Devices such as computer systems, routers, switches, load balancers, firewalls, and the like, are commonly linked to each other in networks. These networks are configured in different ways depending on implementation-specific details such as the hardware used and the physical location of the equipment, and also depending on the particular objectives of the network. One common type of network configuration includes a number of “virtual” networks, commonly known as virtual local area networks (VLANs). A VLAN is, in essence, a logical segmentation of a physical local area network (LAN).
An advantage of VLANs is that the devices associated with a particular virtual network do not need to all be in the same physical location, yet all will appear to be on the same LAN. Prior Art FIG. 1 is a block diagram of a portion of a LAN 10 that includes a number of racks (20, 21 and 22) of computer systems (30–38) and a hierarchy of switches (11–16). Each of the computer systems 30–38 is physically wired to a respective switch (14, 15 or 16), which are each physically wired to switches 12 and 13, which in turn are physically wired to switch 11. By routing signals through the various switches, computer systems in different racks or within the same rack can communicate with each other, within certain constraints that will be explained. In addition, a signal from a remote device (not shown) can also be routed through the various switches so that the remote device can communicate with any of the devices in LAN 10, within certain constraints as well.
In the simplified example of Prior Art FIG. 1, LAN 10 is logically segmented into a VLAN 1 and a VLAN 2. VLAN 1 includes computer systems 30 and 37, and VLAN 2 includes computer systems 31 and 36. Should computer system 30 need to communicate with computer system 37, for example, a signal from computer system 30 can be routed through switch 14 to switch 16 and on to computer system 37.
For reasons such as security or privacy, communication between VLANs may not be permitted. In LAN 10, access to a particular VLAN is controlled by the switches 11–16. For example, switch 16 can be configured to forward a message from computer system 30 (VLAN 1) to computer system 37 (VLAN 1) but to not forward a message from computer system 30 (VLAN 1) to computer system 36 (VLAN 2). In a similar manner, communication from a remote device can be controlled so that the remote device can only communicate with certain devices in LAN 10. Therefore, even though VLANs can share resources such as switches, VLANs can be prevented from sharing traffic and information.
Another advantage of VLANs is that the management and cabling of groups of devices are simplified, particularly when the allocation of resources within the LAN is changed. For instance, in the simplified example of Prior Art FIG. 1, VLAN 1 may be used by one organization and VLAN 2 by another. The first organization may need more resources, while the resources of the other organization may be under-utilized. Accordingly, one of the computer systems in VLAN 2 can be reallocated to VLAN 1. Using VLANs, this can be accomplished without rewiring the LAN. Instead, this is accomplished by reconfiguring the appropriate switches.
In actual practice, a typical LAN will include large numbers of computer systems and switches (as well as other devices), with frequent changes to the allocation of these resources among the various VLANs. Each change may result in the reconfiguring of multiple switches. Typically, when a change is made, a human operator inputs/issues commands to reconfigure the affected switches. When done manually, this can be a tedious and time-consuming process that is also prone to human error.
Automated processes are becoming available to assist in the configuring of VLANs. However, these processes still have their shortcomings, particularly with regard to the verification of proper configuration of switches and therefore of VLANs. Some prior art techniques rely on manual procedures to verify correctness of the switch configurations. Typically, these procedures require logging into each switch, issuing commands to view their existing configurations, comparing those configurations to documentation of the desired (design) state, and then issuing commands to correct any discrepancies. Once the switches are reconfigured to correct any discrepancies, it may even be necessary to repeat the verification process. In general, manual verification is slow, costly and prone to human error.
Other prior art techniques essentially rely on the automated configuration process itself to ensure correct configuration of the switches and VLANs. For example, using information from a database, an automated procedure may exist for sending configuration commands to a switch. Such procedures may eliminate one source of human error, but they still have their shortcomings. Significantly, such procedures do not provide the capability to check that the switch configuration matches that of the database. Commands may go awry, may be misdirected to an incorrect switch, or may not be implemented as intended. Switches may malfunction during operation, perhaps losing some of their programming. A switch may be hacked with malicious intent, perhaps causing it to direct traffic to an unauthorized destination or to not forward traffic at all to certain destinations.
For these and other reasons, a method and/or system that can verify that switches and hence VLANs are properly configured would be of value. Embodiments of the present invention provide this and other advantages.