Tichifunga nezvehuwandu hwemibvunzo yakatanga kusvika kwatiri kuburikidza neSD-WAN, tekinoroji yakatanga kunyatsodzika midzi muRussia. Vatengesi, sezvazviri, havana kurara uye vanopa pfungwa dzavo, uye mamwe mapiyona akashinga ari kutozviita pamanetiweki avo.
Isu tinoshanda pamwe nevanenge vatengesi vese, uye nekufamba kwemakore akati wandei murabhoritari yedu ndakakwanisa kuongorora mukuvaka kwega yega mugadziri mukuru wesoftware-yakatsanangurwa mhinduro. SD-WAN kubva kuFortinet inomira padiki padiki apa, iyo yakangovaka mashandiro ekuenzanisa traffic pakati pematanho ekutaurirana mune firewall software. Mhinduro yacho ndeyedemocracy, saka inowanzotariswa nemakambani asati agadzirira shanduko yepasi rose, asi anoda kushandisa nzira dzavo dzekutaurirana zvakanyanya.
Muchinyorwa chino ndinoda kukuudza maitiro ekugadzirisa nekushanda ne SD-WAN kubva kuFortinet, ndiani mhinduro iyi inokodzera uye ndeapi misungo yaungasangana nayo pano.
Vatambi vane mukurumbira mumusika weSD-WAN vanogona kuiswa mune imwe yemhando mbiri:
1. Kutanga kwakagadzira SD-WAN mhinduro kubva pakutanga. Vakanyanya kubudirira pane izvi vanowana kukurudzira kukuru kwebudiriro mushure mekutengwa nemakambani makuru - iyi ndiyo nyaya yeCisco/Viptela, VMWare/VeloCloud, Nuage/Nokia.
2. Makuru vatengesi venetiweki vakagadzira SD-WAN mhinduro, vachigadzira iyo programmability uye manejimendi echinyakare ma routers - iyi inyaya yeJuniper, Huawei.
Fortinet yakakwanisa kuwana nzira yayo. Iyo firewall software yaive yakavakirwa-mukati mashandiro ayo akaita kuti zvikwanise kusanganisa mainterfaces kuita chaiwo chiteshi uye kuenzanisa mutoro pakati pavo vachishandisa yakaoma algorithms zvichienzaniswa neyakajairwa nzira. Kuita uku kwakanzi SD-WAN. Ko iyo Fortinet yakanzi SD-WAN? Musika uri kunzwisisa zvishoma nezvishoma kuti Software-Defined zvinoreva kupatsanurwa kweDhipatimendi Rokudzora kubva kuData Plane, vatongi vakazvipira, uye orchestrators. Fortinet haina zvakadaro. Centralized manejimendi inosarudzika uye inopihwa kuburikidza neyechinyakare Fortimanager chishandiso. Asi mukuona kwangu, haufanirwe kutsvaga chokwadi chisinganzwisisike uye kutambisa nguva kupokana nezve mazwi. Munyika chaiyo, imwe neimwe nzira ine zvayakanakira nezvayakaipira. Nzira yakanakisa yekubuda ndeyekuvanzwisisa uye kugona kusarudza mhinduro dzinoenderana nemabasa.
Ini ndichaedza kukuudza nemascreenshots ari muruoko kuti SD-WAN kubva kuFortinet inotaridzika sei uye kuti ingaite sei.
Kuti zvese zvinoshanda sei
Ngatifungei kuti une matavi maviri akabatana nematanho maviri edata. Aya data link anosanganiswa kuita boka, zvakafanana neyakajairwa Ethernet interfaces inosanganiswa kuita LACP-Port-Channel. Vechinyakare-nguva vanorangarira PPP Multilink - zvakare fananidziro yakakodzera. Zviteshi zvinogona kuve zviteshi zvemuviri, VLAN SVI, pamwe neVPN kana GRE tunnel.
VPN kana GRE inowanzo shandiswa pakubatanidza bazi renzvimbo network paInternet. Uye zviteshi zvemuviri - kana paine L2 yakabatana pakati pemasaiti, kana kana ichibatanidza pamusoro yakatsaurirwa MPLS/VPN, kana isu tichigutsikana nekubatana pasina Overlay uye encryption. Chimwe chiitiko umo zviteshi zvemuviri zvinoshandiswa muboka reSD-WAN kuenzanisa kuwanikwa kwevashandisi kuInternet.
Pakumira kwedu kune mana firewall uye maviri VPN tunnels anoshanda kuburikidza maviri "communication operators". Dhiagiramu inoita seizvi:
Tunnels dzeVPN dzakagadzirirwa mumashandisirwo emhando kuitira kuti dzifanane ne-point-to-point yekubatanidza pakati pemidziyo ine IP kero paP2P interfaces, iyo inogona pinged kuti ive nechokwadi chokuti kutaurirana kuburikidza neimwe nzira iri kushanda. Kuti traffic ivharirwe uye iende kune rimwe divi, zvakakwana kuti uende nayo mugero. Iyo imwe nzira ndeyekusarudza traffic ye encryption uchishandisa zvinyorwa zve subnets, izvo zvinovhiringa zvakanyanya maneja sezvo iyo gadziriso inova yakaoma. Mune network yakakura, unogona kushandisa ADVPN tekinoroji kuvaka VPN; iyi analogue yeDMVPN kubva kuCisco kana DVPN kubva kuHuawei, iyo inobvumira kuseta nyore.
Site-to-Site VPN gadziriso yezvishandiso zviviri zvine BGP routing pamativi ese
«ЦОД» (DC)
«Филиал» (BRN)
config system interface
edit "WAN1"
set vdom "Internet"
set ip 1.1.1.1 255.255.255.252
set allowaccess ping
set role wan
set interface "DC-BRD"
set vlanid 111
next
edit "WAN2"
set vdom "Internet"
set ip 3.3.3.1 255.255.255.252
set allowaccess ping
set role lan
set interface "DC-BRD"
set vlanid 112
next
edit "BRN-Ph1-1"
set vdom "Internet"
set ip 192.168.254.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.254.2 255.255.255.255
set interface "WAN1"
next
edit "BRN-Ph1-2"
set vdom "Internet"
set ip 192.168.254.3 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.254.4 255.255.255.255
set interface "WAN2"
next
end
config vpn ipsec phase1-interface
edit "BRN-Ph1-1"
set interface "WAN1"
set local-gw 1.1.1.1
set peertype any
set net-device disable
set proposal aes128-sha1
set dhgrp 2
set remote-gw 2.2.2.1
set psksecret ***
next
edit "BRN-Ph1-2"
set interface "WAN2"
set local-gw 3.3.3.1
set peertype any
set net-device disable
set proposal aes128-sha1
set dhgrp 2
set remote-gw 4.4.4.1
set psksecret ***
next
end
config vpn ipsec phase2-interface
edit "BRN-Ph2-1"
set phase1name "BRN-Ph1-1"
set proposal aes256-sha256
set dhgrp 2
next
edit "BRN-Ph2-2"
set phase1name "BRN-Ph1-2"
set proposal aes256-sha256
set dhgrp 2
next
end
config router static
edit 1
set gateway 1.1.1.2
set device "WAN1"
next
edit 3
set gateway 3.3.3.2
set device "WAN2"
next
end
config router bgp
set as 65002
set router-id 10.1.7.1
set ebgp-multipath enable
config neighbor
edit "192.168.254.2"
set remote-as 65003
next
edit "192.168.254.4"
set remote-as 65003
next
end
config network
edit 1
set prefix 10.1.0.0 255.255.0.0
next
end
config system interface
edit "WAN1"
set vdom "Internet"
set ip 2.2.2.1 255.255.255.252
set allowaccess ping
set role wan
set interface "BRN-BRD"
set vlanid 111
next
edit "WAN2"
set vdom "Internet"
set ip 4.4.4.1 255.255.255.252
set allowaccess ping
set role wan
set interface "BRN-BRD"
set vlanid 114
next
edit "DC-Ph1-1"
set vdom "Internet"
set ip 192.168.254.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.254.1 255.255.255.255
set interface "WAN1"
next
edit "DC-Ph1-2"
set vdom "Internet"
set ip 192.168.254.4 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.254.3 255.255.255.255
set interface "WAN2"
next
end
config vpn ipsec phase1-interface
edit "DC-Ph1-1"
set interface "WAN1"
set local-gw 2.2.2.1
set peertype any
set net-device disable
set proposal aes128-sha1
set dhgrp 2
set remote-gw 1.1.1.1
set psksecret ***
next
edit "DC-Ph1-2"
set interface "WAN2"
set local-gw 4.4.4.1
set peertype any
set net-device disable
set proposal aes128-sha1
set dhgrp 2
set remote-gw 3.3.3.1
set psksecret ***
next
end
config vpn ipsec phase2-interface
edit "DC-Ph2-1"
set phase1name "DC-Ph1-1"
set proposal aes128-sha1
set dhgrp 2
next
edit "DC2-Ph2-2"
set phase1name "DC-Ph1-2"
set proposal aes128-sha1
set dhgrp 2
next
end
config router static
edit 1
set gateway 2.2.2.2
et device "WAN1"
next
edit 3
set gateway 4.4.4.2
set device "WAN2"
next
end
config router bgp
set as 65003
set router-id 10.200.7.1
set ebgp-multipath enable
config neighbor
edit "192.168.254.1"
set remote-as 65002
next
edit "192.168.254.3"
set remote-as 65002
next
end
config network
edit 1
set prefix 10.200.0.0 255.255.0.0
next
end
Ndiri kupa iyo config mufomu yezvinyorwa, nokuti, mumaonero angu, zviri nyore kugadzirisa VPN nenzira iyi. Anenge ese magadzirirwo akafanana pamativi ese ari maviri; mune zvinyorwa zvemavara anogona kugadzirwa sekopi-paste. Kana iwe ukaita chinhu chimwe chete muwebhu interface, zviri nyore kukanganisa - kanganwa cheki pane imwe nzvimbo, isa iyo isiriyo kukosha.
Mushure mekunge tawedzera iyo interfaces kune bundle
nzira dzese uye mitemo yekuchengetedza inogona kureva kwairi, uye kwete kune mainterface anosanganisirwa mairi. Zvirinani, iwe unofanirwa kubvumidza traffic kubva mukati metiweki kuenda kuSD-WAN. Paunenge uchivagadzirira mitemo, unogona kushandisa matanho ekudzivirira akadai seIPS, antivirus uye kuburitswa kweHTTPS.
SD-WAN Mitemo inogadzirirwa iyo bundle. Iyi ndiyo mitemo inotsanangura iyo balancing algorithm kune chaiyo traffic. Iwo akafanana nemafambisirwo emitemo muPolicy-Based Routing, chete semhedzisiro yetraffic inowira pasi pegwaro, haisi iyo inotevera-hop kana yakajairwa inobuda interface inoiswa, asi iyo interface yakawedzerwa kune SD-WAN bundle plus. traffic balancing algorithm pakati peaya mainterfaces.
Traffic inogona kupatsanurwa kubva kune yakajairika kuyerera neL3-L4 ruzivo, neanozivikanwa maapplication, Internet masevhisi (URL uye IP), pamwe nevanozivikanwa vashandisi venzvimbo dzekushandira uye malaptop. Mushure meizvi, imwe yeanotevera kuenzanisa algorithms inogona kupihwa kune yakagoverwa traffic:
Mune iyo Interface Preference runyorwa, iwo mainterface kubva kune ayo akatowedzerwa kune iyo bundle inozoshanda iyi mhando yetraffic inosarudzwa. Nekuwedzera kwete ese mainterface, unogona kudzikamisa chaizvo izvo zviteshi zvaunoshandisa, toti, email, kana iwe usingade kuremedza zvinodhura chiteshi neSLA yakakwira nayo. MuFortiOS 6.4.1, zvakave zvinogoneka kuunganidza nzvimbo dzakawedzerwa kune SD-WAN bundle muzvikamu, kugadzira, semuenzaniso, imwe nzvimbo yekutaurirana nenzvimbo dziri kure, uye imwe yenzvimbo yekuwana Internet uchishandisa NAT. Ehe, hongu, traffic inoenda kuInternet yakajairwa inogona zvakare kuenzana.
Nezve kuenzanisa algorithms
Nezve kuti Fortigate (firewall kubva kuFortinet) inogona kupatsanura traffic pakati pezviteshi, pane mbiri dzinonakidza sarudzo dzisina kunyanya kuwanda pamusika:
Mutengo wakaderera (SLA) - kubva kune ese mainterfaces anogutsa SLA panguva ino, iyo ine huremu hwakaderera (mutengo), nemaoko yakagadzwa nemutungamiriri, inosarudzwa; iyi modhi yakakodzera "yakawanda" traffic senge backups uye mafaera ekufambisa.
Hunhu Hwakanakisisa (SLA) -iyi algorithm, mukuwedzera kune yakajairwa kunonoka, jitter uye kurasikirwa kweFortigate mapaketi, inogona zvakare kushandisa yazvino chiteshi kurodha kuongorora mhando yematanho; Iyi modhi yakakodzera kune inonzwisisika traffic seVoIP uye vhidhiyo musangano.
Aya maalgorithms anoda kumisikidza yekutaurirana chiteshi kuita mita - Performance SLA. Iyi mita nguva nenguva (tarisa kupindirana) inotarisisa ruzivo nezve kutevedzera SLA: kurasikirwa kwepaketi, latency uye jitter muchiteshi chekutaurirana, uye inogona "kuramba" idzo nzira dzisiri kuzadzisa zvikumbaridzo zvemhando - dziri kurasikirwa nemapaketi akawandisa kana kusangana zvakare. latency yakawanda. Uye zvakare, iyo mita inotarisisa mamiriro echiteshi, uye inogona kuibvisa kwenguva pfupi kubva musumbu kana ichidzokororwa kurasikirwa kwemhinduro (kutadza kusati kwaita basa). Kana yadzoreredzwa, mushure memhinduro dzakati wandei dzakateedzana (dzoreredza chinongedzo mushure), mita inozodzosera otomatiki chiteshi kune bundle, uye data ichatanga kufambiswa kuburikidza nayo zvakare.
Izvi ndizvo zvinotaridzika se "mita":
Muwebhu interface, ICMP-Echo-chikumbiro, HTTP-GET uye DNS chikumbiro chiripo seye test protocol. Pane dzimwe sarudzo shoma pamutsara wekuraira: TCP-echo uye UDP-echo sarudzo dziripo, pamwe nehunyanzvi hwekuyera mhando protocol - TWAMP.
Mhedzisiro yekuyera inogonawo kuonekwa muwebhu interface:
Uye pamutsetse wemirairo:
Kugadzirisa matambudziko
Kana iwe wakagadzira mutemo, asi zvese zvisingashande sezvaitarisirwa, iwe unofanirwa kutarisa iyo Hit Count kukosha mune iyo SD-WAN Mitemo runyorwa. Icharatidza kana traffic inowira mumutemo uyu zvachose:
Pa peji rezvigadziriso yemamita pachayo, unogona kuona shanduko mumatanho paramita nekufamba kwenguva. Mutsetse une doti unoratidza kukosha kwechikumbaridzo cheparameter
Muwebhu interface iwe unogona kuona kuti traffic inogovaniswa sei nehuwandu hwe data inofambiswa / inogamuchirwa uye nhamba yezvikamu:
Pamusoro peizvi zvese, pane mukana wakanakisa wekuteedzera mafambiro emapaketi ane ruzivo rwakanyanya. Paunenge uchishanda munetiweki chaiyo, dhizaini yekumisikidza inounganidza akawanda marongero ekufambisa, firewalling, uye kugovera traffic pane ese SD-WAN ports. Zvese izvi zvinodyidzana neimwe nzira yakaoma, uye kunyangwe mutengesi achipa akadzama block diagraphs epacket processing algorithms, zvakakosha kuti ugone kusavaka uye kuyedza dzidziso, asi kuti uone kuti traffic inoenda kupi.
Semuenzaniso, inotevera seti yemirairo
diagnose debug flow filter saddr 10.200.64.15
diagnose debug flow filter daddr 10.1.7.2
diagnose debug flow show function-name
diagnose debug enable
diagnose debug trace 2
Inokutendera kuti utarise mapaketi maviri ane tsime kero ye10.200.64.15 uye kero yekuenda ye10.1.7.2.
Isu ping 10.7.1.2 kubva 10.200.64.15 kaviri uye tarisa zvakabuda pane console.
First package:
Chechipiri pasuru:
Heino yekutanga pakiti yakagamuchirwa nefirewall:
id=20085 trace_id=475 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=0."
VDOM – Internet, Proto=1 (ICMP), DMZ-Office – название L3-интерфейса. Type=8 – Echo.
Chikamu chitsva chakagadzirirwa iye:
msg="allocate a new session-0006a627"
Uye mutambo wakawanikwa mumagadzirirwo emitemo yenzira
msg="Match policy routing id=2136539137: to 10.1.7.2 via ifindex-110"
Zvinoitika kuti pakiti inoda kutumirwa kune imwe yeVPN tunnel:
"find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"
Iyo inotevera inobvumira mutemo inoonekwa mumafirewall policy:
msg="Allowed by Policy-3:"
Iyo pakiti yakavharidzirwa uye inotumirwa kumugero weVPN:
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-1"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-1"
func=esp_output4 line=905 msg="IPsec encrypt/auth"
Iyo encrypted packet inotumirwa kukero yegedhi reiyo WAN interface:
msg="send to 2.2.2.2 via intf-WAN1"
Kune yechipiri pakiti, zvese zvinoitika zvakafanana, asi zvinotumirwa kune imwe VPN mugero uye inosiya kuburikidza neyakasiyana firewall port:
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-2"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-2"
func=esp_output4 line=905 msg="IPsec encrypt/auth"
func=ipsec_output_finish line=622 msg="send to 4.4.4.2 via intf-WAN2"
Zvakanakira mhinduro
Kuvimbika kushanda uye mushandisi-ushamwari interface. Iyo ficha seti yaive iripo muFortiOS isati yasvika SD-WAN yakachengetedzwa zvizere. Ndokunge, isu hatina ichangoburwa software, asi yakakura sisitimu kubva kune yakaratidza firewall mutengesi. Nechinyakare seti yetiweki mabasa, iri nyore uye iri nyore kudzidza-webhu interface. Vangani vatengesi veSD-WAN vane, toti, Remote-Access VPN mashandiro pamidziyo yekupedzisira?
Chengetedzo level 80. FortiGate ndeimwe yepamusoro firewall mhinduro. Pane zvakawanda zvezvinhu paInternet pakumisikidza uye kutonga firewall, uye pamusika wevashandi kune nyanzvi dzakawanda dzekuchengetedza dzakatoziva mhinduro dzemutengesi.
Zero mutengo weSD-WAN mashandiro. Kuvaka inetiweki yeSD-WAN paFortiGate kunodhura zvakafanana nekuvaka iyo yenguva dzose WAN network pairi, sezvo pasina mamwe marezinesi anodiwa kuita SD-WAN mashandiro.
Mutengo wakaderera wekupinda. Fortigate ine yakanaka gradation yemidziyo yematanho akasiyana ekuita. Iwo madiki uye asingadhure mamodheru akanyatso kukodzera kuwedzera hofisi kana nzvimbo yekutengesa nevanoti, 3-5 vashandi. Vatengesi vazhinji havangove nemhando yakaderera-yekuita uye inokwanisika.
Kuita kwepamusoro. Kuderedza kushanda kweSD-WAN kukuenzanisa kwetraffic kwakabvumira kambani kuburitsa yakasarudzika SD-WAN ASIC, nekuda kwekuti SD-WAN kushanda hakudzikisi kuita kwefirewall zvachose.
Iko kugona kuita hofisi yese paFortinet michina. Aya ndiwo maviri emafirewall, switch, Wi-Fi yekuwana nzvimbo. Hofisi yakadaro iri nyore uye iri nyore kubata - switch uye nzvimbo dzekuwana dzakanyoreswa pamafirewall uye dzinodzorwa kubva kwavari. Semuenzaniso, izvi ndizvo zvingaite senge switch port kubva kune firewall interface inodzora switch iyi:
Kushaikwa kwevatongi sechinhu chimwe chekukundikana. Mutengesi pachake anotarisa pane izvi, asi izvi zvinogona kunzi bhenefiti muchikamu, nekuti kune avo vatengesi vane vatongi, kuve nechokwadi chekuti kushivirira kwavo kusingadhure, kazhinji pamutengo wemari shoma yekombuta zviwanikwa munzvimbo ye virtualization.
Chii chekutarisa
Hapana kupatsanurwa pakati peKudzora Ndege uye Data Plane. Izvi zvinoreva kuti network inofanirwa kugadzirwa nemaoko kana kushandisa echinyakare manejimendi maturusi atovepo - FortiManager. Kune vatengesi vakashandisa kupatsanurwa kwakadaro, network inounganidzwa pachayo. Administrator angangoda kugadzirisa topology yayo, kurambidza chimwe chinhu kumwe, hapana chimwe. Nekudaro, FortiManager's trump kadhi ndeyekuti haigone kubata kwete chete firewall, asiwo switch uye Wi-Fi yekuwana mapoinzi, kureva, inenge yese network.
Conditional kuwedzera kwekudzora. Nekuda kwekuti maturusi echinyakare anoshandiswa kugadzirisa network, manejimendi manejimendi nekuunzwa kweSD-WAN kunowedzera zvishoma. Kune rumwe rutivi, kushanda kutsva kunowanikwa nekukurumidza, sezvo mutengesi anotanga kuisunungura chete kune firewall operating system (iyo inoita kuti zvikwanisike kuishandisa), uye chete ipapo inowedzera hurongwa hwehutungamiri neinodiwa nzvimbo.
Kumwe kushanda kunogona kuwanikwa kubva kumutsara wekuraira, asi hakusi kuwanikwa kubva pawebhu interface. Dzimwe nguva hazvisi kutyisa kupinda mumutsara wekuraira kuti ugadzirise chimwe chinhu, asi zvinotyisa kusaona muwebhu interface kuti mumwe munhu atogadzira chimwe chinhu kubva kumutsara wekuraira. Asi izvi zvinowanzo shanda kuzvinhu zvitsva uye zvishoma nezvishoma, neFortiOS zvigadziriso, kugona kwewebhu interface kunovandudzwa.
Ndiani achakodzera
Kune avo vasina mapazi mazhinji. Kuita SD-WAN mhinduro ine yakaoma yepakati zvikamu pane network ye8-10 matavi anogona kusadhura kenduru - iwe uchafanirwa kushandisa mari pamarezinesi eSD-WAN zvishandiso uye virtualization system zviwanikwa kubata izvo zvepakati zvikamu. Kambani diki kazhinji ine mashoma emahara emakomputa zviwanikwa. Panyaya yeFortinet, zvakakwana kungotenga mafirewall.
Kune avo vane matavi madiki akawanda. Kune vatengesi vazhinji, mutengo wakaderera wekugadzirisa pabazi wakanyanya kukwirira uye unogona kunge usingafadze kubva pakuona kwebhizinesi rekupedzisira mutengi. Fortinet inopa zvishandiso zvidiki pamitengo inoyevedza.
Kune avo vasati vagadzirira kutsika zvakanyanya. Kuita SD-WAN nevanodzora, nzira dzevaridzi, uye nzira nyowani yekuronga network uye manejimendi inogona kunge iri nhanho hombe kune vamwe vatengi. Ehe, kuita kwakadai kunozopedzisira kwabatsira kukwidziridza mashandisirwo enzira dzekutaurirana uye basa revatariri, asi chekutanga iwe uchafanirwa kudzidza zvakawanda zvezvinhu zvitsva. Kune avo vasati vagadzirira shanduko yeparadigm, asi vanoda kudzvanya zvakawanda kubva mumatanho avo ekutaurirana, mhinduro kubva kuFortinet iriyo.
Source: www.habr.com