CN117176694B - Network construction method, device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117176694B
Authority
CN
China
Prior art keywords
address
network
port
simulation
router
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311451309.8A
Other languages
Chinese (zh)
Other versions
CN117176694A (en)
Inventor
龚亮华
周硕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fengtai Technology Beijing Co ltd
Original Assignee
Fengtai Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fengtai Technology Beijing Co ltd
Priority to CN202311451309.8A
Publication of CN117176694A
Application granted
Publication of CN117176694B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The embodiment of the application provides a network construction method, a device, an electronic device and a storage medium. The method comprises: acquiring a topology structure of a network device, wherein the network device comprises a simulation router and simulation equipment, and the topology comprises the connection relation between the ports of the simulation router and the ports of the simulation equipment; binding a target port of the simulation router to a network segment; acquiring a port of the simulation equipment connected with the target port; determining an IP address of the port based on the network segment; and generating a network configuration file based on the IP address and writing the network configuration file into the simulation equipment to allocate the IP address to the simulation equipment, so as to construct a simulation network and improve the allocation efficiency and reliability of the IP addresses of the simulation equipment.

Description

Network construction method, device, electronic equipment and storage medium
Technical Field
The application belongs to the technical field of network construction, and particularly relates to a network construction method, a device, electronic equipment and a storage medium.
Background
With the continuous improvement of industrial automation, industrial control systems are applied ever more widely in industry, covering monitoring, control, data acquisition and other fields. Industrial networks play a key role in connecting these industrial control devices: they link the various devices, sensors and controllers to one another to form a tightly integrated network topology. However, planning, deploying and managing industrial networks often face a series of challenges, such as network initialization, security and traffic management, and these are typically tested and planned in an emulated network. Such a network usually contains a large number of devices and network areas, each of which needs a unique IP address as well as appropriate routing and security policies. In the related art, this allocation and configuration is performed manually by the user, which is time-consuming and labor-intensive and prone to configuration errors that can lead to production interruptions and network security holes.
Disclosure of Invention
In view of the above problems, embodiments of the present application provide a network construction method, apparatus, electronic device, and storage medium, which can improve the distribution efficiency and reliability of IP addresses.
The embodiment of the application provides a network construction method, which comprises the following steps:
obtaining a topology of a network device, wherein the network device comprises a simulation router and simulation equipment, and the topology comprises the connection relation between the ports of the simulation router and the ports of the simulation equipment;
binding a target port of the simulation router to a network segment;
acquiring a port of the simulation equipment connected with the target port;
determining an IP address of the port based on the network segment;
and generating a network configuration file based on the IP address, and writing the network configuration file into the simulation equipment to allocate the IP address for the simulation equipment so as to construct a simulation network.
In some embodiments, the determining the IP address of the port based on the network segment includes:
determining whether the port has an IP address;
generating uniformly distributed random numbers and initializing an index range under the condition that the port does not have an IP address;
determining an index from the index range by adopting a binary search algorithm based on the random number;
acquiring an IP address corresponding to the index from the address pool based on the index;
and determining the IP address as the IP address of the port.
In some embodiments, the method further comprises:
binding the IP address with the port to obtain an association relation;
and storing the association relation.
In some embodiments, the method further comprises:
controlling the simulation router to periodically send hello messages to a preset multicast address, so that the simulation router corresponding to the multicast address obtains the hello messages and determines a neighbor relation;
and updating a routing table of the simulation router corresponding to the multicast address based on the neighbor relation.
In some embodiments, the method further comprises:
under the condition that the port needs to be initialized, the IP address, the routing information and the network segment of the port are acquired;
generating network configuration information based on the IP address, the routing information, and the network segment;
writing the network configuration information into the simulation equipment corresponding to the port;
triggering the simulation equipment to restart;
and after restarting the simulation equipment, controlling the simulation equipment to send the network configuration information to a network neighbor.
In some embodiments, the method further comprises:
obtaining firewall parameters;
generating firewall rules based on the firewall parameters;
sending the firewall rules to each network device;
and persisting the firewall rules in each network device after each network device has successfully executed the firewall rules.
In some embodiments, the method further comprises:
under the condition that a data packet sent by an external network is obtained, determining a source address, a source port, a destination address and a destination port of the data packet;
generating an address translation table based on the mapped protocol type, the source address, the source port, the destination address and the destination port;
and mapping the data packet to the network equipment corresponding to the destination address based on the address translation table.
The embodiment of the application provides a network construction device, which comprises:
a first obtaining module, configured to obtain a topology structure of a network device, where the network device includes a simulation router and simulation equipment, and the topology includes the connection relation between the ports of the simulation router and the ports of the simulation equipment;
the first binding module is used for binding the target port of the simulation router to a network segment;
a second acquisition module, configured to acquire the port of the simulation equipment connected with the target port;
a first determining module, configured to determine an IP address of the port based on the network segment;
and the first writing module is used for generating a network configuration file based on the IP address, writing the network configuration file into the simulation equipment so as to allocate the IP address for the simulation equipment and construct a simulation network.
An embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements any one of the methods described above when it executes the computer program.
Embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements a method as described in any one of the above.
Embodiments of the present application provide a computer program product for causing an electronic device to perform any one of the methods described above when the computer program product is run on a terminal device.
The embodiment of the application provides a network construction method, a device, an electronic device and a storage medium. The method acquires a topology structure of a network device, wherein the network device comprises a simulation router and simulation equipment, and the topology comprises the connection relation between the ports of the simulation router and the ports of the simulation equipment; binds a target port of the simulation router to a network segment; acquires a port of the simulation equipment connected with the target port; determines an IP address of the port based on the network segment; and generates a network configuration file based on the IP address and writes the network configuration file into the simulation equipment to allocate the IP address to the simulation equipment, so as to construct a simulation network and improve the allocation efficiency and reliability of the IP addresses of the simulation equipment.
Drawings
The present application will be described in more detail hereinafter based on embodiments and with reference to the accompanying drawings.
Fig. 1 is a schematic implementation flow chart of a network construction method provided in the embodiment of the present application;
Fig. 2 is a creation interface for creating a router component provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of a topology provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of creating a network segment according to an embodiment of the present application;
Fig. 5 is a schematic diagram of an IP address of a network device in a topology according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a mapping configuration according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a network construction device according to an embodiment of the present application;
Fig. 8 is a schematic diagram of a composition structure of an electronic device according to an embodiment of the present application.
In the drawings, like parts are given like reference numerals, and the drawings are not drawn to scale.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings, and the described embodiments should not be construed as limiting the present application, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Where "first\second\third" or similar wording appears in this application document, the following applies: the terms "first\second\third" merely distinguish similar objects and do not denote a particular ordering of those objects; where allowed, the order or precedence of "first\second\third" may be interchanged, so that the embodiments of the application described herein may be practiced in an order other than that illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
Based on the problems existing in the related art, the embodiment of the application provides a network construction method applied to electronic devices such as mobile phones, tablet computers, wearable devices, vehicle-mounted devices, augmented reality (AR)/virtual reality (VR) devices, notebook computers, ultra-mobile personal computers (UMPC), netbooks and personal digital assistants (PDA); the embodiment of the application does not limit the specific type of the electronic device. The functions implemented by the network construction method provided by the embodiment of the application may be implemented by a processor of the electronic device calling program code, where the program code may be stored in a computer storage medium.
An embodiment of the present application provides a network construction method, and Fig. 1 is a schematic implementation flow diagram of the network construction method provided by the embodiment of the present application. As shown in Fig. 1, the method includes:
Step S101, obtaining a topology structure of a network device, where the network device includes an emulation router and an emulation device, and the topology includes the connection relation between ports of the emulation router and ports of the emulation device.
In the embodiment of the application, a user can select the identifiers of the simulation router, the simulation device and the like to establish the topology structure; the identifiers of the network devices can be stored in the electronic device, and the network topology can be established through these identifiers.
In some embodiments, where the electronic device is communicatively coupled to a display device, the display device may present a build interface for the topology of the network device, and the user may set the topology of the network device through the build interface.
In this embodiment, the network devices are all virtual devices, and each network device has corresponding information, for example, the information may include: component name, component classification, component picture, component memory, component CPU, etc.
In this embodiment, the user may set the component name, the component classification, the component picture, the component memory, the component CPU, and the like.
In the embodiment of the application, the connection relation between the ports of each network device can be set, so that the topology structure of the network device is determined.
In this embodiment of the present application, the emulation device may be an industrial device, and the emulation device may also be an emulation router or the like.
Step S102, binding the target port of the simulation router to a network segment.
In the embodiment of the application, the user can set the network segment corresponding to the target port binding of the simulation router.
In this embodiment of the present application, the target port may be any port connected to the emulation device.
Illustratively, one target port is bound to the 192.168.1.0/24 segment.
Step S103, obtaining the port of the simulation equipment connected with the target port.
In the embodiment of the application, cyberrange_port can be queried from the system to obtain the port of the simulation device connected with the target port.
Step S104, the IP address of the port is determined based on the network segment.
In the embodiment of the present application, step S104 may be implemented by the following steps:
step S1041, determining whether the port has an IP address.
In this embodiment of the present application, association information between IP addresses and ports may be stored in the electronic device. After the port is acquired, matching may be performed based on the port to determine whether an association relationship corresponding to the port exists: if the association relationship exists, it is determined that the port has an IP address; if it does not exist, it is determined that the port does not have an IP address.
Step S1042, when the port does not have an IP address, a uniformly distributed random number is generated and an index range is initialized.
In the embodiment of the application, if the port does not have an IP address, the IP address of the port needs to be determined.
In the embodiment of the application, uniformly distributed random numbers can be generated, and the random numbers can be represented by R. The random number R is used to determine its position in the cumulative weight list.
In the embodiment of the application, available IP addresses are put in an address pool, the IP addresses in the address pool can be stored by using a list, and the IP addresses in the list support setting of weights, wherein the weights are used for representing the probability of each IP address being selected. The IP address may be selected by the R value.
In this embodiment of the present application, if no weights are set, all IP addresses may be considered to have equal weights and a random number generator is used to select an address directly. If a weight parameter is provided, cumulative weights are calculated to determine the selection probability, and a binary search is used to select the IP address, where each index corresponds to one IP address.
In the embodiment of the application, 0 ≤ R ≤ 1.
In the embodiment of the present application, the index range low and high may be initialized, where low = 0 and high = n - 1, and n is the size of the set of IP addresses.
Step S1043, determining an index from the index range by using a binary search algorithm based on the random number.
The index may be represented by j and determined using a binary search algorithm: j is the index for which cum_weights[j-1] ≤ R < cum_weights[j] holds, where cum_weights is the cumulative weight list.
After j is acquired, the corresponding IP address may be determined based on j.
Step S1044, obtaining, from the address pool, the IP address corresponding to the index based on the index.
Illustratively, x_i = population[j];
x_i represents the i-th randomly selected IP address;
population is the set of IP addresses.
Step S1045, determining the IP address as the IP address of the port.
Continuing the above example, the IP address population[j] is determined as the IP address of the port.
Step S105, generating a network configuration file based on the IP address, writing the network configuration file into the simulation equipment to allocate the IP address for the simulation equipment so as to construct a simulation network.
In some embodiments, after the IP address is acquired, information such as the corresponding mask may also be acquired. A template of the network configuration file can be preset; after the IP address and related information are acquired, the template is filled with them to generate the network configuration file.
In the embodiment of the application, the network configuration file can be written into the file system of the simulation device by means of cloud-init, for example as /etc/sysconfig/network-scripts/ifcfg-eth0, so that the network configuration file is written into the simulation device.
In the embodiment of the application, after the network configuration file is written into the simulation device, the network service of the simulation device is restarted through qemu-guest-agent, so that automatic allocation of the IP address is achieved. After the allocation is completed, it can be confirmed that the device communicates correctly with the allocated IP address, and the emulation network is thereby constructed.
The network construction method provided by the embodiment of the application acquires a topology structure of a network device, wherein the network device comprises a simulation router and simulation equipment, and the topology comprises the connection relation between the ports of the simulation router and the ports of the simulation equipment; binds a target port of the simulation router to a network segment; acquires a port of the simulation equipment connected with the target port; determines an IP address of the port based on the network segment; and generates a network configuration file based on the IP address and writes the network configuration file into the simulation equipment to allocate the IP address to the simulation equipment, so as to construct a simulation network and improve the allocation efficiency and reliability of the IP addresses of the simulation equipment.
In some embodiments, after step S105, the method further comprises:
Step S106, binding the IP address to the port to obtain an association relation.
In this embodiment of the present application, in order to track the allocation situation of the IP address, a corresponding relationship may be established between the IP address and the port, so as to obtain an association relationship.
Step S107, storing the association relation.
In the embodiment of the application, the uniqueness and the accuracy of the IP address can be ensured by storing the association relations.
In the embodiment of the present application, by the above method, the IP address of each network device may be allocated.
In some embodiments, after step S107, the method further comprises:
step S108, the simulation router is controlled to periodically send hello messages to a preset multicast address, so that the simulation router corresponding to the multicast address obtains the hello messages, and the simulation router corresponding to the multicast address determines a neighbor relation.
In the embodiment of the application, the environment of the simulation router can be constructed by running the Quagga service on a CentOS 7.6 virtual machine. The service runs the OSPF routing protocol, and each router periodically sends Hello messages to a specified multicast address, illustratively 224.0.0.5 or 224.0.0.6.
In the embodiment of the application, when one OSPF router receives Hello messages from other routers, it will check the information in the messages and compare with the neighbor list maintained by itself. If the information contained in the message matches a known neighbor, they can confirm each other as being neighbors, thereby establishing a neighbor relationship.
Step S109, updating the routing table of the simulation router corresponding to the multicast address based on the neighbor relation.
In the embodiment of the application, the routing table of the simulation router can be updated through the neighbor relation.
In some embodiments, after step S109, the method further comprises:
Step S110, if the port needs to be initialized, the IP address, the routing information and the network segment of the port are obtained.
In the embodiment of the application, the electronic device may query the IP address, the routing information, and the network segment of the port.
Step S111, generating network configuration information based on the IP address, the routing information and the network segment.
Step S112, writing the network configuration information into the simulation equipment corresponding to the port.
In the embodiment of the application, a specific configuration tool, such as qemu-guest-agent, may be used to write the generated network configuration information into the configuration file (/etc/quagga/ospfd.)
Step S113, triggering the simulation equipment to restart.
The electronic device may trigger a restart of the relevant services of the emulated device.
Step S114, after the simulation device is restarted, controlling the simulation device to send the network configuration information to a network neighbor.
In the embodiment of the application, after initialization, the network configuration information is sent to the network neighbor again, so that the routing data packet can be sent and received correctly.
In some embodiments, the method further comprises:
Step S115, obtaining firewall parameters.
In the embodiment of the present application, the firewall parameters include the chain, namely INPUT (for packets entering the system), OUTPUT (for packets leaving the system) or FORWARD (for packets forwarded through the system to other network devices), and the action, namely whether to allow the packet to pass (ACCEPT) or to reject it (DROP).
Step S116, generating firewall rules based on the firewall parameters.
In the embodiment of the application, the firewall rules can be stored in a repository for subsequent access and management.
Step S117, the firewall rules are sent to each network device.
In this embodiment of the present application, a text command may be sent to each network device, where the text command may include the configuration conditions and actions of the firewall rules.
In some embodiments, the synchronization to the network devices may be through Agent tools, ensuring that firewall rules are accurately delivered to the respective network devices.
Step S118, after each network device successfully executes the firewall rules, the firewall rules in each network device are persisted.
In the embodiment of the application, after each network device successfully executes the rules, it filters or releases data packets according to the matching conditions defined by the rules; after successful execution, the system calls a tool such as iptables-save to persist the rules, so that they remain in effect after the system is restarted.
In the embodiment of the application, potential network attacks can be detected and dealt with by setting firewall rules.
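An added example of the firewall-rule steps S115 to S118, not code from the patent: it turns the page's chain and action parameters into an iptables text command after checking them against allowed sets, and parses iptables-save output to confirm that each rule took effect before the rule set is persisted. The function names, the sample rules and the sample iptables-save output are constructed; the parser assumes every option in a rule line carries exactly one value, as the generated rules do.

```python
import ipaddress
import shlex

# Firewall parameters named on the page: the chain a packet traverses and the
# action applied to it. Everything else (function names, sample rules, the
# sample iptables-save output) is constructed for this example.
CHAINS = ("INPUT", "OUTPUT", "FORWARD")
ACTIONS = ("ACCEPT", "DROP")
PROTOCOLS = ("tcp", "udp")


def build_rule(chain, action, protocol=None, source=None, destination=None, dport=None):
    """Argument list for one iptables rule. Every parameter is checked against
    an allowed set or parsed as an address/port, so a value arriving from the
    user interface cannot add tokens to the text command sent to the device."""
    if chain not in CHAINS:
        raise ValueError(f"unknown chain: {chain!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    args = ["-A", chain]
    if protocol is not None:
        if protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {protocol!r}")
        args += ["-p", protocol]
    if source is not None:  # host addresses become /32, the form iptables-save prints
        args += ["-s", str(ipaddress.ip_network(source, strict=False))]
    if destination is not None:
        args += ["-d", str(ipaddress.ip_network(destination, strict=False))]
    if dport is not None:
        if protocol is None:
            raise ValueError("--dport needs a protocol")
        port = int(dport)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {dport!r}")
        args += ["--dport", str(port)]
    args += ["-j", action]
    return args


def render_command(args):
    """The text command sent to a device, e.g. 'iptables -A INPUT -p tcp --dport 502 -j ACCEPT'."""
    return "iptables " + " ".join(shlex.quote(a) for a in args)


def canonical(args):
    """Order-independent form of a rule: the set of (option, value) pairs.
    iptables-save inserts '-m tcp' / '-m udp' before --dport, so '-m' is dropped."""
    toks = list(args)
    if len(toks) % 2:
        raise ValueError(f"cannot parse rule: {' '.join(toks)}")
    return frozenset((f, v) for f, v in zip(toks[0::2], toks[1::2]) if f != "-m")


def missing_rules(save_output, rules):
    """Rules not found in iptables-save output. Only an empty result means the
    device applied everything and the rule set may be persisted (step S118)."""
    present = {canonical(line.split()) for line in save_output.splitlines()
               if line.startswith("-A ")}
    return [r for r in rules if canonical(r) not in present]


# Constructed sample of what a device's iptables-save might return after applying the
# first two rules below (Modbus/TCP port 502 from the segment is allowed, one flow to
# 10.0.0.5 is dropped). The third rule is deliberately absent.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 10.0.0.5/32 -j DROP
COMMIT
"""

RULES = [
    build_rule("INPUT", "ACCEPT", protocol="tcp", source="192.168.1.0/24", dport=502),
    build_rule("FORWARD", "DROP", source="192.168.1.0/24", destination="10.0.0.5"),
    build_rule("OUTPUT", "DROP"),
]

if __name__ == "__main__":
    for rule in RULES:
        print(render_command(rule))
    for rule in missing_rules(SAMPLE_SAVE, RULES):
        print("not applied:", render_command(rule))
```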
In some embodiments, the method further comprises:
step S119, when a data packet sent by the external network is acquired, determining a source address, a source port, a destination address, and a destination port of the data packet.
In the embodiment of the present application, the source address and the source port represent the source of the external traffic, that is, the address and the port for transmitting the data packet.
In the embodiment of the present application, the destination address and destination port represent an internal server or port to which the data packet should be mapped.
Step S120, generating an address translation table based on the mapped protocol type, the source address, the source port, the destination address, and the destination port.
In this embodiment of the present application, the protocol type may be specified by the user, and the protocol may be: TCP or UDP.
In the embodiment of the application, the system generates a corresponding NAT table rule according to the determined parameter to perform mapping operation.
Step S121, mapping the data packet to the network device corresponding to the destination address based on the address translation table.
For example, one rule might map the source address and port of an external HTTP request to the IP address and HTTP port of an internal server. The generated NAT table rules are synchronized to the network device by an Agent tool (e.g., a guest agent) to ensure that the rules are accurately applied to the device.
After the network device receives the rule, the mapping of the data packet is performed according to the defined mapping parameters. After successful execution, the system invokes a corresponding command, such as iptables-save, to ensure that the rules persist and remain valid after the system is restarted.
Based on the foregoing embodiments, the embodiments of the present application further provide a network construction method that implements automatic network planning, network configuration and initialization, and network security management, as follows.
When automatic network planning is realized, the electronic equipment allows a user to plan the topological structure of the simulated industrial network by using an intuitive interface, automatically distributes IP addresses, configures routes and sets gateways based on predefined rules, ensures the uniqueness and reasonability of the addresses, and simultaneously considers the requirements of different network areas, thereby reducing the complexity and errors of manual network initialization.
Industrial networks need to remain dynamic and scalable to cope with new device additions and network topology changes. When network configuration and initialization is implemented, the shortest path is determined by exchanging link state information and the routing table is updated automatically. This means that the routing information adapts and updates automatically when new devices join the network or the network topology changes.
In realizing network security management, the filtering, forwarding and mapping rules of the traffic are realized through iptables, and an advanced network security policy is supported. This includes the definition and management of firewall rules, and the detection and countering of potential network attacks.
In implementing automatic network planning, the starting IP address, subnet mask and range of each network segment are determined first. The electronic device calculates the network address and broadcast address of that segment and then iterates through the host addresses available in the segment, from network address + 1 to broadcast address - 1, creating and returning the IP address objects available in the corresponding segment; these form a pool of IP addresses used for subsequent automatic address allocation.
When the topology is built, a particular port of the emulated router is bound to a predefined segment, e.g., one port is bound to the 192.168.1.0/24 segment. Next, the electronic device queries cyberrange_port, acquires the port of the emulation device connected to that port, and determines whether the current port has an IP address; if not, it acquires an IP address from the address pool. The specific algorithm is as follows.
A random selection with replacement is made from a given pool of IP addresses to generate a list of k selected elements (here, the IP addresses of the above embodiment). The IP addresses support weights (weights), which determine the probability that different elements are selected. If no weight parameter is provided, all elements are considered to have equal weights and a random number generator is used to make the selection. If a weight parameter is provided, the cumulative weights are calculated to determine the selection probability and a binary search is used for element selection.
The selected IP address can be expressed by the following formula:
X_i = population[j]
where X_i is the i-th randomly selected element and population is the element set (the address pool).
The index j is calculated as follows:
A uniformly distributed random number R is generated, where 0 <= R < 1.
The index range is initialized with low = 0 and high = n - 1, where n is the size of the element set.
The index j is determined by a binary search over this range such that cum_weights[j-1] <= R < cum_weights[j], where cum_weights is the cumulative weight list (normalised so that its last entry is 1, or equivalently R is scaled by the total weight; cum_weights[-1] is taken as 0).
The element population[j] corresponding to index j is returned as the selection result.
In other words, R locates a position in the cumulative weight list cum_weights, and the element at that position is the one randomly selected; in the embodiment of the present application the IP address population[j] is the result of the random selection.
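The pool construction and the weighted selection described above, written out as an added example in Python; this is not code from the patent or its applicant. It uses only the ipaddress, bisect and random modules of the standard library. The SegmentAllocator class, its port identifiers and the rule that an address already bound to a port is removed from the candidates before selecting are assumptions of this example, added because selection with replacement alone can hand out the same address twice:

```python
"""Address pool construction and weighted random selection for a
simulated segment.  Added example, not the patent's code: the
SegmentAllocator class, its port identifiers and the exclusion of
already-bound addresses are assumptions of this example."""
import bisect
import ipaddress
import itertools
import random
from typing import Dict, Optional, Sequence


def build_address_pool(cidr: str) -> list:
    """Usable host addresses of a segment, from network address + 1 to
    broadcast address - 1.  A /31 or /32 has no such range, so the pool
    is empty rather than containing the network or broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)    # rejects host bits set
    if net.prefixlen >= net.max_prefixlen - 1:
        return []
    if net.num_addresses > 2 ** 16:                  # do not materialise huge segments
        raise ValueError("segment %s too large for an in-memory pool" % net)
    addr_cls = type(net.network_address)
    first = int(net.network_address) + 1
    last = int(net.broadcast_address) - 1
    return [addr_cls(i) for i in range(first, last + 1)]


def weighted_choices(population: Sequence, k: int,
                     weights: Optional[Sequence[float]] = None, rng=random) -> list:
    """k selections with replacement: a uniform R in [0, 1) and a binary
    search for the j with cum_weights[j-1] <= R < cum_weights[j]."""
    n = len(population)
    if n == 0:
        raise ValueError("empty population")
    if weights is None:
        # Equal weights: cum_weights[j] = (j + 1) / n, so j = floor(R * n).
        return [population[int(rng.random() * n)] for _ in range(k)]
    if len(weights) != n or any(w < 0 for w in weights):
        raise ValueError("one non-negative weight per element required")
    total = float(sum(weights))
    if total <= 0:
        raise ValueError("total weight must be positive")
    cum_weights = [c / total for c in itertools.accumulate(weights)]  # last entry is 1
    chosen = []
    for _ in range(k):
        r = rng.random()            # 0 <= R < 1
        low, high = 0, n - 1        # index range searched
        # bisect_right gives the first j with cum_weights[j] > R; high = n - 1
        # keeps j in range even if rounding leaves the last entry just below 1.
        j = bisect.bisect_right(cum_weights, r, low, high)
        chosen.append(population[j])
    return chosen


class SegmentAllocator:
    """Hands out pool addresses to device ports and records the
    port/address binding.  Selection with replacement can repeat an
    address, so bound addresses are removed from the candidates first."""

    def __init__(self, cidr: str, weights: Optional[Sequence[float]] = None,
                 seed: Optional[int] = None):
        self.pool = build_address_pool(cidr)
        self.weights = list(weights) if weights is not None else [1.0] * len(self.pool)
        if len(self.weights) != len(self.pool):
            raise ValueError("one weight per pool address required")
        self.bindings: Dict[str, ipaddress.IPv4Address] = {}   # port id -> address
        self.rng = random.Random(seed)

    def allocate(self, port_id: str) -> ipaddress.IPv4Address:
        if port_id in self.bindings:             # the port already has an address
            return self.bindings[port_id]
        in_use = set(self.bindings.values())
        candidates = [(a, w) for a, w in zip(self.pool, self.weights)
                      if a not in in_use and w > 0]
        if not candidates:
            raise RuntimeError("address pool exhausted")
        addrs, ws = zip(*candidates)
        addr = weighted_choices(addrs, 1, ws, self.rng)[0]
        self.bindings[port_id] = addr            # record the association
        return addr
```

With no weights the search degenerates to j = floor(R * n), which the equal-weight branch computes directly. Removing bound addresses before selecting is what makes the recorded port/address association sufficient for uniqueness; selecting first and checking afterwards would need a retry loop and could spin on a nearly full segment.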
In the embodiment of the application, after an IP address has been obtained, the electronic device collects the metadata (IP address, mask and so on), generates the content of the network configuration file by filling a template, writes it into the file system of the simulation device (for example /etc/sysconfig/network-scripts/ifcfg-eth0) and restarts the network service through qemu-guest-agent, so that the address is allocated automatically and the device can communicate with the allocated IP address. In addition, to track the allocation of IP addresses, the electronic device binds each allocated IP address to its port and records the association, which guarantees that each IP address is unique and accurate.
In the embodiment of the application, the virtual router or switch environment can be built by running the Quagga service on a CentOS 7.6 virtual machine. The service runs the OSPF routing protocol: each router periodically sends Hello messages to the designated multicast address (224.0.0.5, AllSPFRouters; 224.0.0.6, AllDRouters, is used for packets addressed to the designated router), and when an OSPF router receives a Hello from another router it checks the fields of the message (area ID, Hello and dead intervals, network mask and authentication must match) against its own neighbor list. If the message matches a known neighbor, the two routers confirm each other as neighbors and a neighbor relationship is established.
When a specific network area or port needs to be initialized, the system queries the network information related to the port (IP address, subnet mask and so on), computes the network configuration with the ipaddress library, determines the subnet and the routing parameters of the port, and generates the segment information. Next, the system uses a configuration tool such as qemu-guest-agent to write the generated network configuration into the configuration file of the virtual device (/etc/quagga/ospfd.conf) and triggers a restart of the related services on the network device. After the network management service (NetworkManager) and the routing service (ospfd) have restarted, the device announces this network information to its neighbors and can correctly send and receive routing packets. This process rebuilds the device's routing table and ensures that the device can route packets to the target network area.
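The template filling for the per-port configuration written to the simulation device (the ifcfg-eth0 file and the Quagga ospfd.conf mentioned above), as an added example in Python; this is not the patent's code. The port record layout (iface, ip, segment, gateway), the router address 20.1.1.254 on the second segment and the strict validation of every field are assumptions of this example. The validation is the check a practitioner wants here, because the rendered text goes straight into ifcfg-eth0 and ospfd.conf, where a newline in a stored name would otherwise become an extra configuration line:

```python
"""Per-port configuration generated by template filling for the
simulation device (ifcfg-<iface> and Quagga ospfd.conf).  Added example,
not the patent's code: the port record layout, the router address on
the second segment and the strict field validation are assumptions."""
import ipaddress
import re
from typing import Dict, List

IFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,14}")   # fits Linux IFNAMSIZ

IFCFG_TEMPLATE = """DEVICE={iface}
BOOTPROTO=static
ONBOOT=yes
IPADDR={ip}
PREFIX={prefix}
NETMASK={netmask}
"""


class ConfigError(ValueError):
    """A stored port record that cannot safely be rendered."""


def port_network_info(port: Dict[str, str]) -> dict:
    """Derive the subnet parameters of a port with ipaddress.  Every value
    that reaches a file is re-rendered from a parsed object, so a newline
    or '!' smuggled into a stored string cannot become an extra line."""
    if not IFACE_RE.fullmatch(port["iface"]):
        raise ConfigError("bad interface name %r" % port["iface"])
    segment = ipaddress.ip_network(port["segment"], strict=True)
    iface = ipaddress.ip_interface("%s/%d" % (port["ip"], segment.prefixlen))
    if iface.network != segment:
        raise ConfigError("%s is not in segment %s" % (iface.ip, segment))
    if iface.ip in (segment.network_address, segment.broadcast_address):
        raise ConfigError("%s is the network or broadcast address" % iface.ip)
    gateway = None
    if port.get("gateway"):
        gateway = ipaddress.ip_address(port["gateway"])
        if gateway not in segment:
            raise ConfigError("gateway %s is not in segment %s" % (gateway, segment))
    return {"iface": port["iface"], "ip": str(iface.ip),
            "prefix": segment.prefixlen, "netmask": str(segment.netmask),
            "network": str(segment),
            "gateway": str(gateway) if gateway is not None else None}


def render_ifcfg(info: dict) -> str:
    """Contents of /etc/sysconfig/network-scripts/ifcfg-<iface> (CentOS 7)."""
    text = IFCFG_TEMPLATE.format(**info)
    if info["gateway"]:
        text += "GATEWAY=%s\n" % info["gateway"]
    return text


def render_ospfd_conf(router_id: str, infos: List[dict], area: str = "0.0.0.0") -> str:
    """Contents of /etc/quagga/ospfd.conf advertising every bound segment."""
    ipaddress.IPv4Address(router_id)     # both are dotted quads; raises on junk
    ipaddress.IPv4Address(area)
    lines = ["hostname ospfd", "password zebra", "!", "router ospf",
             " ospf router-id %s" % router_id]
    for info in infos:
        lines.append(" network %s area %s" % (info["network"], area))
    lines += ["!", "log stdout", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed records for the router of the later example: e1 on
    # 10.1.1.0/24 and (assumed) e2 on 20.1.1.0/24.
    ports = [{"iface": "eth0", "ip": "10.1.1.254", "segment": "10.1.1.0/24"},
             {"iface": "eth1", "ip": "20.1.1.254", "segment": "20.1.1.0/24"}]
    infos = [port_network_info(p) for p in ports]
    for info in infos:
        print(render_ifcfg(info))
    print(render_ospfd_conf("10.1.1.254", infos))
```

The device-side sequence is then the one the text describes: the agent writes both files, NetworkManager and ospfd are restarted, and the new network statements are what ospfd announces to its neighbors.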
In the embodiment of the present application, firewall rules are attached to the built-in chains INPUT (packets entering the system), OUTPUT (packets leaving the system) and FORWARD (packets forwarded through the system to other network devices). For each rule the administrator chooses, according to the traffic requirements, whether matching packets are allowed through (ACCEPT) or discarded (DROP).
In the embodiment of the application, once the firewall rules are configured, the network device filters or passes packets according to parameters such as source address, source port, destination address and destination port, which gives fine-grained control over network traffic.
Firewall rule processing comprises: structuring, rule storage, rule generation, rule delivery to the network devices, rule execution and persistence. The electronic device structures the firewall parameters and stores the structured rules in a repository for later access and management. It then generates firewall rules automatically from the parameters; a rule is expressed as a text command containing the match conditions and the action. The generated rules are synchronized to the network device through a dedicated Agent tool so that they arrive accurately at the target device. Once a rule has been synchronized, the network device filters or passes packets according to the match conditions defined by the rule, and after successful execution the system calls a tool such as iptables-save to persist the rules so that they remain in force after a reboot.
The mapping function is implemented by using NAT tables to ensure that packets can be routed correctly by handling source and destination IP addresses and port translations.
In the mapping function, the following key parameters need to be determined:
source address and source port: indicating the source of the external traffic, i.e. the address and port from which the packet is sent.
Destination address and destination port: indicating the internal server or port to which the packet should be mapped.
Protocol type: the administrator needs to specify the type of protocol to be mapped, such as TCP or UDP.
The electronic device generates the corresponding NAT table rule from the determined parameters to perform the mapping. For example, one rule might map external HTTP requests (matched by their source address and port and by the address and port they were sent to) to the IP address and HTTP port of an internal server. The generated NAT table rules are synchronized to the network device by an Agent tool (for example the guest agent) so that the rules are applied to the device accurately.
After the network device receives the rule, packets are mapped according to the defined mapping parameters. After successful execution the system invokes the corresponding command, such as iptables-save, so that the rules persist and remain valid after the system is restarted.
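The firewall rule generation and the NAT mapping described above, as an added example in Python; this is not the patent's code. Structured parameters are validated and turned into the iptables text commands an agent would run on the router, using the ssh mapping of the later example (10.1.1.0/24 to 10.1.1.254:22222, mapped to 20.1.1.1:22). The dataclass fields, the FORWARD and conntrack rules, enabling ip_forward and the CentOS 7 persistence path /etc/sysconfig/iptables (read back by the iptables-services package) are assumptions of this example. Validating each field before it is joined into a command is the check a practitioner wants, since the command text is executed on the device and an address field containing a shell metacharacter would otherwise become a second command:

```python
"""Firewall and NAT mapping parameters rendered as iptables text commands.
Added example, not the patent's code: the dataclass fields, the
conntrack and FORWARD rules, ip_forward and the CentOS 7 persistence
path are assumptions of this example."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

CHAINS = ("INPUT", "OUTPUT", "FORWARD")
ACTIONS = ("ACCEPT", "DROP")
PROTOCOLS = ("tcp", "udp")


def _check_port(value) -> int:
    port = int(value)                       # int() rejects "22 -j ACCEPT" outright
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return port


def _check_net(value: str) -> None:
    ipaddress.ip_network(value, strict=False)   # raises ValueError on anything else


@dataclass(frozen=True)
class FilterRule:
    """One structured filter rule.  Fields are validated on creation, so the
    rendered command can only ever contain the values shown here."""
    chain: str
    action: str
    protocol: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def __post_init__(self):
        if self.chain not in CHAINS or self.action not in ACTIONS:
            raise ValueError("unknown chain or action")
        if self.protocol is not None and self.protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol %r" % self.protocol)
        if (self.sport, self.dport) != (None, None) and self.protocol is None:
            raise ValueError("port matches require a protocol")
        for net in (self.src, self.dst):
            if net is not None:
                _check_net(net)
        for port in (self.sport, self.dport):
            if port is not None:
                _check_port(port)

    def command(self) -> str:
        argv = ["iptables", "-A", self.chain]
        for flag, value in (("-p", self.protocol), ("-s", self.src), ("-d", self.dst),
                            ("--sport", self.sport), ("--dport", self.dport)):
            if value is not None:
                argv += [flag, str(value)]
        argv += ["-j", self.action]
        return shlex.join(argv)


@dataclass(frozen=True)
class PortMapping:
    """Traffic from src_net to ext_addr:ext_port is mapped to int_addr:int_port."""
    protocol: str
    src_net: str
    ext_addr: str
    ext_port: int
    int_addr: str
    int_port: int
    src_port: Optional[int] = None

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol %r" % self.protocol)
        _check_net(self.src_net)
        ipaddress.ip_address(self.ext_addr)
        ipaddress.ip_address(self.int_addr)
        for port in (self.ext_port, self.int_port, self.src_port):
            if port is not None:
                _check_port(port)

    def commands(self) -> List[str]:
        match = ["-s", self.src_net, "-d", self.ext_addr, "-p", self.protocol]
        if self.src_port is not None:
            match += ["--sport", str(self.src_port)]
        match += ["--dport", str(self.ext_port)]
        dnat = ["iptables", "-t", "nat", "-A", "PREROUTING"] + match + [
            "-j", "DNAT", "--to-destination", "%s:%d" % (self.int_addr, self.int_port)]
        # The rewritten packet is forwarded, so FORWARD must accept it as well.
        fwd = ["iptables", "-A", "FORWARD", "-s", self.src_net, "-d", self.int_addr,
               "-p", self.protocol, "--dport", str(self.int_port), "-j", "ACCEPT"]
        return [shlex.join(dnat), shlex.join(fwd)]


def render_script(rules: List[FilterRule], mappings: List[PortMapping]) -> str:
    """Command text handed to the agent: forwarding on, replies of accepted
    connections allowed back, filter rules, mappings, then persistence."""
    lines = ["set -e",
             "sysctl -w net.ipv4.ip_forward=1",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [rule.command() for rule in rules]
    for mapping in mappings:
        lines += mapping.commands()
    lines.append("iptables-save > /etc/sysconfig/iptables")   # read by iptables-services
    return "\n".join(lines) + "\n"
```

DNAT rewrites only the destination. In the later example the reply from 20.1.1.1 comes back through the router because the router is that host's gateway on the second segment, so no source translation is needed; if the internal host had a different route back to the client, a POSTROUTING SNAT or MASQUERADE rule would have to be generated alongside the DNAT rule.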
The method provided by the embodiment of the application can be applied to enterprises, public institutions, community organizations, higher institutions, scientific research institutions and all entities and institutions related to industrial Internet information security work in the field of industrial Internet information security. The industry internet information security work involves subjects including, but not limited to, industry internet platform providers, intelligent manufacturing enterprises, industry automation system developers, industry equipment manufacturers, network security consultants, industry internet research institutions, government regulatory agencies, and the like.
Based on the foregoing embodiments, embodiments of the present application provide a specific example, including:
First, a router component (the simulation router of the embodiments above) needs to be created. Fig. 2 is the creation interface for the router component provided in the embodiment of the present application; as shown in the figure, the refresh button under platform basic resources - virtual machine management - virtual machine templates can be clicked to obtain the latest template list. Then, in component management, a virtualized component is created from a template; the component classification must be set to router, and the configuration, system, image and so on can be chosen when creating the component.
A test topology is then built with the component just created. Fig. 3 is a schematic diagram of one topology provided by an embodiment of the present application; the topology can be created as shown in fig. 3.
Network segment data is created by filling in the segment name, start address, end address, mask and so on. Fig. 4 is a schematic diagram of creating a network segment according to the embodiment of the present application; as shown in fig. 4, with a start address of 10.1.1.1 and an end address of 10.1.1.254 the electronic device creates all the address data from 10.1.1.1 to 10.1.1.254.
After the component has been started, the network under the router component is clicked to bind segment information to e1 and e2 respectively.
The simulation components connected to the ports can then be allocated addresses within the segment and announce their port, i.e. the segment is added to the network so that the whole network can communicate. Fig. 5 is a schematic diagram of the IP addresses of the network devices in the topology provided by the embodiment of the present application; as shown in fig. 5, a simulation network is constructed.
In this embodiment of the present application, the mapping page can be selected and a new mapping added, taking the ssh protocol as an example. Fig. 6 is a schematic diagram of a mapping configuration provided in this embodiment of the present application; with the mapping shown in fig. 6, when an address in the 10.1.1.0/24 segment accesses port 22222 of 10.1.1.254, the connection is mapped to port 22 of 20.1.1.1.
Running the command "ssh 10.1.1.254 -p 22222" on the component 10.1.1.1 and entering the password logs in successfully, and "ip addr" shows that the shell is now on the host with address 20.1.1.1.
Based on the foregoing embodiments, the embodiments of the present application provide a network construction apparatus; each module of the apparatus and each unit of each module may be implemented by a processor in a computer device or, of course, by a specific logic circuit. In practice the processor may be a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), a field programmable gate array (FPGA) or the like.
An embodiment of the present application provides a network construction device, and fig. 7 is a schematic structural diagram of the network construction device provided in the embodiment of the present application, as shown in fig. 7, a network construction device 700 includes:
a first obtaining module 701, configured to obtain the topology of the network device, where the network device includes a simulation router and simulation equipment, and the topology includes the connection relationship between the ports of the simulation router and the ports of the simulation equipment;
a first binding module 702, configured to bind a target port of the simulation router to a network segment;
a second obtaining module 703, configured to obtain a port of the emulation device connected to the target port;
a first determining module 704, configured to determine an IP address of the port based on the network segment;
the first writing module 705 is configured to generate a network configuration file based on the IP address, and write the network configuration file into the emulation device, so as to allocate an IP address to the emulation device, so as to construct an emulation network.
In some embodiments, the first determining module 704 includes:
a first determining unit, configured to determine whether an IP address exists in the port;
the generation unit is used for generating random numbers which are uniformly distributed under the condition that the port does not have an IP address, and initializing an index range;
A second determining unit, configured to determine an index from the index range using a binary search algorithm based on the random number;
an obtaining unit, configured to obtain, from the address pool, an IP address corresponding to the index based on the index;
and a third determining unit, configured to determine the IP address as the IP address of the port.
In some embodiments, the network construction device 700 further comprises:
the second binding module is used for binding the IP address with the port to obtain an association relation;
and the storage module is used for storing the association relation.
In some embodiments, the network construction device 700 further comprises:
the transmission module is used for controlling the simulation router to periodically transmit hello messages to a preset multicast address so that the simulation router corresponding to the multicast address acquires the hello messages and the simulation router corresponding to the multicast address determines a neighbor relation;
and the updating module is used for updating the routing table of the simulation router corresponding to the multicast address based on the neighbor relation.
In some embodiments, the network construction device 700 further comprises:
the second acquisition module is used for acquiring the IP address, the routing information and the network segment of the port under the condition that the port needs to be initialized;
A first generation module, configured to generate network configuration information based on the IP address, the routing information, and the network segment;
the second writing module is used for writing the network configuration information into the simulation equipment corresponding to the port;
the triggering module is used for triggering the simulation equipment to restart;
and the control module is used for controlling the simulation equipment to send the network configuration information to a network neighbor after the simulation equipment is restarted.
In some embodiments, the network construction device 700 further comprises:
the third acquisition module is used for acquiring firewall parameters;
the second generation module generates firewall rules based on the firewall parameters;
the sending module is used for sending the firewall rules to each network device;
and the persistence module is used for persistence of the firewall rules in each network device after each network device is successfully executed based on the firewall rules.
In some embodiments, the network construction device 700 further comprises:
the second determining module is used for determining a source address, a source port, a target address and a target port of the data packet under the condition that the data packet sent by the external network is acquired;
a third generating module, configured to generate an address translation table based on the mapped protocol type, the source address, the source port, the destination address, and the destination port;
And the mapping module is used for mapping the data packet to the network equipment corresponding to the target address based on the address conversion table.
An embodiment of the present application provides an electronic device, fig. 8 is a schematic diagram of a composition structure of the electronic device provided in the embodiment of the present application, as shown in fig. 8, and the electronic device 800 includes: a processor 801, at least one communication bus 802, a user interface 803, at least one external communication interface 804, memory 805. Wherein the communication bus 802 is configured to enable connected communication between these components. The user interface 803 may include a display screen, and the external communication interface 804 may include a standard wired interface and a wireless interface, among others. The processor 801 is configured to execute a program of a network construction method stored in a memory to implement the steps in the network construction method provided in the above-described embodiment.
In the embodiment of the present application, if the network construction method described above is implemented in the form of a software functional module and sold or used as a separate product, it may also be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the prior art, and the computer software product may be stored in a storage medium, and include several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
Accordingly, the present embodiment provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the network construction method provided in the above embodiment.
Embodiments of the present application further provide a computer program product, which when run on a terminal device, causes the electronic device to perform any of the above-described network construction methods.
The description of the electronic device and the storage medium embodiments above is similar to that of the method embodiments described above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the computer apparatus and the storage medium of the present application, please refer to the description of the method embodiments of the present application.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
Alternatively, the integrated units described above may be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the prior art, embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a controller to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The foregoing is merely an embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A network construction method, comprising:
obtaining a topology of a network device, where the network device includes a simulation router and simulation equipment, and the topology includes the connection relationship between the ports of the simulation router and the ports of the simulation equipment;
binding a target port of the simulation router to a network segment;
acquiring a port of the simulation equipment connected with the target port;
determining the IP address of the port based on the network segment, the determining the IP address of the port based on the network segment comprising: determining whether the port has an IP address; generating uniformly distributed random numbers and initializing an index range under the condition that the port does not have an IP address; determining an index from the index range by adopting a binary search algorithm based on the random number; acquiring an IP address corresponding to the index from the address pool based on the index; determining the IP address as the IP address of the port;
and generating a network configuration file based on the IP address, and writing the network configuration file into the simulation equipment to allocate the IP address for the simulation equipment so as to construct a simulation network.
2. The method according to claim 1, wherein the method further comprises:
Binding the IP address with the port to obtain an association relation;
and storing the association relation.
3. The method according to claim 1, wherein the method further comprises:
the simulation router is controlled to periodically send hello messages to a preset multicast address, so that the simulation router corresponding to the multicast address obtains the hello messages, and the simulation router corresponding to the multicast address determines a neighbor relation;
and updating a routing table of the simulation router corresponding to the multicast address based on the neighbor relation.
4. A method according to claim 3, characterized in that the method further comprises:
under the condition that the port needs to be initialized, the IP address, the routing information and the network segment of the port are acquired;
generating network configuration information based on the IP address, the routing information, and the network segment;
writing the network configuration information into the simulation equipment corresponding to the port;
triggering the simulation equipment to restart;
and after restarting the simulation equipment, controlling the simulation equipment to send the network configuration information to a network neighbor.
5. The method according to claim 1, wherein the method further comprises:
Obtaining firewall parameters;
generating firewall rules based on the firewall parameters;
sending the firewall rules to each network device;
after each network device successfully executes based on the firewall rules, the firewall rules in each network device are persisted.
6. The method according to any one of claims 1 to 5, further comprising:
under the condition that a data packet sent by an external network is obtained, determining a source address, a source port, a target address and a target port of the data packet;
generating an address translation table based on the mapped protocol type, the source address, the source port, the destination address, and the destination port;
and mapping the data packet to the network equipment corresponding to the target address based on the address conversion table.
7. A network construction device, comprising:
a first obtaining module, configured to obtain a topology structure of a network device, where the network device includes a simulation router and simulation equipment, and the topology includes the connection relationship between the ports of the simulation router and the ports of the simulation equipment;
the first binding module is used for binding the target port of the simulation router to a network segment;
The second acquisition module is used for acquiring the port of the simulation equipment connected with the target port;
a first determining module, configured to determine an IP address of the port based on the network segment, where determining the IP address of the port based on the network segment includes: determining whether the port has an IP address; generating uniformly distributed random numbers and initializing an index range under the condition that the port does not have an IP address; determining an index from the index range by adopting a binary search algorithm based on the random number; acquiring an IP address corresponding to the index from the address pool based on the index; determining the IP address as the IP address of the port;
and the first writing module is used for generating a network configuration file based on the IP address, writing the network configuration file into the simulation equipment so as to allocate the IP address for the simulation equipment and construct a simulation network.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 6.
CN202311451309.8A 2023-11-03 2023-11-03 Network construction method, device, electronic equipment and storage medium Active CN117176694B (en)

Publications (2)

Publication Number Publication Date
CN117176694A CN117176694A (en) 2023-12-05
CN117176694B true CN117176694B (en) 2024-02-06

Family

ID=88947289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311451309.8A Active CN117176694B (en) 2023-11-03 2023-11-03 Network construction method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117176694B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101925102A (en) * 2010-06-08 2010-12-22 中国人民解放军理工大学 Wireless network topology simulation method adopting Ethernet promiscuous mode
CN106878095A (en) * 2017-04-28 2017-06-20 北京仿真中心 A kind of network collocating method and system based on scenario distributed emulation
CN108365988A (en) * 2018-02-12 2018-08-03 江南大学 Industrial control system emulation mode based on cloud platform
CN115333819A (en) * 2022-08-05 2022-11-11 北京华信傲天网络技术有限公司 Remote network access system and communication method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102377669B (en) * 2011-10-18 2014-12-10 华为技术有限公司 Method for sending message and switch

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101925102A (en) * 2010-06-08 2010-12-22 中国人民解放军理工大学 Wireless network topology simulation method adopting Ethernet promiscuous mode
CN106878095A (en) * 2017-04-28 2017-06-20 北京仿真中心 A kind of network collocating method and system based on scenario distributed emulation
CN108365988A (en) * 2018-02-12 2018-08-03 江南大学 Industrial control system emulation mode based on cloud platform
CN115333819A (en) * 2022-08-05 2022-11-11 北京华信傲天网络技术有限公司 Remote network access system and communication method

Also Published As

Publication number Publication date
CN117176694A (en) 2023-12-05

Similar Documents

Publication Publication Date Title
JP5610247B2 (en) Network system and policy route setting method
US10257091B2 (en) Pipeline table identification
EP3675419A1 (en) Method and apparatus for detecting network fault
CN109981493B (en) Method and device for configuring virtual machine network
WO2016130108A1 (en) Network policy conflict detection and resolution
US9621512B2 (en) Dynamic network action based on DHCP notification
CN106921578B (en) Method and device for generating forwarding table item
CN107547242B (en) Method and device for acquiring VM configuration information
CN107809386B (en) IP address translation method, routing device and communication system
US9954775B2 (en) Software-defined network (SDN) system using host abstraction, and method for implementing the same
CN110474960B (en) Method and device for service deployment in virtual network
CN113452561A (en) Topology generation method, device and equipment and readable storage medium
US20140156820A1 (en) Configuration information selection based on extracted information
CN109510717B (en) Method, device, equipment and storage medium for acquiring information of node equipment
CN117176694B (en) Network construction method, device, electronic equipment and storage medium
CN103532852A (en) Routing scheduling method, routing scheduling device and network equipment
CN109729010B (en) Method, equipment and system for determining traffic transmission path in network
CN107294989B (en) Method and device for preventing ARP gateway spoofing
CN107465770B (en) SDN network and non-SDN network communication method and device
US10038566B1 (en) Systems and methods for multicast message routing
CN114172815B (en) Behavior traffic transmission method, device, computer equipment and computer readable storage medium
US20100238930A1 (en) Router and method of forwarding IPv6 packets
CN112737850B (en) Mutually exclusive access method and device
CN111654558B (en) ARP interaction and intranet flow forwarding method, device and equipment
CN112532506B (en) Hybrid networking method, device, server and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant