WO2022002123A1 - Verification method and apparatus for network configuration - Google Patents


Info

Publication number
WO2022002123A1
Authority
WO
WIPO (PCT)
Prior art keywords
interface
network configuration
reachable
forwarding
path
Prior art date
Application number
PCT/CN2021/103512
Other languages
French (fr)
Chinese (zh)
Inventor
游理钊
张家华
唐昊
马法阳
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022002123A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0866 Checking the configuration
    • H04L41/0889 Techniques to speed-up the configuration process

Definitions

  • The present application relates to the field of computer network communication, and in particular to a method and apparatus for verifying network configuration.
  • Computer networks have become the infrastructure of the information age, and a correct network configuration is the basis for their normal operation. Because the services carried by a computer network change frequently, its network configuration is constantly changing.
  • To ensure the correctness of the network configuration, the industry has proposed network verification: instead of sending probe packets through the computer network, a mathematical model is used to verify the correctness of the network configuration.
  • The network verification method converts the network configuration and forwarding behavior of the network devices into a mathematical model, calculates the reachability between network interfaces from that model, and compares it with the expected reachability intent, thereby judging whether the network configuration is correct.
  • The reachability between the interfaces of the network devices under the network configuration before the change is compared with the reachability between the interfaces under the network configuration after the change, to obtain the changed network configuration.
  • The reachability between the interfaces of the network devices is then compared with the expected reachability intent to judge whether the incremental network configuration is correct.
  • An incremental network configuration often affects the reachability between the interfaces of only some network devices. Recalculating the mutual reachability of the interfaces of all network devices on the entire network for every incremental network configuration greatly increases the amount of calculation.
  • Embodiments of the present application provide a method and apparatus for verifying network configuration, which reduce the amount of computation needed to verify an incremental network configuration when it is applied to a network device.
  • A first aspect provides a method for verifying a network configuration, including: comparing a basic network configuration with an incremental network configuration, and comparing the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interface whose forwarding policy has changed and/or the link whose forwarding route has changed; obtaining a first reachable point pair, where the first reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the incremental network configuration;
  • looking up the association table corresponding to the basic network configuration to obtain a second reachable point pair, and comparing it with the first reachable point pair to verify the incremental network configuration; where the association table indicates the association, in the network, between the interface and/or link that a path passes through and the reachable point pair of that path, and the second reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the basic network configuration.
  • In the method for verifying the network configuration provided by the embodiment of the present application, comparing the basic network configuration with the incremental network configuration, and comparing the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, yields the information about which forwarding policy has changed.
  • The first reachable point pair narrows the search range of reachable point pairs whose reachability may be affected by the incremental network configuration to those related to the above interface and/or link; the second reachable point pair is the reachable point pair that the above interface and/or link is involved in under the basic network configuration.
  • By comparing the two reachable point pairs, it is possible to locate precisely which reachable point pairs are affected by the incremental network configuration and whether these effects conform to the configuration intent, so as to verify the incremental network configuration. Since it is not necessary to analyze the reachable point pairs of the whole network for the incremental network configuration, and only the reachable point pairs related to the changed interface and/or link are analyzed, the amount of calculation for verifying the network configuration is reduced.
  • The association table records the association between the interface a path passes through and the reachable point pair of that path. Compared with the association between a network device and reachable point pairs in the prior art, the association granularity is finer, which narrows the range of reachable point pairs found through the association table and thus reduces the workload of validating incremental network configurations.
  • A link may be indicated by the combination of the interfaces (e.g., an interface pair) at its two ends.
  • The method further includes: parsing the reachability matrix corresponding to the basic network configuration to obtain the association table, where the reachability matrix is a matrix indicating whether the service access points in the network are reachable in pairs.
  • The association table records the association between an interface and/or link and reachable point pairs. Compared with the association between a network device and reachable point pairs, its granularity is finer, so the range to be searched when looking up reachable point pairs according to the association table can be narrowed.
  • The method further includes: updating the reachability matrix and the association table according to the first reachable point pair.
  • The updated reachability matrix and association table serve as the basis for the next verification of an incremental network configuration, so the calculation does not need to be repeated.
  • Parsing the reachability matrix corresponding to the basic network configuration to obtain the association table includes: for each reachable path in the reachability matrix, extracting the inbound interface and outbound interface of each cross-device link that constitutes the reachable path, and establishing the association between the inbound interface, the outbound interface and the reachable point pair of the reachable path; if neither the inbound interface nor the outbound interface is a service access point, establishing the association between the link and the reachable point pair of the reachable path. That is, the inbound and outbound interfaces at both ends of the path and the links in the middle of the path are associated with the reachable point pair.
  • Comparing the basic network configuration with the incremental network configuration, and comparing the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interface whose forwarding policy has changed and/or the link whose forwarding route has changed, includes:
  • if the interface and/or link exists only in the basic network configuration or its corresponding forwarding table, adding the interface and/or link to the deletion list, marking the interface as forwarding policy changed and marking the link as forwarding route changed; if the interface and/or link exists only in the incremental network configuration or its corresponding forwarding table, adding the interface and/or link to the addition list, marking the interface as forwarding policy changed and marking the link as forwarding route changed; if the packet space of the forwarding policy of an interface differs between the basic network configuration and the incremental network configuration, adding the interface to the modification list and marking it as forwarding policy changed; if the packet space of the forwarding route of a link differs between the basic network configuration and the incremental network configuration, adding the link to the modification list and marking it as forwarding route changed.
  • This implementation subdivides the interfaces whose forwarding policy has changed and/or the links whose forwarding route has changed into three types, addition, deletion and modification, which helps determine the impact on reachability after the incremental network configuration is issued.
  • Obtaining the first reachable point pair includes: calculating a first path through the interface and/or link under the incremental network configuration; and taking the pair of service access points at the two ends of the first path as the first reachable point pair.
  • Calculating the first path through the interface and/or link under the incremental network configuration includes: for an interface whose forwarding policy has changed, taking the interface as the starting point, taking the packet space of the forwarding policy configured on the interface in the incremental network configuration as the initial packet space, taking all service access points as end points, and traversing forward in the forwarding graph model of the incremental network configuration to solve a first reachable path; for a link whose forwarding route has changed, taking the starting interface of the link as the starting point, taking the packet space of the corresponding forwarding route configured in the incremental network configuration as the initial packet space, taking all service access points as end points, and traversing forward in the forwarding graph model of the incremental network configuration to solve the first reachable path;
  • then, from the same starting point and initial packet space, with all service access points as end points, traversing in reverse in the forwarding graph model to solve a second reachable path; and taking the intersection of the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splicing the first reachable path and the second reachable path to obtain the first path, with the result of the intersection as the packet space of the first path.
  • This embodiment ensures that the service access points at both ends of the path can communicate in both the forward and the reverse direction.
  • A network configuration verification apparatus is provided, including: a comparison module, configured to compare a basic network configuration with an incremental network configuration, and to compare the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interface whose forwarding policy has changed and/or the link whose forwarding route has changed; an obtaining module, configured to obtain a first reachable point pair, where the first reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the incremental network configuration; the comparison module is further configured to look up the association table corresponding to the basic network configuration to obtain a second reachable point pair, and to compare it with the first reachable point pair to verify the incremental network configuration; where the association table indicates the association, in the network, between the interface and/or link that a path passes through and the reachable point pair of that path, and the second reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the basic network configuration.
  • The apparatus further includes a parsing module, configured to parse the reachability matrix corresponding to the basic network configuration to obtain the association table, where the reachability matrix is a matrix representing the reachability between pairs of service access points in the network.
  • The apparatus further includes an update module, configured to update the reachability matrix and the association table according to the first reachable point pair.
  • The parsing module is specifically configured to: for each reachable path in the reachability matrix, extract the inbound interface and outbound interface of each cross-device link constituting the reachable path, and establish the association between the inbound interface, the outbound interface and the reachable point pair of the reachable path; if neither the inbound interface nor the outbound interface is a service access point, establish the association between the link and the reachable point pair of the reachable path.
  • The comparison module is specifically configured to: if the interface and/or link exists only in the basic network configuration or its corresponding forwarding table, add the interface and/or link to the deletion list, mark the interface as forwarding policy changed and mark the link as forwarding route changed; if the interface and/or link exists only in the incremental network configuration or its corresponding forwarding table, add the interface and/or link to the addition list, mark the interface as forwarding policy changed and mark the link as forwarding route changed; if the packet space of the forwarding policy of an interface differs between the basic network configuration and the incremental network configuration, add the interface to the modification list and mark it as forwarding policy changed; if the packet space of the forwarding route of a link differs between the basic network configuration and the incremental network configuration, add the link to the modification list and mark it as forwarding route changed.
  • The obtaining module is specifically configured to: calculate the first path passing through the interface and/or link under the incremental network configuration; and take the pair of service access points at the two ends of the first path as the first reachable point pair.
  • The obtaining module is specifically configured to: for an interface whose forwarding policy has changed, take the interface as the starting point, take the packet space of the forwarding policy configured on the interface in the incremental network configuration as the initial packet space, take all service access points as end points, and traverse forward in the forwarding graph model of the incremental network configuration to solve a first reachable path; for a link whose forwarding route has changed, take the starting interface of the link as the starting point, take the packet space of the corresponding forwarding route configured in the incremental network configuration as the initial packet space, take all service access points as end points, and traverse forward in the forwarding graph model of the incremental network configuration to solve the first reachable path; from the same starting point and initial packet space, with all service access points as end points, traverse in reverse in the forwarding graph model to solve a second reachable path; take the intersection of the first reachable path and the second reachable path, and if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, then
  • An apparatus for verifying a network configuration is provided, comprising a processor connected to a memory; the memory stores a computer program, and the processor executes the computer program stored in the memory so that the apparatus performs the method of the first aspect and any embodiment thereof.
  • A computer-readable storage medium is provided, which stores a computer program that, when run on a computer, causes the computer to perform the method of the first aspect and any embodiment thereof.
  • A computer program product is provided, comprising instructions which, when run on a computer or processor, cause the computer or processor to perform the method of the first aspect and any embodiment thereof.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application;
  • FIG. 2 is a schematic flowchart of a method for verifying a network configuration provided by an embodiment of the present application;
  • FIG. 3 is a schematic diagram of the architecture of a communication network including switches provided by an embodiment of the present application;
  • FIG. 4 is a schematic flowchart of another method for verifying a network configuration provided by an embodiment of the present application;
  • FIG. 5 is a schematic structural diagram of another communication network including switches provided by an embodiment of the present application;
  • FIG. 6 is a schematic diagram of the architecture of another communication network including switches provided by an embodiment of the present application;
  • FIG. 7 is a schematic structural diagram of yet another communication network including switches provided by an embodiment of the present application;
  • FIG. 8 is a schematic diagram of a process for establishing the forwarding graph model of a network configuration provided by an embodiment of the present application;
  • FIG. 9 is a schematic diagram of the forwarding graph model of a basic network configuration provided by an embodiment of the present application;
  • FIG. 10 is a schematic diagram of the forwarding graph model of an incremental network configuration provided by an embodiment of the present application;
  • FIG. 11 is a schematic diagram of a process for obtaining the reachability matrix corresponding to a basic network configuration according to an embodiment of the present application;
  • FIG. 12 is a schematic diagram of a process for obtaining the association table corresponding to a basic network configuration provided by an embodiment of the present application;
  • FIG. 13 is a schematic flowchart of another method for verifying a network configuration provided by an embodiment of the present application;
  • FIG. 14 is a schematic diagram of a process for obtaining an interface with a changed forwarding policy and/or a link with a changed forwarding route according to an embodiment of the present application;
  • FIG. 15 is a schematic diagram of a process for obtaining a first path according to an embodiment of the present application;
  • FIG. 16 is a schematic structural diagram of an apparatus for verifying a network configuration provided by an embodiment of the present application;
  • FIG. 17 is a schematic structural diagram of another apparatus for verifying a network configuration provided by an embodiment of the present application.
  • Network configuration refers to the configuration related to network forwarding behavior that a software defined network (SDN) controller issues to a network device, for example border gateway protocol (BGP) configuration, Ethernet virtual private network (EVPN) configuration, ACL policy configuration, etc.
  • Basic network configuration refers to the existing network configuration of each network device before a new network configuration is issued by the SDN controller.
  • Incremental network configuration refers to the new network configuration delivered by the SDN controller.
  • Service access point: an interface provided by a network device for connecting to a virtual machine on which services are deployed, or for connecting to the Internet. Service access points are usually at the two ends of a path.
  • Point pair: any two service access points in the entire network constitute a point pair; a path may or may not exist between the two service access points.
  • Link: indicates that two interfaces can communicate directly without going through other interfaces. The two interfaces are called an interface pair; that is, a link can be indicated by the combination of the interfaces at its two ends.
  • Packet space: the set of header fields of a group of packets. Common packet header fields include, but are not limited to, the source internet protocol (IP) address, destination IP address, source port, destination port and protocol type.
  • Forwarding graph model: a graph model describing the links over which packets are forwarded according to the forwarding rules in the network. Forwarding according to forwarding rules includes policy forwarding according to access control lists (ACLs) and routing forwarding according to the forwarding information base (FIB) forwarding table.
  • The forwarding graph model consists of points and edges: a point represents an interface of a network device, and an edge represents a link between two interfaces. A packet space is attached to each edge, indicating the set of packets that the link corresponding to the edge can forward.
  • For two interfaces that form a link, the points corresponding to the two interfaces are connected by an edge, and the packet space attached to the edge can be calculated from the forwarding table. Within the same network device, if packets received on one interface can be sent from another interface according to the forwarding table, the points corresponding to these two interfaces are also connected by an edge, and the packet space attached to that edge is the intersection of the packet spaces of the forwarding policies of the two interfaces.
  • Path: includes at least one link; two links with a common interface are connected end to end to form a path. In the forwarding graph model, the edges with common points are connected end to end in sequence. The packet space corresponding to a path is defined as the intersection of the packet spaces attached to the edges corresponding to the links that constitute the path.
  • Reachability: under the packet forwarding rules, if there is at least one path with a non-empty packet space between two service access points, the two service access points are reachable; otherwise they are unreachable.
  • Reachable point pair: a point represents an interface in the forwarding graph model; a point pair is a pair of points, that is, a pair of interfaces; a reachable point pair is a point pair that is reachable, that is, there is a packet transmission path between the pair of interfaces, or in other words packet transmission can be performed between them. A reachable point pair can be understood as the pair of service access points at the two ends of a path, including a start point and an end point.
  • Reachability matrix: a matrix indicating whether the service access points in the network are reachable in pairs. If two service access points are reachable (a reachable point pair), the corresponding matrix entry has a value (e.g., Y); otherwise the entry is empty.
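The definitions above and the first-aspect procedure (diff the forwarding tables, compute the first reachable point pairs through the changed links by forward and reverse traversal, look up the second pairs in the association table, compare) as a runnable added example; this is not code from the patent or its applicant. It assumes packet spaces simplified to sets of constructed flow labels, each switch collapsed to a single point, a topology and flows constructed after the page's A-D / L1-L4 / BL1 example, and function names that are this example's own:

```python
from collections import defaultdict

ALL = frozenset({"f1", "f2", "f3"})   # universe of constructed flow labels

def build_graph(edges, reverse=False):
    """edges: {(src_iface, dst_iface): packet_space}. Points are interfaces;
    an edge is a link (or intra-device forwarding) carrying a packet space."""
    g = defaultdict(dict)
    for (u, v), sp in edges.items():
        g[v if reverse else u][u if reverse else v] = frozenset(sp)
    return g

def traverse(g, start, space, ends):
    """Depth-first traversal from start, intersecting the packet space along
    each edge; returns (path, space) for every simple path that ends at a
    service access point (SAP) with a non-empty packet space."""
    out = []
    def dfs(node, path, sp):
        if node in ends and node != start:
            out.append((tuple(path), sp))
            return
        for nxt, edge_sp in g[node].items():
            if nxt not in path and sp & edge_sp:
                dfs(nxt, path + [nxt], sp & edge_sp)
    dfs(start, [start], frozenset(space))
    return out

def reachability_matrix(edges, saps):
    """Full N^2 computation of the prior art: SAP pair -> [(path, space)]."""
    g, matrix = build_graph(edges), defaultdict(list)
    for s in sorted(saps):
        for path, sp in traverse(g, s, ALL, saps):
            matrix[(s, path[-1])].append((path, sp))
    return matrix

def association_table(matrix, saps):
    """Parse the matrix: each interface on a reachable path, and each link
    whose two ends are both non-SAP interfaces, maps to the path's pair."""
    assoc = defaultdict(set)
    for pair, paths in matrix.items():
        for path, _ in paths:
            for u, v in zip(path, path[1:]):
                assoc[u].add(pair)
                assoc[v].add(pair)
                if u not in saps and v not in saps:
                    assoc[(u, v)].add(pair)
    return assoc

def changed_links(base, inc):
    """Compare the two forwarding tables into addition/deletion/modification."""
    added = [e for e in inc if e not in base]
    deleted = [e for e in base if e not in inc]
    modified = [e for e in base if e in inc and base[e] != inc[e]]
    return added, deleted, modified

def first_reachable_pairs(inc, link, saps):
    """SAP pairs of the paths through `link` under the incremental config:
    reverse traversal from its near end, forward traversal from its far end,
    spliced when the two halves' packet spaces intersect."""
    u, v = link
    sp = frozenset(inc[link])
    heads = [((u,), sp)] if u in saps else traverse(build_graph(inc, True), u, sp, saps)
    tails = [((v,), sp)] if v in saps else traverse(build_graph(inc), v, sp, saps)
    return {(h[-1], t[-1]) for h, hsp in heads for t, tsp in tails
            if hsp & tsp and not set(h) & set(t)}

def verify_incremental(base, inc, saps):
    """First pairs (incremental config) vs second pairs (base config, via the
    association table): only these pairs are examined, not all N^2 of them."""
    assoc = association_table(reachability_matrix(base, saps), saps)
    added, deleted, modified = changed_links(base, inc)
    first, second = set(), set()
    for link in added + modified:                   # links present after the change
        first |= first_reachable_pairs(inc, link, saps)
    for link in deleted + modified:                 # links that carried paths before;
        u, v = link                                 # no link entry: meet its interfaces
        second |= assoc.get(link) or (assoc.get(u, set()) & assoc.get(v, set()))
    g_inc = build_graph(inc)
    def still_reachable(s, d):                      # re-check candidate pairs only
        return any(p[-1] == d for p, _ in traverse(g_inc, s, ALL, saps))
    return {"new": first - second,
            "lost": {p for p in second - first if not still_reachable(*p)},
            "unchanged": first & second}

# Constructed topology after the page's example: SAPs A-D on ToR leaf switches
# L1-L4 and border leaf BL1, each switch collapsed to a single point.
SAPS = {"A", "B", "C", "D"}
BASE = {("A", "L1"): {"f1", "f2"},                 # flow f3 (to D) blocked on A
        ("L1", "BL1"): {"f1", "f2", "f3"},
        ("BL1", "L2"): {"f1"},
        ("BL1", "L3"): set(),                       # ACL on BL1 blocks f2 (to C)
        ("BL1", "L4"): {"f3"},
        ("L2", "B"): {"f1"}, ("L3", "C"): {"f2"}, ("L4", "D"): {"f3"}}
INC = dict(BASE)                                    # incremental config: unblock A
INC[("A", "L1")] = {"f1", "f2", "f3"}               # and BL1->L3, drop the L2 link
INC[("BL1", "L3")] = {"f2"}
del INC[("BL1", "L2")]
RESULT = verify_incremental(BASE, INC, SAPS)        # new: (A,C),(A,D); lost: (A,B)
```

Only the three pairs carried by the changed links are evaluated, against the sixteen entries of a full recomputation of the 4x4 reachability matrix.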
  • An embodiment of the present application provides a communication system, which may be a data center network (DCN); the communication system includes an SDN controller 11 and a plurality of network devices 12.
  • The user can manage the network devices 12 through the SDN controller 11, obtain the latest network configuration from the network devices 12, and deliver incremental network configuration to the network devices 12.
  • The user can also change the network configuration of a network device through the SDN controller 11 to meet the changing requirements of the network services.
  • The SDN controller 11 provides an interface for editing the network topology and an interface for issuing policies, enabling users to add and delete logical devices while ensuring that service changes are correctly mapped to network configurations on the corresponding network devices.
  • The user can also use the SDN controller 11 to query whether the current network configuration and state of the network conform to the management and control intent (for example, whether there is a loop in the network), and whether the network configuration to be delivered conforms to the management and control intent (for example, whether certain network segments can communicate with each other), for example by implementing the network configuration verification method of this embodiment of the present application.
  • The basic network configuration is periodically obtained from the network devices or the system database, and the network physical link topology (referred to as the network topology) is likewise periodically obtained from the network devices or the system database; the service change requests issued by the user are received, the incremental network configuration for the corresponding network devices is generated, and whether the incremental network configuration to be issued conforms to the management and control intent is verified.
  • The network topology is not modified when the network configuration is applied, so the network topology of the incremental network configuration is the same as the network topology of the basic network configuration.
  • The prior art provides a method for verifying network configuration, including:
  • S202: determining the service access point pairs and calculating the reachability matrix according to the forwarding graph model and the service characteristics corresponding to the basic network configuration.
  • The reachability matrix contains N² point pairs, so N² calculations are performed when it is computed. Each calculation has a starting point and an ending point; the reachable path is computed by depth-first search, and the result may be a reachable path or an unreachable one.
  • The point pair here may be an unreachable point pair.
  • The reachable path of a point pair is recalculated and compared with the old reachable path to determine whether the point pair is a newly added reachable point pair, a deleted reachable point pair, or a modified reachable point pair.
  • The above scheme adopts the association between network devices and point pairs, and has the following shortcomings:
  • The first deficiency: because the information of unreachable point pairs must also be stored, the calculation has to be performed for all N² point pairs, which requires a large amount of calculation. If a newly added reachable point pair is caused by the incremental network configuration of a network device at the edge of the network, this method can find the newly added reachable point pair; but if the newly added reachable point pair is caused by the incremental network configuration change of a network device in the middle of the network, this method cannot calculate such reachable point pairs, because there is no association between the corresponding network device and the point pair, so there is a possibility of omission.
  • The network devices include border leaf (Border Leaf) switches BL1 and BL2, and top-of-rack leaf (ToR Leaf) switches L1 to L4.
  • The service access points A, B, C and D are interfaces of switches L1, L2, L3 and L4, respectively.
  • Switch L1 stores the unreachable information for the point pair (A, D).
  • If the network configuration of switch L1 is modified so that interface A and interface D become reachable, the reachability information for the newly added point pair (A, D) can be obtained.
  • If the network configuration of switch BL2 is modified so that interface A and interface D become reachable, the reachability information for the newly added point pair (A, D) cannot be obtained, because the association is not stored on switch BL2.
  • The second deficiency: when network devices are used as the granularity for associating reachable point pairs, a network device often has multiple interfaces, so multiple reachable paths (that is, multiple reachable point pairs) pass through the same network device. If the network configuration of one interface is changed, then with network-device granularity the reachability information of all reachable point pairs involving that network device is recalculated, so there is repeated calculation.
  • Switch BL1 is associated with the point pair (A, B) and the point pair (A, C).
  • If the network configuration of an interface of switch BL1 on the path from interface A to interface C is modified so that interface A to interface C becomes unreachable,
  • then whether the point pair (A, B) and the point pair (A, C) are reachable is recalculated; although it is found that the point pair (A, C) is no longer reachable, whether the point pair (A, B) is reachable is recalculated at the same time, so there is repeated calculation.
  • the edge is deleted and the starting point of the edge exists in the forwarding graph model corresponding to the basic network configuration, extract all flow information that the edge passes through, and in the forwarding graph model corresponding to the basic network configuration, the reachable point pair is calculated from the starting point. , the obtained reachable point pair is the deleted reachable point pair.
  • interface A to interface B is reachable, the flow from interface A to interface C is blocked by the ACL policy on switch BL1, and the flow from interface A to interface D is blocked on interface A.
  • ACL policy blocking is assumed.
  • interface A will store the flow information {(A->B,f1),(A->C,f2),(A->D,f3)}, where f1, f2, f3 are different packet header spaces; switch BL1 will store the flow information {(A->C,f2)}.
  • extracting (A->D, f3) can calculate the reachable flow from interface A to interface D.
  • the reachable flow from interface A to interface C can be calculated by extracting (A->C, f2).
  • Each point in the forwarding graph model must store flow information, including both finally reachable and finally unreachable flows, so the storage capacity is large; and a flow is stored at every point of the path it passes, so there is a duplicate storage problem.
  • Interface A belongs to the virtual routing and forwarding (VRF) instance VRF1 corresponding to the virtual private cloud (VPC), with network segment 20.1.0.0/24, and belongs to the ToR Leaf switch L1; interface B belongs to VPC VRF1, with network segment 20.1.1.0/24, and belongs to ToR Leaf switch L2; interface C belongs to VPC VRF2, with network segment 20.2.0.0/24, and belongs to ToR Leaf switch L3; interface D belongs to VPC VRF3, with network segment 20.2.1.0/24, and belongs to ToR Leaf switch L4.
  • the DCN also includes the Border Leaf switch BL1, which is responsible for cross-VPC communication and intercommunication with the external Internet (Internet).
  • the basic network configuration is as follows: the border gateway protocol (BGP) Ethernet virtual private network (EVPN) configuration is imported on switches L1-L4 and BL1 respectively, and virtual extensible local area network (VXLAN) tunnels can be established with each other.
  • abbreviations: BGP, border gateway protocol; EVPN, Ethernet virtual private network; VXLAN, virtual extensible local area network.
  • network segments belonging to the same VPC can communicate with each other, that is, interface A and interface B can communicate with each other.
  • a static route for inter-VPC communication between interface A and interface C is configured on switch BL1:
  • the forwarding table on switch BL1 is shown in Table 3
  • the forwarding table on switch L1 is shown in Table 4
  • the forwarding table on switch L2 is shown in Table 5
  • the forwarding table on switch L3 is shown in Table 3.
  • the outgoing interface is another VRF, indicating that it needs to jump to other VRFs to further match the outgoing interface and next-hop IP
  • the outgoing interface is VXLAN, indicating that it is about to enter the VXLAN tunnel
  • the source IP address of the tunnel is the local VTEP IP.
  • the destination IP address is the next hop IP.
  • Interface A and interface B communicate directly through the tunnel between them, and interface A and interface C must pass through the switch BL1 to communicate.
  • VRF1 20.1.0.0/24
  • VRF1 20.1.1.0/24
  • VRF2 20.2.0.0/24
  • VRF3 20.2.1.0/24
  • the ACL access policy can be implemented through the modular QoS command line (MQC):
  • rule 5 deny ip destination 20.1.1.10 0.
  • the forwarding table on switch BL1 is shown in Table 7
  • the forwarding table on switch L1 is shown in Table 8
  • the forwarding table on switch L4 is shown in Table 9.
  • the embodiment of the present application provides a method for verifying a network configuration.
  • a corresponding forwarding graph model can be established based on the basic network configuration, and a reachability matrix corresponding to the basic network configuration can be obtained.
  • an association table corresponding to the basic network configuration can be obtained, where the association table indicates the association relationship between the interface and/or link passed by the path and the reachable point pair of the path in the network.
  • the association table corresponding to the existing basic network configuration can be used.
  • the interface for which the forwarding policy is changed and/or the link for which the forwarding route is changed can be obtained. Then the first reachable point pair of the path where the above-mentioned interface and/or link is located under the incremental network configuration is obtained, and the second reachable point pair of the path where the above-mentioned interface and/or link is located under the basic network configuration is obtained by looking up the above-mentioned association table.
  • the first reachable point pair narrows the search range of reachable point pairs whose reachability the incremental network configuration may affect to those related to the above-mentioned interface and/or link; and the second reachable point pair is the reachable point pair that the above-mentioned interface and/or link is involved in under the basic network configuration.
  • Corresponding forwarding graph models may be established for the basic network configuration and the incremental network configuration, respectively.
  • the process of establishing the forwarding graph model of the network configuration includes:
  • the network configuration file includes the configuration files on each network device.
  • the configuration file on each network device defines the protocol used and the specific configuration of the protocol, such as BGP EVPN configuration, static route configuration, and ACL policy configuration.
  • the converted network configuration model includes the configuration models on each network device, and the configuration model on each network device defines the protocol objects used and the properties of the protocol.
  • the conversion process is to convert the configuration text into an internally stored configuration model.
  • the conversion process will create two static route objects; among them, ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1 is converted into one static route object.
  • the static route object includes the following attributes: the VPC it belongs to is VRF2, the destination network segment is 20.1.0.0/24, the outbound interface is VRF1, and the next hop IP is NULL by default.
  • Configuration models such as BGP EVPN configuration and ACL policy configuration can also be established accordingly.
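The conversion of one configuration line into a configuration model object, as an added Python example written for this page (it is not the patent's code and not any vendor's parser). It assumes a `StaticRoute` dataclass carrying the four attributes the page lists, accepts either a dotted mask or a prefix length for the destination, and treats a non-IP token after the destination as the outbound VRF and an IP token as the next hop; those parsing rules and the `convert` helper are assumptions.

```python
# Added example for this page (not the patent's code): convert a static-route
# configuration line into the configuration-model object the page describes.
# The class name and the parsing rules are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

STOP_WORDS = {"preference", "tag", "description"}   # trailing options we do not model


@dataclass(frozen=True)
class StaticRoute:
    vpc: str                        # VPN instance the route belongs to
    destination: IPv4Network        # destination network segment
    out_interface: Optional[str]    # another VRF ("jump to another VRF") or None
    next_hop: Optional[str]         # next-hop IP address, NULL (None) by default


def _is_ip(token: str) -> bool:
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def parse_static_route(line: str) -> StaticRoute:
    """Parse 'ip route-static vpn-instance <vpc> <net> <mask|len> [vpn-instance] <vrf> [<next-hop>]'."""
    tokens = line.split()
    if tokens[:3] != ["ip", "route-static", "vpn-instance"] or len(tokens) < 6:
        raise ValueError("not a VPN static route: %r" % line)
    vpc, net, mask = tokens[3], tokens[4], tokens[5]
    # A dotted mask (255.255.255.0) and a prefix length (24) are both accepted here.
    destination = ip_network("%s/%s" % (net, mask), strict=False)
    out_interface = next_hop = None
    for token in tokens[6:]:
        if token in STOP_WORDS:
            break
        if token == "vpn-instance":            # optional keyword before the out VRF
            continue
        if _is_ip(token):
            next_hop = token
        else:
            out_interface = token
    return StaticRoute(vpc, destination, out_interface, next_hop)


def convert(config_text: str) -> List[StaticRoute]:
    """Convert every static-route line of a configuration file into model objects."""
    return [parse_static_route(line) for line in config_text.splitlines()
            if line.strip().startswith("ip route-static")]
```

The object produced for the page's line carries VRF2 as the VPC, 20.1.0.0/24 as the destination segment, VRF1 as the outbound interface and no next hop, which is the attribute set the page lists.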
  • the route advertisement is published, the optimal route is selected, and finally the route converges to form a forwarding table on each network device.
  • the operation process of the protocol (such as the BGP protocol) belongs to the public knowledge in the field, and will not be described in detail here.
  • the forwarding graph model consists of points and edges, where a point represents an interface of a network device, and an edge is used to connect two interfaces.
  • the two cross-device interfaces can be connected together through an edge.
  • the packet space represented by all forwarding rules belonging to the same outgoing interface will be aggregated together, and the packet space represented by each forwarding rule will be calculated according to the longest prefix matching principle.
  • Two interfaces of the same network device can be connected by an edge according to the policy forwarding behavior described in the configuration model. If an ACL policy is configured on the inbound interface, the packet spaces represented by all policy rules belonging to the same ACL policy are aggregated, and the packet space represented by each policy rule is calculated according to the configured priority principle. In addition, if an ACL policy is also configured on the outgoing interface, the packet space of the forwarding policy corresponding to this edge is the intersection of the packet spaces of the ACL policies of the ingress interface and the outgoing interface.
  • packets in the inbound direction of the I1 interface can be forwarded in the outbound direction of the I2 interface.
  • an ACL policy is configured in the inbound direction of the I1 interface to allow only some packets to pass, and its packet space is represented as space1;
  • if an ACL policy is also configured in the outbound direction of the I2 interface to allow only some packets to pass, and its packet space is represented as space2, then the packet space on the edge between the I1 interface and the I2 interface is represented as space1&space2.
  • the packet space can be represented by a Boolean expression, or by a binary decision diagram (BDD) data structure.
  • the ACL policy is only a forwarding policy behavior, and micro-segmentation or policy routing also belong to the forwarding policy.
  • the packet space of the edge (L1, VXLAN)->(L2, VXLAN) can be expressed as {(*,20.1.1.0/24,*,*,*)}, where * represents the full space (for example, a source IP address of * represents 0.0.0.0/0), because in Table 4 the forwarding entry representing the VXLAN tunnel from switch L1 to switch L2 is only the second entry; the packet space of the edge (L1,A)->(L1,VXLAN) is {(*,*,*,*,*)}, because this edge connects interface A to the VXLAN interface and interface A is not configured with any forwarding policy, so all packets pass by default.
  • the forwarding graph model of the incremental network configuration obtained is shown in FIG. 10 , in which the relevant part of the switch L3 is deleted and the relevant part of the switch L4 is added.
  • the message space of the edge is similar to the forwarding graph model of the basic network configuration.
  • the packet space of the edge (BL1, VXLAN)->(L4, VXLAN) can be expressed as {(*,20.2.1.0/24,*,*,*)}, because in Table 7 the forwarding entry representing the VXLAN tunnel from switch BL1 to switch L4 is only the third entry; the packet space of the edge (L1,A)->(L1,VXLAN) is updated to {(*,*,*,*,*)-(*,20.1.1.10/32,*,*,*)}, because an ACL forwarding policy that blocks access to the 20.1.1.10 virtual machine is configured on interface A.
  • the process of obtaining the reachability matrix corresponding to the basic network configuration includes:
  • according to service characteristics such as all bridge-domain interfaces on the ToR Leaf switch, or according to service information such as the outbound interface corresponding to the logic switch on the SDN controller and the outbound interface on the Border Leaf switch, some interfaces are identified as service access points.
  • S1102: select an uncalculated starting point, take all access points as end points, traverse all reachable paths in the forwarding graph model, and fill in the corresponding positions of the reachability matrix.
  • One traversal method is the depth-first search algorithm. For example, any service access point is taken as the starting point, the packet space in the forwarding graph model is the full space, and the search proceeds depth-first until it reaches a certain access point (i.e. the end point), at which time a reachable path is marked, or until the result of the packet space intersection operation is empty. Then the next reachable path is searched for, until all edges of the forwarding graph model are traversed.
  • a value (Y) in the matrix indicates that the two are reachable, and no value indicates that they are not reachable.
  • Each reachable item of the reachability matrix corresponds to the following reachability information: reachable path and reachable packet space, which can be expressed as {(path_i, space_i)}, where i ∈ [0, n) and n is the number of reachable paths.
  • path_i consists of a series of links, that is, path_i can be expressed as {link_j}, where j ∈ [0, l) and l is the number of links.
  • space_i can be expressed as {(src_ip, dst_ip, src_port, dst_port, protocol)_k}, namely {(source IP address, destination IP address, source port, destination port, protocol type)_k}, where k ∈ [0, t) and t is the number of quintuples.
  • the value of the reachable item (A, B) is Y, indicating that the interface A to the interface B is reachable.
  • the first reachable path path_0 corresponding to the reachable item (A, B) can be expressed as {start->(L1,A)->(L1,VXLAN)->(L2,VXLAN)->(L2,B)->end}.
  • start->(L1,A) indicates the link "received from interface A of switch L1", which is the inbound direction of the interface;
  • (L1,VXLAN)->(L2,VXLAN) indicates the link "tunnel from switch L1 to switch L2";
  • (L2,B)->end indicates the link "sent from interface B of switch L2", which is the outbound direction of the interface.
  • the first reachable packet space space_0 corresponding to the reachable item (A, B) can be expressed as {(*,20.1.1.0/24,*,*,*)}, where * means the full space; for example, a source IP of * means 0.0.0.0/0.
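The forwarding graph model, the packet spaces on its edges and the depth-first search that fills the reachability matrix, as an added worked example in Python written for this page (not code from the patent or its applicant). It assumes that only the destination-IP field of the 5-tuple is modelled symbolically (src_ip, ports and protocol stay `*`), that a packet space is one allowed destination prefix minus a set of denied prefixes (enough for the ACL on interface A), and that the edge spaces are constructed from the tables as the page quotes them. The same search is run over the incremental graph too, so it also reproduces the changed space of (A, B) and the new pairs (A, D) and (D, A) that the page derives later.

```python
# Added example for this page (not the patent's own code): a forwarding graph
# whose edges carry packet spaces, and the depth-first search that fills the
# reachability matrix. Assumption: only the destination-IP field of the
# 5-tuple is modelled; src_ip, ports and protocol stay "*".
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

Point = Tuple[str, str]  # (device, interface), e.g. ("L1", "VXLAN")


@dataclass(frozen=True)
class PacketSpace:
    """(*, dst, *, *, *): one allowed destination prefix minus a set of denied prefixes."""
    allow: Optional[IPv4Network]               # None is the empty space
    deny: FrozenSet[IPv4Network] = frozenset()

    @staticmethod
    def of(prefix: str = "0.0.0.0/0", *minus: str) -> "PacketSpace":
        return PacketSpace(ip_network(prefix), frozenset(ip_network(m) for m in minus))

    def is_empty(self) -> bool:
        # Empty if nothing is allowed or a single denied prefix covers the allowed one.
        return self.allow is None or any(self.allow.subnet_of(d) for d in self.deny)

    def intersect(self, other: "PacketSpace") -> "PacketSpace":
        """Longest prefix wins for the allowed part; denied prefixes are unioned."""
        if self.allow is None or other.allow is None:
            return PacketSpace(None)
        if self.allow.subnet_of(other.allow):
            allow = self.allow
        elif other.allow.subnet_of(self.allow):
            allow = other.allow
        else:                                   # disjoint prefixes: empty space
            return PacketSpace(None)
        return PacketSpace(allow, frozenset(d for d in self.deny | other.deny if d.overlaps(allow)))

    def __str__(self) -> str:
        if self.is_empty():
            return "{}"
        minus = "".join("-(*,%s,*,*,*)" % d for d in sorted(self.deny))
        return "{(*,%s,*,*,*)%s}" % (self.allow, minus)


class ForwardingGraph:
    def __init__(self) -> None:
        self.edges: Dict[Point, List[Tuple[Point, PacketSpace]]] = defaultdict(list)

    def add_edge(self, src: Point, dst: Point, space: PacketSpace) -> None:
        self.edges[src].append((dst, space))

    def reachable_paths(self, start: Point, access_points: Dict[str, Point]):
        """DFS from `start` with the full space; a branch is dropped as soon as the
        intersection is empty, and a path is recorded when it reaches another access point."""
        endpoints = {p: name for name, p in access_points.items()}
        found: Dict[str, List[Tuple[List[Point], PacketSpace]]] = defaultdict(list)

        def dfs(point: Point, path: List[Point], space: PacketSpace) -> None:
            for nxt, edge_space in self.edges.get(point, []):
                if nxt in path:                  # no loops
                    continue
                new_space = space.intersect(edge_space)
                if new_space.is_empty():
                    continue
                if nxt in endpoints:
                    found[endpoints[nxt]].append((path + [nxt], new_space))
                else:
                    dfs(nxt, path + [nxt], new_space)

        dfs(start, [start], PacketSpace.of())
        return found


def reachability_matrix(graph: ForwardingGraph, access_points: Dict[str, Point]):
    """Item (src, dst) -> [(path, space), ...]; an absent item means unreachable (no Y)."""
    matrix = {}
    for name, point in access_points.items():
        for dst, entries in graph.reachable_paths(point, access_points).items():
            matrix[(name, dst)] = entries
    return matrix


ACCESS_POINTS = {"A": ("L1", "A"), "B": ("L2", "B"), "C": ("L3", "C"), "D": ("L4", "D")}


def build_graph(incremental: bool) -> ForwardingGraph:
    """Edges constructed from the page's tables: the basic config reaches C via BL1 and L3;
    the incremental one replaces L3 by L4 and adds the ACL on interface A."""
    g, full = ForwardingGraph(), PacketSpace.of()
    acl_on_a = PacketSpace.of("0.0.0.0/0", "20.1.1.10/32")   # blocks the 20.1.1.10 VM
    g.add_edge(("L1", "A"), ("L1", "VXLAN"), acl_on_a if incremental else full)
    g.add_edge(("L1", "VXLAN"), ("L2", "VXLAN"), PacketSpace.of("20.1.1.0/24"))
    g.add_edge(("L2", "VXLAN"), ("L2", "B"), full)
    g.add_edge(("L2", "B"), ("L2", "VXLAN"), full)
    g.add_edge(("L2", "VXLAN"), ("L1", "VXLAN"), PacketSpace.of("20.1.0.0/24"))
    g.add_edge(("L1", "VXLAN"), ("L1", "A"), full)
    far = "L4" if incremental else "L3"                      # Leaf behind the border switch
    far_net = "20.2.1.0/24" if incremental else "20.2.0.0/24"
    g.add_edge(("L1", "VXLAN"), ("BL1", "VXLAN"), PacketSpace.of(far_net))
    g.add_edge(("BL1", "VXLAN"), (far, "VXLAN"), PacketSpace.of(far_net))
    g.add_edge((far, "VXLAN"), (far, "D" if incremental else "C"), full)
    if incremental:                                          # return direction D -> A
        g.add_edge(("L4", "D"), ("L4", "VXLAN"), full)
        g.add_edge(("L4", "VXLAN"), ("BL1", "VXLAN"), PacketSpace.of("20.1.0.0/24"))
        g.add_edge(("BL1", "VXLAN"), ("L1", "VXLAN"), PacketSpace.of("20.1.0.0/24"))
    return g
```

Running `reachability_matrix(build_graph(False), ACCESS_POINTS)` yields the items (A, B), (A, C) and (B, A) with the path and space the page gives for (A, B); the incremental graph yields (A, B) with the 20.1.1.10/32 hole, plus (A, D) and (D, A), and no longer (A, C). The intersection rule is the reason a branch can be pruned early: once the remaining space is empty, no further edge can make it non-empty again.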
  • an association table corresponding to the basic network configuration can be obtained.
  • Each matrix item in the reachability matrix represents whether the path between two service access points is reachable, and a reachable point pair is a pair of service access points at both ends of the path.
  • Each path can include at least one link.
  • the two ends of each link are an inbound interface and an outbound interface.
  • the inbound interface and the outbound interface belong to different network devices.
  • the inbound interface and the outbound interface form an interface pair. Both the interfaces and the interface pair are traversed by the path, so an association table can be established, where the association table indicates the association relationship between the interface and/or link traversed by the path and the reachable point pair of the path in the network.
  • the association table reflects the association relationship between the interface and/or link and the reachable point pair under the basic network configuration.
  • the process of parsing the reachability matrix corresponding to the basic network configuration to obtain the association table corresponding to the basic network configuration includes:
  • start->(L1,A) and (L2,B)->end are special cross-device links, for which only the association relationships of interface (L1,A) and interface (L2,B) are recorded.
  • the established association relationship between the ingress interface and the reachable point pair of the reachable path, and the association relationship between the outgoing interface and the reachable point pair of the reachable path, are shown in Table 11.
  • the specific process of verifying the network configuration includes:
  • step S1301 includes:
  • the deletion list includes interfaces and/or links deleted by the incremental network configuration or corresponding forwarding table relative to the base network configuration or corresponding forwarding table.
  • the added list includes the interfaces and/or links added by the incremental network configuration or corresponding forwarding table relative to the base network configuration or corresponding forwarding table.
  • the modification list includes the interfaces and/or links whose incremental network configuration has changed relative to the base network configuration.
  • the interfaces whose forwarding policies are changed and/or the links whose forwarding routes are changed include:
  • Added (ADD) list: (BL1, VXLAN, L4, VXLAN), (L4, VXLAN, BL1, VXLAN).
  • Delete (DEL) list: (BL1, VXLAN, L3, VXLAN), (L3, VXLAN, BL1, VXLAN).
  • Modify (MOD) list: (L1, VXLAN, BL1, VXLAN), (L1, A) interface inbound direction.
  • the first reachable point pair is a pair of service access points at both ends of the path where the interface whose forwarding policy is changed and/or the link whose forwarding route is changed is located in the network under the incremental network configuration.
  • the first path of the interface whose forwarding policy is changed and/or the link whose forwarding route is changed can be calculated, and the pair of service access points at both ends of the first path is taken as the first reachable point pair.
  • the process of obtaining the first path includes:
  • for the interface (L1,A), the interface is taken as the starting point, and the packet space of the corresponding forwarding policy configured on the interface under the incremental network configuration is used as the initial packet space;
  • the same depth-first search algorithm as in step S1101 is used until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the first reachable path finally found is:
  • the packet space is {(*,20.1.1.0/24,*,*,*)-(*,20.1.1.10/32,*,*,*)}.
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • the packet space of the forwarding route may refer to the packet space in the forwarding table.
  • for the link (BL1, VXLAN, L4, VXLAN), the starting interface (BL1, VXLAN) of the link is used as the starting point, and the packet space of the corresponding link in the forwarding table corresponding to the incremental network configuration is the initial packet space; with all service access points as the end points, the same depth-first search algorithm as in step S1101 is used until it reaches a certain access point (i.e. the end point), at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the first reachable path finally found is:
  • for the link (L4, VXLAN, BL1, VXLAN), take the starting interface (L4, VXLAN) of the link as the starting point, and take the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space;
  • the same depth-first search algorithm as in step S1101 is used until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the first reachable path finally found is:
  • for the link (L1, VXLAN, BL1, VXLAN), take the starting interface (L1, VXLAN) of the link as the starting point, and take the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space;
  • the same depth-first search algorithm as in step S1101 is used until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the first reachable path finally found is:
  • for the interface (L1,A), the interface is taken as the starting point, and the packet space of the corresponding forwarding policy configured on the interface under the incremental network configuration is used as the initial packet space; using the same depth-first search algorithm as in step S1101, the forwarding graph model is traversed in reverse and solved until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the second reachable path finally found is:
  • the packet space is {(*,*,*,*,*)-(*,20.1.1.10/32,*,*,*)}.
  • for the link (BL1, VXLAN, L4, VXLAN), take the starting interface (BL1, VXLAN) of the link as the starting point, and take the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space;
  • the forwarding graph model is traversed in reverse and solved until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the second reachable path finally found is:
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • for the link (L4, VXLAN, BL1, VXLAN), take the starting interface (L4, VXLAN) of the link as the starting point;
  • the forwarding graph model is traversed in reverse and solved until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the second reachable path finally found is:
  • the packet space is {(*,20.1.0.0/24,*,*,*)}.
  • for the link (L1, VXLAN, BL1, VXLAN), take the starting interface (L1, VXLAN) of the link as the starting point, and take the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space;
  • the forwarding graph model is traversed in reverse and solved until a certain access point (i.e. the end point) is reached, at which time a reachable path is marked, or until the packet space intersection is empty. Then the next reachable path is searched for until all edges of the forwarding graph model are traversed, and the second reachable path finally found is:
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • the first path is:
  • the packet space is {(*,20.1.1.0/24,*,*,*)-(*,20.1.1.10/32,*,*,*)}.
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • the packet space is {(*,20.1.0.0/24,*,*,*)}.
  • the packet space is {(*,20.2.1.0/24,*,*,*)}.
  • the interface whose forwarding policy is changed and/or the link whose forwarding route is changed may be the interfaces and/or links in the above-mentioned add (ADD) list and modify (MOD) list, because the interfaces and/or links in the delete (DEL) list no longer exist in the incremental network configuration, so no reachable paths are available for them.
  • the first reachable point pair includes (A, B), (A, D), and (D, A).
  • the link list of the first reachable point pair and the corresponding packet space can also be obtained.
  • the second reachable point pair is a pair of service access points at both ends of the path where the interface whose forwarding policy is changed and/or the link whose forwarding route is changed is located in the network under the basic network configuration.
  • searching the association table obtains the corresponding second reachable point pairs: (A, C), (C, A).
  • Modified reachable point pair (A, B): its packet space changes from {(*,20.1.1.0/24,*,*,*)} to {(*,20.1.1.0/24-20.1.1.10,*,*,*)}.
  • the newly added reachable point pair (A, D).
  • the new path corresponding to the reachable point pair is: start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D) -> end.
  • the new message space corresponding to the reachable point pair is ⁇ (*,20.2.1.0/24,*,*,*) ⁇ .
  • the newly added reachable point pair (D,A).
  • the new path corresponding to the reachable point pair is: start->(L4,D)->(L4,VXLAN)->(BL1,VXLAN)->(L1,VXLAN)->(L1,A) -> end.
  • the new message space corresponding to the reachable point pair is ⁇ (*,20.1.0.0/24,*,*,*) ⁇ .
  • the reachability matrix and the association table can also be updated according to the first reachable point pair and the second reachable point pair, which is equivalent to using the current incremental network configuration as the basic network configuration for the next incremental network configuration, so that the reachability matrix and the association table need not be computed again from scratch.
  • the reachability matrix updated according to the first reachable point pair and the second reachable point pair is shown in Table 13: for example, the newly added reachable point pair (D, A) is added, and its item is modified to Y.
  • the association table updated according to the first reachable point pair and the second reachable point pair is shown in Table 14: for example, in the inbound direction of the interface, the association of interface (L4, D) with the reachable point pair (D, A) is added, and the association of (L3, C) with the reachable point pair (C, A) is deleted.
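The association table, the ADD/DEL/MOD lists and the comparison of first and second reachable point pairs described above, as an added Python example written for this page (not the patent's code and not the applicant's data structures). It assumes that the table is kept per interface direction (`"in"`/`"out"`, as Table 14's "inbound direction of the interface" suggests) and per cross-device link, that a forwarding-table entry or interface policy is summarised by a string so that "changed" means "string differs", and that the basic paths, the two configurations and the first reachable point pairs are constructed from the page's worked example. Note that a direction-aware lookup of the modified inbound direction of (L1, A) also returns (A, B), which is exactly the pair the page then reports as modified; the added pairs (A, D), (D, A) and the deleted pairs (A, C), (C, A) come out as on the page.

```python
# Added example for this page (not the patent's code): association table from
# the basic reachability matrix, ADD/DEL/MOD lists from a configuration diff,
# and the first-vs-second reachable point pair comparison. All data is
# constructed from the page's worked example.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Point = Tuple[str, str]      # (device, interface)
Pair = Tuple[str, str]       # (source access point, destination access point)
Key = tuple                  # ("in", point) | ("out", point) | ("link", src, dst)


def path_keys(path: List[Point]) -> List[Key]:
    """Ingress and egress interface of the path, plus every cross-device link with its two interfaces."""
    keys: List[Key] = [("in", path[0]), ("out", path[-1])]
    for src, dst in zip(path, path[1:]):
        if src[0] != dst[0]:                     # same-device edges are not links
            keys += [("link", src, dst), ("out", src), ("in", dst)]
    return keys


def build_association_table(matrix: Dict[Pair, List[List[Point]]]) -> Dict[Key, Set[Pair]]:
    """Parse the reachability matrix: each interface/link -> the reachable pairs whose paths use it."""
    table: Dict[Key, Set[Pair]] = defaultdict(set)
    for pair, paths in matrix.items():
        for path in paths:
            for key in path_keys(path):
                table[key].add(pair)
    return table


def diff_configs(basic: Dict[Key, Optional[str]], incremental: Dict[Key, Optional[str]]) -> Dict[str, Set[Key]]:
    """ADD: only in the incremental config; DEL: only in the basic one; MOD: in both with a different value."""
    lists: Dict[str, Set[Key]] = {"ADD": set(), "DEL": set(), "MOD": set()}
    for key in set(basic) | set(incremental):
        if key not in basic:
            lists["ADD"].add(key)
        elif key not in incremental:
            lists["DEL"].add(key)
        elif basic[key] != incremental[key]:
            lists["MOD"].add(key)
    return lists


def second_reachable_pairs(table: Dict[Key, Set[Pair]], changes: Dict[str, Set[Key]]) -> Set[Pair]:
    """Pairs the modified or deleted interfaces/links were involved in under the basic configuration.
    Added entries did not exist there, so the table cannot hold them (the page's 'omission' problem)."""
    pairs: Set[Pair] = set()
    for key in changes["DEL"] | changes["MOD"]:
        pairs |= table.get(key, set())
    return pairs


def verify_incremental(first: Set[Pair], second: Set[Pair]) -> Dict[str, Set[Pair]]:
    """Locate which reachable point pairs the incremental configuration adds, deletes or modifies."""
    return {"added": first - second, "deleted": second - first, "modified": first & second}


def link(src: Point, dst: Point) -> Key:
    return ("link", src, dst)


# Reachable paths of the basic configuration, constructed from the page's figures.
AB = [("L1", "A"), ("L1", "VXLAN"), ("L2", "VXLAN"), ("L2", "B")]
AC = [("L1", "A"), ("L1", "VXLAN"), ("BL1", "VXLAN"), ("L3", "VXLAN"), ("L3", "C")]
BASIC_MATRIX = {("A", "B"): [AB], ("B", "A"): [AB[::-1]], ("A", "C"): [AC], ("C", "A"): [AC[::-1]]}

# VXLAN tunnel links (value = destination prefix) and interface policies (value = ACL
# summary or None), basic vs incremental; constructed to match Tables 3-9.
L1V, L2V, L3V, L4V, BLV = ("L1", "VXLAN"), ("L2", "VXLAN"), ("L3", "VXLAN"), ("L4", "VXLAN"), ("BL1", "VXLAN")
BASIC_CONFIG = {
    link(L1V, L2V): "20.1.1.0/24", link(L2V, L1V): "20.1.0.0/24",
    link(L1V, BLV): "20.2.0.0/24", link(BLV, L1V): "20.1.0.0/24",
    link(BLV, L3V): "20.2.0.0/24", link(L3V, BLV): "20.1.0.0/24",
    ("in", ("L1", "A")): None,
}
INC_CONFIG = {
    link(L1V, L2V): "20.1.1.0/24", link(L2V, L1V): "20.1.0.0/24",
    link(L1V, BLV): "20.2.1.0/24", link(BLV, L1V): "20.1.0.0/24",
    link(BLV, L4V): "20.2.1.0/24", link(L4V, BLV): "20.1.0.0/24",
    ("in", ("L1", "A")): "deny ip destination 20.1.1.10",
}
# First reachable point pairs, as the page finds them by searching the incremental graph.
FIRST_PAIRS = {("A", "B"), ("A", "D"), ("D", "A")}


def run_example():
    table = build_association_table(BASIC_MATRIX)
    changes = diff_configs(BASIC_CONFIG, INC_CONFIG)
    second = second_reachable_pairs(table, changes)
    return changes, second, verify_incremental(FIRST_PAIRS, second)
```

Only the table entries of the changed keys are consulted, which is the point of the method: the whole-network reachability of the incremental configuration is never recomputed, and the pairs reported as added, deleted and modified are the ones to check against the configuration intent.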
  • the method for verifying the network configuration provided by the embodiment of the present application compares the basic network configuration with the incremental network configuration, and compares the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, so as to obtain the interface whose forwarding policy has changed and/or the link whose forwarding route has changed.
  • the first reachable point pair narrows the search range of reachable point pairs whose reachability the incremental network configuration may affect to those related to the above-mentioned interface and/or link; and the second reachable point pair is the reachable point pair that the above-mentioned interface and/or link is involved in under the basic network configuration.
  • By comparing the two reachable point pairs it is possible to accurately locate which reachable point pairs are affected by the incremental network configuration, and whether these effects conform to the configuration intent, so as to verify the incremental network configuration. Since it is not necessary to analyze the reachable point pairs of the whole network for the incremental network configuration, and only the reachable point pairs related to the changed interface and/or link are analyzed, the amount of calculation for verifying the network configuration can be reduced.
  • the verification method of the network configuration of FIG. 13 is compared with the verification method of the network configuration of FIG. 2:
  • the problem that the association table cannot find the newly added reachable point pair can be solved.
  • for the newly added reachable point pair (A, D), no association relationship can be established in FIG. 2, because there is no reachable path from interface A to interface D.
  • the solution in FIG. 13 obtains the newly added reachable point pair by finding the first path, so the reachable point pair (A, D) can be found, and there is no problem of omission.
  • the verification method of the network configuration in FIG. 13 is compared with the verification method of the network configuration in FIG. 4 : it can solve the problems of repeated calculation and large storage overhead caused by full-flow storage.
  • each interface stores the flow that may pass through, for example, interface A will store the flow object:
  • the reachability of the three flows is calculated based on the forwarding graph model of the basic network configuration, and finally the reachability of interface A to interface B and the reachability of interface A to interface C are obtained.
  • the reachability of these three flows is solved, and finally the reachability of interface A to interface B and of interface A to interface D is obtained, so as to compare the interfaces whose forwarding policies have changed.
  • the solution of the forwarding graph model based on the basic network configuration is a repetitive calculation.
  • each interface needs to store all possible flows, including flows that cannot be reached in the end.
  • interface A stores flows from interface A to interface D, and also stores specific flow information.
  • the solution in FIG. 13 only stores associated reachable point pairs for each interface, and does not need to store unreachable point pairs, which reduces storage overhead.
  • the flow information needs to express the packet space explicitly, so it includes various combinations of IP addresses and ports; the scheme in FIG. 13 does not need to store specific flow information, which reduces storage overhead.
  • the solutions provided by the embodiments of the present application can be applied not only to the scenario of verifying the incremental network configuration, but also to the scenario of verifying the incremental data plane.
  • the forwarding table is obtained not by performing protocol simulation on the basic network configuration, but by grabbing the forwarding table of the network device.
  • the scenario of verifying the data plane is more suitable for post-event verification, that is, after the network configuration is delivered to the network device and takes effect, the forwarding table actually generated by the network device is captured, and the captured network configuration information is used to verify whether the network state meets the operating intent.
  • the embodiment of the present application also provides a network configuration verification device, which is used to implement the above-mentioned various methods.
  • the device for verifying the network configuration may be the SDN controller in the above method embodiments, or a device including the above SDN controller, or a chip or functional module in the SDN controller.
  • the verification apparatus of the network configuration includes corresponding hardware structures and/or software modules for executing each function.
  • the present application can be implemented in hardware or a combination of hardware and computer software with the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
  • FIG. 16 shows a schematic structural diagram of a verification apparatus 160 for a network configuration.
  • the network configuration verification device 160 includes a comparison module 1601 , an acquisition module 1602 , an analysis module 1603 , and optionally, an update module 1604 .
  • the comparison module 1601 may perform step S1301 in FIG. 13 and steps S13011-S13014 in FIG. 14 .
  • the obtaining module 1602 may execute step S1302 in FIG. 13 and steps S13021-S13024 in FIG. 15 .
  • the parsing module 1603 may execute steps S1201-S1202 in FIG. 12 and step S1303 in FIG. 13 .
  • the comparison module 1601 is configured to compare the basic network configuration and the incremental network configuration, and compare the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, so as to obtain the interface and/or the forwarding policy changed. or forwarding a link whose route has changed; the obtaining module 1602 obtains a first reachable point pair, wherein the first reachable point pair indicates a pair of services of the path where the interface and/or link is located under the incremental network configuration access point; the comparison module 1601 is further configured to look up the association table corresponding to the basic network configuration to obtain the second reachable point pair, and compare it with the first reachable point pair to verify the incremental network configuration; wherein , the association table indicates the association relationship between the interface and/or link that the path passes through and the reachable point pair of the path in the network, and the second reachable point pair indicates that the interface and/or link is located in one of the paths in the basic network configuration. to the service access point.
  • optionally, the apparatus further includes a parsing module 1603, configured to parse the reachability matrix corresponding to the basic network configuration to obtain the association table, where the reachability matrix is a matrix indicating whether each pair of service access points in the network is reachable.
  • optionally, the apparatus further includes an update module 1604, configured to update the reachability matrix and the association table according to the first reachable point pair.
  • the parsing module 1603 is specifically configured to: for each reachable path in the reachability matrix, extract the inbound interface and outbound interface of each cross-device link that constitutes the reachable path, and establish an association between the inbound and outbound interfaces and the reachable point pair of the reachable path; and, if neither the inbound interface nor the outbound interface is a service access point, establish an association between the link and the reachable point pair of the reachable path.
  • the comparison module 1601 is specifically configured to: if an interface and/or link exists only in the basic network configuration or its corresponding forwarding table, add the interface and/or link to a deletion list, mark the interface as having a changed forwarding policy and the link as having a changed forwarding route; if an interface and/or link exists only in the incremental network configuration or its corresponding forwarding table, add the interface and/or link to an addition list, mark the interface as having a changed forwarding policy and the link as having a changed forwarding route; if the packet space of an interface's forwarding policy differs between the basic network configuration and the incremental network configuration, add the interface to a modification list and mark it as having a changed forwarding policy; and if the packet space of a link's forwarding route differs between the basic network configuration and the incremental network configuration, add the link to the modification list and mark it as having a changed forwarding route.
  • the obtaining module 1602 is specifically configured to: compute the first path that passes through the interface and/or link under the incremental network configuration; and take the pair of service access points at the two ends of the first path as the first reachable point pair.
  • the obtaining module 1602 is specifically configured to: for an interface whose forwarding policy has changed, take the interface as the starting point and the packet space of the interface's forwarding policy under the incremental network configuration as the initial packet space, and, with all service access points as end points, traverse the forwarding graph model of the incremental network configuration in the forward direction to solve for a first reachable path; for a link whose forwarding route has changed, take the starting interface of the link as the starting point and the packet space of the link's forwarding route under the incremental network configuration as the initial packet space, and, with all service access points as end points, traverse the forwarding graph model of the incremental network configuration in the forward direction to solve for a first reachable path; starting from the starting point and the initial packet space, with all service access points as end points, traverse the forwarding graph model in the reverse direction to solve for a second reachable path; and take the intersection of the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splice the first reachable path and the second reachable path to obtain the first path, with the result of the intersection as the packet space of the first path.
  • the verification apparatus 160 for the network configuration is presented in the form of functional modules obtained by integrated division.
  • Module herein may refer to a specific ASIC, circuit, processor and memory executing one or more software or firmware programs, integrated logic circuit, and/or other device that may provide the functions described above.
  • each module in FIG. 8 can be implemented by the processor in the terminal device calling the computer-executable instructions stored in the memory.
  • the apparatus 160 for verifying the network configuration provided in this embodiment can perform the above method; for the technical effects that can be obtained, refer to the above method embodiments, and details are not repeated here.
  • an embodiment of the present application further provides an apparatus for verifying a network configuration.
  • the apparatus 170 for verifying a network configuration includes a processor 1701, a memory 1702 and a network interface 1703, and the processor 1701, the memory 1702 and the network interface 1703 are coupled; when the processor 1701 executes the computer programs or instructions in the memory 1702, the corresponding methods in FIGS. 12-15 are performed.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when it runs on a computer or a processor, it causes the computer or the processor to execute the methods corresponding to FIGS. 12 to 15.
  • the embodiments of the present application also provide a computer program product containing instructions; when the instructions are executed on a computer or a processor, the computer or processor executes the corresponding methods in FIGS. 12-15.
  • An embodiment of the present application provides a chip system, where the chip system includes a processor, so that an apparatus for verifying a network configuration executes the corresponding methods in FIGS. 12-15.
  • the chip system further includes a memory for storing necessary program instructions and data.
  • the chip system may include chips, integrated circuits, or chips and other discrete devices, which are not specifically limited in this embodiment of the present application.
  • the network configuration verification device, chip, computer storage medium, computer program product or chip system provided in this application are all used to execute the method described above; therefore, for the beneficial effects that can be achieved, refer to the beneficial effects in the implementation manners provided above, which are not repeated here.
  • the processor involved in the embodiments of the present application may be a chip.
  • it may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processing circuit (DSP), a microcontroller (MCU), a programmable logic device (PLD), or another integrated chip.
  • the memory involved in the embodiments of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
  • Volatile memory may be random access memory (RAM), which acts as an external cache.
  • the RAM may be, for example, dynamic random access memory (DRAM), synchronous DRAM (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM) or direct rambus RAM (DR RAM).
  • the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.
  • the disclosed systems, devices and methods may be implemented in other manners.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be implemented through some interfaces, as indirect coupling or communication connection between devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g. infrared, radio, microwave).
  • the computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the available medium may be a magnetic medium (e.g. a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g. a DVD), or a semiconductor medium (e.g. a solid state disk (SSD)), and the like.

Abstract

The present application relates to the field of computer network communications, and provides a verification method and apparatus for a network configuration, used for reducing the amount of computation needed to verify the network configuration when an incremental network configuration is applied to a network device. The verification method for the network configuration comprises: comparing a basic network configuration and an incremental network configuration, and comparing a forwarding table corresponding to the basic network configuration and a forwarding table corresponding to the incremental network configuration, to obtain an interface whose forwarding policy is changed and/or a link whose forwarding route is changed (S1301); obtaining a first reachable point pair (S1302); and searching an association table corresponding to the basic network configuration to obtain a second reachable point pair, and comparing the second reachable point pair with the first reachable point pair to verify the incremental network configuration (S1303), wherein the association table indicates, in a network, the association relationship between the interface and/or link through which a path passes and the reachable point pair of the path, and the second reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the basic network configuration.

Description

Method and apparatus for verifying a network configuration
This application claims priority to Chinese Patent Application No. 202010615579.8, entitled "Method and Apparatus for Verifying Network Configuration", filed with the State Intellectual Property Office on June 30, 2020, which is incorporated herein by reference in its entirety.
Technical field
The present application relates to the field of computer network communication, and in particular to a method and apparatus for verifying a network configuration.
Background
Computer networks have become the infrastructure of the information age, and a correct network configuration is the basis for a computer network to operate normally. Because the services carried by a computer network change frequently, the network configuration also changes constantly. The industry has proposed network verification methods to guarantee the correctness of a network configuration: instead of sending probe packets through the network, a mathematical model is used to verify that the configuration is correct. Specifically, a network verification method converts the network configuration and the forwarding behavior of the network devices into a mathematical model, computes the reachability between network interfaces from that model, and compares the result with the expected reachability intent to judge whether the network configuration is correct.
When verifying an incremental network configuration, it is necessary to compare the reachability between the interfaces of the network devices under the network configuration before the change with the reachability between those interfaces under the network configuration after the change, obtain the interfaces whose mutual reachability has changed, and compare the result with the expected reachability intent to judge whether the incremental network configuration is correct.
An incremental network configuration usually affects the reachability between the interfaces of only some of the network devices. Recomputing the mutual reachability of the interfaces of every network device in the whole network for each incremental network configuration would add a great deal of computation.
Summary
Embodiments of the present application provide a method and apparatus for verifying a network configuration, used to reduce the amount of computation needed to verify an incremental network configuration when such a configuration is applied to a network device.
To achieve the above object, the embodiments of the present application adopt the following technical solutions:
In a first aspect, a method for verifying a network configuration is provided, including: comparing a basic network configuration with an incremental network configuration, and comparing the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interfaces whose forwarding policy has changed and/or the links whose forwarding route has changed; obtaining a first reachable point pair, where the first reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the incremental network configuration; and looking up the association table corresponding to the basic network configuration to obtain a second reachable point pair, and comparing it with the first reachable point pair to verify the incremental network configuration; where the association table indicates the association between the interfaces and/or links that a path passes through and the reachable point pair of that path in the network, and the second reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the basic network configuration.
The method for verifying a network configuration provided by the embodiments of the present application compares the basic network configuration with the incremental network configuration, and compares the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interfaces whose forwarding policy has changed and/or the links whose forwarding route has changed; obtains a first reachable point pair, which indicates the pair of service access points of the path on which the interface and/or link is located under the incremental network configuration; and looks up the association table corresponding to the basic network configuration to obtain a second reachable point pair, which is compared with the first reachable point pair to verify the incremental network configuration. The association table indicates the association between the interfaces and/or links that a path passes through and the reachable point pair of that path in the network, and the second reachable point pair indicates the pair of service access points of the path on which the interface and/or link is located under the basic network configuration. The first reachable point pair narrows the search for reachable point pairs whose reachability may be affected by the incremental network configuration to those related to the above interfaces and/or links, while the second reachable point pair is the reachable point pair in which those interfaces and/or links were involved under the basic network configuration. Comparing the two reachable point pairs pinpoints exactly which reachable point pairs have their reachability affected by the incremental network configuration and whether that effect matches the configuration intent, which verifies the incremental network configuration. Because only the reachable point pairs related to the changed interfaces and/or links are analyzed, rather than the reachable point pairs of the whole network, the amount of computation for verifying the network configuration is reduced. In addition, the association table records the association between the interfaces a path passes through and the reachable point pair of that path; compared with the association between network devices and reachable point pairs in the prior art, this association is finer-grained, which narrows the range searched through the association table for reachable point pairs and therefore reduces the work of verifying the incremental network configuration.
In a possible implementation, a link may be indicated by a combination of the interfaces at its two ends (for example, an interface pair).
In a possible implementation, the method further includes: parsing the reachability matrix corresponding to the basic network configuration to obtain the association table, where the reachability matrix is a matrix indicating whether each pair of service access points in the network is reachable. The association table relates interfaces and/or links to reachable point pairs, which is finer-grained than relating network devices to reachable point pairs, so the range to search when looking up reachable point pairs through the association table is narrower.
In a possible implementation, the method further includes: updating the reachability matrix and the association table according to the first reachable point pair. The updated reachability matrix and association table can serve as the basis for verifying the next incremental network configuration, without repeating the computation.
In a possible implementation, parsing the reachability matrix corresponding to the basic network configuration to obtain the association table includes: for each reachable path in the reachability matrix, extracting the inbound interface and outbound interface of each cross-device link that constitutes the reachable path, and establishing an association between the inbound and outbound interfaces and the reachable point pair of the reachable path; and, if neither the inbound interface nor the outbound interface is a service access point, establishing an association between the link and the reachable point pair of the reachable path. That is, associations with the reachable point pair are established both for the inbound and outbound interfaces at the two ends of a path and for the links in the middle of the path.
In a possible implementation, comparing the basic network configuration with the incremental network configuration, and comparing the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interfaces in the network whose forwarding policy has changed and/or the links whose forwarding route has changed, includes: if an interface and/or link exists only in the basic network configuration or its corresponding forwarding table, adding the interface and/or link to a deletion list, marking the interface as having a changed forwarding policy and the link as having a changed forwarding route; if an interface and/or link exists only in the incremental network configuration or its corresponding forwarding table, adding the interface and/or link to an addition list, marking the interface as having a changed forwarding policy and the link as having a changed forwarding route; if the packet space of an interface's forwarding policy differs between the basic network configuration and the incremental network configuration, adding the interface to a modification list and marking it as having a changed forwarding policy; and if the packet space of a link's forwarding route differs between the basic network configuration and the incremental network configuration, adding the link to the modification list and marking it as having a changed forwarding route. This implementation subdivides the interfaces whose forwarding policy has changed and/or the links whose forwarding route has changed into the types addition, deletion and modification, which helps determine the effect on reachability once the incremental network configuration is delivered.
In a possible implementation, obtaining the first reachable point pair includes: computing the first path that passes through the interface and/or link under the incremental network configuration; and taking the pair of service access points at the two ends of the first path as the first reachable point pair.
In a possible implementation, computing the first path that passes through the interface and/or link under the incremental network configuration includes: for an interface whose forwarding policy has changed, taking the interface as the starting point and the packet space of the interface's forwarding policy under the incremental network configuration as the initial packet space, and, with all service access points as end points, traversing the forwarding graph model of the incremental network configuration in the forward direction to solve for a first reachable path; for a link whose forwarding route has changed, taking the starting interface of the link as the starting point and the packet space of the link's forwarding route under the incremental network configuration as the initial packet space, and, with all service access points as end points, traversing the forwarding graph model of the incremental network configuration in the forward direction to solve for a first reachable path; starting from the starting point and the initial packet space, with all service access points as end points, traversing the forwarding graph model in the reverse direction to solve for a second reachable path; and taking the intersection of the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splicing the first reachable path and the second reachable path to obtain the first path, with the result of the intersection as the packet space of the first path. This implementation ensures that the service access points at the two ends of the path can communicate in both the forward and the reverse direction.
第二方面,提供了一种网络配置的验证装置,包括:比较模块,用于比较基础网络配置与增量网络配置,以及,比较基础网络配置对应的转发表与增量网络配置对应的转发表,以得到转发策略发生变更的接口和/或转发路由发生变更的链路;获取模块,获取第一可达点对,其中,第一可达点对指示接口和/或链路在增量网络配置下,所在的路径的一对业务接入点;比较模块,还用于查找基础网络配置对应的关联表,以得到第二可达点对,并与第一可达点对进行比较,以对增量网络配置进行验证;其中,关联表指示网络中,路径经过的接口和/或链路与路径的可达点对的关联关系,第二可达点对指示接口和/或链路在基础网络配置下,所在路径的一对业务接入点。In a second aspect, a network configuration verification device is provided, including: a comparison module for comparing a basic network configuration with an incremental network configuration, and comparing a forwarding table corresponding to the basic network configuration with a forwarding table corresponding to the incremental network configuration , to obtain the interface whose forwarding policy is changed and/or the link whose forwarding route is changed; the obtaining module obtains the first reachable point pair, wherein the first reachable point pair indicates that the interface and/or link is in the incremental network Under the configuration, a pair of service access points of the path where it is located; the comparison module is also used to look up the association table corresponding to the basic network configuration to obtain the second reachable point pair, and compare it with the first reachable point pair to get Verify the incremental network configuration; wherein, the association table indicates the association relationship between the interface and/or link that the path passes through and the reachable point pair of the path in the network, and the second reachable point pair indicates that the interface and/or link are in the network. In the basic network configuration, a pair of service access points on the path.
在一种可能的实施方式中,还包括:解析模块,用于解析基础网络配置对应的可达矩阵,以得到关联表,其中,可达矩阵指用于表示网络中的业务接入点两两之间是否可达的矩阵。In a possible implementation manner, the method further includes: a parsing module, configured to parse a reachability matrix corresponding to the basic network configuration to obtain an association table, where the reachability matrix refers to a pair of service access points used to represent the network A matrix of reachability between.
在一种可能的实施方式中,还包括:更新模块,用于根据第一可达点对更新可达矩阵和关联表。In a possible implementation manner, the method further includes: an update module, configured to update the reachability matrix and the association table according to the first reachable point pair.
In one possible implementation, the parsing module is specifically configured to: for each reachable path in the reachability matrix, extract the inbound interface and the outbound interface of every cross-device link that makes up the reachable path, and associate the inbound interface and the outbound interface with the reachable point pair of that reachable path; if neither the inbound interface nor the outbound interface is a service access point, also associate the link itself with the reachable point pair of that reachable path.
In one possible implementation, the comparison module is specifically configured to: if an interface and/or link exists only in the base network configuration or its corresponding forwarding table, add the interface and/or link to the deletion list, marking the interface as having a changed forwarding policy and the link as having a changed forwarding route; if an interface and/or link exists only in the incremental network configuration or its corresponding forwarding table, add the interface and/or link to the addition list, marking the interface as having a changed forwarding policy and the link as having a changed forwarding route; if the packet space of an interface's forwarding policy differs between the base network configuration and the incremental network configuration, add the interface to the modification list and mark it as having a changed forwarding policy; if the packet space of a link's forwarding route differs between the base network configuration and the incremental network configuration, add the link to the modification list and mark it as having a changed forwarding route.
In one possible implementation, the obtaining module is specifically configured to: compute the first path that passes through the interface and/or link under the incremental network configuration, and take the pair of service access points at the two ends of the first path as the first reachable point pair.
In one possible implementation, the obtaining module is specifically configured to: for an interface whose forwarding policy has changed, take the interface as the start point and the packet space of that interface's forwarding policy in the incremental network configuration as the initial packet space, take all service access points as end points, and traverse forward in the forwarding graph model of the incremental network configuration to solve for the first reachable path; for a link whose forwarding route has changed, take the start interface of the link as the start point and the packet space of that link's forwarding route in the incremental network configuration as the initial packet space, take all service access points as end points, and traverse forward in the forwarding graph model of the incremental network configuration to solve for the first reachable path; from the same start point and initial packet space, with all service access points as end points, traverse backward in the forwarding graph model to solve for the second reachable path; then combine the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splice the first reachable path and the second reachable path to obtain the first path, and use that intersection as the packet space of the first path.
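The comparison module described above, written out as an added example (this is not code from the patent). It takes the forwarding-policy packet space of every interface and the forwarding-route packet space of every link under the base and the incremental configuration and produces the deletion, addition and modification lists with their change marks. Interface names, link pairs and the sample packet spaces are constructed for the example; packet spaces are reduced to (src_ip, dst_ip) pairs.

```python
"""Comparison module of the summary above, as an added example (not the patent's code).

Inputs are the per-interface forwarding-policy packet spaces and the per-link
forwarding-route packet spaces extracted from the base and the incremental network
configuration and their forwarding tables.  Interfaces are keyed by name, links by
(inbound interface, outbound interface); packet spaces are frozensets of
(src_ip, dst_ip) pairs.  All names and addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ChangeSet:
    added: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    marks: dict = field(default_factory=dict)   # element -> "policy" or "route"


def _mark(key):
    """An interface is marked as a forwarding-policy change, a link as a forwarding-route change."""
    return "route" if isinstance(key, tuple) else "policy"


def compare(base, incr):
    """Return the delete, add and modify lists of interfaces/links between two
    configurations, each element marked by the kind of change it represents."""
    cs = ChangeSet()
    for key in base.keys() - incr.keys():        # only in the base configuration
        cs.deleted.append(key)
        cs.marks[key] = _mark(key)
    for key in incr.keys() - base.keys():        # only in the incremental configuration
        cs.added.append(key)
        cs.marks[key] = _mark(key)
    for key in base.keys() & incr.keys():        # present in both: compare packet spaces
        if base[key] != incr[key]:
            cs.modified.append(key)
            cs.marks[key] = _mark(key)
    return cs


def changed_interfaces(cs):
    return sorted(k for k, m in cs.marks.items() if m == "policy")


def changed_links(cs):
    return sorted(k for k, m in cs.marks.items() if m == "route")


# Constructed sample mirroring the page's scenario: interface A's inbound policy
# loses the flow to B's VM (ACL) and to C (route removed), the BL1 link towards L3
# disappears and a link towards L4 appears.
f1, f2, f3 = ("20.1.0.10", "20.1.1.10"), ("20.1.0.10", "20.2.0.10"), ("20.1.0.10", "20.2.1.10")
BASE = {"L1.A": frozenset({f1, f2, f3}),
        ("L1.vx", "BL1.vx"): frozenset({f2}),
        ("BL1.vx", "L3.vx"): frozenset({f2})}
INCR = {"L1.A": frozenset({f3}),
        ("L1.vx", "BL1.vx"): frozenset({f3}),
        ("BL1.vx", "L4.vx"): frozenset({f3})}
```

The lists are the only thing handed on to the obtaining module, so an interface whose packet space is unchanged produces no recomputation at all, which is the point of comparing at interface/link rather than device granularity.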
In a third aspect, an apparatus for verifying a network configuration is provided, comprising a processor connected to a memory; the memory stores a computer program, and the processor executes the computer program stored in the memory so that the apparatus performs the method of the first aspect or any of its implementations.
In a fourth aspect, a computer-readable storage medium is provided that stores a computer program which, when run on a computer, causes the computer to perform the method of the first aspect or any of its implementations.
In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer or processor, causes the computer or processor to perform the method of the first aspect or any of its implementations.
For the technical effects of the second to fifth aspects, refer to the technical effects of the first aspect and its implementations; they are not repeated here.
Description of drawings
FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of this application;
FIG. 2 is a schematic flowchart of a method for verifying a network configuration provided by an embodiment of this application;
FIG. 3 is a schematic diagram of the architecture of a communication network including switches provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of another method for verifying a network configuration provided by an embodiment of this application;
FIG. 5 is a schematic diagram of the architecture of another communication network including switches provided by an embodiment of this application;
FIG. 6 is a schematic diagram of the architecture of yet another communication network including switches provided by an embodiment of this application;
FIG. 7 is a schematic diagram of the architecture of a further communication network including switches provided by an embodiment of this application;
FIG. 8 is a schematic diagram of a process for building the forwarding graph model of a network configuration provided by an embodiment of this application;
FIG. 9 is a schematic diagram of the forwarding graph model of a base network configuration provided by an embodiment of this application;
FIG. 10 is a schematic diagram of the forwarding graph model of an incremental network configuration provided by an embodiment of this application;
FIG. 11 is a schematic diagram of a process for obtaining the reachability matrix corresponding to a base network configuration provided by an embodiment of this application;
FIG. 12 is a schematic diagram of a process for obtaining the association table corresponding to a base network configuration provided by an embodiment of this application;
FIG. 13 is a schematic flowchart of yet another method for verifying a network configuration provided by an embodiment of this application;
FIG. 14 is a schematic diagram of a process for obtaining the interfaces whose forwarding policy has changed and/or the links whose forwarding route has changed, provided by an embodiment of this application;
FIG. 15 is a schematic diagram of a process for obtaining a first path provided by an embodiment of this application;
FIG. 16 is a schematic structural diagram of an apparatus for verifying a network configuration provided by an embodiment of this application;
FIG. 17 is a schematic structural diagram of another apparatus for verifying a network configuration provided by an embodiment of this application.
Detailed description
The concepts involved in this application are described first:
Network configuration: the configuration related to network forwarding behaviour that a software-defined network (SDN) controller delivers to network devices, for example border gateway protocol (BGP) Ethernet virtual private network (EVPN) configuration or ACL policy configuration.
Base network configuration: the network configuration already present on each network device before the SDN controller delivers a new network configuration.
Incremental network configuration: the new network configuration delivered by the SDN controller.
Interface: a port provided by a network device for communication within the device itself, or a port used for communication with other network devices, virtual machines or the Internet.
Service access point: an interface provided by a network device for connecting to the virtual machines on which services are deployed, or for connecting to the Internet. Service access points usually sit at the two ends of a path.
Point pair: any two service access points in the network form a point pair; a path between the two service access points may or may not exist.
Link: two interfaces that can communicate directly without passing through any other interface. The two interfaces are called an interface pair; in other words, a link can be identified by the combination of the interfaces at its two ends.
Packet space: a set of header fields of a group of packets. Common packet header fields include, but are not limited to, the source Internet Protocol (IP) address, destination IP address, source port, destination port and protocol type. A packet space can be written as space={(src_ip,dst_ip,src_port,dst_port,protocol)}, that is, {(source IP address, destination IP address, source port, destination port, protocol type)}.
Forwarding graph model: a graph model describing the links along which packets are forwarded in the network according to forwarding rules. Forwarding according to forwarding rules includes policy forwarding according to access control lists (ACLs) and route forwarding according to the forwarding information base (FIB) forwarding table. The forwarding graph model consists of points and edges: a point represents an interface of a network device, and an edge represents a link between two interfaces. Each edge additionally carries a packet space, the set of packets that the link corresponding to the edge can forward. For example, if the network topology contains a link between two interfaces on different devices, the points corresponding to those two interfaces are connected by an edge in the forwarding graph model, and the packet space attached to that edge can be computed from the forwarding table. Likewise, if within one network device a packet received on one interface can, according to the forwarding table, be sent out of another interface, the points corresponding to those two interfaces are also connected by an edge, and the packet space attached to that edge is the intersection of the packet spaces of the forwarding policies of the two interfaces.
Path: a path consists of at least one link; two links that share a common interface, connected end to end, form a path. In the forwarding graph model this corresponds to edges with a common point connected end to end in sequence. The packet space of a path is defined as the intersection of the packet spaces attached to the edges of the links that make up the path.
Reachable and unreachable: two service access points are reachable if, according to the packet forwarding rules, there is at least one path between them whose packet space is not empty; otherwise they are unreachable.
Reachable point pair: a point represents an interface in the forwarding graph model; a point pair, that is, a pair of points, designates a pair of interfaces; a reachable point pair is a pair of points that can reach one another, that is, a path for packet transmission exists between the pair of interfaces, or, put differently, packets can be transmitted between them. A reachable point pair can be understood as the pair of service access points at the two ends of a path, namely its start point and end point.
Reachability matrix: a matrix indicating whether each pair of service access points in the network is reachable. If two service access points are reachable (form a reachable point pair), the corresponding matrix entry has a value (for example Y); otherwise the entry is empty.
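The definitions above (forwarding graph, packet space, path, reachability matrix), together with the parsing module that builds the interface-level association table and the obtaining module that recomputes affected point pairs by forward and reverse traversal, as one added example. This is not code from the patent: the packet space is modelled as a frozenset of concrete 5-tuples so the intersections are exact and easy to inspect (a real verifier uses symbolic sets), and the interface names, host addresses and edge packet spaces are constructed to resemble the FIG. 6 / FIG. 7 scenario described later on this page. One assumption beyond the text: when splicing, the source side of a spliced path is restricted to packets originating at the source service access point's own hosts.

```python
"""Forwarding graph model, reachability matrix, interface-level association table
and recomputation of the point pairs affected by a change.

Added example, not the patent's code.  A packet space is a frozenset of
(src_ip, dst_ip, src_port, dst_port, protocol) tuples so that the set algebra is
exact and visible; real verifiers use symbolic sets.  Hosts, interfaces and edge
packet spaces are constructed to resemble the page's FIG. 6 / FIG. 7 scenario
(A on L1, B on L2, C on L3, D on L4, BL1 routing between VPCs).
"""
from collections import defaultdict
from itertools import product

HOSTS = {"A": "20.1.0.10", "B": "20.1.1.10", "C": "20.2.0.10", "D": "20.2.1.10"}
ALL = tuple(HOSTS)
SAPS = {"L1.A": "A", "L2.B": "B", "L3.C": "C", "L4.D": "D"}  # service access points

def space(srcs, dsts, dports=(80,), proto="tcp"):
    """Packet space of all 5-tuples from a host in srcs to a host in dsts."""
    return frozenset((HOSTS[s], HOSTS[d], 0, p, proto)
                     for s, d, p in product(srcs, dsts, dports))

# Edge (from_interface, to_interface) -> (packet space, cross_device).  Intra-device
# edges carry the device's policy/route, cross-device edges the link's route.
BASE_EDGES = {
    ("L1.A", "L1.vx"):   (space(ALL, ("B", "C")), False),   # L1 routes A's traffic to B and C
    ("L1.vx", "L2.vx"):  (space(ALL, ("B",)), True),        # VXLAN tunnel L1 -> L2
    ("L2.vx", "L2.B"):   (space(ALL, ("B",)), False),
    ("L1.vx", "BL1.vx"): (space(ALL, ("C", "D")), True),    # VXLAN tunnel L1 -> BL1
    ("BL1.vx", "L3.vx"): (space(ALL, ("C",)), True),        # BL1 static route VRF1 -> VRF2
    ("L3.vx", "L3.C"):   (space(ALL, ("C",)), False),
}
# Incremental configuration: A's inbound policy drops B (ACL) and C (route removed),
# BL1 now routes to D instead of C.
INCR_EDGES = dict(BASE_EDGES)
INCR_EDGES[("L1.A", "L1.vx")] = (space(ALL, ("D",)), False)
del INCR_EDGES[("BL1.vx", "L3.vx")]
INCR_EDGES[("BL1.vx", "L4.vx")] = (space(ALL, ("D",)), True)
INCR_EDGES[("L4.vx", "L4.D")] = (space(ALL, ("D",)), False)

def traverse(start, init_space, edges, reverse=False):
    """Depth-first walk from start, intersecting the packet space with each edge,
    until a service access point is reached.  reverse=True follows edges backwards.
    Returns [(sap, edges in forward order, packet space)]."""
    found = []
    def walk(node, spc, path, seen):
        for (u, v), (edge_space, _) in edges.items():
            here, nxt = (v, u) if reverse else (u, v)
            if here != node or nxt in seen:
                continue
            narrowed = spc & edge_space
            if not narrowed:                      # edge cannot carry any of these packets
                continue
            step = [(u, v)] + path if reverse else path + [(u, v)]
            if nxt in SAPS:
                found.append((nxt, step, narrowed))
            else:
                walk(nxt, narrowed, step, seen | {nxt})
    walk(start, init_space, [], {start})
    return found

def reachability_matrix(edges):
    """(src_sap, dst_sap) -> [(path, packet space)]; only reachable pairs are stored."""
    matrix = defaultdict(list)
    for sap, host in SAPS.items():
        for end, path, spc in traverse(sap, space((host,), ALL), edges):
            matrix[(sap, end)].append((path, spc))
    return dict(matrix)

def association_table(matrix, edges):
    """Parsing module: for each reachable path, associate the inbound and outbound
    interface of every cross-device link with the path's point pair, and the link
    itself when neither interface is a service access point."""
    assoc = defaultdict(set)
    for pair, paths in matrix.items():
        for path, _ in paths:
            for u, v in path:
                if edges[(u, v)][1]:
                    assoc[u].add(pair)
                    assoc[v].add(pair)
                    if u not in SAPS and v not in SAPS:
                        assoc[(u, v)].add(pair)
    return dict(assoc)

def affected_pairs(start, init_space, edges):
    """Obtaining module: forward traversal from the changed interface (or link start
    interface) to destination SAPs, reverse traversal to source SAPs, then splice every
    forward/reverse combination whose common packet space is non-empty into a first
    path; its two ends are a first reachable point pair."""
    backward = ([(start, [], init_space)] if start in SAPS        # a SAP is its own source end
                else traverse(start, init_space, edges, reverse=True))
    pairs = {}
    for src, back, s1 in backward:
        for dst, fwd, s2 in traverse(start, init_space, edges):
            common = s1 & s2 & space((SAPS[src],), ALL)         # assumption: source SAP's hosts only
            if common:
                pairs[(src, dst)] = (back + fwd, common)
    return pairs
```

Usage: `reachability_matrix(BASE_EDGES)` yields the reachable pairs (A,B) and (A,C); `association_table` then records that interface L1.vx carries both pairs while the link (BL1.vx, L3.vx) carries only (A,C). After the change, `affected_pairs("BL1.vx", space(ALL, ("D",)), INCR_EDGES)` starts at the new link's start interface, walks back to L1.A and forward to L4.D, and reports the new pair (A,D) without touching (A,B).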
As shown in FIG. 1, an embodiment of this application provides a communication system, which may be a data center network (DCN), comprising an SDN controller 11 and a plurality of network devices 12.
A user can manage the network devices 12 through the SDN controller 11, obtain the latest network configuration from the network devices 12, and deliver an incremental network configuration to the network devices 12. The user can also change the network configuration of the network devices through the SDN controller 11 to meet changing service requirements. For example, the SDN controller 11 provides a network topology editing interface and a policy delivery interface, allowing the user to add and delete logical devices while ensuring that service changes are correctly mapped to the network configuration of the corresponding network devices. In addition, the user can query through the SDN controller 11 whether the current network configuration and state of the network meet the management intent (for example, whether the network contains a loop) and whether a network configuration about to be delivered meets the management intent (for example, whether certain network segments can communicate with each other), for instance by executing the network configuration verification method of the embodiments of this application.
The embodiments of this application can be used in the scenario of verifying an incremental network configuration: the base network configuration is obtained periodically from the network devices or from a system database, the physical link topology of the network (network topology for short) is likewise obtained periodically from the network devices or the system database, a service change request issued by the user is received, the incremental network configuration for the corresponding network devices is generated, and the incremental network configuration about to be delivered is verified against the management intent. This provides fast network-wide impact analysis of an incremental network configuration.
Note that the network topology is not modified when a network configuration is applied, so the network topology under the incremental network configuration is the same as the network topology under the base network configuration.
As shown in FIG. 2, the prior art provides a method for verifying a network configuration, comprising:
S201. Obtain the base network configuration and the network topology, and derive the corresponding forwarding graph model.
S202. Determine the service access point pairs and compute the reachability matrix from the forwarding graph model of the base network configuration and the service characteristics.
Assume there are N service access points; the reachability matrix then contains N² point pairs, and computing it requires N² computations. Each computation has a start point and an end point and computes the reachable path by depth-first search; the result may be a reachable path or an unreachable path.
In addition, associations are established between the network devices that the reachable and unreachable paths pass through and the point pairs; that is, a point pair here may also be an unreachable point pair.
S203. Obtain the incremental network configuration and, combined with the network topology already obtained, derive the forwarding graph model of the incremental network configuration.
S204. From the base network configuration and the incremental network configuration, obtain the list of network devices whose forwarding policy and/or forwarding route has changed.
S205. Using the list of network devices whose forwarding policy and/or forwarding route has changed, look up the associations between network devices and point pairs to find the list of point pairs that may be affected, recompute the reachable path of each such point pair in the forwarding graph model of the incremental network configuration, and compare it with the old reachable path to determine whether the point pair is a newly added, deleted or modified reachable point pair.
This scheme, which associates point pairs with network devices, has the following shortcomings:
(1) Computing the reachability matrix requires computations for N² point pairs. The amount of computation is large, and in some scenarios newly added reachable point pairs still cannot be found.
(2) The association granularity is too coarse, leading to repeated computation.
The first shortcoming arises because unreachable point pair information must be stored, so the computation can only be carried out over all N² point pairs, which is expensive. If a newly added reachable point pair is caused by the incremental network configuration of a network device at the edge of the network, this method can find it; but if the newly added reachable point pair is caused by a change in the incremental network configuration of a network device in the middle of the network, this method cannot compute that reachable point pair, because no association between the corresponding network device and the point pair exists, and the pair may be missed.
For example, as shown in FIG. 3, the network devices include the border leaf switches BL1 and BL2 and the top-of-rack (ToR) leaf switches L1 to L4. The service access points A, B, C and D are interfaces of switches L1, L2, L3 and L4 respectively. Initially interface A cannot reach interface D, so switch L1 stores the unreachability information for point pair (A, D). If the network configuration of switch L1 is modified so that interface A can reach interface D, then looking up the association table on switch L1 and re-solving whether point pair (A, D) is reachable yields the reachability information of the newly added point pair (A, D). But if instead the network configuration of switch BL2 is modified so that interface A can reach interface D, the reachability information of the newly added point pair (A, D) cannot be obtained, because that association is not stored on switch BL2.
The second shortcoming arises because, when reachable point pairs are associated at the granularity of a network device, a network device usually has many interfaces, so that many reachable paths (that is, many reachable point pairs) pass through the same network device. If the network configuration of one interface changes, device-level granularity recomputes the reachability information of every reachable point pair involving that network device, so computation is repeated.
For example, as shown in FIG. 3, assume that initially interface A can reach interface B and interface A can reach interface C, both via switch BL1, so that switch BL1 is associated with point pairs (A, B) and (A, C). Suppose the network configuration of some interface of switch BL1 on the path from interface A to interface C is modified so that interface A can no longer reach interface C. The scheme above recomputes whether both (A, B) and (A, C) are reachable: it does find that point pair (A, C) is no longer reachable, but it also recomputes whether point pair (A, B) is reachable, which is repeated computation.
As shown in FIG. 4, the prior art provides another method for verifying a network configuration, comprising:
S401. Obtain the base network configuration and the network topology, and derive the corresponding forwarding graph model.
S402. Compute the reachability matrix from the forwarding graph model of the base network configuration, and store all flow information (including the start point and packet space of each flow) passing through each node of the forwarding graph model.
S403. Obtain the incremental network configuration and, combined with the network topology already obtained, derive the forwarding graph model of the incremental network configuration.
S404. From the base network configuration and the incremental network configuration, obtain the list of interfaces whose forwarding policy and/or forwarding route has changed, and convert it into a list of changed points and edges in the forwarding graph model.
S405. Compute the incremental reachability information from the list of points and edges in the forwarding graph model whose forwarding policy and/or forwarding route has changed.
If an edge is newly added and its start point exists in the forwarding graph model of the base network configuration, extract all flow information passing through that edge and compute the reachable point pairs from that start point in the forwarding graph model of the incremental network configuration; the reachable point pairs obtained are the newly added reachable point pairs.
If an edge is deleted and its start point exists in the forwarding graph model of the base network configuration, extract all flow information passing through that edge and compute the reachable point pairs from that start point in the forwarding graph model of the base network configuration; the reachable point pairs obtained are the deleted reachable point pairs.
If an edge is modified, extract all flow information passing through its start point, compute the reachable point pairs from that start point separately in the forwarding graph models of the base and of the incremental network configuration, and compare the two results to obtain the newly added, deleted and modified reachable point pairs.
For example, as shown in FIG. 5, assume that initially interface A can reach interface B, the flow from interface A to interface C is blocked by an ACL policy on switch BL1, and the flow from interface A to interface D is blocked by an ACL policy on interface A. Interface A then stores the flow information {(A->B, f1), (A->C, f2), (A->D, f3)}, where f1, f2 and f3 are different packet header spaces, and switch BL1 stores the flow information {(A->C, f2)}. If the incremental network configuration modifies the ACL policy of interface A to let f3 through, extracting (A->D, f3) is enough to compute the reachable flow from interface A to interface D. If the incremental network configuration modifies the ACL policy of switch BL1, extracting (A->C, f2) is enough to compute the reachable flow from interface A to interface C. By storing the complete flow information (reachable and unreachable), the omission problem of the previous scheme is avoided.
However, this scheme also has the following shortcomings:
(1) Because the association between switches and reachable point pairs is not stored, when the incremental network configuration deletes or modifies an edge, the reachable point pairs in the forwarding graph model of the base network configuration have to be recomputed.
(2) Every point in the forwarding graph model has to store the flow information passing through it, including flows that are ultimately reachable and flows that are ultimately unreachable, which requires a large amount of storage; moreover, a flow is stored at every point along its path, so the same information is stored repeatedly.
The base network configuration and the incremental network configuration are illustrated below by example:
As shown in FIG. 6, the DCN contains four interfaces A, B, C and D belonging to the network segments of different services, to which the virtual machines carrying the services are attached. As listed in Table 1, interface A belongs to VRF1, the virtual routing and forwarding (VRF) instance corresponding to a virtual private cloud (VPC), has the network segment 20.1.0.0/24 and is on ToR leaf switch L1; interface B belongs to VPC VRF1, has the network segment 20.1.1.0/24 and is on ToR leaf switch L2; interface C belongs to VPC VRF2, has the network segment 20.2.0.0/24 and is on ToR leaf switch L3; interface D belongs to VPC VRF3, has the network segment 20.2.1.0/24 and is on ToR leaf switch L4. The DCN also contains the border leaf switch BL1, which handles inter-VPC communication and communication with the external Internet.
The base network configuration is as follows: BGP EVPN configuration is imported on switches L1 to L4 and BL1, so that they can establish virtual extensible local area network (VXLAN) tunnels with one another; the virtual tunnel end point (VTEP) IP address each switch uses to establish tunnels is listed in Table 2. In the initial state, network segments belonging to the same VPC can communicate, that is, interface A and interface B can communicate. In addition, static routes for inter-VPC communication between interface A and interface C are configured on switch BL1:
ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1
ip route-static vpn-instance VRF1 20.2.0.0 255.255.255.0 VRF2
After the static route configuration above is imported into the BGP EVPN configuration, interface A and interface C can communicate.
After the base network configuration is delivered, the forwarding table on switch BL1 is as shown in Table 3, on switch L1 as in Table 4, on switch L2 as in Table 5 and on switch L3 as in Table 6. An outbound interface that is another VRF means that the lookup jumps to that VRF to further match the outbound interface and next-hop IP; an outbound interface of VXLAN means the packet is about to enter a VXLAN tunnel whose source IP address is the local VTEP IP and whose destination IP address is the next-hop IP. Interface A and interface B communicate directly through the tunnel between them, while interface A and interface C must communicate via switch BL1.
Table 1
Interface | VPC  | Configured network segment
A         | VRF1 | 20.1.0.0/24
B         | VRF1 | 20.1.1.0/24
C         | VRF2 | 20.2.0.0/24
D         | VRF3 | 20.2.1.0/24
Table 2
Switch | VTEP IP
L1     | 1.1.1.1
L2     | 2.2.2.2
L3     | 3.3.3.3
L4     | 4.4.4.4
BL1    | 11.11.11.11
Table 3 (forwarding table of switch BL1; available only as an image in the original)
Table 4 (forwarding table of switch L1; available only as an image in the original)
Table 5 (forwarding table of switch L2; available only as an image in the original)
Table 6 (forwarding table of switch L3; available only as an image in the original)
By way of example, as shown in Figure 7, an incremental network configuration is applied to the DCN of Figure 6: the service is migrated from interface C to interface D, and at the same time an ACL is delivered that blocks communication between interface A and interface B. On switch BL1, the inter-VPC static routes between interface A and interface D are configured:
ip route-static vpn-instance VRF3 20.1.1.0 255.255.255.0 VRF1;
ip route-static vpn-instance VRF1 20.2.1.0 255.255.255.0 VRF3.
Importing the above static routes into BGP EVPN makes interface A and interface D mutually reachable. The inter-VPC static routes between interface A and interface C are deleted:
ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1;
ip route-static vpn-instance VRF1 20.2.0.0 255.255.255.0 VRF2.
At the same time an ACL access policy is configured in the inbound direction of interface A that forbids the virtual machines behind interface A from accessing the virtual machine 20.1.1.10 behind interface B. The ACL access policy can be implemented with the modular QoS command line (MQC):
traffic policy p1
classifier c1 behavior b1
traffic behavior b1
deny
traffic classifier c1
if-match acl 1001
acl number 1001
rule 5 deny ip destination 20.1.1.10 0
In addition, the following command is added to the configuration of interface A, where inbound denotes the inbound direction:
traffic-policy p1 inbound
After the incremental network configuration is delivered, the forwarding table on switch BL1 is shown in Table 7, that on switch L1 in Table 8, and that on switch L4 in Table 9.
Table 7: forwarding table of switch BL1 after the increment (image PCTCN2021103512-appb-000006 in the original; not reproduced here)
Table 8: forwarding table of switch L1 after the increment (image PCTCN2021103512-appb-000007 in the original; not reproduced here)
Table 9: forwarding table of switch L4 after the increment (image PCTCN2021103512-appb-000008 in the original; not reproduced here)
The embodiment of the present application provides a method for verifying a network configuration. When an incremental network configuration is verified for the first time, a forwarding graph model is built from the base network configuration and the reachability matrix of the base network configuration is obtained; parsing that reachability matrix yields an association table for the base network configuration, which records, for the network, the association between the interfaces and/or links that a path passes through and the reachable point pair of that path. When an incremental network configuration is not being verified for the first time, the association table already obtained for the base network configuration can be reused.
Then, by comparing the base network configuration with the incremental network configuration, and the forwarding tables corresponding to each, the interfaces whose forwarding policy changed and/or the links whose forwarding route changed are obtained. Next the first reachable point pairs are obtained, i.e. the pairs of endpoints of the paths on which those interfaces and/or links lie under the incremental network configuration, and the second reachable point pairs are obtained by looking those interfaces and/or links up in the association table, i.e. the pairs of endpoints of the paths on which they lay under the base network configuration. The first reachable point pairs narrow the search for pairs whose reachability the incremental configuration may affect to those related to the changed interfaces and/or links, while the second reachable point pairs are the pairs those interfaces and/or links served under the base configuration. Comparing the two sets locates exactly which reachable point pairs have their reachability affected by the incremental network configuration, and whether that effect matches the configuration intent, which is how the incremental network configuration is verified.
Forwarding graph models can be built for the base network configuration and for the incremental network configuration respectively; the forwarding graph model was described earlier and is not repeated here. As shown in Figure 8, in the network configuration verification method provided by the embodiment of the present application, building the forwarding graph model of a network configuration comprises:
S801. Convert the network configuration files into a network configuration model.
The network configuration files comprise the configuration file of each network device; each defines the protocols in use and their specific configuration, such as the BGP EVPN configuration, static route configuration and ACL policy configuration. The converted network configuration model comprises the configuration model of each network device; each defines the protocol objects in use and the attributes of those protocols. The conversion turns the configuration text into an internally stored configuration model.
For the DCN of Figure 6, taking the static routes configured on switch BL1 as an example, the conversion creates two static route objects. The command ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1 becomes a static route object with the following attributes: owning VPC VRF2, destination network segment 20.1.0.0/24, outgoing interface VRF1, and next-hop IP at its default value NULL.
Configuration models for the BGP EVPN configuration, the ACL policy configuration and so on are built in the same way.
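As an added illustration of step S801 (example code written for this page, not part of the patent), the following Python parses the static route commands and the MQC/ACL commands quoted above into configuration objects carrying the attributes the step describes. The configuration text is assembled from the commands on the page; wrapping the traffic-policy line in an interface A stanza, and the resolution of an interface's traffic policy into an ordered rule list, are assumptions made for the example. How the ACL rule action and the behaviour action combine is vendor-defined and is not modelled here.

```python
import re
from ipaddress import IPv4Address, IPv4Network


def wildcard_to_prefix(ip, wildcard):
    """ACL wildcard mask -> CIDR; '0' is the page's shorthand for 0.0.0.0 (an exact host)."""
    wild = int(IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    if wild & (wild + 1):                                    # ones must be contiguous low bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(IPv4Network((ip, 32 - bin(wild).count("1")), strict=False))


def parse_static_route(line):
    """'ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1' -> static route object with
    the attributes named on the page: owning VPC, destination segment, outgoing interface, next hop."""
    t = line.split()
    if t[:3] != ["ip", "route-static", "vpn-instance"] or len(t) != 7:
        raise ValueError(f"unsupported static route: {line}")
    vpc, dest, mask, target = t[3:]
    try:
        next_hop, out_if = str(IPv4Address(target)), None    # target is a next-hop IP
    except ValueError:
        next_hop, out_if = None, target                       # target is a VRF (or interface) name
    return {"vpc": vpc, "destination": str(IPv4Network(f"{dest}/{mask}")),
            "out_interface": out_if, "next_hop": next_hop}


STANZAS = {"traffic policy": "policies", "traffic behavior": "behaviors",
           "traffic classifier": "classifiers", "acl number": "acls", "interface": "interfaces"}


def parse_config(text):
    """Turn device configuration text into an internally stored configuration model (step S801)."""
    model = {"static_routes": [], "acls": {}, "classifiers": {}, "behaviors": {},
             "policies": {}, "interfaces": {}}
    block = None                                              # (section, name) of the open stanza
    for raw in text.splitlines():
        line = raw.strip().rstrip(";.")
        if not line:
            continue
        if line.startswith("ip route-static "):
            model["static_routes"].append(parse_static_route(line))
            block = None
        elif m := re.fullmatch(r"(traffic policy|traffic behavior|traffic classifier|acl number|interface) (\S+)", line):
            section = STANZAS[m[1]]
            block = (section, m[2])
            model[section].setdefault(m[2], {} if section in ("policies", "interfaces") else [])
        elif block is None:
            raise ValueError(f"unrecognised top-level line: {line}")
        else:
            section, name = block
            if section == "policies" and (m := re.fullmatch(r"classifier (\S+) behavior (\S+)", line)):
                model["policies"][name][m[1]] = m[2]
            elif section == "behaviors" and line in ("permit", "deny"):
                model["behaviors"][name].append(line)
            elif section == "classifiers" and (m := re.fullmatch(r"if-match acl (\S+)", line)):
                model["classifiers"][name].append(m[1])
            elif section == "acls" and (m := re.fullmatch(
                    r"rule (\d+) (permit|deny) (\S+) destination (\S+) (\S+)", line)):
                model["acls"][name].append({"id": int(m[1]), "action": m[2], "protocol": m[3],
                                            "destination": wildcard_to_prefix(m[4], m[5])})
            elif section == "interfaces" and (m := re.fullmatch(r"traffic-policy (\S+) (inbound|outbound)", line)):
                model["interfaces"][name][m[2]] = m[1]
            else:
                raise ValueError(f"unrecognised line in '{section} {name}': {line}")
    return model


def interface_policy_rules(model, iface, direction):
    """Resolve interface -> traffic-policy -> classifier -> ACL into the ordered rule list that the
    forwarding graph later turns into a packet space: (rule id, ACL action, behaviour actions, destination)."""
    policy = model["interfaces"].get(iface, {}).get(direction)
    if policy is None:
        return []
    rules = []
    for classifier, behavior in model["policies"][policy].items():
        for acl in model["classifiers"][classifier]:
            for r in model["acls"][acl]:
                rules.append((r["id"], r["action"], tuple(model["behaviors"][behavior]), r["destination"]))
    return rules


# Constructed configuration text assembled from the commands quoted on the page; the
# "interface A" stanza around the traffic-policy line is an assumption about the layout.
CONFIG = """\
ip route-static vpn-instance VRF2 20.1.0.0 255.255.255.0 VRF1
ip route-static vpn-instance VRF1 20.2.0.0 255.255.255.0 VRF2
traffic policy p1
 classifier c1 behavior b1
traffic behavior b1
 deny
traffic classifier c1
 if-match acl 1001
acl number 1001
 rule 5 deny ip destination 20.1.1.10 0
interface A
 traffic-policy p1 inbound
"""

if __name__ == "__main__":
    model = parse_config(CONFIG)
    print(model["static_routes"][0])
    print(interface_policy_rules(model, "A", "inbound"))
```

The stanzas are resolved lazily at query time, so the display order of the MQC blocks on the page (policy before behaviour, classifier and ACL) does not matter; an unknown line raises instead of being silently skipped, which is the behaviour a verifier wants from a configuration parser.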
S802. Generate the forwarding tables corresponding to the network configuration from the network configuration model and the network topology file.
For each protocol object defined in the network configuration model, combined with the network topology and following the way the protocol operates, route advertisements are issued, best routes are selected and routing finally converges to form the forwarding table of each network device. How a protocol such as BGP operates is public knowledge in the field and is not elaborated here.
S803. Generate the forwarding graph model of the network configuration from the network configuration model, the forwarding tables and the network topology.
As described earlier, the forwarding graph model consists of vertices and edges: a vertex represents an interface of a network device and an edge connects two interfaces. From the route forwarding behaviour described in the forwarding table, that is, the outgoing interface and next-hop IP of a forwarding entry (from which the corresponding interface on the peer device can be found), two interfaces on different devices are connected by an edge. The packet spaces of all forwarding rules that share the same outgoing interface are aggregated into one representation, and the packet space of each forwarding rule is computed under the longest-prefix-match principle.
From the policy forwarding behaviour described in the configuration model, two interfaces of the same network device are connected by an edge. If an ACL policy is configured on the inbound interface, the packet spaces of all rules of that ACL policy are aggregated into one representation, with the packet space of each rule computed according to the configured rule priority. If an ACL policy is also configured on the outgoing interface, the forwarding-policy packet space of the edge is the intersection of the packet spaces of the ACL policies on the inbound and outgoing interfaces.
For example, packets received in the inbound direction of interface I1 can be forwarded out in the outbound direction of interface I2. If an ACL policy on the inbound direction of I1 lets only some packets through, with packet space space1, and an ACL policy on the outbound direction of I2 lets only some packets through, with packet space space2, then the packet space of the edge between I1 and I2 is space1&space2.
For ease of computation, a packet space can be represented by a Boolean expression or by a binary decision diagram (BDD) data structure.
An ACL policy is only one kind of forwarding-policy behaviour; micro-segmentation, policy-based routing and the like are forwarding policies as well.
For the DCN of Figure 6, the forwarding graph model obtained for the base network configuration is shown in Figure 9. By way of example, the packet space of the edge (L1,VXLAN)->(L2,VXLAN) can be written {(*,20.1.1.0/24,*,*,*)}, where * denotes the full space (a source IP address of *, for instance, means 0.0.0.0/0), because in Table 4 the only forwarding entry for the VXLAN tunnel from switch L1 to switch L2 is the second entry; the packet space of the edge (L1,A)->(L1,VXLAN) is {(*,*,*,*,*)}, because no forwarding policy is configured on interface A or on the VXLAN interface, so by default all packets pass. For the DCN of Figure 7, the forwarding graph model obtained for the incremental network configuration is shown in Figure 10: the part relating to switch L3 is removed and a part relating to switch L4 is added. The packet spaces of its edges are formed as in the base forwarding graph model; for example, the packet space of the edge (BL1,VXLAN)->(L4,VXLAN) can be written {(*,20.2.1.0/24,*,*,*)}, because in Table 7 the only forwarding entry for the VXLAN tunnel from switch BL1 to switch L4 is the third entry, and the packet space of the edge (L1,A)->(L1,VXLAN) is updated to {(*,*,*,*,*)-(*,20.1.1.10/32,*,*,*)}, because an ACL forwarding policy that blocks access to the virtual machine 20.1.1.10 is now configured on interface A.
From the forwarding graph model of the base network configuration, the reachability matrix of the base network configuration can be obtained; the reachability matrix was described earlier and is not repeated here. As shown in Figure 11, in the network configuration verification method provided by the embodiment of the present application, obtaining the reachability matrix of the base network configuration comprises:
S1101. Identify interfaces as service access points, and take all service access points as starting points for solving reachable paths.
Interfaces can be identified as service access points from service characteristics, for example all bridge-domain interfaces on the ToR leaf switches, or from service information such as the outgoing interfaces corresponding to logical switches on the SDN controller and the outgoing interfaces on the border leaf switches.
S1102. Select a starting point not yet computed, take all access points as end points, traverse all reachable paths in the forwarding graph model, and fill in the corresponding entries of the reachability matrix.
One traversal method is depth-first search. For example, take any service access point as the starting point with the full packet space, and search depth-first through the forwarding graph model until some access point (the end point) is reached, at which moment a reachable path is recorded, or until the intersection of packet spaces becomes empty. Then search for the next reachable path, until every edge of the forwarding graph model has been traversed.
For the example of Figure 6, the reachability matrix finally built is shown in Table 10.
Table 10
      A   B   C   D
A     Y   Y   Y
B     Y   Y
C     Y       Y
D                 Y
A value (Y) in the matrix means the two points are reachable; an empty cell means they are not. Each reachable entry of the reachability matrix corresponds to the following reachability information: the reachable paths and the reachable packet spaces, written {(path_i,space_i)}, where i∈[0,n) and n is the number of reachable paths. path_i consists of a sequence of links, i.e. path_i can be written {link_j}, where j∈[0,l) and l is the number of links. space_i can be written {(src_ip,dst_ip,src_port,dst_port,protocol)_k}, i.e. {(source IP address, destination IP address, source port, destination port, protocol type)_k}, where k∈[0,t) and t is the number of five-tuples.
For example, in Table 10 the reachable entry (A,B) has the value Y, meaning interface A can reach interface B. The first reachable path path_0 of the entry (A,B) can be written {start->(L1,A)->(L1,VXLAN)->(L2,VXLAN)->(L2,B)->end}, where start->(L1,A) denotes the link "received on interface A of switch L1", i.e. the inbound direction of the interface; (L1,VXLAN)->(L2,VXLAN) denotes the link "the tunnel from switch L1 to switch L2"; and (L2,B)->end denotes the link "sent out of interface B of switch L2", i.e. the outbound direction of the interface. The first reachable packet space space_0 of the entry (A,B) can be written {(*,20.1.1.0/24,*,*,*)}, where * denotes the full space; a source IP of *, for instance, means 0.0.0.0/0.
Parsing the reachability matrix of the base network configuration yields the association table of the base network configuration.
Each entry of the reachability matrix states whether the path between two service access points is reachable; the reachable point pair is the pair of service access points at the two ends of that path. Every path comprises at least one link; the two ends of each link are an inbound interface and an outbound interface, which belong to different network devices and together form an interface pair. The path passes through these interfaces and interface pairs, so an association table can be built that records, for the network, the association between the interfaces and/or links a path passes through and the reachable point pair of that path. This association table reflects the association between interfaces and/or links and reachable point pairs under the base network configuration.
Specifically, as shown in Figure 12, in the network configuration verification method provided by the embodiment of the present application, parsing the reachability matrix of the base network configuration to obtain its association table comprises:
S1201. For each reachable path in the reachability matrix, extract the inbound interface and outbound interface of every cross-device link that makes up the path, and associate the inbound interface and the outbound interface with the reachable point pair of the path.
Here start->(L1,A) and (L2,B)->end are special cross-device links, for which only the association of the interface (L1,A) and of the interface (L2,B) is recorded.
By way of example, for the reachability information from interface A to interface B, the associations built between the inbound interfaces and the reachable point pair of the path, and between the outbound interfaces and the reachable point pair of the path, are shown in Table 11.
S1202. If neither the inbound interface nor the outbound interface is a service access point, associate the link with the reachable point pair of the path.
By way of example, for the reachability information from interface A to interface B, the association built between the link and the reachable point pair of the path is shown in Table 11:
Table 11: associations for the path from interface A to interface B (image PCTCN2021103512-appb-000009 in the original; not reproduced here)
The associations built for all reachability information are shown in Table 12:
Table 12: associations for all reachability information (image PCTCN2021103512-appb-000010 in the original; not reproduced here)
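The following Python, added for this page and not part of the patent, builds the association table of steps S1201 and S1202 from a set of reachable paths and then performs the lookup that later yields the second reachable point pairs. The paths are constructed after Table 10 and the path notation above; nodes are (device, interface) tuples and the start/end sentinels are left implicit.

```python
SAPS = {("L1", "A"), ("L2", "B"), ("L3", "C"), ("L4", "D")}

# Reachable paths of the base configuration, constructed after Table 10 and the path notation
# on the page (nodes are (device, interface); the start/end sentinels are left implicit).
REACHABLE_PATHS = {
    (("L1", "A"), ("L2", "B")): [[("L1", "A"), ("L1", "VXLAN"), ("L2", "VXLAN"), ("L2", "B")]],
    (("L1", "A"), ("L3", "C")): [[("L1", "A"), ("L1", "VXLAN"), ("BL1", "VXLAN"), ("L3", "VXLAN"), ("L3", "C")]],
    (("L2", "B"), ("L1", "A")): [[("L2", "B"), ("L2", "VXLAN"), ("L1", "VXLAN"), ("L1", "A")]],
    (("L3", "C"), ("L1", "A")): [[("L3", "C"), ("L3", "VXLAN"), ("BL1", "VXLAN"), ("L1", "VXLAN"), ("L1", "A")]],
}


def cross_device_links(path):
    """Consecutive nodes on different devices form a link; a hop inside one device is policy, not a link."""
    return [(u, v) for u, v in zip(path, path[1:]) if u[0] != v[0]]


def association_table(paths, saps):
    """Steps S1201/S1202: interface -> reachable point pairs and link -> reachable point pairs."""
    by_iface, by_link = {}, {}
    for pair, plist in paths.items():
        for path in plist:
            links = cross_device_links(path)
            # S1201: both interfaces of every cross-device link, plus the SAPs at the path ends
            for node in {path[0], path[-1], *(n for link in links for n in link)}:
                by_iface.setdefault(node, set()).add(pair)
            # S1202: the link itself, only when neither end is a service access point
            for u, v in links:
                if u not in saps and v not in saps:
                    by_link.setdefault((u[0], u[1], v[0],
 v[1]), set()).add(pair)
    return by_iface, by_link


def second_reachable_pairs(table, changed_ifaces=(), changed_links=()):
    """Look up the pairs that ran over the changed elements under the base configuration."""
    by_iface, by_link = table
    pairs = set()
    for iface in changed_ifaces:
        pairs |= by_iface.get(iface, set())
    for link in changed_links:
        pairs |= by_link.get(link, set())
    return pairs


BASE_TABLE = association_table(REACHABLE_PATHS, SAPS)

if __name__ == "__main__":
    for link, pairs in sorted(BASE_TABLE[1].items()):
        print(link, sorted(pairs))
    print(second_reachable_pairs(BASE_TABLE, changed_links=[("BL1", "VXLAN", "L3", "VXLAN")]))
```

Links are keyed in the page's (device, interface, device, interface) form and are directional, so the tunnel BL1 to L3 and the tunnel L3 to BL1 are separate entries that serve different point pairs.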
As shown in Figure 13, in the network configuration verification method provided by the embodiment of the present application, the specific process of verifying the network configuration comprises:
S1301. Compare the base network configuration with the incremental network configuration, and compare the forwarding tables corresponding to the base network configuration with those corresponding to the incremental network configuration, to obtain the interfaces in the network whose forwarding policy changed and/or the links whose forwarding route changed.
Specifically, as shown in Figure 14, for each interface and/or link, step S1301 comprises:
S13011. If an interface and/or link exists only in the base network configuration or its forwarding tables, add it to the deletion (DEL) list; mark the interface as having a changed forwarding policy, or the link as having a changed forwarding route.
The deletion list comprises the interfaces and/or links that the incremental network configuration or its forwarding tables have removed relative to the base network configuration or its forwarding tables.
S13012. If an interface and/or link exists only in the incremental network configuration or its forwarding tables, add it to the addition (ADD) list; mark the interface as having a changed forwarding policy, or the link as having a changed forwarding route.
The addition list comprises the interfaces and/or links that the incremental network configuration or its forwarding tables have added relative to the base network configuration or its forwarding tables.
S13013. If the packet space of an interface's forwarding policy differs between the base network configuration and the incremental network configuration, add the interface to the modification (MOD) list and mark it as having a changed forwarding policy.
S13014. If the packet space of a link's forwarding route differs between the base network configuration and the incremental network configuration, add the link to the modification (MOD) list and mark it as having a changed forwarding route.
The modification list comprises the interfaces and/or links that the incremental network configuration has changed relative to the base network configuration.
By way of example, for Figures 6 and 7, comparing the forwarding tables of switch BL1 before and after the increment (Table 3 and Table 7) reveals the added link (BL1,VXLAN,L4,VXLAN) and the deleted link (BL1,VXLAN,L3,VXLAN). Comparing the forwarding tables of switch L1 before and after the increment (Table 4 and Table 8) reveals that the packet space of the forwarding route on link (L1,VXLAN,BL1,VXLAN) changed from {(*,20.2.0.0/24,*,*,*)} to {(*,20.2.1.0/24,*,*,*)}; comparing the network configuration of switch L1 before and after the increment reveals that the packet space of the forwarding policy in the inbound direction of interface (L1,A) changed.
In the end, after the incremental network configuration is delivered, the interfaces whose forwarding policy changed and/or the links whose forwarding route changed are:
Addition (ADD) list: (BL1,VXLAN,L4,VXLAN), (L4,VXLAN,BL1,VXLAN).
Deletion (DEL) list: (BL1,VXLAN,L3,VXLAN), (L3,VXLAN,BL1,VXLAN).
Modification (MOD) list: (L1,VXLAN,BL1,VXLAN); interface (L1,A), inbound direction.
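The following Python, added for this page and not part of the patent, derives the per-link packet space of each forwarding table under longest-prefix match (step S803) and then compares base and incremental spaces into the ADD, DEL and MOD lists of steps S13011 to S13014. The forwarding entries and the interface policy spaces are constructed after the description of Tables 3, 4, 7 and 8 and the ACL above, only the destination field is modelled, and the VTEP-to-switch mapping is Table 2. It generalises the page's case in one respect: a more specific prefix of the same VRF that is routed elsewhere is subtracted from a rule's space, which does not occur in the page's tables.

```python
from ipaddress import ip_network

VTEP = {"1.1.1.1": "L1", "2.2.2.2": "L2", "3.3.3.3": "L3", "4.4.4.4": "L4", "11.11.11.11": "BL1"}  # Table 2

# Forwarding entries (vrf, prefix, out_if, next_hop), constructed after the page's description of
# Tables 3/4/7/8; out_if "VXLAN" means a tunnel to the VTEP next_hop, any other value is a VRF jump.
BASE_FIB = {
    "L1":  [("VRF1", "20.1.1.0/24", "VXLAN", "2.2.2.2"), ("VRF1", "20.2.0.0/24", "VXLAN", "11.11.11.11")],
    "BL1": [("VRF1", "20.2.0.0/24", "VRF2", None), ("VRF2", "20.2.0.0/24", "VXLAN", "3.3.3.3"),
            ("VRF2", "20.1.0.0/24", "VRF1", None), ("VRF1", "20.1.0.0/24", "VXLAN", "1.1.1.1")],
    "L3":  [("VRF2", "20.1.0.0/24", "VXLAN", "11.11.11.11")],
}
INCR_FIB = {
    "L1":  [("VRF1", "20.1.1.0/24", "VXLAN", "2.2.2.2"), ("VRF1", "20.2.1.0/24", "VXLAN", "11.11.11.11")],
    "BL1": [("VRF1", "20.2.1.0/24", "VRF3", None), ("VRF3", "20.2.1.0/24", "VXLAN", "4.4.4.4"),
            ("VRF3", "20.1.0.0/24", "VRF1", None), ("VRF1", "20.1.0.0/24", "VXLAN", "1.1.1.1")],
    "L4":  [("VRF3", "20.1.0.0/24", "VXLAN", "11.11.11.11")],
}
# Interface policy spaces keyed by (device, interface, direction): allowed prefix minus carved-out prefixes.
BASE_POLICY = {("L1", "A", "in"): frozenset({("0.0.0.0/0", frozenset())})}
INCR_POLICY = {("L1", "A", "in"): frozenset({("0.0.0.0/0", frozenset({"20.1.1.10/32"}))})}


def link_spaces(dev, fib):
    """Route space per VXLAN link (step S803): a rule owns its prefix minus every more-specific
    prefix of the same VRF that longest-prefix match would send somewhere else."""
    spaces = {}
    for vrf, prefix, out_if, nh in fib:
        if out_if != "VXLAN":
            continue                                   # VRF jumps are resolved inside the device
        net = ip_network(prefix)
        carved = frozenset(p for v, p, o, n in fib
                           if v == vrf and (o, n) != (out_if, nh) and p != prefix
                           and ip_network(p).subnet_of(net))
        link = (dev, "VXLAN", VTEP[nh], "VXLAN")
        spaces.setdefault(link, set()).add((prefix, carved))
    return {link: frozenset(rules) for link, rules in spaces.items()}


def all_spaces(fibs, policies):
    """Every element the comparison looks at: interface policy spaces plus link route spaces."""
    spaces = dict(policies)
    for dev, fib in fibs.items():
        spaces.update(link_spaces(dev, fib))
    return spaces


def diff_spaces(base, incr):
    """Steps S13011-S13014: ADD = only in the incremental configuration, DEL = only in the base
    configuration, MOD = present in both with a different packet space."""
    add = sorted(k for k in incr if k not in base)
    dele = sorted(k for k in base if k not in incr)
    mod = sorted(k for k in base if k in incr and base[k] != incr[k])
    return add, dele, mod


def changed_elements():
    return diff_spaces(all_spaces(BASE_FIB, BASE_POLICY), all_spaces(INCR_FIB, INCR_POLICY))


if __name__ == "__main__":
    for label, items in zip(("ADD", "DEL", "MOD"), changed_elements()):
        print(label, items)
```

Run stand-alone it reproduces the three lists given above. Comparing spaces rather than raw configuration lines is what makes the MOD detection meaningful: a route that is re-written with the same prefix and next hop produces no entry, whereas the narrowing of (L1,VXLAN,BL1,VXLAN) from 20.2.0.0/24 to 20.2.1.0/24 does.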
S1302. Obtain the first reachable point pairs.
A first reachable point pair is the pair of service access points at the two ends of a path on which an interface whose forwarding policy changed and/or a link whose forwarding route changed lies under the incremental network configuration.
Specifically, the first paths, i.e. the paths under the incremental network configuration that pass through the interfaces whose forwarding policy changed and/or the links whose forwarding route changed, can be computed, and the pair of service access points at the two ends of each first path is taken as a first reachable point pair. As shown in Figure 15, obtaining the first paths comprises:
S13021. For an interface whose forwarding policy changed, take the interface as the starting point, the packet space of that interface's forwarding policy under the incremental network configuration as the initial packet space, and all service access points as end points, and traverse the forwarding graph model of the incremental network configuration forwards to solve the first reachable paths.
By way of example, for Figure 7 and the interface (L1,A): with (L1,A) as the starting point and the packet space of the interface's forwarding policy under the incremental network configuration as the initial packet space, the same depth-first search as in step S1102 is used until some access point (the end point) is reached, at which moment a reachable path is recorded, or until the intersection of packet spaces is empty; then the next reachable path is searched for, until every edge of the forwarding graph model has been traversed. The first reachable paths finally found are:
(L1,A)->(L1,VXLAN)->(L2,VXLAN)->(L2,B)->end, with packet space {(*,20.1.1.0/24,*,*,*)-(*,20.1.1.10/32,*,*,*)};
(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
S13022. For a link whose forwarding route changed, take the starting interface of the link as the starting point, the packet space of that link's forwarding route under the incremental network configuration as the initial packet space, and all service access points as end points, and traverse the forwarding graph model of the incremental network configuration forwards to solve the first reachable paths.
The packet space of a forwarding route is the packet space of the corresponding entry in the forwarding table.
By way of example, for Figure 7 and the link (BL1,VXLAN,L4,VXLAN): with the link's starting interface (BL1,VXLAN) as the starting point, the packet space of the link in the forwarding table of the incremental network configuration as the initial packet space and all service access points as end points, the same depth-first search as in step S1102 is used until some access point (the end point) is reached, at which moment a reachable path is recorded, or until the intersection of packet spaces is empty; then the next reachable path is searched for, until every edge of the forwarding graph model has been traversed. The first reachable path finally found is:
(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
For the link (L4,VXLAN,BL1,VXLAN): with the link's starting interface (L4,VXLAN) as the starting point and the packet space of the link in the forwarding table of the incremental network configuration as the initial packet space, the same depth-first search as in step S1102 is used until some access point (the end point) is reached, at which moment a reachable path is recorded, or until the intersection of packet spaces is empty; then the next reachable path is searched for, until every edge of the forwarding graph model has been traversed. The first reachable path finally found is:
(L4,VXLAN)->(BL1,VXLAN)->(L1,VXLAN)->(L1,A)->end, with packet space {(*,20.1.0.0/24,*,*,*)}.
For the link (L1,VXLAN,BL1,VXLAN): with the link's starting interface (L1,VXLAN) as the starting point and the packet space of the link in the forwarding table of the incremental network configuration as the initial packet space, the same depth-first search as in step S1102 is used until some access point (the end point) is reached, at which moment a reachable path is recorded, or until the intersection of packet spaces is empty; then the next reachable path is searched for, until every edge of the forwarding graph model has been traversed. The first reachable path finally found is:
(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
S13023. Starting from the starting point and the initial packet space, with all service access points as end points, traverse the forwarding graph model of the incremental network configuration in the reverse direction to solve for the second reachable path.
As an example, for FIG. 7 and the interface (L1,A): take (L1,A) as the starting point and the packet space of the forwarding policy of that interface under the incremental network configuration as the initial packet space, and run the same depth-first search as in step S1101 in the reverse direction over the forwarding graph model until an access point (an end point) is reached, marking a reachable path, or until the packet-space intersection becomes empty. Then search for the next reachable path, until every edge of the forwarding graph model has been traversed. The second reachable path finally found is:
start->(L1,A), with packet space {(*,*,*,*,*)-(*,20.1.1.10/32,*,*,*)}.
For the link (BL1,VXLAN,L4,VXLAN): take the starting interface (BL1,VXLAN) of the link as the starting point and the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space, and run the same depth-first search as in step S1101 in the reverse direction over the forwarding graph model until an access point (an end point) is reached, marking a reachable path, or until the packet-space intersection becomes empty. Then search for the next reachable path, until every edge of the forwarding graph model has been traversed. The second reachable path finally found is:
start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN), with packet space {(*,20.2.1.0/24,*,*,*)}.
For the link (L4,VXLAN,BL1,VXLAN): take the starting interface (L4,VXLAN) of the link as the starting point and the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space, and run the same depth-first search as in step S1101 in the reverse direction over the forwarding graph model until an access point (an end point) is reached, marking a reachable path, or until the packet-space intersection becomes empty. Then search for the next reachable path, until every edge of the forwarding graph model has been traversed. The second reachable path finally found is:
start->(L4,D)->(L4,VXLAN), with packet space {(*,20.1.0.0/24,*,*,*)}.
For the link (L1,VXLAN,BL1,VXLAN): take the starting interface (L1,VXLAN) of the link as the starting point and the packet space of the link in the forwarding table corresponding to the incremental network configuration as the initial packet space, and run the same depth-first search as in step S1101 in the reverse direction over the forwarding graph model until an access point (an end point) is reached, marking a reachable path, or until the packet-space intersection becomes empty. Then search for the next reachable path, until every edge of the forwarding graph model has been traversed. The second reachable path finally found is:
start->(L1,A)->(L1,VXLAN), with packet space {(*,20.2.1.0/24,*,*,*)}.
S13024. Take the intersection of the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splice the first reachable path and the second reachable path to obtain the first path, and use the intersection as the packet space of that first path.
As an example, for FIG. 7 and the interface (L1,A), the first paths are:
start->(L1,A)->(L1,VXLAN)->(L2,VXLAN)->(L2,B)->end, with packet space {(*,20.1.1.0/24,*,*,*)-(*,20.1.1.10/32,*,*,*)};
start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
For the link (BL1,VXLAN,L4,VXLAN), the first path is:
start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
For the link (L4,VXLAN,BL1,VXLAN), the first path is:
start->(L4,D)->(L4,VXLAN)->(BL1,VXLAN)->(L1,VXLAN)->(L1,A)->end, with packet space {(*,20.1.0.0/24,*,*,*)}.
For the link (L1,VXLAN,BL1,VXLAN), the first path is:
start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, with packet space {(*,20.2.1.0/24,*,*,*)}.
Note that the interfaces whose forwarding policy changed and/or the links whose forwarding route changed referred to above are those in the add (ADD) list and the modify (MOD) list described earlier; the interfaces and/or links in the delete (DEL) list no longer exist in the incremental network configuration, so no reachable path can be obtained for them.
Taking the pair of service access points at the two ends of each first path gives the first reachable point pairs (A,B), (A,D) and (D,A). The link list of each first reachable point pair and the corresponding packet space are obtained at the same time.
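The forward search (S13022), reverse search (S13023) and splicing (S13024) just described, worked through in Python as an added example that is not code from the patent. The forwarding graph, routes and policies are constructed to reproduce the FIG. 7 paths quoted above (the figure itself is not on this page); only the destination-IP field of the 5-tuple packet space is modeled, as a set of disjoint IPv4 prefixes, so a policy such as "everything except 20.1.1.10/32" is an explicit prefix set and intersection and subtraction are set operations on prefixes. All function and variable names are the example's own.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Set, Tuple
# Added example, not the patent's code: only the destination-IP field of the
# 5-tuple is modeled, as a set of disjoint prefixes; the topology is constructed.
Net = ipaddress.IPv4Network
Space = FrozenSet[Net]          # disjoint prefixes; the empty set is the empty space
Iface = Tuple[str, str]         # (device, interface)
Edges = Dict[Iface, List[Tuple[Iface, Space]]]

def space(*cidrs: str) -> Space:
    return frozenset(ipaddress.ip_network(c) for c in cidrs)

def intersect(a: Space, b: Space) -> Space:
    """x∩y of two prefixes is the smaller one if one contains the other, else empty."""
    return frozenset(x if x.subnet_of(y) else y for x in a for y in b
                     if x.subnet_of(y) or y.subnet_of(x))

def subtract(a: Space, b: Space) -> Space:
    """a minus b; 20.1.1.0/24 minus 20.1.1.10/32 becomes 8 disjoint prefixes."""
    result = set(a)
    for y in b:
        nxt: Set[Net] = set()
        for x in result:
            if not x.subnet_of(y):           # otherwise x is removed entirely
                nxt.update(x.address_exclude(y) if y.subnet_of(x) else [x])
        result = nxt
    return frozenset(result)

ALL = space("0.0.0.0/0")
A, B, D = ("L1", "A"), ("L2", "B"), ("L4", "D")
L1V, L2V, BL1V, L4V = ("L1", "VXLAN"), ("L2", "VXLAN"), ("BL1", "VXLAN"), ("L4", "VXLAN")
ACCESS: Dict[Iface, str] = {A: "A", B: "B", D: "D"}   # service access points
POLICY_A = subtract(ALL, space("20.1.1.10/32"))        # A's changed inbound policy

# Forwarding graph of the incremental configuration: interface -> [(next hop, packet
# space forwarded)]. Edges leaving an access interface carry its inbound policy; the
# other edges carry the route on that hop.
GRAPH: Edges = {
    A: [(L1V, POLICY_A)],
    D: [(L4V, ALL)],
    L1V: [(L2V, space("20.1.1.0/24")), (BL1V, space("20.2.0.0/16")), (A, space("20.1.0.0/24"))],
    L2V: [(B, space("20.1.1.0/24"))],
    BL1V: [(L4V, space("20.2.1.0/24")), (L1V, space("20.1.0.0/24"))],
    L4V: [(D, space("20.2.1.0/24")), (BL1V, space("20.1.0.0/24"))],
}
REVERSE: Edges = {}                 # the same edges, indexed by their end point
for _src, _out in GRAPH.items():
    for _dst, _sp in _out:
        REVERSE.setdefault(_dst, []).append((_src, _sp))

def search(edges: Edges, start: Iface, init: Space, stop_at_start: bool):
    """DFS as in step S1101: follow an edge only while the packet space stays
    non-empty, stop at a service access point, never revisit a node."""
    found = []
    def dfs(node, path, sp):
        if node in ACCESS and (stop_at_start or node != start):
            found.append((path, sp))
            return
        for nxt, edge_sp in edges.get(node, []):
            s = intersect(sp, edge_sp)
            if s and nxt not in path:
                dfs(nxt, path + [nxt], s)
    dfs(start, [start], init)
    return found

def forward_search(start: Iface, init: Space):
    """S13022: first reachable paths, start -> ... -> access point -> end."""
    return [(p + ["end"], s) for p, s in search(GRAPH, start, init, False)]

def reverse_search(start: Iface, init: Space):
    """S13023: second reachable paths, written start -> entry access point -> ... -> start node."""
    return [(["start"] + p[::-1], s) for p, s in search(REVERSE, start, init, True)]

def first_paths(start: Iface, init: Space):
    """S13024: splice each second path with each first path whose packet spaces
    intersect; the intersection is the packet space of the spliced path."""
    return [(rp + fp[1:], intersect(rs, fs))
            for rp, rs in reverse_search(start, init)
            for fp, fs in forward_search(start, init) if intersect(rs, fs)]

def reachable_pairs(changed: Dict[Iface, Space]) -> Dict[Tuple[str, str], set]:
    """First reachable point pairs (entry, exit) of all first paths through the changed elements."""
    pairs: Dict[Tuple[str, str], set] = {}
    for start, init in changed.items():
        for path, sp in first_paths(start, init):
            pairs.setdefault((ACCESS[path[1]], ACCESS[path[-2]]), set()).add(sp)
    return pairs

# ADD/MOD elements of the example, keyed by the start interface of each one.
CHANGED: Dict[Iface, Space] = {
    A: POLICY_A,                      # MOD interface (L1,A)
    BL1V: space("20.2.1.0/24"),       # ADD link (BL1,VXLAN,L4,VXLAN)
    L4V: space("20.1.0.0/24"),        # ADD link (L4,VXLAN,BL1,VXLAN)
    L1V: space("20.2.0.0/16"),        # MOD link (L1,VXLAN,BL1,VXLAN)
}
if __name__ == "__main__":
    for pair, spaces in sorted(reachable_pairs(CHANGED).items()):
        print(pair, [sorted(map(str, s)) for s in spaces])
```

Running the module prints the first reachable point pairs (A,B), (A,D) and (D,A) with their packet spaces: (A,B) comes out as 20.1.1.0/24 with 20.1.1.10/32 carved out, and (A,D) is found three times, from the modified interface (L1,A), the added link (BL1,VXLAN,L4,VXLAN) and the modified link (L1,VXLAN,BL1,VXLAN), which is why the spaces per pair are collected into a set. The "never revisit a node" check in search is what keeps the DFS finite on the BL1-L1 and BL1-L4 links, which carry routes in both directions.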
S1303. Look up the association table corresponding to the base network configuration to obtain the second reachable point pairs, and compare them with the first reachable point pairs to verify the incremental network configuration.
A second reachable point pair is the pair of service access points at the two ends of a path that, under the base network configuration, traverses an interface whose forwarding policy changed and/or a link whose forwarding route changed.
As an example, for the link (BL1,VXLAN,L2,VXLAN) in the delete (DEL) list, looking up the association table gives the second reachable point pairs (A,C) and (C,A). For the link (L1,VXLAN,BL1,VXLAN) and the inbound direction of the interface (L1,A) in the modify (MOD) list, looking up the association table gives (A,C) and {(A,B),(A,C)} respectively. Merging these gives the second reachable point pairs, which include (A,B) and (A,C).
Comparing the second reachable point pairs (A,B), (A,C) with the first reachable point pairs (A,B), (A,D), (D,A) gives:
Deleted reachable point pairs: (A,C), (C,A).
Modified reachable point pair: (A,B). Its packet space changes from {(*,20.1.1.0/24,*,*,*)} to {(*,20.1.1.0/24-20.1.1.10,*,*,*)}.
Added reachable point pair: (A,D). The new path corresponding to this pair is start->(L1,A)->(L1,VXLAN)->(BL1,VXLAN)->(L4,VXLAN)->(L4,D)->end, and the new packet space is {(*,20.2.1.0/24,*,*,*)}.
Added reachable point pair: (D,A). The new path corresponding to this pair is start->(L4,D)->(L4,VXLAN)->(BL1,VXLAN)->(L1,VXLAN)->(L1,A)->end, and the new packet space is {(*,20.1.0.0/24,*,*,*)}.
This analysis verifies the incremental network configuration: it checks whether the reachable point pairs above match the reachability expected once the incremental network configuration has been deployed.
In addition, the reachability matrix and the association table can be updated from the first and second reachable point pairs, which amounts to treating the current incremental network configuration as the base network configuration of the next incremental network configuration, so that the reachability matrix and the association table need not be recomputed.
To update the reachability matrix from the first and second reachable point pairs: delete the matrix entries corresponding to the delete list, add the entries corresponding to the add list, and modify the reachability information of the entries corresponding to the modify list.
To update the association table from the first and second reachable point pairs: delete the associations corresponding to the delete list, add the associations corresponding to the add list, and modify the associations corresponding to the modify list.
As an example, the reachability matrix updated from the first and second reachable point pairs is shown in Table 13: for instance, the reachable point pair (D,A) is new, so the corresponding matrix entry is set to Y.
Table 13
      A   B   C   D
  A   Y   Y       Y
  B   Y   Y
  C           Y
  D   Y           Y
As an example, the association table updated from the first and second reachable point pairs is shown in Table 14: for instance, in the inbound direction of the interfaces, the association of the interface (L4,D) with the reachable point pair (D,A) is added, and the association of (L3,C) with the reachable point pair (C,A) is deleted.
Table 14 (reproduced in the original only as an image, Figure PCTCN2021103512-appb-000011)
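The lookup, comparison and update steps of S1303 and the two tables above, worked through in Python as an added example that is not code from the patent. It also includes the ADD/DEL/MOD classification that the description of the comparison module later on this page summarizes, since the lookup starts from those lists. Element names follow the text ("(dev,if)" for an interface policy, "(dev,if,dev,if)" for a link route); packet spaces are kept as opaque strings because the point here is the set logic, and the base-configuration tables are constructed so that the classification, the second reachable point pairs and the updated Table 13 come out as stated above. All function and variable names are the example's own.

```python
from typing import Dict, List, Set, Tuple
# Added example, not the patent's code. Elements are named as in the text,
# "(dev,if)" for an interface policy and "(dev,if,dev,if)" for a link route;
# packet spaces are opaque strings; all table contents are constructed.
Pair = Tuple[str, str]
ACCESS_POINTS = ["A", "B", "C", "D"]

BASE = {   # base configuration: element -> packet space it admits or forwards
    "(L1,A)": "*", "(L2,B)": "*", "(L3,C)": "*", "(L4,D)": "*",
    "(L1,VXLAN,L2,VXLAN)": "20.1.1.0/24", "(L2,VXLAN,L1,VXLAN)": "20.1.0.0/24",
    "(L1,VXLAN,BL1,VXLAN)": "20.2.0.0/24", "(BL1,VXL AN,L1,VXLAN)".replace(" ", ""): "20.1.0.0/24",
    "(BL1,VXLAN,L2,VXLAN)": "20.2.0.0/24",   # route that carried the A<->C traffic
}
INC = {k: v for k, v in BASE.items() if k != "(BL1,VXLAN,L2,VXLAN)"}
INC.update({
    "(L1,A)": "* - 20.1.1.10/32",            # policy on A tightened
    "(L1,VXLAN,BL1,VXLAN)": "20.2.1.0/24",   # route re-pointed toward D
    "(BL1,VXLAN,L4,VXLAN)": "20.2.1.0/24",   # new links to and from L4
    "(L4,VXLAN,BL1,VXLAN)": "20.1.0.0/24",
})

# Association table of the base configuration (element -> point pairs whose
# paths traverse it), its reachability matrix, and the base packet spaces.
ASSOC: Dict[str, Set[Pair]] = {
    "(L1,A)": {("A", "B"), ("A", "C")}, "(L2,B)": {("A", "B"), ("B", "A")},
    "(L3,C)": {("A", "C"), ("C", "A")},
    "(L1,VXLAN,L2,VXLAN)": {("A", "B")}, "(L2,VXLAN,L1,VXLAN)": {("B", "A")},
    "(L1,VXLAN,BL1,VXLAN)": {("A", "C")}, "(BL1,VXLAN,L1,VXLAN)": {("C", "A")},
    "(BL1,VXLAN,L2,VXLAN)": {("A", "C"), ("C", "A")},
}
BASE_MATRIX: Set[Pair] = {("A", "A"), ("A", "B"), ("A", "C"), ("B", "A"),
                          ("B", "B"), ("C", "A"), ("C", "C"), ("D", "D")}
BASE_PAIR_SPACE = {("A", "B"): "20.1.1.0/24", ("B", "A"): "20.1.0.0/24",
                   ("A", "C"): "20.2.0.0/24", ("C", "A"): "20.1.0.0/24"}

# First paths of the incremental configuration (S13024): pair, elements on the
# path, packet space.
FIRST = [
    (("A", "B"), ["(L1,A)", "(L1,VXLAN,L2,VXLAN)", "(L2,B)"], "20.1.1.0/24 - 20.1.1.10/32"),
    (("A", "D"), ["(L1,A)", "(L1,VXLAN,BL1,VXLAN)", "(BL1,VXLAN,L4,VXLAN)", "(L4,D)"], "20.2.1.0/24"),
    (("D", "A"), ["(L4,D)", "(L4,VXLAN,BL1,VXLAN)", "(BL1,VXLAN,L1,VXLAN)", "(L1,A)"], "20.1.0.0/24"),
]

def classify(base: Dict[str, str], inc: Dict[str, str]):
    """ADD / DEL / MOD lists: only in inc, only in base, or in both with a
    different packet space."""
    add = sorted(e for e in inc if e not in base)
    dele = sorted(e for e in base if e not in inc)
    mod = sorted(e for e in base if e in inc and base[e] != inc[e])
    return add, dele, mod

def second_pairs(assoc: Dict[str, Set[Pair]], elements: List[str]) -> Set[Pair]:
    """S1303: union of the base-configuration pairs associated with the DEL and
    MOD elements (ADD elements have no entry in the base table)."""
    out: Set[Pair] = set()
    for e in elements:
        out |= assoc.get(e, set())
    return out

def compare(first, second: Set[Pair], base_space: Dict[Pair, str]):
    """deleted: in second only; added: in first only; modified: in both with a
    changed packet space."""
    first_space = {pair: sp for pair, _, sp in first}
    both = set(first_space) & second
    return {"deleted": second - set(first_space),
            "added": set(first_space) - second,
            "modified": {p for p in both if first_space[p] != base_space.get(p)}}

def update_matrix(matrix: Set[Pair], result) -> Set[Pair]:
    """Reachability matrix for the next round (Table 13)."""
    return (matrix - result["deleted"]) | result["added"]

def update_assoc(assoc, first, dele: List[str], result) -> Dict[str, Set[Pair]]:
    """Association table for the next round (Table 14): drop DEL elements and
    deleted pairs everywhere, then associate every element on a first path with
    that path's pair (this is how (L4,D) gains (D,A) and (L3,C) loses (C,A))."""
    new = {e: p - result["deleted"] for e, p in assoc.items() if e not in dele}
    for pair, elements, _ in first:
        for e in elements:
            new.setdefault(e, set()).add(pair)
    return {e: p for e, p in new.items() if p}

def render_matrix(matrix: Set[Pair]) -> str:
    rows = ["    " + "  ".join(ACCESS_POINTS)]
    for r in ACCESS_POINTS:
        rows.append(r + "   " + "  ".join("Y" if (r, c) in matrix else "." for c in ACCESS_POINTS))
    return "\n".join(rows)

if __name__ == "__main__":
    add, dele, mod = classify(BASE, INC)
    result = compare(FIRST, second_pairs(ASSOC, dele + mod), BASE_PAIR_SPACE)
    print(result)
    print(render_matrix(update_matrix(BASE_MATRIX, result)))
```

The comparison is relative to the changed elements only: a pair lands in "deleted" because it was associated with a deleted or modified element in the base table and no first path through a changed element carries it any more. If the base configuration also had a path for that pair that avoids every changed element, that path is unaffected and the pair stays reachable, so before acting on a "deleted" entry a deployment check should confirm it against the association entries of the unchanged elements.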
The network configuration verification method provided by the embodiments of this application compares the base network configuration with the incremental network configuration, and the forwarding table of the base network configuration with that of the incremental network configuration, to obtain the interfaces whose forwarding policy changed and/or the links whose forwarding route changed; obtains the first reachable point pairs, each being the pair of service access points of a path that traverses such an interface and/or link under the incremental network configuration; and looks up the association table of the base network configuration to obtain the second reachable point pairs, which are compared with the first reachable point pairs to verify the incremental network configuration. The association table records, for the network, the association between the interfaces and/or links a path traverses and the reachable point pair of that path, and a second reachable point pair is the pair of service access points of a path that traverses such an interface and/or link under the base network configuration. The first reachable point pairs narrow the search for point pairs whose reachability the incremental network configuration may affect down to those related to the changed interfaces and/or links, while the second reachable point pairs are the point pairs those interfaces and/or links were involved in under the base network configuration. Comparing the two sets locates exactly which point pairs have their reachability affected by the incremental network configuration and whether that effect matches the configuration intent, which verifies the incremental network configuration. Since only the point pairs related to the changed interfaces and/or links are analyzed, rather than every point pair of the whole network, the computation needed to verify a network configuration is reduced.
The network configuration verification method of FIG. 13 compared with that of FIG. 2:
First, it solves the problem that the association table cannot find newly added reachable point pairs. In the example of FIG. 6 and FIG. 7, the scheme of FIG. 2 cannot establish any association for the new reachable point pair (A,D), because under the base configuration there is no reachable path from interface A to interface D. The scheme of FIG. 13 obtains new reachable point pairs by solving for the first path, so the pair (A,D) is found and nothing is missed.
Second, it solves the repeated computation caused by too coarse an association granularity. In the example of FIG. 6 and FIG. 7, with the scheme of FIG. 2 (association at the granularity of network devices) switch L1 would be associated with the reachable point pairs (A,B) and (A,C); when the forwarding policy of interface A changes, switch L1 is regarded as changed, so the reachability between the point pairs (A,B), (A,C), (B,A) and (C,A) is all recomputed. The reachability of the point pair (B,A) has not changed at all and need not be computed, and if switch L1 carries more reachable point pairs the repeated computation gets worse. The scheme of FIG. 13 solves for the first path starting from the changed interfaces and links rather than associating at device granularity, which avoids recomputing the reachability of (B,A).
The network configuration verification method of FIG. 13 compared with that of FIG. 4: it solves the repeated computation and large storage overhead caused by full-flow storage.
In the example of FIG. 6 and FIG. 7, with the scheme of FIG. 4 (full-flow storage) and no association table, each interface stores the flows that may pass through it; interface A, for instance, stores the flow objects:
A->B,(*,20.1.0.0/24,*,*,*)
A->C,(*,20.2.0.0/24,*,*,*)
A->D,(*,20.2.1.0/24,*,*,*)
When the forwarding policy of interface A changes, the reachability of these three flows is solved on the forwarding graph model of the base network configuration, which yields that interface A reaches interface B and interface A reaches interface C, and again on the forwarding graph model of the incremental network configuration, which yields that interface A reaches interface B and interface A reaches interface D; the two results are then compared to find the interfaces whose forwarding policy changed. In this process, solving on the forwarding graph model of the base network configuration is repeated computation.
Moreover, each interface has to store every flow that might pass through it, including flows that ultimately cannot reach their destination (interface A stores the flow from interface A to interface D, for instance), together with the detailed flow information. The scheme of FIG. 13 stores only the associated reachable point pairs for each interface, never unreachable pairs, which reduces storage overhead. Furthermore, in complex scenarios (for example a forwarding policy that admits only some packets) the flow information has to spell out the packet space explicitly as combinations of IP addresses and ports, whereas the scheme of FIG. 13 stores no detailed flow information, which again reduces storage overhead.
The scheme provided by the embodiments of this application can be used not only to verify an incremental network configuration but also to verify an incremental data plane. In the data-plane case the forwarding tables are not produced by protocol simulation of the base network configuration but are captured from the network devices. Data-plane verification suits after-the-fact checking: once the network configuration has been delivered to the network devices and has taken effect, the forwarding tables the devices actually generated are captured and, together with the captured configuration information, used to verify that the network state satisfies the operational intent.
本申请实施例还提供了一种网络配置的验证装置,该装置用于实现上述各种方法。该网络配置的验证装置可以为上述方法实施例中的SDN控制器,或者包含上述SDN控制器的装置,或者为SDN控制器内的芯片或功能模块。The embodiment of the present application also provides a network configuration verification device, which is used to implement the above-mentioned various methods. The device for verifying the network configuration may be the SDN controller in the above method embodiments, or a device including the above SDN controller, or a chip or functional module in the SDN controller.
可以理解的是,该网络配置的验证装置为了实现上述功能,其包含了执行各个功能相应的硬件结构和/或软件模块。本领域技术人员应该很容易意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。It can be understood that, in order to realize the above-mentioned functions, the verification apparatus of the network configuration includes corresponding hardware structures and/or software modules for executing each function. Those skilled in the art should easily realize that the present application can be implemented in hardware or a combination of hardware and computer software with the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein. Whether a function is performed by hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
本申请实施例可以根据上述方法实施例对网络配置的验证装置进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个处理模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。需要说明的是,本申请实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。In this embodiment of the present application, functional modules may be divided for the verification device of the network configuration according to the foregoing method embodiments. For example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. . The above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation.
比如,以网络配置的验证装置为上述方法实施例中的SDN控制器为例。图16示出了一种网络配置的验证装置160的结构示意图。该网络配置的验证装置160包括比较模块1601、获取模块1602、解析模块1603,可选的,还包括更新模块1604。比较模块1601可以执行图13中的步骤S1301,图14中的步骤S13011-S13014。获取模块1602可以执行图13中的步骤S1302,图15中的步骤S13021-S13024。解析模块1603可以执行图12中的步骤S1201-S1202,图13中的步骤S1303。For example, it is assumed that the device for verifying the network configuration is the SDN controller in the above method embodiment. FIG. 16 shows a schematic structural diagram of a verification apparatus 160 for a network configuration. The network configuration verification device 160 includes a comparison module 1601 , an acquisition module 1602 , an analysis module 1603 , and optionally, an update module 1604 . The comparison module 1601 may perform step S1301 in FIG. 13 and steps S13011-S13014 in FIG. 14 . The obtaining module 1602 may execute step S1302 in FIG. 13 and steps S13021-S13024 in FIG. 15 . The parsing module 1603 may execute steps S1201-S1202 in FIG. 12 and step S1303 in FIG. 13 .
示例性的,比较模块1601,用于比较基础网络配置与增量网络配置,以及,比较基础网络配置对应的转发表与增量网络配置对应的转发表,以得到转发策略发生变更的接口和/或转发路由发生变更的链路;获取模块1602,获取第一可达点对,其中,第一可达点对指示接口和/或链路在增量网络配置下,所在的路径的一对业务接入点;比较模块1601,还用于查找基础网络配置对应的关联表,以得到第二可达点对,并与第一可达点对进行比较,以对增量网络配置进行验证;其中,关联表指示网络中,路径经过的接口和/或链路与路径的可达点对的关联关系,第二可达点对指示接口和/或链路在基础网络配置下,所在路径的一对业务接入点。Exemplarily, the comparison module 1601 is configured to compare the basic network configuration and the incremental network configuration, and compare the forwarding table corresponding to the basic network configuration with the forwarding table corresponding to the incremental network configuration, so as to obtain the interface and/or the forwarding policy changed. or forwarding a link whose route has changed; the obtaining module 1602 obtains a first reachable point pair, wherein the first reachable point pair indicates a pair of services of the path where the interface and/or link is located under the incremental network configuration access point; the comparison module 1601 is further configured to look up the association table corresponding to the basic network configuration to obtain the second reachable point pair, and compare it with the first reachable point pair to verify the incremental network configuration; wherein , the association table indicates the association relationship between the interface and/or link that the path passes through and the reachable point pair of the path in the network, and the second reachable point pair indicates that the interface and/or link is located in one of the paths in the basic network configuration. to the service access point.
在一种可能的实施方式中,还包括:解析模块1603,用于解析基础网络配置对应的可达矩阵,以得到关联表,其中,可达矩阵指用于表示网络中的业务接入点两两之间是否可达的矩阵。In a possible implementation manner, the method further includes: a parsing module 1603, configured to parse a reachability matrix corresponding to the basic network configuration to obtain an association table, wherein the reachability matrix refers to a two-dimensional representation of service access points in the network. A matrix of reachability between two.
在一种可能的实施方式中,还包括:更新模块1604,用于根据第一可达点对更新可达矩阵和关联表。In a possible implementation manner, the method further includes: an update module 1604, configured to update the reachability matrix and the association table according to the first reachable point pair.
在一种可能的实施方式中,解析模块1603,具体用于:针对可达矩阵中的每条可达路径,提取构成可达路径的各条跨设备链路的入接口和出接口,建立入接口和出接口与可达路径的可达点对的关联关系;如果入接口和出接口均不是业务接入点,则建立链路与可达路径的可达点对的关联关系。In a possible implementation manner, the parsing module 1603 is specifically configured to: for each reachable path in the reachable matrix, extract the inbound interface and outbound interface of each cross-device link that constitutes the reachable path, and establish an inbound interface and an outbound interface of each cross-device link constituting the reachable path. The association relationship between the interface and the outgoing interface and the reachable point pair of the reachable path; if neither the incoming interface nor the outgoing interface is a service access point, the association relationship between the link and the reachable point pair of the reachable path is established.
在一种可能的实施方式中,比较模块1601具体用于:如果接口和/或链路只在基础网络配置或对应的转发表中存在,则将接口和/或链路加入删除列表,将接口标记为转发策略发生变更,将链路标记为转发路由发生变更;如果接口和/或链路只在增量网络配置或对应的转发表中存在,则将接口和/或链路加入增加列表,将接口标记为转发策略发生变更,将链路标记为转发路由发生变更;如果接口在基础网络配置和增量网 络配置中的转发策略的报文空间不一致,则将接口加入修改列表,并标记为转发策略发生变更;如果链路在基础网络配置和增量网络配置中的转发路由的报文空间不一致,则将链路加入修改列表,并标记为转发路由发生变更。In a possible implementation manner, the comparison module 1601 is specifically configured to: if the interface and/or link exists only in the basic network configuration or the corresponding forwarding table, add the interface and/or link to the deletion list, and add the interface and/or link to the deletion list. Mark as the forwarding policy has changed, and mark the link as the forwarding route has changed; if the interface and/or link only exists in the incremental network configuration or the corresponding forwarding table, add the interface and/or link to the increase list, Mark the interface as having changed the forwarding policy, and mark the link as having changed the forwarding route; if the packet space of the forwarding policy of the interface in the basic network configuration and the incremental network configuration is inconsistent, add the interface to the modification list and mark it as The forwarding policy is changed; if the packet space of the forwarding route of the link in the basic network configuration and the incremental network configuration is inconsistent, the link is added to the modification list and marked as the forwarding route changed.
在一种可能的实施方式中,获取模块1602,具体用于:计算在增量网络配置下,经过接口和/或链路的第一路径;取第一路径两端的一对业务接入点作为第一可达点对。In a possible implementation manner, the obtaining module 1602 is specifically configured to: calculate the first path passing through the interface and/or link under the incremental network configuration; take a pair of service access points at both ends of the first path as The first reachable point pair.
In one possible implementation, the obtaining module 1602 is specifically configured to: for an interface whose forwarding policy has changed, take the interface as the starting point, take the packet space of the forwarding policy corresponding to the interface in the incremental network configuration as the initial packet space, take all service access points as end points, and solve for a first reachable path by forward traversal in the forwarding graph model of the incremental network configuration; for a link whose forwarding route has changed, take the starting interface of the link as the starting point, take the packet space of the forwarding route corresponding to the link in the incremental network configuration as the initial packet space, take all service access points as end points, and solve for the first reachable path by forward traversal in the forwarding graph model of the incremental network configuration; starting from the same starting point and initial packet space, with all service access points as end points, solve for a second reachable path by reverse traversal in the forwarding graph model; and take the intersection of the first reachable path and the second reachable path: if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splice the first reachable path and the second reachable path to obtain the first path, and use the result of the intersection as the packet space of the first path.
In this embodiment, the network configuration verification apparatus 160 is presented in the form of functional modules divided in an integrated manner. A "module" here may refer to a specific ASIC, a circuit, a processor and memory executing one or more software or firmware programs, an integrated logic circuit, and/or another device that can provide the functions described above.
Specifically, the functions/implementation processes of the modules in FIG. 8 may be implemented by a processor in the terminal device invoking computer-executable instructions stored in the memory.
Since the network configuration verification apparatus 160 provided in this embodiment can perform the method described above, the technical effects it can achieve may be found in the method embodiments above and are not repeated here.
As shown in FIG. 17, an embodiment of the present application further provides a network configuration verification apparatus. The network configuration verification apparatus 170 includes a processor 1701, a memory 1702 and a network interface 1703, which are coupled to one another; when the processor 1701 executes the computer programs or instructions in the memory 1702, the corresponding methods in FIGS. 12 to 15 are performed.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when run on a computer or processor, causes the computer or processor to perform the corresponding methods in FIGS. 12 to 15.
An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer or processor, cause the computer or processor to perform the corresponding methods in FIGS. 12 to 15.
An embodiment of the present application provides a chip system. The chip system includes a processor and is used by the network configuration verification apparatus to perform the corresponding methods in FIGS. 12 to 15.
In one possible design, the chip system further includes a memory for storing necessary program instructions and data. The chip system may consist of chips and integrated circuits, or may include chips together with other discrete devices; this is not specifically limited in the embodiments of the present application.
The network configuration verification apparatus, chip, computer storage medium, computer program product and chip system provided in the present application are all used to perform the method described above; the beneficial effects they can achieve therefore correspond to those of the implementations provided above and are not repeated here.
The processor involved in the embodiments of the present application may be a chip. For example, it may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD), or another integrated chip.
The memory involved in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the processes described above do not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic and does not constitute any limitation on the implementation of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid state disk (SSD)).
The above are merely specific embodiments of the present application, but the protection scope of the present application is not limited to them. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. The protection scope of the present application shall therefore be subject to the protection scope of the claims.

Claims (16)

  1. A method for verifying a network configuration, comprising:
    comparing a base network configuration with an incremental network configuration, and comparing a forwarding table corresponding to the base network configuration with a forwarding table corresponding to the incremental network configuration, to obtain an interface whose forwarding policy has changed and/or a link whose forwarding route has changed in the network;
    obtaining a first reachable point pair, wherein the first reachable point pair indicates a pair of service access points of the path on which the interface and/or the link is located under the incremental network configuration;
    looking up an association table corresponding to the base network configuration to obtain a second reachable point pair, and comparing it with the first reachable point pair to verify the incremental network configuration; wherein the association table indicates the association, in the network, between the interfaces and/or links that a path passes through and the reachable point pair of that path, and the second reachable point pair indicates a pair of service access points of the path on which the interface and/or link is located under the base network configuration.
  2. The method according to claim 1, further comprising:
    parsing a reachability matrix corresponding to the base network configuration to obtain the association table, wherein the reachability matrix is a matrix representing whether each pair of service access points in the network is reachable.
  3. The method according to claim 2, further comprising:
    updating the reachability matrix and the association table according to the first reachable point pair.
  4. The method according to claim 2 or 3, wherein parsing the reachability matrix corresponding to the base network configuration to obtain the association table comprises:
    for each reachable path in the reachability matrix, extracting the inbound interface and the outbound interface of each cross-device link constituting the reachable path, and establishing an association between the inbound interface and the outbound interface and the reachable point pair of the reachable path;
    if neither the inbound interface nor the outbound interface is a service access point, establishing an association between the link and the reachable point pair of the reachable path, the link being indicated by the combination of the inbound interface and the outbound interface.
  5. The method according to any one of claims 1 to 4, wherein comparing the base network configuration with the incremental network configuration, and comparing the forwarding table corresponding to the base network configuration with the forwarding table corresponding to the incremental network configuration, to obtain the interface whose forwarding policy has changed and/or the link whose forwarding route has changed in the network, comprises:
    if the interface and/or the link exists only in the base network configuration or its corresponding forwarding table, adding the interface and/or the link to a deletion list, marking the interface as having a changed forwarding policy and marking the link as having a changed forwarding route;
    if the interface and/or the link exists only in the incremental network configuration or its corresponding forwarding table, adding the interface and/or the link to an addition list, marking the interface as having a changed forwarding policy and marking the link as having a changed forwarding route;
    if the packet space of the forwarding policy of the interface differs between the base network configuration and the incremental network configuration, adding the interface to a modification list and marking it as having a changed forwarding policy;
    if the packet space of the forwarding route of the link differs between the base network configuration and the incremental network configuration, adding the link to the modification list and marking it as having a changed forwarding route.
  6. The method according to any one of claims 1 to 5, wherein obtaining the first reachable point pair comprises:
    computing a first path passing through the interface and/or link under the incremental network configuration;
    taking the pair of service access points at the two ends of the first path as the first reachable point pair.
  7. The method according to claim 6, wherein computing the first path passing through the interface and/or link under the incremental network configuration comprises:
    for an interface whose forwarding policy has changed, taking the interface as the starting point, taking the packet space of the forwarding policy corresponding to the interface in the incremental network configuration as the initial packet space, taking all service access points as end points, and solving for a first reachable path by forward traversal in the forwarding graph model of the incremental network configuration;
    for a link whose forwarding route has changed, taking the starting interface of the link as the starting point, taking the packet space of the forwarding route corresponding to the link in the incremental network configuration as the initial packet space, taking all service access points as end points, and solving for the first reachable path by forward traversal in the forwarding graph model of the incremental network configuration;
    starting from the starting point and the initial packet space, with all service access points as end points, solving for a second reachable path by reverse traversal in the forwarding graph model;
    taking the intersection of the first reachable path and the second reachable path, and if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splicing the first reachable path and the second reachable path to obtain the first path, and using the result of the intersection as the packet space of the first path.
  8. An apparatus for verifying a network configuration, comprising:
    a comparison module, configured to compare a base network configuration with an incremental network configuration, and to compare a forwarding table corresponding to the base network configuration with a forwarding table corresponding to the incremental network configuration, to obtain an interface whose forwarding policy has changed and/or a link whose forwarding route has changed;
    an obtaining module, configured to obtain a first reachable point pair, wherein the first reachable point pair indicates a pair of service access points of the path on which the interface and/or the link is located under the incremental network configuration;
    the comparison module being further configured to look up an association table corresponding to the base network configuration to obtain a second reachable point pair, and to compare it with the first reachable point pair to verify the incremental network configuration; wherein the association table indicates the association, in the network, between the interfaces and/or links that a path passes through and the reachable point pair of that path, and the second reachable point pair indicates a pair of service access points of the path on which the interface and/or link is located under the base network configuration.
  9. The apparatus according to claim 8, further comprising:
    a parsing module, configured to parse a reachability matrix corresponding to the base network configuration to obtain the association table, wherein the reachability matrix is a matrix representing whether each pair of service access points in the network is reachable.
  10. The apparatus according to claim 9, further comprising:
    an update module, configured to update the reachability matrix and the association table according to the first reachable point pair.
  11. The apparatus according to claim 9 or 10, wherein the parsing module is specifically configured to:
    for each reachable path in the reachability matrix, extract the inbound interface and the outbound interface of each cross-device link constituting the reachable path, and establish an association between the inbound interface and the outbound interface and the reachable point pair of the reachable path;
    if neither the inbound interface nor the outbound interface is a service access point, establish an association between the link and the reachable point pair of the reachable path.
  12. The apparatus according to any one of claims 8 to 11, wherein the comparison module is specifically configured to:
    if the interface and/or the link exists only in the base network configuration or its corresponding forwarding table, add the interface and/or the link to a deletion list, mark the interface as having a changed forwarding policy and mark the link as having a changed forwarding route;
    if the interface and/or the link exists only in the incremental network configuration or its corresponding forwarding table, add the interface and/or the link to an addition list, mark the interface as having a changed forwarding policy and mark the link as having a changed forwarding route;
    if the packet space of the forwarding policy of the interface differs between the base network configuration and the incremental network configuration, add the interface to a modification list and mark it as having a changed forwarding policy;
    if the packet space of the forwarding route of the link differs between the base network configuration and the incremental network configuration, add the link to the modification list and mark it as having a changed forwarding route.
  13. The apparatus according to any one of claims 8 to 12, wherein the obtaining module is specifically configured to:
    compute a first path passing through the interface and/or link under the incremental network configuration;
    take the pair of service access points at the two ends of the first path as the first reachable point pair.
  14. The apparatus according to claim 13, wherein the obtaining module is specifically configured to:
    for an interface whose forwarding policy has changed, take the interface as the starting point, take the packet space of the forwarding policy corresponding to the interface in the incremental network configuration as the initial packet space, take all service access points as end points, and solve for a first reachable path by forward traversal in the forwarding graph model of the incremental network configuration;
    for a link whose forwarding route has changed, take the starting interface of the link as the starting point, take the packet space of the forwarding route corresponding to the link in the incremental network configuration as the initial packet space, take all service access points as end points, and solve for the first reachable path by forward traversal in the forwarding graph model of the incremental network configuration;
    starting from the starting point and the initial packet space, with all service access points as end points, solve for a second reachable path by reverse traversal in the forwarding graph model;
    take the intersection of the first reachable path and the second reachable path, and if the intersection of the packet space of the first reachable path and the packet space of the second reachable path is not empty, splice the first reachable path and the second reachable path to obtain the first path, and use the result of the intersection as the packet space of the first path.
  15. An apparatus for verifying a network configuration, comprising:
    a memory for storing a computer program;
    a processor connected to the memory, configured to invoke the computer program stored in the memory so that the apparatus performs the method according to any one of claims 1 to 7.
  16. A computer-readable storage medium, comprising a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 7.
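The procedure of claims 1 to 7, and of the obtaining module described in the specification above (forward and reverse traversal from the changed interface, packet-space intersection, splicing), carried through as an added Python example that is not part of the patent or of any Huawei implementation. The packet-space model (a set of destination prefixes), the interface names, the forwarding table and the tested change are constructed assumptions, and the cross-device/intra-device distinction of claim 4 is collapsed so that every forwarding-table hop counts as a link.

```python
"""Claims 1-7 as runnable code: configuration diff, association table from the base
reachability matrix, first reachable point pairs by forward/reverse traversal."""
from collections import defaultdict
from itertools import chain, product

# Constructed model (assumption): a packet space is a frozenset of flow classes
# (destination prefixes); a configuration maps interface -> admitted packet space;
# a forwarding table maps (from_if, to_if) -> routed packet space, and every such
# hop counts as a link; SAPs are the interfaces where every path starts and ends.
P1, P3, P4 = "10.1.0.0/16", "10.3.0.0/16", "10.4.0.0/16"
ALL = frozenset({P1, P3, P4})
SAPS = {"S1", "S3", "S4"}
BASE_FWD = {  # R1-R2-R3 chain with R4 hanging off R2; P<n> is reached via S<n>
    ("S1", "R1:e1"): {P3, P4}, ("R1:e1", "S1"): {P1},
    ("R1:e1", "R2:e1"): ALL, ("R2:e1", "R1:e1"): ALL,
    ("R2:e1", "R2:e2"): {P3}, ("R2:e1", "R2:e3"): {P4},
    ("R2:e2", "R2:e1"): {P1}, ("R2:e2", "R2:e3"): {P4},
    ("R2:e3", "R2:e1"): {P1}, ("R2:e3", "R2:e2"): {P3},
    ("R2:e2", "R3:e1"): ALL, ("R3:e1", "R2:e2"): ALL,
    ("R3:e1", "S3"): {P3}, ("S3", "R3:e1"): {P1, P4},
    ("R2:e3", "R4:e1"): ALL, ("R4:e1", "R2:e3"): ALL,
    ("R4:e1", "S4"): {P4}, ("S4", "R4:e1"): {P1, P3},
}
BASE_CFG = {i: ALL for hop in BASE_FWD for i in hop}  # every policy admits all
# Incremental change under test: R2:e3's policy stops admitting traffic to P4.
INC_CFG = dict(BASE_CFG, **{"R2:e3": frozenset({P1, P3})})
INC_FWD = dict(BASE_FWD)

def classify(base, inc):
    """Claim 5: delete / add / modify lists from two keyed packet-space maps."""
    lists = {"delete": [], "add": [], "modify": []}
    for key in sorted(base.keys() | inc.keys(), key=str):
        if key not in inc:
            lists["delete"].append(key)
        elif key not in base:
            lists["add"].append(key)
        elif base[key] != inc[key]:
            lists["modify"].append(key)
    return lists

def reachable_paths(cfg, fwd, start, space, saps, reverse=False):
    """Claim 7 traversal from start to a SAP, narrowing the space by route and policy."""
    found = []
    def walk(iface, space, path):
        if iface in saps and iface != start:
            found.append((path, space))
            return
        for (a, b), route in fwd.items():
            here, nxt = (b, a) if reverse else (a, b)   # reverse walks hops backwards
            if here != iface or nxt in path:            # wrong direction, or a loop
                continue
            narrowed = space & route & cfg.get(nxt, frozenset())
            if narrowed:
                walk(nxt, narrowed, [nxt] + path if reverse else path + [nxt])
    walk(start, space & cfg.get(start, frozenset()), [start])
    return found

def first_paths(cfg, fwd, start, space, saps):
    """Claim 7, last step: splice reverse and forward paths whose spaces intersect."""
    forward = reachable_paths(cfg, fwd, start, space, saps)
    backward = reachable_paths(cfg, fwd, start, space, saps, reverse=True)
    return [(bp + fp[1:], bs & fs)
            for (bp, bs), (fp, fs) in product(backward, forward) if bs & fs]

def reachability_matrix(cfg, fwd, saps):
    """Claim 2: ordered SAP pair -> the paths (with packet space) joining them."""
    matrix = defaultdict(list)
    for sap in sorted(saps):
        for path, space in reachable_paths(cfg, fwd, sap, cfg[sap], saps):
            matrix[(sap, path[-1])].append((path, space))
    return matrix

def association_table(matrix, saps):
    """Claim 4: interface (or link with no SAP end) -> point pairs whose path uses it."""
    assoc = defaultdict(set)
    for pair, paths in matrix.items():
        for path, _ in paths:
            for a, b in zip(path, path[1:]):
                assoc[a].add(pair)
                assoc[b].add(pair)
                if a not in saps and b not in saps:
                    assoc[(a, b)].add(pair)
    return assoc

def verify_increment(base_cfg, base_fwd, inc_cfg, inc_fwd, saps):
    """Claim 1: per change, first pairs (incremental) vs second pairs (base table)."""
    assoc = association_table(reachability_matrix(base_cfg, base_fwd, saps), saps)
    # (start interface, initial packet space, association-table key) per change
    changed = [(i, inc_cfg.get(i, frozenset()), i)
               for i in chain(*classify(base_cfg, inc_cfg).values())]
    changed += [(a, inc_fwd.get((a, b), frozenset()), (a, b))
                for a, b in chain(*classify(base_fwd, inc_fwd).values())]
    report = {}
    for start, space, key in changed:
        first = {(p[0], p[-1]) for p, _ in first_paths(inc_cfg, inc_fwd, start, space, saps)}
        second = assoc.get(key, set())
        report[key] = {"lost": second - first, "gained": first - second}
    return report
```

With the constructed change, `verify_increment(BASE_CFG, BASE_FWD, INC_CFG, INC_FWD, SAPS)` reports that the pairs (S1, S4) and (S3, S4) are lost at R2:e3 while the reverse direction survives, which is exactly the per-change answer the association table makes available without recomputing the whole reachability matrix.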
PCT/CN2021/103512 2020-06-30 2021-06-30 Verification method and apparatus for network configuration WO2022002123A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010615579.8A CN113872784B (en) 2020-06-30 2020-06-30 Network configuration verification method and device
CN202010615579.8 2020-06-30

Publications (1)

Publication Number Publication Date
WO2022002123A1 true WO2022002123A1 (en) 2022-01-06

Family

ID=78981432

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/103512 WO2022002123A1 (en) 2020-06-30 2021-06-30 Verification method and apparatus for network configuration

Country Status (2)

Country Link
CN (1) CN113872784B (en)
WO (1) WO2022002123A1 (en)


Also Published As

Publication number Publication date
CN113872784A (en) 2021-12-31
CN113872784B (en) 2022-12-06


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21833001

Country of ref document: EP

Kind code of ref document: A1