If you look at the configuration of any firewall, you will most likely see a page full of IP addresses, ports, rules and subnets. This is how network security policies for user access to resources are usually implemented. At first, people try to keep the config in order, but then employees start moving from department to department, servers multiply and change roles, access to various projects appears where it normally would not be allowed, and hundreds of unknown back paths emerge.
Next to some rules, if you are lucky, there are comments like "Vasya asked me to do this" or "This is the route to the DMZ." The network admin quits, and nothing is clear anymore. Then someone decides to clean up Vasya's config, and SAP falls over, because Vasya had once requested that access for the production SAP.
Today I will talk about VMware NSX, a solution that helps to implement network connectivity and security policies properly without getting lost in firewall configs. I will show which new features have appeared compared to what VMware offered before in this area.
VMware NSX is a platform for virtualizing and securing network services. NSX handles routing, switching, load balancing and firewalling, and can do many other interesting things.
NSX is the successor of VMware's vCloud Networking and Security (vCNS) product and of the acquired Nicira NVP.
From vCNS to NSX
Previously, a customer had a separate vCNS vShield Edge virtual machine in a cloud built on VMware vCloud. It served as an edge gateway on which many network functions could be configured: NAT, DHCP, Firewall, VPN, load balancer and so on, Firewall and NAT among them. Inside the network, virtual machines talked to each other freely within their subnets. If you really wanted to separate and restrict traffic, you could create separate networks for the independent application components (separate virtual machines) and set the appropriate rules for their communication on the firewall. But this is long, tedious and uninteresting, especially when you have a lot of virtual machines.
In NSX, VMware implemented the concept of micro-segmentation using a distributed firewall built into the hypervisor kernel. It defines security and connectivity policies not only for IP and MAC addresses but also for other objects: virtual machines and applications. If NSX is deployed inside an organization, such an object can be a user or a group of users from Active Directory. Each such object becomes a micro-segment within its own security perimeter, in the subnet it needs, with its own cool DMZ :).
Previously there was only one security perimeter for the whole pool of resources, protected by the edge gateway; with NSX you can protect an individual virtual machine from unwanted interactions, even within the same network.
Security and network policies are preserved when an object migrates to another network. For example, if we move a virtual machine with a database to another network segment or to another connected data center, the rules written for that virtual machine keep working regardless of its new location. The application server will still be able to talk to the database.
The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the good features of the old Edge plus a few useful additions. We will talk about them further on.
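To make the "policies follow the object" idea concrete, here is an added illustration in Python (not NSX code and not from the original post): rules reference VM names and security groups rather than addresses, are resolved against the current inventory only when a flow is evaluated, and so keep working after a constructed database VM is moved to another segment, while a classic IP-based rule silently stops matching. All names, groups and addresses are constructed sample data.

```python
"""Object-based (micro-segmentation style) policy that survives a VM migration.

Added illustration, not NSX code. Rules reference VM names and security
groups instead of IP addresses and are resolved to the current inventory
only when a flow is evaluated, which is why a rule written for a VM keeps
working after the VM moves to another network segment. Names, addresses and
groups below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Rule:
    src: str      # VM name or security-group name
    dst: str      # VM name or security-group name
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


class Inventory:
    """Current VM addresses plus security-group membership (constructed data)."""

    def __init__(self, vm_ip, groups):
        self.vm_ip = dict(vm_ip)                          # VM name -> current IP
        self.groups = {g: set(m) for g, m in groups.items()}

    def members(self, obj):
        """Resolve a rule object to the set of VM names it currently denotes."""
        return set(self.groups.get(obj, {obj}))

    def vm_by_ip(self, ip):
        """Reverse lookup: which VM currently owns this address (None if unknown)."""
        for name, addr in self.vm_ip.items():
            if ip_address(addr) == ip_address(ip):
                return name
        return None

    def migrate(self, vm, new_ip):
        """Simulate moving a VM to another segment: only its address changes."""
        self.vm_ip[vm] = new_ip


def evaluate(inv, rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    src_vm = inv.vm_by_ip(src_ip)
    dst_vm = inv.vm_by_ip(dst_ip)
    for r in rules:
        if src_vm in inv.members(r.src) and dst_vm in inv.members(r.dst) and r.port == port:
            return r.action
    return "deny"


def evaluate_ip_rules(ip_rules, src_ip, dst_ip, port):
    """The classic address-based firewall the article describes, for contrast."""
    for src, dst, p, action in ip_rules:
        if src == src_ip and dst == dst_ip and p == port:
            return action
    return "deny"


def scenario():
    """Constructed two-tier application: app server talks to a database on 5432."""
    inv = Inventory(
        vm_ip={"app-01": "10.0.1.10", "db-01": "10.0.1.20", "web-01": "10.0.1.30"},
        groups={"app-tier": ["app-01"], "db-tier": ["db-01"]},
    )
    rules = [Rule("app-tier", "db-tier", 5432, "allow")]
    ip_rules = [("10.0.1.10", "10.0.1.20", 5432, "allow")]

    before = {
        "object_app_to_db": evaluate(inv, rules, "10.0.1.10", "10.0.1.20", 5432),
        "object_web_to_db": evaluate(inv, rules, "10.0.1.30", "10.0.1.20", 5432),
        "ip_app_to_db": evaluate_ip_rules(ip_rules, "10.0.1.10", "10.0.1.20", 5432),
    }

    # Move the database VM to another segment; its address changes, the rules do not.
    inv.migrate("db-01", "10.0.2.20")
    after = {
        "object_app_to_db": evaluate(inv, rules, "10.0.1.10", "10.0.2.20", 5432),
        "object_web_to_db": evaluate(inv, rules, "10.0.1.30", "10.0.2.20", 5432),
        "ip_app_to_db": evaluate_ip_rules(ip_rules, "10.0.1.10", "10.0.2.20", 5432),
    }
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before migration:", before)
    print("after migration: ", after)
```

The default-deny at the end of evaluate is the part worth copying: an unmatched flow, including one from a VM the inventory does not know, is dropped rather than allowed.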
What is new in NSX Edge?
NSX Edge functionality
Firewall. You can choose IP addresses, networks, gateway interfaces and virtual machines as the objects to which rules apply.
DHCP. In addition to configuring the pool of IP addresses that are issued automatically to the virtual machines in a network, NSX Edge now has the following functions: Bindings and Relay.
On the Bindings tab you can bind a virtual machine's MAC address to an IP address if you want that IP address never to change. The important point is that this IP address must not be part of the DHCP Pool.
On the Relay tab you configure relaying of DHCP messages to DHCP servers located outside your organization in vCloud Director, including the infrastructure DHCP servers.
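The condition above (a bound address must not sit inside a DHCP pool) is easy to get wrong when pools and bindings are edited by different people, so here is an added checker in Python, not NSX code and not from the original post, that validates a constructed edge DHCP configuration: it flags bindings whose address lies inside a pool, bindings outside the served subnet, and two MACs bound to the same address. The subnet, pools and MAC/IP pairs are constructed sample values.

```python
"""Sanity checks for an edge DHCP configuration: pools versus static bindings.

Added illustration, not NSX code. The article's rule is that a MAC-to-IP
binding must use an address that is not part of any DHCP pool; this checker
enforces that, and also reports bindings outside the served subnet and two
bindings that claim the same address. All input data is constructed.
"""
from ipaddress import ip_address, ip_network


def check_dhcp_config(subnet, pools, bindings):
    """Return a sorted list of problem descriptions (empty list means clean).

    subnet   - CIDR string of the network the edge serves, e.g. "10.0.1.0/24"
    pools    - list of (first_ip, last_ip) string pairs handed out dynamically
    bindings - dict mapping MAC address -> IP address reserved for that MAC
    """
    net = ip_network(subnet, strict=True)
    problems = []

    # Normalize pools into address ranges, rejecting inverted or foreign ranges.
    ranges = []
    for first, last in pools:
        lo, hi = ip_address(first), ip_address(last)
        if lo > hi:
            problems.append(f"pool {first}-{last}: start is after end")
            continue
        if lo not in net or hi not in net:
            problems.append(f"pool {first}-{last}: not inside {subnet}")
        ranges.append((lo, hi))

    # Check every static binding against the subnet, the pools and each other.
    seen = {}                                   # address -> first MAC bound to it
    for mac, ip in bindings.items():
        addr = ip_address(ip)
        if addr not in net:
            problems.append(f"binding {mac} -> {ip}: outside {subnet}")
        for lo, hi in ranges:
            if lo <= addr <= hi:
                problems.append(f"binding {mac} -> {ip}: inside pool {lo}-{hi}")
        if addr in seen:
            problems.append(f"binding {mac} -> {ip}: same address as {seen[addr]}")
        seen.setdefault(addr, mac)
    return sorted(problems)


# Constructed sample configuration with one good and three bad bindings.
SAMPLE_SUBNET = "10.0.1.0/24"
SAMPLE_POOLS = [("10.0.1.100", "10.0.1.200")]
SAMPLE_BINDINGS = {
    "00:50:56:aa:bb:01": "10.0.1.10",    # fine: reserved address outside the pool
    "00:50:56:aa:bb:02": "10.0.1.150",   # wrong: address sits inside the pool
    "00:50:56:aa:bb:03": "10.0.2.10",    # wrong: not in the served subnet
    "00:50:56:aa:bb:04": "10.0.1.10",    # wrong: collides with the first binding
}


def sample_report():
    """Run the checker over the constructed configuration."""
    return check_dhcp_config(SAMPLE_SUBNET, SAMPLE_POOLS, SAMPLE_BINDINGS)


if __name__ == "__main__":
    for line in sample_report():
        print(line)
```

Run it before applying a DHCP change; an empty result means the bindings and pools do not overlap and every reserved address belongs to the subnet the edge actually serves.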
Routing. vShield Edge could only be configured with static routing. Dynamic routing with support for the OSPF and BGP protocols has now appeared. ECMP (Active-Active) settings have become available, which means active failover to the physical routers.
Configuring OSPF
Configuring BGP
Another new feature is configuring route distribution between different protocols: route redistribution.
L4/L7 Load Balancer. X-Forwarded-For was introduced in the HTTP headers. Everyone had been missing it. For example, you have a load-balanced website. Without this header being passed, everything works, but in the web server statistics you see the balancer's IP instead of the visitors' IPs. Now everything is fine.
Also, in the Application Rules section you can now add scripts that directly control how traffic is balanced.
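The web server behind the balancer still has to read X-Forwarded-For carefully: any client can put that header into its own request, so it must be believed only when the connection actually comes from the balancer. Here is an added example in Python of that server-side logic (not NSX code and not from the original post); it goes a little beyond the single-balancer case by also walking a chain of trusted proxies and ignoring malformed entries. The balancer address range, request addresses and log lines are constructed sample values.

```python
"""Recover the real client address behind an L7 load balancer, safely.

Added illustration, not NSX code. When the balancer inserts X-Forwarded-For
(as the article says NSX Edge now does), the web server should only believe
that header when the TCP peer is the balancer itself; otherwise any client
can forge an address in its own request. Balancer addresses and requests
below are constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Constructed: addresses from which our balancer connects to the web servers.
TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]


def _is_trusted(addr_text, trusted):
    """True if addr_text parses as an IP address inside one of the trusted networks."""
    try:
        addr = ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log and rate-limit for this request.

    remote_addr - TCP peer of the web server (socket address)
    xff_header  - value of X-Forwarded-For, or None if the header is absent
    """
    # Direct connection (or an unknown proxy): the header could be client-supplied.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the right: the rightmost entry was appended by the nearest proxy.
    # Skip our own proxies; the first address we do not control is the client.
    for hop in reversed(hops):
        try:
            ip_address(hop)
        except ValueError:
            continue          # malformed entry: ignore it rather than trust it
        if not _is_trusted(hop, trusted):
            return hop
    # Header missing or listing only our own proxies: fall back to the peer.
    return remote_addr


def access_log_line(remote_addr, xff_header, request_line, status):
    """Format a log line that records both the resolved client and the raw peer."""
    return f'{client_ip(remote_addr, xff_header)} (peer {remote_addr}) "{request_line}" {status}'


# Constructed requests: via the balancer, direct with a forged header, chained proxies.
SAMPLE_REQUESTS = [
    ("10.0.1.5", "203.0.113.7", "GET / HTTP/1.1", 200),
    ("198.51.100.9", "203.0.113.7", "GET /admin HTTP/1.1", 403),
    ("10.0.1.5", "192.0.2.44, 10.0.1.6", "POST /login HTTP/1.1", 302),
]


def sample_log():
    """Render the constructed requests as access-log lines."""
    return [access_log_line(*req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in sample_log():
        print(line)
```

The second constructed request shows the point: a client connecting directly and claiming 203.0.113.7 is logged under its real peer address, 198.51.100.9, because the header is only honoured when the peer is a trusted balancer.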
VPN. In addition to IPsec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch a network between geographically distributed sites. Such a VPN is needed, for example, so that when a virtual machine migrates to another site it stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to the corporate network. At the vSphere level this function already existed, but for vCloud Director it is new.
SSL certificates. Certificates can now be installed on NSX Edge. This also answers the question of who needs a load balancer without an https certificate.
Grouping objects. On this tab you define the groups of objects to which particular network rules, for example firewall rules, will apply.
These objects can be IP and MAC addresses.
There is also a list of services (protocol and port combinations) and applications that can be used when creating firewall rules. Only the vCD portal administrator can add new services and applications.
Statistics. Connection statistics: traffic passing through the gateway, the firewall and the load balancer.
Status and details for each IPsec VPN and L2 VPN tunnel.
Logging. On the Edge Settings tab you can set a server to which logs are sent. Logging works for DNAT/SNAT, DHCP, Firewall, routing, the load balancer, IPsec VPN and SSL VPN Plus.
The following severity levels are available for each object/service:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
NSX Edge sizes
Depending on the tasks to be solved and the load, VMware offers the following NSX Edge sizes:

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Purpose | Single application, test data center | Small or medium data center | Heavily loaded firewall | Load balancing at the L7 level |
Below is a table with the performance metrics of the network services depending on the NSX Edge size.

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| Interfaces | 10 | 10 | 10 | 10 |
| Sub-interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP Entries Until Overwritten | 1,024 | 2,048 | 2,048 | 2,048 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP Paths | 8 | 8 | 8 | 8 |
| Static Routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB Pools | 64 | 64 | 64 | 1,024 |
| LB Virtual Servers | 64 | 64 | 64 | 1,024 |
| LB Servers/Pool | 32 | 32 | 32 | 32 |
| LB Health Checks | 320 | 320 | 320 | 3,072 |
| LB Application Rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN Clients Hub to Spoke | 5 | 5 | 5 | 5 |
| L2VPN Networks per Client/Server | 200 | 200 | 200 | 200 |
| IPSec Tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN Private Networks | 16 | 16 | 16 | 16 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput (L7 Proxy) | | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB Throughput (L4 Mode) | | 6Gbps | 6Gbps | 6Gbps |
| LB Connections/s (L7 Proxy) | | 46,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L7 Proxy) | | 8,000 | 60,000 | 60,000 |
| LB Connections/s (L4 Mode) | | 50,000 | 50,000 | 50,000 |
| LB Concurrent Connections (L4 Mode) | | 600,000 | 1,000,000 | 1,000,000 |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 100 | 100 |
| BGP Routes Redistributed | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA Entries (Max 750 Type-1) | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |
The table shows that configuring load balancing on NSX Edge for production environments is recommended only starting from the Large size.
That is all I have for today. In the following parts I will go through in detail how to configure each NSX Edge network service.
Source: www.habr.com