WO2023207048A1 - Network intent mining method and apparatus, and related device - Google Patents


Info

Publication number
WO2023207048A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
physical
intent
intention
physical network
Application number
PCT/CN2022/133151
Other languages
French (fr)
Chinese (zh)
Inventor
杨永强
张鹏
康宁
冀朝阳
Original Assignee
华为云计算技术有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements
    • H04L41/0803: Configuration setting
    • H04L41/12: Discovery or management of network topologies
    • H04L41/14: Network analysis or design
    • H04L41/142: Network analysis or design using statistical or mathematical methods
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805: Monitoring or testing based on specific metrics by checking availability
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/02: Topology update or discovery
    • H04L45/76: Routing in software-defined topologies, e.g. routing between virtual machines

Definitions

  • the present application relates to the field of Internet technology, and in particular to a network intent mining method, device and related equipment.
  • network intent mining refers to a technology that converts actual network configurations into functions carried by the network and presents them in the form of intents, which can help managers (or operation and maintenance personnel) manage the network more efficiently.
  • VPC virtual private cloud
  • This application provides a network intent mining method to mine the intent in the network.
  • this application also provides a network intent mining device, a computing device, a computer-readable storage medium, and a computer program product.
  • this application provides a network intent mining method. Specifically, the network configuration of the physical network and the physical topology of the physical network are obtained; the forwarding rules of each of multiple routing nodes in the physical network are determined based on the network configuration and physical topology; and the intent in the physical network is determined based on the physical topology and the multiple forwarding rules of the multiple routing nodes.
  • the intent in the physical network includes the following types: reachability intent, key point intent, load balancing intent, or isolation intent in the physical network. Among them, the reachability intent can reflect the reachability between two subnets in the physical network; the load balancing intent can reflect that multiple routing paths between two reachable subnets in the physical network can be load balanced; the key point intent can reflect the same routing node passed through by multiple routing paths between two reachable subnets in the physical network; and the isolation intent can reflect the unreachability between two subnets in the physical network.
  • the mined intents can be any one or more of reachability intents, key point intents, load balancing intents, or isolation intents.
  • forwarding rules are generated based on the network configuration and physical topology, and network intents are mined based on the generated forwarding rules rather than on forwarding rules extracted from the actual routing devices. This effectively prevents changes in the actual operation of the physical network (such as a routing device failure or link failure) from affecting the accuracy of intent mining on the physical network.
  • intent mining can be achieved across the entire network and is not limited to parts of the physical network.
  • multiple routing paths in the physical network may be generated based on the physical topology and multiple forwarding rules of multiple routing nodes. The multiple routing paths are used to forward data packets between multiple subnets in the physical network, so that the intent in the physical network can be mined based on the multiple routing paths. In this way, intents in the physical network can be mined by simulating and generating multiple routing paths in the physical network.
  • a forwarding graph including multiple routing nodes may be generated based on the physical topology and multiple forwarding rules of the multiple routing nodes.
  • the forwarding graph is used to indicate the packet forwarding behavior of multiple routing nodes, so that the forwarding graph can be traversed to generate multiple routing paths in the physical network.
  • multiple routing paths in the physical network can be generated by constructing and traversing the forwarding graph, so as to facilitate subsequent mining of intentions in the physical network based on the multiple routing paths.
  • the equivalence class corresponding to the target subnet in the physical network can be determined based on multiple forwarding rules of multiple routing nodes.
  • the forwarding graph is traversed, and one or more routing paths are determined in the physical network for the determined equivalence class.
  • for each subnet, the corresponding one or more routing paths can be determined based on the above method, thereby obtaining multiple routing paths corresponding to the multiple subnets in the physical network.
  • the location corresponding to the mined intention can be determined based on the network configuration and physical topology of the physical network.
  • the link tolerance upper limit of an intent is used to indicate the maximum number of physical links that are allowed to fail for that intent. In this way, the reliability of each intent in the physical network is determined based on its link tolerance upper limit, so that a loss of reliability of each intent can be avoided as much as possible when the physical network is migrated to the cloud.
  • the minimum cut between the two subnets related to the intent in the physical network can be calculated based on the network configuration and physical topology, so that the link tolerance upper limit corresponding to the intent is determined according to the minimum cut between the two subnets. In this way, the link tolerance upper limit corresponding to each intent can be determined through graph processing.
  • the target number of physical links that the intent allows to fail can be determined first, and when the minimum cut between the two subnets is not greater than the target number, multiple sets in the physical network are enumerated, the number of failed physical links in each of the multiple sets being not greater than the minimum cut, so that the link tolerance upper limit corresponding to the intent is determined according to the multiple sets. In this way, under the condition that the number of failed physical links is small, it can be verified through enumeration whether (minimum cut - 1) can be used as the link tolerance upper limit corresponding to the intent.
  • the target number of physical links that the intent allows to fail can be determined first, and when the minimum cut between the two subnets is greater than the target number, multiple data planes are generated. Each of the multiple data planes is used to indicate a failed logical link between the two subnets, different data planes indicate different failed logical links, and each logical link corresponds to at least one physical link. The total number of failed physical links in each data plane is not greater than the minimum cut, so that the link tolerance upper limit corresponding to the intent is determined based on the multiple data planes. In this way, under the condition that there are a large number of failed physical links, it can be verified based on the multiple generated data planes whether (minimum cut - 1) can be used as the link tolerance upper limit corresponding to the intent.
  • the total number of multiple first sets in the physical network can be calculated when the number of failed physical links in the physical network is a first number, where the total number of failed physical links in each first set of the plurality of first sets is not greater than the first number.
  • when the total number of the plurality of first sets is less than a preset threshold (which can be set in advance by technical personnel, etc.), the total number of multiple second sets in the physical network is calculated when the number of failed physical links in the physical network is a second number, where the number of failed physical links in each second set of the multiple second sets is not greater than the second number and the second number is greater than the first number, so that when the total number of the second sets is greater than the preset threshold, the first number is determined to be the target number of physical links that the intent allows to fail.
  • a virtual network can also be configured in the cloud according to the intention in the physical network, so as to realize network migration from the physical network to the cloud.
  • the virtual network configured on the cloud includes multiple virtual private clouds (VPCs), and either the number of access control list (ACL) rules in each VPC does not exceed a first threshold, that is, the ACL resources consumed in each VPC can be limited, or the number of VPCs in the virtual network does not exceed a second threshold, that is, the peering connection resources between VPCs consumed in the virtual network can be limited.
  • priority can be given to reducing the consumption of ACL resources.
  • the consumption of peering connection resources between VPCs can be reduced as much as possible.
  • this application provides a network intent mining device, which includes various modules for implementing the network intent mining method in the first aspect or any possible implementation of the first aspect.
  • the present application provides a computing device, which includes a processor and a memory; the memory is used to store instructions, and when the computing device is running, the processor executes the instructions stored in the memory, so that the computing device executes the network intent mining method in the above first aspect or any implementation of the first aspect.
  • the memory can be integrated into the processor or independent of the processor. The computing device may also include a bus, through which the processor is connected to the memory.
  • the memory may include readable memory and random access memory.
  • the present application provides a computer-readable storage medium that stores instructions which, when run on a computing device, cause the computing device to execute the method in the above first aspect or any implementation of the first aspect.
  • the present application provides a computer program product containing instructions that, when run on a computing device, cause the computing device to execute the method in the above-mentioned first aspect or any implementation of the first aspect.
  • Figure 1 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application.
  • Figure 2 is a schematic flowchart of a network intent mining method provided by an embodiment of the present application.
  • Figure 3 is a schematic diagram of an exemplary interactive interface provided by an embodiment of the present application.
  • Figure 4 is a schematic diagram of the tree structure corresponding to multiple data planes.
  • Figure 5 is a schematic structural diagram of an exemplary physical network 200 provided by an embodiment of the present application.
  • Figure 6 is a schematic diagram of the information in the ACL table configured in routing device R3.
  • Figure 7 is a schematic diagram of multiple routing topologies extracted from the physical network 200.
  • Figure 8 is a schematic diagram of the forwarding table generated by routing device R6.
  • Figure 9 is a schematic diagram of equivalence classes divided based on the forwarding table (and ACL table).
  • Figure 10 is a schematic diagram of the constructed forwarding graph.
  • Figure 11 is a schematic diagram of the data plane corresponding to the reachability intent between subnet 1 and subnet 4.
  • Figure 12 is a schematic diagram of the connections between different subnets.
  • Figure 13 is a schematic diagram of grouping multiple subnets.
  • Figure 14 is a schematic structural diagram of a network intent mining device provided by an embodiment of the present application.
  • Figure 15 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • Figure 1 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application.
  • the user 100 (through a user terminal or client, etc.) can send an extraction instruction to the physical network 200 to instruct the physical network 200 to feed back its network configuration and physical topology to the user 100.
  • the user 100 can send an intent mining request to the network intent mining device 300, so that the network intent mining device 300 mines the intent in the physical network 200 according to the network configuration and physical topology included in the intent mining request and feeds the mined intent back to the user 100. The user 100 can then understand the physical network 200 based on the mined intent, or configure a corresponding virtual network in the cloud based on the intent to implement network migration.
  • the network intent mining device 300 can be deployed locally.
  • the network intent mining device 300 can be installed as a plug-in on a local terminal device, and after running, the plug-in can provide the user 100 with a local service of mining network intentions.
  • the network intent mining device 300 can also be implemented by hardware, such as using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
  • ASIC application-specific integrated circuit
  • PLD programmable logic device
  • the PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof, implementing the functions of the above network elements or modules.
  • the network intent mining device 300 may also be deployed in a cloud as a cloud service, such as an edge cloud, a distributed cloud, or a public cloud.
  • the network intent mining device 300 deployed in the cloud can provide the user 100 with a corresponding interactive interface for interacting with the user 100 .
  • the network intent mining device 300 located in the cloud can provide the user 100 with a cloud service for mining network intent.
  • the specific deployment method of the network intent mining device 300 is not limited.
  • the network intent mining device 300 can provide multiple users with local or cloud intent mining services, etc.
  • Figure 2 is a schematic flow chart of a network intent mining method provided by an embodiment of the present application.
  • the method flow shown in Figure 2 can be implemented by the above-mentioned network intent mining device 300.
  • the following takes the network intention mining method shown in Figure 2 applied to the network intention mining device 300 shown in Figure 1 as an example for illustrative description.
  • the method may specifically include:
  • the network intent mining device 300 obtains the network configuration of the physical network 200 and the physical topology of the physical network 200.
  • the network configuration of the physical network 200 can be used to indicate configuration information such as the identification of ports on each routing device (such as a router) in the physical network 200 and the multiple subnets included in the physical network 200 (data packets between different subnets are forwarded through routing devices).
  • the network configuration may also include other information, such as the routing protocol (routing protocol) used by the routing device in the physical network 200 to forward data packets, the Internet Protocol (IP) address of the routing device, etc.
  • the physical topology of the physical network 200 can be used to indicate the interconnection structure between different routing devices in the physical network 200. Different routing devices can be interconnected through one or more physical links.
  • when the user 100 wishes to mine the intent in the physical network 200, the user 100 can extract the network configuration from a physical device in the physical network 200, for example by sending an extraction instruction to the physical device so that it collects information such as the network configuration and physical topology from the physical network 200 and outputs it to the user 100.
  • the physical device may be a routing device or other device in the physical network 200.
  • the user 100 may send the network configuration and physical topology to the network intent mining device 300 to request the network intent mining device 300 to mine the intent in the physical network 200 .
  • the network intent mining device 300 can present an interactive interface as shown in Figure 3 to the external user 100 and prompt the user 100 in the interactive interface to import the network configuration and physical topology required for intent mining, so that the user 100 can input information such as the network configuration and physical topology to the network intent mining device 300 on the interactive interface.
  • the user 100 may also instruct the physical device in the physical network 200 to send the collected network configuration and physical topology to the network intent mining device 300 to trigger the network intent mining device 300 to perform the network intent mining process.
  • the specific implementation manner of how the network intent mining device 300 obtains the network configuration and physical topology of the physical network 200 is not limited.
  • the intent in the physical network 200 to be mined may specifically be any one or more of the reachability intent, the waypoint (key point) intent, the load balancing intent, or the isolation intent.
  • the reachability intent can be used to indicate the reachability between different subnets in the physical network 200. For example, when a data packet sent by subnet A can be forwarded to subnet B by the routing devices in the physical network 200, subnet A and subnet B in the physical network 200 are reachable; and when a data packet sent by subnet A cannot be forwarded to subnet C, subnet A and subnet C in the physical network 200 are unreachable.
  • the key point intent may be used to indicate the same routing device that data packets pass through during communication between multiple subnets in the physical network 200 .
  • for example, the data packets sent by subnet A are forwarded in sequence by routing device 1, routing device 2, routing device 3 and routing device 4 and finally transmitted to subnet B; routing device 2 can then be determined as the key point.
  • the load balancing intent may be used to indicate the number of forwarding paths that can be used in the physical network 200 to transmit data packets between different subnets. For example, when subnet A and subnet B in the physical network 200 communicate, a data packet sent by subnet A can be transmitted to subnet B through routing device 1, routing device 2 and routing device 3, or through routing device 1, routing device 4 and routing device 3; there are then two forwarding paths between subnet A and subnet B that can be used to forward data packets, and a data packet sent by subnet A (or subnet B) can be preferentially transmitted to subnet B (or subnet A) through the forwarding path with the smaller load.
  • the isolation intention can be used to indicate the isolation between different subnets in the physical network 200, that is, the data packets between the two subnets are not reachable to each other. For example, if data packets sent by subnet A in the physical network 200 cannot be transmitted to subnet B, then subnet A and subnet B are isolated.
  • the network intent mining device 300 determines the forwarding rules of each of the multiple routing nodes in the physical network 200 based on the network configuration and physical topology.
  • the forwarding rules of each routing node are used to constrain the routing node's forwarding of data packets.
  • the physical network 200 includes multiple routing nodes, and the multiple routing nodes can be used to forward data packets communicated between different subnets.
  • each routing node can be implemented by a routing device.
  • when a routing device is configured with multiple virtual routing and forwarding (VRF) tables, each VRF table can be regarded as a routing node, that is, one routing device can correspond to multiple routing nodes.
  • Each routing node can be configured with a forwarding table or VRF table.
  • the forwarding table or VRF table includes at least one forwarding rule.
  • Each forwarding rule can be, for example, a row of data in the forwarding table or VRF table, used to indicate the port, next hop, etc. that the routing node uses when forwarding data packets corresponding to each subnet.
  • after the network intent mining device 300 obtains the network configuration and physical topology of the physical network 200, it can input them into a configuration parser such as Batfish, so that the configuration parser parses them into a vendor-independent network configuration and a standardized form of the physical topology.
  • the network intent mining device 300 can determine the forwarding rules of multiple routing nodes in the physical network 200 according to the network configuration and physical topology. In a possible implementation, the network intent mining device 300 can determine the routing topology corresponding to multiple routing devices in the physical network 200 based on the network configuration and physical topology of the physical network 200 .
  • the network intent mining device 300 can determine, based on the network configuration and physical topology, the virtual local area network (VLAN) to which each routing device in the physical network 200 belongs and the VLAN tags that each routing device can add on the physical links between interconnected routing devices. Then, the network intent mining device 300 can traverse any two routing devices among the multiple routing devices to determine whether the two routing devices are reachable at Layer 2 and whether the ports of the two routing devices belong to the same subnet. When two routing devices are reachable at Layer 2 and their ports belong to the same subnet, the network intent mining device 300 can extract a Layer 3 link based on the two routing devices to represent that the two routing devices are mutually reachable.
  • VLAN virtual local area network
  • otherwise, the network intent mining device 300 can determine that there is no Layer 3 link between the two routing devices. In actual application, a Layer 3 link between two routing devices can be implemented through one or more physical links. In this way, the network intent mining device 300 can extract multiple Layer 3 links from the multiple routing devices through the above process, thereby obtaining the corresponding routing topology.
  • when the network intent mining device 300 determines whether routing device A and routing device B are reachable at Layer 2, it may specifically start from routing device A, initially carrying the full VLAN tag set, and perform a recursive depth-first search, at each hop taking the intersection between the carried VLAN tag set and the VLAN tag set of the next routing device between routing devices A and B. When there is a path whose VLAN tag set is not empty, it is determined that routing device A and routing device B are adjacent at Layer 2; otherwise, it is determined that they are not adjacent at Layer 2.
  • the network intent mining device 300 can generate multiple routing nodes and forwarding tables for each routing node in a simulated manner based on the obtained network configuration and the extracted routing topology corresponding to the multiple routing devices.
  • Each routing node corresponds to a routing device or a VRF table on the routing device; the forwarding table of each routing node includes at least one forwarding rule, and the forwarding rule is used to constrain the routing node's forwarding of data packets.
  • for example, routing node A can forward data packets to subnet 1 or subnet 2 according to its forwarding rules, but cannot forward data packets to subnets other than subnet 1 and subnet 2.
  • some routing devices in the physical network 200 may also be configured with an access control list (access control list, ACL).
  • the ACL is used to filter data packets received by the routing device. Specifically, the routing device determines according to the ACL to forward the data packets that meet the conditions to the corresponding subnet and to discard the data packets that do not meet the conditions (that is, to discard the data packets sent to other subnets). Therefore, in a further implementation, the network intent mining device 300 also generates an ACL table in a simulated manner.
  • the ACL table includes at least one forwarding rule, and the generated ACL table can be used to constrain the forwarding of data packets by some or all routing nodes.
  • the network intent mining device 300 can merge the forwarding rules in the ACL table of a routing node into its forwarding table; or, the network intent mining device 300 can keep the forwarding table and the ACL table separate, that is, among the multiple forwarding rules generated by the network intent mining device 300, some are used as entries in the forwarding table and some as entries in the ACL table. This embodiment does not limit this.
  • the network intent mining device 300 determines the intent in the physical network 200 based on the physical topology and multiple forwarding rules of multiple routing nodes.
  • the intent includes the following types: reachability intent, key point intent, load balancing intent, or isolation intent.
  • the multiple forwarding rules of the multiple routing nodes can reflect whether different subnets are mutually reachable, whether there are multiple routing paths between them, whether data packets of different subnets pass through the same routing node, and whether some subnets are isolated from one another, which in turn reflects the intent in the physical network 200. Based on this, the network intent mining device 300 mines the intent in the physical network 200 according to the physical topology and the multiple forwarding rules of the multiple routing nodes.
  • although the actual routing devices in the physical network 200 are usually configured with a forwarding table and an ACL table, a forwarding table and ACL table extracted directly from the routing devices may not truly reflect the actual intent of the physical network 200, usually because of link or device faults in the physical network 200.
  • for example, two subnets in the physical network 200 may change from reachable to unreachable because of a partial routing device failure or partial link failure; network intent mined from the forwarding table and ACL table extracted from the routing devices would then erroneously identify the two subnets as unreachable, which reduces the accuracy of network intent mining.
  • therefore, in this embodiment, the network intent mining device 300 generates the forwarding table and ACL table of each routing node in a simulated manner according to the network configuration and physical topology of the physical network 200 and performs network intent mining based on the simulated forwarding table and ACL table, so that operating faults of the physical network 200 in actual scenarios do not affect the accuracy of network intent mining.
  • the network intent mining device 300 can generate multiple routing paths in the physical network 200 based on the physical topology and the multiple forwarding rules of the multiple routing nodes.
  • the multiple routing paths are used to forward data packets between different subnets, so that the network intent mining device 300 can mine the intent in the physical network 200 through the generated routing paths. For example, when there is a routing path between subnet A and subnet B and between subnet A and subnet C, but no routing path between subnet A and subnet D, this represents that there is reachability between subnet A and subnet B and between subnet A and subnet C, and isolation between subnet A and subnet D (for example, the subnet pairs in the difference between the set of all subnet pairs and the set of subnet pairs with reachability intention have isolation intention).
  • likewise, a routing node I through which the multiple routing paths pass can be determined as a key point of the multiple routing paths, that is, the physical network 200 has the key point intention corresponding to routing node I; and when there are multiple routing paths between subnet A and subnet B, the data packets between subnet A and subnet B can be load balanced over the multiple routing paths, that is, there is load balancing intention between subnet A and subnet B.
  • the network intent mining device 300 can mine one or more intentions in the physical network 200, and can implement intent mining within the entire network (that is, the entire physical network 200).
  • the network intent mining device 300 can generate a forwarding graph including the multiple routing nodes based on the physical topology of the physical network 200 and the multiple forwarding rules of the multiple routing nodes.
  • the forwarding graph is used to indicate the data packet forwarding behavior of the multiple routing nodes, where the data packet forwarding behavior of each routing node in the forwarding graph reflects the forwarding rules of that routing node, so that the network intent mining device 300 can traverse the forwarding graph to generate the multiple routing paths in the physical network 200.
  • the forwarding graph may also include multiple subnet nodes, each subnet node indicating a subnet in the physical network 200, and different subnet nodes are connected through routing nodes to represent that data packets between different subnets are forwarded through intermediate routing nodes.
  • the network intent mining device 300 may, for example, first determine multiple equivalence classes based on the forwarding rules in the forwarding table (and the ACL table). Each equivalence class corresponds to one subnet and indicates one type of data packet sent to that subnet in the physical network 200.
  • for example, based on the forwarding rules of routing node I, the network intent mining device 300 can divide the data packets forwarded to next-hop routing node II and sent to subnet A into one equivalence class, and the data packets forwarded to next-hop routing node III and sent to subnet B into another equivalence class.
  • the network intent mining device 300 can then traverse the forwarding graph for the equivalence class corresponding to a target subnet in the physical network 200 to determine one or more routing paths.
  • the target subnet can be any subnet in the physical network 200. Therefore, for each subnet in the physical network 200, one or more routing paths can be determined for the equivalence class corresponding to that subnet by the above method, which yields the multiple routing paths corresponding to the multiple subnets in the physical network 200.
  • the network intent mining device 300 can traverse the forwarding graph based on a depth-first search method.
  • for example, the traversal can initially carry all equivalence classes and visit all routing nodes. When visiting the current routing node, the carried equivalence classes are intersected with the equivalence classes corresponding to each edge of the current routing node to determine the next-hop routing node of the current routing node and the one or more equivalence classes that reach that next-hop routing node. Visiting all routing nodes in this way simulates the forwarding process of data packets between different subnets, so that, according to the equivalence classes reaching each routing node, the routing paths between different subnets in the physical network 200 can be determined.
  • this embodiment may also include the following step S204.
  • in S204, the network intention mining device 300 determines the link tolerance upper limit corresponding to each intention based on the network configuration and physical topology of the physical network 200.
  • the link tolerance upper limit is used to indicate the maximum number of physical links that are allowed to fail for the intention.
  • when the number of failed physical links does not exceed the link tolerance upper limit, the intention is established in the physical network 200; otherwise, the intention is not established.
  • for example, if the link tolerance upper limit corresponding to the reachability intention between subnet A and subnet B is 3, then when the number of failed physical links between two adjacent routing nodes on the routing path between subnet A and subnet B does not reach 3 (for example, 1 or 2 physical links fail), the reachability intention between subnet A and subnet B is always established.
  • when the number of failed physical links reaches 3, the routing path between subnet A and subnet B may fail: the routing path is disconnected because all physical links between the two routing nodes are disconnected, so subnet A and subnet B become unreachable, and at this time the reachability intention is not established.
  • the network intention mining device 300 can calculate the minimum cut between the two subnets related to the intention in the physical network 200 based on the network configuration and physical topology of the physical network 200.
  • the minimum cut between two subnets refers to the following: some edges (i.e., links between routing nodes) between the two subnets (such as the subnet nodes in the forwarding graph) are deleted from the forwarding graph so that the traffic from one subnet can no longer reach the other subnet; this set of edges is called a cut.
  • the minimum cut refers to the cut with the smallest sum of edge weights among all cuts in the forwarding graph, where the edge weight specifically refers to the number of physical links corresponding to that edge. Then, the network intention mining device 300 can determine the link tolerance upper limit corresponding to the intention based on the minimum cut between the two subnets.
  • for example, the network intent mining device 300 may determine the largest value smaller than the minimum cut as the link tolerance upper limit corresponding to the reachability intent of the two subnets. For example, assuming that the minimum cut is 4, the link tolerance upper limit corresponding to the reachability intent of these two subnets is 3.
  • the network configuration in the physical network 200 may also affect the link tolerance upper limit.
  • if the largest value smaller than the minimum cut is directly taken as the link tolerance upper limit, the determined link tolerance upper limit may be inaccurate. For example, assume that the minimum cut is 4 and corresponds to the physical links on two edges (where edge a has 2 physical links and edge b has 2 physical links). When some routing nodes between the two subnets in the physical network 200 are restricted from communicating because of actual business requirements (such as firewalls), the edge a between those routing nodes is effectively disconnected, so that under the network configuration of the physical network 200 the link tolerance upper limit corresponding to the reachability intention between the two subnets should be 1 instead of 3 (that is, instead of the largest value smaller than the minimum cut).
  • therefore, the network intention mining device 300 can initially determine the link tolerance upper limit corresponding to each intention based on the minimum cut, and then verify the initially determined link tolerance upper limit; when the verification passes, the link tolerance upper limit determined from the minimum cut is used as the final link tolerance upper limit, and when the verification fails, the link tolerance upper limit calculated during the verification process is used as the final link tolerance upper limit.
  • for example, the network intent mining device 300 may calculate, for each intent, a target number of physical links that are allowed to fail for that intent based on the network configuration and physical topology. For example, the network intent mining device 300 can calculate the total number of multiple first sets in the physical network 200 when the number of failed physical links in the physical network 200 is a first number. Each first set may include one or more failed physical links in the physical network 200 (specifically, the identification of the failed physical links), and the number of failed physical links in each first set is not greater than the first number. When the total number of the multiple first sets is less than a preset threshold, the network intent mining device 300 can calculate the total number of multiple second sets in the physical network 200 when the number of failed physical links in the physical network 200 is a second number.
  • each second set may include one or more failed physical links in the physical network 200, and the number of failed physical links in each second set is not greater than the second number, where the second number is greater than the first number.
  • the preset threshold can be set in advance by technicians.
  • if the total number of the multiple second sets is greater than the preset threshold, the first number can be determined as the target number of physical links that the intent allows to fail. If the total number of the second sets is still not greater than the preset threshold, the network intent mining device 300 can continue to increase the number of failed physical links in the physical network 200, assuming it is a third number, and refer to the above process to determine whether the second number is the target number.
  • when the minimum cut is not greater than the target number, the network intent mining device 300 chooses to use the low tolerance method to verify the link tolerance upper limit, and when the minimum cut is greater than the target number, it chooses to use the high tolerance method to verify the link tolerance upper limit.
  • the following takes the verification of the link tolerance upper limit corresponding to the reachability intention between subnet A and subnet B in the physical network 200 as an example for explanation.
  • in one verification method, the network intent mining device 300 can directly enumerate the physical links that may fail in the physical network 200 to generate multiple sets, each set corresponding to one physical link failure situation.
  • the number of failed physical links included in each set (specifically, the set may include the identification of the failed physical links) is not greater than the minimum cut corresponding to the reachability intention, and different sets differ in the failed physical links they include.
  • then, the network intent mining device 300 determines the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B based on the multiple sets.
  • for example, if in every set whose number of failed physical links does not reach the minimum cut subnet A and subnet B maintain mutual reachability, and in a set whose number of failed physical links reaches the minimum cut there is no reachability between subnet A and subnet B, the network intent mining device 300 can determine the largest value less than the minimum cut as the link tolerance upper limit corresponding to the reachability intention between subnet A and subnet B. Otherwise, the network intent mining device 300 can continue to determine the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B from the value range smaller than the minimum cut according to the above process.
  • in another verification method, the network intent mining device 300 can obtain all routing paths in the forwarding graph. Each edge on each routing path has an edge weight, which indicates the number of physical links corresponding to that edge. Then, the network intent mining device 300 can determine the data plane corresponding to each disconnected edge based on the routing paths, thereby generating multiple data planes. Each data plane indicates a failed logical link (that is, an edge) between subnet A and subnet B; different data planes differ in the failed logical links they indicate; each logical link corresponds to at least one physical link; and the total number of failed physical links in each data plane is not greater than the minimum cut.
  • then, the network intent mining device 300 can determine the link tolerance upper limit corresponding to the intent based on the multiple data planes. For example, if in the data planes whose total number of failed physical links is not greater than the minimum cut subnet A and subnet B maintain mutual reachability, and in a data plane whose number of failed physical links reaches the minimum cut there is no reachability between subnet A and subnet B, then the network intention mining device 300 can determine the largest value smaller than the minimum cut as the link tolerance upper limit corresponding to the reachability intention between subnet A and subnet B. Otherwise, the network intent mining device 300 can continue to determine the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B from the value range smaller than the minimum cut according to the above process.
  • when generating the data planes, the network intent mining device 300 can, for example, determine the data plane produced by continuing to disconnect the next edge based on the routing paths and the currently disconnected edges, so as to avoid generating duplicate data planes as far as possible.
  • for example, the relationship between the multiple data planes generated by the network intent mining device 300 may be a tree structure as shown in FIG. 4.
  • in this way, the network intention mining device 300 can reuse the results indicated by the same data plane without analyzing that data plane again, which improves the efficiency of verifying the link tolerance upper limit and reduces resource consumption.
  • the network intention mining device 300 can determine the link tolerance upper limit corresponding to the reachability intention, isolation intention and key point intention between different subnets by repeating the above process, and can verify the determined link tolerance upper limit by the high tolerance method, the low tolerance method, or other methods, which will not be described in detail in this embodiment.
  • the network intent mining device 300 can present the intent to the user 100, so that the user 100 can manage and verify the physical network 200 according to the intent.
  • the network intention mining device 300 may further perform network migration based on the mined intentions, which is not limited in this embodiment.
  • this embodiment may further include the following step S205.
  • in S205, the network intent mining device 300 configures a virtual network in the cloud according to the intent in the physical network 200.
  • for example, the network intent mining device 300 can create one or more VPCs in the cloud, where the subnets in each VPC are reachable to each other. When there are isolation requirements between subnets within a VPC, ACL resources can be configured within the VPC to achieve isolation between the subnets based on the ACL resources. In addition, subnets in different VPCs are isolated by default; when subnets in different VPCs need to be reachable, peering connection resources can be allocated between the VPCs so that subnets in different VPCs can access each other through the peering connection resources. Therefore, the network intention mining device 300 can create corresponding VPCs in the cloud according to the subnets included in the physical network 200 and the mined intentions, thereby migrating the physical network 200 to the cloud network.
  • since ACL resources are usually limited, the network intent mining device 300 can convert the ACL resources to be consumed into peering connection resources when performing network migration, reducing the consumption of ACL resources. For example, assume that the physical network 200 includes subnet A, subnet B, and subnet C, that subnet B is interconnected with subnet A and subnet C respectively, and that subnet A is isolated from subnet C. If the 3 subnets are created in one VPC, ACL resources need to be consumed in the VPC to isolate subnet A from subnet C.
  • instead, the network intent mining device 300 can create VPC1 and VPC2, where VPC1 includes subnet A and subnet B, VPC2 includes subnet C, subnet B and subnet C are interconnected through the peering connection resource between the VPCs, and subnet A and subnet C are isolated by being in different VPCs.
  • FIG. 5 is a schematic structural diagram of an exemplary physical network 200 provided according to an embodiment of the present application.
  • the physical network 200 includes 6 routing devices (R1 to R6) and 4 subnets, where subnet 1 and subnet 2 belong to department 1 and subnet 3 and subnet 4 belong to department 2.
  • different subnets can access each other through routing devices R1 to R6, and different subnets in the same department can access each other.
  • subnet 4 in department 2 can access subnet 1 and subnet 2 in department 1, but subnet 3 in department 2 cannot access subnet 1 and subnet 2 in department 1.
  • the access of subnet 3 to subnet 1 and subnet 2 can be restricted by separately configuring an ACL table (ACL 101 in Figure 5) in routing device R3; the specific information configured for the ACL table in routing device R3 may be as shown in Figure 6.
  • the edges between different routing devices shown in Figure 5 have weights, which represent the routing cost between different routing devices under the open shortest path first (OSPF) protocol; for example, the weight of the edge between R3 and R6 is 100.
  • the routing path with the smallest total cost is selected based on the OSPF protocol to transmit the data packets.
  • the edges between different routing devices in Figure 5 indicate the existence of connections between the routing devices. In actual scenarios, two routing devices can be interconnected through one or more physical links, that is, an edge between routing devices corresponds to one or more physical links.
  • the network intent mining device 300 can first obtain the network configuration and physical topology of the physical network 200. For example, it can obtain configuration information such as each routing device (R1 to R6) in the physical network 200, the routing protocol used by each routing device to forward data packets, the IP address of each routing device and the multiple subnets (subnet 1 to subnet 4), as well as the interconnection topology between the different routing devices.
  • then, the network intent mining device 300 extracts multiple routing topologies in the physical network 200 based on the obtained network configuration and physical topology. In this example, the extracted multiple routing topologies are the same as the physical topology of the physical network 200, and can be specifically shown in Figure 7.
  • next, the network intent mining device 300 can generate the forwarding table of each routing device in a simulated manner based on the extracted multiple routing topologies and the network configuration of the physical network 200. The forwarding table includes at least one forwarding rule, which restricts the forwarding of data packets by the routing device.
  • the network intent mining device 300 can also simulate and generate an ACL table for some routing devices (such as R3), and the ACL table includes at least one forwarding rule (also referred to as an ACL rule).
  • taking routing device R6 as an example, the generated forwarding table may be as shown in Figure 8.
  • the network intent mining device 300 can divide the data packets between different subnets into multiple equivalence classes according to the forwarding rules in the generated forwarding table (and the forwarding rules in the ACL table), and each equivalence class corresponds to one subnet.
  • since the forwarding rules in the ACL table are also used to restrict the forwarding of data packets by the routing device, the equivalence classes divided by the network intent mining device 300 according to the ACL table can use the same identification (such as the same symbol) as the equivalence classes divided according to the forwarding table.
  • the equivalence classes divided based on the forwarding table (and ACL table) are shown in Figure 9.
  • then, the network intent mining device 300 can use the ports on the routing devices as graph nodes and the set of equivalence classes on each port as the attribute of the corresponding edge to construct a forwarding graph, which can be shown in Figure 10.
  • the forwarding graph shown in Figure 10 mainly shows the access of subnet 3 and subnet 4 in department 2 to subnet 1 and subnet 2 in department 1, where the ACL table configured in R3 restricts the access of subnet 3.
  • the dotted line nodes in Figure 10 represent different subnets, and the solid line nodes represent different routing nodes.
  • the edges in the forwarding graph indicate the equivalence classes of the transmitted data packets, where "all" indicates that any equivalence class can pass, and "P1", "P2" and "P1P2" indicate the data packets that are allowed to pass.
  • here, one routing device corresponding to one routing node is used as an example for illustration. In actual application, a single routing device may be configured with multiple VRF tables. Therefore, when building the forwarding graph, multiple routing nodes can be generated based on the multiple VRF tables, with each routing node corresponding to one VRF table. In that case, multiple routing nodes can be generated in the forwarding graph from one routing device in the physical network 200 because of the multiple VRF tables on it.
  • then, the network intent mining device 300 can carry all equivalence classes and traverse the forwarding graph through depth-first search or the like to determine the reachability between different subnets, thereby mining the reachability intention of the physical network 200.
  • the difference between all subnet pairs in the forwarding graph and the subnet pairs with reachability intent is the isolation intent of the physical network 200.
  • the network intent mining device 300 can mine the load balancing intent and the key point intent in the physical network 200 based on the number of routing paths between different subnets with reachability intent.
  • for example, the routing paths from P4 to P1 are P4 → R6 → R4 → R1 → P1 and P4 → R6 → R3 → R1 → P1, so P4 to P1 also has load balancing intent.
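The traversal described in the general steps above and in this Figure 10 walkthrough, as an added example (not the patent's own code): a depth-first search carries a set of equivalence classes, narrows it on every edge and at an ACL node, and the four intent types are then read off the collected routing paths. The six-router topology, forwarding tables and ACL are constructed for this example and only loosely modelled on Figure 5; treating a key point as a router shared by every path between a pair, other than the two gateways, is this example's own reading.

```python
"""Added example (not the patent's own code): mine reachability, isolation,
load-balancing and key-point intents from a forwarding graph. A depth-first
search carries a set of equivalence classes and intersects it with the classes
allowed on each edge (and removes what an ACL node denies), so that every path
that enters a subnet node is a routing path for that subnet's class."""
from itertools import combinations

# Equivalence class Pk = "all packets destined to subnet Sk" (constructed values).
ALL_CLASSES = frozenset({"P1", "P2", "P3", "P4"})
GATEWAY = {"S1": "R1", "S2": "R2", "S3": "R5", "S4": "R6"}  # subnet -> attached router

# Simulated forwarding tables (constructed; loosely modelled on the six-router
# network of Figure 5, not identical to it). Entry: next hop -> classes it carries.
# Two next hops carrying the same class represent equal-cost multipath.
FORWARDING = {
    "R1": {"S1": {"P1"}, "R2": {"P2", "P4"}, "R3": {"P3", "P4"}},
    "R2": {"S2": {"P2"}, "R1": {"P1", "P3"}, "R4": {"P3", "P4"}},
    "R3": {"R1": {"P1", "P2"}, "R4": {"P2", "P4"}, "R5": {"P3"}},
    "R4": {"R2": {"P1", "P2"}, "R3": {"P1", "P3"}, "R6": {"P4"}},
    "R5": {"S3": {"P3"}, "R3": {"P1", "P2", "P4"}},
    "R6": {"S4": {"P4"}, "R4": {"P1", "P2", "P3"}},
}
# Simulated ACL table: router -> {source subnet: classes it must not forward}.
# Plays the role of the ACL on R3 that keeps subnet 3 away from subnets 1 and 2.
ACL = {"R3": {"S3": {"P1", "P2"}}}


def routing_paths(src):
    """Return {dst_subnet: [path, ...]} for packets sourced from subnet `src`.
    The search starts with every equivalence class and narrows the carried set
    on each edge; a path is complete when it enters a subnet node."""
    found = {}

    def dfs(node, carried, path):
        for nxt, allowed in FORWARDING[node].items():
            classes = carried & allowed
            if node in ACL:                        # ACL rules also restrict forwarding
                classes -= ACL[node].get(src, set())
            if not classes or nxt in path:         # nothing left to forward, or a loop
                continue
            if nxt in GATEWAY:                     # entered a subnet node
                found.setdefault(nxt, []).append(path + [nxt])
            else:
                dfs(nxt, classes, path + [nxt])

    dfs(GATEWAY[src], set(ALL_CLASSES), [src, GATEWAY[src]])
    return found


def mine_intents():
    """Derive the four intent types for every subnet pair from the routing paths."""
    subnets = sorted(GATEWAY)
    paths = {s: routing_paths(s) for s in subnets}
    intents = {"reachability": set(), "isolation": set(),
               "load_balancing": set(), "key_point": {}}
    for a, b in combinations(subnets, 2):
        ab, ba = paths[a].get(b, []), paths[b].get(a, [])
        if not ab or not ba:                       # reachability is taken as mutual
            intents["isolation"].add((a, b))       # all pairs minus reachable pairs
            continue
        intents["reachability"].add((a, b))
        if len(ab) > 1 or len(ba) > 1:             # several paths: load balancing
            intents["load_balancing"].add((a, b))
        # Key point (this example's reading): a router on every path between the
        # pair, other than the two subnets' own gateways.
        common = set.intersection(*(set(p) for p in ab + ba))
        common -= {a, b, GATEWAY[a], GATEWAY[b]}
        if common:
            intents["key_point"][(a, b)] = common
    return intents


if __name__ == "__main__":
    for kind, value in mine_intents().items():
        print(kind, value)
```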
  • in this way, the network intent mining device 300 can not only mine various intentions such as reachability intent, isolation intent, load balancing intent, and key point intent in the physical network 200, but can also further determine the link tolerance upper limit of some intents.
  • specifically, the network intention mining device 300 can calculate the minimum cut between subnet pairs according to the network configuration and the physical topology (or the forwarding graph), and determine the link tolerance upper limit of each intention according to the value of the minimum cut; for example, (minimum cut - 1) is used as the link tolerance upper limit of the reachability intention between a subnet pair.
  • then, the network intent mining device 300 can verify the determined link tolerance upper limit.
  • for example, the network intent mining device 300 can determine whether to use the low tolerance method or the high tolerance method for verification based on the combination space of physical link failures.
  • specifically, the network intention mining device 300 can calculate the target number of physical links that each intention allows to fail based on the network configuration and physical topology; the specific implementation process of determining the target number can be found in the relevant descriptions of the foregoing embodiments.
  • when the minimum cut is not greater than the target number, the low tolerance method is selected to verify the link tolerance upper limit, and when the minimum cut is greater than the target number, the high tolerance method is selected to verify the link tolerance upper limit.
  • in one verification method, the network intention mining device 300 can directly enumerate the physical links that may fail in the physical network 200 to generate multiple sets, where each set corresponds to one physical link failure situation, the number of failed physical links in each set is not greater than the minimum cut corresponding to the reachability intent, and different sets differ in the failed physical links they include. Then, the network intent mining device 300 can verify whether (minimum cut - 1) can be used as the link tolerance upper limit corresponding to the reachability intent.
  • if the verification passes, the network intent mining device 300 can determine (minimum cut - 1) as the link tolerance upper limit corresponding to the reachability intent. Otherwise, the network intent mining device 300 may continue to determine the link tolerance upper limit corresponding to the reachability intent between the subnet pair from the value range smaller than the minimum cut.
  • in another verification method, the network intent mining device 300 can obtain all routing paths in the forwarding graph. Each edge on each routing path has an edge weight, which indicates the number of physical links corresponding to that edge. Then, the network intent mining device 300 can determine the data plane corresponding to each disconnected edge based on the routing paths, thereby generating multiple data planes. Taking the reachability intention between subnet 1 and subnet 4 as an example, the generated data planes can be as shown in Figure 11 (only part of the data planes are shown in Figure 11 for exemplary explanation). Subnet 1 can communicate with subnet 4 through R1, R2, R4, and R6.
  • when one edge is disconnected, the disconnected edge may be the edge between R1 and R2, or the edge between R2 and R4, or the edge between R1 and R3, etc.
  • when the edge between R1 and R2 is broken (that is, all physical links interconnecting R1 and R2 are broken), subnet 1 can maintain the reachability intent through R1, R3, R4, and R6.
  • after disconnecting the edge between R1 and R2, another edge on a routing path between subnet 1 and subnet 4 may be disconnected; as shown in Figure 11, this may be the edge between R1 and R3, or the edge between R3 and R4, or the edge between R4 and R6 (not shown in Figure 11), etc.
  • in this way, the network intent mining device 300 can gradually increase the number of disconnected edges on the routing paths between subnet 1 and subnet 4 to generate the data planes shown in FIG. 11. Then, the network intent mining device 300 can determine the link tolerance upper limit corresponding to the reachability intent based on the multiple data planes corresponding to the reachability intent. Assume that when any two edges on all routing paths between subnet 1 and subnet 4 are disconnected, subnet 1 and subnet 4 still have reachability, but when any three edges are disconnected they do not.
  • then the link tolerance upper limit corresponding to the reachability intention between subnet 1 and subnet 4 can be the number of physical links included in the first edge + the number of physical links included in the second edge + (the number of physical links included in the third edge - 1). By a similar process, the network intention mining device 300 can determine the link tolerance upper limit corresponding to each intention, so that the previously determined link tolerance upper limit can be adjusted according to the newly determined link tolerance upper limit.
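The minimum-cut derivation and its verification against the network configuration, described in S204 above and in this example, as an added example (not the patent's own code): the minimum cut is computed over edges weighted with their physical link count, (minimum cut - 1) is taken as the initial upper limit, and an enumeration over failure sets checks it, reproducing the case where an edge that the configuration already blocks lowers the limit from 3 to 1; the target-number selection follows the counting rule described earlier. The topology, link counts, blocked edge and threshold values are constructed for this example.

```python
"""Added example (not the patent's own code): link tolerance upper limit of a
reachability intent, from the minimum cut plus a verification that respects the
network configuration (an edge the configuration blocks cannot carry traffic,
even though the cut counted its physical links)."""
from collections import deque
from itertools import combinations
from math import comb

# Physical links between routing nodes (constructed). Parallel entries form one
# edge whose weight is the link count: edge a = RA-X (2), edge b = RA-Y (2),
# X-RB (3), Y-RB (3). Subnet A sits behind RA, subnet B behind RB.
PHYSICAL_LINKS = [("RA", "X"), ("RA", "X"), ("RA", "Y"), ("RA", "Y"),
                  ("X", "RB"), ("X", "RB"), ("X", "RB"),
                  ("Y", "RB"), ("Y", "RB"), ("Y", "RB")]
# Network configuration (constructed): edges this intent's traffic may not use,
# e.g. because of a firewall on X, regardless of whether their links are up.
BLOCKED_EDGES = {frozenset(("RA", "X"))}


def min_cut(links, s, t):
    """Minimum cut between s and t with edge weight = number of physical links;
    exact search over all node partitions (fine for a small routing graph)."""
    others = sorted({n for link in links for n in link} - {s, t})
    best = None
    for r in range(len(others) + 1):
        for side in combinations(others, r):
            side_s = set(side) | {s}               # s-side of the partition
            crossing = sum(1 for u, v in links if (u in side_s) != (v in side_s))
            best = crossing if best is None or crossing < best else best
    return best


def reachable(links, failed, blocked, s, t):
    """BFS over links that are neither failed (by index) nor blocked by configuration."""
    adj = {}
    for i, (u, v) in enumerate(links):
        if i in failed or frozenset((u, v)) in blocked:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    seen, queue = {s}, deque([s])
    while queue:
        u = queue.popleft()
        if u == t:
            return True
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


def verify_tolerance(links, blocked, s, t, candidate):
    """Enumeration check: largest k <= candidate such that reachability survives
    every set of k failed physical links (if every k-set survives, every smaller
    set does too). Returns candidate when it passes, else the corrected value."""
    for k in range(candidate, 0, -1):
        if all(reachable(links, set(c), blocked, s, t)
               for c in combinations(range(len(links)), k)):
            return k
    return 0


def link_tolerance(links, blocked, s, t):
    """(initial limit = minimum cut - 1, verified limit)."""
    initial = min_cut(links, s, t) - 1
    return initial, verify_tolerance(links, blocked, s, t, initial)


def failure_sets_count(n_links, k):
    """Size of the failure combination space with at most k failed links."""
    return sum(comb(n_links, i) for i in range(1, k + 1))


def choose_method(n_links, cut, threshold):
    """Target number = largest failure count whose combination space stays within
    the preset threshold; enumeration is used only when the cut does not exceed it."""
    target = 0
    while failure_sets_count(n_links, target + 1) <= threshold:
        target += 1
    return ("enumerate" if cut <= target else "data-plane"), target


if __name__ == "__main__":
    print(min_cut(PHYSICAL_LINKS, "RA", "RB"))                        # 4
    print(link_tolerance(PHYSICAL_LINKS, BLOCKED_EDGES, "RA", "RB"))  # (3, 1)
    print(link_tolerance(PHYSICAL_LINKS, set(), "RA", "RB"))          # (3, 3)
```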
  • after mining the intent, the network intent mining device 300 can create a virtual network on the cloud based on the intent. Specifically, it can create one or more VPCs on the cloud, each VPC including one or more subnets of the physical network 200. Here: 1. subnets within a VPC are reachable by default; 2. subnets in different VPCs are isolated by default; 3. subnet isolation within the same VPC requires the allocation of ACL resources; 4. subnet reachability between different VPCs requires the allocation of peering connection resources. Since ACL resources in the cloud are usually limited in actual application scenarios, when the network intent mining device 300 creates a virtual network in the cloud, it can reduce the consumption of ACL resources by converting the ACL resources to be consumed into peering connection resources.
  • specifically, the network intent mining device 300 may first construct a schematic subnet connection diagram as shown in FIG. 12 based on the mined network intent and the subnets in the physical network 200, where P1 represents subnet 1, P2 represents subnet 2, P3 represents subnet 3, and P4 represents subnet 4.
  • then, the network intent mining device 300 can analyze the connected components in the graph and divide each connected component into a group.
  • in the subnet connection schematic diagram shown in Figure 12, since the subnets are fully connected, they contain only one connected component.
  • the network intent mining device 300 can divide the subnets included in each connected component into a VPC. Since the ACL resources in a single VPC are limited (for example, the number of ACL rules consumed in each VPC does not exceed a first threshold, such as 1), the number of required ACL resources can be reduced by adjusting each group.
  • for example, the network intent mining device 300 can use the following formula (1) to search for the division that reduces the largest number of ACL rules after dividing the multiple subnets in the group into two parts, where W is the number of ACL rules that can be reduced by dividing the multiple subnets in the group into two parts, nodenum_part1 is the number of subnets included in the first part of the division, nodenum_part2 is the number of subnets included in the second part of the division, and edgenum_cut is the number of edges involved in the minimum cut between the two parts, that is, the number of lost subnet pairs.
  • the subnet connection diagram composed of the multiple subnets in the physical network 200 may include multiple connected components, so that multiple groups can be formed from the subnet connection diagram. Adjusting each group can reduce the number of ACL rules, but at the same time some pairs of subnets will be divided into different VPCs. Therefore, the network intent mining device 300 can calculate the profit value of each group using the following formula (2) and give priority to the group with the larger profit value.
  • P is the profit value, which is the ratio of the number of ACL rules reduced to the number of subnet pairs that are no longer in the same VPC.
  • giving priority to dividing the group with the largest profit value reduces the number of ACL rules consumed as much as possible while also limiting the number of subnet pairs lost from the same VPC.
  • group 1 and group 2 can be obtained as shown in Figure 13, where group 1 includes P1, P2, and P4 (i.e., subnet 1, subnet 2 and subnet 4 are classified into one VPC), and group 2 includes P3 (that is, subnet 3 is classified into another VPC).
  • the network intent mining device 300 can create corresponding VPCs in the cloud according to the adjusted grouping, allocate and configure the corresponding subnets in each VPC, and allocate peering connection resources between different VPCs, thereby achieving network migration from the physical network 200 to the cloud.
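The grouping procedure described above (connected components, then the two-part division with the largest W, then priority by profit value P), as an added Python example that is not the patent's code. It assumes the ACL model, subnet graph and thresholds stated in its comments, and reads formula (1) as W = nodenum_part1 × nodenum_part2 - edgenum_cut and formula (2) as P = W / edgenum_cut, since the formulas themselves are not reproduced on the page.

```python
"""Group subnets into VPCs under an ACL-rule budget (added example, not the
patent's code). Assumed ACL model: subnets in one VPC are mutually reachable by
default, so every pair that must stay isolated costs one ACL rule; subnets in
different VPCs are isolated for free, and each connected pair split across VPCs
is a "lost" pair that needs a peering connection."""
from itertools import combinations

# Constructed subnet connection graph (not the one in Figure 12): an edge means
# the two subnets are reachable from each other in the physical network.
SUBNETS = ["subnet1", "subnet2", "subnet3", "subnet4", "subnet5"]
CONNECTED = {frozenset(p) for p in [("subnet1", "subnet2"), ("subnet1", "subnet4"),
                                    ("subnet2", "subnet4"), ("subnet1", "subnet3")]}


def connected_components(nodes, edges):
    """Each connected component of the subnet graph starts as one group (VPC)."""
    groups, unseen = [], set(nodes)
    while unseen:
        stack, comp = [unseen.pop()], set()
        while stack:
            n = stack.pop()
            comp.add(n)
            for m in list(unseen):
                if frozenset((n, m)) in edges:
                    unseen.remove(m)
                    stack.append(m)
        groups.append(comp)
    return groups


def acl_rules_needed(group, edges):
    """ACL rules consumed by one VPC: one per isolated subnet pair inside it."""
    return sum(1 for a, b in combinations(group, 2) if frozenset((a, b)) not in edges)


def best_split(group, edges):
    """Search every two-part division of the group for the one that reduces the
    most ACL rules (W); ties are broken by the profit value P = W / lost pairs.
    W = nodenum_part1 * nodenum_part2 - edgenum_cut is this example's reading of
    formula (1): the cross-part pairs that are isolated without any ACL rule."""
    members = sorted(group)
    best = None
    for r in range(len(members) - 1):            # members[0] always stays in part 1
        for chosen in combinations(members[1:], r):
            part1 = {members[0], *chosen}
            part2 = set(members) - part1
            edgenum_cut = sum(1 for a in part1 for b in part2
                              if frozenset((a, b)) in edges)
            w = len(part1) * len(part2) - edgenum_cut
            p = w / edgenum_cut if edgenum_cut else float("inf")
            if best is None or (w, p) > (best["W"], best["P"]):
                best = {"W": w, "P": p, "cut": edgenum_cut, "parts": (part1, part2)}
    return best


def plan_vpcs(subnets, edges, acl_threshold=1, vpc_threshold=None):
    """Split groups until every VPC fits the ACL budget (first threshold),
    always splitting the group with the largest profit value first and never
    exceeding the VPC budget (second threshold) when one is given."""
    groups = connected_components(subnets, edges)
    while True:
        over = [g for g in groups if acl_rules_needed(g, edges) > acl_threshold]
        if not over or (vpc_threshold is not None and len(groups) >= vpc_threshold):
            return groups
        split, group = max(((best_split(g, edges), g) for g in over),
                           key=lambda item: item[0]["P"])
        groups.remove(group)
        groups.extend(split["parts"])


if __name__ == "__main__":
    for vpc in plan_vpcs(SUBNETS, CONNECTED, acl_threshold=1):
        print(sorted(vpc), "ACL rules:", acl_rules_needed(vpc, CONNECTED))
```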
  • the network intent mining method provided by the embodiment of the present application is introduced in detail above with reference to Figures 1 to 13.
  • the network intent mining device 1400 provided by the embodiment of the present application will be introduced below from the perspective of functional units with reference to the accompanying drawings.
  • the network intention mining device 300 includes:
  • the information acquisition module 301 is used to acquire the network configuration of the physical network and the physical topology of the physical network;
  • the rule determination module 302 is configured to determine the forwarding rules of each of the multiple routing nodes in the physical network according to the network configuration and the physical topology;
  • the intent mining module 303 is configured to determine the intent in the physical network according to the physical topology and multiple forwarding rules of the multiple routing nodes.
  • the intent includes the following types: reachability intent, key point intent, load balancing intent, or isolation intent.
  • the intent mining module 303 is used to:
  • generate multiple routing paths in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, where the multiple routing paths are used to forward data packets between multiple subnets in the physical network;
  • Intents in the physical network are mined based on the multiple routing paths.
  • the intent mining module 303 is used to:
  • generate a forwarding graph including the multiple routing nodes according to the physical topology and the multiple forwarding rules of the multiple routing nodes, where the forwarding graph is used to indicate the data packet forwarding behavior of the multiple routing nodes;
  • the forwarding graph is traversed to generate multiple routing paths in the physical network.
  • the intent mining module 303 is used to:
  • Traversing the forwarding graph determines one or more routing paths for the equivalence class in the physical network.
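The path generation and intent mining steps of module 303, as an added Python example that is not the patent's code: it builds the forwarding graph from per-destination forwarding rules plus an ACL deny list (both constructed), traverses it per (source subnet, destination subnet) equivalence class, and derives reachability, isolation, load balancing and key point intents from the resulting paths. Treating the equivalence class as the ordered subnet pair and key points as the routing nodes common to all paths are this example's assumptions.

```python
"""Mine intents by traversing a forwarding graph (added example, not the patent's
code). Assumed model: RULES[node][dst_subnet] lists the next hops a node uses for
packets to dst_subnet; ACL_DENY holds (node, src_subnet, dst_subnet) triples that
the node drops. The equivalence class is the ordered (src, dst) subnet pair."""
from itertools import permutations

# Constructed network (not the patent's Figure 5): S1 behind R1, S2 and S3 behind
# R4, with R1 and R4 load-balancing over R2 and R3.
SUBNETS = ["S1", "S2", "S3"]
RULES = {
    "S1": {"S2": ["R1"], "S3": ["R1"]},
    "S2": {"S1": ["R4"], "S3": ["R4"]},
    "S3": {"S1": ["R4"], "S2": ["R4"]},
    "R1": {"S1": ["S1"], "S2": ["R2", "R3"], "S3": ["R2", "R3"]},
    "R2": {"S1": ["R1"], "S2": ["R4"], "S3": ["R4"]},
    "R3": {"S1": ["R1"], "S2": ["R4"], "S3": ["R4"]},
    "R4": {"S1": ["R2", "R3"], "S2": ["S2"], "S3": ["S3"]},
}
# R4 drops S3 -> S1 traffic, so that pair must be mined as an isolation intent.
ACL_DENY = {("R4", "S3", "S1")}


def routing_paths(rules, acl_deny, src, dst):
    """Traverse the forwarding graph for the (src, dst) equivalence class and
    return every loop-free routing path from src to dst."""
    found = []

    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        if (node, src, dst) in acl_deny:      # the ACL drops this class here
            return
        for nxt in rules.get(node, {}).get(dst, []):
            if nxt not in path:               # skip forwarding loops
                walk(nxt, path + [nxt])

    walk(src, [src])
    return found


def mine_intents(rules, acl_deny, subnets):
    """Return, per ordered subnet pair, the mined intent types together with
    the routing paths and key points that justify them."""
    intents = {}
    for src, dst in permutations(subnets, 2):
        paths = routing_paths(rules, acl_deny, src, dst)
        if not paths:
            intents[(src, dst)] = {"types": {"isolation"}, "paths": [],
                                   "key_points": set()}
            continue
        # Key points: routing nodes that every path between the pair passes through.
        key_points = set.intersection(*(set(p[1:-1]) for p in paths))
        types = {"reachability"}
        if len(paths) > 1:                    # several paths: load balancing
            types.add("load_balancing")
        if key_points:
            types.add("key_point")
        intents[(src, dst)] = {"types": types, "paths": paths,
                               "key_points": key_points}
    return intents


if __name__ == "__main__":
    for pair, info in sorted(mine_intents(RULES, ACL_DENY, SUBNETS).items()):
        print(pair, sorted(info["types"]), sorted(info["key_points"]))
```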
  • when the intent includes reachability intent, key point intent, or isolation intent, the device 300 further includes:
  • the upper limit determination module 304 is configured to determine an upper limit of link tolerance corresponding to the intention according to the network configuration and the physical topology.
  • the upper limit of link tolerance is used to indicate the maximum number of physical links that the intent allows to fail.
  • the upper limit determination module 304 is used to:
  • the link tolerance upper limit corresponding to the intention is determined.
  • the upper limit determination module 304 is used to:
  • the link tolerance upper limit corresponding to the intention is determined according to the multiple sets.
  • the upper limit determination module 304 is used to:
  • each of the multiple data planes is used to indicate a failed logical link between the two subnets.
  • each logical link corresponds to at least one physical link, and the total number of failed physical links in each data plane is not greater than the minimum cut;
  • the link tolerance upper limit corresponding to the intention is determined according to the multiple data planes.
  • the upper limit determination module 304 is used to:
  • calculate the total number of multiple first sets in the physical network when the number of failed physical links in the physical network is a first number, where the number of failed physical links in each of the multiple first sets is not greater than the first number;
  • calculate the total number of multiple second sets in the physical network when the number of failed physical links in the physical network is a second number, where the number of failed physical links in each of the multiple second sets is not greater than the second number, and the second number is greater than the first number;
  • determine the first number as the target number of physical links that the intent allows to fail.
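The link tolerance computation of module 304, as an added Python example that is not the patent's code: minimum cut by max flow, the target failure count derived from the preset threshold, and enumeration of failure sets to verify (minimum cut - 1) for a reachability intent. The topology, the forwarding rules, the failure model (a failed link removes the forwarding edges over it, with no re-convergence) and the data-plane fallback returning None are this example's assumptions.

```python
"""Link tolerance upper limit of a reachability intent (added example, not the
patent's code). Assumed model: undirected physical links between nodes and
per-node forwarding rules RULES[node][dst_subnet] -> next hops. A failed link
removes the forwarding-graph edges that use it; the rules do not re-converge."""
from collections import defaultdict, deque
from itertools import combinations
from math import comb

# Constructed dual-homed topology (not the patent's Figure 5 network).
LINKS = [("S1", "R1"), ("S1", "R2"), ("R1", "R3"), ("R1", "R4"),
         ("R2", "R3"), ("R2", "R4"), ("R3", "S4"), ("R4", "S4")]
# Static rules toward S4: both edge routers only ever forward via R3.
RULES_STATIC = {"S1": {"S4": ["R1", "R2"]}, "R1": {"S4": ["R3"]},
                "R2": {"S4": ["R3"]}, "R3": {"S4": ["S4"]}, "R4": {"S4": ["S4"]}}
# Same topology, but R1 load-balances over R3 and R4.
RULES_ECMP = {**RULES_STATIC, "R1": {"S4": ["R3", "R4"]}}


def min_cut(links, src, dst):
    """Edmonds-Karp max flow with unit capacity per physical link; by the
    max-flow/min-cut theorem the value is the minimum cut between src and dst."""
    cap = defaultdict(lambda: defaultdict(int))
    for a, b in links:
        cap[a][b] += 1
        cap[b][a] += 1
    flow = 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, c in list(cap[u].items()):
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return flow
        v = dst
        while parent[v] is not None:          # push one unit along the augmenting path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1


def reachable(rules, links, failed, src, dst):
    """Does the forwarding graph still carry src -> dst once `failed` links are down?"""
    alive = {frozenset(l) for l in links} - {frozenset(l) for l in failed}
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(nxt for nxt in rules.get(node, {}).get(dst, [])
                     if frozenset((node, nxt)) in alive)
    return False


def target_failure_count(num_links, threshold):
    """Largest failure count k for which the number of failure sets (every set
    of at most k failed links) does not exceed the preset threshold."""
    k, total = 0, 1                           # the empty failure set
    while k < num_links and total + comb(num_links, k + 1) <= threshold:
        k += 1
        total += comb(num_links, k)
    return k


def link_tolerance(rules, links, src, dst, threshold=100):
    """Link tolerance upper limit of the src -> dst reachability intent, or None
    when the minimum cut exceeds the target number (the patent then switches to
    its data-plane method, which is outside this example)."""
    if not reachable(rules, links, (), src, dst):
        raise ValueError(f"no reachability intent between {src} and {dst}")
    cut = min_cut(links, src, dst)
    if cut > target_failure_count(len(links), threshold):
        return None
    # Verify (minimum cut - 1) by enumerating every failure set up to that size.
    for k in range(1, cut):
        if any(not reachable(rules, links, failed, src, dst)
               for failed in combinations(links, k)):
            return k - 1                      # a k-link failure already breaks it
    return cut - 1


if __name__ == "__main__":
    print("min cut:", min_cut(LINKS, "S1", "S4"))
    print("static rules:", link_tolerance(RULES_STATIC, LINKS, "S1", "S4"))
    print("ECMP rules:", link_tolerance(RULES_ECMP, LINKS, "S1", "S4"))
```

With the static rules a single failure of the R3 to S4 link breaks reachability even though the topology's minimum cut is 2, which is why the patent verifies (minimum cut - 1) instead of using it directly.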
  • the device 300 further includes:
  • the configuration module 305 is used to configure a virtual network in the cloud according to the intention in the physical network.
  • the virtual network includes multiple virtual private clouds (VPCs), and the number of access control list (ACL) rules in each VPC does not exceed a first threshold, or the number of VPCs in the virtual network does not exceed a second threshold.
  • the network intent mining device 300 may correspond to performing the method described in the embodiment of the present application, and the above and other operations and/or functions of the various modules of the network intent mining device 300 shown in Figure 14 are respectively used to implement the corresponding processes of the methods executed by the network intent mining device 300 in Figure 2.
  • for the sake of brevity, these processes are not described again here.
  • the network intent mining process can also be implemented with a separate hardware device.
  • the computing devices that implement the network intent mining process are introduced in detail.
  • Figure 15 provides a schematic structural diagram of a computing device.
  • the computing device 1500 shown in Figure 15 can be specifically used to implement the functions of the network intent mining device 300 in the embodiment shown in Figure 2.
  • Computing device 1500 includes bus 1501, processor 1502, communication interface 1503, and memory 1504.
  • the processor 1502, the memory 1504 and the communication interface 1503 communicate through the bus 1501.
  • the bus 1501 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus can be divided into address bus, data bus, control bus, etc. For ease of presentation, only one thick line is used in Figure 15, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 1503 is used to communicate with the outside, such as receiving network configuration and physical topology provided by the user 100 through the client.
  • the processor 1502 may be a central processing unit (CPU).
  • Memory 1504 may include volatile memory, such as random access memory (RAM).
  • the memory 1504 may also include non-volatile memory, such as read-only memory (ROM), flash memory, HDD or SSD.
  • the memory 1504 stores executable code, and the processor 1502 executes the executable code to perform the method performed by the network intent mining device 300 in Figure 2.
  • the software or program code required for the functions of the network intent mining device 300 is stored in the memory 1504.
  • the interaction between the computing device 1500 and other devices is implemented through the communication interface 1503.
  • the computing device 1500 receives network configuration and physical topology through the communication interface 1503.
  • the processor is used to execute the instructions in the memory 1504 to implement the method executed by the network intent mining device 300.
  • embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium stores instructions which, when run on a computing device, cause the computing device to execute the method of the embodiment shown in Figure 2.
  • An embodiment of the present application also provides a computer program product.
  • when the computer program product is executed by a computer, the computer executes any of the foregoing network intent mining methods.
  • the computer program product may be a software installation package. If it is necessary to use any of the foregoing network intent mining methods, the computer program product may be downloaded and executed on the computer.
  • the device embodiments described above are only illustrative.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units.
  • the physical unit can be located in one place, or it can be distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the connection relationship between modules indicates that there are communication connections between them, which can be specifically implemented as one or more communication buses or signal lines.
  • the present application can be implemented by software plus the necessary general-purpose hardware. Of course, it can also be implemented by dedicated hardware, including dedicated integrated circuits, dedicated CPUs, dedicated memories, special components, etc. In general, all functions performed by computer programs can easily be implemented with corresponding hardware. Moreover, the specific hardware structures used to implement the same function can be diverse, such as analog circuits, digital circuits, or special-purpose circuits. However, for this application, a software program implementation is the better implementation in most cases. Based on this understanding, the part of the technical solution of the present application that is essential, or that contributes to the prior art, can be embodied in the form of a software product.
  • the computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive (U disk), mobile hard disk, ROM, RAM, magnetic disk or optical disk, etc., and includes several instructions to cause a forwarding device (which may be a personal computer, training device, or network device, etc.) to execute the methods described in the various embodiments of this application.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, training device, or data center to another website, computer, training device, or data center through wired (such as coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (such as infrared, radio, microwave, etc.) means.
  • the computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a training device or a data center integrated with one or more available media.
  • the available media may be magnetic media (eg, floppy disk, hard disk, tape), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), etc.

Abstract

The present application provides a network intent mining method, comprising: acquiring a network configuration of a physical network and the physical topological structure of the physical network; determining a forwarding rule for each of a plurality of routing nodes in the physical network according to the network configuration and the physical topological structure; thus determining intents in the physical network according to the physical topological structure and a plurality of forwarding rules for the plurality of routing nodes, wherein the intents in the physical network comprise several of the following: an accessibility intent, a key point intent, a load balance intent and an isolation intent in the physical network; and the forwarding rules are generated according to the network configuration and the physical topological structure; and mining the intents from the network on the basis of the generated forwarding rules, such that the accuracy of intent mining with regard to the physical network can be improved, and intent mining within the whole network range can be realized. The present application further provides a network intent mining apparatus and a related device.

Description

A network intent mining method, apparatus and related device
This application claims priority to the Chinese patent application No. 202210447023.1, entitled "A network intent mining method, apparatus and related device", filed with the China National Intellectual Property Administration on April 26, 2022, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of Internet technology, and in particular to a network intent mining method, apparatus and related device.
Background
In practical application scenarios, the scale of a network grows as network services are continually enriched, which makes the network increasingly difficult to manage and operate. At present, network intent can be mined from the actual network configuration so that network management can be simplified or automated on the basis of that intent. Network intent mining is a technique that converts the actual network configuration into the functions carried by the network and presents them in the form of intents, which helps administrators (or operations and maintenance personnel) manage the network more efficiently. For example, when an enterprise changes its requirements for the network that runs its business because new types of business are added (such as requiring diversified computing power), the network intent can be mined from the enterprise's original network configuration, and a corresponding virtual private cloud (VPC) can be configured in the cloud according to the mined intent, so that a virtual network meeting the enterprise's requirements is configured for the enterprise in the cloud while the enterprise's original network configuration is preserved in that virtual network.
Therefore, how to mine network intent has become an important problem that urgently needs to be solved.
Summary
The present application provides a network intent mining method that mines the intents in a network. In addition, the present application also provides a network intent mining device, a computing device, a computer-readable storage medium, and a computer program product.
In a first aspect, the present application provides a network intent mining method. Specifically, the network configuration of a physical network and the physical topology of the physical network are obtained; the forwarding rule of each of multiple routing nodes in the physical network is determined according to the network configuration and the physical topology; and the intents in the physical network are then determined according to the physical topology and the multiple forwarding rules of the multiple routing nodes. The intents in the physical network include several of the following: a reachability intent, a key point intent, a load balancing intent, or an isolation intent in the physical network. A reachability intent reflects that two subnets in the physical network are reachable from each other; a load balancing intent reflects that the multiple routing paths between two reachable subnets in the physical network can be load balanced; a key point intent reflects a routing node that all of the multiple routing paths between two reachable subnets in the physical network pass through; and an isolation intent reflects that two subnets in the physical network are unreachable from each other.
In this way, not only can the intents in the physical network be mined, but multiple kinds of intent can be mined, that is, the mined intents may be any combination of reachability intents, key point intents, load balancing intents, or isolation intents. In addition, the forwarding rules are generated from the network configuration and the physical topology, and the network intents are mined from the generated forwarding rules rather than from forwarding rules extracted from the actual routing devices. This effectively avoids the situation in which changes that occur in the physical network during actual operation (such as a routing device fault or a link failure) affect the accuracy of intent mining for the physical network. Moreover, intent mining can be performed across the whole network rather than being limited to a part of the physical network.
In a possible implementation, when the intents in the physical network are determined, multiple routing paths in the physical network may be generated according to the physical topology and the multiple forwarding rules of the multiple routing nodes, where the multiple routing paths are used to forward data packets between multiple subnets in the physical network, so that the intents in the physical network can be mined from the multiple routing paths. In this way, the intents in the physical network can be mined by simulating the generation of multiple routing paths in the physical network.
In a possible implementation, when the multiple routing paths in the physical network are generated, a forwarding graph including the multiple routing nodes may be generated according to the physical topology and the multiple forwarding rules of the multiple routing nodes, where the forwarding graph indicates the data packet forwarding behavior of the multiple routing nodes, so that the forwarding graph can be traversed to generate the multiple routing paths in the physical network. In this way, the multiple routing paths in the physical network are generated by constructing and traversing the forwarding graph, which facilitates the subsequent mining of the intents in the physical network from those routing paths.
In a possible implementation, in the process of generating the multiple routing paths in the physical network, the equivalence class corresponding to a target subnet in the physical network may be determined according to the multiple forwarding rules of the multiple routing nodes, and the forwarding graph is then traversed to determine one or more routing paths in the physical network for the determined equivalence class. In this way, for any subnet among the multiple subnets of the physical network, the corresponding one or more routing paths can be determined in the above manner, thereby obtaining the multiple routing paths corresponding to the multiple subnets in the physical network. Moreover, determining the routing paths requires neither simulating the generation of data packets nor actually sending test data packets, which not only improves the efficiency of determining the multiple routing paths and reduces resource consumption, but also makes network-wide intent mining easier to achieve.
In a possible implementation, when the mined intent is specifically a reachability intent, a key point intent, or an isolation intent, the link tolerance upper limit corresponding to the mined intent may be determined according to the network configuration and the physical topology of the physical network, where the link tolerance upper limit indicates the maximum number of physical links that the intent allows to fail. In this way, the reliability of each intent in the physical network is determined from its link tolerance upper limit, so that when the physical network is migrated to the cloud, a reduction in the reliability of each intent can be avoided as far as possible.
In a possible implementation, when the link tolerance upper limit corresponding to an intent is determined, the minimum cut between the two subnets related to the intent in the physical network may be calculated according to the network configuration and the physical topology, and the link tolerance upper limit corresponding to the intent is then determined according to the minimum cut between the two subnets. In this way, the link tolerance upper limit corresponding to each intent can be determined by means of graph processing.
In a possible implementation, when the link tolerance upper limit corresponding to the intent is determined according to the minimum cut between the two subnets, the target number of physical links that the intent allows to fail may first be determined; when the minimum cut between the two subnets is not greater than the target number, multiple sets in the physical network are enumerated, where the number of failed physical links in each of the multiple sets is not greater than the minimum cut, and the link tolerance upper limit corresponding to the intent is determined according to the multiple sets. In this way, when the number of possible failed-physical-link cases is small, enumeration can be used to verify whether (minimum cut - 1) can serve as the link tolerance upper limit corresponding to the intent.
In a possible implementation, when the link tolerance upper limit corresponding to the intent is determined according to the minimum cut between the two subnets, the target number of physical links that the intent allows to fail may first be determined; when the minimum cut between the two subnets is greater than the target number, multiple data planes are generated, where each of the multiple data planes indicates failed logical links between the two subnets, the failed logical links indicated by different data planes differ, each logical link corresponds to at least one physical link, and the total number of failed physical links in each data plane is not greater than the minimum cut; the link tolerance upper limit corresponding to the intent is then determined according to the multiple data planes. In this way, when the number of possible failed-physical-link cases is large, the multiple generated data planes can be used to verify whether (minimum cut - 1) can serve as the link tolerance upper limit corresponding to the intent.
In a possible implementation, when the target number of physical links that the intent allows to fail is determined, the total number of multiple first sets in the physical network when the number of failed physical links in the physical network is a first number may be calculated, where the number of failed physical links in each of the multiple first sets is not greater than the first number; and, when the total number of the multiple first sets is less than a preset threshold (which may be set in advance by technical personnel), the total number of multiple second sets in the physical network when the number of failed physical links in the physical network is a second number is calculated, where the number of failed physical links in each of the multiple second sets is not greater than the second number and the second number is greater than the first number; then, when the total number of the second sets is greater than the preset threshold, the first number is determined as the target number of physical links that the intent allows to fail.
In a possible implementation, a virtual network may also be configured in the cloud according to the intents in the physical network, thereby migrating the physical network to the cloud.
In a possible implementation, the virtual network configured in the cloud includes multiple virtual private clouds (VPCs), and the number of access control list (ACL) rules in each VPC does not exceed a first threshold, that is, the ACL resources consumed in each VPC are limited; or, the number of VPCs in the virtual network does not exceed a second threshold, that is, the peering connection resources between VPCs consumed in the virtual network are limited. Further, when the virtual network is configured in the cloud, priority may be given to reducing the consumption of ACL resources, and, provided that the number of ACL rules consumed in each VPC does not exceed the first threshold, the consumption of peering connection resources between VPCs is reduced as much as possible.
In a second aspect, the present application provides a network intent mining device, which includes the modules for implementing the network intent mining method in the first aspect or any possible implementation of the first aspect.
In a third aspect, the present application provides a computing device that includes a processor and a memory. The memory is used to store instructions, and when the computing device runs, the processor executes the instructions stored in the memory so that the computing device executes the network intent mining method in the first aspect or any implementation of the first aspect. It should be noted that the memory may be integrated in the processor or may be independent of the processor. The forwarding device may further include a bus, through which the processor is connected to the memory. The memory may include readable memory and random access memory.
In a fourth aspect, the present application provides a computer-readable storage medium that stores instructions which, when run on a computing device, cause the computing device to execute the method in the first aspect or any implementation of the first aspect.
In a fifth aspect, the present application provides a computer program product containing instructions which, when run on a computing device, cause the computing device to execute the method in the first aspect or any implementation of the first aspect.
On the basis of the implementations provided in the above aspects, the present application may be further combined to provide more implementations.
Brief description of the drawings
Figure 1 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application;
Figure 2 is a schematic flowchart of a network intent mining method provided by an embodiment of the present application;
Figure 3 is a schematic diagram of an exemplary interactive interface provided by an embodiment of the present application;
Figure 4 is a schematic diagram of the tree structure corresponding to multiple data planes;
Figure 5 is a schematic structural diagram of an exemplary physical network 200 provided by an embodiment of the present application;
Figure 6 is a schematic diagram of the information in the ACL table configured on routing device R3;
Figure 7 is a schematic diagram of multiple routing topologies extracted from the physical network 200;
Figure 8 is a schematic diagram of the forwarding table generated by routing device R6;
Figure 9 is a schematic diagram of the equivalence classes divided on the basis of the forwarding tables (and ACL tables);
Figure 10 is a schematic diagram of the constructed forwarding graph;
Figure 11 is a schematic diagram of the data plane corresponding to the reachability intent between subnet 1 and subnet 4;
Figure 12 is a schematic diagram of the connections between different subnets;
Figure 13 is a schematic diagram of grouping multiple subnets;
Figure 14 is a schematic structural diagram of a network intent mining device provided by an embodiment of the present application;
Figure 15 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
Detailed description of embodiments
The terms "first", "second" and the like in the description, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that terms so used are interchangeable under appropriate circumstances; they are merely the way in which objects with the same attributes are distinguished when describing the embodiments of the present application.
Figure 1 is a schematic diagram of an exemplary application scenario provided by an embodiment of the present application. As shown in Figure 1, in this scenario a user 100 (through a user terminal, a client or the like) can send an extraction instruction to a physical network 200, instructing the physical network 200 to return its network configuration and physical topology to the user 100. The user 100 can then send an intent mining request to a network intent mining apparatus 300, so that the network intent mining apparatus 300 can mine the intents in the physical network 200 from the network configuration and physical topology included in the request and return them to the user 100. The user 100 can then understand the physical network 200 on the basis of the mined intents, or configure a corresponding virtual network in the cloud according to those intents to implement network migration.
In practice, the network intent mining apparatus 300 may be deployed locally. For example, when the network intent mining apparatus 300 is implemented in software, it may be installed as a plug-in on a local terminal device, and once running the plug-in can provide the user 100 with a local network intent mining service. Alternatively, the network intent mining apparatus 300 may be implemented in hardware, for example by an application-specific integrated circuit (ASIC) or a programmable logic device (PLD); the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof that implements the functions of the network elements or modules described above.
Alternatively, the network intent mining apparatus 300 may be deployed in the cloud as a cloud service, for example in an edge cloud, a distributed cloud or a public cloud. Correspondingly, a network intent mining apparatus 300 deployed in the cloud can provide the user 100 with an interactive interface for interacting with it. In this way, when the user 100 requests mining of the intents in the physical network 200, the cloud-based network intent mining apparatus 300 can provide the user 100 with a cloud service for mining network intents. The specific deployment of the network intent mining apparatus 300 is not limited in this embodiment.
It should be noted that the application scenario shown in Figure 1 is merely illustrative and not limiting; for example, in other possible application scenarios the network intent mining apparatus 300 may provide local or cloud intent mining services to multiple users.
For ease of understanding, the embodiments of the present application are described below with reference to the accompanying drawings.
Figure 2 is a schematic flowchart of a network intent mining method provided by an embodiment of the present application; the method flow shown in Figure 2 may be implemented by the network intent mining apparatus 300 described above. For ease of understanding and explanation, the following description takes the network intent mining method of Figure 2 as applied to the network intent mining apparatus 300 of Figure 1 as an example. The method may specifically include the following steps:
S201: The network intent mining apparatus 300 obtains the network configuration of the physical network 200 and the physical topology of the physical network 200.
The network configuration of the physical network 200 may indicate the identifiers of the ports on each routing device (such as a router) in the physical network 200, the multiple subnets that the physical network 200 comprises (packets between different subnets are forwarded by the routing devices), and other configuration information. In practice the network configuration may also include other information, such as the routing protocol used by the routing devices in the physical network 200 to forward packets and the Internet Protocol (IP) addresses of the routing devices. The physical topology of the physical network 200 may indicate how the different routing devices in the physical network 200 are interconnected; different routing devices may be interconnected by one or more physical links.
In some possible implementations, when the user 100 wishes to mine the intents in the physical network 200, the user 100 can extract the network configuration from a physical device in the physical network 200, for example by sending an extraction instruction to that physical device, so that the physical device collects the network configuration, physical topology and other information from the physical network 200 and outputs it to the user 100. The physical device may be a routing device or another device in the physical network 200. The user 100 can then send the network configuration and physical topology to the network intent mining apparatus 300 to request that it mine the intents in the physical network 200. In a specific implementation, the network intent mining apparatus 300 can present to the user 100 an interactive interface such as the one shown in Figure 3, and prompt the user 100 in that interface to import the network configuration and physical topology required for intent mining, so that the user 100 can input the network configuration, physical topology and other information to the network intent mining apparatus 300 through that interface.
Alternatively, the user 100 may instruct a physical device in the physical network 200 to send the collected network configuration and physical topology to the network intent mining apparatus 300 directly, thereby triggering the network intent mining apparatus 300 to perform the network intent mining process. The specific manner in which the network intent mining apparatus 300 obtains the network configuration and physical topology of the physical network 200 is not limited in this embodiment.
In this embodiment, the intents to be mined in the physical network 200 may specifically be any one or more of a reachability intent, a waypoint intent, a load-balance intent and an isolation intent.
The reachability intent indicates reachability between different subnets in the physical network 200. For example, when a packet sent by subnet A can be forwarded to subnet B by the routing devices in the physical network 200, subnet A and subnet B are reachable in the physical network 200; when a packet sent by subnet A cannot be forwarded to subnet C, subnet A and subnet C are unreachable in the physical network 200.
The waypoint intent indicates a common routing device through which packets pass during communication between multiple subnets in the physical network 200. For example, suppose there are two routing paths for data communication between subnet A and subnet B in the physical network 200: on routing path 1, a packet sent by subnet A is forwarded in turn by routing device 1, routing device 2, routing device 3 and routing device 4 and finally delivered to subnet B, while on routing path 2 a packet sent by subnet A is forwarded in turn by routing device 1, routing device 2, routing device 5 and routing device 4 and finally delivered to subnet B. Routing device 2 can then be determined to be a waypoint.
The load-balance intent indicates the number of forwarding paths that can be used in the physical network 200 to transmit packets between different subnets. For example, when subnet A and subnet B in the physical network 200 communicate, a packet sent by subnet A may be transmitted to subnet B through routing device 1, routing device 2 and routing device 3, or through routing device 1, routing device 4 and routing device 3. There are then two forwarding paths between subnet A and subnet B that can be used to forward packets, and a packet sent by subnet A (or subnet B) can preferentially be transmitted to subnet B (or subnet A) over the forwarding path with the lower load.
The isolation intent indicates isolation between different subnets in the physical network 200, that is, that packets between two subnets cannot reach each other. For example, if packets sent by subnet A in the physical network 200 cannot be transmitted to subnet B, subnet A and subnet B are isolated.
It should be noted that in practice other types of intent may also be mined from the physical network 200; this is not limited in this embodiment.
S202: The network intent mining apparatus 300 determines, from the network configuration and physical topology, the forwarding rules of each of multiple routing nodes in the physical network 200.
The forwarding rules of each routing node constrain how that routing node forwards packets.
Typically, the physical network 200 includes multiple routing nodes, which are used to forward packets communicated between different subnets. Each routing node may be implemented by one routing device. Optionally, when multiple virtual routing and forwarding (VRF) tables are configured on one routing device, each VRF table may be regarded as a routing node, so that the routing device corresponds to multiple routing nodes.
Each routing node may be configured with a forwarding table or a VRF table that includes at least one forwarding rule. Each forwarding rule may be, for example, one row of the forwarding table or VRF table, and indicates the port, next hop and so on that the routing node uses to forward the packets for each subnet.
In practice, different vendors may configure physical networks in different forms. Therefore, after obtaining the network configuration and physical topology of the physical network 200, the network intent mining apparatus 300 can feed them to a configuration parser such as batfish, which parses them into a vendor-independent, standardized form of the network configuration and physical topology.
In this embodiment, the network intent mining apparatus 300 can determine the forwarding rules of the multiple routing nodes in the physical network 200 from the network configuration and physical topology. In one possible implementation, the network intent mining apparatus 300 can determine, from the network configuration and physical topology of the physical network 200, the routing topology corresponding to the multiple routing devices in the physical network 200.
For example, from the network configuration and physical topology, the network intent mining apparatus 300 can determine the virtual local area network (VLAN) to which each routing device in the physical network 200 belongs and the number of physical links between interconnected routing devices, and each routing device can be labelled with its VLAN tags. The network intent mining apparatus 300 can then iterate over every pair of the multiple routing devices and determine whether the two routing devices are reachable at Layer 2 and whether their ports belong to the same subnet. When the two routing devices are reachable at Layer 2 and their ports belong to the same subnet, the network intent mining apparatus 300 can extract a Layer 3 link between them, indicating that the two routing devices are mutually reachable. When the two routing devices are not reachable at Layer 2, or their ports belong to different subnets, the network intent mining apparatus 300 can determine that there is no Layer 3 link between them. In practice, one Layer 3 link between two routing devices may be carried by one or more physical links. By repeating this process, the network intent mining apparatus 300 can extract multiple Layer 3 links from the multiple routing devices and thereby obtain the corresponding routing topology.
For example, to determine whether routing device A and routing device B are reachable at Layer 2, the network intent mining apparatus 300 may start from routing device A, initially carrying the set of all VLAN tags, and perform a recursive depth-first search in which the carried VLAN tag set is intersected with the VLAN tag set of each next routing device between routing device A and routing device B. If there is a path along which the VLAN tag set never becomes empty, routing device A and routing device B are determined to be Layer 2 adjacent; otherwise they are determined not to be Layer 2 adjacent.
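The Layer 2 check and the Layer 3 link extraction described in the two paragraphs above, as an added example that is not code from the patent. The device names, VLAN tag sets, physical links and port subnets are constructed for illustration.

```python
"""Layer 2 reachability by VLAN tag set intersection, and Layer 3 link
extraction from it. Added example; topology and names are constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample: the VLAN tags each device's ports allow, and the
# physical adjacency between devices.
VLANS: Dict[str, FrozenSet[int]] = {
    "A": frozenset({10, 20, 30}),
    "S1": frozenset({10, 20}),
    "S2": frozenset({30}),
    "S3": frozenset({20, 40}),
    "B": frozenset({20, 30}),
    "C": frozenset({50}),
}
LINKS: Dict[str, Set[str]] = {
    "A": {"S1", "S2"},
    "S1": {"A", "S3"},
    "S2": {"A", "B"},
    "S3": {"S1", "B", "C"},
    "B": {"S2", "S3"},
    "C": {"S3"},
}
# Constructed: the IP subnet configured on the routed port of each device.
ROUTER_SUBNET = {"A": "10.1.0.0/24", "B": "10.1.0.0/24", "C": "10.2.0.0/24"}


def l2_path(src: str, dst: str, vlans: Dict[str, FrozenSet[int]],
            links: Dict[str, Set[str]]) -> Optional[Tuple[List[str], FrozenSet[int]]]:
    """Recursive DFS from src that starts with every VLAN tag and intersects
    the carried set with each device visited. Returns (path, surviving tags)
    for the first path on which the tag set never becomes empty, else None."""
    all_tags: FrozenSet[int] = frozenset().union(*vlans.values())

    def dfs(node: str, carried: FrozenSet[int], visited: Set[str],
            path: List[str]) -> Optional[Tuple[List[str], FrozenSet[int]]]:
        carried = carried & vlans[node]
        if not carried:
            return None  # no VLAN survives through this device: prune the branch
        path = path + [node]
        if node == dst:
            return path, carried
        for nxt in sorted(links.get(node, ())):
            if nxt in visited:
                continue
            found = dfs(nxt, carried, visited | {node}, path)
            if found is not None:
                return found
        return None

    return dfs(src, all_tags, set(), [])


def l2_adjacent(src: str, dst: str, vlans=VLANS, links=LINKS) -> bool:
    return l2_path(src, dst, vlans, links) is not None


def extract_l3_links(router_subnet: Dict[str, str], vlans=VLANS,
                     links=LINKS) -> List[Tuple[str, str]]:
    """A Layer 3 link exists between two routing devices when they are Layer 2
    adjacent and their ports sit in the same subnet (both conditions needed)."""
    l3: List[Tuple[str, str]] = []
    for a, b in combinations(sorted(router_subnet), 2):
        if router_subnet[a] == router_subnet[b] and l2_adjacent(a, b, vlans, links):
            l3.append((a, b))
    return l3


if __name__ == "__main__":
    print(l2_path("A", "B", VLANS, LINKS))   # (['A', 'S1', 'S3', 'B'], frozenset({20}))
    print(l2_path("A", "C", VLANS, LINKS))   # None: VLAN 50 is allowed nowhere upstream
    print(extract_l3_links(ROUTER_SUBNET))   # [('A', 'B')]
```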
Then, from the obtained network configuration and the extracted routing topology of the multiple routing devices, the network intent mining apparatus 300 can generate by simulation the multiple routing nodes and a forwarding table for each routing node. Each routing node corresponds to one routing device or to one VRF table on a routing device, and the forwarding table of each routing node includes at least one forwarding rule that constrains how that routing node forwards packets. For example, according to its forwarding rules, routing node A may forward packets to subnet 1 or subnet 2 but not to any subnet other than subnet 1 and subnet 2.
In real application scenarios, some routing devices in the physical network 200 may additionally be configured with an access control list (ACL), which is used to filter the packets received by that routing device: according to the ACL, the routing device forwards packets that satisfy the conditions to the corresponding subnet and discards packets that do not (that is, it discards packets addressed to other subnets). Therefore, in a further implementation, the network intent mining apparatus 300 also generates ACL tables by simulation. An ACL table includes at least one forwarding rule, and the generated ACL tables can constrain the forwarding of packets by some or all of the routing nodes. In this embodiment, the network intent mining apparatus 300 may merge the forwarding rules in a routing node's ACL table into its forwarding table; alternatively, it may keep the forwarding table and the ACL table separate, so that among the multiple forwarding rules it generates, some are entries of the forwarding table and others are entries of the ACL table. This is not limited in this embodiment.
S203: The network intent mining apparatus 300 determines the intents in the physical network 200 from the physical topology and the multiple forwarding rules of the multiple routing nodes. The intents include the following types: reachability intent, waypoint intent, load-balance intent and isolation intent.
It will be understood that, since interconnection between the multiple subnets in the physical network 200 is usually achieved by multiple routing nodes forwarding packets according to their forwarding rules, the multiple forwarding rules of those routing nodes reflect whether different subnets are mutually reachable, whether there are multiple routing paths, whether packets of different subnets pass through the same routing node, and whether communication between some subnets is isolated; that is, they reflect the intents in the physical network 200. On this basis, the network intent mining apparatus 300 mines the intents in the physical network 200 from the physical topology and the multiple forwarding rules of the multiple routing nodes.
It should be noted that although the actual routing devices in the physical network 200 are usually configured with forwarding tables and ACL tables, forwarding tables and ACL tables extracted directly from those routing devices may not truly reflect the intents of the physical network 200, because of link failures, routing device faults or similar causes in the physical network 200. For example, the failure of some routing devices or links may change two subnets of the physical network 200 from reachable to unreachable, so that network intents mined from the forwarding tables and ACL tables extracted from the routing devices would wrongly conclude that the two subnets are unreachable, reducing the accuracy of network intent mining. Therefore, in this embodiment, the network intent mining apparatus 300 generates the forwarding table and ACL table of each routing node by simulation from the network configuration and physical topology of the physical network 200, and performs network intent mining on the simulated forwarding tables and ACL tables, so that operational errors of the physical network 200 in the real scenario cannot affect the accuracy of network intent mining.
In one implementation of mining network intents, the network intent mining apparatus 300 can generate multiple routing paths in the physical network 200 from the physical topology and the multiple forwarding rules of the multiple routing nodes; these routing paths are used to forward packets between different subnets, and the network intent mining apparatus 300 can mine the intents in the physical network 200 from the generated routing paths. For example, when routing paths exist between subnet A and subnet B and between subnet A and subnet C, but no routing path exists between subnet A and subnet D, this indicates that subnet A is reachable from subnet B and from subnet C, while subnet A and subnet D are isolated (for example, the set difference between all subnet pairs and the subnet pairs with a reachability intent is the set of pairs with an isolation intent). Further, when the routing paths between subnet A and subnet B and between subnet A and subnet C all include routing node I, routing node I can be determined to be a waypoint of those routing paths, that is, the physical network 200 has a waypoint intent corresponding to routing node I; and when there are multiple routing paths between subnet A and subnet B, the packets between subnet A and subnet B can be load-balanced over those routing paths, that is, there is a load-balance intent between subnet A and subnet B.
In this way, the network intent mining apparatus 300 can mine one or more intents in the physical network 200, and can perform intent mining over the entire network (that is, the entire physical network 200).
For example, when determining the multiple routing paths, the network intent mining apparatus 300 can generate, from the physical topology of the physical network 200 and the multiple forwarding rules of the multiple routing nodes, a forwarding graph that includes the multiple routing nodes. The forwarding graph indicates the packet forwarding behaviour of the multiple routing nodes, where the packet forwarding behaviour of each routing node in the forwarding graph reflects that routing node's forwarding rules, so that the network intent mining apparatus 300 can generate the multiple routing paths in the physical network 200 by traversing the forwarding graph. Further, the forwarding graph may also include multiple subnet nodes, each indicating one subnet in the physical network 200; different subnet nodes are connected through routing nodes, indicating that packets between different subnets are forwarded by the intermediate routing nodes.
When traversing the forwarding graph, the network intent mining apparatus 300 may, for example, first determine multiple equivalence classes from the forwarding rules in the forwarding tables (and ACL tables). Each equivalence class corresponds to one subnet and denotes one class of packets addressed to that subnet in the physical network 200. For example, suppose routing node I forwards packets addressed to subnet A to next-hop routing node II and forwards packets addressed to subnet B to next-hop routing node III; the network intent mining apparatus 300 can then, according to the forwarding rules of routing node I, place the packets forwarded to next-hop routing node II and addressed to subnet A in one equivalence class, and the packets forwarded to next-hop routing node III and addressed to subnet B in another equivalence class. Taking as an example the equivalence class corresponding to a target subnet in the physical network 200, determined from the multiple forwarding rules of the multiple routing nodes, the network intent mining apparatus 300 can traverse the forwarding graph and determine one or more routing paths in the physical network 200 for that equivalence class. The target subnet may be any subnet in the physical network 200, so for each subnet in the physical network 200 one or more routing paths can be determined for its equivalence class in the manner described above, thereby determining multiple routing paths corresponding to the multiple subnets in the physical network 200.
For example, the network intent mining apparatus 300 can traverse the forwarding graph by depth-first search: it initially carries all equivalence classes and visits all routing nodes; at the current routing node, it intersects the carried set of equivalence classes with the equivalence classes attached to each edge of the current routing node to determine the next-hop routing node and the one or more equivalence classes that reach it, until all routing nodes have been traversed, which simulates the forwarding of packets between different subnets. In this way, the routing paths between different subnets in the physical network 200 can be determined from the equivalence classes corresponding to each routing node.
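The forwarding-graph traversal described above, followed by the derivation of the four intents from the resulting routing paths as described for step S203, as an added example that is not code from the patent. The subnet names, gateway routers, simulated forwarding tables and the ACL on R2 are constructed for illustration; reachability is taken per direction, isolation holds when neither direction is reachable, and the waypoint for a source subnet is the set of routers (other than its own gateway) common to all of its paths.

```python
"""Forwarding graph with equivalence classes (ECs), DFS path generation and
intent mining. Added example; the topology below is constructed."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

SUBNETS = ("sub1", "sub2", "sub3", "sub4")
GATEWAY = {"sub1": "R1", "sub2": "R4", "sub3": "R5", "sub4": "R6"}

# Constructed simulated forwarding tables: node -> {destination subnet: next hops}.
# The destination subnet is the EC of the packets addressed to it; two next
# hops for one EC model an equal-cost split.
FIB: Dict[str, Dict[str, List[str]]] = {
    "R1": {"sub1": ["sub1"], "sub2": ["R2"], "sub3": ["R2"], "sub4": ["R2"]},
    "R2": {"sub1": ["R1"], "sub2": ["R4", "R3"], "sub3": ["R5"], "sub4": ["R6"]},
    "R3": {"sub1": ["R2"], "sub2": ["R4"]},
    "R4": {"sub1": ["R2", "R3"], "sub2": ["sub2"], "sub3": ["R2"], "sub4": ["R2"]},
    "R5": {"sub1": ["R2"], "sub2": ["R2"], "sub3": ["sub3"], "sub4": ["R2"]},
    "R6": {"sub4": ["sub4"]},
}
# Constructed simulated ACL: R2 discards every packet addressed to sub4.
ACL_DROP: Dict[str, FrozenSet[str]] = {"R2": frozenset({"sub4"})}


def build_forwarding_graph(fib: Dict[str, Dict[str, List[str]]]):
    """Edge (u, v) -> set of ECs that u forwards to v, merged over all rules."""
    edges: Dict[Tuple[str, str], set] = defaultdict(set)
    for node, rules in fib.items():
        for ec, next_hops in rules.items():
            for nh in next_hops:
                edges[(node, nh)].add(ec)
    return edges


def routing_paths(src: str, fib=FIB, acl_drop=ACL_DROP) -> Dict[str, List[List[str]]]:
    """DFS from src's gateway carrying every EC. At each router the carried ECs
    lose what the ACL drops and are intersected with each outgoing edge's ECs;
    a path (list of routers) is recorded when a subnet node is reached with
    its own EC still carried. Routers already on the path are not revisited."""
    out: Dict[str, List[Tuple[str, FrozenSet[str]]]] = defaultdict(list)
    for (u, v), ecs in build_forwarding_graph(fib).items():
        out[u].append((v, frozenset(ecs)))
    paths: Dict[str, List[List[str]]] = defaultdict(list)

    def dfs(node: str, carried: FrozenSet[str], path: List[str]) -> None:
        if node in SUBNETS:
            if node in carried and node != src:
                paths[node].append(path)
            return
        carried = carried - acl_drop.get(node, frozenset())
        for nxt, ecs in sorted(out[node], key=lambda e: e[0]):
            nxt_carried = carried & ecs
            if nxt_carried and nxt not in path:
                dfs(nxt, nxt_carried, path if nxt in SUBNETS else path + [nxt])

    dfs(GATEWAY[src], frozenset(SUBNETS), [GATEWAY[src]])
    return dict(paths)


def mine_intents(subnets=SUBNETS) -> Dict[str, object]:
    all_paths = {s: routing_paths(s) for s in subnets}
    reach = sorted((s, d) for s in subnets for d in all_paths[s])
    reach_set = set(reach)
    # Isolation: all subnet pairs minus those reachable in either direction.
    isolation = sorted((a, b) for a, b in combinations(subnets, 2)
                       if (a, b) not in reach_set and (b, a) not in reach_set)
    load_balance = {(s, d): len(p) for s in subnets
                    for d, p in all_paths[s].items() if len(p) > 1}
    waypoints: Dict[str, List[str]] = {}
    for s, by_dst in all_paths.items():
        paths = [p for ps in by_dst.values() for p in ps]
        if paths:  # routers shared by every path from s, gateway excluded
            waypoints[s] = sorted(set.intersection(*(set(p[1:]) for p in paths)))
    return {"reachability": reach, "isolation": isolation,
            "waypoint": waypoints, "load_balance": load_balance}


if __name__ == "__main__":
    for k, v in mine_intents().items():
        print(k, v)
```

Because R2 drops the sub4 EC and R6 forwards nothing but its own subnet, sub4 ends up isolated from every other subnet, R2 is the waypoint of every other source, and the two-next-hop rules produce the load-balance pairs.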
In a further possible implementation, when the intents mined by the network intent mining apparatus 300 include a reachability intent, a waypoint intent or an isolation intent, this embodiment may further include the following step S204.
S204: The network intent mining apparatus 300 determines, from the network configuration and physical topology of the physical network 200, a link tolerance upper limit for each intent; the link tolerance upper limit indicates the maximum number of physical links that may fail while the intent still holds.
That is, when the number of failed physical links between any two adjacent routing nodes on the routing path corresponding to an intent in the physical network 200 does not exceed the link tolerance upper limit, the intent holds in the physical network 200; otherwise the intent does not hold. For example, suppose the link tolerance upper limit for the reachability intent between subnet A and subnet B is 3. When the number of failed physical links between any two adjacent routing nodes on the routing path between subnet A and subnet B has not reached 3 (for example, one or two physical links have failed), the reachability intent between subnet A and subnet B always holds. When the number of failed physical links between two adjacent routing nodes on the routing path between subnet A and subnet B reaches 3, all physical links between those two routing nodes may be down, so that the routing path is broken and subnet A and subnet B become unreachable; in that case the reachability intent does not hold.
As an implementation example, when determining the link tolerance upper limit corresponding to each intent, the network intent mining apparatus 300 may compute, from the network configuration and the physical topology of the physical network 200, the minimum cut between the two subnets involved in the intent in the physical network 200. Here, a cut is a set of edges (links between routing nodes, at least one edge) of the forwarding graph between two subnets (subnet nodes of the forwarding graph) whose deletion leaves the set of routing paths from one subnet to the other empty. Correspondingly, the minimum cut is the cut with the smallest sum of edge weights among all cuts of the forwarding graph. In this embodiment, the edge weight is the number of physical links corresponding to the edge. The network intent mining apparatus 300 may then determine the link tolerance upper limit corresponding to the intent from the minimum cut between the two subnets.
Specifically, for the minimum cut between two subnets, the network intent mining apparatus 300 may take the largest value smaller than the minimum cut as the link tolerance upper limit corresponding to the reachability intent of the two subnets. For example, if the minimum cut is 4, the link tolerance upper limit corresponding to the reachability intent of the two subnets is 3.
In practical application scenarios, the network configuration of the physical network 200 may affect the link tolerance upper limit, and if the largest value smaller than the minimum cut is taken directly as the link tolerance upper limit, the resulting limit may be inaccurate. For example, assume the minimum cut is 4 and corresponds to the physical links on two edges (edge a carries 2 physical links and edge b carries 2 physical links). If, because of actual business requirements, some routing nodes between the two subnets of the physical network 200 are prevented from communicating (for example, a firewall is configured), edge a between those routing nodes is in fact disconnected, so that under the network configuration of the physical network 200 the link tolerance upper limit corresponding to the reachability intent between the two subnets should be 1 rather than 3 (the largest value smaller than the minimum cut).
On this basis, in a further possible implementation, the network intent mining apparatus 300 may first determine a preliminary link tolerance upper limit for each intent from the minimum cut and then verify the preliminary limit; if the verification passes, the limit determined from the minimum cut is used as the final link tolerance upper limit, and if it fails, the link tolerance upper limit computed during the verification is taken as the final link tolerance upper limit.
For example, for each intent, the network intent mining apparatus 300 may compute, from the network configuration and the physical topology, a target number of physical links that the intent allows to fail. For instance, the network intent mining apparatus 300 may compute the total number of first sets in the physical network 200 when the number of failed physical links in the physical network 200 is a first number; each first set contains one or more failed physical links of the physical network 200 (specifically, the identifiers of the failed physical links), and the number of failed physical links in each first set is not greater than the first number. When the total number of first sets is smaller than a preset threshold, the network intent mining apparatus 300 may compute the total number of second sets in the physical network 200 when the number of failed physical links in the physical network 200 is a second number, where each second set contains one or more failed physical links of the physical network 200, the number of failed physical links in each second set is not greater than the second number, and the second number is greater than the first number. When the total number of second sets is greater than the preset threshold (which may be set in advance by technical staff), the first number can be determined as the target number of physical links that the intent allows to fail. If the total number of second sets is still not greater than the preset threshold, the network intent mining apparatus 300 may further increase the number of failed physical links in the physical network 200, say to a third number, and, following the above process, decide whether the second number is to be taken as the target number.
Then, when the minimum cut is not greater than the target number, the network intent mining apparatus 300 verifies the link tolerance upper limit using the low-tolerance method, and when the minimum cut is greater than the target number, it uses the high-tolerance method. The following description takes the verification of the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B in the physical network 200 as an example.
Specifically, when the low-tolerance method is used to verify the link tolerance upper limit, the network intent mining apparatus 300 may directly enumerate the ways in which the physical links of the physical network 200 may fail and generate multiple sets accordingly. Each set corresponds to one physical link failure situation, the number of failed physical links in each set (specifically, the identifiers of the failed physical links) is not greater than the minimum cut corresponding to the reachability intent, and different sets contain different failed physical links. The network intent mining apparatus 300 then determines the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B from these sets. For example, when deciding whether the largest value smaller than the minimum cut can serve as the link tolerance upper limit, if subnet A and subnet B remain mutually reachable under the link failure situations of the sets, and become unreachable only when the number of failed physical links reaches the minimum cut, the network intent mining apparatus 300 may determine the largest value smaller than the minimum cut as the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B. Otherwise, the network intent mining apparatus 300 may continue, following the above process, to determine the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B from the range of values smaller than the minimum cut.
When the high-tolerance method is used to verify the link tolerance upper limit, the network intent mining apparatus 300 may obtain all routing paths in the forwarding graph; each edge on each routing path has an edge weight indicating the number of physical links corresponding to that edge. The network intent mining apparatus 300 may then determine, from the routing paths, the data plane that results from disconnecting each edge, thereby generating multiple data planes. Each data plane indicates the failed logical links (that is, edges) between subnet A and subnet B; different data planes indicate different failed logical links, each logical link corresponds to at least one physical link, and the total number of failed physical links in each data plane is not greater than the minimum cut. Finally, the network intent mining apparatus 300 may determine the link tolerance upper limit corresponding to the intent from the multiple data planes. For example, if subnet A and subnet B remain mutually reachable in all data planes whose total number of failed physical links is not greater than the minimum cut, while they are unreachable in the data planes in which the number of failed physical links reaches the minimum cut, the network intent mining apparatus 300 may determine the largest value smaller than the minimum cut as the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B. Otherwise, the network intent mining apparatus 300 may continue, following the above process, to determine the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B from the range of values smaller than the minimum cut.
For example, when generating the multiple data planes, the network intent mining apparatus 300 may determine the data plane produced by disconnecting the next edge on the basis of the routing paths and the edges already disconnected, so as to avoid generating duplicate data planes as far as possible. For example, the relationship between the data planes generated by the network intent mining apparatus 300 may be the tree structure shown in FIG. 4. In practical application, if the same data plane is generated while verifying the link tolerance upper limits of different intents, the network intent mining apparatus 300 can reuse the result already obtained for that data plane instead of analysing it again, which improves the efficiency with which the network intent mining apparatus 300 verifies link tolerance upper limits and reduces resource consumption.
It should be noted that the above description takes the verification of the link tolerance upper limit corresponding to the reachability intent between subnet A and subnet B as an example. In practical application, the network intent mining apparatus 300 may repeat a similar process to determine the link tolerance upper limits corresponding to the reachability intents, isolation intents and key point intents between different subnets, and verify the determined link tolerance upper limits using the high-tolerance or low-tolerance method; this is not described again in this embodiment.
In a further possible implementation, after mining the network intents of the physical network 200, the network intent mining apparatus 300 may present the intents to the user 100 so that the user 100 can manage and verify the physical network 200 according to them. Alternatively, the network intent mining apparatus 300 may further perform network migration or the like based on the mined intents, which is not limited in this embodiment.
For ease of understanding, network migration based on intents is taken as an example below. Illustratively, this embodiment may further include the following step S205.
S205: The network intent mining apparatus 300 configures a virtual network in the cloud according to the intents of the physical network 200.
Specifically, the network intent mining apparatus 300 may create one or more VPCs in the cloud. The subnets within a VPC are mutually reachable; when isolation is required between subnets inside a VPC, ACL resources can be configured in that VPC so that the isolation between those subnets is enforced by the ACL resources. Subnets in different VPCs are isolated by default; when subnets in different VPCs need to reach each other, peering connection resources can be allocated between the VPCs so that the subnets in the different VPCs can access each other through them. The network intent mining apparatus 300 can therefore create the corresponding VPCs in the cloud according to the subnets included in the physical network 200 and the mined intents, thereby migrating the physical network 200 to the cloud network.
In practical application scenarios, ACL resources in the cloud are usually limited. Therefore, in a possible implementation, when performing network migration the network intent mining apparatus 300 may reduce ACL consumption by converting the ACL resources that would be consumed into peering connection resources. For example, assume that the physical network 200 includes subnet A, subnet B and subnet C, that subnet B is interconnected with subnet A and with subnet C, and that subnet A is isolated from subnet C. If the three subnets were created in a single VPC, ACL resources would have to be consumed in that VPC to isolate subnet A from subnet C. Instead, in this embodiment, the network intent mining apparatus 300 may create VPC1 and VPC2, where VPC1 includes subnet A and subnet B and VPC2 includes subnet C; subnet B and subnet C are interconnected through the peering connection resource between the VPCs, while subnet A and subnet C are isolated because they are in different VPCs.
For ease of understanding, the technical solution of the embodiments of this application is illustrated below with a specific example. FIG. 5 is a schematic structural diagram of an exemplary physical network 200 provided by an embodiment of this application. As shown in FIG. 5, the physical network 200 includes 6 routing devices (R1 to R6) and 4 subnets; subnet 1 and subnet 2 belong to department 1, and subnet 3 and subnet 4 belong to department 2. The subnets can access each other through the routing devices R1 to R6, different subnets within the same department can access each other, and subnet 4 of department 2 can access subnet 1 and subnet 2 of department 1, but subnet 3 of department 2 cannot access subnet 1 and subnet 2 of department 1. In this embodiment, the access of subnet 3 to subnet 1 and subnet 2 can be restricted by configuring a separate ACL table (ACL101 in FIG. 5) on routing device R3. For example, the specific configuration of the ACL table on routing device R3 may be as shown in FIG. 6.
The edges between the routing devices shown in FIG. 5 carry weights representing the routing cost between the routing devices under the Open Shortest Path First (OSPF) protocol; for example, the weight of the edge between R3 and R6 is 100. When several routing paths between two subnets can carry a packet, OSPF prefers the routing path with the smallest total cost. It should be noted that an edge between two routing devices in FIG. 5 only indicates that a connection exists between them; in a real scenario two routing devices may be interconnected by one or more physical links, that is, an edge between routing devices corresponds to one or more physical links.
When the physical network 200 shown in FIG. 5 is to be migrated to the cloud, the network intent mining apparatus 300 may first obtain the network configuration and the physical topology of the physical network 200, for example the identifiers of the ports on each routing device (R1 to R6) of the physical network 200, the routing protocol used by the routing devices to forward packets, the IP addresses of the routing devices, the subnets (subnet 1 to subnet 4) and other configuration information, together with the interconnection topology between the routing devices.
The network intent mining apparatus 300 then extracts multiple routing topologies from the physical network 200 according to the obtained network configuration and physical topology; for the specific implementation, refer to the relevant description of the foregoing embodiments, which is not repeated here. In this embodiment, since the physical network 200 has no VLAN information, the extracted routing topologies are the same as the physical topology of the physical network 200, and may be as shown in FIG. 7.
Next, the network intent mining apparatus 300 may generate the forwarding table of each routing device by simulation, from the extracted routing topologies and the network configuration of the physical network 200. A forwarding table includes at least one forwarding rule constraining how the routing device forwards packets. The network intent mining apparatus 300 may also generate an ACL table by simulation for some routing devices (such as R3); the ACL table includes at least one forwarding rule (also called an ACL rule). Taking routing device R6 as an example, the generated forwarding table may be as shown in FIG. 8.
Next, the network intent mining apparatus 300 may partition the packets exchanged between the subnets into multiple equivalence classes according to the forwarding rules in the generated forwarding tables (and the forwarding rules in the ACL table), each equivalence class corresponding to one subnet. Since the forwarding rules in the ACL table also constrain the forwarding of packets by the routing device, the equivalence classes partitioned by the network intent mining apparatus 300 according to the ACL table may use the same identifiers (such as the same symbols) as the equivalence classes partitioned according to the forwarding tables. For example, the equivalence classes partitioned on the basis of the forwarding tables (and the ACL table) are shown in FIG. 9.
The network intent mining apparatus 300 may then build the forwarding graph, taking the ports of the routing devices as graph nodes and the set of equivalence classes on each port as the attribute of an edge. The resulting forwarding graph may be as shown in FIG. 10. It should be noted that the forwarding graph of FIG. 10 mainly shows the access of subnet 3 and subnet 4 of department 2 to subnet 1 and subnet 2 of department 1, with the ACL table configured on R3 restricting the access of subnet 3. In FIG. 10, the dotted nodes represent the subnets and the solid nodes represent the routing nodes. The edges of the forwarding graph indicate the equivalence classes of the packets carried: "all" means that any equivalence class can pass, "P1", "P2" and "P1P2" denote the equivalence classes of the packets allowed to pass, and "reject" means that the equivalence class cannot pass (not shown in FIG. 10). It should also be noted that this embodiment is illustrated with one routing device corresponding to one routing node. In practical application a single routing device may be configured with multiple VRF tables, so that when the forwarding graph is built multiple routing nodes can be generated from the multiple VRF tables, each routing node corresponding to one VRF table. In that case one routing device of the physical network 200 may give rise to multiple routing nodes in the forwarding graph because of the multiple VRF tables on it.
In this way, the network intent mining apparatus 300 can traverse the forwarding graph carrying all equivalence classes, for example by depth-first search, to determine the reachability between the subnets and thereby mine the reachability intents of the physical network 200. Correspondingly, the difference between the set of all subnet pairs in the forwarding graph and the set of subnet pairs having a reachability intent is the set of isolation intents of the physical network 200. In addition, the network intent mining apparatus 300 can mine the load balancing intents and key point intents of the physical network 200 from the number of routing paths between subnets that have a reachability intent. Taking the load balancing intent as an example, for subnet 1 and subnet 2 the traversal shows that there are two routing paths from P4 to P1, P4→R6→R4→R1→P1 and P4→R6→R3→R1→P1, so P4 to P1 also has a load balancing intent.
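How the forwarding-graph traversal just described yields reachability, isolation and load balancing intents, as an added Python example that is not the patent's code or any Huawei implementation. The graph is constructed (loosely modelled on the FIG. 5 / FIG. 10 description, not copied from it), the ACL placement on R3's port towards subnet 3 is an assumption, and an equivalence class is read here as "packets destined for subnet Pn"; key point intents are not derived, since the text does not say how the path count maps to them.

```python
# Constructed forwarding graph, loosely modelled on the patent's FIG. 5/FIG. 10
# but not copied from it: "P" nodes are subnets (dotted), "R" nodes are routing
# nodes (solid). Each directed edge carries the equivalence classes it forwards;
# an equivalence class is assumed here to be "packets destined for subnet Pn",
# and ALL means every class passes.
ALL = "all"
LINKS = [("P1", "R1"), ("P2", "R1"), ("P3", "R3"), ("P4", "R6"),
         ("R1", "R3"), ("R1", "R4"), ("R3", "R6"), ("R4", "R6")]
GRAPH = {}
for u, v in LINKS:
    GRAPH[(u, v)] = ALL
    GRAPH[(v, u)] = ALL
# Constructed ACL on R3's port facing subnet 3: traffic from P3 may only reach P4.
GRAPH[("P3", "R3")] = {"P4"}


def routing_paths(graph, src, dst):
    """Depth-first traversal that carries the equivalence class of dst: an edge
    is taken only if it forwards that class, and subnets are never transited."""
    adj = {}
    for (u, v), classes in graph.items():
        adj.setdefault(u, []).append((v, classes))
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(path)
            return
        if node != src and not node.startswith("R"):
            return  # a subnet node only terminates a path
        for nxt, classes in adj.get(node, ()):
            if nxt not in path and (classes == ALL or dst in classes):
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return paths


def mine_intents(graph, subnets):
    """Reachability = at least one routing path; isolation = the complement
    over all ordered subnet pairs; load balancing = two or more routing paths
    between a reachable pair."""
    reach, isolate, balance = set(), set(), set()
    for s in subnets:
        for t in subnets:
            if s == t:
                continue
            n = len(routing_paths(graph, s, t))
            if n == 0:
                isolate.add((s, t))
            else:
                reach.add((s, t))
                if n >= 2:
                    balance.add((s, t))
    return {"reachability": reach, "isolation": isolate, "load_balancing": balance}
```

With this graph, P4 reaches P1 over two paths (through R4 and through R3), P3 is isolated from P1 and P2 because its only edge into the graph forwards just the P4 class, and P1 to P2 is reachable but has a single path, so it carries no load balancing intent.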
Further, the network intent mining apparatus 300 can not only mine multiple kinds of intents in the physical network 200, such as reachability intents, isolation intents, load balancing intents and key point intents, but can also determine the link tolerance upper limit of some of these intents.
In a specific implementation, for the reachability, isolation and key point intents, the network intent mining apparatus 300 may compute the minimum cut between each subnet pair from the network configuration and the physical topology (or the forwarding graph), and determine the link tolerance upper limit of each intent from the value of the minimum cut, for example taking (minimum cut - 1) as the link tolerance upper limit of the reachability intent between a subnet pair.
The network intent mining apparatus 300 may then verify the determined link tolerance upper limits. In this embodiment, the network intent mining apparatus 300 may decide, based on the combination space of physical link failures, whether to verify using the low-tolerance method or the high-tolerance method.
Specifically, the network intent mining apparatus 300 may compute, from the network configuration and the physical topology, the target number of physical links that each intent allows to fail; for the specific process of determining the target number, refer to the relevant description of the foregoing embodiments. When the minimum cut is not greater than this target number, the low-tolerance method is selected to verify the link tolerance upper limit, and when the minimum cut is greater than this target number, the high-tolerance method is selected.
Taking the verification of a reachability intent between a subnet pair as an example, when the low-tolerance method is used, the network intent mining apparatus 300 may directly enumerate the ways in which the physical links of the physical network 200 may fail and generate multiple sets accordingly, where each set corresponds to one physical link failure situation, the number of failed physical links in each set is not greater than the minimum cut corresponding to the reachability intent, and different sets contain different failed physical links. The network intent mining apparatus 300 then verifies whether (minimum cut - 1) can serve as the link tolerance upper limit corresponding to the reachability intent: for example, whether the subnet pair remains reachable whenever the number of failed physical links in a failure combination is smaller than the minimum cut, while subnet A and subnet B become unreachable when the number of failed physical links reaches the minimum cut. If so, the network intent mining apparatus 300 may determine (minimum cut - 1) as the link tolerance upper limit corresponding to the reachability intent. Otherwise, the network intent mining apparatus 300 may continue to determine the link tolerance upper limit corresponding to the reachability intent between the subnet pair from the range of values smaller than the minimum cut.
When the high-tolerance mode is used to verify the link tolerance upper limit, the network intent mining apparatus 300 can obtain all routing paths in the forwarding graph; each edge on a routing path carries an edge weight that indicates the number of physical links the edge corresponds to. Based on these routing paths, the network intent mining apparatus 300 can then determine the data plane that results from disconnecting each edge, and thereby generate multiple data planes. Taking the reachability intent between subnet 1 and subnet 4 as an example, the generated data planes can be as shown in Figure 11 (only some of the data planes are shown in Figure 11, for illustration). Subnet 1 can communicate with subnet 4 through R1, R2, R4, and R6. When one edge is disconnected, the disconnected edge may be the edge between R1 and R2, the edge between R2 and R4, the edge between R1 and R3, and so on. When the edge between R1 and R2 is disconnected (that is, all physical links interconnecting R1 and R2 are disconnected), subnet 1 can still maintain the reachability intent through R1, R3, R4, and R6. When, after disconnecting the edge between R1 and R2, one more edge on the routing paths between subnet 1 and subnet 4 is disconnected, as shown in Figure 11, this may be the edge between R1 and R3, the edge between R3 and R4, or the edge between R4 and R6 (not shown in Figure 11), and so on. In this way, the network intent mining apparatus 300 can progressively increase the number of disconnected routing paths between subnet 1 and subnet 4, generating the data planes shown in Figure 11. The network intent mining apparatus 300 can then determine the link tolerance upper limit corresponding to the reachability intent based on the multiple data planes corresponding to that intent. Suppose that when any two edges on the routing paths between subnet 1 and subnet 4 are disconnected, subnet 1 and subnet 4 still satisfy the reachability intent, but when any three edges are disconnected they do not; then the physical link upper limit corresponding to the reachability intent between subnet 1 and subnet 4 can be: the number of physical links in the first edge + the number of physical links in the second edge + (the number of physical links in the third edge - 1). Following a similar process, the network intent mining apparatus 300 can determine the link tolerance upper limit corresponding to each intent, and can adjust the previously determined initial link tolerance upper limit according to the newly determined one.
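The high-tolerance verification described above, as an added worked example that is not code from the patent or its applicant. A data plane is modelled as a set of disconnected forwarding-graph edges; the intent survives a data plane if at least one routing path uses none of those edges. Edges are disconnected in increasing numbers, and once a (k+1)-edge data plane breaks reachability the upper limit is the physical-link total of the first k edges plus (links of the last edge - 1). Where several (k+1)-edge data planes break reachability, the example takes the one with the fewest physical links so that the limit stays safe; that choice, the three routing paths (Figure 11's two paths plus a constructed R3-R6 route), and the edge weights are assumptions, since the patent names the routers but gives no weights.

```python
from itertools import combinations

# Constructed routing paths between subnet 1 (behind R1) and subnet 4 (behind R6),
# loosely following Figure 11 plus an extra R3-R6 route. Assumption: the patent
# names the routers but gives neither the edge weights nor this third path.
ROUTING_PATHS = [
    [("R1", "R2"), ("R2", "R4"), ("R4", "R6")],
    [("R1", "R3"), ("R3", "R4"), ("R4", "R6")],
    [("R1", "R3"), ("R3", "R6")],
]
# Edge weight = number of physical links aggregated by the edge (constructed).
EDGE_WEIGHT = {
    ("R1", "R2"): 2, ("R2", "R4"): 2, ("R1", "R3"): 1,
    ("R3", "R4"): 1, ("R4", "R6"): 3, ("R3", "R6"): 1,
}


def data_plane_reachable(paths, failed_edges):
    """A data plane in which `failed_edges` are disconnected still satisfies the
    reachability intent iff some routing path uses none of the failed edges."""
    failed = set(failed_edges)
    return any(not (set(path) & failed) for path in paths)


def high_tolerance_upper_limit(paths, weight):
    """High-tolerance verification. Disconnect 1, 2, 3, ... edges of the routing
    paths; every combination is one data plane. Let k be the largest number such
    that every k-edge data plane stays reachable. Among the (k+1)-edge data planes
    that break reachability, take the one with the fewest physical links; the
    upper limit is (links of edge 1) + ... + (links of edge k) + (links of edge k+1 - 1),
    i.e. that total minus one. Returns (upper_limit, k)."""
    edges = sorted({e for path in paths for e in path})
    for k in range(1, len(edges) + 1):
        breaking = [c for c in combinations(edges, k)
                    if not data_plane_reachable(paths, c)]
        if breaking:
            fewest_links = min(sum(weight[e] for e in c) for c in breaking)
            return fewest_links - 1, k - 1
    raise ValueError("no routing path between the subnets")  # not reached for non-empty paths
```

With the constructed paths no single edge breaks reachability (disconnecting R4-R6 leaves the R1-R3-R6 route), while the two-edge data planes {R1-R2, R1-R3} and {R2-R4, R1-R3} break it with 3 physical links in total, so the upper limit is 2 with k = 1. The work is bounded by the number of forwarding-graph edges rather than the number of physical links, which is the point of switching to this mode when the minimum cut is large.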
Further, after mining the intents in the physical network 200, the network intent mining apparatus 300 can create a virtual network in the cloud according to those intents; specifically, it can create one or more VPCs in the cloud, each VPC containing one or more subnets of the physical network 200. Here: 1. subnets within a VPC are reachable by default; 2. subnets in different VPCs are isolated by default; 3. isolating subnets within the same VPC requires allocating ACL resources; 4. reachability between subnets in different VPCs requires allocating peering connection resources. Because ACL resources in the cloud are usually limited in practical application scenarios, when creating the virtual network in the cloud the network intent mining apparatus 300 can reduce ACL consumption by converting the ACL resources that would be consumed into peering connection resources.
As an implementation example, the network intent mining apparatus 300 can first construct a subnet connection diagram as shown in Figure 12 from the mined network intents and the subnets in the physical network 200, where P1 represents subnet 1, P2 represents subnet 2, P3 represents subnet 3, and P4 represents subnet 4.
Then, the network intent mining apparatus 300 can identify the connected components in this graph and place each connected component in its own group. In the subnet connection diagram shown in Figure 12, the subnets are all connected to one another, so the diagram contains only one connected component.
Next, the network intent mining apparatus 300 can assign the subnets in each connected component to one VPC. Because the ACL resources in a single VPC are limited (for example, the number of ACL rules consumed in each VPC must not exceed a first threshold, such as 1), the number of ACL resources required can be reduced by adjusting each group. In a specific implementation, for each group the network intent mining apparatus 300 can use the following formula (1) to search for the way of dividing the group's subnets into two parts that reduces the number of ACL rules the most.
$W = \text{nodenum}_{\text{part1}} \times \text{nodenum}_{\text{part2}} - \text{edgenum}_{\text{cut}}$    (1)
where W is the number of consumed ACL rules that can be saved by dividing the subnets of the group into two parts, nodenum_part1 is the number of subnets in the first part, nodenum_part2 is the number of subnets in the second part, and edgenum_cut is the number of edges involved in the minimum cut between the two parts, that is, the number of same-VPC subnet pairs lost by the division.
In practice, the subnet connection diagram formed by the subnets of the physical network 200 may contain multiple connected components, so multiple groups can be formed from it. Although adjusting each group reduces the number of ACL rules, it also places the two parts of the group's subnets in different VPCs. Therefore, the network intent mining apparatus 300 can compute a profit value for each group using the following formula (2) and process the groups with larger profit values first.
$P = (\text{nodenum}_{\text{part1}} \times \text{nodenum}_{\text{part2}} - \text{edgenum}_{\text{cut}}) / \text{edgenum}_{\text{cut}}$    (2)
where P is the profit value, representing the ratio of the number of ACL rules saved to the number of same-VPC subnet pairs lost.
In practice, dividing the group with the largest profit value first reduces the number of ACL rules to be consumed as much as possible while keeping the number of same-VPC subnet pairs lost small.
After grouping the subnet connection diagram of Figure 12 in this way, group 1 and group 2 shown in Figure 13 are obtained, where group 1 contains P1, P2, and P4 (that is, subnet 1, subnet 2, and subnet 4 are placed in one VPC) and group 2 contains P3 (that is, subnet 3 is placed in another VPC).
In this way, the network intent mining apparatus 300 can create the corresponding VPCs in the cloud according to the adjusted grouping, allocate and configure the corresponding subnets in each VPC, and allocate peering connection resources between different VPCs, thereby migrating the physical network 200 to the cloud. In practice, the number of VPCs created can also be limited, for example so that it does not exceed a second threshold, which limits the peering connection resources consumed between VPCs.
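The grouping procedure of formulas (1) and (2), the profit-first ordering, and the two thresholds (ACL rules per VPC, number of VPCs), as an added worked example that is not code from the patent or its applicant. It builds the initial groups from connected components, evaluates every two-way split of a group with W and P, and keeps splitting the group with the largest P until every VPC needs no more than the allowed ACL rules or the VPC budget is reached; the loop that combines these steps is my reading of the text. The subnet graph (edges P1-P2, P1-P4, P2-P4, P1-P3) is a constructed assumption, since the patent does not list Figure 12's edges; it is chosen so that the result reproduces the grouping of Figure 13.

```python
from itertools import combinations

# Constructed subnet-connection graph in the spirit of Figure 12 (an assumption:
# the patent does not list Figure 12's edges). An edge = a mined reachability
# intent between the two subnets; P1..P4 stand for subnets 1..4.
SUBNETS = ["P1", "P2", "P3", "P4"]
REACHABLE_PAIRS = {frozenset(p) for p in
                   [("P1", "P2"), ("P1", "P4"), ("P2", "P4"), ("P1", "P3")]}


def connected_components(nodes, edges):
    """Every connected component becomes one initial group (one candidate VPC)."""
    remaining, groups = set(nodes), []
    while remaining:
        start = remaining.pop()
        comp, stack = {start}, [start]
        while stack:
            u = stack.pop()
            for e in edges:
                if u in e:
                    (v,) = e - {u}
                    if v in remaining:
                        remaining.discard(v)
                        comp.add(v)
                        stack.append(v)
        groups.append(frozenset(comp))
    return groups


def acl_rules_needed(group, edges):
    """Subnets inside one VPC reach each other by default, so every pair WITHOUT
    a reachability intent costs one isolating ACL rule."""
    pairs = len(group) * (len(group) - 1) // 2
    internal_edges = sum(1 for e in edges if e <= group)
    return pairs - internal_edges


def best_split(group, edges):
    """Formulas (1) and (2): try every two-way partition of the group and return
    (W, P, part1, part2) maximising W = n1 * n2 - edgenum_cut, ties broken by P."""
    best = None
    nodes = sorted(group)
    for r in range(1, len(nodes)):
        for chosen in combinations(nodes, r):
            part1 = frozenset(chosen)
            part2 = group - part1
            cut = sum(1 for e in edges if e & part1 and e & part2)
            w = len(part1) * len(part2) - cut
            p = w / cut if cut else float("inf")  # no same-VPC pair lost at all
            if best is None or (w, p) > (best[0], best[1]):
                best = (w, p, part1, part2)
    return best


def plan_vpcs(nodes, edges, max_acl_per_vpc=1, max_vpcs=4):
    """Split groups whose ACL demand exceeds the first threshold, always taking
    the group with the largest profit value P first, and stop before the number
    of VPCs exceeds the second threshold (this loop is my reading of the text's
    procedure). Returns the groups and the number of peering connections needed."""
    groups = connected_components(nodes, edges)
    while len(groups) < max_vpcs:
        candidates = [(best_split(g, edges), g) for g in groups
                      if len(g) > 1 and acl_rules_needed(g, edges) > max_acl_per_vpc]
        if not candidates:
            break
        (_, _, part1, part2), g = max(candidates, key=lambda c: c[0][1])
        groups.remove(g)
        groups += [part1, part2]
    # Every reachability intent that now crosses VPCs needs one peering connection.
    peering = sum(1 for e in edges if not any(e <= g for g in groups))
    return sorted(sorted(g) for g in groups), peering
```

On the constructed graph the single initial group would need 2 ACL rules (pairs P2-P3 and P3-P4 have no intent), which exceeds the threshold of 1. The split {P3} | {P1, P2, P4} has W = 3 × 1 - 1 = 2 and P = 2, beating the other W = 2 split {P1, P3} | {P2, P4} on P; afterwards no VPC needs an ACL rule and one peering connection (for the P1-P3 intent) replaces them, matching group 1 and group 2 of Figure 13.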
The network intent mining method provided by the embodiments of this application has been described in detail above with reference to Figures 1 to 13. The network intent mining apparatus 1400 provided by the embodiments of this application is described below from the perspective of functional units, with reference to the accompanying drawings.
Referring to the schematic structural diagram of the network intent mining apparatus 300 shown in Figure 3, the network intent mining apparatus 300 includes:
an information acquisition module 301, configured to acquire the network configuration of a physical network and the physical topology of the physical network;
a rule determination module 302, configured to determine, according to the network configuration and the physical topology, the forwarding rules of each of multiple routing nodes in the physical network; and
an intent mining module 303, configured to determine the intent in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the intent including a plurality of the following: reachability intent, key-point intent, load-balancing intent, or isolation intent.
In a possible implementation, the intent mining module 303 is configured to:
generate multiple routing paths in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the multiple routing paths being used to forward data packets between multiple subnets in the physical network; and
mine the intent in the physical network according to the multiple routing paths.
In a possible implementation, the intent mining module 303 is configured to:
generate, according to the physical topology and the multiple forwarding rules of the multiple routing nodes, a forwarding graph that includes the multiple routing nodes and indicates their data packet forwarding behaviour; and
traverse the forwarding graph to generate multiple routing paths in the physical network.
In a possible implementation, the intent mining module 303 is configured to:
determine, according to the multiple forwarding rules, the equivalence class corresponding to a target subnet in the physical network; and
traverse the forwarding graph to determine one or more routing paths in the physical network for the equivalence class.
In a possible implementation, when the intent includes a reachability intent, a key-point intent, or an isolation intent, the apparatus 300 further includes:
an upper limit determination module 304, configured to determine, according to the network configuration and the physical topology, the link tolerance upper limit corresponding to the intent, the link tolerance upper limit indicating the maximum number of physical links the intent allows to fail.
In a possible implementation, the upper limit determination module 304 is configured to:
compute, according to the network configuration and the physical topology, the minimum cut between the two subnets in the physical network that the intent relates to; and
determine the link tolerance upper limit corresponding to the intent according to the minimum cut between the two subnets.
In a possible implementation, the upper limit determination module 304 is configured to:
determine a target number of physical links the intent allows to fail;
when the minimum cut between the two subnets is not greater than the target number, enumerate multiple sets in the physical network, the number of failed physical links in each set being not greater than the minimum cut; and
determine the link tolerance upper limit corresponding to the intent according to the multiple sets.
In a possible implementation, the upper limit determination module 304 is configured to:
determine a target number of physical links the intent allows to fail;
when the minimum cut between the two subnets is greater than the target number, generate multiple data planes, each data plane indicating the failed logical links between the two subnets, different data planes indicating different failed logical links, each logical link corresponding to at least one physical link, and the total number of failed physical links in each data plane being not greater than the minimum cut; and
determine the link tolerance upper limit corresponding to the intent according to the multiple data planes.
In a possible implementation, the upper limit determination module 304 is configured to:
compute the total number of first sets in the physical network when the number of failed physical links in the physical network is a first number, the number of failed physical links in each first set being not greater than the first number;
when the total number of first sets is less than a preset threshold, compute the total number of second sets in the physical network when the number of failed physical links in the physical network is a second number, the number of failed physical links in each second set being not greater than the second number, and the second number being greater than the first number; and
when the total number of second sets is greater than the preset threshold, determine the first number as the target number of physical links the intent allows to fail.
In a possible implementation, the apparatus 300 further includes:
a configuration module 305, configured to configure a virtual network in the cloud according to the intent in the physical network.
In a possible implementation, the virtual network includes multiple virtual private clouds (VPCs), and the number of access control list (ACL) rules in each VPC does not exceed a first threshold, or the number of VPCs in the virtual network does not exceed a second threshold.
The network intent mining apparatus 300 according to the embodiments of this application may correspondingly perform the methods described in the embodiments of this application, and the above and other operations and/or functions of the modules of the network intent mining apparatus 300 shown in Figure 14 respectively implement the corresponding procedures of the methods performed by the network intent mining apparatus 300 in Figure 2; for brevity, they are not described again here.
In the embodiments above, the network intent mining process can also be implemented by a separate hardware device. The computing device that implements the network intent mining process is described in detail below.
Figure 15 provides a schematic structural diagram of a computing device. The computing device 1500 shown in Figure 15 can specifically be used to implement the functions of the network intent mining apparatus 300 in the embodiment shown in Figure 2.
The computing device 1500 includes a bus 1501, a processor 1502, a communication interface 1503, and a memory 1504. The processor 1502, the memory 1504, and the communication interface 1503 communicate with one another via the bus 1501. The bus 1501 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in Figure 15, but this does not mean that there is only one bus or one type of bus. The communication interface 1503 is used for communication with the outside, for example to receive the network configuration and physical topology provided by the user 100 through a client.
The processor 1502 may be a central processing unit (CPU). The memory 1504 may include volatile memory, for example random access memory (RAM). The memory 1504 may also include non-volatile memory, for example read-only memory (ROM), flash memory, an HDD, or an SSD.
The memory 1504 stores executable code, and the processor 1502 executes that code to perform the method performed by the network intent mining apparatus 300 described above.
Specifically, when the embodiment shown in Figure 2 is implemented and the network intent mining apparatus 300 described in that embodiment is implemented in software, the software or program code required to perform the functions of the network intent mining apparatus 300 in Figure 2 is stored in the memory 1504, and the interaction between the computing device 1500 and other devices takes place through the communication interface 1503; for example, the computing device 1500 receives the network configuration and physical topology through the communication interface 1503. The processor executes the instructions in the memory 1504 to implement the method performed by the network intent mining apparatus 300.
In addition, the embodiments of this application further provide a computer-readable storage medium that stores instructions which, when run on a computing device, cause the computing device to perform the method of the embodiment shown in Figure 2.
The embodiments of this application further provide a computer program product; when the computer program product is executed by a computer, the computer performs any of the network intent mining methods described above. The computer program product may be a software installation package that can be downloaded and executed on a computer whenever any of those methods needs to be used.
It should also be noted that the apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided in this application, the connection relationship between modules indicates that they have a communication connection, which may specifically be implemented as one or more communication buses or signal lines.
From the above description of the embodiments, those skilled in the art can clearly understand that this application can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memories, dedicated components, and the like. In general, any function performed by a computer program can easily be implemented by corresponding hardware, and the specific hardware structure used to implement the same function can take many forms, such as analog circuits, digital circuits, or dedicated circuits. For this application, however, a software implementation is the better implementation in most cases. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a readable storage medium such as a computer floppy disk, USB flash drive, removable hard disk, ROM, RAM, magnetic disk, or optical disc, including several instructions that cause a forwarding device (which may be a personal computer, a training device, a network device, or the like) to perform the methods described in the embodiments of this application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, training device, or data center to another website, computer, training device, or data center by wired means (such as coaxial cable, optical fibre, or digital subscriber line (DSL)) or wireless means (such as infrared, radio, or microwave). The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a training device or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk, or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).

Claims (25)

  1. A network intent mining method, characterized in that the method includes:
    acquiring the network configuration of a physical network and the physical topology of the physical network;
    determining, according to the network configuration and the physical topology, the forwarding rules of each of multiple routing nodes in the physical network; and
    determining the intent in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the intent including a plurality of the following: reachability intent, key-point intent, load-balancing intent, or isolation intent.
  2. The method according to claim 1, characterized in that determining the intent in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes includes:
    generating multiple routing paths in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the multiple routing paths being used to forward data packets between multiple subnets in the physical network; and
    mining the intent in the physical network according to the multiple routing paths.
  3. The method according to claim 2, characterized in that generating multiple routing paths in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes includes:
    generating, according to the physical topology and the multiple forwarding rules of the multiple routing nodes, a forwarding graph that includes the multiple routing nodes and indicates their data packet forwarding behaviour; and
    traversing the forwarding graph to generate multiple routing paths in the physical network.
  4. The method according to claim 3, characterized in that traversing the forwarding graph to generate multiple routing paths in the physical network includes:
    determining, according to the multiple forwarding rules, the equivalence class corresponding to a target subnet in the physical network; and
    traversing the forwarding graph to determine one or more routing paths in the physical network for the equivalence class.
  5. The method according to any one of claims 1 to 4, characterized in that, when the intent includes a reachability intent, a key-point intent, or an isolation intent, the method further includes:
    determining, according to the network configuration and the physical topology, the link tolerance upper limit corresponding to the intent, the link tolerance upper limit indicating the maximum number of physical links the intent allows to fail.
  6. The method according to claim 5, characterized in that determining the link tolerance upper limit corresponding to the intent according to the network configuration and the physical topology includes:
    computing, according to the network configuration and the physical topology, the minimum cut between the two subnets in the physical network that the intent relates to; and
    determining the link tolerance upper limit corresponding to the intent according to the minimum cut between the two subnets.
  7. The method according to claim 6, characterized in that determining the link tolerance upper limit corresponding to the intent according to the minimum cut between the two subnets includes:
    determining a target number of physical links the intent allows to fail;
    when the minimum cut between the two subnets is not greater than the target number, enumerating multiple sets in the physical network, the number of failed physical links in each set being not greater than the minimum cut; and
    determining the link tolerance upper limit corresponding to the intent according to the multiple sets.
  8. The method according to claim 6, characterized in that determining the link tolerance upper limit corresponding to the intent according to the minimum cut between the two subnets includes:
    determining a target number of physical links the intent allows to fail;
    when the minimum cut between the two subnets is greater than the target number, generating multiple data planes, each data plane indicating the failed logical links between the two subnets, different data planes indicating different failed logical links, each logical link corresponding to at least one physical link, and the total number of failed physical links in each data plane being not greater than the minimum cut; and
    determining the link tolerance upper limit corresponding to the intent according to the multiple data planes.
  9. 根据权利要求7或8所述的方法,其特征在于,所述确定所述意图允许失效的物理链路的目标数量,包括:The method according to claim 7 or 8, characterized in that determining the target number of physical links that are intended to be allowed to fail includes:
    计算所述物理网络中失效的物理链路数量为第一数量时,所述物理网络中的多个第一集合的总数,所述多个第一集合中每个第一集合内失效的物理链路的数量不大于所述第一数量;When the number of failed physical links in the physical network is calculated as the first number, the total number of multiple first sets in the physical network, the number of failed physical links in each first set in the multiple first sets The number of roads is not greater than the first number;
    当所述多个第一集合的总数小于预设阈值时,计算所述物理网络中失效的物理链路数量为第二数量时,所述物理网络中的多个第二集合的总数,所述多个第二集合中每个第二集合内失效的物理链路的数量不大于所述第二数量,所述第二数量大于所述第一数量;When the total number of the plurality of first sets is less than the preset threshold, when the number of failed physical links in the physical network is calculated to be a second number, the total number of the plurality of second sets in the physical network, the The number of failed physical links in each of the plurality of second sets is not greater than the second number, and the second number is greater than the first number;
    当所述第二集合的总数大于所述预设阈值时,确定所述第一数量为所述意图允许失效的物理链路的目标数量。When the total number of the second set is greater than the preset threshold, the first number is determined to be the target number of physical links that are intended to be allowed to fail.
  10. 根据权利要求1至9任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1 to 9, characterized in that the method further includes:
    根据所述物理网络中的意图,在云端配置虚拟网络。A virtual network is configured in the cloud based on the intent in the physical network.
  11. 根据权利要求10所述的方法,其特征在于,所述虚拟网络包括多个虚拟私有云VPC,每个VPC中的访问控制列表ACL规则数量不超过第一阈值,或所述虚拟网络中的VPC数量不超过第二阈值。The method of claim 10, wherein the virtual network includes multiple virtual private cloud VPCs, and the number of access control list ACL rules in each VPC does not exceed a first threshold, or the VPCs in the virtual network The quantity does not exceed the second threshold.
  12. A network intent mining apparatus, characterized in that the apparatus includes:
    an information acquisition module, configured to acquire the network configuration of a physical network and the physical topology of the physical network;
    a rule determination module, configured to determine, according to the network configuration and the physical topology, the forwarding rule of each of multiple routing nodes in the physical network;
    an intent mining module, configured to determine the intents in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the intents including several of the following types: reachability intents, key-point intents, load balancing intents, or isolation intents.
  13. The apparatus according to claim 12, characterized in that the intent mining module is configured to:
    generate multiple routing paths in the physical network according to the physical topology and the multiple forwarding rules of the multiple routing nodes, the multiple routing paths being used to forward data packets between multiple subnets in the physical network;
    mine the intents in the physical network according to the multiple routing paths.
  14. The apparatus according to claim 13, characterized in that the intent mining module is configured to:
    generate, according to the physical topology and the multiple forwarding rules of the multiple routing nodes, a forwarding graph including the multiple routing nodes, the forwarding graph indicating the data packet forwarding behaviour of the multiple routing nodes;
    traverse the forwarding graph to generate the multiple routing paths in the physical network.
  15. The apparatus according to claim 14, characterized in that the intent mining module is configured to:
    determine, according to the multiple forwarding rules, the equivalence class corresponding to a target subnet in the physical network;
    traverse the forwarding graph to determine one or more routing paths in the physical network for the equivalence class.
  16. The apparatus according to any one of claims 12 to 15, characterized in that, when the intent includes a reachability intent, a key-point intent or an isolation intent, the apparatus further includes:
    an upper limit determination module, configured to determine, according to the network configuration and the physical topology, the link tolerance upper limit corresponding to the intent, the link tolerance upper limit indicating the maximum number of physical links that the intent allows to fail.
  17. The apparatus according to claim 16, characterized in that the upper limit determination module is configured to:
    calculate, according to the network configuration and the physical topology, the minimum cut between the two subnets in the physical network that are related to the intent;
    determine, according to the minimum cut between the two subnets, the link tolerance upper limit corresponding to the intent.
  18. The apparatus according to claim 17, characterized in that the upper limit determination module is configured to:
    determine the target number of physical links that the intent allows to fail;
    when the minimum cut between the two subnets is not greater than the target number, enumerate multiple sets in the physical network, the number of failed physical links in each of the multiple sets being not greater than the minimum cut;
    determine, according to the multiple sets, the link tolerance upper limit corresponding to the intent.
  19. The apparatus according to claim 17, characterized in that the upper limit determination module is configured to:
    determine the target number of physical links that the intent allows to fail;
    when the minimum cut between the two subnets is greater than the target number, generate multiple data planes, each of the multiple data planes indicating the failed logical links between the two subnets, the failed logical links indicated by different data planes differing from one another, each logical link corresponding to at least one physical link, and the total number of failed physical links in each data plane being not greater than the minimum cut;
    determine, according to the multiple data planes, the link tolerance upper limit corresponding to the intent.
  20. The apparatus according to claim 18 or 19, characterized in that the upper limit determination module is configured to:
    calculate the total number of multiple first sets in the physical network when the number of failed physical links in the physical network is a first number, the number of failed physical links in each of the multiple first sets being not greater than the first number;
    when the total number of the multiple first sets is less than a preset threshold, calculate the total number of multiple second sets in the physical network when the number of failed physical links in the physical network is a second number, the number of failed physical links in each of the multiple second sets being not greater than the second number, and the second number being greater than the first number;
    when the total number of the second sets is greater than the preset threshold, determine the first number to be the target number of physical links that the intent allows to fail.
  21. The apparatus according to any one of claims 12 to 20, characterized in that the apparatus further includes:
    a configuration module, configured to configure a virtual network in the cloud according to the intent in the physical network.
  22. The apparatus according to claim 21, characterized in that the virtual network includes multiple virtual private clouds (VPCs), and the number of access control list (ACL) rules in each VPC does not exceed a first threshold, or the number of VPCs in the virtual network does not exceed a second threshold.
  23. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computing device, cause the computing device to perform the operation steps of the method according to any one of claims 1 to 11.
  24. A computing device, characterized in that the computing device includes a processor and a memory;
    the memory is configured to store computer instructions;
    the processor is configured to perform, according to the computer instructions, the operation steps of the method according to any one of claims 1 to 11.
  25. A computer program product containing instructions which, when run on a computing device, cause the computing device to perform the operation steps of the method according to any one of claims 1 to 11.
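The link-tolerance procedure of claims 7 to 9 and 16 to 20 (minimum cut between the two subnets, threshold-driven choice of the target failure count, then enumeration over physical links or over data planes of logical links), carried through on a constructed four-router topology as an added example; this is not the patent's own code. The brute-force minimum cut, the counting of non-empty failure sets only, and the rule that the upper limit equals the smallest reachability-breaking failure set minus one are assumptions.

```python
# Added example (not the patent's own code): link-tolerance bound of claims 7-9 / 16-20.
from itertools import combinations
from math import comb
# Constructed topology: a physical link is (node_a, node_b, member_id); links that
# share (node_a, node_b) form one logical link (a LAG-style bundle, claim 19).
PHYSICAL = [("r1", "r2", 0), ("r1", "r3", 0), ("r2", "r3", 0),
            ("r2", "r4", 0), ("r2", "r4", 1), ("r3", "r4", 0)]

def reachable(links, src, dst):
    """Depth-first search over the surviving physical links."""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        for a, b, _ in links:
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return dst in seen

def min_cut(links, src, dst):
    """Fewest links whose loss disconnects src from dst (brute force; use max-flow at scale)."""
    for k in range(len(links) + 1):
        if any(not reachable([l for l in links if l not in f], src, dst) for f in combinations(links, k)):
            return k
    return len(links)

def target_failure_count(n_links, threshold):
    """Claims 9/20: raise k while the number of failure sets of size 1..k+1 stays below the threshold."""
    count = lambda k: sum(comb(n_links, i) for i in range(1, k + 1))
    k = 1
    while k < n_links and count(k + 1) < threshold:
        k += 1
    return k

def link_tolerance(links, src, dst, threshold):
    """Max simultaneous physical link failures keeping src-dst reachable: smallest breaking set - 1 (assumption)."""
    mc = min_cut(links, src, dst)
    if mc <= target_failure_count(len(links), threshold):
        units = [[l] for l in links]   # claim 18: enumerate sets of physical links
    else:                              # claim 19: one data plane per set of logical links
        units = list({l[:2]: [m for m in links if m[:2] == l[:2]] for l in links}.values())
    breaking = [mc]   # the min cut itself always bounds the answer
    for k in range(1, len(units) + 1):
        for chosen in combinations(units, k):
            failed = [l for u in chosen for l in u]
            if len(failed) <= mc and not reachable([l for l in links if l not in failed], src, dst):
                breaking.append(len(failed))
    return min(breaking) - 1
```

With a threshold of 30 the minimum cut (2) is within the target count and physical links are enumerated; with a threshold of 10 the target drops to 1 and the logical-link data planes are enumerated instead, both yielding an upper limit of one tolerated failure.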
PCT/CN2022/133151 2022-04-26 2022-11-21 Network intent mining method and apparatus, and related device WO2023207048A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210447023.1 2022-04-26
CN202210447023.1A CN116996387A (en) 2022-04-26 2022-04-26 Network intention mining method and device and related equipment

Publications (1)

Publication Number Publication Date
WO2023207048A1 (en) 2023-11-02

Family

ID=88517186

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/133151 WO2023207048A1 (en) 2022-04-26 2022-11-21 Network intent mining method and apparatus, and related device

Country Status (2)

Country Link
CN (1) CN116996387A (en)
WO (1) WO2023207048A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110173692A1 (en) * 2010-01-08 2011-07-14 Board Of Trustees Of Michigan State University Method for computing network reachability
US20160036636A1 (en) * 2014-07-30 2016-02-04 Forward Networks, Inc. Systems and methods for network management
US20190075056A1 (en) * 2017-09-06 2019-03-07 Nicira, Inc. Internet protocol flow data including firewall rules
CN110679120A (en) * 2017-04-24 2020-01-10 微软技术许可有限责任公司 Communication network node
CN113924761A (en) * 2019-04-05 2022-01-11 谷歌有限责任公司 Cloud network reachability analysis

Also Published As

Publication number Publication date
CN116996387A (en) 2023-11-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22939863

Country of ref document: EP

Kind code of ref document: A1