Tare da taimakon wannan sihirin guntun rubutun Cisco ACI, zaku iya saita hanyar sadarwa da sauri.
Masana'antar cibiyar sadarwa don cibiyar bayanan Cisco ACI ta wanzu tsawon shekaru biyar, amma Habré bai faɗi komai game da shi ba, don haka na yanke shawarar gyara shi kaɗan. Zan gaya muku daga gwaninta abin da yake, menene amfanin sa da kuma inda yake da rake.
Menene shi kuma daga ina ya fito?
A lokacin da aka sanar da ACI (Aikace-aikacen Centric Infrastructure) a cikin 2013, masu fafatawa suna ci gaba a kan hanyoyin gargajiya zuwa cibiyoyin sadarwar bayanai daga bangarori uku a lokaci daya.
A gefe guda, "ƙarni na farko" SDN mafita dangane da OpenFlow yayi alƙawarin sanya hanyoyin sadarwa su zama masu sassauƙa da rahusa a lokaci guda. Manufar ita ce a matsar da shawarar da aka saba yi ta hanyar software ta sauya sheka zuwa mai sarrafawa ta tsakiya.
Wannan mai sarrafawa zai sami hangen nesa guda ɗaya na duk abin da ke faruwa kuma, bisa ga wannan, zai tsara kayan aikin duk masu sauyawa a matakin ƙa'idodi don sarrafa takamaiman kwararar ruwa.
A gefe guda, mafita na cibiyar sadarwa mai rufi ya ba da damar aiwatar da mahimman hanyoyin haɗin kai da manufofin tsaro ba tare da wani canje-canje a cikin hanyar sadarwa ta zahiri ba kwata-kwata, gina ramukan software tsakanin runduna masu ƙima. Misalin da aka fi sani da wannan tsarin shine Nicira, wanda a lokacin VMWare ya riga ya saya akan dala biliyan 1,26 kuma ya haifar da VMWare NSX na yanzu. An kara da cewa lamarin ya kara da cewa wadanda suka kafa Nicira su ne mutanen da a baya suka tsaya a asalin OpenFlow, yanzu suna cewa don gina masana'antar cibiyar bayanai. .
Kuma a ƙarshe, canza kwakwalwan kwamfuta da ake samu a kasuwannin buɗe ido (abin da ake kira siliki mai ciniki) sun kai matakin balaga inda suka zama babbar barazana ga masana'antun canjin gargajiya. Idan a baya kowane mai siyar da kansa ya haɓaka kwakwalwan kwamfuta don masu sauyawa, to bayan lokaci, kwakwalwan kwamfuta daga masana'antun ɓangare na uku, da farko daga Broadcom, sun fara rage nisa tare da kwakwalwan kwamfuta na dillali dangane da ayyuka, kuma sun zarce su cikin ƙimar farashi / aiki. Saboda haka, mutane da yawa sun gaskata cewa an ƙidaya kwanakin kunna kwakwalwan kwamfuta na ƙirar kansu.
ACI ta zama "amsar asymmetric" ta Cisco (mafi dai dai, kamfanin Insieme, wanda tsoffin ma'aikatansa suka kafa) ga duk abubuwan da ke sama.
Menene bambanci tare da OpenFlow?
Dangane da rarraba ayyuka, ACI shine ainihin kishiyar OpenFlow.
A cikin gine-ginen OpenFlow, mai sarrafawa yana da alhakin rubuta cikakkun dokoki (gudanarwa)
a cikin kayan aiki na duk masu sauyawa, wato, a cikin babbar hanyar sadarwa, yana iya zama alhakin kiyayewa kuma, mafi mahimmanci, canza dubun-dubatar bayanai a ɗaruruwan maki a cikin hanyar sadarwa, don haka aikinta da amincinsa ya zama ƙwanƙwasa. babban aiwatarwa.
ACI yana amfani da tsarin baya: ba shakka, akwai kuma mai sarrafawa, amma masu sauyawa suna karɓar manyan manufofin bayyanawa daga gare ta, kuma mai sauya kanta yana aiwatar da fassarar su cikin cikakkun bayanai na takamaiman saiti a cikin kayan aikin. Ana iya sake kunna mai sarrafawa ko kashe gaba ɗaya, kuma babu wani mummunan abu da zai faru da hanyar sadarwar, sai dai, ba shakka, rashin kulawa a wannan lokacin. Abin sha'awa, akwai yanayi a cikin ACI wanda har yanzu ana amfani da OpenFlow, amma a cikin gida a cikin mai watsa shirye-shiryen Buɗe vSwitch.
An gina ACI gabaɗaya akan sufuri mai rufi na tushen VXLAN, amma ya haɗa da jigilar IP na asali azaman ɓangare na mafita guda ɗaya. Cisco ya kira wannan kalmar "haɗe-haɗe mai rufi". A matsayin maƙasudin ƙarewa don overlays a cikin ACI, a mafi yawan lokuta, ana amfani da maɓallan masana'anta (suna yin haka a saurin haɗin gwiwa). Ba a buƙatar masu watsa shiri don sanin wani abu game da masana'anta, ɗaukar hoto, da sauransu, duk da haka, a wasu lokuta (misali, don haɗa rundunonin OpenStack), ana iya kawo musu zirga-zirgar VXLAN.
Ana amfani da overlays a cikin ACI ba kawai don samar da haɗin kai mai sauƙi ta hanyar hanyar sadarwar sufuri ba, har ma don canja wurin bayanai (ana amfani da shi, misali, don amfani da manufofin tsaro).
Chips daga Broadcom Cisco yayi amfani da su a baya a cikin jerin masu sauyawa na Nexus 3000. A cikin dangin Nexus 9000, musamman da aka saki don tallafawa ACI, an fara aiwatar da samfurin matasan, wanda ake kira Merchant +. Canjin a lokaci guda ya yi amfani da sabon guntu na Broadcom Trident 2 da kuma guntu na gaba wanda Cisco ya haɓaka, wanda ke aiwatar da duk sihirin ACI. A bayyane yake, wannan ya sa ya yiwu a hanzarta sakin samfurin kuma rage alamar farashin canji zuwa matakin kusa da samfurori kawai bisa Trident 2. Wannan hanya ta isa ga farkon shekaru biyu ko uku na isar da ACI. A wannan lokacin, Cisco ya haɓaka kuma ya ƙaddamar da ƙarni na gaba Nexus 9000 akan kwakwalwan kansa tare da ƙarin aiki da saiti, amma a daidai matakin farashin. Bayani dalla-dalla na waje dangane da hulɗar a cikin masana'anta an kiyaye su gaba ɗaya. A lokaci guda, cikawar ciki ya canza gaba ɗaya: wani abu kamar refactoring, amma ga baƙin ƙarfe.
Yadda Cisco ACI Architecture ke Aiki
A cikin mafi sauƙi, ACI an gina shi a kan topology na cibiyar sadarwar Klose, ko, kamar yadda sukan ce, Spine-Leaf. Maɓallin matakin kashin baya na iya zama daga biyu (ko ɗaya, idan ba mu damu da haƙurin kuskure ba) zuwa shida. Dangane da haka, yawancin su, mafi girman haƙurin kuskure (ƙananan bandwidth da raguwar dogaro a yanayin haɗari ko kiyaye Spine ɗaya) da kuma aikin gabaɗaya. Duk hanyoyin haɗin waje suna zuwa madaidaicin matakin ganye: waɗannan sabobin ne, da docking tare da cibiyoyin sadarwa na waje ta L2 ko L3, da haɗa masu sarrafa APIC. Gabaɗaya, tare da ACI, ba kawai daidaitawa ba, har ma da tarin ƙididdiga, saka idanu na gazawa, da sauransu - duk abin da aka yi ta hanyar keɓancewar masu sarrafawa, wanda akwai uku a cikin daidaitattun aiwatarwa.
Ba lallai ne ku taɓa haɗawa da na'urori tare da na'ura wasan bidiyo ba, har ma don fara cibiyar sadarwar: mai sarrafa kansa yana gano masu sauyawa kuma yana tattara masana'anta daga gare su, gami da saitunan duk ka'idojin sabis, don haka, ta hanya, yana da matukar mahimmanci. rubuta jerin lambobi na kayan aikin da ake sanyawa yayin shigarwa, ta yadda daga baya ba za ku yi tunanin wane maɓalli ne a cikin rak ɗin ba. Don magance matsala, idan ya cancanta, zaku iya haɗawa zuwa masu sauyawa ta hanyar SSH: suna sake yin umarni na nunin Cisco na yau da kullun a hankali.
A ciki, masana'anta suna amfani da jigilar IP, don haka babu Bishiyar Tsaya da sauran abubuwan ban tsoro da suka gabata a ciki: duk hanyoyin haɗin gwiwa suna da hannu, kuma haɗuwa idan akwai gazawa yana da sauri. Ana watsa zirga-zirga a cikin masana'anta ta hanyar rami bisa VXLAN. Daidai daidai, Cisco kanta yana kiran iVXLAN encapsulation, kuma ya bambanta da VXLAN na yau da kullum a cikin cewa ana amfani da filayen da aka tanada a cikin taken cibiyar sadarwa don watsa bayanan sabis, da farko game da dangantakar zirga-zirga zuwa ƙungiyar EPG. Wannan yana ba ku damar aiwatar da ƙa'idodin hulɗar tsakanin ƙungiyoyi a cikin kayan aiki, ta yin amfani da lambobin su kamar yadda ake amfani da adireshi a cikin jerin hanyoyin shiga na yau da kullun.
Tunnels suna ba da damar duka sassan L2 da sassan L3 (watau VRF) don shimfiɗa ta cikin jigilar IP na ciki. A wannan yanayin, ana rarraba ƙofa ta asali. Wannan yana nufin cewa kowane canji yana da alhakin tafiyar da zirga-zirgar da ke shiga masana'anta. Dangane da dabarun tafiyar zirga-zirga, ACI yayi kama da masana'anta VXLAN/EVPN.
Idan haka ne, menene bambancin? Komai sauran!
Bambancin lamba ɗaya da kuke ci karo da ACI shine yadda ake haɗa sabobin zuwa cibiyar sadarwa. A cikin cibiyoyin sadarwa na al'ada, haɗa nau'ikan sabobin jiki da na'urori masu kama da juna suna zuwa VLANs, kuma komai yana rawa daga gare su: haɗin kai, tsaro, da sauransu. babu inda za a tafi. Ko yana yiwuwa a daidaita shi zuwa VLAN? Ee, amma a wannan yanayin akwai damar da za a rasa yawancin abin da ACI ke bayarwa.
Game da EPG, an tsara duk ka'idodin samun dama, kuma a cikin ACI, ana amfani da ka'idar "jerin farar fata" ta tsohuwa, wato, kawai zirga-zirgar zirga-zirgar ababen hawa ne kawai aka ba da izini, wanda aka ba da izini a sarari. Wato, za mu iya ƙirƙirar ƙungiyoyin EPG na "Web" da "MySQL" da kuma ayyana ƙa'idar da ke ba da damar sadarwa a tsakanin su kawai akan tashar jiragen ruwa 3306. Wannan zai yi aiki ba tare da an ɗaure shi da adiresoshin cibiyar sadarwa ba har ma a cikin subnet guda ɗaya!
Muna da abokan ciniki waɗanda suka zaɓi ACI daidai saboda wannan fasalin, tunda yana ba ku damar hana shiga tsakanin sabobin (na zahiri ko na zahiri - ba komai) ba tare da jawo su tsakanin ƙananan bayanai ba, wanda ke nufin ba tare da taɓa adireshin ba. Ee, eh, mun san cewa babu wanda ya rubuta adiresoshin IP a cikin saitunan aikace-aikacen da hannu, daidai?
Dokokin zirga-zirga a ACI ana kiran su kwangila. A cikin irin wannan kwangilar, ƙungiya ɗaya ko fiye ko matakai a cikin aikace-aikace masu yawa sun zama mai bada sabis (ce, sabis ɗin bayanai), wasu sun zama mabukaci. Kwangilar na iya wucewa kawai ta hanyar zirga-zirga, ko kuma tana iya yin wani abu mafi wayo, misali, kai tsaye zuwa ga bangon wuta ko ma'auni, sannan kuma canza ƙimar QoS.
Ta yaya sabobin ke shiga waɗannan rukunoni? Idan waɗannan na'urori ne na zahiri ko wani abu da aka haɗa a cikin hanyar sadarwa da ke akwai wanda muka ƙirƙiri akwati na VLAN, to don sanya su a cikin EPG, kuna buƙatar nuna tashar tashar sauyawa da VLAN da aka yi amfani da ita. Kamar yadda kake gani, VLANs suna bayyana inda ba za ka iya yi ba tare da su ba.
Idan sabobin na'urori ne masu kama-da-wane, to ya isa ya koma yanayin yanayin haɓakawa da aka haɗa, sannan duk abin da zai faru da kansa: za a ƙirƙiri rukunin tashar tashar jiragen ruwa (a cikin sharuddan VMWare) don haɗa VM, VLANs ko VXLANs masu dacewa zasu kasance. za a sanya su, za a yi rajistar su a kan madaidaicin mashigai masu sauyawa, da dai sauransu. Don haka, ko da yake an gina ACI a kusa da hanyar sadarwa ta jiki, haɗi don sabobin kama-da-wane ya fi sauƙi fiye da na jiki. ACI ya riga ya gina haɗin kai tare da VMWare da MS Hyper-V, da kuma tallafi don OpenStack da RedHat Virtualization. Daga wani lokaci zuwa gaba, ginanniyar tallafi don dandamali na kwantena shima ya bayyana: Kubernetes, OpenShift, Cloud Foundry, yayin da ya shafi duka aikace-aikacen manufofi da saka idanu, wato, mai gudanar da hanyar sadarwa na iya ganin waɗanne runduna waɗanda kwas ɗin ke aiki a kai. wane rukuni suke fada.
Baya ga shigar da su cikin rukunin tashar tashar jiragen ruwa, sabar masu kama-da-wane suna da ƙarin kaddarorin: suna, halaye, da sauransu, waɗanda za a iya amfani da su azaman ma'auni don canja wurin su zuwa wata ƙungiya, a ce, lokacin da aka canza sunan VM ko ƙarin tag ya bayyana a ciki. shi. Cisco ya kira wannan ƙananan ƙungiyoyi, kodayake, gabaɗaya, ƙirar kanta tare da ikon ƙirƙirar ɓangarori masu yawa na tsaro a cikin nau'ikan EPGs akan rukunin yanar gizo iri ɗaya shima ƙaramin yanki ne. To, mai sayarwa ya fi sani.
EPGs kansu gine-ginen ma'ana ne kawai, ba a ɗaure su da takamaiman maɓalli, sabobin, da sauransu, don haka zaku iya yin abubuwa tare da su kuma ku gina su (aikace-aikace da masu haya) waɗanda ke da wahala a yi a cikin cibiyoyin sadarwa na yau da kullun, kamar cloning. A sakamakon haka, bari mu ce yana da sauƙi a haɗa yanayin samarwa don samun yanayin gwaji wanda ke da tabbacin ya zama daidai da yanayin samarwa. Kuna iya yin shi da hannu, amma yana da kyau (kuma mafi sauƙi) ta hanyar API.
Gabaɗaya, dabarun sarrafawa a cikin ACI kwata-kwata baya kama da abin da kuka saba haduwa
a cikin cibiyoyin sadarwa na gargajiya daga Cisco guda ɗaya: ƙirar software shine na farko, kuma GUI ko CLI na biyu ne, tunda suna aiki ta API iri ɗaya. Saboda haka, kusan duk wanda ke da hannu a cikin ACI, bayan ɗan lokaci, ya fara kewaya samfurin abu da ake amfani da shi don gudanarwa da sarrafa wani abu don dacewa da bukatun su. Hanya mafi sauƙi don yin wannan ita ce daga Python: akwai ingantattun kayan aikin da aka yi mata.
Rake alkawari
Babban matsalar ita ce abubuwa da yawa a cikin ACI ana yin su daban. Don fara aiki tare da shi kullum, kuna buƙatar sake horarwa. Wannan gaskiya ne musamman ga ƙungiyoyin ayyukan cibiyar sadarwa a cikin manyan abokan ciniki, inda injiniyoyi ke “bayyanar da VLANs” tsawon shekaru akan buƙata. Gaskiyar cewa yanzu VLANs ba VLANs ba ne, kuma ba kwa buƙatar ƙirƙirar VLANs da hannu don sanya sabbin hanyoyin sadarwa cikin runduna masu ƙima, gabaɗaya ta buge rufin daga masu sadarwar gargajiya kuma yana sa su manne da hanyoyin da suka saba. Ya kamata a lura cewa Cisco yayi ƙoƙari ya ɗanɗana kwaya kadan kuma ya kara da "NXOS-like" CLI zuwa mai sarrafawa, wanda ke ba ku damar yin tsari daga ƙirar mai kama da na gargajiya. Amma har yanzu, don fara amfani da ACI kullum, dole ne ku fahimci yadda yake aiki.
Dangane da farashi, a kan manyan ma'auni da matsakaici, cibiyoyin sadarwa na ACI ba su bambanta a zahiri daga hanyoyin sadarwa na gargajiya akan kayan aikin Cisco ba, tunda ana amfani da maɓalli iri ɗaya don gina su (Nexus 9000 na iya aiki a cikin ACI kuma a cikin yanayin gargajiya kuma yanzu sun zama babban mahimmanci. "horse" don sababbin ayyukan cibiyar bayanai). Amma ga cibiyoyin bayanai na masu sauyawa guda biyu, kasancewar masu sarrafawa da tsarin gine-gine na Spine-Leaf, ba shakka, suna jin kansu. Kwanan nan, wata masana'anta ta Mini ACI ta bayyana, wanda aka maye gurbin biyu daga cikin masu sarrafa guda uku da injina. Wannan yana rage bambancin farashi, amma har yanzu ya kasance. Don haka ga abokin ciniki, zaɓin yana yin la'akari da yadda yake sha'awar fasalulluka na tsaro, haɗin kai tare da haɓakawa, yanki ɗaya na sarrafawa, da sauransu.
source: www.habr.com