If you open the config of almost any firewall, you will probably see a sheet with a pile of IP addresses, ports, protocols and subnets. This is how network security policies for user access to resources are implemented. At first someone tries to keep the configuration in order, but then employees move from one department to another, servers multiply and change roles, access to various projects appears where it should not, and hundreds of unexplained loopholes emerge.
After some of the rules, if you are lucky, there are comments like "Vasya asked me to do this" or "This is something in the DMZ". The network administrator leaves, and now nobody understands everything. Then someone decides to clean up Vasya's config, and SAP goes down, because Vasya had asked for that access to run the production SAP.
Today I will talk about the VMware NSX solution, which helps to tie network traffic and security policies together correctly without getting lost in firewall configs. I will show the new features compared to what VMware had in this area before.
VMware NSX is a platform for virtualizing and securing network services. NSX handles routing, switching, load balancing and firewalling, and can do a number of other interesting things.
NSX replaces the vCloud Networking and Security (vCNS) product and the acquired Nicira NVP.
From vCNS to NSX
Previously, a customer in a cloud built on VMware vCloud received a vCNS vShield Edge virtual machine. It acted as a perimeter gateway on which many network functions could be configured: NAT, DHCP, firewall, VPN, load balancer, and so on.
Firewall and NAT. Inside the network, virtual machines communicated freely with each other within their subnets. If you wanted to segregate and control traffic, you could create a separate network for each application component (different virtual machines) and set up the appropriate rules for their network interaction on the firewall. But this is long, tedious and uninteresting, especially once you have more than a few virtual machines.
In NSX, VMware implemented the concept of micro-segmentation using a distributed firewall built into the hypervisor kernel. It applies security and network policies not only to IP and MAC addresses but to other objects as well: virtual machines and applications. If NSX is integrated with a domain, these objects can also be a user or a group of users from Active Directory. Each such object becomes a micro-segment inside its own security group, in the required subnet, with its own cozy DMZ :).
Previously there was a single security perimeter for the whole resource pool, protected by an edge gateway, but with NSX you can protect an individual virtual machine from unwanted connections, even within the same network.
Security and network policies are carried along when an object moves to another network. For example, if we move a machine with a database to another network segment or to an adjacent virtual data center, the rules written for this virtual machine continue to apply regardless of its new location. The application server will still be able to talk to the database.
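To make the difference concrete, here is an added toy model (not VMware code; the VM names, addresses and group names are constructed) of object-based rules next to IP-based ones: the object rule keeps matching after the database VM is moved to a new subnet, the IP rule silently stops matching, and a neighbour in the same subnet that is not in the group is still denied.

```python
"""Object-based (micro-segmentation) rules versus IP-based rules.

Added illustration, not VMware code: a tiny first-match policy evaluator.
A rule may name a security group (object selector) or a literal IP address.
All VM names, addresses and group names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str                                   # current address; changes when the VM is moved
    groups: set = field(default_factory=set)  # security-group membership


@dataclass
class Rule:
    src: str            # security-group name or literal IP
    dst: str
    port: int
    action: str = "allow"


def matches(selector: str, vm: VM) -> bool:
    """A selector matches by group membership (object) or by literal IP."""
    return selector in vm.groups or selector == vm.ip


def evaluate(rules, src: VM, dst: VM, port: int) -> str:
    """First-match evaluation with an implicit final deny, like a real firewall."""
    for r in rules:
        if matches(r.src, src) and matches(r.dst, dst) and r.port == port:
            return r.action
    return "deny"


def demo():
    """Return (object_rule, ip_rule) verdicts before and after moving the DB VM."""
    app = VM("app01", "10.1.1.10", {"sg-app"})
    db = VM("db01", "10.1.2.20", {"sg-db"})
    object_rules = [Rule("sg-app", "sg-db", 5432)]
    ip_rules = [Rule("10.1.1.10", "10.1.2.20", 5432)]
    before = (evaluate(object_rules, app, db, 5432), evaluate(ip_rules, app, db, 5432))
    db.ip = "10.9.9.20"   # move the database VM to another subnet / virtual data center
    after = (evaluate(object_rules, app, db, 5432), evaluate(ip_rules, app, db, 5432))
    return before, after


if __name__ == "__main__":
    print(demo())   # (('allow', 'allow'), ('allow', 'deny'))
```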
The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the features of the old Edge plus several new ones. We will talk about them further on.
What is new in NSX Edge?
NSX Edge functions
Firewall. You can select IP addresses, networks, gateway interfaces and virtual machines as the objects to which rules apply.
DHCP. Besides configuring the range of IP addresses issued to virtual machines on the network, NSX Edge has two further functions: binding and relay.
On the Binding tab you can bind a virtual machine's MAC address to an IP address when that address must stay fixed. The main thing is that this IP address is not part of the DHCP pool.
On the Relay tab you configure relaying of DHCP messages to DHCP servers located outside your organization in vCloud Director, including DHCP servers in the physical infrastructure.
Routing. vShield Edge could only be configured with static routing. Here dynamic routing appears, with support for the OSPF and BGP protocols. ECMP (active-active) configurations have also appeared, i.e. fault tolerance towards the physical routers.
OSPF configuration
BGP configuration
Another new feature is the configuration of route redistribution between different routing protocols.
L4/L7 load balancer. Support for the X-Forwarded-For header has been added for HTTP(S). Everyone complained about its absence. For example, you have a website that you balance. Without this header being passed, everything works, but in the web server statistics you do not see the visitors' IPs, only the IP of the balancer. Now everything is correct.
On the Application Rules tab you can add scripts that directly control balancing.
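As an added example (not from the original article or from VMware), here is how a web server behind the NSX Edge L7 balancer can recover the visitor's address from X-Forwarded-For without being fooled by it: the header is honoured only when the TCP peer is one of the assumed balancer addresses in TRUSTED_PROXIES, since any client connecting directly can set the header to an arbitrary value.

```python
"""Recovering the real client address behind an L7 load balancer.

Added example, not VMware code. Behind the balancer the web server sees the
balancer's address as the TCP peer and receives the client IP in
X-Forwarded-For ("client, proxy1, proxy2"). The header is attacker-controlled
unless the request really came from the balancer, so it is trusted only for
peers listed in TRUSTED_PROXIES, and the chain is walked from the right,
skipping known proxies. All addresses below are constructed samples.
"""
import ipaddress
from typing import Optional

# Assumed addresses of the NSX Edge load balancer(s) in front of this server.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("192.0.2.11/32")]


def _trusted(addr: str) -> bool:
    """True if addr is a syntactically valid IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log and rate-limit as the client.

    remote_addr: the TCP peer (what the server sees without the header).
    xff: raw X-Forwarded-For value, or None when the header is absent.
    """
    if not _trusted(remote_addr) or not xff:
        return remote_addr          # direct or untrusted sender: ignore the header
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Drop trusted proxies from the right; the first untrusted hop is the client.
    while hops and _trusted(hops[-1]):
        hops.pop()
    if not hops:
        return remote_addr
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote_addr          # malformed hop: fall back to the peer address
    return candidate
```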
VPN. In addition to IPSec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch networks between geographically dispersed sites. This VPN is needed, for example, when migrating to another site: the virtual machine stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to a corporate network. At the vSphere level this function already existed, but for vCloud Director it is new.
SSL certificates. Certificates can be installed on the NSX Edge. This settles the question of what use a load balancer is without a certificate for HTTPS.
Grouping objects. This tab shows the groups of objects to which certain network rules apply, for example firewall rules.
These objects can be IP and MAC addresses.
There is also a list of services (protocol-port combinations) and applications that can be used when creating firewall rules. The vCD portal administrator can add new services and applications.
Statistics. Data on the traffic passing through the gateway, the firewall and the load balancer, plus the status and counters of each IPSec VPN and L2 VPN tunnel.
Logging. On the Edge Settings tab you can set the server that collects the logs. Logging is available for DNAT/SNAT, DHCP, firewall, routing, load balancer, IPsec VPN and SSL VPN Plus.
The following log levels are available for each object/service:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
NSX Edge sizes
Depending on the tasks to be solved and the load, VMware offers NSX Edge in four sizes:

                 NSX Edge       NSX Edge       NSX Edge       NSX Edge
                 (Compact)      (Large)        (Quad-Large)   (X-Large)
vCPU             1              2              4              6
Memory           512MB          1GB            1GB            8GB
Disk             512MB          512MB          512MB          4.5GB + 4GB
Typical use      single app,    small or       heavily        L7 load
                 test DC        medium DC      loaded FW      balancing
The table below gives the performance figures of the network services depending on the NSX Edge size.

                                          Compact     Large       Quad-Large  X-Large
Interfaces                                10          10          10          10
Sub-interfaces (trunk)                    200         200         200         200
NAT rules                                 2,048       4,096       4,096       8,192
ARP entries until overwrite               1,024       2,048       2,048       2,048
FW rules                                  2,000       2,000       2,000       2,000
FW performance                            3Gbps       9.7Gbps     9.7Gbps     9.7Gbps
DHCP pools                                20,000      20,000      20,000      20,000
ECMP paths                                8           8           8           8
Static routes                             2,048       2,048       2,048       2,048
LB pools                                  64          64          64          1,024
LB virtual servers                        64          64          64          1,024
LB servers per pool                       32          32          32          32
LB health checks                          320         320         320         3,072
LB application rules                      4,096       4,096       4,096       4,096
L2VPN clients hub to spoke                5           5           5           5
L2VPN networks per client                 200         200         200         200
IPSec tunnels                             512         1,600       4,096       6,000
SSLVPN tunnels                            50          100         100         1,000
SSLVPN private networks                   16          16          16          16
Concurrent sessions                       64,000      1,000,000   1,000,000   1,000,000
Sessions/second                           8,000       50,000      50,000      50,000
LB throughput (L7 proxy)                  n/a         2.2Gbps     2.2Gbps     3Gbps
LB throughput (L4 mode)                   n/a         6Gbps       6Gbps       6Gbps
LB connections/s (L7 proxy)               n/a         46,000      50,000      50,000
LB concurrent connections (L7 proxy)      n/a         8,000       60,000      60,000
LB connections/s (L4 mode)                n/a         50,000      50,000      50,000
LB concurrent connections (L4 mode)       n/a         600,000     1,000,000   1,000,000
BGP routes                                20,000      50,000      250,000     250,000
BGP neighbors                             10          20          100         100
BGP routes redistributed                  no limit    no limit    no limit    no limit
OSPF routes                               20,000      50,000      100,000     100,000
OSPF LSA entries (max 750 type-1)         20,000      50,000      100,000     100,000
OSPF adjacencies                          10          20          40          40
OSPF routes redistributed                 2,000       5,000       20,000      20,000
Total routes                              20,000      50,000      250,000     250,000

As the table shows, configuring load balancing on NSX Edge for production workloads is recommended only from the Large size upwards; no load-balancer figures are given for Compact.
That is all for today. In the next parts I will go into the details of how to configure each NSX Edge network service.
Source: www.habr.com