Will Cisco SD-WAN saw off the branch that DMVPN is sitting on?

Since August 2017, when Cisco acquired Viptela, the main technology offered for building distributed enterprise networks has been Cisco SD-WAN. Over the past 3 years, SD-WAN technology has gone through many changes, both qualitative and quantitative. As a result, its functionality has expanded considerably and support has appeared on the modern Cisco ISR 1000, ISR 4000, ASR 1000 and virtual CSR 1000v routers. At the same time, many Cisco customers and partners keep asking: what are the differences between Cisco SD-WAN and the already familiar approaches based on technologies such as Cisco DMVPN and Cisco Performance Routing, and how important are those differences?

Here we should note right away that before SD-WAN arrived in Cisco's portfolio, DMVPN together with PfR formed a key part of the Cisco IWAN (Intelligent WAN) architecture, which in turn was the predecessor of full-fledged SD-WAN technology. Despite the similarity of both the problems being solved and the ways of solving them, IWAN never reached the level of automation, flexibility and scalability required for SD-WAN, and over time IWAN development slowed considerably. At the same time, the technologies that make up IWAN have not gone away, and many customers continue to use them successfully, including on modern equipment. The result is an interesting situation: the same Cisco equipment lets you choose the most suitable WAN technology (classic, DMVPN+PfR or SD-WAN) according to the customer's requirements and expectations.

This article does not aim to analyse in detail every feature of Cisco SD-WAN and DMVPN (with or without Performance Routing); there is plenty of documentation and material available for that. The main task is to try to assess the key differences between these technologies. But before discussing those differences, let us briefly recall the technologies themselves.

What is Cisco DMVPN and why is it needed?

Cisco DMVPN solves the problem of dynamically (= scalably) connecting a remote branch network to the network of the enterprise's central office while using arbitrary types of communication channels, including the Internet (= with encryption of the communication channel). Technically, this is achieved by creating a virtualized L3 VPN-class overlay network in point-to-multipoint mode with a logical "Star" (Hub-n-Spoke) topology. To achieve this, DMVPN uses a combination of the following technologies:

  • IP routing
  • Multipoint GRE tunnels (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • IPSec Crypto profiles

What are the main advantages of Cisco DMVPN compared to classic routing over MPLS VPN channels?

  • To build the inter-branch network, any communication channels can be used: anything that can provide IP connectivity between branches is suitable, while traffic will be encrypted (where necessary) and balanced (where possible).
  • A full-mesh topology between branches is formed automatically. There are static tunnels between the central and remote branches, and dynamic on-demand tunnels between remote branches (when there is traffic).
  • The routers of the central and remote branches have the same configuration, up to the IP addresses of the interfaces. With mGRE there is no need to individually configure tens, hundreds or even thousands of tunnels. The result is good scalability, given a proper design.

What is Cisco Performance Routing and why is it needed?

When using DMVPN on an inter-branch network, one very important question remains unresolved: how to dynamically assess the state of each DMVPN tunnel against the requirements of the traffic that is critical to our organization and, again based on such an assessment, make a dynamic rerouting decision? The fact is that DMVPN in this respect differs little from classic routing: the best that can be done is to configure QoS mechanisms that let you prioritize traffic in the outbound direction, but they cannot take into account the state of the whole path at any given moment.

And what if a channel degrades partially rather than completely; how do you detect and assess that? DMVPN by itself cannot do this. Given that the channels connecting branches may pass through entirely different telecom operators and use entirely different technologies, this task becomes extremely non-trivial. This is where Cisco Performance Routing comes to the rescue, a technology that by that time had already gone through several stages of development.

The job of Cisco Performance Routing (hereafter PfR) comes down to measuring the state of traffic paths (tunnels) in terms of the metrics that matter to network applications: latency, latency variation (jitter) and packet loss (percentage). In addition, the bandwidth used can be measured. These measurements take place as close to real time as possible and reasonable, and their results allow a router using PfR to dynamically decide whether the route for a particular type of traffic needs to change.

Thus, the task of the DMVPN/PfR combination can be briefly described as follows:

  • Allow the customer to use any communication channels on the WAN
  • Ensure the highest possible quality for critical applications over those channels

What is Cisco SD-WAN?

Cisco SD-WAN is a technology that uses the SDN approach to create and operate an organization's WAN. In particular, this means using so-called controllers (software elements) that provide centralized orchestration and automated configuration of all components of the solution. Unlike canonical SDN (Clean Slate style), Cisco SD-WAN uses several types of controllers, each performing its own role; this was done deliberately to provide better scalability and geo-redundancy.

In the case of SD-WAN, the task of using any type of channel and ensuring the performance of business applications remains the same, but at the same time the requirements for automation, scalability, security and flexibility of such a network grow.

Discussion of the differences

If we now start analysing the differences between these technologies, they fall into one of the following categories:

  • Architectural differences: how are functions distributed across the various components of the solution, how is the interaction of those components organized, and how does this affect the capabilities and flexibility of the technology?
  • Functionality: what can one technology do that the other cannot? And is it really that important?

What are the architectural differences, and do they matter?

Each of these technologies has many "moving parts" that differ not only in their roles but also in how they interact with one another. How well these principles are thought out, and the overall mechanics of the solution, determine its scalability, fault tolerance and overall efficiency.

Let us look at the various aspects of the architecture in more detail:

Data plane: the part of the solution responsible for carrying user traffic between source and destination. In DMVPN and SD-WAN it is implemented in broadly the same way, on the routers themselves, based on Multipoint GRE tunnels. The difference lies in how the set of parameters needed for these tunnels is formed:

  • In DMVPN/PfR it is strictly a two-level hierarchy of nodes with a Star or Hub-n-Spoke topology. Configuration of the Hub and binding of the Spoke to the Hub are required, as is interaction over the NHRP protocol to form data-plane connectivity. As a result, making changes on the Hub is considerably harder, for example when changing/connecting new WAN channels or changing the parameters of existing ones.
  • In SD-WAN it is a fully dynamic model for discovering the parameters of the tunnels being established, based on the control plane (the OMP protocol) and the orchestration plane (interaction with the vBond controller for controller discovery and NAT traversal tasks). Any topology can be used on top of this, including hierarchical ones. Within the established overlay tunnel topology, flexible configuration of the logical topology in each individual VPN (VRF) is possible.

Control plane: the functions of exchanging, filtering and modifying routing and other information between the components of the solution.

  • In DMVPN/PfR it is carried out only between Hub and Spoke routers. Direct exchange of routing information between Spokes is not possible. As a result, without a working Hub the control plane and data plane cannot function, which places additional high-availability requirements on the Hub that cannot always be met.
  • In SD-WAN the control plane is never run directly between routers: interaction takes place over the OMP protocol and must go through a separate, dedicated type of controller, vSmart, which makes load balancing, geo-redundancy and centralized control of the signaling load possible. Another feature of the OMP protocol is its considerable resilience to loss and its independence from the speed of the communication channel to the controllers (within reasonable limits, of course). This makes it equally feasible to place SD-WAN controllers in public or private clouds with access over the Internet.

Policy plane: the part of the solution responsible for defining, distributing and applying traffic-management policies on the distributed network.

  • DMVPN: effectively limited to quality of service (QoS) policies configured individually on each router via the CLI or Prime Infrastructure templates.
  • DMVPN/PfR: PfR policies are created on a centralized Master Controller (MC) router via the CLI and then distributed automatically to the branch MCs. The same policy transfer paths are used as for the data plane. There is no way to separate the exchange of policies, routing information and user data. Policy distribution requires IP connectivity between Hub and Spoke. The MC function can, if necessary, be combined with the DMVPN router. It is possible (but not required) to use Prime Infrastructure templates for centralized policy generation. An important feature is that a policy is formed globally across the network in a single way: individual policies for individual segments are not supported.
  • SD-WAN: traffic-management and quality-of-service policies are defined centrally through the Cisco vManage graphical interface, which can also be accessed over the Internet (if necessary). They are distributed over the signaling channels directly or indirectly via the vSmart controllers (depending on the policy type). They do not depend on data-plane connectivity between routers, because they use all available traffic paths between the controller and the router.

    For different network segments, different policies can be flexibly defined: the scope of a policy is determined by the many unique identifiers provided in the solution, such as branch number, application type, traffic direction and so on.

Orchestration plane: the mechanisms that allow components to dynamically discover one another, and to configure and coordinate their subsequent interaction.

  • In DMVPN/PfR, mutual discovery between routers relies on static configuration of the Hub devices and the corresponding configuration of the Spoke devices. Dynamic discovery happens only for the Spoke, which reports its connection parameters to the Hub, which in turn has been pre-configured on the Spoke. Without IP connectivity between a Spoke and at least one Hub, neither a data plane nor a control plane can be formed.
  • In SD-WAN, orchestration of the solution's components takes place using the vBond controller, with which every component (routers and the vManage/vSmart controllers) must first establish IP connectivity.

    Initially the components know nothing about each other's connection parameters; for that they need the vBond orchestrator as an intermediary. The general principle is as follows: in the initial phase each component learns (automatically or statically) only the connection parameters for vBond, then vBond informs the router about the vManage and vSmart controllers (discovered earlier), which makes it possible to automatically establish all the required signaling connections.

    The next step is for the new router to learn about the other routers on the network through OMP exchange with the vSmart controller. Thus a router that initially knows nothing at all about the network parameters is able to discover and connect to the controllers fully automatically, and then just as automatically discover and form connectivity with the other routers. The connection parameters of all components are initially unknown and may change during operation.

Management plane: the part of the solution that provides centralized management and monitoring.

  • DMVPN/PfR: no dedicated management-plane solution is provided. For basic automation and monitoring, products such as Cisco Prime Infrastructure can be used. Each router can be managed via the CLI command line. Integration with external systems via API is not provided.
  • SD-WAN: all routine interaction and monitoring is done centrally through the graphical interface of the vManage controller. All features of the solution, without exception, are available for configuration through vManage as well as through a full REST API library.

    All SD-WAN network settings in vManage come down to two main constructs: building device templates (Device Template) and building a policy that defines the logic of network operation and traffic handling. vManage, in distributing the policy created by the administrator, automatically determines which changes need to be made and on which individual devices/controllers, which significantly increases the efficiency and scalability of the solution.

    Through the vManage interface, not only is configuration of the Cisco SD-WAN solution available, but also full monitoring of the status of all components of the solution, down to the current state of the metrics for individual tunnels and statistics on the use of various applications based on DPI analysis.

    Despite the centralization of interaction, all components (controllers and routers) also have a fully functional CLI command line, which is needed at the deployment stage or in an emergency for local diagnostics. In normal mode (when there is a signaling channel between the components), the command line on the routers is available only for diagnostics and not for making local changes, which guarantees local security and means that the only source of changes in such a network is vManage.

Integrated security: here we are talking not only about protecting user data when it is transmitted over open channels, but also about the overall security of the WAN based on the chosen technology.

  • In DMVPN/PfR it is possible to encrypt user data and signaling protocols. On certain router models, firewall functions with traffic inspection and IPS/IDS are additionally available. Branch networks can be segmented using VRF. Authentication (single-factor) of the protocols is possible.

    In this case a remote router is treated by default as a trusted element of the network, i.e. cases of physical compromise of individual devices and the possibility of unauthorized access to them are not assumed or taken into account; there is no two-factor authentication of the solution's components, which in a geographically distributed network can carry significant additional risks.

  • In SD-WAN, by analogy with DMVPN, the ability to encrypt user data is provided, but with considerably expanded network security and L3/VRF segmentation functions (firewall, IPS/IDS, URL filtering, DNS filtering, AMP/TG, SASE, TLS/SSL proxy, etc.). At the same time, encryption keys are exchanged more efficiently through the vSmart controllers (rather than directly), over pre-established signaling channels protected by DTLS/TLS encryption based on security certificates. This in turn guarantees the security of such exchanges and gives the solution better scalability, up to tens of thousands of devices on a single network.

    All signaling connections (controller-to-controller, controller-to-router) are likewise protected with DTLS/TLS. Routers are equipped with security certificates at manufacture, with the possibility of replacing/renewing them. Two-factor authentication is achieved through the mandatory and simultaneous fulfilment of two conditions for a router/controller to operate in an SD-WAN network:

    • A valid security certificate
    • Explicit and deliberate inclusion by the administrator of each component in the "white" list of allowed devices.

Functional differences between SD-WAN and DMVPN/PfR

Moving on to functional differences, it should be noted that many of them are a continuation of the architectural ones: it is no secret that when the architecture of a solution is designed, the developers start from the capabilities they want to end up with. Let us look at the most significant differences between the two technologies.

AppQ (Application Quality): functions for ensuring the quality of business application traffic delivery

The key functions of the technologies under consideration aim to improve the user experience as much as possible when using business-critical applications on a distributed network. This is especially important where part of the infrastructure is not controlled by IT or does not guarantee successful data transfer at all.

DMVPN by itself does not provide such mechanisms. The best that can be done in a classic DMVPN network is to classify traffic by application and prioritize it when it is sent towards the WAN channel. The choice of DMVPN tunnel in this case is determined only by its availability and the result of the routing protocols. The end-to-end state of the path/tunnel and its possible partial degradation in terms of the key metrics that matter to network applications, namely latency, latency variation (jitter) and loss (%), are not taken into account. In this respect, a direct comparison of classic DMVPN with SD-WAN in terms of solving AppQ problems loses all meaning: DMVPN cannot solve this problem. When Cisco Performance Routing (PfR) technology is added to the picture, the situation changes and a comparison with Cisco SD-WAN becomes more meaningful.

Before discussing the differences, here is a quick look at what the technologies have in common. Both technologies:

  • have a mechanism that lets you dynamically assess the state of each established tunnel in terms of certain metrics: at a minimum, latency, latency variation and packet loss (%)
  • use a specific set of tools to create, distribute and apply traffic-management rules (policies) that take into account the results of measuring the key tunnel metrics.
  • classify application traffic at the L3-L4 levels (DSCP) of the OSI model or by L7 application signatures based on the DPI mechanisms built into the router.
  • for critical applications, let you define acceptable threshold values for the metrics, rules for forwarding traffic by default, and rules for rerouting traffic when the threshold values are exceeded.
  • when encapsulating traffic in GRE/IPSec, use the already established industry mechanism of copying the inner DSCP markings into the outer GRE/IPSec packet header, which makes it possible to align the QoS policies of the organization and the telecom operator (if there is an appropriate SLA).

How do end-to-end metrics measurement in SD-WAN and DMVPN/PfR differ?

DMVPN/PfR

  • Both passive and active software sensors (probes) are used to evaluate the standard tunnel health metrics. One kind works from user traffic, the other emulates such traffic (when it is absent).
  • There is no fine-tuning of timers or degradation-detection conditions: the algorithm is fixed.
  • In addition, the bandwidth used in the outbound direction can be measured. This adds extra traffic-management flexibility to DMVPN/PfR.
  • At the same time, some PfR mechanisms, when metrics are exceeded, rely on feedback signaling in the form of special TCA (Threshold Crossing Alert) messages that must travel from the traffic receiver towards the source, which in turn assumes that the state of the measured channels is at least good enough to carry such TCA messages. In most cases this is not a problem, but it obviously cannot be guaranteed.

SD-WAN

  • For end-to-end evaluation of the standard tunnel state metrics, the BFD protocol in echo mode is used. In this case no special feedback in the form of TCA or similar messages is required, so failure-domain isolation is preserved. The presence of user traffic is also not required to evaluate the state of a tunnel.
  • BFD timers can be tuned to adjust the reaction speed and sensitivity of the algorithm to degradation of a communication channel, from several seconds to minutes.

  • At the time of writing, there is only one BFD session per tunnel. This can potentially give less granularity in tunnel state analysis. In practice, this can become a limitation only if you use a WAN connection based on MPLS L2/L3 VPN with an agreed QoS SLA: if the DSCP marking of BFD traffic (after encapsulation in IPSec/GRE) corresponds to a high-priority queue in the telecom operator's network, this can affect the accuracy and speed of degradation detection for low-priority traffic. The default BFD marking can be changed to reduce the risk of such situations. In future versions of Cisco SD-WAN software, finer BFD settings are expected, as well as the ability to run multiple BFD sessions within a single tunnel with individual DSCP values (for different applications).
  • BFD additionally lets you estimate the maximum packet size that can be sent through a particular tunnel without fragmentation. This allows SD-WAN to dynamically adjust parameters such as MTU and TCP MSS Adjust to make the most of the available bandwidth on each link.
  • In SD-WAN, the option of aligning QoS with telecom operators is also available, based not only on L3 DSCP fields but also on L2 CoS values, which can be generated automatically in the branch network by specialized devices, for example IP phones.

How do the capabilities and the ways of defining and applying AppQ policies differ?

DMVPN/PfR policies:

  • Are defined on the central branch router(s) via the CLI command line or CLI configuration templates. Creating CLI templates requires preparation and knowledge of the policy syntax.

  • Are defined globally, with no possibility of individual configuration/adjustment to the requirements of individual network segments.
  • Interactive policy creation in a graphical interface is not provided.
  • Change tracking, inheritance and creation of multiple policy versions for quick switching are not provided.
  • Are distributed automatically to the routers of remote branches. The same communication channels are used as for carrying user data. If there is no communication channel between the central and a remote branch, distributing/changing policies is impossible.
  • Are applied on each router and, where necessary, modify the result of the standard routing protocols, taking higher priority.
  • For cases where all of a branch's WAN links experience significant traffic loss, no compensation mechanisms are provided.

SD-WAN policies:

  • Are defined in the vManage GUI through an interactive template wizard.
  • Support creating multiple policies, copying, inheritance, and switching between policies in real time.
  • Support individual policy settings for different network segments (branches).
  • Are distributed using any available signaling channel between the controller and the router and/or vSmart; they do not depend directly on data-plane connectivity between routers. This, of course, requires IP connectivity between the router itself and the controllers.

  • For cases where all of a branch's available channels experience data loss exceeding the acceptable thresholds for critical applications, additional mechanisms that increase transmission reliability can be used:
    • FEC (Forward Error Correction): uses a special redundant coding algorithm. When critical traffic is sent over channels with a significant percentage of loss, FEC can be enabled automatically and makes it possible, where necessary, to recover the lost part of the data. This slightly increases the bandwidth used but significantly improves reliability.

    • Data stream duplication: in addition to FEC, a policy can provide for automatic duplication of the traffic of selected applications in the event of an even more serious level of loss that FEC cannot compensate for. In this case the selected data is transmitted over all tunnels towards the receiving branch, with subsequent de-duplication (discarding of the extra copies of packets). The mechanism significantly increases channel utilization, but also significantly increases transmission reliability.
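
The escalation described in the list above (forward on a tunnel that meets the application's thresholds, turn on FEC when none does, duplicate across all tunnels when loss exceeds what FEC can cover) can be modelled as follows. This is an added example, not Cisco code and not part of the original article; the threshold values, field names, function names and the independent-loss estimate are assumptions.

```python
"""Simplified model of per-application path selection with FEC/duplication
escalation. Thresholds, names and sample values are assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TunnelStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class AppSla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    fec_loss_ceiling_pct: float  # assumed loss level FEC can still compensate


def measure(name: str, rtts_ms: Sequence[Optional[float]]) -> TunnelStats:
    """Summarise one interval of echo probes; None marks a probe with no reply."""
    if not rtts_ms:
        raise ValueError("no probes sent in this interval")
    replies = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(replies)) / len(rtts_ms)
    if not replies:
        return TunnelStats(name, float("inf"), float("inf"), 100.0)
    # Jitter is taken as the mean absolute difference of consecutive replies.
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return TunnelStats(name, mean(replies), mean(deltas) if deltas else 0.0, loss)


def _within(t: TunnelStats, sla: AppSla, loss_limit: float) -> bool:
    return (t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms
            and t.loss_pct <= loss_limit)


def _best(tunnels: Sequence[TunnelStats]) -> TunnelStats:
    # Prefer the lowest loss, then the lowest latency.
    return min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms))


def combined_loss_pct(tunnels: Sequence[TunnelStats]) -> float:
    """Residual loss if every packet is copied onto all given tunnels.
    Assumes loss on the tunnels is independent; a shared last mile breaks this."""
    p = 1.0
    for t in tunnels:
        p *= t.loss_pct / 100.0
    return 100.0 * p


def decide(tunnels: Sequence[TunnelStats], sla: AppSla) -> Tuple[str, List[str]]:
    """Return (action, tunnel names) for one application class."""
    compliant = [t for t in tunnels if _within(t, sla, sla.max_loss_pct)]
    if compliant:
        return "forward", [_best(compliant).name]
    # No tunnel meets the loss threshold: accept more loss and rely on FEC.
    recoverable = [t for t in tunnels if _within(t, sla, sla.fec_loss_ceiling_pct)]
    if recoverable:
        return "forward+fec", [_best(recoverable).name]
    # Beyond what FEC is assumed to cover: copy traffic onto every live tunnel.
    alive = [t for t in tunnels if t.loss_pct < 100.0]
    if len(alive) >= 2:
        return "duplicate", sorted(t.name for t in alive)
    if alive:
        return "best-effort", [alive[0].name]
    return "unreachable", []


# Constructed sample values for a voice-like application class.
VOICE = AppSla(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0,
               fec_loss_ceiling_pct=5.0)

if __name__ == "__main__":
    healthy = [TunnelStats("mpls", 20, 2, 0.0), TunnelStats("inet", 45, 5, 0.5)]
    lossy = [TunnelStats("mpls", 20, 2, 3.0), TunnelStats("inet", 45, 5, 8.0)]
    bad = [TunnelStats("mpls", 20, 2, 10.0), TunnelStats("inet", 45, 5, 8.0)]
    for label, state in (("healthy", healthy), ("lossy", lossy), ("bad", bad)):
        print(label, decide(state, VOICE))
    print("residual loss with duplication: %.2f%%" % combined_loss_pct(bad))
```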

Cisco SD-WAN capabilities with no direct analogues in DMVPN/PfR

The architecture of the Cisco SD-WAN solution in some cases lets you obtain capabilities that are either extremely difficult to implement within DMVPN/PfR, or impractical because of the effort required, or impossible altogether. Let us look at the most interesting of them:

Traffic Engineering (TE)

TE includes mechanisms that allow traffic to be diverted from the standard path formed by the routing protocols. TE is often used to ensure high availability of network services, through the ability to quickly and/or proactively move critical traffic to an alternative (disjoint) transmission path, in order to ensure better quality of service or faster recovery in the event of a failure on the main path.

The difficulty of implementing TE lies in the need to compute and reserve (verify) the alternative path in advance. In telecom operators' MPLS networks, this problem is solved using technologies such as MPLS Traffic-Engineering with extensions to the IGP protocols and the RSVP protocol. More recently, Segment Routing technology, which is better optimized for centralized configuration and orchestration, has also become increasingly popular. In classic WANs, these technologies are usually either not represented or are reduced to the use of hop-by-hop mechanisms such as Policy-Based Routing (PBR), which are able to divert traffic but implement this on each router separately, without taking into account the overall state of the network or the result of PBR at previous or subsequent hops. The outcome of using these TE options is telling: MPLS TE, because of its configuration and operational complexity, is used, as a rule, only in the most critical part of the network (the core), while PBR is used on individual routers without the ability to create a unified PBR policy for the whole network. Obviously, this also applies to DMVPN-based networks.

SD-WAN in this respect offers a much more elegant solution that is not only easy to configure but also scales much better. This is a result of the control-plane and policy-plane architectures used. The implementation of the policy plane in SD-WAN lets you define a TE policy centrally: which traffic is of interest? For which VPNs? Through which nodes/tunnels is it necessary, or conversely forbidden, to build the alternative route? In turn, centralized control-plane management based on vSmart controllers lets you change the routing results without touching the settings of individual devices: the routers already see only the result of the logic that was created in the vManage interface and handed over to vSmart for application.

Service chaining

Building service chains is an even more labor-intensive task in classic routing than the Traffic-Engineering mechanism already described. In this case it is necessary not only to create a special route for a particular network application, but also to be able to pull traffic out of the network at certain (or all) nodes of the SD-WAN network for processing by a special application or service (firewall, load balancing, caching, traffic inspection, etc.). At the same time, it is necessary to be able to monitor the state of these external services in order to prevent black-holing, and mechanisms are needed that allow such external services of the same type to be placed in different geo-locations, with the network able to automatically select the most optimal service node for processing the traffic of a particular branch. In the case of Cisco SD-WAN, this is fairly easy to achieve by creating an appropriate centralized policy that "glues" all segments of the target service chain into a single whole and automatically changes the data-plane and control-plane logic only where and when it is needed.

The ability to build geo-distributed routing of the traffic of selected application types in a particular sequence through specialized equipment (not itself related to the SD-WAN network) is perhaps the clearest demonstration of the advantages of Cisco SD-WAN over classic technologies and even over some alternative SD-WAN solutions from other vendors.

What do we end up with?

Clearly, both DMVPN (with or without Performance Routing) and Cisco SD-WAN end up solving very similar problems for an organization's distributed WAN. At the same time, the significant architectural and functional differences in Cisco SD-WAN technology take the process of solving these problems to a different level of quality. To summarize, we can note the following major differences between SD-WAN and DMVPN/PfR technologies:

  • DMVPN/PfR generally use time-tested technologies for building overlay VPN networks and, in terms of the data plane, are similar to the more modern SD-WAN technology; however, there are a number of limitations in the form of mandatory static configuration of routers, and the choice of topologies is limited to Hub-n-Spoke. On the other hand, DMVPN/PfR has some functionality that is not yet available in SD-WAN (we are talking about per-application BFD).
  • In the control plane, the technologies differ fundamentally. Thanks to centralized processing of the signaling protocols, SD-WAN makes it possible, in particular, to significantly narrow failure domains and to "decouple" the process of forwarding user traffic from signaling interaction: temporary unavailability of the controllers does not affect the ability to forward user traffic. At the same time, temporary unavailability of any branch (including the central one) in no way affects the ability of the other branches to interact with one another and with the controllers.
  • The architecture for creating and applying traffic-management policies in the case of SD-WAN is also superior to that in DMVPN/PfR: geo-redundancy is implemented much better, there is no binding to the Hub, there are more options for fine-tuning policies, and the list of traffic-management scenarios that can be implemented is also much larger.
  • The orchestration process of the solutions also differs significantly. DMVPN assumes the presence of parameters known in advance that must somehow be reflected in the configuration, which somewhat limits the flexibility of the solution and the possibility of dynamic changes. SD-WAN, in turn, is based on the paradigm that at the initial moment of connection a router "knows nothing" about its controllers but knows "whom to ask"; this is enough not only to automatically establish communication with the controllers, but also to automatically form a fully connected data-plane topology, which can then be flexibly configured/changed using policies.
  • In terms of centralized management, automation and monitoring, SD-WAN is expected to exceed the capabilities of DMVPN/PfR, which evolved from classic technologies and rely more on the CLI command line and the use of template-based NMS systems.
  • In SD-WAN, compared with DMVPN, security requirements have reached a different level of quality. The main principles are zero trust, scalability and two-factor authentication.

These simple conclusions may give the false impression that building a network based on DMVPN/PfR has lost all relevance today. That is of course not the case. For example, in cases where the network uses a lot of legacy equipment and there is no way to replace it, DMVPN can let you combine "old" and "new" devices into a single geo-distributed network with many of the advantages described above.

On the other hand, it should be remembered that all current Cisco enterprise routers based on IOS XE (ISR 1000, ISR 4000, ASR 1000, CSR 1000v) today support any mode of operation, classic routing as well as DMVPN and SD-WAN; the choice is determined by current needs and the understanding that at any moment, using the same equipment, you can start moving towards a more advanced technology.

Source: www.habr.com