New IT infrastructure for the Russian Post data center

I am sure every Habr reader has at least once ordered goods from an online store abroad and then gone to collect the parcel at a Russian Post office. Can you imagine the scale of this task from the standpoint of organizing the logistics? Multiply the number of buyers by the number of their purchases, picture the map of our vast country, and on it more than 40 thousand post offices... By the way, in 2018 Russian Post handled 345 million international parcels.

In this article we will describe the problems the Post faced and how the LANIT-Integration team solved them by building a new IT infrastructure for its data centers.

Figure: One of the modern logistics centers of Russian Post
 

Before the project

Because of a sharp rise in the number of parcels from foreign stores in China, Western Europe and North America, the load on Russian Post's logistics facilities grew. New-generation logistics centers were therefore built, equipped with high-performance sorting machines. They needed support from the core computing infrastructure.

The data center infrastructure was outdated and did not provide the performance and reliability that the enterprise information systems required. Russian Post was also short of computing capacity for launching new services.
 

The customer's data centers and their problems

The Russian Post data centers serve more than 40,000 sites and 85 regional branches. The data centers run many business services, including e-commerce services.

Today enterprises use systems for storing, analyzing and processing big data. In such systems, artificial intelligence and machine learning algorithms play an important role. One of the most important business cases today is optimizing logistics management and speeding up customer service in post offices.

Before the modernization project began, there were about 3000 virtual machines in the primary and backup data centers, and the volume of stored information exceeded 2 petabytes. The data centers had a complex traffic-routing structure, tied to their division into segments by security level.

As applications evolved and new services were launched, the bandwidth of the existing network equipment in the data centers became insufficient. A move to new interface speeds was needed: 10 Gbit/s instead of 1 Gbit/s at the access layer and 40 Gbit/s at the core layer, with full redundancy of equipment and communication links.

The information security department required the infrastructure to be divided into segments with a higher level of information security for traffic and applications (PN - Private Network, and DMZ - Demilitarized Zone). Traffic that did not need filtering was passing through the firewalls (FWUs). VRF on the switches was not used for this traffic. The firewall rules were not optimized (tens of thousands of rules in each data center).

Seamless migration of virtual machines (VMs) between data centers while keeping the IP address, together with optimal traffic routing between segments, including the corporate data network (CDN), was not possible.

MSTP was used for redundancy; the core and access switches were not combined into a failover cluster, and interface aggregation (LAG) was not used.

With the arrival of a third data center, a new architecture and equipment configuration were required to run a ring between the data centers (EVPN was proposed).

There was no unified concept for the development of the data centers, documented as a project and agreed with all of the customer's departments. The existing network operations documentation was incomplete and out of date.
 

Customer expectations

The project team faced the following tasks:

  • prepare the design and development concept for building the network and server infrastructure of the third data center;
  • carry out an audit of the customer's existing network;
  • expand the network core capacity to more than 1500 10/40 Gbps Ethernet ports in each data center (4500 ports in total);
  • ensure operation of a ring between the three data centers, with the ability to raise the speed to 80 Gbit/s on each segment, in order to combine the customer's computing resources from the different data centers into a single IT system;
  • provide 100% double redundancy of all network elements to reach the target Uptime of 99,995%;
  • reduce traffic latency between virtual machines to speed up business applications;
  • collect statistics, analyze them and then optimize the traffic-filtering rules in the data centers (initially there were about 80 rules);
  • develop a target architecture that ensures seamless migration of the customer's business-critical applications to any of the three data centers.
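
The statistics-driven rule cleanup named in the task list can be sketched as follows. This is an added example, not the project's own tooling: the simplified rule model (source, destination, optional TCP port, hit counter) and all sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    port: Optional[int]   # TCP destination port, None = any
    hits: int             # hit counter over the observation window

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a."""
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    return src_ok and dst_ok and (a.port is None or a.port == b.port)

def audit(rules):
    """Walk the list in evaluation order (first match wins) and flag cleanup candidates."""
    findings = []
    for i, rule in enumerate(rules):
        earlier = next((e for e in rules[:i] if covers(e, rule)), None)
        if earlier is not None:
            # Same action: the rule adds nothing. Different action: it can never
            # fire, so the intent behind it (often a deny) is silently not enforced.
            kind = "redundant" if earlier.action == rule.action else "shadowed"
            findings.append((rule.name, kind, earlier.name))
        elif rule.hits == 0:
            findings.append((rule.name, "unused", None))
    return findings

# Constructed sample rule set with constructed hit counters.
RULES = [
    Rule("r1", "permit", "10.0.0.0/8", "10.20.0.0/16", None, 9120),
    Rule("r2", "permit", "10.1.0.0/16", "10.20.5.0/24", 443, 0),
    Rule("r3", "deny", "10.1.2.0/24", "10.20.0.0/16", 22, 0),
    Rule("r4", "permit", "192.168.10.0/24", "10.30.0.10/32", 1521, 0),
    Rule("r5", "permit", "172.16.0.0/12", "10.30.0.0/16", 443, 57),
]

if __name__ == "__main__":
    for name, kind, by in audit(RULES):
        print(f"{name}: {kind}" + (f" (covered by {by})" if by else ""))
```

A shadowed deny such as r3 is the finding to review first: the hit counter reads zero not because the traffic is absent but because an earlier permit already let it through.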

So we had plenty to work on.

Equipment

Let us look more closely at the equipment we used in the project.

Firewall (NGFW) USG9560:

  • partitioning with VSYS;
  • up to 720 Gbps;
  • up to 720 million concurrent sessions;
  • 8 slots.

Router NE40E-X8:

  • up to 7,08 Tbit/s switching capacity;
  • up to 2,880 Mpps forwarding performance;
  • 8 slots for line cards (LPU);
  • up to 10M BGP IPv4 routes per MPU;
  • up to 1500K OSPF IPv4 routes per MPU;
  • up to 3000K IPv4 FIB (depending on the LPU).

CE12800 series switches:

  • Device virtualization: VS (1:16 virtualization), Cluster Switch System (CSS), Super Virtual Fabric (SVF);
  • Network virtualization: M-LAG, TRILL, VXLAN and VXLAN bridging, QinQ in VXLAN, EVN (Ethernet Virtual Network);
  • starting with VRP V2, EVPN support is included;
  • M-LAG is the analogue of vPC (virtual Port Channel) on Cisco Nexus;
  • Virtual Spanning Tree Protocol (VSTP) is compatible with Cisco PVST.

CE12804

CE12808


Software

In the project we used:

  • a converter of firewall configuration files from other vendors into the command format of the new equipment;
  • proprietary scripts for preparing and converting the firewall configurations.

Figure: Screenshot of the converter for configuration files
 
Figure: Connection scheme between the data centers (EVPN VXLAN)
 

Nuances of configuring the equipment

CE12808
 

  • EVPN (standard) instead of EVN (Huawei proprietary) for the interconnection between data centers:

    ○ L2 over L3 using iBGP in the control plane;
    ○ MAC learning and advertisement through the iBGP EVPN family (MAC routes, type 2);
    ○ automatic construction of VXLAN tunnels for broadcast / unknown unicast traffic (Inclusive Multicast routes, type 3).

  • Two modes of partitioning into VS:

    ○ port-based (port-mode port) or ASIC-based (port-mode group, display device port-map);
    ○ port split dimension interface 40GE works ONLY in the Admin VS (regardless of the port-mode).

USG9560
 

  • partitioning by VSYS is possible,
  • dynamic routing and route leaking between VSYS are not possible!

CE12804
 
All Active GW (VRRP Master / Master / Master) with VRRP MAC filtering between the data centers
 
acl number 4000
  rule 5 deny source-mac 0000-5e00-0100 ffff-ffff-ff00
  rule 10 deny destination-mac 0000-5e00-0100 ffff-ffff-ff00
  rule 15 permit
 
interface Eth-Trunk1
  traffic-filter acl 4000 outbound
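
To see which frames this filter keeps inside each data center, the added example below (not code from the article) evaluates the three rules above against constructed frames. It assumes first-match evaluation and that mask bits set to 1 are the bits compared, the reading under which ffff-ffff-ff00 covers the IPv4 VRRP virtual MAC 0000-5e00-01xx for every VRID.

```python
# The ACL rule lines exactly as shown in the article's acl number 4000.
ACL_4000 = """\
rule 5 deny source-mac 0000-5e00-0100 ffff-ffff-ff00
rule 10 deny destination-mac 0000-5e00-0100 ffff-ffff-ff00
rule 15 permit
"""

def mac_to_int(mac: str) -> int:
    """Convert 'hhhh-hhhh-hhhh' notation to a 48-bit integer."""
    return int(mac.replace("-", ""), 16)

def parse_acl(text: str):
    """Return (rule_id, action, field, value, mask) tuples ordered by rule id."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "rule":
            continue
        field = value = mask = None
        if len(tok) == 6:               # rule <id> <action> <field> <mac> <mask>
            field, value, mask = tok[3], mac_to_int(tok[4]), mac_to_int(tok[5])
        rules.append((int(tok[1]), tok[2], field, value, mask))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src: str, dst: str):
    """First matching rule wins; mask bits set to 1 are the bits compared."""
    frame = {"source-mac": mac_to_int(src), "destination-mac": mac_to_int(dst)}
    for rule_id, action, field, value, mask in rules:
        if field is None or (frame[field] & mask) == (value & mask):
            return rule_id, action
    return None, "no-match"

ACL_RULES = parse_acl(ACL_4000)

# Constructed frames (source MAC, destination MAC, description).
FRAMES = [
    ("0000-5e00-0101", "0100-5e00-0012", "VRRP advertisement from VRID 1"),
    ("0050-56aa-0001", "0000-5e00-01c8", "host frame to the VRID 200 gateway MAC"),
    ("0050-56aa-0001", "0050-56aa-0002", "ordinary VM-to-VM frame"),
    ("0000-5e00-0201", "3333-0000-0012", "IPv6 VRRP advertisement, VRID 1"),
]

if __name__ == "__main__":
    for src, dst, note in FRAMES:
        print(evaluate(ACL_RULES, src, dst), note)
```

The last frame is the case to check on a dual-stack network: the IPv6 VRRP virtual MAC range 0000-5e00-02xx does not match 0000-5e00-0100 under this mask, so the filter as written passes it.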

Figure: Scheme of resource interaction between the data centers (VXLAN EVPN and All Active GW)
 

Project difficulties

The main difficulty was the need to keep the existing applications running on the computing infrastructure. The customer had more than 100 different applications, some of them written almost 10 years ago. For example, while at Yandex you can easily switch off several hundred machines without harming end users, at Russian Post such an approach would require developing a number of applications from scratch and changing the architecture of the enterprise information systems. We resolved the problems that arose during migration and optimization at the stage of the joint audit of the computing infrastructure. All network technologies that were new to the enterprise (such as EVPN) were first tested in the lab.
 

Project results

The project team included specialists from LANIT-Integration, the customer, and the customer's partners for operating the computing infrastructure. Dedicated support teams from the vendors (Check Point and Huawei) were set up. The project took two years. Here is what was done in that time.

  • A development strategy for the data center network, the corporate data network (CDTN) and the ring between the data centers was developed and agreed with all of the customer's departments.
  • Service availability increased. The customer's business noticed this, and it led to a significant growth in traffic from the launch of new services.
  • More than 40,000 rules were migrated and optimized from FWSM/ASA to the USG 9560. The separate ASA contexts were merged on the USG 9560 into a single security policy.
  • Port throughput in the data centers was increased from 1G to 10/40G by using CE12800/CE6850. This made it possible to eliminate interface congestion and packet loss.
  • The carrier-grade NE40E-X8 routers fully cover the needs of the customer's data centers and data transmission network, taking future business growth into account.
  • Eight new feature requests were filed for the USG 9560. Of these, seven have already been implemented and included in the current VRP release. 1 FR is being implemented in Huawei R&D. It is an eight-chassis cluster with the ability to configure the required configuration synchronization without session synchronization. This is needed where traffic latency to one of the data centers is too high (Adler - Moscow is 1300 km along the main route and 2800 km along the backup route).

The project has no counterpart among other postal companies in Russia.

Modernizing the data center network infrastructure has opened up new opportunities for the business to develop digital services.

  • Providing a personal account and a mobile application for individuals and legal entities.
  • Integration with online stores to provide goods delivery services.
  • Fulfillment: storing goods, and assembling and delivering orders from online stores.
  • Expanding the number of order pickup points, including through partner networks.
  • Legally significant document exchange with counterparties. This will eliminate the slowness and cost of sending paper documents.
  • Acceptance of registered letters in electronic form, with delivery both electronically and on paper (with the items printed as close as possible to the final recipient). A registered e-letter service on the public services portal.
  • A platform for providing telemedicine services.
  • Simplified acceptance and simplified delivery of registered mail using a simple electronic signature.
  • Digitalization of the postal network.
  • Redesign of self-service facilities (terminals and parcel lockers).
  • Creation of a digital platform for managing the courier service and a new mobile application for courier service customers.

Come work with us!

source: www.habr.com
