JPH09284282A - Virtual network operation management system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To automatically revise a configuration of a virtual network attended with revision of a directory service by revising setting of a physical object in response to a request by a physical manager in an agent. SOLUTION: A physical manager module 221 gives setting revision information being information attended with revision of a virtual network to relating devices such as an ATM 3001 and a switching hub 3002 being network components. A notice from a physical manager 200 starts an agent module 321 in each device. The agent module 321 uses a server/client setting control module 3212 in a server 3004 and a client 3005 to revise the configuration of the actual information device. Similarly a switching hub setting control module 3213 in the switching hub 3002 revises the configuration of the actual information device. Similarly a router 3003 uses a router setting control module 3214 to revise the configuration of the actual information device.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technology for supporting construction, operation and management of a network, and more particularly to construction of a switch network including a conventional shared network.
The present invention relates to technology that supports easy operation and management.

[0002]

2. Description of the Related Art In order to construct / operate / manage a computer network system in which a plurality of information devices are connected and used, a hardware device and a configuration / operation between each device are
In addition to operation / management, network system construction / operation / management is required. Targets for constructing, operating, and managing network systems include physical objects such as information devices and hardware devices that make up the network, and logical objects such as users, and an organization that manages these objects in an easy-to-understand manner. There is a directory service, etc., in which a logical hierarchy structure is used to represent such items.

Conventionally, construction, operation, and management of these objects are all performed on the directory service for logical objects, and are performed at the directory service level for physical objects and by actual hardware devices. There are things that must be done.

For example, in a company or the like, when the organization or the like is changed, not only the directory service but also the logical object or the physical object is changed. Furthermore, the movement of hardware devices, etc. also occurs, and along with this, it is necessary to actually change the setting values such as the network address, etc., so that the load of constructing, operating and managing the network system increases significantly. ,
The difficulty of setting etc. has become apparent.

Meanwhile, Nikkei Communication November 1994
According to the technology published in the "Inrush, Partial LAN" article in the 21st issue, a virtual LAN that can be freely configured on a switch-type network without being restricted by its physical configuration is described.

[0006]

However, according to this technique, with respect to the change of the organization described above, the setting of the network address or the like for the actual movement of the hardware device is simply reduced, It does not describe changes to the entire network system, including changes to physical and logical objects and even directory services.

Therefore, according to the present invention, the construction / operation / management of the conventional directory service and the logical objects and physical objects and the construction / operation / management of each hardware device are separately performed in accordance with the change of the organization in the company. What was previously stored, in response to changes in logical and physical objects on the directory service, automatically
It is an object of the present invention to provide a virtual network operation management system that realizes an optimal network configuration for changes in organizations and the like regardless of the physical configuration. Further, it is another object of the present invention to provide a virtual network operation management system that supports not only a switch network but also a conventional shared network.

[0008]

In order to achieve the above object, the present invention provides a virtual system for automatically realizing an optimum network configuration in response to a change of a logical object or a physical object on a directory service. A network operation management system, including a logical manager that constructs, operates, and manages directory services and logical objects, and a physical manager that constructs, operates, and manages physical objects such as information devices and hardware devices that make up the network. The logical manager has an agent on each physical object, and the logical manager communicates with the physical manager when the directory service or the logical object is set or changed, and means for performing the setting. From the means and the physics manager The physical object has communication means for receiving information from the logical object and communication means for transmitting information to the logical object, and the agent receives information from the physical object. A virtual network operation management system comprising: a communication means for receiving the information, a communication means for transmitting information to the physical object, and a means for setting / changing the physical object based on the information.

According to the virtual network operation management system of the present invention, when a directory service or a logical object is set or changed, the logical manager notifies the physical manager of the information. Then, the physical manager notifies the agent of information corresponding to the information. Then, the physical object on which the agent is installed is set / changed.

On the other hand, when a physical object is set or changed, the agent informs the physical manager of the information. Then, the physical manager notifies the logical manager of information corresponding to the information. Further, the logical manager sets / changes directory services and logical objects.

Therefore, in response to changes in the directory service, logical objects and physical objects, an optimum network configuration is automatically realized without being restricted by the physical configuration.

[0012]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of a virtual network integrated construction operation management system according to the present invention will be described below.

FIG. 1 shows the configuration of a virtual network integrated construction operation management system according to this embodiment.

As shown in the figure, the virtual network integrated construction operation management system is intended for networks in all ranges from the global network to the local network. In this embodiment, in particular, the switch type including the conventional shared network is used. A logical manager 100 that constructs, operates, and manages directory services and logical objects, and a physical manager 20 that constructs, operates, and manages physical objects such as information devices and hardware devices that compose the network will be described.
0 and an agent 300 on each physical object.

FIG. 2 shows the configuration of the logic manager 100.

As shown in the figure, the logical manager 100 is
In terms of hardware, input devices such as keyboards and mice
107, an external storage device 108 such as a floppy disk drive or a hard disk device, a display device 109, an external device such as a printer 110, and controllers 103 to 106 for controlling input between these external devices, an interface circuit 105, and a CPU 10.
1. An ordinary computer system including a main body having a memory 102. The logic manager 100 also has a network interface and is connected to the network via that interface. Logic manager 10
0 may be connected to any part of the network.

The memory 102 includes a logic manager module 121, an operating system module 122, and a communication control module 123 as programs executed by the CPU 101. The memory also contains tables for managing the logical objects.

FIGS. 24A, 24B and 24C show examples of the structure of the table 124.

FIG. 24A shows the logical object ID (i
dentifier) 2401, a group name 2404 to which the logical object belongs, and a logical object ID 2403 that is a parent in the hierarchical structure. All logical objects have unique IDs in the system and are registered in this correspondence table as logical objects.

FIG. 24B is a correspondence table of a physical object, which is a device in the network and a logical object corresponding to the device. Every device in the network has a unique ID in the system and is registered in this correspondence table. This correspondence table shows the physical object ID 2411 and the attributes (ATM, PRINTER, C) of the device having that ID.
LIENT, ROOTER, etc.) 2412 and its ID
A logical object ID 2413 corresponding to a device having This correspondence table may be included in the physical manager 200.

FIG. 24C is a correspondence table of the group name 2412 and the virtual network name 2422.

As shown in FIG. 5, the logical manager module 121 includes a directory service window module 1211, a directory tree setting module.
1212, a user setting module 1213, and an information device setting module 1214. Furthermore, modules may be added as needed.

The logic manager module 121 is started by an operator. The directory service window module 1211 is created by using a directory service compliant with the ITU-TX500 series (for example, NDS manufactured by Novell Inc.), and the relationship between logical objects is displayed as a directory tree on a display device and the relationship is changed. -Provide a user interface for registering new objects. It also displays the connection relationships on the virtual network between physical objects.

When an operator newly registers or changes a user, the user setting module 12
Reference numeral 13 performs processing for adding / deleting records and changing the contents of existing records for the tables related to the logical objects shown in FIGS. 23 (A) and 23 (B). Further, the physical manager 200 is notified of the corresponding physical object ID and the contents of change / registration.

When an operator newly registers or changes a certain device, that is, information equipment, a record is added / added to the information equipment setting module and the table related to the physical object ID shown in FIG. Delete,
Perform the process of changing the contents of the existing record. In addition, the physical manager 200 is notified of the physical object ID and the change registration content.

When the operator newly creates or changes the directory tree, the directory tree setting module 1212 requests the user setting module 1213 or / and the information device setting module 1214 for processing according to the contents. To do.

Logical manager 100 and physical manager 2
Transmission and reception of information between 00s is performed in the same manner as normal data transmission and reception using the protocol used in the network. Similarly, FIG. 3 shows the configuration of the physical manager 200.

As shown in the figure, the physical manager 200
In terms of hardware, input devices such as keyboards and mice
207, an external storage device 208 such as a floppy disk drive or a hard disk device, a display device 209, an external device such as a printer 210, and controllers 203 to 206 for controlling input between these external devices, an interface circuit 205, and a CPU 20.
1. An ordinary computer system including a main body having a memory 202. The physical manager 200 also
It has a network interface and is connected to a network through the interface. The physical manager 200 may be connected to any part of the network.
Further, the physical manager 200 may share the same device as the logical manager 100.

The memory 202 includes a physical manager module 221, an operating system module 222, and a communication control module 223 as programs executed by the CPU 201. The memory also includes a table 224 for managing physical objects.

FIG. 25 shows an example of the structure of the table 224.

FIG. 25 is a list of devices in the network which are physical objects. Every device in the network has a unique physical object ID in the system and is registered in this list. This list includes a physical object ID 2501, an attribute 2502 of a device having the physical object ID, a virtual network name 2503 to which the physical object belongs, information 2504 indicating the position and connection of the object, and an address 2505 on the network such as an IP address. Including. The table 224 may include further items depending on the type and configuration of the network. Further, as shown in FIG. 6, the physical manager module 221 includes an information device / window module 2211, a server / client setting / change management module 2212, and a switching hub setting / change management module 22.
13 and router setting / change management module 2214. Furthermore, modules may be added as needed.

The physical manager module 221 is activated by an operator's operation or a notification from a logical manager or agent. The information equipment window module 2211 displays the physical and logical connection relationships of the information equipment on a display device, and provides a user interface for changing the connection or adding equipment.

The process can be known from the attribute specified by the operator, the logical manager, or the agent, or the attribute of the newly registered information device. When the information equipment is a server or a client, a server / client setting management module 2212, when it is a switching hub, a switching hub setting management module 2213, and when it is a router, a router setting management module 2214.
Updates or adds the corresponding record in the table 224 (FIG. 25). Further, in response to a processing request from a person other than the agent, the agent 300 in the related information device is notified of the changed contents and requested to perform the processing.

Physical manager 200 and agent 30
Transmission and reception of information between 0s is performed in the same manner as normal data transmission and reception using the protocol used in the network.

An agent 300 is included in each of the information equipment devices forming the network. FIG. 4 shows the configuration of the agent.

As shown in the figure, the agent 300 is, in terms of hardware, an input device 30 such as a keyboard or a mouse.
7. External storage devices 308 such as floppy disk drives and hard disk devices, display devices 309, printers 310 and other external devices, and controllers 303 to 306 for controlling inputs between these external devices, interface circuits 305, and CPU 30.
1. An ordinary computer system including a main body having a memory 302. The agent 300 also has a network interface and is connected to the network via the interface. The agent may be a system made up of some of these elements.
For example, a display device may not always be attached like a router. These components need not be agent-specific. The information device to which the agent belongs may share the element with the agent to realize the function.

The memory 302 includes an agent module 321, an operating system module 322, and a communication control module 323 as programs executed by the CPU 301. Further, the memory has a table 324 having information on the address and control of the information device itself. The configuration of the table 324 differs depending on the information device.

Further, as shown in FIG.
Module 321 is information device setting change module 321
1, a server / client setting control module 3212, a switching hub setting control module 3213, and a router setting control module 3214. Furthermore, modules may be added as needed. On the contrary, the modules used by the attribute of the information device to which the agent 300 belongs are limited, so the agent module 32
1 may be composed of only a minimum number of modules for each information device.

The agent module 321 is activated by an operator's operation or a notification from the physical manager 200. Operator's operation or physical manager 2
The notification information device setting change module 3211 from 00 receives the server / client setting / control module 3212, the switch hub setting control module 3213, and the router setting control module 2 depending on the attribute of the information device.
The process is divided into 214. Each module sets / updates the table 324. Further, each module may control not only the table 324 change but also the setting and operation of the information equipment.

When the operator sets the agent settings, the physical manager 200 is notified of the changed contents.

The program modules are CPUs 101, 201, 3
It is executed by 01 and the corresponding process is embodied on the computer system. For convenience, in the following description, this process will be referred to by the name of the corresponding program module.

The operations of the logical manager 100, physical manager 200, and agent 300 will be described below.

First, the outline of the operation will be described.

However, the present embodiment is a network centered on a switch network, although it may include a shared network. For example, when a network information device is relocated due to a change in organization or the like, it is necessary to change the network address and the like in the shared network. However, if a switch type network is used, a logical network configuration can be defined. There is no need. In other words, conventionally, the network segment depends on the physical arrangement, but the network segment can be determined by the logical arrangement.

In the world of TCP / IP protocol, the network segment mentioned here corresponds to a range or subnet in which broadcasting is performed. Therefore, a logical network configuration at the IP protocol level becomes possible, and the network segment of this unit will be referred to as a virtual network here.
Note that this is conceivable even in cases other than the IP protocol. Further, in the virtual network, a closed space is constructed there, so that security and the like are guaranteed.

On the other hand, in corporate organizations and the like, people are frequently moved due to personnel changes and project changes, and network information devices are no exception. In particular, most information devices such as personal computers and workstations are owned by users, and the information devices move as the users move.

Therefore, one important feature of the present invention will be described below by taking a network used by a hierarchical organization as an example.

In a layered organization, such as a company,
As in the case of section, department, place of business, and company, the unit of the upper layer is composed of the set of units of the lower layer.
Here, the virtual network is configured in units of layers regardless of physical arrangement such as geographical location.

In the present embodiment, the hierarchical organization is constructed and managed by a directory service, and a virtual network is constructed by each unit. An example showing this situation is shown in FIG.

FIG. 8 shows the directory service window 1001 and the information equipment window 2001.

Directory service window 1001 showing a logical hierarchical structure of a hierarchical organization and information device window 2001 showing a virtual network
Is displayed on the display device 109 of the logical manager 100 or the display device 209 of the physical manager 200.

Directory service window 1001
Constructs a global directory tree, where Root represents the Earth. Below that is Japan, which is a country, and below that is the company HITACHI. Furthermore, there are business establishments SDL and SDC below that, and below that are divisions 4Dept., 5Dept., And 6Dept., And a virtual network is configured in units of these divisions. Under 4 Dept., there is Manager A who is the department manager, file server FS1 used at the department level, print server PS1, printer Printer1, and section 405U, and users B, C, and D are under 405U. Similarly, Manager E who is the department manager under 5 Dept., file server FS2 used at department level, print server PS2,
There are printers Printer2 and 501U, and users F and G are below 501U.

Information equipment / window 2001 is 4Dept. And 5D
The ept. section is displayed as a virtual network. Virtual Network (4Dept.) And Virtual Network (5Dep.
t.) is the 4Dep of the directory service window 1001.
Corresponds to t. and 5Dept., and each element also corresponds. Note that, here, it is assumed that the user owns one information device and is described as such.

At this time, for example, due to personnel changes, 4D
Suppose user D10011 of 405U of ept. decides to move to 501U of 5D ept.

The operator activates the logic manager module 121 of the logic manager 100 to display the directory service window 1001 shown in FIG.
User D is dragged and dropped with a mouse etc. 40
Move from 5U to 501U.

The logic manager module 121 is shown in FIG.
The corresponding record in the logical object ID / group name correspondence table shown in FIG. 4A is changed. Further, all physical object IDs whose logical object ID is D in the physical object ID / logical object ID correspondence table shown in FIG. 24B are extracted and notified to the physical manager 200 via the communication management module 123.

Upon receiving this notification, the physical manager module of the physical manager 200 is activated.

In the server / client setting / change management module 2212 in the physical manager module, in response to the movement of the client 2001 owned by the user D, the virtual network is changed, specifically, the client 2001 uses Virtual Network (4Dept .)
Information of the physical object ID shown in FIG. 25 is changed so that it becomes a constituent element of Virtual Network (5 Dept.).

By the way, the network shown in FIG. 9 includes a logical manager 100, a physical manager 200, an ATM (Asynchronous
us Transfer Mode) 3001, a switching hub 3002, a router 3003, a server 3004, a client 3005, and the like. As shown in FIG. 10, the physical manager module 221 uses the ATM (Asynchronous Trans), which is a constituent element of the network, to provide information associated with the change of the virtual network.
fer Mode) 3001, switching hub 3002, router 3003,
The setting change information is transmitted to related devices such as the server 3004 and the client 3005.

The notification sent from the physical manager 200 activates the agent module 321 in each device.

The agent module 321 is a server
In the server 3004 and the client 3005, the server / client setting update control module 3212 changes the actual configuration of the information device.

Similarly, in the switching hub 3002, the switching hub setting control module 3213 changes the actual configuration of the information device.

Similarly, in the router 3003, the router setting control module 3214 changes the actual configuration of the information device.

Further, although the group forming the virtual network is divided by the organization such as a company in the above embodiment, it may be based on security.

As shown in FIG. 11, the virtual network group is designated as Security Level A 401, Security Level
B 402, Security Level C 403, Security Level D 404
Project A 405 is divided into Security Level A
401, Security Level B 402, Security Level C 403,
Belonging to Security Level D 404, Project B 406 is Sec
urity Level B 402, Security Level C 403, Security
Belongs to Level D 404.

At this time, member 4601 of Project B 406
But think about when you move from Project B to Project A.
Correspondingly, the security level of information equipment of member 4061 is Security Level B 402, Security Level C 40
3, Security Level D 404 to Security Level A 401,
Security Level B 402, Security Level C 403, Securi
Changed to belong to ty Level D 404.

Furthermore, as shown in FIG. 12, instead of the security level in FIG. 11, it is an example of division by department. Virtual Network Group Plannig Divisi
on 501, Marketing Division 502, Development Divisi
on 503, Sales Division 504, Project A 505
Plannig Division 501, Marketing Division 502,
Development Division 503, Sales Division 504, Project B 506, Marketing Division 502, Dev
Belongs to lopment Division 503 and Sales Division 504.

At this time, as in the case of FIG. 11, the virtual network is simultaneously and automatically changed by the movement of the members.

As described above, in addition to security and departments, the factors that divide the virtual network include, for example,
It may be a protocol or service.

Further, it is possible to realize a computer environment as shown in FIG. 13 by dynamically changing the connection of the virtual network by the user for the plurality of virtual networks as described above.

Specifically, Virt which is Security Level A
ual Network A 601, Sales Division Virtual Net
work B 602, Virtual Network which is SNMP
For k C 603, users 604 can be dynamically or concurrently connected to their respective virtual networks as needed.

FIG. 14 is a flow chart showing an operation procedure performed by an operator who uses the software according to the present invention and an outline of processing performed by the software. However, the actual operation of this software does not have to strictly follow the order of the flow shown in Fig. 14, and some operation orders may be reversed,
You may omit a part of operation repetition or a part of operation.

First, the operator of this software is 71
The tree structure of the directory, which is a feature of the directory service, is edited by 401. This editing operation is for performing operations such as creation, duplication, deletion, change of attributes such as name, and movement of a position on the tree structure of a container object which is an element object of the directory 7140 structure.
The processing for this operation is, as illustrated in 714011, securing a memory area for storing the information of the edited object, setting processing of the object attribute, and drawing processing for displaying the object related to the operation on the operation screen, It also includes processing corresponding to user operations such as drag and drop. The processing indicated by 714011 is as shown in FIG.
The directory setting module 1212 in the logical manager module 121 shown in FIG.

Next, the operator edits 71402 logical objects such as users, groups, and files which are recorded and managed as electronic information on the directory service in the directory structure. This editing operation also includes all operations such as creation and duplication, like the editing of the directory. Furthermore, regarding the processing that accompanies the operation,
The same 714021 process as 714011 is required. The processing indicated by 714021 is performed by the user setting module 1213 in the logic manager module 121 shown in FIG.

In the directory structure, the file server, client machine, router, and switch are recorded and managed as electronic information on the directory service. Since the setting process for the corresponding device is required,
The operator edits the physical object 71403. This editing operation also includes all operations such as creation and duplication, like the editing of the directory. Further, as for the processing associated with the operation, the processing of 714031 similar to that of 714011 is required. At this time, information set for the actual device is also set and recorded as electronic information on the directory service. The processing indicated by 714031 is performed by the information device setting module 1214 in the logic manager module 121 shown in FIG.

After that, the operator performs an operation 71404 for editing information related to each other with respect to the objects created / edited by the operations 71401 to 71403. The information related to each other here means setting of attributes that affect the state of each object of a plurality of objects such as master-slave relationship, ownership relationship, dependency relationship, right relationship such as access as shown in 714041. .

FIG. 15 is an example of a window operation screen provided by this software for performing the operation shown in FIG. FIG. 15 shows a window 7150 for operating the directory service (hereinafter directory window) 7150 and a window for operating only physical objects (hereinafter physical window) 7151.

Among the objects shown on the directory window 150, reference numerals 1501 to 1504 denote a directory tree structure, which has a tree structure with the root 1501 as a parent. In this example, Department 1 (1502), which corresponds to a department, Section 1 (1503) and Section 2 (1504) corresponding to (1) indicate a virtual company organization. Besides, it is also possible to show the floor structure of the building by using this directory. Here, Section 1 (1503) is an object selected by the user on the screen.

Reference numerals 1505 to 1509 denote logical objects or physical objects inside the Section 1 (71503) object. User1 (1505) and User2 (1506) are user objects and logical objects.

Similarly, Desktop2 (1507), Note1 (1508), Des
ktop3 (1509) is an object indicating a personal computer and is a physical object. Display contents of these objects can be scrolled by a scroll bar. Here, Desktop2 (1507)
Is an object selected by the user on the screen.

The physical window 151 is a window for displaying each information device by an icon. ATM1 (1511), Switch
A network connection device such as 1 (1512) and each computer (1513 to 1517) are displayed to show the network connection status. Here, Desktop2 of the same name shown in the directory window 150 and the physical window 151
(1507 and 1516) show the same device. Object identifier, ATM /
Unique address values used for communication such as MAC addresses, or information unique to information devices such as device model numbers and serial numbers can be used.

The physical object created on the physical window can be put in a specific position in the directory by an operation such as drag and drop. Also, the user icon on the directory window
It is also possible to set the owner, administrator, etc. of the physical object by performing a drag and drop operation on 1505 and the like.

By operating these windows, the logical objects and physical objects are placed under the control of the directory service, and various settings and mutual relationships can be set.

FIG. 16 is a flow chart showing an internal processing procedure for the operation of 71401 shown in FIG.

The designated object information search 71601 is a process for identifying an object designated by the user, including the case of creating a new object. Information on the object to be searched is shown in 716011. Each of these pieces of information is various attribute information that identifies the specified object and defines the property of the object.

Directory window redrawing process 71602
Is a process of inspecting the interrelationships of all the objects that make up the delay 7140, creating information for displaying in tree form, and actually drawing. In this redisplay processing, as shown in 716021, a list is created to display the objects, and the display order is determined based on the list.However, the objects are searched without creating the list. It is also possible to take a method of displaying while.

The object display process 71603 in the specified context is a process of identifying an object on the tree specified by the user, retrieving the contents of child objects included in the object, and displaying the contents in a window. Similar to 716021, this process is a process of creating a list for displaying objects and determining the display order, but the display can be performed without creating the list.

FIG. 17 is a flow chart showing the internal processing procedure for the operation of editing 71402 of the logical object shown in FIG.

In the context designation 71701, the user receives the designation of the context for specifying the object on the directory. As shown in 717011, this context specifying process can be combined with a search process in addition to an operation using an input device such as a mouse or a keyboard.

The logical object creating process 71702 is a process for creating a logical object, and includes a process for an existing object. When an operation on an existing object is designated, only the object attribute setting process of the processes shown in 717021 is performed. Further, when the movement of the object is designated, only the registration processing in the tree is performed.

In the object display process 71704, the created and edited object is displayed in the window. The processing relating to this display is essentially the same processing as the display processing shown at 71603.

FIG. 18 is a flow chart showing the internal processing procedure for the operation of the physical object edit 71402 shown in FIG.

The flow of the process and the contents of the process are the same as the process of the logical object shown in FIG. 17, but the information such as the identifier for identifying the corresponding information equipment is set as the object attribute to be set in the object. There is a difference in that it must be included.

FIG. 19 is a flow chart showing an internal processing procedure for the operation 71404 of editing the relationship information between a plurality of objects shown in FIG.

The processing flow of FIG. 19 is, for example, User1 object 1 of the Directory Tree window 7150 shown in FIG.
An explanation will be given for the case where the mutual relation between the 505 and the Desktop2 object 1516 of the Physical Object Map window 151 is set to Own (ownership). By the physical object designation 71901, the Desktop2 object 1516 151 is designated by the user operation 719011 such as a mouse. Similarly, the user1 object 7150 of 7150 is specified by the logical object designation 71902.
6 is designated by a user operation 719021 such as a mouse.
With respect to these designated objects, it is possible to register the relationship "Own" by a specific operation such as a mouse. The relationship between the two objects is a process of registering reference destination information for mutually referencing the objects and related attributes indicating the reference contents as attributes of each object.
(719031). By these processes, the relation between the physical object and the logical object is clarified, and the operation of the logical object on the directory service can be reflected in the setting status of the information device by the opposing relationship between the physical object and the information device. Become.

FIG. 20 is a diagram showing an example of a setting window screen for registering an object on the directory service in the virtual network group.

The Directory Tree window 7200 is the same window as 7150 shown in FIG. Virtual Network
The Group List window 7201 is a window that displays a plurality of virtual networks and their members. For example, virtual network groups classified by security level in FIG.
It can be displayed as up2 etc. This window has a D
Icon areas 72011 and 72012 showing the status of logical objects such as users incorporated in each virtual network by dragging and dropping from the irectory Tree window 7200, areas 72013 and 72014 displaying the names of groups of each virtual network, Policy Description button 72 to set group classification rules
There are 015 and 72016. A scroll bar or the like may be arranged in each display area to scroll the display information.

In the example of FIG. 20, User1 (72005) is set as Security G
It shows that User1 has been incorporated into Security Group 1 by dragging and dropping it to icon area 72011 of roup1.

FIG. 21 is a flow chart of operations and processing when editing a virtual network group. First,
A network group is created 72101 by operator operation. Here, the memory area for the virtual network group is secured, the group name is set, and displayed in the window (721011). Next, set the classification attribute for this group as a group policy (721
02). The group policy referred to here may be, for example, a department in the company organization or the above-mentioned classification based on the security level. Since groups can be created based on these different classification policies, policies of different dimensions can be treated equally. FIG. 22 is a flowchart showing an operation and a process of assigning a user or the like to the virtual network group created in the process of 7210. By treating each virtual network group itself as an object,
It is possible to perform the processing similar to the processing of 7190 for setting the relationship between a plurality of objects. That is, logical object designation 72201, virtual network group designation 7
The logical object belongs to the virtual network group by identifying the object according to 2202 and setting the related attributes such as the cross-reference of the logical object and the virtual network group object and the definition of the member.

FIG. 23 is a flowchart showing an outline of the processing performed by the agent module 321. The agent performs a setting process for each information device based on the directory information set by the logical manager module 121 and obtained by communication via the physical manager. First, the agent checks whether or not the setting information of the information device managed by itself is recorded as an object on the directory service, and acquires the information set on the directory service (72301). Next, which operation is selected from among a plurality of setting operations prepared in advance is determined from the acquired setting information (72302). This determination can be classified according to the characteristics of the service or device, for example, indicated by 7230. Further, the policy of the virtual network group is checked to determine which group is actually incorporated (72303), and the actual setting operation is performed (72304). For example, when transferring the LAN Emulation Client to a security level A group, specify the ATM address of the LAN Emulation Server that manages the security level A group.
It can be set by writing to the LAN Emulation Client setting file.

[0101]

As described above, according to the present invention, by providing the logical manager, the physical manager, and the agent, the configuration of the virtual network can be automatically changed simultaneously with the change of the directory service. It is possible to provide a virtual network integrated construction operation management system that is.

Further, according to the present invention, grouping of virtual networks can be performed by, for example, security, department,
It is possible to provide a virtual network integrated construction and operation management system that dynamically and flexibly responds to changes such as movements of objects, which are constituent elements of the protocols and services, and the like. Further, according to the present invention, it is possible to provide a virtual network integrated construction and operation management system in which one user can access a plurality of virtual networks dynamically and simultaneously.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration of an entire system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a configuration of a logic manager according to an embodiment of the present invention.

FIG. 3 is a diagram showing a configuration of a physical manager according to an embodiment of the present invention.

FIG. 4 is a diagram showing a configuration of an agent according to an embodiment of the present invention.

FIG. 5 is a diagram showing a configuration of a logic manager module according to an embodiment of the present invention.

FIG. 6 is a diagram showing a configuration of a physical manager module according to an embodiment of the present invention.

FIG. 7 is a diagram showing a configuration of an agent module according to an embodiment of the present invention.

FIG. 8 is a diagram showing a directory service window and an information equipment window according to the embodiment of the present invention.

FIG. 9 is a diagram showing a relationship between a logical manager and a physical manager according to the embodiment of the present invention.

FIG. 10 is a diagram showing a relationship between a physical manager and an agent according to the embodiment of the present invention.

FIG. 11 is a diagram showing grouping of security level virtual networks according to an embodiment of the present invention.

FIG. 12 is a diagram showing grouping of department-level virtual networks according to an embodiment of the present invention.

FIG. 13 is a diagram showing how one user dynamically and flexibly connects to a plurality of virtual networks according to an embodiment of the present invention.

FIG. 14 is a flowchart illustrating an outline of user operation and processing for software according to the embodiment of the present invention.

FIG. 15 is an example of a window operation screen provided by software according to the embodiment of the present invention.

FIG. 16 is a flowchart showing an internal processing procedure for a directory tree editing operation in the software processing according to the embodiment of the present invention.

FIG. 17 is a flowchart showing an internal processing procedure for a logical object editing operation in the software processing according to the embodiment of the present invention.

FIG. 18 is a flowchart showing an internal processing procedure for a physical object editing operation, of the software processing according to the embodiment of the present invention.

FIG. 19 is a flowchart showing an internal processing procedure for an editing operation of relational information between a plurality of objects in the software processing according to the embodiment of the present invention.

FIG. 20 is a flow chart showing an internal processing procedure for an editing operation of relation information between a plurality of objects in the software processing according to the embodiment of the present invention.

FIG. 21 is a flowchart showing an internal processing procedure for an editing operation of relational information between a plurality of objects in the software processing according to the embodiment of the present invention.

FIG. 22 is a flowchart showing an internal processing procedure for an editing operation of relation information between a plurality of objects in the software processing according to the embodiment of the present invention.

FIG. 23 is a flowchart showing an internal processing procedure for an editing operation of relational information between a plurality of objects in the software processing according to the embodiment of the present invention.

FIG. 24 is a diagram showing a table structure in the logic manager according to the embodiment of the present invention.

FIG. 25 is a diagram showing a table configuration in the physical manager according to the embodiment of the present invention.

[Explanation of symbols]

100 ... Logical manager, 200 ... Physical manager, 300 ... Agent, 121 ... Logical manager module, 221 ... Physical manager, 321 ... Agent manager, 1211
… Directory Services Window Module, 12
12 ... Directory tree setting module, 1213 ... User setting module, 1214 ... Information device setting module, 2211
… Information equipment, window module, 2212… Server /
Client setting management module, 2213 ... Switching hub setting management module, 2214 ... Router setting management module, 3211 ... Information device setting change module, 3212 ... Server / client setting control module, 3213 ... Switching hub setting control module, 3214 ... Router setting Control module, 1001 ... Directory service window, 2001 ... Information equipment window

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Satoshi Miyazaki, Satoshi Miyazaki 1099, Ozenji, Aso-ku, Kawasaki-shi, Kanagawa Hitachi, Ltd. System Development Laboratory (72) Kenji Kawakita, 1099, Ozenji, Aso-ku, Kawasaki-shi, Kanagawa Hitachi, Ltd. (72) Inventor Takashi Kagei, 216 Totsuka-cho, Totsuka-ku, Yokohama-shi, Kanagawa Hitachi Information Technology Division (72) Inventor Akira Mineo 5030 Totsuka-cho, Totsuka-ku, Yokohama-shi, Kanagawa Hitachi, Ltd. (72) Inventor Keizo Mizuguchi, 5030 Totsuka-cho, Totsuka-ku, Yokohama-shi, Kanagawa Stock Development, Hitachi Ltd. Software Development Headquarters

Claims (5)

[Claims] 1. A network operation management system for managing a logical object which is a logical constituent element of a network system and a physical object which is a physical constituent element of the network system. A logical manager that manages relationships between logical objects, a physical manager that connects to a network and manages physical objects associated with the logical objects and relationships between physical objects, and the physical objects on each physical object And an agent for controlling the setting of the logical manager, the logical manager has means for notifying the physical manager of the content of the change when the relationship between the managed logical objects has changed, and the physical manager , The above Depending on the contents of the change notified by the manager and the correspondence between the logical object and the physical object, the relationship between the physical objects to be managed is updated so as to match the relationship between the logical objects after the change. , Having means for requesting each of the agents to change the setting of each physical object so as to match the relationship between the updated physical objects, wherein the agent is a physical object in response to a request from the physical manager. A network operation management system characterized by changing settings of. 2. The network operation management system according to claim 1, wherein the physical manager manages a virtual network that represents the logical relationship between the physical objects and the physical objects, and the logical manager. A means for updating the virtual network to be managed so as to match the relationship between the logical objects after the change according to the content of the change notified by the manager and the correspondence between the logical object and the physical object. A network operation management system having: 3. A network operation management system for managing a logical object which is a logical constituent element of a network system and a physical object which is a physical constituent element of the network system, wherein the logical object and the relationship between the logical objects. And a physical manager that manages a virtual network associated with the logical object, which represents the physical object associated with the logical object and a logical relationship between the physical objects. When the relationship between the managed logical objects is changed, the logical manager has means for notifying the physical manager of the content of the change, and the physical manager is provided with the change notified by the logical manager. Content and the logical object Means for updating the virtual network to be managed so as to match the changed relationship between the logical objects according to the correspondence between the physical object and the virtual network and the correspondence between the logical object and the virtual network. A network operation management system having: 4. The network operation management system according to claim 1, 2 or 3, wherein the logical manager hierarchically establishes the relationship between the logical objects and the logical objects. A network operation management system characterized by being managed as a directory expressed in. 5. A network operation management system for managing a physical object that is a physical component of a network system, wherein the network operation management system is associated with the logical object and represents the physical relationship between the physical object and the physical object. A network operation management system having means for grouping and managing virtual networks.