If you look at the configuration of almost any firewall, you will usually see a sheet listing a set of IP addresses, ports, protocols and subnets. This is how network security rules governing user access to resources have traditionally been written. At first people try to keep the configuration tidy, but then employees move from one department to another, servers multiply and change their roles, exceptions appear granting access to systems that would not normally be permitted, and hundreds of undocumented paths for traffic to leak out accumulate.
Next to some rules, if you are lucky, there is a comment like "Vasya asked me to do this" or "This is the segment that goes to the DMZ." The network administrator leaves, and then everything becomes perfectly clear. Then someone decides to clean up Vasya's config, and SAP breaks, because Vasya once asked for that access precisely so that SAP would start working.
Today I will talk about the VMware NSX solution, which helps to apply network interaction and security settings properly, without chaos in the firewall configs. I will show you what new things have appeared compared to what VMware previously had in this area.
VMware NSX is a platform for virtualizing and securing network services. NSX solves the problems of routing, switching, load balancing and firewalling, and can do many other interesting things.
NSX is the successor to VMware's own vCloud Networking and Security (vCNS) product and to the acquired Nicira NVP.
From vCNS to NSX
Previously, a customer in a cloud built on VMware vCloud had a separate vCNS vShield Edge virtual machine. It acted as an edge gateway on which many network functions could be configured: NAT, DHCP, Firewall, VPN, load balancer, etc. vShield Edge restricted the interaction of virtual machines with the outside world according to the rules defined in Firewall and NAT. Inside the network, virtual machines communicated freely within their subnets. If you really needed to separate and control traffic, you could create separate networks for individual application components (separate virtual machines) and set the appropriate rules for their network interaction in the firewall. But this is slow, difficult and unpleasant, especially when you have quite a few virtual machines.
In NSX, VMware implemented the concept of micro-segmentation using a distributed firewall built into the hypervisor kernel. It defines security and network interaction rules not only for IP and MAC addresses, but also for other objects: virtual machines and applications. If NSX is deployed inside an organization, these objects can also be a user or a group of users from Active Directory. Each such object becomes a micro-segment in its own security perimeter, in the required subnet, with its own cosy DMZ :).
Previously there was only a security perimeter around the whole pool of resources, protected by the edge gateway, but with NSX you can protect an individual machine from unwanted contact, even within the same network.
Security and networking settings do not change when an object moves to another network. For example, if we move a machine with a database to another network segment, or even to another connected virtual data center, the rules written for this virtual machine will keep working regardless of its new location. The application server will still be able to communicate with the database.
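The difference between address-based and object-based rules described above, as an added illustration that is not part of the article and not NSX code: a constructed inventory maps VM names to their current IP, one rule selects by IP/CIDR and the other by VM group, and the database VM is then "migrated" to a new segment to show which rule survives. The VM names, addresses and group names are all constructed.

```python
"""Object-based (micro-segmentation) rules versus IP-based rules: a constructed
model, not NSX code. Rules select either an IP/CIDR literal or a VM/group
object; a VM is then 'migrated' to another segment to see which rule survives."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src: str      # IP/CIDR literal or object selector ("vm:app01", "group:web")
    dst: str
    port: int
    action: str   # "allow" or "deny"

@dataclass
class Inventory:
    vm_ip: dict                                  # vm name -> current IP (constructed)
    groups: dict = field(default_factory=dict)   # group name -> set of vm names

    def matches(self, selector: str, vm: str) -> bool:
        """True if the VM is covered by the selector, by identity or by address."""
        if selector.startswith("vm:"):
            return selector[3:] == vm
        if selector.startswith("group:"):
            return vm in self.groups.get(selector[6:], set())
        # IP/CIDR selector: evaluated only against the VM's *current* address
        return ip_address(self.vm_ip[vm]) in ip_network(selector, strict=False)

def evaluate(rules, inv, src_vm, dst_vm, port) -> str:
    """First matching rule wins; this model denies when nothing matches."""
    for r in rules:
        if r.port == port and inv.matches(r.src, src_vm) and inv.matches(r.dst, dst_vm):
            return r.action
    return "deny"

def demo():
    """Verdicts (ip_rule, obj_rule) for app01 -> db01:5432 before and after migration."""
    inv = Inventory(vm_ip={"app01": "10.0.1.10", "db01": "10.0.2.20"},
                    groups={"app": {"app01"}, "db": {"db01"}})
    ip_rule = [Rule("app-to-db-ip", "10.0.1.0/24", "10.0.2.20/32", 5432, "allow")]
    obj_rule = [Rule("app-to-db-obj", "group:app", "group:db", 5432, "allow")]
    def verdicts():
        return (evaluate(ip_rule, inv, "app01", "db01", 5432),
                evaluate(obj_rule, inv, "app01", "db01", 5432))
    before = verdicts()
    inv.vm_ip["db01"] = "10.0.9.20"   # db01 moves to another segment: new IP, same identity
    after = verdicts()
    return before, after
```

After the move the IP-based rule silently stops matching (the flow falls through to deny), while the group-based rule still allows the application server to reach the database.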
The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the familiar features of the old Edge, plus a few more useful ones. Let's go through them.
What's new in NSX Edge?
NSX Edge functionality, service by service:
Firewall. You can choose IP addresses, networks, gateway interfaces and virtual machines as the objects to which rules apply.
DHCP. In addition to configuring a pool of IP addresses that are issued automatically to the virtual machines on a network, NSX Edge now has two more functions: Binding and Relay.
In the Bindings tab you can bind the MAC address of a virtual machine to an IP address if you need that IP address to stay fixed. The main thing is that this IP address must not be part of the DHCP pool.
In the Relay tab you configure the relaying of DHCP messages to DHCP servers outside your organization in vCloud Director, including DHCP servers in the physical infrastructure.
Routing. vShield Edge could only do static routing. Dynamic routing with support for the OSPF and BGP protocols has appeared here. ECMP (Active-Active) configurations are also now available, which means active-active failover towards the physical routers.
[Figure: Configuring OSPF]
[Figure: Configuring BGP]
Another new feature is the transfer of routes between different protocols, i.e. route redistribution.
L4/L7 Load Balancer. The X-Forwarded-For header has been introduced for HTTPS. Everyone was missing it. For example, you have a website that you are balancing. Without passing this header everything works, but in the web server statistics you see not the IP addresses of the visitors but the IP of the balancer. Now everything is fine.
Also, in the Application Rules tab you can now add scripts that directly control traffic balancing.
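The X-Forwarded-For point above has a defender's caveat the article does not spell out: the header is set by whoever is in front of the web server, so a client can send its own value and the balancer only appends to it. As an added example that is not from the article or from NSX, here is how a log pipeline can recover the real client address by walking the header from the right past trusted proxies only; the proxy range, log-line format and sample lines are constructed.

```python
"""Recovering the real client address behind an L7 balancer via X-Forwarded-For.
Constructed illustration, not NSX code: the web server sees the balancer as the
peer; the balancer appends the client IP to X-Forwarded-For. Walking the header
from the right past trusted proxies only means a client cannot spoof its
address by sending its own X-Forwarded-For value."""
import re
from ipaddress import ip_address, ip_network

# Constructed: the balancer's internal network as seen by the web server
TRUSTED_PROXIES = [ip_network("192.168.100.0/24")]

# Constructed log line format: peer "X-Forwarded-For" "request" status
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<xff>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$')

def is_trusted(addr: str) -> bool:
    """True only for syntactically valid addresses inside a trusted proxy range."""
    try:
        return any(ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def client_ip(peer: str, xff: str) -> str:
    """Return the nearest hop that is not a trusted proxy: that is the real client."""
    if not is_trusted(peer):
        return peer            # no balancer in front: the peer itself is the client
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop         # rightmost untrusted entry was appended by our balancer
    return peer                # header empty or only proxies: fall back to the peer

def parse_log(lines):
    """Yield (client_ip, request, status) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield client_ip(m["peer"], m["xff"]), m["req"], int(m["status"])

# Constructed sample log lines
SAMPLE_LOG = [
    # normal request through the balancer: peer is the balancer, client in XFF
    '192.168.100.5 "203.0.113.7" "GET /login HTTP/1.1" 200',
    # client sent a forged XFF of its own; the balancer appended the true source
    '192.168.100.5 "10.10.10.10, 203.0.113.9" "GET /admin HTTP/1.1" 403',
    # request that bypassed the balancer: peer is the client, no header
    '198.51.100.4 "-" "GET /health HTTP/1.1" 200',
]
```

Taking the leftmost value instead would attribute the second request to 10.10.10.10, an address the client chose itself.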
VPN. In addition to IPSec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch a network between geographically distributed sites. Such a VPN is needed, for example, so that when a virtual machine migrates to another site it stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to the corporate network. At the vSphere level this function already existed, but for vCloud Director it is new.
SSL certificates. Certificates can now be installed on NSX Edge. This again answers the question of who would want a balancer without an https certificate.
Grouping Objects. In this tab you define groups of objects to which certain network interaction rules will apply, for example firewall rules.
These objects can be IP and MAC addresses.
There is also a list of services (protocol-port combinations) and applications that can be used when creating firewall rules. Only the vCD portal administrator can add new services and applications.
Statistics. Connection statistics: traffic passing through the gateway, the firewall and the balancer.
Status and statistics for each IPSEC VPN and L2 VPN tunnel.
Logging. In the Edge Settings tab you can set a server for collecting logs. Logging works for DNAT/SNAT, DHCP, Firewall, routing, the balancer, IPsec VPN and SSL VPN Plus.
The following alert levels are available for each object/service:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
NSX Edge Sizes
Depending on the tasks to be solved and the scale of the VMware deployment:

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Purpose | Single application, test data center | Small or medium data center | Highly loaded firewall | Load balancing at L7 |
Below is a table of the operating metrics of the network services depending on the NSX Edge size.

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries Until Overwrite | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Server/Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients Hub to Spoke | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client/Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | - | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | - | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | - | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | - | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | - | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | - | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No limit | No limit | No limit | No limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries (max 750 Type-1) | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |
The table shows that planning load balancing on an NSX Edge is recommended only starting from the Large size.
That's all for today. In the next parts I will go through in detail how to configure each NSX Edge network service.
Source: www.habr.com