VMware NSX for the Little Ones. Part 1


If you look at the configuration of any firewall, you will most likely see a sheet with a pile of IP addresses, ports, protocols and subnets. This is how network security policies for user access to resources are classically implemented. At first people try to keep the config in order, but then employees start moving from department to department, servers multiply and change their roles, access appears for various projects to places where it is not normally allowed, and hundreds of unknown goat trails emerge.

Next to some rules, if you are lucky, there are comments such as "Vasya asked me to do this" or "This is a passage to the DMZ." The network administrator quits, and everything becomes completely unclear. Then someone decides to clean Vasya's entries out of the config, and SAP goes down, because Vasya once requested this access to run the production SAP.


Today I will talk about the VMware NSX solution, which helps apply network communication and security policies precisely, without confusion in firewall configs. I will show which new features have appeared compared with what VMware previously had in this area.

VMware NSX is a platform for virtualizing and securing network services. NSX handles routing, switching, load balancing and firewalling, and can do many other interesting things.

NSX is the successor to VMware's own vCloud Networking and Security (vCNS) product and to the acquired Nicira NVP.

From vCNS to NSX

Previously, a client in a cloud built on VMware vCloud had a separate vCNS vShield Edge virtual machine. It acted as an edge gateway where many network functions could be configured: NAT, DHCP, Firewall, VPN, load balancer and so on. Inside the network, virtual machines communicated freely with each other within subnets. If you really want to divide and rule the traffic, you can create a separate network for individual parts of applications (different virtual machines) and write the appropriate rules for their network interaction in the firewall. But this is long, difficult and uninteresting, especially when you have several dozen virtual machines.

In NSX, VMware implemented the concept of microsegmentation using a distributed firewall built into the hypervisor kernel. It defines security and network interaction policies not only for IP and MAC addresses but also for other objects: virtual machines, applications. If NSX is deployed inside an organization, these objects can be a user or a group of users from Active Directory. Each such object becomes a microsegment in its own security perimeter, in the required subnet, with its own cozy DMZ :).

Previously there was a single security perimeter for the whole resource pool, protected by an edge switch; with NSX you can shield an individual virtual machine from unnecessary interactions, even within the same network.

Security and network interaction policies adapt when an object moves to another network. For example, if we move the database machine to another network segment, or even to another linked virtual data center, the rules written for that virtual machine continue to apply regardless of its new location. The application server will still be able to communicate with the database.

The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the good features of the old Edge plus several useful new ones. These are what we will discuss next.

What's new in NSX Edge?

NSX Edge functionality depends on the NSX edition. There are five of them: Standard, Professional, Advanced, Enterprise, Plus Remote Branch Office. Everything new and interesting is available only starting from Advanced. That includes the new interface, which, until vCloud fully moves to HTML5 (VMware promises summer 2019), opens in a new tab.

Firewall. As the objects to which rules will apply, you can select IP addresses, networks, gateway interfaces and virtual machines.


DHCP. In addition to configuring the range of IP addresses that will be issued automatically to virtual machines on this network, NSX Edge now has the following functions: Binding and Relay.

On the Bindings tab you can bind a virtual machine's MAC address to an IP address if you need the IP address not to change. The main thing is that this IP address must not be part of the DHCP pool.
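The caveat about bindings and the DHCP pool can be checked before anything is entered in the UI. The following is an added example, not part of the original article and not VMware code: it takes a planned list of pools and MAC-to-IP bindings and reports bindings that fall inside a pool or conflict with each other. The function names, addresses and MACs are constructed for illustration.

```python
import ipaddress


def norm_mac(mac):
    """Return a MAC in lower-case colon form so that aa-bb.. and AA:BB.. match."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_bindings(pools, bindings):
    """Check static bindings against dynamic pools.

    pools    -- list of (first_ip, last_ip) strings, the dynamic ranges
    bindings -- list of (mac, ip) strings, the static bindings
    Returns a list of problem strings; an empty list means the plan is clean.
    """
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in pools]
    problems = []
    mac_to_ip, ip_to_mac = {}, {}
    for raw_mac, raw_ip in bindings:
        mac, ip = norm_mac(raw_mac), ipaddress.ip_address(raw_ip)
        # The caveat from the text: a bound address must sit outside every pool,
        # otherwise the same IP can also be leased dynamically to another VM.
        for first, last in ranges:
            if first <= ip <= last:
                problems.append(f"{mac} -> {ip} is inside pool {first}-{last}")
        # Two bindings for one MAC, or one IP promised to two MACs, are conflicts.
        if mac_to_ip.setdefault(mac, ip) != ip:
            problems.append(f"{mac} is bound to both {mac_to_ip[mac]} and {ip}")
        if ip_to_mac.setdefault(ip, mac) != mac:
            problems.append(f"{ip} is bound to both {ip_to_mac[ip]} and {mac}")
    return problems


# Constructed sample plan (documentation address range, made-up MACs).
POOLS = [("192.0.2.100", "192.0.2.200")]
BINDINGS = [
    ("00:50:56:AA:00:01", "192.0.2.10"),   # fine: outside the pool
    ("00-50-56-aa-00-02", "192.0.2.150"),  # inside the pool
    ("00:50:56:aa:00:03", "192.0.2.10"),   # same IP as the first binding
]

if __name__ == "__main__":
    for line in check_bindings(POOLS, BINDINGS):
        print(line)
```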


On the Relay tab, relaying of DHCP messages is configured to DHCP servers located outside your organization in vCloud Director, including DHCP servers of the physical infrastructure.


Routing. vShield Edge could only be configured with static routing. Dynamic routing with support for the OSPF and BGP protocols has appeared here. ECMP (Active-active) settings are also available, which means active-active failover to physical routers.

OSPF settings

BGP settings

Another new item is configuring the transfer of routes between different protocols: route redistribution.


L4/L7 load balancer. X-Forwarded-For has been introduced for HTTPS headers. Everyone cried without it. For example, you have a website that you are load balancing. Without forwarding this header everything works, but in the web server statistics you saw the balancer's IP instead of the visitors' IPs. Now everything is correct.
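On the web server side, the forwarded header is only as trustworthy as the host that sent it. The following is an added example, not part of the original article and not VMware code: it picks the address to log for a request, assuming the balancer appends the address it saw to the header and that 192.0.2.10 (a constructed value) is the balancer's address.

```python
import ipaddress

# Assumption: the balancer appends the address it saw to X-Forwarded-For.
# 192.0.2.10 is a constructed balancer address, not a value from the article.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request.

    peer        -- source IP of the TCP connection as seen by the web server
    xff_header  -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A request that did not arrive through the balancer can carry any header
    # value it likes, so the header is ignored and the peer itself is logged.
    if not _is_trusted(peer_addr, trusted) or not xff_header:
        return str(peer_addr)

    # Walk the list right to left: the rightmost entries were appended by our
    # own proxies. The first entry that is not one of them is the address a
    # trusted hop actually observed; anything to its left is client-supplied.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not _is_trusted(hop_addr, trusted):
            return str(hop_addr)
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed requests: via the balancer, then direct with a forged header.
    print(client_ip("192.0.2.10", "203.0.113.7"))
    print(client_ip("198.51.100.5", "203.0.113.7"))
```

With this rule the statistics show visitor addresses for traffic that came through the balancer, while a forged header on a direct connection changes nothing.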

Also, on the Application Rules tab you can now add scripts that directly control traffic balancing.


VPN. In addition to IPSec VPN, NSX Edge supports:

  • L2 VPN, which lets you stretch networks between geographically dispersed sites. Such a VPN is needed, for example, so that when moving to another site a virtual machine stays in the same subnet and keeps its IP address.


  • SSL VPN Plus, which lets users connect remotely to a corporate network. This function existed at the vSphere level, but for vCloud Director it is an innovation.


SSL certificates. Certificates can now be installed on NSX Edge. This again comes back to the question of who needed a balancer without a certificate for https.


Grouping Objects. On this tab, groups of objects are defined to which particular network interaction rules will apply, for example firewall rules.

These objects can be IP and MAC addresses.


There is also a list of services (protocol-port combinations) and applications that can be used when creating firewall rules. Only the vCD portal administrator can add new services and applications.


Statistics. Connection statistics: traffic passing through the gateway, the firewall and the load balancer.

Status and statistics for each IPSEC VPN and L2 VPN tunnel.


Logging. On the Edge Settings tab you can specify a server for recording logs. Logging works for DNAT/SNAT, DHCP, Firewall, Routing, load balancer, IPsec VPN, SSL VPN Plus.

The following alert types are available for each object/service:

  • Debug
  • Alert
  • Critical
  • Error
  • Warning
  • Notice
  • Info


NSX Edge Sizes

Depending on the tasks to be solved and the volumes involved, VMware recommends creating NSX Edge in the following sizes:

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Purpose | One application, test data center | Small or medium data center | Loaded firewall | L7 load balancing |

Below is a table of the operational metrics of network services depending on the NSX Edge size.

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries Until Overwrite | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Server/Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients Hub to Spoke | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client/Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries Max 750 Type-1 | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |

→ Source

The table shows that load balancing on NSX Edge for production scenarios is recommended only starting from the Large size.

That is all I have for today. In the following parts I will go through in detail how to configure each NSX Edge network service.

Source: www.habr.com
