🥇VMware NSX rau cov menyuam yaus. Part 1

Yog tias koj saib ntawm qhov teeb tsa ntawm ib lub firewall, feem ntau peb yuav pom ib daim ntawv nrog ib pawg ntawm IP chaw nyob, chaw nres nkoj, raws tu qauv thiab subnets. Qhov no yog li cas network kev ruaj ntseg txoj cai rau cov neeg siv nkag mus rau cov kev pab cuam yog classical siv. Thaum xub thawj lawv sim tswj hwm qhov kev txiav txim hauv config, tab sis tom qab ntawd cov neeg ua haujlwm pib txav los ntawm chav haujlwm mus rau chav haujlwm, cov servers sib faib thiab hloov lawv lub luag haujlwm, kev nkag mus rau cov haujlwm sib txawv tshwm sim uas lawv feem ntau tsis tso cai, thiab ntau pua txoj kev tshis tsis paub tshwm sim.

Ib sab ntawm qee qhov kev cai, yog tias koj muaj hmoo, muaj cov lus hais tias "Vasya hais kom kuv ua qhov no" lossis "Qhov no yog txoj hauv kev rau DMZ." Tus thawj tswj hwm lub network tawm, thiab txhua yam yuav tsis meej meej. Tom qab ntawd ib tus neeg txiav txim siab tshem Vasya lub teeb tsa, thiab SAP poob, vim Vasya ib zaug thov kom nkag mus rau qhov no los khiav kev sib ntaus sib tua SAP.

Hnub no kuv yuav tham txog VMware NSX kev daws teeb meem, uas yuav pab kom siv tau cov kev sib txuas lus network thiab kev ruaj ntseg cov cai yam tsis muaj kev ntxhov siab hauv firewall configs. Kuv yuav qhia koj tias cov yam ntxwv tshiab tau tshwm sim piv rau dab tsi VMware yav dhau los muaj nyob rau hauv ntu no.

VMWare NSX yog virtualization thiab kev ruaj ntseg platform rau kev pabcuam network. NSX daws teeb meem ntawm routing, switching, load balancing, firewall thiab ua tau ntau yam nthuav.

NSX yog tus ua tiav rau VMware tus kheej vCloud Networking thiab Security (vCNS) cov khoom thiab tau txais Nicira NVP.

VCNS to NSX

Yav dhau los, tus neeg siv khoom muaj qhov sib cais vCNS vShield Edge virtual tshuab hauv huab ua rau VMware vCloud. Nws ua raws li lub rooj vag ciam teb, qhov uas nws muaj peev xwm los teeb tsa ntau lub network ua haujlwm: NAT, DHCP, Firewall, VPN, load balancer, thiab lwm yam. vShield Edge txwv kev cuam tshuam ntawm lub tshuab virtual nrog lub ntiaj teb sab nraud raws li cov cai teev tseg hauv Firewall thiab NAT. Hauv lub network, cov tshuab virtual sib txuas lus nrog ib leeg dawb hauv subnets. Yog tias koj xav sib faib thiab kov yeej kev khiav tsheb, koj tuaj yeem ua ib lub network sib cais rau ib qho ntawm cov ntawv thov (cov tshuab virtual sib txawv) thiab teeb tsa cov cai tsim nyog rau lawv cov kev sib cuam tshuam hauv network hauv firewall. Tab sis qhov no yog ntev, nyuaj thiab uninteresting, tshwj xeeb tshaj yog thaum koj muaj ob peb lub kaum os virtual tshuab.

Hauv NSX, VMware tau siv lub tswv yim ntawm micro-segmentation siv lub foob pob hluav taws sib faib ua rau hauv hypervisor kernel. Nws qhia txog kev ruaj ntseg thiab kev sib txuas lus network tsis yog rau IP thiab MAC chaw nyob, tab sis kuj rau lwm yam khoom: virtual machines, applications. Yog tias NSX raug xa mus rau hauv ib lub koom haum, cov khoom no tuaj yeem yog tus neeg siv lossis pab pawg neeg siv los ntawm Active Directory. Txhua yam khoom no hloov mus rau hauv microsegment hauv nws lub voj kev ruaj ntseg, hauv qhov xav tau subnet, nrog nws tus kheej cozy DMZ :).

Yav dhau los, tsuas muaj ib qho kev ruaj ntseg perimeter rau tag nrho lub pas dej ua ke ntawm cov peev txheej, tiv thaiv los ntawm kev hloov pauv, tab sis nrog NSX koj tuaj yeem tiv thaiv lub tshuab virtual los ntawm kev sib cuam tshuam tsis tsim nyog, txawm tias nyob hauv tib lub network.

Kev ruaj ntseg thiab kev sib tham txoj cai hloov pauv yog tias ib lub koom haum tsiv mus rau lwm lub network. Piv txwv li, yog tias peb txav lub tshuab nrog lub chaw khaws ntaub ntawv mus rau lwm ntu ntawm lub network lossis txawm tias mus rau lwm qhov chaw sib txuas nrog cov ntaub ntawv virtual, ces cov kev cai sau rau lub tshuab virtual no tseem yuav siv tsis hais nws qhov chaw tshiab. Daim ntawv thov server tseem tuaj yeem sib txuas lus nrog cov ntaub ntawv.

Lub ntug rooj vag nws tus kheej, vCNS vShield Edge, tau hloov los ntawm NSX Ntug. Nws muaj tag nrho cov yam ntxwv ntawm tus txiv neej laus ntawm Edge qub, ntxiv rau ob peb yam tshiab muaj txiaj ntsig. Peb yuav tham txog lawv ntxiv.

Dab tsi tshiab nrog NSX Ntug?

NSX Edge functionality nyob ntawm tsab ntawv NSX. Muaj tsib ntawm lawv: Standard, Professional, Advanced, Enterprise, Plus Remote Branch Office. Txhua yam tshiab thiab nthuav tuaj yeem pom tsuas yog pib nrog Advanced. Xws li lub interface tshiab, uas, kom txog rau thaum vCloud hloov mus rau HTML5 (VMware cog lus rau lub caij ntuj sov 2019), qhib rau hauv tab tshiab.

Hluav Taws Kub Kub. Koj tuaj yeem xaiv IP chaw nyob, tes hauj lwm, rooj vag interfaces, thiab cov tshuab virtual ua cov khoom uas yuav siv tau.

DHCP. Ntxiv nrog rau kev teeb tsa thaj tsam ntawm IP chaw nyob uas yuav raug xa mus rau cov tshuab virtual ntawm lub network no, NSX Edge tam sim no muaj cov haujlwm hauv qab no: ruaj и Relay.

Hauv tab Kev khi Koj tuaj yeem khi MAC chaw nyob ntawm lub tshuab virtual rau qhov chaw nyob IP yog tias koj xav tau qhov chaw nyob IP tsis hloov. Qhov tseem ceeb tshaj plaws yog qhov chaw nyob IP no tsis suav nrog DHCP Pas Dej.

Hauv tab Relay relay ntawm DHCP cov lus tau teeb tsa rau DHCP servers uas nyob sab nraud ntawm koj lub koom haum hauv vCloud Tus Thawj Coj, suav nrog DHCP servers ntawm lub cev infrastructure.

Txoj kev. vShield Edge tsuas tuaj yeem teeb tsa txoj kev zoo li qub. Dynamic routing nrog kev txhawb nqa rau OSPF thiab BGP raws tu qauv tau tshwm sim ntawm no. ECMP (Active-active) teeb tsa kuj tau dhau los, uas txhais tau hais tias ua haujlwm tsis ua haujlwm rau lub cev routers.

Kev teeb tsa OSPF

Kev teeb tsa BGP

Lwm qhov tshiab yog teeb tsa cov kev hloov pauv ntawm cov txheej txheem sib txawv,
txoj kev redistribution.

L4 / L7 Load Balancer. X-Forwarded-For tau qhia rau HTTPs header. Sawv daws quaj tsis muaj nws. Piv txwv li, koj muaj lub vev xaib uas koj sib npaug. Yog tsis muaj kev xa mus rau lub taub hau no, txhua yam ua haujlwm, tab sis hauv web server txheeb cais koj pom tsis yog tus IP ntawm cov neeg tuaj saib, tab sis tus IP ntawm tus nqi sib npaug. Tam sim no txhua yam yog lawm.

Tsis tas li nyob rau hauv Daim Ntawv Thov Cov Cai tab tam sim no koj tuaj yeem ntxiv cov ntawv sau uas yuav ncaj qha tswj kev ntsuas tsheb.

vpn ua. Ntxiv rau IPSec VPN, NSX Edge txhawb nqa:

L2 VPN, uas tso cai rau koj kom ncav cuag kev sib txuas ntawm thaj chaw sib cais. Xws li VPN yog xav tau, piv txwv li, yog li thaum tsiv mus rau lwm qhov chaw, lub tshuab virtual tseem nyob hauv tib lub subnet thiab khaws nws qhov chaw nyob IP.

SSL VPN Plus, uas tso cai rau cov neeg siv txuas mus rau thaj chaw sib koom tes. Nyob rau theem vSphere muaj qhov ua haujlwm zoo li no, tab sis rau vCloud Tus Thawj Coj qhov no yog kev tsim kho tshiab.

SSL daim ntawv pov thawj. Cov ntawv pov thawj tam sim no tuaj yeem ntsia tau rau ntawm NSX Edge. Qhov no rov los rau lo lus nug ntawm leej twg xav tau ib tug balancer tsis muaj daim ntawv pov thawj rau https.

Muab Cov Khoom Pab Pawg. Hauv tab no, pawg ntawm cov khoom tau teev tseg rau qee cov kev cai hauv network yuav siv tau, piv txwv li, cov cai firewall.

Cov khoom no tuaj yeem yog IP thiab MAC chaw nyob.

Kuj tseem muaj cov npe ntawm cov kev pabcuam (kev sib koom ua ke-chaw nres nkoj) thiab cov ntawv thov uas tuaj yeem siv tau thaum tsim cov kev cai firewall. Tsuas yog tus thawj tswj hwm vCD portal tuaj yeem ntxiv cov kev pabcuam tshiab thiab cov ntawv thov.

Kev txheeb cais. Kev sib txuas cov txheeb cais: cov tsheb uas hla lub rooj vag, firewall thiab balancer.

Cov xwm txheej thiab kev txheeb cais rau txhua IPSEC VPN thiab L2 VPN qhov.

Kev sau npe. Hauv Edge Settings tab, koj tuaj yeem teeb tsa lub server rau sau cov cav. Kev sau npe ua haujlwm rau DNAT / SNAT, DHCP, Firewall, routing, balancer, IPsec VPN, SSL VPN Ntxiv.

Hom kev ceeb toom hauv qab no muaj rau txhua yam khoom / kev pabcuam:

-Debug
- Ceeb toom
-Qhov tseem ceeb
- yuam kev
- Ceeb toom
— Daim ntawv ceeb toom
— Cov ntaub ntawv

NSX Edge Dimensions

Nyob ntawm cov haujlwm tau daws thiab qhov ntim ntawm VMware pom zoo tsim NSX Edge hauv qhov ntau thiab tsawg hauv qab no:

NSX Edge
(Compact)

NSX Edge
(loj)

NSX Edge
(Quad-loj)

NSX Edge
(X-loj)

vCPU

Memory

512MB

1GB

8GB

disk

512MB

4.5GB + 4GB

Lub Sijhawm

Ib
thov, test
data center

Me me
los yog nruab nrab
data center

Loaded
firewall

Sib Ntsuas
loads ntawm qib L7

Hauv qab no hauv cov lus yog cov kev ntsuas kev ua haujlwm ntawm cov kev pabcuam network nyob ntawm qhov loj ntawm NSX Edge.

NSX Edge
(Compact)

NSX Edge
(loj)

NSX Edge
(Quad-loj)

NSX Edge
(X-loj)

interfaces

Sub Interfaces (Lub cev)

200

NTUA Rules

2,048

4,096

8,192

ARP nkag
Mus txog rau Overwrite

1,024

2,048

FW Cov Cai

2000

FW Performance

3Gbps

9.7Gbps

DHCP Pools

20,000

ECMP Paths

Static Routes

2,048

LB Pools

1,024

LB Virtual Servers

1,024

LB Server/Pool

LB Health Checks

320

3,072

LB Application Rules

4,096

L2VPN Cov Neeg Siv Khoom Hub hais lus

L2VPN Networks rau Client/Server

200

IPSec Qhov

512

1,600

4,096

6,000

SSLVPN Qhov

100

1,000

SSLVPN Private Networks

Concurrent Sessions

64,000

1,000,000

Sessions/Second

8,000

50,000

LB Throughput L7 Pov Thawj)

2.2Gbps

3Gbps

LB Throughput L4 Hom)

6Gbps

LB Connections/s (L7 Pov Thawj)

46,000

50,000

LB Concurrent Connections (L7 Pov Thawj)

8,000

60,000

LB Connections/s (L4 hom)

50,000

LB Concurrent Connections (L4 hom)

600,000

1,000,000

BGP Routes

20,000

50,000

250,000

BGP Cov Neeg Zej Zog

100

BGP Routes Redistributed

Tsis txhob

OSPF Routes

20,000

50,000

100,000

OSPF LSA Entry Max 750 Type-1

20,000

50,000

100,000

OSPF Adjacencies

OSPF Routes Redistributed

2000

5000

20,000

Tag nrho cov kev

20,000

50,000

250,000

→ Tau qhov twg los

Cov lus qhia tau hais tias nws raug pom zoo los npaj kev sib npaug ntawm NSX Edge rau cov xwm txheej tsim tau tsuas yog pib los ntawm Loj Loj.

Qhov ntawd yog txhua yam kuv muaj rau hnub no. Hauv ntu nram qab no kuv yuav piav qhia meej yuav ua li cas teeb tsa txhua qhov kev pabcuam NSX Edge network.

Tau qhov twg los: www.hab.com

VMware NSX rau cov me me. Ntu 1

VCNS to NSX

Dab tsi tshiab nrog NSX Ntug?

NSX Edge Dimensions

Ntxiv ib saib Отменить ответ