If you look at the configuration of any firewall, you will see a sheet of IP addresses, ports, protocols and subnets. This is how network rules governing user access to resources have traditionally been applied. At first people try to keep the config in order, but then employees start moving from department to department, servers multiply and change roles, access to various services appears where it is often not supposed to, and hundreds of rules that nobody can explain pile up.
Next to some of the rules, if you are lucky, there is a comment like "Vasya asked me to do this" or "This is the passage to the DMZ." The network administrator leaves, and nothing is clear any more. Then someone decides to remove Vasya's settings, and SAP goes down, because Vasya once requested that access in order to run SAP.
Today I will talk about VMware NSX, a solution that helps apply network connectivity and security policies without turning the firewall configuration into chaos. I will show what is new compared to what VMware had in this area before.
VMware NSX is a platform for virtualizing and securing network services. NSX handles routing, switching, load balancing and firewalling, and can do many other interesting things.
NSX is the successor to VMware's vCloud Networking and Security (vCNS) and the acquired Nicira NVP.
From vCNS to NSX
Previously, a customer in a cloud built on VMware vCloud had a dedicated vCNS vShield Edge virtual machine. It acted as an edge gateway on which many network services could be configured: NAT, DHCP, Firewall, VPN, load balancer, etc. vShield Edge restricted communication between virtual machines and the outside world according to the rules defined in Firewall and NAT. Inside the network, virtual machines communicated with each other freely within their subnets. If you really wanted to divide and conquer the traffic, you could create separate networks for individual services (separate virtual machines) and set up the appropriate inter-network rules in the firewall. But that is long, tedious and unpleasant, especially when you have a few dozen virtual machines.
In NSX, VMware implemented the concept of micro-segmentation using a distributed firewall built into the hypervisor kernel. It defines security and network connectivity policies not only on IP and MAC addresses, but also on other objects: virtual machines and applications. If NSX is deployed in an enterprise, such an object can be a user or a group of users from Active Directory. Each such object becomes a micro-segment with its own security perimeter, in the required subnet, with its own nice DMZ :).
Previously there was a single security perimeter for the whole virtual data center, protected by the edge gateway, but with NSX you can protect individual virtual machines from unwanted connections even within the same network.
Security and network policies follow the object if it moves to another network. For example, if we move a virtual machine with a database to another network segment or even to another connected site, the rules written for this machine keep working regardless of its new location. The application server will still be able to talk to the database.
The edge gateway, vCNS vShield Edge, has been replaced by NSX Edge. It has all the respectable features of the old Edge, plus some useful new ones. Let's talk about them.
What's new in NSX Edge?
NSX Edge functionality
Firewall. You can select IP addresses, networks, gateway interfaces and virtual machines as the objects to which rules apply.
DHCP. In addition to handing out a range of IP addresses that are issued only to machines in the network, NSX Edge now has two more tabs: Bindings and Relay.
In the Bindings tab you can bind the MAC address of a virtual machine to an IP address if you want that IP address never to change. The main thing is that this IP address must not be included in the DHCP pool.
In the Relay tab you can configure forwarding of DHCP messages to DHCP servers located outside your organization in vCloud Director, including the infrastructure DHCP servers.
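The binding rule above (a bound address must sit outside every DHCP pool, and a MAC or IP should not be bound twice) is easy to break by hand. The following is an added example, not code from the article or from VMware: it checks a constructed, hypothetical NSX Edge DHCP configuration against those rules.

```python
import ipaddress
from collections import Counter

# Constructed sample configuration (hypothetical values, not from the article):
# one DHCP pool plus a few static MAC-to-IP bindings, some deliberately wrong.
DHCP_POOLS = [
    {"start": "10.0.0.100", "end": "10.0.0.200"},
]
DHCP_BINDINGS = [
    {"mac": "00:50:56:aa:bb:01", "ip": "10.0.0.10"},   # fine: outside the pool
    {"mac": "00:50:56:aa:bb:02", "ip": "10.0.0.150"},  # wrong: inside the pool
    {"mac": "00:50:56:aa:bb:03", "ip": "10.0.0.10"},   # wrong: IP already bound
    {"mac": "00:50:56:AA:BB:01", "ip": "10.0.0.11"},   # wrong: MAC already bound
]


def in_pool(ip, pool):
    """True if ip falls inside the inclusive start..end range of the pool."""
    addr = ipaddress.ip_address(ip)
    return (ipaddress.ip_address(pool["start"]) <= addr
            <= ipaddress.ip_address(pool["end"]))


def check_dhcp_config(pools, bindings):
    """Return a list of (mac, ip, reason) for every binding that breaks a rule."""
    problems = []
    ip_count = Counter(b["ip"] for b in bindings)
    mac_count = Counter(b["mac"].lower() for b in bindings)  # MACs compare case-insensitively
    for b in bindings:
        if any(in_pool(b["ip"], p) for p in pools):
            problems.append((b["mac"], b["ip"], "bound IP lies inside a DHCP pool"))
        if ip_count[b["ip"]] > 1:
            problems.append((b["mac"], b["ip"], "IP bound to more than one MAC"))
        if mac_count[b["mac"].lower()] > 1:
            problems.append((b["mac"], b["ip"], "MAC has more than one binding"))
    return problems


if __name__ == "__main__":
    for mac, ip, reason in check_dhcp_config(DHCP_POOLS, DHCP_BINDINGS):
        print(f"{mac} -> {ip}: {reason}")
```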
Routing. vShield Edge could only be configured with static routes. Dynamic routing with the OSPF and BGP protocols has appeared here. An ECMP (Active-active) configuration is also available, which gives fault tolerance at the level of the physical routers.
Configuring OSPF
Configuring BGP
Another new feature is the configured transfer of routes between different protocols, i.e. route redistribution.
L4/L7 Load Balancer. Insertion of the X-Forwarded-For header for HTTPS has been introduced. Everyone missed it. For example, you have a website that you are balancing. Without forwarding this header everything works, but in the web server statistics you see not the visitors' IPs but the balancer's IP. Now everything is fine.
Also, in the Application Rules tab you can now add scripts that directly control how traffic is balanced.
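On the web server side, the header the balancer inserts is only meaningful when the request really arrived through the balancer; a client connecting directly can send any X-Forwarded-For value it likes. As an added example (not code from the article, and the balancer address is an assumption), this picks the client address to record from a few constructed requests, trusting the header only when the TCP peer is the balancer:

```python
import ipaddress

# Assumed address of the NSX Edge load balancer as seen by the web server.
TRUSTED_BALANCERS = {ipaddress.ip_address("192.0.2.10")}

# Constructed requests: (TCP peer address, raw X-Forwarded-For header or None, request line).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "203.0.113.7", "GET /"),                 # via the balancer
    ("192.0.2.10", "10.9.9.9, 203.0.113.8", "GET /admin"),  # client sent its own XFF first
    ("198.51.100.5", "203.0.113.9", "GET /"),               # direct connection, header untrusted
    ("192.0.2.10", None, "GET /health"),                    # balancer without the header
]


def client_ip(peer_ip, xff_header):
    """Return the address to log for this request.

    The header is believed only when the peer is a known balancer, and then only
    its rightmost entry is used: that is the hop the balancer itself appended,
    while anything to the left may have been supplied by the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_BALANCERS or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)  # malformed header: fall back to the peer address


def resolve_all(requests):
    """Map each (peer, xff, request) tuple to (logged client address, request)."""
    return [(client_ip(peer, xff), req) for peer, xff, req in requests]


if __name__ == "__main__":
    for addr, req in resolve_all(SAMPLE_REQUESTS):
        print(f"{addr:15} {req}")
```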
VPN. In addition to IPSec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch a network between geographically dispersed sites. Such a VPN is needed, for example, so that when migrating to another site a virtual machine stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to the corporate network. At the vSphere level this feature already existed, but for vCloud Director it is new.
SSL certificates. Certificates can be installed on NSX Edge. This also settles the question of who needs a balancer without an https certificate.
Grouping Objects. On this page, groups of objects are defined to which certain network rules will then apply, for example firewall rules.
These objects can be IP and MAC addresses.
There is also a list of services (protocol-port combinations) and applications that can be used when building firewall rules. Only vCD portal administrators can add new services and applications.
Statistics. Connection statistics: the amount of traffic passing through the gateway, the firewall and the balancer.
Status and statistics for each IPSEC VPN and L2 VPN tunnel.
Logging. In the Edge Settings tab you can set a log collection server. Logging works for DNAT/SNAT, DHCP, Firewall, routing, balancer, IPsec VPN, SSL VPN Plus.
The following message levels are available for each object/service:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
NSX Edge sizes
Depending on the tasks to be solved and the traffic volume, VMware offers the following NSX Edge sizes:

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Purpose | Single application, test data center | Small or medium data center | Heavily loaded firewall | Load balancing at L7 |
The table below lists the network service metrics depending on the NSX Edge size.
| Metric | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries (until overwrite) | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Servers / Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients Hub to Spoke | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client / Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | - | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | - | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | - | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | - | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | - | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | - | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No limit | No limit | No limit | No limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries (Max 750 Type-1) | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |
The table shows that load balancing on NSX Edge is recommended for production starting from the Large size.
That is all I have for today. In the following parts I will go through in detail how to configure each NSX Edge network service.
Source: www.habr.com