If you look at the configuration of any firewall, you will most likely see a long sheet with piles of IP addresses, ports, protocols and rules. This is how network security policy for user access to resources is usually implemented. At first people try to keep the configuration tidy, but then employees start moving from department to department, servers multiply and change roles, access to various services appears where it is normally not allowed, and hundreds of undocumented shortcuts emerge.
Next to some rules, if you are lucky, there is a comment: "Vasya asked me to do this" or "This is the segment to the DMZ." The network administrator quits, and everything becomes uncertain. Then someone decides to delete Vasya's rule, and SAP goes down, because Vasya once requested that access for running SAP in production.
Today I will talk about the VMware NSX solution, which helps to implement network connectivity and security policies properly, without chaos in the firewall settings. I will show you the new features that have appeared compared to what VMware had before in this area.
VMware NSX is a virtualization and security platform for network services. NSX handles routing, switching, load balancing and firewalling, and can do many other interesting things.
NSX is the successor of VMware's vCloud Networking and Security (vCNS) product and of the acquired Nicira NVP.
From vCNS to NSX
Previously, a client in a cloud built on VMware vCloud had a separate vCNS vShield Edge virtual appliance. It acted as the perimeter gateway, where many network services could be configured: NAT, DHCP, firewall, VPN, load balancer and so on. Traffic protection came down to the firewall and NAT. Inside the network, virtual machines communicated with each other freely within their subnets. If you really wanted to segment and filter traffic, you could create a separate network for each part of an application (its virtual machines) and set the appropriate rules for their interaction in the firewall. But this is long, tedious and uninteresting, especially when you have many virtual machines.
In NSX, VMware implemented the concept of microsegmentation using a distributed firewall built into the hypervisor kernel. It defines security and network connectivity policies not only for IP and MAC addresses, but also for other objects: virtual machines, applications. If NSX is deployed inside an organization, these objects can also be a user or a group of users from Active Directory. Each such object becomes a microsegment within the security perimeter, in the required group, with its own cozy DMZ :).
Previously there was only one security perimeter for the whole resource pool, protected by the edge gateway; with NSX you can protect a virtual machine from unwanted interactions even within the same network.
Security and connectivity policies are preserved when an object moves to a different network. For example, if we move a database server VM to another network segment, or even to another associated virtual data center, the rules written for that machine continue to work regardless of its new location. The application server will still be able to communicate with the database.
The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the familiar features of the old Edge, plus some useful new ones. We will talk about them further on.
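The difference between rules keyed to an IP address and rules keyed to an object (VM, security group) is the whole point of the paragraph above. The following is an added example, not VMware or NSX code: a toy policy evaluator in which rules reference security groups and the IP-to-VM mapping is resolved at evaluation time. All VM names, groups, addresses and ports below are constructed for the demonstration; the "classic" IP-based rule set is shown alongside so the behaviour after a VM changes segment can be compared.

```python
"""Toy model of identity-based (microsegmentation) firewall policy.

Added example, not VMware code. Rules keyed to VM identity keep working
after a VM changes IP or segment; rules keyed to raw IP addresses stop
matching. Every name and address here is constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Vm:
    name: str
    ip: str
    groups: set = field(default_factory=set)   # security groups the VM belongs to


@dataclass
class Rule:
    src_group: str      # group the source VM must belong to
    dst_group: str      # group the destination VM must belong to
    port: int
    action: str         # "allow" or "deny"


class Inventory:
    """Current IP -> VM mapping; this is what the distributed firewall consults."""

    def __init__(self, vms):
        self.vms = {vm.name: vm for vm in vms}

    def by_ip(self, ip):
        return next((vm for vm in self.vms.values() if vm.ip == ip), None)

    def move(self, name, new_ip):
        self.vms[name].ip = new_ip      # VM re-addressed in another segment


def evaluate_identity(inv, rules, src_ip, dst_ip, port):
    """Resolve IP -> VM -> groups at evaluation time, then match rules in order."""
    src, dst = inv.by_ip(src_ip), inv.by_ip(dst_ip)
    if src is None or dst is None:
        return "deny"                   # unknown endpoint: default deny
    for r in rules:
        if r.src_group in src.groups and r.dst_group in dst.groups and r.port == port:
            return r.action
    return "deny"


def evaluate_ip(ip_rules, src_ip, dst_ip, port):
    """Classic rule tuple: (src_cidr, dst_cidr, port, action), first match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, p, action in ip_rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net) and p == port:
            return action
    return "deny"


def demo():
    inv = Inventory([
        Vm("app-01", "10.0.1.10", {"app-tier"}),
        Vm("db-01", "10.0.1.20", {"db-tier"}),
        Vm("jump-01", "10.0.1.30", {"mgmt"}),     # same subnet as the DB, no rule for it
    ])
    rules = [Rule("app-tier", "db-tier", 5432, "allow")]
    ip_rules = [("10.0.1.10/32", "10.0.1.20/32", 5432, "allow")]

    before = (
        evaluate_identity(inv, rules, "10.0.1.10", "10.0.1.20", 5432),   # app -> db
        evaluate_ip(ip_rules, "10.0.1.10", "10.0.1.20", 5432),           # same, IP rule
        evaluate_identity(inv, rules, "10.0.1.30", "10.0.1.20", 5432),   # jump -> db, same L2 segment
    )
    inv.move("db-01", "10.0.2.20")    # DB moved to another segment
    after = (
        evaluate_identity(inv, rules, "10.0.1.10", "10.0.2.20", 5432),   # still allowed
        evaluate_ip(ip_rules, "10.0.1.10", "10.0.2.20", 5432),           # IP rule no longer matches
    )
    return before, after


if __name__ == "__main__":
    print(demo())   # (('allow', 'allow', 'deny'), ('allow', 'deny'))
```

The third check in `before` is the "same network" case from the text: the jump host shares the subnet with the database, yet it is denied because no group rule covers it. After the move, the identity rule still allows app to db while the IP rule silently breaks, which is exactly the kind of gap that tempts an admin into the catch-all rule the introduction complains about.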
What is new in NSX Edge?
NSX Edge functionality, section by section:
Firewall. As the objects to which rules apply, you can select IP addresses, networks, gateway interfaces and virtual machines.
DHCP. In addition to configuring the ranges of IP addresses that are handed out automatically to the virtual machines in a given network, NSX Edge now has the following functions: Binding and Relay.
In the Binding tab you can bind a virtual machine's MAC address to an IP address if that IP address must not change. The main thing is that this IP address is not included in the DHCP pool.
In the Relay tab you configure forwarding of DHCP messages to DHCP servers outside your organization in vCloud Director, including DHCP servers on physical infrastructure.
Routing. vShield Edge could only be configured with static routes. Dynamic routing with support for the OSPF and BGP protocols has appeared. ECMP (active-active) settings have also become available, which means active-active fault tolerance for users of the virtual network.
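The Binding caveat above (a bound address must stay outside the dynamic pool) is easy to get wrong by hand once there are dozens of bindings. Below is an added example, not NSX Edge code, that checks a set of MAC-to-IP bindings against the subnet and the pool ranges and also catches a MAC or IP bound twice. The subnet, pool ranges and bindings are constructed sample data.

```python
"""Check static DHCP bindings against the dynamic pool.

Added example, not NSX Edge code. A bound IP inside the pool can also be
leased dynamically to another VM, producing an address conflict. Returns a
list of problems; an empty list means the configuration is consistent.
"""
import ipaddress


def parse_range(text):
    """'10.0.1.100-10.0.1.200' -> (int, int) inclusive bounds of the pool."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if int(lo) > int(hi):
        raise ValueError(f"inverted range: {text}")
    return int(lo), int(hi)


def validate_bindings(subnet, pools, bindings):
    """subnet: CIDR string; pools: list of 'a-b' ranges; bindings: [(mac, ip), ...]."""
    net = ipaddress.ip_network(subnet)
    ranges = [parse_range(p) for p in pools]
    problems = []
    seen_mac, seen_ip = {}, {}
    for mac, ip in bindings:
        mac = mac.lower()                       # MAC comparison is case-insensitive
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{mac}: {ip} is outside {subnet}")
        if any(lo <= int(addr) <= hi for lo, hi in ranges):
            problems.append(f"{mac}: {ip} lies inside a dynamic pool")
        if mac in seen_mac:
            problems.append(f"{mac}: bound twice ({seen_mac[mac]} and {ip})")
        if ip in seen_ip and seen_ip[ip] != mac:
            problems.append(f"{ip}: bound to both {seen_ip[ip]} and {mac}")
        seen_mac.setdefault(mac, ip)
        seen_ip.setdefault(ip, mac)
    return problems


def demo():
    # Constructed sample: one good binding, one inside the pool, one outside
    # the subnet, and one MAC bound a second time.
    return validate_bindings(
        "10.0.1.0/24",
        ["10.0.1.100-10.0.1.200"],
        [
            ("00:50:56:aa:bb:01", "10.0.1.10"),
            ("00:50:56:aa:bb:02", "10.0.1.150"),
            ("00:50:56:aa:bb:03", "10.0.2.5"),
            ("00:50:56:AA:BB:01", "10.0.1.11"),
        ],
    )


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run it before applying a batch of bindings; anything it reports is either a future lease conflict or a binding the Edge cannot honour on that network.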
Configuring OSPF
Configuring BGP
Another new feature is configuring the transfer of routes between different protocols, i.e. route redistribution.
L4/L7 load balancer. X-Forwarded-For has been introduced for HTTPS headers. Everyone complained that it was missing. For example, you have a website that you are balancing. Without this header being passed, everything works, but in the web server statistics you see the balancer's IP instead of the visitors' IPs. Now everything is right.
Also, in the Application Rules tab you can now add scripts that directly control how traffic is balanced.
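Once the balancer inserts X-Forwarded-For, the web server has to read it correctly: the header is set by whatever is in front of the server, including the client itself, so a visitor can prepend arbitrary addresses. The following is an added example, not NSX or VMware code, of how a web server (or its log pipeline) should derive the visitor's IP: walk the header from the right, strip only hops that belong to proxies you trust, and take the first untrusted hop. The proxy ranges and addresses are constructed.

```python
"""Derive the visitor's IP behind an L7 balancer from X-Forwarded-For.

Added example, not NSX code. The header is client-controllable, so only
addresses belonging to known proxies are stripped from the right; the
first untrusted address is the client. Proxy ranges and IPs are constructed.
"""
import ipaddress


def client_ip(remote_addr, xff_header, trusted_proxies):
    """remote_addr: the peer that actually connected; xff_header: raw header or None."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in trusted)
        except ValueError:
            return False                    # not even an IP: never trusted

    if not is_trusted(remote_addr):
        return remote_addr                  # direct connection: ignore XFF entirely
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):              # right-most hop was added by our balancer
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr          # garbage in the header: fall back safely
    return remote_addr                      # header empty or all hops trusted


def log_line(remote_addr, xff_header, trusted_proxies, method, path, status):
    """Combined-log style line that records the resolved client, not the balancer."""
    ip = client_ip(remote_addr, xff_header, trusted_proxies)
    return f'{ip} "{method} {path}" {status}'


if __name__ == "__main__":
    LB = ["10.0.0.0/8"]                     # constructed: balancer lives in this range
    print(log_line("10.0.1.5", "198.51.100.9", LB, "GET", "/", 200))
    print(log_line("10.0.1.5", "1.2.3.4, 198.51.100.9, 10.0.1.6", LB, "GET", "/", 200))
```

Without the trusted-proxy check, the second request above would be logged as coming from 1.2.3.4, an address the visitor chose; that matters for access statistics, rate limiting and any IP-based allow list applied behind the balancer.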
VPN. In addition to IPsec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch networks between geographically dispersed sites. Such a VPN is needed, for example, so that when a virtual machine is migrated to another site it stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to the corporate network. At the vSphere level this functionality already existed, but for vCloud Director it is new.
SSL certificates. Certificates can be installed on NSX Edge. This again comes back to the question of who needs a balancer without certificates for HTTPS.
Grouping Objects. In this tab you define the groups of objects to which certain network interaction rules will apply, for example firewall rules.
These objects can be IP and MAC addresses.
There is also a list of services (port and protocol combinations) and applications that can be used when creating firewall rules. Only the vCD portal administrator can add new services and applications.
Statistics. Connection statistics: traffic passing through the gateway, the firewall and the balancer.
Status and statistics for each IPsec VPN and L2 VPN tunnel.
Logging. In the Edge settings you can specify a server to which logs are sent. Logging works for DNAT/SNAT, DHCP, firewall, routing, balancer, IPsec VPN and SSL VPN Plus.
The following alert levels are available for each object/service:
- Emergency
- Alert
- Critical
- Error
- Warning
- Notice
- Info
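On the receiving side those levels arrive as the standard syslog severity codes, so the collector can triage Edge events by level rather than by pattern-matching message text. The following is an added example, not NSX code: it decodes the syslog PRI field (facility*8 + severity, per RFC 5424) and keeps only events at or above a chosen level. The seven names above map to severity codes 0 to 6; code 7 (debug) is included in the table for completeness. The sample lines are constructed and are not real NSX Edge output.

```python
"""Filter forwarded syslog events by severity.

Added example, not NSX code. Each syslog message starts with a PRI field
'<N>' where N = facility * 8 + severity (RFC 5424). The sample lines are
constructed; they are not real NSX Edge log output.
"""
import re

# Severity code 0..7 -> name. NSX Edge exposes the first seven in its settings.
SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility, severity_name, rest) or None if PRI is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                   # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return pri >> 3, SEVERITY[pri & 7], m.group(2)


def at_least(lines, threshold):
    """Keep lines whose severity is at least as urgent as `threshold` (e.g. 'warning')."""
    limit = SEVERITY.index(threshold)
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue                # malformed input is skipped, not trusted
        if SEVERITY.index(decoded[1]) <= limit:
            kept.append(line)
    return kept


# Constructed sample feed (facility 1 = user, varying severities).
SAMPLE = [
    "<14>Jan  1 10:00:00 edge-1 dhcp: lease 10.0.1.101 to 00:50:56:aa:bb:02",   # info
    "<12>Jan  1 10:00:01 edge-1 firewall: DROP tcp 198.51.100.9 -> 10.0.1.20:5432",  # warning
    "<10>Jan  1 10:00:02 edge-1 routing: OSPF adjacency lost on vNic_1",       # critical
    "<9>Jan  1 10:00:03 edge-1 ipsec: tunnel to 203.0.113.1 down",             # alert
    "no-pri line should be ignored",
    "<300>bad pri should be ignored",
]


if __name__ == "__main__":
    for line in at_least(SAMPLE, "warning"):
        print(decode_pri(line)[1].upper(), line)
```

A threshold of "warning" drops the DHCP lease notice and the malformed lines and keeps the three events an operator would actually page on.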
NSX Edge sizes
Depending on the tasks being solved and the scale, VMware offers the following NSX Edge sizes.

|         | NSX Edge (Compact)                   | NSX Edge (Large)            | NSX Edge (Quad Large)   | NSX Edge (X-Large) |
|---------|--------------------------------------|-----------------------------|-------------------------|--------------------|
| vCPU    | 1                                    | 2                           | 4                       | 6                  |
| Memory  | 512MB                                | 1GB                         | 1GB                     | 8GB                |
| Disk    | 512MB                                | 512MB                       | 512MB                   | 4.5GB + 4GB        |
| Purpose | Single application, test data center | Small or medium data center | Heavily loaded firewall | L7 load balancing  |
The table below gives the performance metrics of the network services depending on NSX Edge size.

|                                       | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad Large) | NSX Edge (X-Large) |
|---------------------------------------|--------------------|------------------|-----------------------|--------------------|
| Interfaces                            | 10                 | 10               | 10                    | 10                 |
| Sub-interfaces (trunk)                | 200                | 200              | 200                   | 200                |
| NAT rules                             | 2,048              | 4,096            | 4,096                 | 8,192              |
| ARP entries (until overwritten)       | 1,024              | 2,048            | 2,048                 | 2,048              |
| FW rules                              | 2000               | 2000             | 2000                  | 2000               |
| FW performance                        | 3Gbps              | 9.7Gbps          | 9.7Gbps               | 9.7Gbps            |
| DHCP pools                            | 20,000             | 20,000           | 20,000                | 20,000             |
| ECMP paths                            | 8                  | 8                | 8                     | 8                  |
| Static routes                         | 2,048              | 2,048            | 2,048                 | 2,048              |
| LB pools                              | 64                 | 64               | 64                    | 1,024              |
| LB virtual servers                    | 64                 | 64               | 64                    | 1,024              |
| LB servers per pool                   | 32                 | 32               | 32                    | 32                 |
| LB health checks                      | 320                | 320              | 320                   | 3,072              |
| LB application rules                  | 4,096              | 4,096            | 4,096                 | 4,096              |
| L2VPN clients (hub to spoke)          | 5                  | 5                | 5                     | 5                  |
| L2VPN networks per client/server      | 200                | 200              | 200                   | 200                |
| IPsec tunnels                         | 512                | 1,600            | 4,096                 | 6,000              |
| SSL VPN tunnels                       | 50                 | 100              | 100                   | 1,000              |
| SSL VPN private networks              | 16                 | 16               | 16                    | 16                 |
| Concurrent sessions                   | 64,000             | 1,000,000        | 1,000,000             | 1,000,000          |
| Sessions/second                       | 8,000              | 50,000           | 50,000                | 50,000             |
| LB throughput (L7 proxy)              |                    | 2.2Gbps          | 2.2Gbps               | 3Gbps              |
| LB throughput (L4 mode)               |                    | 6Gbps            | 6Gbps                 | 6Gbps              |
| LB connections/s (L7 proxy)           |                    | 46,000           | 50,000                | 50,000             |
| LB concurrent connections (L7 proxy)  |                    | 8,000            | 60,000                | 60,000             |
| LB connections/s (L4 mode)            |                    | 50,000           | 50,000                | 50,000             |
| LB concurrent connections (L4 mode)   |                    | 600,000          | 1,000,000             | 1,000,000          |
| BGP routes                            | 20,000             | 50,000           | 250,000               | 250,000            |
| BGP neighbors                         | 10                 | 20               | 100                   | 100                |
| BGP routes redistributed              | no limit           | no limit         | no limit              | no limit           |
| OSPF routes                           | 20,000             | 50,000           | 100,000               | 100,000            |
| OSPF LSA entries (max 750 Type-1)     | 20,000             | 50,000           | 100,000               | 100,000            |
| OSPF adjacencies                      | 10                 | 20               | 40                    | 40                 |
| OSPF routes redistributed             | 2000               | 5000             | 20,000                | 20,000             |
| Total routes                          | 20,000             | 50,000           | 250,000               | 250,000            |
The table shows that configuring load balancing on NSX Edge for production scenarios is recommended only starting from the Quad Large size.
That is all I have for today. In the following parts I will describe in detail how to configure each NSX Edge network service.
source: www.habr.com