Network fabric for the Cisco ACI data center - to help the administrator

With the help of this magic piece of Cisco ACI script, you can quickly set up a network.

The Cisco ACI network fabric for the data center has existed for five years, but Habr has said nothing about it, so I decided to fix that a little. I will tell you from my own experience what it is, what use it is, and where its pitfalls are.

What is it and where did it come from?

When ACI (Application Centric Infrastructure) was announced in 2013, competitors were advancing on traditional approaches to data center networks from three sides at once.

On the one hand, "first generation" SDN solutions based on OpenFlow promised to make networks more flexible and cheaper at the same time. The idea was to move the decision-making traditionally done by proprietary switch software to a central controller. This controller would have a single view of everything that is happening and, based on that, would program the hardware of all switches at the level of rules for processing specific flows.

On the other hand, overlay network solutions made it possible to implement the required connectivity and security policies without any changes to the physical network at all, by building software tunnels between virtualized hosts. The best-known example of this approach was Nicira, which by then had already been acquired by VMWare for 1.26 billion dollars and gave rise to the current VMWare NSX. Some piquancy was added to the situation by the fact that the founders of Nicira were the same people who had earlier stood at the origins of OpenFlow, and who were now saying that OpenFlow is not suitable for building a data center fabric.

And finally, switching chips available on the open market (what is called merchant silicon) reached a level of maturity at which they became a real threat to traditional switch manufacturers. Whereas previously each vendor developed the chips for its switches independently, over time chips from third-party manufacturers, primarily Broadcom, began to close the gap with vendor chips in terms of functionality, and surpassed them in price/performance ratio. Many therefore believed that the days of switches built on in-house chips were numbered.

ACI became Cisco's "asymmetric response" (more precisely, that of its company Insieme, founded by its former employees) to all of the above.

What is the difference from OpenFlow?

In terms of the distribution of functions, ACI is actually the opposite of OpenFlow. In the OpenFlow architecture, the controller is responsible for writing detailed rules (flows) into the hardware of all switches. That is, in a large network it may be responsible for maintaining and, most importantly, changing tens of millions of records at hundreds of points in the network, so its performance and reliability become a bottleneck in a large deployment.

ACI uses the reverse approach: there is a controller, of course, but the switches receive high-level declarative policies from it, and the switch itself renders them into the details of specific settings in the hardware. The controller can be rebooted or switched off altogether, and nothing bad will happen to the network, except, of course, the absence of control at that moment. Interestingly, there are situations in ACI where OpenFlow is still used, but locally within the host, for programming Open vSwitch.

ACI is built entirely on VXLAN-based overlay transport, but includes the underlying IP transport as part of a single solution. Cisco called this the "integrated overlay". As the termination point for overlays in ACI, in most cases the fabric switches are used (they do this at link speed). Hosts are not required to know anything about the fabric, encapsulation and so on; however, in some cases (for example, to connect OpenStack hosts), VXLAN traffic can be brought to them.

Overlays are used in ACI not only to provide flexible connectivity through the transport network, but also to carry meta-information (it is used, for example, to apply security policies).

Chips from Broadcom were previously used by Cisco in the Nexus 3000 series switches. In the Nexus 9000 family, released specifically to support ACI, a hybrid model was initially implemented, which was called Merchant+. The switch simultaneously used the new Broadcom Trident 2 chip and a complementary chip developed by Cisco, which implements all the magic of ACI. Apparently, this made it easier to release the product and reduced the price of the switch to a level close to that of models based on Trident 2. This approach was sufficient for the first two or three years of ACI deliveries. During that time, Cisco developed and launched the next generation of Nexus 9000 on its own chips, with more performance and a larger feature set, but at the same price level. The external specifications for interoperation within the fabric were fully preserved. At the same time, the internal filling changed completely: something like refactoring, but for hardware.

How the Cisco ACI architecture works

In the simplest case, ACI is built on a Clos network topology or, as it is often called, Spine-Leaf. There can be from two (or one, if we do not care about fault tolerance) to six spine-level switches. Accordingly, the more of them there are, the higher the fault tolerance (the smaller the loss of bandwidth and reliability in the event of a failure or maintenance of one spine) and the overall performance. All external connections go to leaf-level switches: these are servers, connections to external networks over L2 or L3, and the connection of APIC controllers. In general, with ACI not only configuration but also statistics collection, failure monitoring and so on is all done through the interface of the controllers, of which there are three in a standard-sized deployment.

You never have to connect to the switches with a console, even to bring up the network: the controller itself discovers the switches and assembles a fabric from them, including the settings of all service protocols. For that reason, by the way, it is very important to write down the serial numbers of the equipment during installation, so that later you do not have to guess which switch is in which rack. For troubleshooting, if necessary, you can connect to the switches over SSH: they reproduce the usual Cisco commands quite carefully.

Internally, the fabric uses IP transport, so there is no Spanning Tree or other horrors of the past in it: all links are in use, and convergence in case of failures is very fast. Traffic in the fabric is carried through VXLAN-based tunnels. More precisely, Cisco itself calls the encapsulation iVXLAN, and it differs from regular VXLAN in that the reserved fields in the network header are used to carry service information, primarily about the traffic's membership in an EPG group. This lets you implement rules for interaction between groups in the hardware, using their numbers in the same way that addresses are used in ordinary access lists.

Tunnels allow both L2 segments and L3 segments (that is, VRFs) to be stretched over the internal IP transport. In this case, the default gateway is distributed. This means that each switch is responsible for routing the traffic that enters the fabric. In terms of traffic-forwarding logic, ACI is similar to a VXLAN/EVPN fabric.

If so, what are the differences? Everything!

The first difference you encounter with ACI is how servers are connected to the network. In traditional networks, both physical servers and virtual machines are placed into VLANs, and everything else dances around them: connectivity, security and so on. ACI uses a construct that Cisco calls an EPG (End-point Group), from which there is no getting away. Can it be equated to a VLAN? Yes, but in that case there is a chance of losing most of what ACI offers.

All access rules are formulated in terms of EPGs, and ACI uses the "white list" principle by default, that is, only traffic whose passage is explicitly permitted is allowed. For example, we can create the "Web" and "MySQL" EPG groups and define a rule that allows communication between them only on port 3306. This will work without being tied to network addresses, and even within the same subnet!

We have customers who chose ACI precisely because of this feature, since it lets you restrict access between servers (virtual or physical, it does not matter) without dragging them between subnets, which means without touching the addressing. Yes, yes, we know that nobody writes IP addresses into application configurations by hand, right?

Traffic rules in ACI are called contracts. In such a contract, one or more groups or tiers in a multi-tier application become a service provider (say, a database service), and others become a consumer. A contract can simply pass traffic, or it can do something trickier, for example direct it to a firewall or a balancer, and also change the QoS value.

How do servers get into these groups? If these are physical servers or something attached to an existing network into which we have created a VLAN trunk, then to place them in an EPG you need to specify the switch port and the VLAN used on it. As you can see, VLANs appear where you cannot do without them.
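The whitelist model, contracts and port/VLAN binding described above, as a small Python model added here (it is not code from the original article or from Cisco). The EPG names and port 3306 come from the text; the leaf names, ports, VLAN numbers, addresses and helper names are constructed, and free communication inside one EPG is an assumption of this model, which only decides connection setup from consumer to provider.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str   # EPG that offers the service
    consumer: str   # EPG allowed to open connections to it
    proto: str
    dport: int

# Static binding (leaf, port, VLAN) -> EPG. All values are constructed.
BINDINGS = {
    ("leaf101", "eth1/10", 110): "Web",
    ("leaf102", "eth1/10", 110): "Web",
    ("leaf101", "eth1/11", 120): "MySQL",
}

# Constructed endpoints. Note that all three sit in the same subnet.
ENDPOINTS = {
    "10.0.0.11": ("leaf101", "eth1/10", 110),
    "10.0.0.12": ("leaf102", "eth1/10", 110),
    "10.0.0.21": ("leaf101", "eth1/11", 120),
}

CONTRACTS = [Contract("web-to-db", provider="MySQL", consumer="Web",
                      proto="tcp", dport=3306)]

def epg_of(ip):
    """Classify an endpoint by where it is attached, not by its address."""
    return BINDINGS.get(ENDPOINTS.get(ip))

def allowed(src_ip, dst_ip, proto, dport, contracts=CONTRACTS):
    """Whitelist decision for a new connection from src to dst."""
    src, dst = epg_of(src_ip), epg_of(dst_ip)
    if src is None or dst is None:
        return False            # unclassified endpoint: no policy, no traffic
    if src == dst:
        return True             # assumption: members of one EPG talk freely
    return any(c.consumer == src and c.provider == dst
               and c.proto == proto and c.dport == dport
               for c in contracts)
```
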

If the servers are virtual machines, it is enough to refer to the connected virtualization environment, and then everything happens by itself: a port group is created (in VMWare terms) to connect the VMs, the necessary VLANs or VXLANs are assigned, they are registered on the required switch ports, and so on. So, although ACI is built around a physical network, connections for virtual servers look much simpler than for physical ones. ACI already has built-in integration with VMWare and MS Hyper-V, as well as support for OpenStack and RedHat Virtualization. From some point on, built-in support for container platforms has also appeared: Kubernetes, OpenShift, Cloud Foundry. It covers both the application of policies and monitoring, that is, the network administrator can immediately see which hosts the containers run on and which groups they fall into.

In addition to being included in a particular port group, virtual servers have additional properties: name, attributes and so on, which can be used as criteria for moving them to another group, say, when a VM is renamed or an additional tag appears on it. Cisco calls these micro-segmentation groups, although, by and large, the design itself, with the ability to create many security segments in the form of EPGs within the same subnet, is also micro-segmentation. Well, the vendor knows better.

EPGs themselves are purely logical constructs, not tied to specific switches, servers and so on, so you can do things with them and with the constructs based on them (applications and tenants) that are hard to do in ordinary networks, such as cloning. As a result, it is, let us say, very easy to clone a production environment to get a test environment that is guaranteed to be identical to production. You can do it by hand, but it is better (and easier) through the API.

In general, the control logic in ACI is not at all like what you are used to encountering in traditional networks from the same Cisco: the software interface is primary, and the GUI or CLI is secondary, since they work through the same API. Therefore, almost everyone who works with ACI, after a while, begins to find their way around the object model used for management and to automate something to fit their needs. The easiest way to do this is from Python: there are convenient ready-made tools for it.
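As an added illustration of navigating the object model (not code from the original article), the following Python walks a tenant subtree in the JSON shape used by the APIC REST API and resolves its contracts into the list of permitted EPG-to-EPG flows, which is a convenient way to review what the whitelist actually allows. The class and attribute names are taken from the APIC management information model rather than from the article; the tenant content ("shop", "store", the filter and contract names) and the helper functions are constructed.

```python
def mo(cls, children=(), **attrs):
    """Build one managed object as {class: {attributes, children}}."""
    return {cls: {"attributes": attrs, "children": list(children)}}

# Constructed tenant: Web consumes, MySQL provides, filter permits tcp/3306.
TENANT = mo("fvTenant", name="shop", children=[
    mo("vzFilter", name="mysql", children=[
        mo("vzEntry", name="tcp-3306", etherT="ip", prot="tcp",
           dFromPort="3306", dToPort="3306")]),
    mo("vzBrCP", name="web-to-db", children=[
        mo("vzSubj", name="sql", children=[
            mo("vzRsSubjFiltAtt", tnVzFilterName="mysql")])]),
    mo("fvAp", name="store", children=[
        mo("fvAEPg", name="Web",
           children=[mo("fvRsCons", tnVzBrCPName="web-to-db")]),
        mo("fvAEPg", name="MySQL",
           children=[mo("fvRsProv", tnVzBrCPName="web-to-db")]),
    ]),
])

def walk(node):
    """Yield (class, attributes, children) for every object in the tree."""
    (cls, body), = node.items()
    kids = body.get("children", [])
    yield cls, body["attributes"], kids
    for kid in kids:
        yield from walk(kid)

def permitted(tenant):
    """Return sorted (consumer EPG, provider EPG, proto, from, to) tuples."""
    filters, contracts, cons, prov = {}, {}, {}, {}
    for cls, attrs, kids in walk(tenant):
        sub = [obj for kid in kids for obj in walk(kid)]  # objects below this one
        if cls == "vzFilter":
            filters[attrs["name"]] = [a for c, a, _ in sub if c == "vzEntry"]
        elif cls == "vzBrCP":
            contracts[attrs["name"]] = [a["tnVzFilterName"] for c, a, _ in sub
                                        if c == "vzRsSubjFiltAtt"]
        elif cls == "fvAEPg":
            for c, a, _ in sub:
                if c == "fvRsCons":
                    cons.setdefault(a["tnVzBrCPName"], []).append(attrs["name"])
                elif c == "fvRsProv":
                    prov.setdefault(a["tnVzBrCPName"], []).append(attrs["name"])
    return sorted((c, p, e["prot"], e["dFromPort"], e["dToPort"])
                  for name, fnames in contracts.items()
                  for c in cons.get(name, []) for p in prov.get(name, [])
                  for f in fnames for e in filters.get(f, []))
```
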

The promised pitfalls

The main problem is that many things in ACI are done differently. To start working with it normally, you need to retrain. This is especially true for network operations teams at large customers, where engineers have been "prescribing VLANs" on request for years. The fact that VLANs are now no longer VLANs, and that you do not need to create VLANs by hand to lay new networks to virtualized hosts, completely blows the roof off traditional networkers and makes them cling to familiar approaches. It should be noted that Cisco tried to sweeten the pill a little and added an "NXOS-like" CLI to the controller, which lets you do configuration from an interface similar to that of traditional switches. But still, to start using ACI normally, you have to understand how it works.

In terms of price, at large and medium scales ACI networks do not really differ from traditional networks on Cisco equipment, since the same switches are used to build them (the Nexus 9000 can work in ACI and in traditional mode and has now become the main "workhorse" for new data center projects). But for data centers of two switches, the presence of controllers and the Spine-Leaf architecture, of course, make themselves felt. Recently, a Mini ACI fabric has appeared, in which two of the three controllers are replaced by virtual machines. This reduces the difference in cost, but it still remains. So for the customer, the choice is determined by how interested they are in the security features, integration with virtualization, a single point of control and so on.

Source: www.habr.com
