target slave device adopts the target forwarding sub-network to verify the reachability of the virtual message from the starting point to the target interface.
The implementation process of this step 608 may refer to the above step 205, and the embodiments of the present application are not repeated here.
Optionally, the target slave device may also send the reachability verification result of the virtual message in the network to the master device. After receiving the reachability verification results from one or more target slave devices, the master device gathers and outputs the reachability verification results corresponding to the destination address to be verified. Optionally, the reachability verification result includes a set of reachable paths and/or a set of unreachable paths.
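Steps 605 and 606 reduce to intersecting integer interval sets. The following added example (not code from the application) reproduces the 0.0.1.0/24 case from step 605 and builds the sub-verification requirement for each target slave device. The `SLAVE_SETS` table is constructed from the page's numbers; the function names and the `start` and `destInterface` field names are assumptions, while `dstIp` is the field the page's output uses.

```python
import ipaddress

# Constructed from the page's example: closed, sorted, disjoint integer
# intervals of the address sets each slave device is responsible for.
SLAVE_SETS = {
    "slave 1": [(256, 256), (258, 511)],
    "slave 2": [(257, 257), (512, 767)],
    "slave 3": [(0, 255), (768, 2**32 - 1)],
}


def prefix_to_intervals(cidr):
    """Map an IPv4 prefix to its single closed integer interval."""
    net = ipaddress.IPv4Network(cidr)
    return [(int(net.network_address), int(net.broadcast_address))]


def intersect(a, b):
    """Intersect two sorted lists of disjoint closed intervals."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        lo, hi = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if lo <= hi:
            out.append((lo, hi))
        # Advance whichever interval ends first.
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def to_dotted(intervals):
    """Render intervals as dotted addresses or address ranges."""
    parts = []
    for lo, hi in intervals:
        first = str(ipaddress.IPv4Address(lo))
        last = str(ipaddress.IPv4Address(hi))
        parts.append(first if lo == hi else first + "-" + last)
    return parts


def dispatch(dst_to_verify, start, dest_interface, slave_sets=SLAVE_SETS):
    """Pick the target slaves and build one sub-requirement per slave.

    The "start" and "destInterface" keys are hypothetical field names.
    """
    wanted = prefix_to_intervals(dst_to_verify)
    requirements = {}
    for slave, owned in slave_sets.items():
        share = intersect(wanted, owned)
        if share:  # only slaves whose address sets intersect are targets
            requirements[slave] = {
                "dstIp": to_dotted(share),
                "start": start,
                "destInterface": dest_interface,
            }
    return requirements


if __name__ == "__main__":
    for slave, req in dispatch("0.0.1.0/24", "C:GE1/0/3", "A:GE1/0/1").items():
        print(slave, req)
```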
In the network reachability verification method provided by the embodiment of the application, the network is divided into a plurality of forwarding sub-networks, and each forwarding sub-network is used for verifying the reachability of a message sent to a group of destination addresses in the network. When the reachability of the message in the network needs to be verified, the verification device can adopt the forwarding sub-network corresponding to the address set where the destination address of the message is located for verification. Because a forwarding subnetwork only includes network devices in the network that have outgoing interfaces that match at least one destination address in the address set corresponding to the forwarding subnetwork, the forwarding subnetwork is typically smaller in size than the entire network. The reachability verification is performed on the message in the forwarding sub-network, so that the verification complexity is lower compared with the reachability verification performed on the message in the whole network, and the verification efficiency can be further improved. In addition, because the multiple forwarding subnets can be used for independently verifying the reachability of the messages sent to the corresponding destination addresses in the network, the multiple forwarding subnets are distributed and deployed on the multiple verification devices, when the reachability of the multiple messages in the network needs to be verified, the multiple messages can be respectively and parallelly verified in a distributed mode on the multiple verification devices based on the multiple forwarding subnets, and the verification efficiency can be further improved.
The sequence of the steps of the network reachability verification method provided by the embodiment of the application can be adjusted appropriately, and steps can be added or removed as the situation requires. Any variation of the method that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. For example, in the method shown in fig. 6, the master device may integrate the functions of a slave device, take on part of the verification work, and implement the distributed verification function together with the other slave devices, which is not described in detail herein.
The verification device for performing the method shown in fig. 2, or the master device for performing the method shown in fig. 6, may be the network reachability verification apparatus 800 shown in fig. 8. As shown in fig. 8, the apparatus 800 includes:
A first obtaining module 801, configured to obtain a forwarding table entry on a network device in a network.
A processing module 802, configured to determine a plurality of forwarding subnets corresponding to the network according to forwarding entries on network devices in the network. The forwarding sub-networks are in one-to-one correspondence with the address sets. Each of the plurality of address sets includes one or more destination addresses. Each forwarding sub-network only includes network devices having an outbound interface matching at least one destination address in the address set corresponding to the forwarding sub-network. Each forwarding sub-network is used for verifying the reachability of the message of the destination address in the address set corresponding to the forwarding sub-network in the network.
Optionally, there is no intersection between address sets corresponding to any two forwarding subnetworks in the plurality of forwarding subnetworks.
Optionally, the forwarding behaviors of the plurality of destination addresses in the same address set in the network are the same. The forwarding actions corresponding to the plurality of destination addresses in the network are the same, and may include: the outgoing interfaces of each destination address of the plurality of destination addresses that match on the same network device are the same or there is no matching outgoing interface.
Optionally, the processing module 802 is configured to: a plurality of address sets are determined from forwarding entries on network devices in the network. For each of the plurality of address sets, the processing module 802 generates a forwarding graph model corresponding to the address set according to a matching relationship between a destination address in the address set and an outbound interface on a network device in the network, a topology of the network, and configuration information of the network device in the network. The forwarding graph model reflects an interface connection relationship of an outgoing interface matched with a destination address in the address set on network equipment in a forwarding sub-network corresponding to the address set. The interface connection relationship includes an indication of a direction of forwarding the message.
Optionally, the apparatus 800 is applied to a master device, as shown in fig. 9, and the apparatus 800 further includes:
A sending module 803, configured to distribute forwarding graph models corresponding to the multiple address sets respectively to one or more slave devices, so that the one or more slave devices use the received forwarding graph model to verify the reachability of a packet sent to a destination address in the address set corresponding to the forwarding graph model in the network.
Optionally, as shown in fig. 10 or 11, the apparatus 800 further includes: a second acquisition module 804.
In the apparatus shown in fig. 10, the second acquisition module 804 is configured to obtain a verification requirement. The verification requirement includes information of the destination address to be verified, information of the origin and information of the destination interface. The processing module 802 is further configured to determine a target slave device from among the one or more slave devices according to the destination address to be verified. The target slave device stores a target forwarding graph model, and the address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified. The sending module 803 is further configured to send a sub-verification requirement to the target slave device. The sub-verification requirement includes the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, the information of the origin and the information of the destination interface.
In the apparatus shown in fig. 11, the second acquisition module 804 is configured to obtain a verification requirement. The verification requirement includes information of the destination address to be verified, information of the origin and information of the destination interface. The processing module 802 is further configured to generate a virtual message according to the verification requirement. The destination address of the virtual message is determined based on the destination address to be verified. The processing module 802 is further configured to verify the reachability of the virtual message from the origin to the destination interface using a target forwarding sub-network of the plurality of forwarding sub-networks. The address set corresponding to the target forwarding sub-network includes the destination address of the virtual message.
Optionally, the processing module 802 is configured to determine a reachable path and/or an unreachable path of the virtual message in the target forwarding sub-network.
The specific manner in which the modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the method embodiments and is not described again here.
The embodiment of the application also provides a network reachability verification system. The system comprises a master device. The master device is configured to acquire forwarding entries on network devices in the network and to determine a plurality of forwarding sub-networks corresponding to the network according to the forwarding entries on the network devices in the network. The forwarding sub-networks are in one-to-one correspondence with a plurality of address sets. Each of the plurality of address sets includes one or more destination addresses. Each forwarding sub-network includes only network devices having an outgoing interface that matches at least one destination address in the address set corresponding to the forwarding sub-network. Each forwarding sub-network is used for verifying the reachability, in the network, of a message sent to a destination address in the address set corresponding to the forwarding sub-network.
Optionally, the system further comprises: one or more slave devices. The master device is further configured to distribute forwarding graph models corresponding to the multiple address sets to one or more slave devices, so that the slave devices use the received forwarding graph models to verify reachability of a message sent to a destination address in the address set corresponding to the forwarding graph models in the network.
Optionally, the master device is further configured to obtain a verification requirement. The verification requirement includes information of the destination address to be verified, information of the origin and information of the destination interface. The master device is further configured to determine a target slave device from the one or more slave devices according to the destination address to be verified, and to send a sub-verification requirement to the target slave device. The target slave device stores a target forwarding graph model, and the address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified. The sub-verification requirement includes the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, the information of the origin and the information of the destination interface. The target slave device is configured to generate a virtual message according to the sub-verification requirement and to verify, using the target forwarding graph model, the reachability of the virtual message from the origin to the destination interface. The destination address of the virtual message is determined based on the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model.
The functional implementation of the master device and the slave device in the network reachability verification system provided in the embodiment of the present application may refer to the related explanation in the method flow shown in fig. 6, which is not described herein again.
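The flow described above (address sets derived from forwarding entries, one forwarding graph per address set, and a verification requirement split over the address sets it intersects) can be sketched as follows. This is an added example, not code from the application: the device names, forwarding entries and links are constructed, and the prefix-boundary splitting used to derive the address sets and the device-level graph are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample network (assumption, not from the application).
# Forwarding entries per device: destination prefix -> outgoing interface.
FIB = {
    "R1": {"10.0.0.0/8": "R1.e1", "10.1.0.0/16": "R1.e2"},
    "R2": {"10.0.0.0/8": "R2.e1", "10.2.0.0/16": "R2.e0"},
    "R3": {"10.1.0.0/16": "R3.e0"},
}
# Topology: outgoing interface -> neighbouring device. Interfaces that are
# not listed (R2.e0, R3.e0) lead out of the modelled network.
LINKS = {"R1.e1": "R2", "R1.e2": "R3", "R2.e1": "R1"}

def bounds(prefix):
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address)

def lpm(table, addr):
    """Longest-prefix match: outgoing interface for addr, or None."""
    best_len, best_iface = -1, None
    for prefix, iface in table.items():
        lo, hi = bounds(prefix)
        plen = ipaddress.ip_network(prefix).prefixlen
        if lo <= addr <= hi and plen > best_len:
            best_len, best_iface = plen, iface
    return best_iface

def address_sets(fib):
    """Map each forwarding behaviour to the address ranges that share it."""
    cuts = {0, 2**32}
    for table in fib.values():
        for prefix in table:
            lo, hi = bounds(prefix)
            cuts.update((lo, hi + 1))
    cuts = sorted(cuts)
    sets = defaultdict(list)
    for lo, nxt in zip(cuts, cuts[1:]):
        # No prefix boundary lies inside [lo, nxt), so one probe is enough.
        behaviour = tuple((dev, lpm(fib[dev], lo)) for dev in sorted(fib))
        sets[behaviour].append((lo, nxt - 1))
    return dict(sets)

def forwarding_graph(behaviour, links):
    """Forwarding subnet of one address set: only devices with a match."""
    return {dev: (iface, links.get(iface))
            for dev, iface in behaviour if iface is not None}

def verify(graph, origin, dest_iface):
    """Walk a virtual message from origin; return (verdict, interface path)."""
    path, seen, dev = [], set(), origin
    while True:
        if dev in seen:
            return "unreachable: loop", path
        seen.add(dev)
        if dev not in graph:
            return "unreachable: no matching entry on " + dev, path
        iface, nxt = graph[dev]
        path.append(iface)
        if nxt is None:  # the message leaves the forwarding subnet here
            ok = iface == dest_iface
            return ("reachable" if ok else "unreachable: wrong exit interface"), path
        dev = nxt

def verify_requirement(fib, links, dest_prefix, origin, dest_iface):
    """Split a network-segment requirement over the intersecting address sets."""
    want_lo, want_hi = bounds(dest_prefix)
    results = {}
    for behaviour, ranges in address_sets(fib).items():
        graph = forwarding_graph(behaviour, links)
        for lo, hi in ranges:
            lo, hi = max(lo, want_lo), min(hi, want_hi)
            if lo <= hi:  # non-empty intersection = one sub-verification
                key = f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"
                results[key] = verify(graph, origin, dest_iface)
    return results

if __name__ == "__main__":
    for rng, outcome in verify_requirement(FIB, LINKS, "10.0.0.0/14", "R1", "R2.e0").items():
        print(rng, outcome)
```

For the constructed request (10.0.0.0/14 from R1 to interface R2.e0), only the 10.2.0.0/16 part is reachable; 10.1.0.0/16 exits on a different interface and the remaining parts loop between R1 and R2.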
The verification device for performing the method shown in fig. 2, or the master device for performing the method shown in fig. 6, may be the network reachability verification apparatus 1200 shown in fig. 12. As shown in fig. 12, the apparatus 1200 includes: a processor 1201 and a memory 1202.
The memory 1202 is configured to store a computer program comprising program instructions.
The processor 1201 is configured to invoke the computer program to implement the method performed by the verification device of fig. 2 or the master device of fig. 6.
Optionally, the apparatus 1200 also includes a communication bus 1203 and a communication interface 1204.
The processor 1201 includes one or more processing cores, and performs various functional applications and data processing by running computer programs.
The memory 1202 may be used to store computer programs. Optionally, the memory may store an operating system and at least one application unit required for a function. The operating system may be an operating system such as a real-time operating system (Real Time eXecutive, RTX), LINUX, UNIX, WINDOWS, or OS X.
There may be a plurality of communication interfaces 1204, and the communication interface 1204 is used for communicating with other devices.
The memory 1202 and the communication interface 1204 are connected to the processor 1201 through the communication bus 1203, respectively.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In the embodiments of the present application, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The term "and/or" in this application merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
The foregoing description of the preferred embodiments is merely exemplary in nature and is in no way intended to limit the invention, its application, to the form and details of construction and the arrangement of the preferred embodiments, and thus, any and all modifications, equivalents, and alternatives falling within the spirit and principles of the present application.

Claims (24)

1. A method of network reachability verification, the method comprising:
acquiring forwarding entries on network devices in a network;
and determining a plurality of forwarding subnets corresponding to the network according to the forwarding entries on the network devices in the network, wherein the forwarding subnets are in one-to-one correspondence with a plurality of address sets, each address set in the address sets comprises one or more destination addresses, each forwarding subnet comprises only network devices having an outgoing interface matched with at least one destination address in the address set corresponding to the forwarding subnet, and each forwarding subnet is respectively used for verifying the reachability, in the network, of a message sent to a destination address in the address set corresponding to the forwarding subnet.
2. The method of claim 1, wherein there is no intersection between address sets corresponding to any two forwarding subnetworks of the plurality of forwarding subnetworks.
3. A method according to claim 1 or 2, wherein the destination addresses in a same address set have the same forwarding behavior in the network.
4. A method according to claim 3, wherein the forwarding behavior of a plurality of destination addresses in the network being the same comprises: on a same network device, the outgoing interfaces matched by each of the plurality of destination addresses are the same, or none of the plurality of destination addresses has a matched outgoing interface.
5. The method according to claim 3 or 4, wherein said determining a plurality of forwarding sub-networks corresponding to the network according to forwarding entries on network devices in the network comprises:
determining the plurality of address sets according to forwarding entries on network devices in the network;
and for each address set in the address sets, generating a forwarding graph model corresponding to the address set according to the matching relation between a destination address in the address set and an outgoing interface on network equipment in the network, the topology of the network and configuration information of the network equipment in the network, wherein the forwarding graph model reflects the interface connection relation between the outgoing interface matched with the destination address in the address set on network equipment in a forwarding sub-network corresponding to the address set, and the interface connection relation comprises an indication of a message forwarding direction.
6. The method of claim 5, wherein the method is applied to a master device, the method further comprising:
and distributing forwarding graph models respectively corresponding to the multiple address sets to one or more slave devices, so that the one or more slave devices can verify the reachability of the message sent to the destination address in the address set corresponding to the forwarding graph model in the network by adopting the received forwarding graph models.
7. The method of claim 6, wherein the method further comprises:
acquiring a verification requirement, wherein the verification requirement comprises a destination address to be verified, information of a starting point and information of a destination interface;
determining a target slave device in the one or more slave devices according to the destination address to be verified, wherein a target forwarding graph model is stored in the target slave device, and an address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified;
and sending a sub-verification requirement to the target slave device, wherein the sub-verification requirement comprises an intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, the information of the starting point and the information of the destination interface.
8. The method according to any one of claims 1 to 5, further comprising:
acquiring a verification requirement, wherein the verification requirement comprises a destination address to be verified, information of a starting point and information of a destination interface;
generating a virtual message according to the verification requirement, wherein the destination address of the virtual message is determined based on the destination address to be verified;
and verifying the reachability of the virtual message from the starting point to the destination interface by adopting a target forwarding sub-network in the forwarding sub-networks, wherein an address set corresponding to the target forwarding sub-network comprises the destination address of the virtual message.
9. A method according to claim 7 or 8, wherein the destination address to be verified is a network segment address.
10. The method according to any of claims 7 to 9, wherein the information of the origin comprises one or more of an identification of the source device, a source address to be authenticated, an identification of the source network device or an identification of the source interface, and the information of the destination interface comprises an identification of the destination device and/or an identification of the destination interface.
11. The method of claim 8, wherein said employing a target forwarding subnetwork of said plurality of forwarding subnetworks to verify reachability of said virtual message from said origin to said destination interface, comprises:
determining a reachable path and/or an unreachable path of the virtual message in the target forwarding sub-network.
12. The method of claim 11, wherein the reachable paths of the virtual message in the target forwarding sub-network include paths that satisfy the following condition: the outgoing interface through which the virtual message is forwarded out of the target forwarding sub-network is the destination interface; and/or
the unreachable paths of the virtual message in the target forwarding sub-network include paths satisfying at least one of the following conditions: the outgoing interface through which the virtual message is forwarded out of the target forwarding sub-network is not the destination interface; and the path comprises a loop.
13. A network reachability verification apparatus, the apparatus comprising:
a first acquisition module, configured to acquire forwarding entries on network devices in a network;
a processing module, configured to determine a plurality of forwarding subnets corresponding to the network according to the forwarding entries on the network devices in the network, wherein the forwarding subnets are in one-to-one correspondence with a plurality of address sets, each address set in the address sets comprises one or more destination addresses, each forwarding subnet comprises only network devices having an outgoing interface matched with at least one destination address in the address set corresponding to the forwarding subnet, and each forwarding subnet is respectively used for verifying the reachability, in the network, of a message sent to a destination address in the address set corresponding to the forwarding subnet.
14. The apparatus of claim 13, wherein there is no intersection between address sets corresponding to any two forwarding subnetworks of the plurality of forwarding subnetworks.
15. The apparatus according to claim 13 or 14, wherein the forwarding behavior of corresponding destination addresses in the network in the same set of addresses is the same.
16. The apparatus of claim 15, wherein the processing module is configured to:
determining the plurality of address sets according to forwarding entries on network devices in the network;
and for each address set in the address sets, generating a forwarding graph model corresponding to the address set according to the matching relation between a destination address in the address set and an outgoing interface on network equipment in the network, the topology of the network and configuration information of the network equipment in the network, wherein the forwarding graph model reflects the interface connection relation between the outgoing interface matched with the destination address in the address set on network equipment in a forwarding sub-network corresponding to the address set, and the interface connection relation comprises an indication of a message forwarding direction.
17. The apparatus of claim 16, wherein the apparatus is a master device, the apparatus further comprising:
and the sending module is used for distributing forwarding graph models respectively corresponding to the plurality of address sets to one or more slave devices so that the slave devices can verify the reachability of the message of the destination address in the address set corresponding to the forwarding graph model in the network by adopting the received forwarding graph model.
18. The apparatus of claim 17, further comprising a second acquisition module,
the second acquisition module is used for acquiring verification requirements, wherein the verification requirements comprise information of a destination address to be verified, information of a starting point and information of a destination interface;
the processing module is further configured to determine, according to the destination address to be verified, a target slave device from the one or more slave devices, where a target forwarding graph model is stored in the target slave device, and an address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified;
the sending module is further configured to send a sub-verification requirement to the target slave device, where the sub-verification requirement includes an intersection of the target address to be verified and an address set corresponding to the target forwarding graph model, information of the starting point, and information of the target interface.
19. The apparatus according to any one of claims 13 to 16, further comprising a second acquisition module,
the second acquisition module is used for acquiring verification requirements, wherein the verification requirements comprise information of a destination address to be verified, information of a starting point and information of a destination interface;
the processing module is further configured to generate a virtual message according to the verification requirement, wherein the destination address of the virtual message is determined based on the destination address to be verified;
the processing module is further configured to verify, by using a target forwarding subnet in the multiple forwarding subnets, reachability of the virtual message from the starting point to the destination interface, where an address set corresponding to the target forwarding subnet includes a destination address of the virtual message.
20. The apparatus of claim 19, wherein the processing module is configured to:
determine a reachable path and/or an unreachable path of the virtual message in the target forwarding sub-network.
21. A network reachability verification system, comprising: a master device;
the master device is configured to acquire forwarding entries on network devices in a network and determine a plurality of forwarding sub-networks corresponding to the network according to the forwarding entries on the network devices in the network;
the forwarding subnets are in one-to-one correspondence with the address sets, each address set in the address sets comprises one or more destination addresses, each forwarding subnet only comprises network equipment with an outgoing interface matched with at least one destination address in the address set corresponding to the forwarding subnet, and each forwarding subnet is used for verifying the reachability of a message sent to the destination address in the address set corresponding to the forwarding subnet in the network.
22. The system of claim 21, wherein the system further comprises: one or more slave devices;
the master device is further configured to distribute forwarding graph models corresponding to the multiple address sets to the one or more slave devices, so that the one or more slave devices use the received forwarding graph models to verify reachability of a message sent to a destination address in the address set corresponding to the forwarding graph models in the network.
23. The system of claim 22, wherein:
the master device is further configured to obtain a verification requirement, where the verification requirement includes information of a destination address to be verified, information of a starting point, and information of a destination interface;
the master device is further configured to determine a target slave device in the one or more slave devices according to the destination address to be verified, and send a sub-verification requirement to the target slave device, where a target forwarding graph model is stored in the target slave device, an address set corresponding to the target forwarding graph model has an intersection with the destination address to be verified, and the sub-verification requirement includes an intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model, information of the starting point, and information of the destination interface;
the target slave device is configured to generate a virtual message according to the sub-verification requirement, and verify, by using the target forwarding graph model, the reachability of the virtual message from the starting point to the destination interface, where the destination address of the virtual message is determined based on the intersection of the destination address to be verified and the address set corresponding to the target forwarding graph model.
24. A network reachability verification apparatus, comprising: a processor and a memory;
the memory is used for storing a computer program, and the computer program comprises program instructions;
the processor is configured to invoke the computer program to implement the network reachability verification method according to any of claims 1 to 12.
CN202111363934.8A 2021-11-17 2021-11-17 Network reachability verification method, device and system Pending CN116137602A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111363934.8A CN116137602A (en) 2021-11-17 2021-11-17 Network reachability verification method, device and system

Publications (1)

Publication Number Publication Date
CN116137602A true CN116137602A (en) 2023-05-19

Family

ID=86333108

Country Status (1)

Country Link
CN (1) CN116137602A (en)

Legal Events

Date Code Title Description
PB01 Publication